https://community.checkpoint.com/t5/Firewall-and-Security-Management/IDC-logs-always-quot-failed-log-in-quot-or-always-quot-log-in/m-p/207454#M39241 <P>Hi</P><P>on a lab environment the logs are always and only "<STRONG>Log in</STRONG>" so no "<STRONG>log out</STRONG>" or "<STRONG>failed log in</STRONG>" logs:</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="collector7.JPG" style="width: 829px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/24679iA20AA9299FDCB8D8/image-size/large?v=v2&amp;px=999" role="button" title="collector7.JPG" alt="collector7.JPG" /></span></P><P>Wireshark between the AD and the machine where IDC is installed shows this when trying wrong password, log in and log out:</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="a1.JPG" style="width: 853px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/24680i8FCF5EA003C310BC/image-size/large?v=v2&amp;px=999" role="button" title="a1.JPG" alt="a1.JPG" /></span></P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="a2.JPG" style="width: 999px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/24681i49971203535D9A21/image-size/large?v=v2&amp;px=999" role="button" title="a2.JPG" alt="a2.JPG" /></span></P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="a3.JPG" style="width: 876px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/24682iDB263D2C82B7A816/image-size/large?v=v2&amp;px=999" role="button" title="a3.JPG" alt="a3.JPG" /></span></P><P>&nbsp;</P><P>In production environment the logs are "failed log in" or "log out" and no "log in" logs:</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="a5.JPG" style="width: 290px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/24683i8CEBF9F3C26D6B13/image-size/large?v=v2&amp;px=999" role="button" title="a5.JPG" alt="a5.JPG" /></span></P><P>running wireshark between AD and the machine where IDC is installed shows no LDAP or kerberos packets between these machines, it shows only DCERPC packets!</P><P>the machine where IDC is installed is 10.32.0.166, same machine i run wireshark:</P><P>ip.addr == 10.8.0.12 and ldap shows nothing</P><P>ip.addr == 10.8.0.12 and kerberos shows nothing</P><P>only&nbsp;ip.addr == 10.8.0.12 and dcerpc shows this:</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="a6.JPG" style="width: 999px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/24684iC226218E5568DDC8/image-size/large?v=v2&amp;px=999" role="button" title="a6.JPG" alt="a6.JPG" /></span></P><P>&nbsp;</P><P>The question is why on lab environment I get only "log in" logs and why on production I get only "failed log in" or "log out"&nbsp;&nbsp;By the way the "failed log in" logs are not accurate because my environment is running with no problem.</P> Thu, 29 Feb 2024 09:32:11 GMT Moudar 2024-02-29T09:32:11Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/IDC-logs-always-quot-failed-log-in-quot-or-always-quot-log-in/m-p/207454#M39241 <P>Hi</P><P>on a lab environment the logs are always and only "<STRONG>Log in</STRONG>" so no "<STRONG>log out</STRONG>" or "<STRONG>failed log in</STRONG>" logs:</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="collector7.JPG" style="width: 829px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/24679iA20AA9299FDCB8D8/image-size/large?v=v2&amp;px=999" role="button" title="collector7.JPG" alt="collector7.JPG" /></span></P><P>Wireshark between the AD and the machine where IDC is installed shows this when trying wrong password, log in and log out:</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="a1.JPG" style="width: 853px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/24680i8FCF5EA003C310BC/image-size/large?v=v2&amp;px=999" role="button" title="a1.JPG" alt="a1.JPG" /></span></P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="a2.JPG" style="width: 999px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/24681i49971203535D9A21/image-size/large?v=v2&amp;px=999" role="button" title="a2.JPG" alt="a2.JPG" /></span></P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="a3.JPG" style="width: 876px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/24682iDB263D2C82B7A816/image-size/large?v=v2&amp;px=999" role="button" title="a3.JPG" alt="a3.JPG" /></span></P><P>&nbsp;</P><P>In production environment the logs are "failed log in" or "log out" and no "log in" logs:</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="a5.JPG" style="width: 290px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/24683i8CEBF9F3C26D6B13/image-size/large?v=v2&amp;px=999" role="button" title="a5.JPG" alt="a5.JPG" /></span></P><P>running wireshark between AD and the machine where IDC is installed shows no LDAP or kerberos packets between these machines, it shows only DCERPC packets!</P><P>the machine where IDC is installed is 10.32.0.166, same machine i run wireshark:</P><P>ip.addr == 10.8.0.12 and ldap shows nothing</P><P>ip.addr == 10.8.0.12 and kerberos shows nothing</P><P>only&nbsp;ip.addr == 10.8.0.12 and dcerpc shows this:</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="a6.JPG" style="width: 999px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/24684iC226218E5568DDC8/image-size/large?v=v2&amp;px=999" role="button" title="a6.JPG" alt="a6.JPG" /></span></P><P>&nbsp;</P><P>The question is why on lab environment I get only "log in" logs and why on production I get only "failed log in" or "log out"&nbsp;&nbsp;By the way the "failed log in" logs are not accurate because my environment is running with no problem.</P> Thu, 29 Feb 2024 09:32:11 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/IDC-logs-always-quot-failed-log-in-quot-or-always-quot-log-in/m-p/207454#M39241 Moudar 2024-02-29T09:32:11Z