RemoteUser
Advisor

Question Log

Hi mates,

hope you’re all doing well.

I have a question regarding logging.

What are the main benefits of switching from Connection to Session log mode?

My understanding is that this feature aggregates multiple logs from the same connection into a single session log, reducing the overall log volume.

However, I’d like to clarify if any details are lost in the session log compared to connection logs. Are all the same fields still available, or is some information not recorded?

Also, could this approach make troubleshooting more challenging in certain scenarios?

Please feel free to correct me if anything is inaccurate or incomplete.

Thanks in advance!

0 Kudos
3 Replies
the_rock
MVP Diamond

Hey brother,

FWIW, this is what AI says.

*********************************************************

You’ve got the core idea right 👍 — but there are some important nuances that matter in real-world troubleshooting.


🔄 Connection vs Session Logging (Quick Context)

  • Connection logging → one log per connection (SYN → FIN lifecycle)

  • Session logging → aggregates multiple connections into a single “session” (based on App/User/IP over time)

Think of session logs as a summary view, not a 1:1 replacement.


Main Benefits of Session Logging

1. 📉 Massive Log Volume Reduction

  • Instead of thousands of short-lived connections (especially with web apps), you get one consolidated session

  • Huge win for:

    • Log storage

    • SIEM ingestion costs

    • SmartConsole performance


2. 👤 Better User/Application Visibility

  • Session logs are identity-aware

  • You see:

    • User (via Identity Awareness)

    • Application (App Control)

    • Overall activity in a session

👉 This is especially useful for SaaS/web browsing visibility.


3. 📊 Cleaner, High-Level View

  • Easier to answer:

    • “What did user X do?”

    • “What apps were accessed?”

  • Instead of digging through hundreds of TCP connections


⚠️ What You LOSE (Important)

Yes — some granularity is lost.

🔍 Missing / Reduced Detail

  1. Per-connection visibility

    • You won’t see every TCP handshake or individual connection

    • Example: multiple HTTP requests → one session log

  2. Precise timing per connection

    • Session log shows duration, but not each micro-event

  3. Low-level network troubleshooting data

    • Harder to track:

      • Packet-level issues

      • Connection resets/retries

      • NAT edge cases per connection


🧠 Troubleshooting Impact

👍 Easier for:

  • User activity analysis

  • Application usage

  • General traffic patterns

👎 Harder for:

  • Deep network debugging

  • Intermittent connection issues

  • Protocol-level problems

👉 In those cases, connection logs are superior


⚖️ Real-World Best Practice

Most environments don’t go “all-in” on one mode.

Common approach:

  • Use Session logging for:

    • Web traffic

    • SaaS / user-based rules

  • Keep Connection logging for:

    • Critical infrastructure

    • VPN / NAT-heavy rules

    • Troubleshooting-sensitive policies


🔧 Key Insight (Often Missed)

Session logs are built from connection logs internally, but:

  • Not all connection-level events are preserved in the final log

  • It’s more like aggregation + summarization, not full fidelity storage


🧩 When NOT to Use Session Logging

Avoid it if you rely heavily on:

  • Detailed forensics

  • Packet/flow-level debugging

  • Regulatory requirements needing full connection traceability


✔️ Bottom Line

  • Your understanding is correct

  • Big win: reduced log volume + better user/app visibility

  • Tradeoff: loss of per-connection granularity

  • Impact: can make deep troubleshooting harder


If you want, I can break this down specifically for Check Point R81/R82 behavior (there are a couple of quirks with HTTPS inspection and App Control that affect session logs).

Best,
Andy
"Have a great day and if it's not, change it"
0 Kudos
RemoteUser
Advisor

I didn't know that if you switch to “session” mode, certain fields like “nat” are lost if it's used...

0 Kudos
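To make the "aggregation + summarization, not full fidelity storage" point in the_rock's reply and the NAT remark in RemoteUser's reply concrete, here is an added, constructed Python model of how per-connection records collapse into per-session records. It is not Check Point's code or log schema: the field names (`xlatesrc`, `app`, `bytes`), the session key `(user, src, app)` and the 60-second idle window are assumptions chosen for the illustration, and the log records are made up.

```python
"""
Constructed model of connection-log -> session-log aggregation (added example,
not Check Point's implementation or schema). Field names, the session key and
the idle window are assumptions for illustration only.
"""
from typing import Dict, List, Tuple

# Constructed connection-log records: one record per TCP connection (SYN..FIN).
CONNECTION_LOGS: List[Dict] = [
    {"time": 100, "end": 101, "user": "alice", "src": "10.1.1.5", "dst": "203.0.113.10",
     "xlatesrc": "198.51.100.1", "app": "WebMail", "bytes": 1200, "action": "Accept"},
    {"time": 101, "end": 103, "user": "bob", "src": "10.1.1.6", "dst": "203.0.113.10",
     "xlatesrc": "198.51.100.1", "app": "WebMail", "bytes": 500, "action": "Accept"},
    {"time": 105, "end": 106, "user": "alice", "src": "10.1.1.5", "dst": "203.0.113.10",
     "xlatesrc": "198.51.100.1", "app": "WebMail", "bytes": 800, "action": "Accept"},
    # Same user and app, but a different destination and a different hide-NAT address.
    {"time": 130, "end": 132, "user": "alice", "src": "10.1.1.5", "dst": "203.0.113.11",
     "xlatesrc": "198.51.100.2", "app": "WebMail", "bytes": 3000, "action": "Accept"},
    # Much later: a dropped connection, outside the idle window of the first session.
    {"time": 400, "end": 400, "user": "alice", "src": "10.1.1.5", "dst": "203.0.113.10",
     "xlatesrc": "198.51.100.1", "app": "WebMail", "bytes": 0, "action": "Drop"},
]

IDLE_WINDOW = 60  # seconds without a new connection before a session closes (assumed)

SessionKey = Tuple[str, str, str]  # (user, src, app) - assumed aggregation key


def aggregate_sessions(logs: List[Dict], idle_window: int = IDLE_WINDOW) -> List[Dict]:
    """Collapse connection records into session records keyed on (user, src, app).

    A connection joins the open session for its key if it starts within
    idle_window seconds of that session's last activity; otherwise a new
    session is opened. Only counters and summaries survive the aggregation.
    """
    sessions: List[Dict] = []
    open_sessions: Dict[SessionKey, Dict] = {}
    for rec in sorted(logs, key=lambda r: r["time"]):
        key: SessionKey = (rec["user"], rec["src"], rec["app"])
        sess = open_sessions.get(key)
        if sess is None or rec["time"] - sess["last_seen"] > idle_window:
            sess = {
                "user": rec["user"], "src": rec["src"], "app": rec["app"],
                "start": rec["time"], "last_seen": rec["end"],
                "connections": 0, "bytes": 0, "action": set(),
            }
            open_sessions[key] = sess
            sessions.append(sess)
        sess["connections"] += 1
        sess["bytes"] += rec["bytes"]
        sess["last_seen"] = max(sess["last_seen"], rec["end"])
        sess["action"].add(rec["action"])
    for sess in sessions:
        sess["duration"] = sess["last_seen"] - sess["start"]  # total span, not per connection
        sess["action"] = sorted(sess["action"])  # set of actions seen, not per connection
    return sessions


def dropped_fields(conn_logs: List[Dict], session_logs: List[Dict]) -> List[str]:
    """Fields present on connection records that no session record carries at all."""
    conn_fields = set().union(*(r.keys() for r in conn_logs))
    sess_fields = set().union(*(s.keys() for s in session_logs))
    return sorted(conn_fields - sess_fields)


def nat_addresses_per_destination(conn_logs: List[Dict]) -> Dict[str, List[str]]:
    """Which translated source address was used toward each destination.

    Answerable from connection logs; after aggregation the session record has
    neither dst nor xlatesrc, so the question can no longer be answered.
    """
    seen: Dict[str, set] = {}
    for rec in conn_logs:
        seen.setdefault(rec["dst"], set()).add(rec["xlatesrc"])
    return {dst: sorted(addrs) for dst, addrs in seen.items()}


if __name__ == "__main__":
    sessions = aggregate_sessions(CONNECTION_LOGS)
    print(f"{len(CONNECTION_LOGS)} connection logs -> {len(sessions)} session logs")
    for s in sessions:
        print(s)
    print("fields lost in aggregation:", dropped_fields(CONNECTION_LOGS, sessions))
    print("NAT address per destination (connection logs only):",
          nat_addresses_per_destination(CONNECTION_LOGS))
```

Running it collapses five connection records into three session records: alice's first three connections become one session with a 32-second duration and a byte total, her later dropped connection opens a second session because it falls outside the idle window, and bob gets his own. `dropped_fields` then lists exactly the columns that no session record has (`dst`, `end`, `time`, `xlatesrc`), which is the per-connection detail the replies above describe as lost; `nat_addresses_per_destination` is one question that is only answerable while the connection records still exist. Lowering `idle_window` splits sessions further, showing that the session boundary itself is a policy of the aggregator, not a property of the traffic.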
PhoneBoy
Admin

0 Kudos
