topic Re: Interpretation of Network Activity report in Firewall and Security Management

Interpretation of Network Activity report

Dave — Fri, 22 Nov 2019 10:34:42 GMT

How do you exactly correctly interpret this report?

Interpret1 has only 269 accept logs on internal firewall, which i hardly can believe given the amount of people that work here. Drop and Reject is a lot, which looks normal to me.

Interpret2 same -> low accept logs on internal firewall, although i know there is a lot of internall traffic.
Failover happened on this day, that's the reason why you see also high activity on IFW02. Normally IFW01 is the primary active one.

Interpret3 is report of 5 days, still low accept logs in internal firewall, Drop and Reject is a lot, which again looks normal to me

How is this possible when we log all rules in the policy where traffic has been accepted? Or how do i have to interpret this?

Re: Interpretation of Network Activity report

PhoneBoy — Sat, 23 Nov 2019 04:09:56 GMT

What does the Track field for the rules that accept the traffic say?
If it says Log and/or don't include Session info, they won't get indexed and won't appear in the reports.

Re: Interpretation of Network Activity report

Dave — Mon, 25 Nov 2019 07:55:11 GMT

Screenshot shows how it looks in our policy, quite normal i guess.

When looking at some log entries, indeed i could see that a lot of them don't have a Session tab.

I would have expected when you log your rules in your policy, that this would fully reflect in the Network Activity Report.
Is there a way to literally see all accept hits in the report?

Re: Interpretation of Network Activity report

PhoneBoy — Mon, 25 Nov 2019 17:03:45 GMT

You’d have to Right-Click on each instance of Log in the Track field, select More, then tick the Log Generation Per Session checkbox.
Some additional discussion around this here: https://community.checkpoint.com/t5/Logging-and-Reporting/Creating-reports-with-tracking-quot-per-connection-quot/m-p/30158