Oscar_Bernat
Explorer

Under what circumstances a new log is created within the Session unification timeout?

We work with a BAS technology to test security controls continuously. Missing events because of log suppression (default config) puts us in trouble, because our test outcome is filled with false negatives (all suppressed logs).

We would like to know the logic behind the creation of a new event under the Session unification timeout (suppressed logs). After some tests we observed that in connections with the same source, destination and application, when an application parameter changes (like the user agent in an HTTP request), the main event is updated with the new information (user agent), and also the lastupdatetime and the source port, but that does not always occur.

Any documentation or idea here?

0 Kudos
3 Replies
_Val_
Admin
Admin

Quoting from R81 logging and monitoring guide:

By default, after a session continues for three hours, the Security Gateway starts a new session log. You can change this in SmartConsole from the Manage & Settings view, in Blades > Application & URL Filtering > Advanced Settings > General > Connection unification.

0 Kudos
Oscar_Bernat
Explorer

I'm so sorry, my question was related to the Threat Prevention unification session timeout and the suppressed logs, not to Application and URL Filtering. We used the user agent in the HTTP connection to test and force the generation of new events for a specific threat; in that case we worked with the simplest one, making a connection to "http://www.threat-cloud.com/test/files/HighConfidenceBot.html" in order to generate a new Anti-Bot blade event. The point is that depending on the time between each new connection we can see the main event (Anti-Bot) updated or not. That's why we would like to know the logic behind creating or updating events when the suppressed logs feature is enabled (default).

0 Kudos
Timothy_Hall
Legend

Better late than never to answer this question. All Threat Prevention logs have a suppression period of 10 hours (600 minutes).
The suppression period restarts upon Threat Prevention policy reinstallation. Source: sk115876: Some fields are missing from IPS or Threat Prevention logs


Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com
0 Kudos
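The behaviour described in this thread (a 10-hour / 600-minute suppression window per Threat Prevention log, reset by a policy reinstall) is what makes a BAS schedule report suppressed events as false negatives. The following is an added example, not code from this thread, from Check Point or from any BAS vendor: it models that suppression as a simplified rule (first match on a given source, destination and protection opens a log; later matches inside the window only update that log; a policy install or an expired window lets the next match open a new log) so a test operator can predict which runs should be expected to produce a new log and which should only update the existing one. The model, the key fields chosen and the sample timestamps are assumptions constructed for illustration, not the gateway's actual unification algorithm.

```python
from collections import namedtuple
from datetime import datetime, timedelta

# Window quoted in the thread (sk115876): 10 hours = 600 minutes.
SUPPRESSION_WINDOW = timedelta(minutes=600)

# One BAS test run: when it fired and the fields assumed (our assumption)
# to identify one suppressed log entry.
TestRun = namedtuple("TestRun", "when src dst protection")

NEW_LOG = "new_log"                      # a fresh log entry is expected
UPDATES_EXISTING = "updates_existing_log"  # folded into the open log (suppressed)


def classify_runs(runs, policy_installs=(), window=SUPPRESSION_WINDOW):
    """Return [(run, verdict), ...] in time order under the simplified
    suppression model described in the lead-in."""
    runs = sorted(runs, key=lambda r: r.when)
    installs = sorted(policy_installs)
    open_logs = {}  # (src, dst, protection) -> time the current log was opened
    verdicts = []
    for run in runs:
        key = (run.src, run.dst, run.protection)
        opened = open_logs.get(key)
        # A policy reinstall between the log opening and this run resets
        # the suppression period, so this run opens a new log.
        reset = opened is not None and any(opened < t <= run.when for t in installs)
        if opened is None or reset or run.when - opened >= window:
            open_logs[key] = run.when
            verdicts.append((run, NEW_LOG))
        else:
            verdicts.append((run, UPDATES_EXISTING))
    return verdicts


def summarize(verdicts):
    """Count how many runs should yield a new log versus only an update."""
    new = sum(1 for _, v in verdicts if v == NEW_LOG)
    return {NEW_LOG: new, UPDATES_EXISTING: len(verdicts) - new}


# Constructed sample schedule (not real data): the same Anti-Bot test
# repeated from one host, plus one run from a second host.
D = datetime(2024, 1, 1)
SAMPLE_RUNS = [
    TestRun(D.replace(hour=8, minute=0), "10.0.0.5", "www.threat-cloud.com", "HighConfidenceBot"),
    TestRun(D.replace(hour=9, minute=30), "10.0.0.5", "www.threat-cloud.com", "HighConfidenceBot"),
    TestRun(D.replace(hour=8, minute=5), "10.0.0.9", "www.threat-cloud.com", "HighConfidenceBot"),
    TestRun(D.replace(hour=11, minute=0), "10.0.0.5", "www.threat-cloud.com", "HighConfidenceBot"),
    TestRun(D.replace(hour=20, minute=0), "10.0.0.5", "www.threat-cloud.com", "HighConfidenceBot"),
    TestRun(D.replace(hour=22, minute=0), "10.0.0.5", "www.threat-cloud.com", "HighConfidenceBot"),
]
# Constructed: one Threat Prevention policy install at 10:00.
SAMPLE_INSTALLS = [D.replace(hour=10, minute=0)]


if __name__ == "__main__":
    for run, verdict in classify_runs(SAMPLE_RUNS, SAMPLE_INSTALLS):
        print(run.when.strftime("%H:%M"), run.src, run.protection, "->", verdict)
    print(summarize(classify_runs(SAMPLE_RUNS, SAMPLE_INSTALLS)))
```

Runs that the model marks as `updates_existing_log` should be reconciled by checking the existing entry's lastupdatetime rather than counted as missed detections; to force a fresh log per run, the test cadence for a given source, destination and protection has to exceed the window, or the window has to be changed in the product settings.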