cancel
Showing results for 
Search instead for 
Did you mean: 
Post a Question

Extended (detailed) log for Implied Rules

Jump to solution

Hi community, is there a way to enable the extended log (or a log with more information) for the Implied Rules?

I followed the sk110218 and still cannot see some information in the logs generated for implied rules.

Specifically, I need to see which QoS rule match to traffic from our gateway to the Check Point cloud servers, cause I have multiple drops in the URL Filtering categorization and some timeouts in the Threat Emulation Cloud Service.

I also tried using the Implied Policy menu but I cannot edit the track column, maybe through GUIDBEdit?

Thanks!

Labels (1)
1 Solution

Accepted Solutions

Re: Extended (detailed) log for Implied Rules

Jump to solution

Hi Vladimir, as I say in the first post, I followed the sk110218 and still cannot see the QoS rules that match the implied rules traffic.

I've some ideas:

- Right now I'm creating a rules on top the both security and application policies, and setting the extended log track on the application one (EDIT: this one solved the issue).

- If the above doesn't work, I'll trying to create a custom event, but for the logs cards I see the QoS rules (internet browsing rules) aren't correlated so I don't think that is the right way.

Any other ideas are welcome, thanks!

0 Kudos
3 Replies
Vladimir
Pearl

Re: Extended (detailed) log for Implied Rules

Jump to solution

As per sk110218, How to enable logging of informative implied rules on R80.10 Security Gateway 

Temporary Instructions:

Note: In cluster environment, this procedure must be performed on all members of the cluster.

  1. Connect to command line on Security Gateway.

  2. Log in to Expert mode.

  3. Enable logging of informative implied rules by setting the value of kernel parameter fw_log_informative_implied_rules_enabled to 1 (one):

    • To check the current value of this kernel parameter:

      [Expert@HostName]# fw ctl get int fw_log_informative_implied_rules_enabled 

    • To set the desired value for this kernel parameter on-the-fly (does not survive reboot):

      [Expert@HostName]# fw ctl set int fw_log_informative_implied_rules_enabled 1 

or permanent:

To set the desired value for this kernel parameter permanently:

Follow sk26202 - Changing the kernel global parameters for Check Point Security Gateway.

  1. Create the $FWDIR/boot/modules/fwkern.conf file (if it does not already exit):

    [Expert@HostName]# touch $FWDIR/boot/modules/fwkern.conf 

  2. Edit the $FWDIR/boot/modules/fwkern.conf file in Vi editor:

    [Expert@HostName]# vi $FWDIR/boot/modules/fwkern.conf 

  3. Add the following line (spaces are not allowed):

    fw_log_informative_implied_rules_enabled=1 

  4. Save the changes and exit from Vi editor. 

  5. Check the contents of the $FWDIR/boot/modules/fwkern.conf file:

    [Expert@HostName]# cat $FWDIR/boot/modules/fwkern.conf 

  6. Reboot the Security Gateway. 

  7. Verify that the new value was set:

    [Expert@HostName]# fw ctl get int fw_log_informative_implied_rules_enabled
0 Kudos

Re: Extended (detailed) log for Implied Rules

Jump to solution

Hi Vladimir, as I say in the first post, I followed the sk110218 and still cannot see the QoS rules that match the implied rules traffic.

I've some ideas:

- Right now I'm creating a rules on top the both security and application policies, and setting the extended log track on the application one (EDIT: this one solved the issue).

- If the above doesn't work, I'll trying to create a custom event, but for the logs cards I see the QoS rules (internet browsing rules) aren't correlated so I don't think that is the right way.

Any other ideas are welcome, thanks!

0 Kudos

Re: Extended (detailed) log for Implied Rules

Jump to solution

Ok, the rules worked like a charm.

I'm not sure if the security rule is necessary as I'm only able to enable the extended log track setting in the application one, but right now if isn't broken...

Thanks community, marked the above as the correct answer.

0 Kudos