https://community.checkpoint.com/t5/General-Topics/Under-what-circumstances-a-new-log-is-created-within-the-Session/m-p/108728#M20690 <P>We work in a BAS technology to test security controls continuously, missing events because of the log suppression (default config) puts us in troubles because our test outcome is filled with false negatives (all suppressed logs)</P><P>We would like to know what's the logic behind the creation of a new event under the Session unification timeout (suppressed logs). After some tests we observed that in connections with the same source, destination and application , when an application parameter changes, (like the user agent in an HTTP request) the main event is updated with the new information (user agent), also, the lastupdatetime and the source port, but that does not occur always.</P><P>Any documentation or idea here?</P> Mon, 25 Jan 2021 08:13:40 GMT Oscar_Bernat 2021-01-25T08:13:40Z https://community.checkpoint.com/t5/General-Topics/Under-what-circumstances-a-new-log-is-created-within-the-Session/m-p/108728#M20690 <P>We work in a BAS technology to test security controls continuously, missing events because of the log suppression (default config) puts us in troubles because our test outcome is filled with false negatives (all suppressed logs)</P><P>We would like to know what's the logic behind the creation of a new event under the Session unification timeout (suppressed logs). After some tests we observed that in connections with the same source, destination and application , when an application parameter changes, (like the user agent in an HTTP request) the main event is updated with the new information (user agent), also, the lastupdatetime and the source port, but that does not occur always.</P><P>Any documentation or idea here?</P> Mon, 25 Jan 2021 08:13:40 GMT https://community.checkpoint.com/t5/General-Topics/Under-what-circumstances-a-new-log-is-created-within-the-Session/m-p/108728#M20690 Oscar_Bernat 2021-01-25T08:13:40Z https://community.checkpoint.com/t5/General-Topics/Under-what-circumstances-a-new-log-is-created-within-the-Session/m-p/108959#M20722 <P>Quoting from <A href="https://sc1.checkpoint.com/documents/R81/WebAdminGuides/EN/CP_R81_LoggingAndMonitoring_AdminGuide/Topics-LMG/Log-Sessions.htm?Highlight=session" target="_self">R81 logging and monitoring guide</A>:<BR /><BR /><EM>By default, after a&nbsp;<SPAN class="SearchHighlight SearchHighlight1">session</SPAN>&nbsp;continues for three hours, the&nbsp;<SPAN class="mc-variable Other_Vars.tp_sgate variable">Security Gateway</SPAN>&nbsp;starts a new&nbsp;<SPAN class="SearchHighlight SearchHighlight1">session</SPAN>&nbsp;log. You can change this in&nbsp;<SPAN class="mc-variable Other_Vars.tp_con variable">SmartConsole</SPAN>&nbsp;from the&nbsp;<SPAN class="Menu_Options"><SPAN class="mc-variable Other_Vars.tp_set variable">Manage &amp; Settings</SPAN></SPAN>&nbsp;view, in&nbsp;<SPAN class="Menu_Options">Blades</SPAN>&nbsp;&gt;&nbsp;<SPAN class="Menu_Options"><SPAN class="mc-variable Vars_BladesFeatures.tp_appurlf variable">Application &amp; URL Filtering</SPAN></SPAN>&nbsp;&gt;&nbsp;<SPAN class="Menu_Options">Advanced Settings</SPAN>&nbsp;&gt;&nbsp;<SPAN class="Menu_Options">General</SPAN>&nbsp;&gt;&nbsp;<SPAN class="Menu_Options">Connection unification</SPAN>.</EM></P> Wed, 27 Jan 2021 10:51:21 GMT https://community.checkpoint.com/t5/General-Topics/Under-what-circumstances-a-new-log-is-created-within-the-Session/m-p/108959#M20722 _Val_ 2021-01-27T10:51:21Z https://community.checkpoint.com/t5/General-Topics/Under-what-circumstances-a-new-log-is-created-within-the-Session/m-p/109252#M20750 <P>I'm so sorry, my question was related to the Threat Prevention Unification session timeout and the suppressed logs, not about Application and URL filtering. We used the user-agent in the HTTP connection to test and force the generation of new events for a specific threat, in that case, we worked with the simplest one, making a connection to "<A href="http://www.threat-cloud.com/test/files/HighConfidenceBot.html&quot;" target="_blank">http://www.threat-cloud.com/test/files/HighConfidenceBot.html"</A>&nbsp;in order to generate a new anti-bot blade event. The question is that depending on the time between every new connection we can see the main event (anti-bot) updated or not. That's why we would like to know the logic behind creating or updating events when suppressed logs feature is enabled (default).</P> Fri, 29 Jan 2021 08:05:33 GMT https://community.checkpoint.com/t5/General-Topics/Under-what-circumstances-a-new-log-is-created-within-the-Session/m-p/109252#M20750 Oscar_Bernat 2021-01-29T08:05:33Z https://community.checkpoint.com/t5/General-Topics/Under-what-circumstances-a-new-log-is-created-within-the-Session/m-p/125903#M23200 <P>Better late than never to answer this question.&nbsp;&nbsp;All Threat Prevention logs have a suppression period of 10 hours (600 minutes).<BR />The suppression period restarts upon Threat Prevention policy reinstallation.&nbsp; Source:&nbsp;<A class="cp_link sc_ellipsis" href="https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&amp;solutionid=sk115876&amp;partition=Expert&amp;product=IPS" target="_blank">sk115876: Some fields are missing from IPS or Threat Prevention logs</A></P> <P>&nbsp;</P> Fri, 06 Aug 2021 19:33:03 GMT https://community.checkpoint.com/t5/General-Topics/Under-what-circumstances-a-new-log-is-created-within-the-Session/m-p/125903#M23200 Timothy_Hall 2021-08-06T19:33:03Z