START_CONNECTION or END_CONNECTION

Daniel_Kavan — Thu, 29 Aug 2024 12:46:50 GMT

Does check point log START_CONNECTION or END_CONNECTION in their logs? I'm just seeing SSH version2 traffic, but NOT START or END_CONNECTION. Am I missing something? I may need more extensive logging (accounting) or a capture packet for that, correct?

Id: c107fa67-d9a7-b6fc-66be-cd5d00010006
Marker: @A@@B@1723776012@C@2042288
Log Server Origin: 172.bb.XX.XX
Time: 2024-08-16T03:54:05Z
Interface Direction: inbound
Interface Name: eth10
Id Generated By Indexer: false
First: true
Sequencenum: 125
Source Zone: External
Destination Zone: Internal
Service ID: ssh_version_2
Source: IPa
Source Port: 39892
Destination: IPb
Destination Port: 22
IP Protocol: 6
Xlate (NAT) Destination IP: someIP
Xlate (NAT) Source Port: 0
Xlate (NAT) Destination Port:0
NAT Rule Number: 165
NAT Additional Rule Number: 0
Nat Rule Uid: a56039b0-dc01-4b9a-896d-cc5f00aa0511
Action: Accept
Type: Connection
Policy Name: policy
Policy Management: colorm
Db Tag: {68C9D707-6C15-F940-88CE-0A3F4A66CC6F}
Policy Date: 2024-08-15T15:26:06Z
Blade: Firewall
Origin: colorN
Service: TCP/22
Product Family: Access
Logid: 0
Access Rule Name: autoloader transfers
Access Rule Number: 26
Policy Rule UID: c0209209-a428-4dbb-88f8-2b89c774cf72
Layer Name: Security
Interface: eth10
Description: ssh_version_2 Traffic Accepted from someIP to aIP

Id: 78f4c07f-b81c-6cdf-66be-cd5d00010004
Marker: @A@@B@1723776012@C@2042219
Log Server Origin: IPA
Time: 2024-08-16T03:54:05Z
Interface Direction: inbound
Interface Name: eth10
Id Generated By Indexer: false
First: true
Sequencenum: 107
Source Zone: External
Destination Zone: Internal
Service ID: ssh_version_2
Source: IPB
Source Port: 38657
Destination: IPC
Destination Port: 22
IP Protocol: 6
Xlate (NAT) Destination IP: someIP
Xlate (NAT) Source Port: 0
Xlate (NAT) Destination Port:0
NAT Rule Number: 165
NAT Additional Rule Number: 0
Nat Rule Uid: a56039b0-dc01-4b9a-896d-cc5f00aa0511
Action: Accept
Type: Connection
Policy Name: pname
Policy Management: colorM
Db Tag: {68C9D707-6C15-F940-88CE-0A3F4A66CC6F}
Policy Date: 2024-08-15T15:26:06Z
Blade: Firewall
Origin: colorN
Service: TCP/22
Product Family: Access
Logid: 0
Access oader transfers
Access Rule Number: 26
Policy Rule UID: c0209209-a428-4dbb-88f8-2b89c774cf72
Layer Name: rity
Interface: eth10
Description: ssh_version_2 Traffic Accepted from 1 to 2

Re: START_CONNECTION or END_CONNECTION

AkosBakos — Thu, 29 Aug 2024 12:55:33 GMT

From Phoneboy:

"When you enable accounting on a rule (which must be done per rule), it logs the bytes/duration of the relevant flow.
In general this data is updated every 10 minutes and after the connection closes."

https://community.checkpoint.com/t5/Security-Gateways/Log-accounting/m-p/110407#M15221

Akos

Re: START_CONNECTION or END_CONNECTION

the_rock — Thu, 29 Aug 2024 20:14:52 GMT

Never seen that link, thats super USEFUL.

Thanks brother 🙂

Andy

Re: START_CONNECTION or END_CONNECTION

the_rock — Thu, 29 Aug 2024 20:16:21 GMT

Hey bud, for the context, I figured would also share this link.

Andy

https://sc1.checkpoint.com/documents/R81/WebAdminGuides/EN/CP_R81_LoggingAndMonitoring_AdminGuide/Topics-LMG/Tracking-Options.htm

topic Re: START_CONNECTION or END_CONNECTION in Firewall and Security Management

START_CONNECTION or END_CONNECTION

Re: START_CONNECTION or END_CONNECTION

Re: START_CONNECTION or END_CONNECTION

Re: START_CONNECTION or END_CONNECTION