https://community.checkpoint.com/t5/Firewall-and-Security-Management/How-to-troubleshoot-an-app-drop-with-the-extended-log-options/m-p/23990#M98442 <HTML><HEAD></HEAD><BODY><P>You hit a nail on the head Tomer! It's been bugging me for a while but so far have had no time to dig into it. I noticed that some of our logs started reported sessions after R80.x upgrades even though we never specifically set them. And when i check the rule it's not ticked.</P><P>Do you have any more information about how R77.30 to R80.x should have treated this particular option. Also what are CPU impacts of all those options in more detail?</P><P></P><P>To give you example, this traffic is logged as "session"</P><P><IMG class="image-1 jive-image" src="https://community.checkpoint.com/legacyfs/online/checkpoint/62176_pastedImage_1.png" style="width: 620px; height: 111px;" /></P><P></P><P>but the rule is set to "none"!</P><P><IMG class="image-2 jive-image" src="https://community.checkpoint.com/legacyfs/online/checkpoint/62177_pastedImage_2.png" style="width: 620px; height: 153px;" /></P><P></P><P>Is this a SR candidate?</P></BODY></HTML> Fri, 19 Jan 2018 10:11:51 GMT Kaspars_Zibarts 2018-01-19T10:11:51Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/How-to-troubleshoot-an-app-drop-with-the-extended-log-options/m-p/23989#M98441 <HTML><HEAD></HEAD><BODY><P>Let's say you enabled an application, but traffic still gets dropped from some reason.</P><P>In the logs, all you see is&nbsp;hits on the any, any, drop rule, but this could come from many different users.</P><P>What you can do is to change the default logging setting in the Track column from <STRONG>"Log"</STRONG> to:</P><P>- <STRONG>"Extended Log"</STRONG>:&nbsp;Adds application info to the logs.</P><P>- <STRONG>"Detailed Log"</STRONG>: Adds resource and file to the logs.</P><P>You could also add the option to generate another <STRONG>Log Per Session</STRONG>, in addition to the usual log per connection.</P><P></P><P>Please note that each addition to a log gets&nbsp;adds a performance impact. This is why <STRONG>the defaults</STRONG> for a Track column are relevant to what you picked in a rule: Rules with application objects get the Extended Log by default, while rules with content awareness get the Detailed Log by default.&nbsp;</P><P></P><P><IMG __jive_id="62152" alt="" class="image-1 jive-image j-img-original" src="/legacyfs/online/checkpoint/62152_1 initial.png" style="width: 620px; height: 330px;" /></P><P><IMG __jive_id="62156" alt="" class="image-2 jive-image j-img-original" src="/legacyfs/online/checkpoint/62156_2 change the track option.png" style="width: 620px; height: 330px;" /></P><P></P><P><IMG alt="" class="image-5 jive-image j-img-original" src="/legacyfs/online/checkpoint/62159_3 track options.png" style="height: auto;" /></P><P></P><P><IMG __jive_id="62158" alt="" class="image-4 jive-image j-img-original" src="/legacyfs/online/checkpoint/62158_4 log per session.png" style="width: 620px; height: 400px;" /></P><P></P><P></P><P>So if adding more log details to the highly hit cleanup rule can add performance to the log server, how can we overcome this?</P><P>a. You could apply that temporarily until fixing the problem, and then revert to "Log"</P><P>b. You could take that source traffic, <STRONG>make that an inline layer</STRONG>, and in the Drop rule of that inline layer which will probably get hit a lot less than the general policy, change the log setting. Afterwards you can undo the&nbsp;inlining or just keep it segmented as it is.&nbsp;</P><P></P><P></P><P>Let us know your feedback on this case.</P></BODY></HTML> Thu, 18 Jan 2018 20:51:05 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/How-to-troubleshoot-an-app-drop-with-the-extended-log-options/m-p/23989#M98441 Tomer_Sole 2018-01-18T20:51:05Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/How-to-troubleshoot-an-app-drop-with-the-extended-log-options/m-p/23990#M98442 <HTML><HEAD></HEAD><BODY><P>You hit a nail on the head Tomer! It's been bugging me for a while but so far have had no time to dig into it. I noticed that some of our logs started reported sessions after R80.x upgrades even though we never specifically set them. And when i check the rule it's not ticked.</P><P>Do you have any more information about how R77.30 to R80.x should have treated this particular option. Also what are CPU impacts of all those options in more detail?</P><P></P><P>To give you example, this traffic is logged as "session"</P><P><IMG class="image-1 jive-image" src="https://community.checkpoint.com/legacyfs/online/checkpoint/62176_pastedImage_1.png" style="width: 620px; height: 111px;" /></P><P></P><P>but the rule is set to "none"!</P><P><IMG class="image-2 jive-image" src="https://community.checkpoint.com/legacyfs/online/checkpoint/62177_pastedImage_2.png" style="width: 620px; height: 153px;" /></P><P></P><P>Is this a SR candidate?</P></BODY></HTML> Fri, 19 Jan 2018 10:11:51 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/How-to-troubleshoot-an-app-drop-with-the-extended-log-options/m-p/23990#M98442 Kaspars_Zibarts 2018-01-19T10:11:51Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/How-to-troubleshoot-an-app-drop-with-the-extended-log-options/m-p/23991#M98443 <HTML><HEAD></HEAD><BODY><P>Hello Kaspars,</P><P></P><P>Have you verify this solution regarding upgrade from R7X to R80.10: <A class="link-titled" href="https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&amp;solutionid=sk116580" title="https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&amp;solutionid=sk116580">Tracking Objects are missing after upgrade to R80.10 (Track column in Access Policy)</A> ?</P><P></P><P>Regards.</P></BODY></HTML> Fri, 19 Jan 2018 13:32:38 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/How-to-troubleshoot-an-app-drop-with-the-extended-log-options/m-p/23991#M98443 KennyManrique 2018-01-19T13:32:38Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/How-to-troubleshoot-an-app-drop-with-the-extended-log-options/m-p/23992#M98444 <HTML><HEAD></HEAD><BODY><P>I believe, I've seen same behavior in straight R80.10 implementations as well, not only the upgrades.</P></BODY></HTML> Fri, 19 Jan 2018 14:22:06 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/How-to-troubleshoot-an-app-drop-with-the-extended-log-options/m-p/23992#M98444 Vladimir 2018-01-19T14:22:06Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/How-to-troubleshoot-an-app-drop-with-the-extended-log-options/m-p/23993#M98445 <HTML><HEAD></HEAD><BODY><P>Great - didn't see this SK before!. Bit late now <img id="smileyhappy" class="emoticon emoticon-smileyhappy" src="https://community.checkpoint.com/i/smilies/16x16_smiley-happy.png" alt="Smiley Happy" title="Smiley Happy" />&nbsp;And now that I actually spent whole 5mins (instead of whinging..) I found it set on Application layer. So even though we use it as a "plain" firewall, we must have messed around at some point and created this app rule. Or it came as default in R80. Not 100%</P><P><IMG class="image-1 jive-image" src="https://community.checkpoint.com/legacyfs/online/checkpoint/62426_pastedImage_4.png" style="width: 620px; height: 198px;" /></P></BODY></HTML> Fri, 19 Jan 2018 18:49:01 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/How-to-troubleshoot-an-app-drop-with-the-extended-log-options/m-p/23993#M98445 Kaspars_Zibarts 2018-01-19T18:49:01Z