Viewing Rule Logs
Hi All,
Recently, while working on Check Point logs, I noticed that for some of the app/url blade rules, when I clicked on the Logs tab in the bottom pane, the logs for the current policy displayed as expected. However, for certain app/url blade rule logs, I observed that they showed me the access rule number and access rule name of the firewall blade instead.
I was wondering if you could provide some insight into why this discrepancy occurs. Is there a specific reason behind this difference in log display for these particular app/url blade rules?
Thank you for your time and assistance. I greatly appreciate your expertise in this matter.
It's hard to comment on this without seeing the rules, logs and policy configuration but it may be that the session logs created by URLF and APPC are there, but are being buried somewhat by the connection logs from the FW blade. You are able to configure log generation by either connection, session or both in the log configuration per policy rule. So that needs checking too.
Assuming there is a possibility this happens, could you please provide some clarification on why these firewall blade logs are being reflected within the URLF and APPC rule policy?
What version are you running?
The software version is r80.40.
If I am not clear, let me give you one scenario: I configured an access rule in the firewall blade that is intended to block users' web access (HTTP, HTTPS, DNS) services. Additionally, I have also blocked checkpoint.com through Application Control (Appc) and URL Filtering (Urlc). However, when I checked the logs for this particular rule in the Urlc/Appc section, the web access rules log is displayed.
Access Control Policy applies for both Firewall Blade and Application Control & URL Filtering.
If the "Firewall" rule is matched first the log will be given for it.
If the "Firewall" rule is not matched and then the rule with the relevant Application or URL is matched then you'll see the log for it.
So perhaps the Application Control & URL Filtering rule was not matched?
It truly depends on your policy configuration, what precise services are used in the rules, and what is being matched in the end for the traffic.
Multiple policy layers will also have an impact.