Herschel_Liang
Collaborator

Can we view SNX logs (including which users access which destination)?

Topology: Internet -- F5 (SNAT & DNAT for CP) -- CP (Mobile Access VPN/SNX)

The client's auditors found that they cannot view a log that includes which user accessed which host (destination) in one record, while I only found the Remote Access log (including which user accessed which host/destination). Because the F5 does SNAT for SNX, we cannot see which source accessed which destination from the logs. Look at the capture I uploaded. So the client feels it is not acceptable. Is this expected/designed, or another issue? It was a tad confusing.

0 Kudos
8 Replies
PhoneBoy
Admin

What precisely do you see in the logs versus what do you expect to see?
Concrete examples would be helpful.
If the issue is that the source IP of the F5 is logged versus the client's actual public IP, not sure there's much we can do there as we have no way of knowing that if an intermediary device does NAT on behalf of the Check Point.
0 Kudos
Herschel_Liang
Collaborator

Normal log:
source ip | user | source port -> destination ip | protocol | destination port | action, something like that; it is helpful for audit.
But we found we cannot find the destination IP in the logs. Look at the capture. If there are no logs to view which user accesses which destination IP, it is unacceptable for audit. Is it expected/designed behavior or another issue?

0 Kudos
PhoneBoy
Admin

This looks like the login via SNX.
I would expect logs for other things that client is doing.
You're not seeing those?
Are you using a Legacy or Unified policy here and what precise rules are allowing this group of users to access the specified servers?
0 Kudos
Herschel_Liang
Collaborator

Sure, users log in via SNX. No more logs for those. They are using a Legacy policy, and precise rules like that: a normal user group accessing a native application.
0 Kudos
PhoneBoy
Admin

What are your logging settings?
I suspect you might need to adjust them as it looks like, by default, it may not log all access.
See screenshot below.

[Screenshot: Capture.PNG]

0 Kudos
Herschel_Liang
Collaborator

See screenshot, 2.

0 Kudos
PhoneBoy
Admin

You may want to enable "All access events" for Gateway Resources.
If that doesn't help, this is probably TAC case territory.
0 Kudos
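Added example, not code from the thread or from Check Point: once access events are logged, an auditor still needs "which user reached which destination", and any record whose source is the F5 SNAT address cannot reveal the real client IP at the gateway. This script parses constructed, simplified key=value records (field names are assumptions, not the exact Check Point log schema), builds the per-user destination report, and flags SNAT-masked sources that must be joined with F5 logs by user and time.

```python
# Added example (not from the thread): build a user -> destination audit view
# from access records and flag sources that are the F5 SNAT address.
import ipaddress
from collections import defaultdict

# Assumed F5 SNAT pool sitting in front of the Mobile Access gateway.
SNAT_POOL = ipaddress.ip_network("10.10.10.0/29")

# Constructed sample records in a simplified key=value form.
SAMPLE_LOGS = """\
time=10:00:01 product=Mobile_Access action=login user=alice src=10.10.10.2
time=10:00:05 product=VPN-1 action=accept user=alice src=10.10.10.2 dst=192.168.5.20 service=tcp/3389
time=10:00:09 product=VPN-1 action=accept user=bob src=10.10.10.3 dst=192.168.5.21 service=tcp/22
time=10:00:12 product=VPN-1 action=accept src=203.0.113.7 dst=192.168.5.20 service=tcp/443
time=10:00:15 product=VPN-1 action=drop user=bob src=10.10.10.3 dst=192.168.5.99 service=tcp/445
"""

def parse_record(line):
    """Split one key=value line into a dict (values carry no spaces here)."""
    return dict(field.split("=", 1) for field in line.split())

def audit_access(log_text, snat_pool=SNAT_POOL):
    """Return {user: [(dst, service, action, src_masked), ...]}.

    src_masked is True when the logged source is an F5 SNAT address: the real
    client IP is absent from this log and must be joined from the F5 by user
    and time. Records without a user field are reported under "<no-user>".
    """
    report = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_record(line)
        if "dst" not in rec:            # login events carry no destination
            continue
        masked = ipaddress.ip_address(rec["src"]) in snat_pool
        report[rec.get("user", "<no-user>")].append(
            (rec["dst"], rec["service"], rec["action"], masked))
    return dict(report)

def masked_fraction(report):
    """Share of access records whose source is SNAT-masked (0.0 if none)."""
    rows = [r for rows in report.values() for r in rows]
    return sum(1 for r in rows if r[3]) / len(rows) if rows else 0.0

if __name__ == "__main__":
    for user, rows in audit_access(SAMPLE_LOGS).items():
        for dst, svc, action, masked in rows:
            flag = "  [src is F5 SNAT: join with F5 logs]" if masked else ""
            print(f"{user:10} -> {dst} {svc} {action}{flag}")
```

A record with no user field and a non-SNAT source (the 203.0.113.7 line) is reported separately, since it is the kind of entry an auditor cannot attribute to anyone.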
Herschel_Liang
Collaborator

I have requested a TAC case, but they still need some time to test and confirm. 0.0......
0 Kudos