topic How to filter a established connection logs (request-reply) in Firewall and Security Management

How to filter a established connection logs (request-reply)

Mk_83 — Thu, 26 Dec 2024 11:15:18 GMT

Hello everyone,

I'm just deploy a new internal CP Firewall (to control traffic for Server Farm Zone). I'm creating the policy using logs in Firewall.

I to filter a log which established (Log at Session Start - Log at Session Start) connection like Palo Alto Firewall, to except incoming log which have no reply.

(example: Server1 only port 3389 are listening, 443 not enable. User1 scan port 3389, 443 to Server1 => only port 3389 reply, 443 will not reply => I want to filter the log that 3389 request-reply)

I already choose Session at Action-Rules option, but it's still have a log session port 443 although 443 on server is not enable (user access to server:443 failed either)

A lot of logs port 443 have duration 3 hours:

Does anyone facing this problem before? Please help me.

Thanks & Best Regards,

Mk_83

Re: How to filter a established connection logs (request-reply)

AkosBakos — Thu, 26 Dec 2024 16:01:24 GMT

Hi,

Interesting, but the webserver can't cause this limit? I mean, the server closes the connection in every 3 hours.

If you switch on "Accounting" in the log column, you will se more details. First try this.

Akos

Re: How to filter a established connection logs (request-reply)

PhoneBoy — Thu, 26 Dec 2024 21:34:54 GMT

If I'm understanding you correctly, you only want to log TCP SYNs if and only if a SYN/ACK is received for that SYN?
As far as I know, this isn't possible.

Re: How to filter a established connection logs (request-reply)

JozkoMrkvicka — Fri, 27 Dec 2024 06:27:15 GMT

Or other way around - log only connections for which the firewall recieved reply from the server.

Interesting idea, since currently Check Point firewall is creating one log entry only for connection which has the same source port+source IP+protocol+destination port+destination IP and which is allowed by rulebase (or implied rules) while Track option in not "None".

It is sometimes not clear from firewall logs if connection is properly working or not. You need to enable Accounting and open log entry to check statistics of sent/recieved packets. Or do live packet capture, or telnet from the firewall.

Such a log feature will help firewall operators identify the problem much faster and speed up problem resolution.

Re: How to filter a established connection logs (request-reply)

PhoneBoy — Fri, 27 Dec 2024 22:00:44 GMT

A TCP SYN is sent from the client.
A TCP SYN/ACK is sent from the server (the response).
It's basically what was asked.

We do offer TCP state logging, but it is not enabled by default: https://support.checkpoint.com/results/sk/sk101221
While we cannot log ONLY if a SYNACK is received, we can generate an additional log when it does with option 3: "When connection state changes"

Re: How to filter a established connection logs (request-reply)

Mk_83 — Sat, 28 Dec 2024 17:15:22 GMT

Many thanks for your information.
That actually my pain point. I will try the sk.

Thanks & Best Regards.