This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
RemoteUser
Advisor
‎2025-09-30 07:46 AM

Traffic is not visible on management.

Hi Mates.

The customer pointed out something unusual:

We can see traffic on the firewall via tcpdump, but no corresponding logs appear in SmartConsole (management).

Additional, the latest logs available in date back to a week ago, although traffic is clearly flowing through the firewall.

Do you have any ideas on what could be causing this behavior on S1C R82?

Thanks,

0 Kudos
40 Replies
PhoneBoy
Admin
Admin
‎2025-10-06 10:01 AM
In response to RemoteUser

What explicit rules do you have that involve SIP (i.e. where SIP or related services are mentioned)?
Relevant to the following, which may help: https://support.checkpoint.com/results/sk/sk65072 

0 Kudos
Lesley
MVP Gold
MVP Gold
‎2025-10-06 01:47 PM

voice is data stream, now rule is set to ''any'' try to create a rule above the any rule with a specific service that you need. 

Maybe use custom service and make sure to disable match for any under the service. 

second, not sure if this traffic applies to this but check global properties in Smart Console -> firewall -> enable log implied rules (if there are any enabled)

-------
Please press "Accept as Solution" if my post solved it 🙂
0 Kudos
RemoteUser
Advisor
‎2025-10-12 11:56 PM
In response to Lesley

Hi Lesley,

We tried adding a rule with a specific service, following the ATRG: VoIP guidelines.
However, it seems that the rule is not appearing in the logs.

0 Kudos
the_rock
MVP Platinum
MVP Platinum
‎2025-10-13 12:29 AM
In response to RemoteUser

Bro, did you check with TAC?

Best,
Andy
0 Kudos
RemoteUser
Advisor
‎2025-10-13 12:30 AM
In response to the_rock

yes, we're working togheter 

0 Kudos
the_rock
MVP Platinum
MVP Platinum
‎2025-10-13 12:30 AM
In response to RemoteUser

Hope its fixed soon!

Best,
Andy
the_rock
MVP Platinum
MVP Platinum
‎2025-10-14 10:52 AM
In response to RemoteUser

Hey bro,

Please do share how this gets solved.

Thanks so much in advance.

Andy

Best,
Andy
0 Kudos
JozkoMrkvicka
Authority
Authority
‎2025-10-14 12:09 PM

If the connection is using all the time same source port, same source IP, same destination port, same destination IP and same protocol, then the only log connection you see is very first 3-way handshake. Even if it happened 2 months ago, but connection was never removed from connection table.

It is seen for long-lasting services like NTP and syslog. It makes sense as it will kill logserver with heavy log volume for the same connection.

The only way how to see fresh log is to cut the connection from connection table or force the client to use new source port (restart the service).

Kind regards,
Jozko Mrkvicka
0 Kudos
the_rock
MVP Platinum
MVP Platinum
‎2025-10-14 12:11 PM
In response to JozkoMrkvicka

Its still odd Jozko that its ONLY for voip traffic...

Andy

Best,
Andy
0 Kudos
JozkoMrkvicka
Authority
Authority
‎2025-10-14 12:30 PM
In response to the_rock

If this is a case then yeah, strange indeed ...

Kind regards,
Jozko Mrkvicka
the_rock
MVP Platinum
MVP Platinum
‎2025-10-14 12:33 PM
In response to JozkoMrkvicka

Indeed... @RemoteUser has TAC case going, so will let us know once they have a solution.

Best,

Andy

Best,
Andy
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events