https://community.checkpoint.com/t5/Firewall-and-Security-Management/Log-Filtering-Issues/m-p/10141#M94016 <HTML><HEAD></HEAD><BODY><P>Hi Carlos</P><P>I also notice the SmartLog search function are not perfect, I found some field data&nbsp;can't be searched.</P><P>So I only use the&nbsp;field what I known how to use to search.</P><P></P><P>Because it is not perfect, so we need to suggest CheckPoint to improve it.</P></BODY></HTML> Wed, 18 Jul 2018 14:44:30 GMT RickLin 2018-07-18T14:44:30Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Log-Filtering-Issues/m-p/10136#M94011 <HTML><HEAD></HEAD><BODY><P>Hi everyone,</P><P></P><P>I'd like to post this query before I move to support, maybe I'm doing/assuming something wrong here.</P><P></P><P>So a very simple log filter query "domain"</P><P>Searching shows a lot of information...</P><P><IMG class="image-1 jive-image" src="https://community.checkpoint.com/legacyfs/online/checkpoint/67097_pastedImage_2.png" /></P><P>Now let's use "domain-udp"</P><P>comparing domain with domain-udp, domain-udp is, to me, more specific than just domain, right? ...Wrong?</P><P><IMG class="image-2 jive-image" src="https://community.checkpoint.com/legacyfs/online/checkpoint/67098_pastedImage_3.png" /></P><P>I would say, this is a typical WTF?! question, but as I said above, maybe I'm doing/assuming something wrong with this search filter.</P><P>I narrowed down the time to get the highlighted dropped domain-udp sessions from the previous search.</P><P>The only difference I notice is the log type: the geo drops are marked as "log" were as for the matched rules are type: connection, but still we have a drop in the middle that hits the clean-up rule 180.</P><P></P><P>Can anyone explain to me, or is this really a support issue?</P><P></P><P>Best regards,</P><P>Carlos</P></BODY></HTML> Wed, 18 Jul 2018 10:50:02 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Log-Filtering-Issues/m-p/10136#M94011 MrSaintz 2018-07-18T10:50:02Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Log-Filtering-Issues/m-p/10137#M94012 <HTML><HEAD></HEAD><BODY><P>May have something to do with the word "domain" contained in the "description" field:</P><P></P><P><IMG class="image-1 jive-image" src="https://community.checkpoint.com/legacyfs/online/checkpoint/67102_pastedImage_1.png" /></P><P></P><P>If you want to have more accurate results, search with "service:" prefix:</P><P><IMG class="image-2 jive-image" src="https://community.checkpoint.com/legacyfs/online/checkpoint/67103_pastedImage_2.png" /></P></BODY></HTML> Wed, 18 Jul 2018 12:48:39 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Log-Filtering-Issues/m-p/10137#M94012 Vladimir 2018-07-18T12:48:39Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Log-Filtering-Issues/m-p/10138#M94013 <HTML><HEAD></HEAD><BODY><DIV style="border: 0px; font-weight: inherit; font-size: 14px;"><DIV class="" style="border: 0px; font-weight: inherit; margin: 20px 0px;"><P style="border: 0px; font-weight: inherit;">At the same time.</P><P style="border: 0px; font-weight: inherit;">If you know the service port number what you looking for, you can use "port:".</P><P style="border: 0px; font-weight: inherit;"><IMG class="image-1 jive-image" height="304" src="https://community.checkpoint.com/legacyfs/online/checkpoint/67106_pastedImage_1.png" style="border: 0px; font-weight: inherit; margin: 2px 20px 0px;" width="1129" /></P><P style="border: 0px; font-weight: inherit;">&nbsp;</P><P style="border: 0px; font-weight: inherit;">You also can reference the CheckPoint SmartConsole online help about SmartView query language.&nbsp;</P><P style="border: 0px; font-weight: inherit;"><A class="" href="https://sc1.checkpoint.com/documents/R80.10/SmartConsole_OLH/EN/html_frameset.htm?topic=zfFmGvPiAIUaJhQr-pxhDQ2" rel="nofollow" style="color: #6d6e71; border: 0px; font-weight: inherit; text-decoration: none; padding: 0px calc(12px + 0.35ex) 0px 0px;">SmartConsole R80.10 Help</A>&nbsp;</P></DIV></DIV><DIV style="border: 0px; font-weight: inherit; font-size: 14px;"> </DIV><DIV class="" style="border: 0px; font-weight: inherit; font-size: 14px; margin: 20px 0px 0px;"><DIV class="" data-comment-id="23501" style="color: #6d6e71; border: none; font-weight: inherit; font-size: 0.8571rem;"> </DIV></DIV></BODY></HTML> Wed, 18 Jul 2018 14:09:07 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Log-Filtering-Issues/m-p/10138#M94013 RickLin 2018-07-18T14:09:07Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Log-Filtering-Issues/m-p/10139#M94014 <HTML><HEAD></HEAD><BODY><P>Thank you Vladimir,</P><P>That was my assumption, but if you look at the screen shots, searching for domain matches much less records then searching for domain-udp, not the other way around...</P><P></P><P>Searching for specific fields, yes I understand, and it does narrow down to some degree, however it can narrow down too much for troubleshooting, consider asymmetric routing, we want to search for specific traffic on the service, and on the source port, one good trick I confidently used until now was, not specifying the fields in which I want to search for the flow, and hoped it would match more records than big query strings using 'or'/'and' for specific fields.</P><P></P><P><A href="https://community.checkpoint.com/migrated-users/3134">Rick Lin</A>‌,</P><P>Thank you for the input around the "port:" field,&nbsp; I did use the help to check for the query language the problem in the help file is that you always mention fields attached to a query string, however you also allow a simple string query.</P><P></P><P>My clarification request from this point on is:</P><P>What fields are used in a log filter search, when not field is specified? And can anyone explain to me how can "domain" match less then "domain-udp" in such scenario?</P><P></P><P>Best regards,</P><P>Carlos Santos</P></BODY></HTML> Wed, 18 Jul 2018 14:28:56 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Log-Filtering-Issues/m-p/10139#M94014 MrSaintz 2018-07-18T14:28:56Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Log-Filtering-Issues/m-p/10140#M94015 <HTML><HEAD></HEAD><BODY><P>Did you try domain* instead of just domain? Might do the trick. But of course it seems there is a minor issue with the search tool</P></BODY></HTML> Wed, 18 Jul 2018 14:44:10 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Log-Filtering-Issues/m-p/10140#M94015 _Val_ 2018-07-18T14:44:10Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Log-Filtering-Issues/m-p/10141#M94016 <HTML><HEAD></HEAD><BODY><P>Hi Carlos</P><P>I also notice the SmartLog search function are not perfect, I found some field data&nbsp;can't be searched.</P><P>So I only use the&nbsp;field what I known how to use to search.</P><P></P><P>Because it is not perfect, so we need to suggest CheckPoint to improve it.</P></BODY></HTML> Wed, 18 Jul 2018 14:44:30 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Log-Filtering-Issues/m-p/10141#M94016 RickLin 2018-07-18T14:44:30Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Log-Filtering-Issues/m-p/10142#M94017 <HTML><HEAD></HEAD><BODY><P>Carlos,</P><P></P><P>This may be an issue with implied delimiter: In the screen caps in my previous post, the OU=Domain is probably being recognized as a standalone "domain" in search string, whereas "domain*" will read "domain-udp".</P><P></P><P>Searching with prefix "service" using "domain" returns nothing:</P><P><IMG class="image-1 jive-image" src="https://community.checkpoint.com/legacyfs/online/checkpoint/67109_pastedImage_1.png" /></P><P></P><P>While doing same with "domain*" actually yields results containing "domain-udp":</P><P><IMG class="image-2 jive-image" src="https://community.checkpoint.com/legacyfs/online/checkpoint/67110_pastedImage_2.png" /></P><P></P><P>So this reflects the results discrepancy you are seeing.</P></BODY></HTML> Wed, 18 Jul 2018 15:02:09 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Log-Filtering-Issues/m-p/10142#M94017 Vladimir 2018-07-18T15:02:09Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Log-Filtering-Issues/m-p/10143#M94018 <HTML><HEAD></HEAD><BODY><P>It does help Valeri, thank you for the heads-up, i guess i need to use more wildcard options from now on.</P><P>In the end the purpose of a log filter search is to to troubleshoot for specific flow conditions, if one cannot feel confident on the search results, troubleshooting is limited right from the start.</P></BODY></HTML> Wed, 18 Jul 2018 15:13:51 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Log-Filtering-Issues/m-p/10143#M94018 MrSaintz 2018-07-18T15:13:51Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Log-Filtering-Issues/m-p/10144#M94019 <HTML><HEAD></HEAD><BODY><P>I think you narrowed down to issue, it does seem to implied delimiter, I only thought that "-" should affect it the same way (as a delimiter) maybe we need to figure out what is forcefully excluded in any search, but then again wildcard does perform very well.</P></BODY></HTML> Wed, 18 Jul 2018 15:20:05 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Log-Filtering-Issues/m-p/10144#M94019 MrSaintz 2018-07-18T15:20:05Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Log-Filtering-Issues/m-p/10145#M94020 <HTML><HEAD></HEAD><BODY><P>Thank you Rick, to be true nothing is that "perfect", but one needs to feel confident of the used tools in hand to help your customers, right? <IMG src="https://community.checkpoint.com/legacyfs/online/checkpoint/emoticons/wink.png" /></P></BODY></HTML> Wed, 18 Jul 2018 15:21:20 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Log-Filtering-Issues/m-p/10145#M94020 MrSaintz 2018-07-18T15:21:20Z