This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
iamnzri
Participant
‎2023-01-20 06:14 AM

Understanding API output using show-logs command

Hello everyone,

Glad to be a part of the community. I only started using Checkpoint's Smart Console recently and am still learning a lot about it. 
I am trying to write a python script that processes the correlation between rules and log entries (not audit logs) and have since been delving deeper into the capabilities of the API. 

However, I found out that the keys structure from the show logs output are not very predictable. I keep getting KeyErrors because the key-value pair that I expect does not appear in the dictionary from the API. It seems that there is a certain logic behind it. For example, connections that are dropped does not necessarily have a matched rule number attached to the log. This wasn't documented in the API reference. 

I've also found out that ip addresses that are not internal doesn't have the key-value src_attr. I think there are a lot more pitfalls that I have yet to discover. But since there's about 10-20 key-pairs in the results, I do not want to theorize what every single one means and work based on guesses.   

I wished the docs have some more info on what type of log entries that might appear and how to reliably parse the data given. Does anyone maybe have some experience with this?  

Edit: I am using SmartConsole R81.10. Screenshots coming soon 

3 Replies
PhoneBoy
Admin
Admin
‎2023-01-20 11:25 AM

Let's start with version/JHF of the management.
Some precise examples with sensitive data redacted might be helpful for discussion purposes.
This includes both API output and screenshots of the relevant log cards.

0 Kudos
iamnzri
Participant
‎2023-01-23 10:13 AM
In response to PhoneBoy

Thank you for your response. 

As mentioned in the edited original post, I am using the version R81.10 with JHF B410 (whatever that means 😅).

I am expecting this output from the show-logs command. 

              
                "__interface": "bond80.3562",
                "action": "Accept",
                "conn_direction": "Incoming",
                "db_tag": "{XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXB398}",
                "domain": "DE",
                "dst": "000.232.30.1",
                "dst_attr": [
                    {
                        "isCHKPObject": "true",
                        "resolved": "DE-DNS.de.top.com"
                    }
                ],
                "first": "true",
                "fservice": "domain-udp",
                "i_f_dir": "inbound",
                "i_f_name": "bond80.3562",
                "id": "XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXX00fe",
                "id_generated_by_indexer": "false",
                "layer_name": "SomeLayer Network",
                "log_delay": "1674022657",
                "logid": "0",
                "marker": "@A@@B@1674022009@C@6619901",
                "match_table": [
                    {
                        "layer_name": "SomeLayer Network",
                        "layer_uuid": "XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXf4e7",
                        "match_id": "36",
                        "parent_rule": "0",
                        "rule": "31.6",
                        "rule_action": "Accept",
                        "rule_uid": "XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXd8e7"
                    }
                ],
                "orig": "de-aah-ant-dc-f020_de-datac",
                "orig_log_server": "000.178.157.42",
                "orig_log_server_attr": [
                    {
                        "isCHKPObject": "true",
                        "resolved": "mdlog-de1",
                        "uuid": "XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXX64b4"
                    }
                ],
                "policy_date": "2023-01-16T11:44:05Z",
                "policy_mgmt": "fwm1-de1",
                "policy_name": "de_datac",
                "product": "Firewall",
                "product_family": "Access",
                "proto": "17",
                "proto_attr": [
                    {
                        "isCHKPObject": "false",
                        "resolved": "UDP (17)"
                    }
                ],
                "rule": "31.6",
                "rule_uid": "XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXd8e7",
                "s_port": "50135",
                "sequencenum": "4229",
                "service": "53",
                "service_id": "domain-udp",
                "src": "000.232.194.154",
                "src_attr": [
                    {
                        "isCHKPObject": "true",
                        "resolved": "appliance-de-ops-worker-002-p3-cg1.de.redacted.XXX"
                    }
                ],
                "time": "2023-01-18T06:17:37Z",
                "type": "Connection"

 

As you can see, I can rely upon the fact that there is a matched rule, service id, and src_attr.

Note that there is a corresponding rule to this network traffic. A connection with a matched rule would be a type of this kind of log entry. 
There is also a connection with no matched rule, because for example the participants don't execute the TCP protocol correctly. Then there wouldn't be any matched rule in the response 

 

Then, I also notice the key outzone/inzone. This key-pair also do not appear regularly. From what I understand, it tells whether the connection destination is within the network or outside of the network. If so, Checkpoint could've just provide some regularity by giving the same key-pair in each log entry, couldn't they?

            {
                "__interface": "bond80.3562",
                "action": "Accept",
                "db_tag": "{XXXXXXXX-XXXX-XXXX-XXXX-980BBAA7B398}",
                "domain": "DE",
                "dst": "000.232.30.124",
                "dst_attr": [
                    {
                        "isCHKPObject": "true",
                        "resolved": "wtsfug.de.redacted.xxx"
                    }
                ],
                "first": "true",
                "fservice": "https",
                "i_f_dir": "inbound",
                "i_f_name": "bond80.3562",
                "id": "XXXXXXXX-XXXX-XXXX-XXXX-8f01000000ec",
                "id_generated_by_indexer": "false",
                "inzone": "External",
                "layer_name": "SomeLayer Network",
                "logid": "0",
                "marker": "@A@@B@1674022009@C@6619900",
                "match_table": [
                    {
                        "layer_name": "SomeLayer Network",
                        "layer_uuid": "XXXXXXXX-XXXX-XXXX-XXXX-d8d2070bf4e7",
                        "match_id": "1837",
                        "parent_rule": "0",
                        "rule": "31.1807",
                        "rule_action": "Accept",
                        "rule_name": "Ersatzregel",
                        "rule_uid": "XXXXXXXX-XXXX-XXXX-XXXX-0116356bd3f8"
                    }
                ],
                "orig": "de-aah-ant-dc-f020_de-datac",
                "orig_log_server": "000.178.157.42",
                "orig_log_server_attr": [
                    {
                        "isCHKPObject": "true",
                        "resolved": "mdlog-de1",
                        "uuid": "XXXXXXXX-XXXX-XXXX-XXXX-b895029f64b4"
                    }
                ],
                "outzone": "Internal",
                "policy_date": "2023-01-16T11:44:05Z",
                "policy_mgmt": "fwm1-de1",
                "policy_name": "de_datac",
                "product": "Firewall",
                "product_family": "Access",
                "proto": "6",
                "proto_attr": [
                    {
                        "isCHKPObject": "false",
                        "resolved": "TCP (6)"
                    }
                ],
                "rule": "31.1807",
                "rule_name": "Ersatzregel",
                "rule_uid": "XXXXXXXX-XXXX-XXXX-XXXX-0116356bd3f8",
                "s_port": "51151",
                "sequencenum": "4228",
                "service": "443",
                "service_id": "https",
                "src": "000.252.165.0",
                "time": "2023-01-18T06:17:37Z",
                "type": "Connection"
            },


Any help or comment will be appreciated. 

Regards

0 Kudos
PhoneBoy
Admin
Admin
‎2023-01-23 07:49 PM
In response to iamnzri

Did you compare the API results with that of the log cards for the same data?
I suspect you will find them identical.
The issue isn't with the API, the issue is with the specific logs.

Without seeing the exact logs in question, it's going to be difficult to comment much further on this.
Recommend engaging with the TAC. 

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events