Collaborator

Inline Layer - Logging

Hi,

We observed an issue with a shared inline layer in R80.20.

The inline layer is used multiple times in the same policy for several reasons.

There are now 2 issues:

1. First, the Hitcounter in the inline layer is also shared. In this attached demo example, the Hitcounter for Rule4.1, Rule5.1 and Rule9.1 is identical and has the same value.

2. Second, in the log, a search for rule numbers 5.1 and 9.1 does not show any results. Everything is in the log for Rule4.1, which makes troubleshooting much more difficult.

So, is this correct and by design? Or is this a bug that nothing is showing up in the log for R9.1, R5.1?

Thanks

Best Regards

R80.20-inline layer.PNG

0 Kudos
5 Replies
Admin

I’m going to guess both issues stem from the fact the rule UID is the same in all cases.
Am curious about the precise use case for reusing the same layer multiple times in the same policy.
0 Kudos
Employee+

#1. As Phoneboy wisely said, I believe the sharing of the Hitcount is a known limitation due to sharing of the RuleUID - still verifying for sure.

#2. For the Logs issue: That should work, as the inline layer rules are differentiated by their parent layer.

Example: rule:5.x (or 9.x, like rule:5.1) should work & only show that exact rule's logs.

Are you absolutely sure that you don't have any logs matching the 2nd/3rd inline layers of 4.1 & 5.1?

Did you check their Lower pane Logs view (Current Rule) -> No Logs at all.

You're saying that rule:4.1's Current rule shows logs from all 3 layers (including from rules 5.1 & 9.1)?

Can you also share a few examples of logs from the 2nd/3rd inline layers showing matches from these rules? (5.x or 9.x?)

# Privately or publicly here, whichever suits you.

# Feel free to email me directly at: drora@checkpoint.com (Dror Aharony).

0 Kudos
Collaborator

#2. For the Logs issue: That should work, as the inline layer rules are differentiated by their parent layer.

Example: rule:5.x (or 9.x, like rule:5.1) should work & only show that exact rule's logs.

Are you absolutely sure that you don't have any logs matching the 2nd/3rd inline layers of 4.1 & 5.1?

YES

Did you check their Lower pane Logs view (Current Rule) -> No Logs at all.

You're saying that rule:4.1's Current rule shows logs from all 3 layers (including from rules 5.1 & 9.1)?

YES, I checked the logs. Traffic appears in Rule4.1. Not in Rule 5.1 and 9.1.

0 Kudos
Employee+

#1: Hitcount on shared inline layers > Currently a limitation. I'll try to push for a fix.

#2. Matching logs on different uses of same shared inline layer > As I said, it works in general.

This has to be something specifically on your env. We'll need to investigate it, as there isn't an easy answer here.

Can you share any logs matching the other inline layer rule uses (5.1 or 9.1)? [privately]

0 Kudos
Employee+

Hi,

According to your screenshot of the rule base, I'm wondering why you think you will have a hit on rules 5.1 and 9.1?

I'm not sure you should be matched on those rules.

Rule 5 is traffic that goes from External Zone to a specific web server, so how will 5.1 be matched?

Rule 9 is any any with RDP services; how will 9.1 be matched?

0 Kudos