https://community.checkpoint.com/t5/Firewall-and-Security-Management/audit-log/m-p/30458#M97809 <HTML><HEAD></HEAD><BODY><P>We decided not to show rule numbers in the audit logs - by design. And I'd like to share this decision.</P><P>Remembering a rule number&nbsp;may not be a good practice. Because at any given time, someone can place a rule above it, and then the number is changed.</P><P>So this is why when discussing change history, we try not to give the rule number as the "most important property" but rather name, UID, and the policies that hold this rule.&nbsp;&nbsp;</P><P style="direction: ltr;">If you are still interested with what was the number of the rule, you can use&nbsp;this script -&nbsp;<A href="https://community.checkpoint.com/thread/6867-how-to-get-all-the-information-about-a-deleted-rule" target="_blank">https://community.checkpoint.com/thread/6867-how-to-get-all-the-information-about-a-deleted-rule</A>&nbsp;&nbsp;</P><P style="direction: ltr;"></P><P style="direction: ltr;">Hope this helps</P></BODY></HTML> Fri, 21 Jun 2019 09:16:41 GMT Tomer_Sole 2019-06-21T09:16:41Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/audit-log/m-p/30456#M97807 <HTML><HEAD></HEAD><BODY><P>Hey all</P><P></P><P>Has anyone encountered this issue before? searching through the changes in audit log seems that the number of security rule involved by the change is not reported , if you copy the entire message from the audit log you can have a rule uid but is not a very "fast way" to retrieve this information.</P><P></P><P>Thanks in advance</P><P></P><P><IMG class="image-1 jive-image" src="https://community.checkpoint.com/legacyfs/online/checkpoint/63128_pastedImage_2.png" style="width: auto; height: auto;" /></P></BODY></HTML> Fri, 16 Feb 2018 11:57:45 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/audit-log/m-p/30456#M97807 Marco_Valenti 2018-02-16T11:57:45Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/audit-log/m-p/30457#M97808 <HTML><HEAD></HEAD><BODY><P>Perhaps not all the log fields are indexed...&nbsp;</P><P>Are you trying to find what rules changed in a given session?</P></BODY></HTML> Fri, 16 Feb 2018 17:28:22 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/audit-log/m-p/30457#M97808 PhoneBoy 2018-02-16T17:28:22Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/audit-log/m-p/30458#M97809 <HTML><HEAD></HEAD><BODY><P>We decided not to show rule numbers in the audit logs - by design. And I'd like to share this decision.</P><P>Remembering a rule number&nbsp;may not be a good practice. Because at any given time, someone can place a rule above it, and then the number is changed.</P><P>So this is why when discussing change history, we try not to give the rule number as the "most important property" but rather name, UID, and the policies that hold this rule.&nbsp;&nbsp;</P><P style="direction: ltr;">If you are still interested with what was the number of the rule, you can use&nbsp;this script -&nbsp;<A href="https://community.checkpoint.com/thread/6867-how-to-get-all-the-information-about-a-deleted-rule" target="_blank">https://community.checkpoint.com/thread/6867-how-to-get-all-the-information-about-a-deleted-rule</A>&nbsp;&nbsp;</P><P style="direction: ltr;"></P><P style="direction: ltr;">Hope this helps</P></BODY></HTML> Fri, 21 Jun 2019 09:16:41 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/audit-log/m-p/30458#M97809 Tomer_Sole 2019-06-21T09:16:41Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/audit-log/m-p/30459#M97810 <HTML><HEAD></HEAD><BODY><P>Thanks Tomer for the reply , will push customer to name their rule for better understanding of the changes made to a rulebase</P></BODY></HTML> Wed, 21 Feb 2018 08:21:28 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/audit-log/m-p/30459#M97810 Marco_Valenti 2018-02-21T08:21:28Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/audit-log/m-p/60357#M97811 <P><a href="https://community.checkpoint.com/t5/user/viewprofilepage/user-id/332">@Tomer_Sole</a>&nbsp; I can under to a degree not including the rule UID and not the number due the the possibility of the display rule number changing, make some sense. That said, i see other UID with seem to obfuscate troubleshooting or audit actions that have been performed, why for instance would this be necessary</P><P>ActionSettings.action: Changed from '6c488338-8eec-xxxx-xxxx-xxxxxxxxxxxx' to '6c488338-xxxx-xxxx-xxxx-xxxxxxxxxxxx'</P><P>Where the action has been changed from drop to accept. It doesnt make it easy to see what went on with this particular edit.</P><P>&nbsp;</P> Thu, 15 Aug 2019 05:57:59 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/audit-log/m-p/60357#M97811 Richard_Carson 2019-08-15T05:57:59Z