topic Re: Avoid tracking connection but still log sk113479 in Firewall and Security Management

Avoid tracking connection but still log sk113479

frenzetti — Fri, 03 Nov 2023 09:43:41 GMT

Hi,

We need to allow users to reach a certain site but avoid tracking the connection.
We created a rule setting logging to "none" but the console displays the error Connection terminated before the Security Gateway was able to make a decision: Insufficient data passed. To learn more see sk113479.

Connection starts in http and then switches to https. Only http traffic (with the error) is logged. Https is correctly not tracked

Has anyone found themselves in the same situation and managed to resolve it?

Release is 81.10, blade are firewall and application control

Thx for your support

Re: Avoid tracking connection but still log sk113479

PhoneBoy — Fri, 03 Nov 2023 19:18:21 GMT

What does the rule that permits the traffic look like?
Unless it contains http explicitly (the service), this is expected behavior.
To resolve the issue, add http to the the Services for the relevant rule (or create a new one).

Re: Avoid tracking connection but still log sk113479

frenzetti — Tue, 07 Nov 2023 08:05:46 GMT

Hi @PhoneBoy , thx for your response.

Rule number 1 (above all) looks like this:

Source = Any
Destination = IP Address Object
Services = http,https
Log = None
Install On = Target Cluster

Still logging

Re: Avoid tracking connection but still log sk113479

PhoneBoy — Tue, 07 Nov 2023 15:41:12 GMT

Can you provide a full log card (with sensitive details redacted)?
I suspect this may be a bug of some sort and will require TAC to assist: https://help.checkpoint.com

Re: Avoid tracking connection but still log sk113479

frenzetti — Tue, 07 Nov 2023 15:54:58 GMT

Hi @Daphne_Reese , what is exactly needed (when you say 'full log card')

Re: Avoid tracking connection but still log sk113479

PhoneBoy — Tue, 07 Nov 2023 20:19:03 GMT

When you double-click on an individual log entry, you will see a screen pop up with more details; This is the log card.

Re: Avoid tracking connection but still log sk113479

frenzetti — Wed, 08 Nov 2023 13:31:03 GMT

Hi, today we splitted the rule.

Rule 1 for service HTTP, Drop, No-Log

Rule 2 switched Services to ANY, Accept, No-Log (Any protocol: ping, https, ntp, etc)

Rule Number 1 is matched and no log is present for HTTP - that's ok

For HTTPS, as you can see, matched rule is exactly number 2 but still logging

Re: Avoid tracking connection but still log sk113479

PhoneBoy — Wed, 08 Nov 2023 19:42:57 GMT

What is the precise destination here?
Is it the gateway or something else?
What about using the explicit https service in Rule 2?
Are there other ordered Access Policy layers in use or just the one?

Re: Avoid tracking connection but still log sk113479

frenzetti — Thu, 09 Nov 2023 14:42:07 GMT

What is the precise destination here? Destination is an IP Address (in rule we put IP Address Object)
Is it the gateway or something else? External WebSite
What about using the explicit https service in Rule 2? Tried without success
Are there other ordered Access Policy layers in use or just the one? URL/App filtering with allow policy but no log about AppControl blade

Re: Avoid tracking connection but still log sk113479

PhoneBoy — Thu, 09 Nov 2023 21:20:55 GMT

If the rule that is matched in the other layer is set to log, the connection will be logged.
This is expected behavior.
If this isn't the case, I recommend a TAC case: https://help.checkpoint.com

Re: Avoid tracking connection but still log sk113479

frenzetti — Fri, 10 Nov 2023 11:04:45 GMT

Hi @PhoneBoy we will set no-log on all layers and try again.

Otherwise we will open the TAC case.

Thx