This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Oscar_Bernat
Explorer
‎2021-01-25 12:13 AM

Under what circumstances a new log is created within the Session unification timeout?

We work in a BAS technology to test security controls continuously, missing events because of the log suppression (default config) puts us in troubles because our test outcome is filled with false negatives (all suppressed logs)

We would like to know what's the logic behind the creation of a new event under the Session unification timeout (suppressed logs). After some tests we observed that in connections with the same source, destination and application , when an application parameter changes, (like the user agent in an HTTP request) the main event is updated with the new information (user agent), also, the lastupdatetime and the source port, but that does not occur always.

Any documentation or idea here?

0 Kudos
3 Replies
_Val_
Admin
Admin
‎2021-01-27 02:51 AM

Quoting from R81 logging and monitoring guide:

By default, after a session continues for three hours, the Security Gateway starts a new session log. You can change this in SmartConsole from the Manage & Settings view, in Blades > Application & URL Filtering > Advanced Settings > General > Connection unification.

0 Kudos
Oscar_Bernat
Explorer
‎2021-01-29 12:05 AM
In response to _Val_

I'm so sorry, my question was related to the Threat Prevention Unification session timeout and the suppressed logs, not about Application and URL filtering. We used the user-agent in the HTTP connection to test and force the generation of new events for a specific threat, in that case, we worked with the simplest one, making a connection to "http://www.threat-cloud.com/test/files/HighConfidenceBot.html" in order to generate a new anti-bot blade event. The question is that depending on the time between every new connection we can see the main event (anti-bot) updated or not. That's why we would like to know the logic behind creating or updating events when suppressed logs feature is enabled (default).

0 Kudos
Timothy_Hall
Legend Legend
Legend
‎2021-08-06 12:33 PM
In response to Oscar_Bernat

Better late than never to answer this question.  All Threat Prevention logs have a suppression period of 10 hours (600 minutes).
The suppression period restarts upon Threat Prevention policy reinstallation.  Source: sk115876: Some fields are missing from IPS or Threat Prevention logs

 

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events