https://community.checkpoint.com/t5/Firewall-and-Security-Management/Return-traffic-in-checkpoint/m-p/84266#M80341 <P>Hi,&nbsp;</P><P>We would like to know&nbsp;if we can have the see return traffic entries in the logs.</P><P>&nbsp;</P><P>As we aware once we have the connection matches the policy, it logs the traffic and been written in the connection table.</P><P>&nbsp;</P><P>And the return traffic matches the existing connection table entry and been allowed / dropped. And we cannot see the return traffic logs in the checkpoint.</P><P>&nbsp;</P><P>1) Apart from TCPDUMP, do we have any way to find the historical return traffic logs ?<BR />2) If secureXL is disabled, can we see the return traffic logs ?</P><P>&nbsp;</P><P>Regards,</P><P>Vengatesh SR</P> Tue, 05 May 2020 20:06:04 GMT Vengatesh-SR 2020-05-05T20:06:04Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Return-traffic-in-checkpoint/m-p/84266#M80341 <P>Hi,&nbsp;</P><P>We would like to know&nbsp;if we can have the see return traffic entries in the logs.</P><P>&nbsp;</P><P>As we aware once we have the connection matches the policy, it logs the traffic and been written in the connection table.</P><P>&nbsp;</P><P>And the return traffic matches the existing connection table entry and been allowed / dropped. And we cannot see the return traffic logs in the checkpoint.</P><P>&nbsp;</P><P>1) Apart from TCPDUMP, do we have any way to find the historical return traffic logs ?<BR />2) If secureXL is disabled, can we see the return traffic logs ?</P><P>&nbsp;</P><P>Regards,</P><P>Vengatesh SR</P> Tue, 05 May 2020 20:06:04 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Return-traffic-in-checkpoint/m-p/84266#M80341 Vengatesh-SR 2020-05-05T20:06:04Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Return-traffic-in-checkpoint/m-p/84272#M80342 <P>The closest you can get is to enable "Accounting" in the Track field along with "Log" to get this information.&nbsp; Every 10 minutes or when the connection ends (whichever comes first), additional information is added to the log entry including firewall egress interface, connection time, and bytes/sent and received.&nbsp; If these values are nonzero two-way connectivity is working.&nbsp;</P> <P>Modifying the state of SecureXL won't change this, but if you want to use <STRONG>fw monitor</STRONG> to capture accelerated traffic in R80.20+ check out the <STRONG>-F 0,0,0,0,0</STRONG> filtering syntax for <STRONG>fw monitor</STRONG>.</P> Tue, 05 May 2020 21:03:35 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Return-traffic-in-checkpoint/m-p/84272#M80342 Timothy_Hall 2020-05-05T21:03:35Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Return-traffic-in-checkpoint/m-p/84281#M80343 <P>Hi Timothy,&nbsp;</P><P>Thank you for quick reply.&nbsp;</P><P>The reason of this requirement is to randomly check if return traffic flow was complete or not for the existing connections.&nbsp;</P><P>Can we enable the accounting on all the policies in rulebase in production network ? Is it cause any impact ?</P><P>Apart from accounting do we have any other way to view the historical data for the return traffic.&nbsp;</P><P>Regards,</P><P>Vengatesh SR</P><P>&nbsp;</P> Tue, 05 May 2020 22:16:44 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Return-traffic-in-checkpoint/m-p/84281#M80343 Nagesh_Aithal 2020-05-05T22:16:44Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Return-traffic-in-checkpoint/m-p/84290#M80344 <P>A Track of "Log" only tells you what happened when the first packet of the connection was received, unless the log was added on to later by another blade like APCL.&nbsp; Enabling Accounting will cause some additional memory and especially logging overhead on the gateway.&nbsp; I'd try enabling it for a few rules in your policy and assess the impact; if your SMS/Log Server is already somewhat overwhelmed by regular logs, setting Accounting will certainly not help.</P> Wed, 06 May 2020 03:20:45 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Return-traffic-in-checkpoint/m-p/84290#M80344 Timothy_Hall 2020-05-06T03:20:45Z