ihenock101
Collaborator

Viewing Rule Logs

Hi All,

Recently, while working on Check Point logs, I noticed that for some of the app/url blade rules, when I clicked on the Logs tab in the bottom pane, the current policy logs were displayed as expected. However, for certain app/url blade rule logs, I observed that they showed me the access rule number and access rule name of the firewall blade instead.

I was wondering if you could provide some insight into why this discrepancy occurs. Is there a specific reason behind this difference in log display for these particular app/url blade rules?

Thank you for your time and assistance. I greatly appreciate your expertise in this matter.

0 Kudos
6 Replies
emmap
Employee

It's hard to comment on this without seeing the rules, logs and policy configuration, but it may be that the session logs created by URLF and APPC are there, but are being buried somewhat by the connection logs from the FW blade. You are able to configure log generation by either connection, session or both in the log configuration per policy rule. So that needs checking too.

0 Kudos
ihenock101
Collaborator

Assuming there is a possibility this happens, could you please provide some clarification on why these firewall blade logs are being reflected within the URLF and APPC rule policy?

0 Kudos
Tal_Paz-Fridman
Employee

What version are you running?

0 Kudos
ihenock101
Collaborator

The software version is R80.40.

If I am not clear, let me give you one scenario: I configured an access rule in the firewall blade that is intended to block users' web access (HTTP, HTTPS, DNS) services. Additionally, I have also blocked checkpoint.com through Application Control (Appc) and URL Filtering (Urlc). However, when I checked the logs for this particular rule in the Urlc/Appc section, the web access rules log is displayed.

 

0 Kudos
Tal_Paz-Fridman
Employee

The Access Control Policy applies to both the Firewall Blade and Application Control & URL Filtering.

If the "Firewall" rule is matched first, the log will be given for it.

If the "Firewall" rule is not matched and then the rule with the relevant Application or URL is matched, then you'll see the log for it.

So perhaps the Application Control & URL Filtering rule was not matched?

PhoneBoy
Admin

It truly depends on your policy configuration, what precise services are used in the rules, and what is being matched in the end for the traffic.
Multiple policy layers will also have an impact.

0 Kudos
