This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
ihenock101
Collaborator
‎2023-07-03 10:51 PM

Viewing Rule Logs

Hi All,

Recently, while working on checkpoint logs, I noticed that for some of the app/url blade rules, when I clicked on the Logs tab in the bottom pane for the the current policy logs displayed  as expected . However, for certain app/url blade rule logs, I observed that they showed me the access rule number and access rule name of the firewall blade instead.

I was wondering if you could provide some insight into why this discrepancy occurs. Is there a specific reason behind this difference in log display for these particular app/url blade rules?

Thank you for your time and assistance. I greatly appreciate your expertise in this matter.

0 Kudos
6 Replies
emmap
MVP Gold CHKP MVP Gold CHKP
MVP Gold CHKP
‎2023-07-03 11:52 PM

It's hard to comment on this without seeing the rules, logs and policy configuration but it may be that the session logs created by URLF and APPC are there, but are being buried somewhat by the connection logs from the FW blade. You are able to configure log generation by either connection, session or both in the log configuration per policy rule. So that needs checking too. 

0 Kudos
ihenock101
Collaborator
‎2023-07-04 01:03 AM
In response to emmap

Assuming there will be a possibility these happens, could you please provide some clarification on why these firewall blade logs are being reflected within the URLF and APPC rule policy  ?

0 Kudos
Tal_Paz-Fridman
MVP Silver CHKP MVP Silver CHKP
MVP Silver CHKP
‎2023-07-04 06:13 AM
In response to ihenock101

What version are running? 

0 Kudos
ihenock101
Collaborator
‎2023-07-04 10:32 PM
In response to Tal_Paz-Fridman

The software version is r80.40. 

If I am not clear let me give you one scenario, I configured an access rule in the firewall blade that is intended to block users web access (HTTP, HTTPS,DNS) services. Additionally, I have also blocked checkpoint.com through Application Control (Appc) and URL Filtering (Urlc). However, when I checked the logs for this particular rule in the Urlc/Appc section, the web access rules log is displayed. 

 

0 Kudos
Tal_Paz-Fridman
MVP Silver CHKP MVP Silver CHKP
MVP Silver CHKP
‎2023-07-04 11:33 PM
In response to ihenock101

Access Control Policy applies for both Firewall Blade and Application Control & URL Filtering. 

If the "Firewall" rule is matched first the log will be given for it.

If the "Firewall" rule is not matched and then the rule with the relevant Application or URL is matched then you'll see the log for it.

So perhaps the Application Control & URL Filtering rule was not matched? 

PhoneBoy
Admin
Admin
‎2023-07-05 06:58 AM

It truly depends on your policy configuration, what precise services are used in the rules, and what is being matched in the end for the traffic.
Multiple policy layers will also have an impact.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events