This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
D_TK
Advisor
‎2025-07-11 04:45 PM
Jump to solution

Take logging out of the implied rules

Happy Friday everyone.

Always running low on space on our current log server, so i've provisioned a new one with 40T of space and trying to get it receiving logs.  This server is on the inside of my network and privately addressed, so i need the logs to traverse the VPN path.

Management is R82 and gateways are R81.20.

Per the guide, the salient implied rules file is: /opt/CPR8120CMP-R82/lib/implied_rules.def

So i made this change : /* #define ENABLE_FWD_LOG */

After pushing policy to a gateway the logging continues to go out on the implied rule 0.


Any ideas on what i've missed here would be appreciate.

 

Thanks.

 

0 Kudos
1 Solution

Accepted Solutions
D_TK
Advisor
‎2025-07-17 04:25 PM
In response to the_rock
Jump to solution

with the help of a tac case, yeah.  I'm "pretty" sure the order that i did was:  modify implied rules file \ installed database only to the new log server \ and then pushed policy to the gateway.

Tac had me install database on everything  - 2 log servers and management...and then push policy again.  Started working immediately.  

That's why we all have support!

 

 

 

 

View solution in original post

7 Replies
the_rock
MVP Platinum
MVP Platinum
‎2025-07-12 07:29 AM
Jump to solution

If you go to smart console, security policy -> implied rules, see if its logged or not, you can uncheck it there.

Andy

Best,
Andy
0 Kudos
the_rock
MVP Platinum
MVP Platinum
‎2025-07-12 07:33 AM
In response to the_rock
Jump to solution

@D_TK 

I attached short video of what I meant. If this does not work, and what you tried failed as well, I would definitely verify with TAC.

Andy

Best,
Andy
Preview file
3537 KB
0 Kudos
D_TK
Advisor
‎2025-07-12 10:35 AM
In response to the_rock
Jump to solution

Thanks Andy.  I reread my initial post and i probably wasn't very clear.  I don't want to change the actually logging of the traffic that matches the implied rules.  I want to change the way the gateway communicates with the its log server - the actual tcp/257 traffic.  And i only want to change this behavior for logging since i have logs and management separate, the normal management <-> gateway control connections would stay the same.

 

Per what i read and what i've done in the past for LDAP, this implied rule setting should control that.

/* #define ENABLE_FWD_LOG */

I guess i'll open a tac on monday.

Have a great weekend.

 

the_rock
MVP Platinum
MVP Platinum
‎2025-07-12 10:49 AM
In response to D_TK
Jump to solution

I would get an official TAC response, agreed.

Have a good 1, as kids woukd say these days 🙂

Andy

Best,
Andy
0 Kudos
the_rock
MVP Platinum
MVP Platinum
‎2025-07-17 04:19 PM
Jump to solution

Hey @D_TK 

Were you able to figure this out?

Andy

Best,
Andy
0 Kudos
D_TK
Advisor
‎2025-07-17 04:25 PM
In response to the_rock
Jump to solution

with the help of a tac case, yeah.  I'm "pretty" sure the order that i did was:  modify implied rules file \ installed database only to the new log server \ and then pushed policy to the gateway.

Tac had me install database on everything  - 2 log servers and management...and then push policy again.  Started working immediately.  

That's why we all have support!

 

 

 

 

the_rock
MVP Platinum
MVP Platinum
‎2025-07-17 04:26 PM
In response to D_TK
Jump to solution

Great news!

Best,
Andy
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events