This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Sarm_Chanatip
Collaborator
‎2019-03-25 01:05 AM

Report show spam category with "accept" actions but not blocking

Hi Everyone,

I'm doubting about the High-Risk Applications report was showing different action, although the application name was showing as the same category  

I have 2 highlights, one is the red margin and another one is the green margin.  Look at the red margin is shown to accept but not blocking. but the green margin is to show status alternately ( accept then block ) but some only show block

Block Anti Spam.jpg

Does anyone describe above to me?

 

Really appreciate every comment

 

Regards,

Sarm

0 Kudos
23 Replies
Norbert_Bohusch
Advisor
‎2019-03-25 01:49 AM

You have different rules in your policy which allow the same URL/category for some user/source-ip and deny it for others. That's why it is reported that way.

Drill-Down to see the logs related to the entries and look on the matched rules!

0 Kudos
Sarm_Chanatip
Collaborator
‎2019-03-25 02:17 AM
In response to Norbert_Bohusch

Hi Norbert

Look at rule no.22 and 23 these should be blocked spam, right?

Block Anti Spam_2.jpg

Regards,

Sarm

0 Kudos
Norbert_Bohusch
Advisor
‎2019-03-25 02:21 AM
In response to Sarm_Chanatip

Rule 22 is negated in application column, so this is not relevant for spam.
Please show details of the logs allowing or blocking the same destination traffic. Then I might be able to tell you why the action is different.

 

e.g. double-click this line in the view:

2019-03-25_10-24-34.png

0 Kudos
Sarm_Chanatip
Collaborator
‎2019-03-25 08:48 AM
In response to Norbert_Bohusch

Hi Norbert

Okay, let me check if I can see the log entries that relevant spam in the reports due to that report was correct since Nov 2018 - Jan 2019

I will update two of you again.

By the way, Is there any way to filter out with application name in the log entries view?

Thank you.

0 Kudos
PhoneBoy
Admin
Admin
‎2019-03-25 06:43 AM

Like Norbert said, we need to see the log entries to find out which rule it is accepting on.
Some sites/URLs have multiple categories and the traffic may be getting matched on a different (earlier) rule.
0 Kudos
Sarm_Chanatip
Collaborator
‎2019-03-25 08:51 AM
In response to PhoneBoy

Hi Admin,

I will provide you the log entries here once I find them.

Thank you
0 Kudos
Sarm_Chanatip
Collaborator
‎2019-03-25 11:53 AM
In response to Sarm_Chanatip

Hi All,

 

Please see the log entries that I was able to find some of them below.

For example, "stat.tracker.ared.re

2019-03-26_011345.jpg2019-03-26_011313.jpg2019-03-26_011355.jpg2019-03-26_011628.jpg2019-03-26_011714.jpg 

0 Kudos
Norbert_Bohusch
Advisor
‎2019-03-25 12:17 PM
In response to Sarm_Chanatip

The rule matched on application layer was rule number 23, but it looks like it was a different then the one you showed with block. The rule name is different, it is „Allow WiFi VIP.....“.

Click the rule name in the log and you will get to the matching rule.

0 Kudos
Wolfgang
Authority
Authority
‎2019-03-25 01:13 PM

The logs you are showing are from 30 Jan 2019. The installed policy is from some hours earlier.

Today we had March 25. Maybee you changed something in the rulebase and as a result the shown rulenumbers doesn‘t match.

As the other checkmates members wrote, clicking the rule entry in the logs brings up the matching rules.

The rule UIDs are not changing over time, but the rule numbers at the beginning of a rule line.

Wolfgang

0 Kudos
Sarm_Chanatip
Collaborator
‎2019-03-25 11:05 PM
In response to Wolfgang

Hi All

I tried to click the rule entry that problematic, found an error "failed to perform navigation" when clicking both rule number and a rule name column. They might be changed something but not sure this would be related to my report showing since 1Nove2018 - 31Jan 2019. As a result, we saw a spam site allowing in the report.

new 1.jpg

Please kindly advise me if I'm wrong.

 

Thank you.

Sarm

0 Kudos
Norbert_Bohusch
Advisor
‎2019-03-26 12:06 AM
In response to Sarm_Chanatip

Looks like the rule doesn't exist anymore.

You could try to find the rule by opening a revision from the history looking at the timeframe of the log entries.

0 Kudos
Sarm_Chanatip
Collaborator
‎2019-03-26 02:38 AM
In response to Norbert_Bohusch

Hi Norbert

Thank you for your recommendation, I will try to and update you again.
0 Kudos
Sarm_Chanatip
Collaborator
‎2019-03-26 10:47 PM
In response to Norbert_Bohusch

Hi Nortbert,

 

I just checked on the previous revision at the timeframe of the log entries, found that the rule number 23  which was previously set to allow but it supposed to fall the rule number 22 first then next to rule 23 respectively.

2019-03-27_121738.jpg

Any ideas?

Thank you

Sarm

Preview file
183 KB
0 Kudos
Norbert_Bohusch
Advisor
‎2019-03-26 11:45 PM
In response to Sarm_Chanatip

How come you think it should match rule 22.
The category in your log entry is "Spam" which is not covered by rule 22.
0 Kudos
Sarm_Chanatip
Collaborator
‎2019-03-26 11:54 PM
In response to Norbert_Bohusch

Hi Nortbert

Sorry, it was my fault I did not notice that there was no spam category in by rule 22.

But anyway, Can you clarify me regarding some application name that displayed in the reports shown action with accept then block in the same column?

Thank you
Sarm
0 Kudos
Norbert_Bohusch
Advisor
‎2019-03-27 12:13 AM
In response to Sarm_Chanatip

Now we know why we have the Accept. Now focus on Block.
Which rule is matching for Block? again look at the relevant log entry!
0 Kudos
Sarm_Chanatip
Collaborator
‎2019-03-27 12:52 AM
In response to Norbert_Bohusch

How can we filter the application with xl-trk.com? Because I need to retrieve the historical data that relevant to this log entry. It will help me faster to query.

1553231240280.jpg

0 Kudos
Norbert_Bohusch
Advisor
‎2019-03-27 12:57 AM
In response to Sarm_Chanatip

Easiest way is double-clicking the view on the relevant row.

But you can try free text search...

0 Kudos
Sarm_Chanatip
Collaborator
‎2019-03-27 01:53 AM
In response to Norbert_Bohusch

Hi Norbert

 

Please see screenshots as below

2019-03-27_153436.jpg2019-03-27_153517.jpg2019-03-27_153627.jpg2019-03-27_153746.jpg

0 Kudos
Norbert_Bohusch
Advisor
‎2019-03-27 01:59 AM
In response to Sarm_Chanatip

So as we see now, the Allow came from a rule matching only for 2 of your WiFi networks with Any Application and other sources are blocked from a rule further down, which Blocks the Spam category (besides others).
So that's why you see both actions in your view/report, because some were Allowed and others Blocked. So everything correct!
0 Kudos
Sarm_Chanatip
Collaborator
‎2019-03-27 02:36 AM
In response to Norbert_Bohusch

Maybe you're right. I will give you an example to check if my understanding is correct.

If I create the application rules one for source A to dest Z with action allow and one for source B to dest Z with action drop, where Z is spam site or else this means I will see application name (Z), category "Spam" with both action in my report, right?
0 Kudos
Norbert_Bohusch
Advisor
‎2019-03-27 02:53 AM
In response to Sarm_Chanatip

correct
0 Kudos
Sarm_Chanatip
Collaborator
‎2019-04-01 06:02 AM
In response to Norbert_Bohusch

Hi Norbert

Thank you for your great help and clarifying
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events