S_E_
Advisor

Inline Layer - Logging

Hi,

We observed an issue with a shared inline layer in R80.20.

The inline layer is used multiple times in the same policy for several reasons.

There are now 2 issues:

1. First, the Hitcounter in the inline layer is also shared. In this attached demo example, the Hitcounter for Rule4.1, Rule5.1 and Rule9.1 is identical and has the same value.

2. Second, in the log, a search for rule numbers 5.1 and 9.1 does not show any results. Everything is in the log for Rule4.1, which makes troubleshooting much more difficult.

So, is this correct and by design? Or is this a bug that nothing is showing up in the log for R9.1, R5.1?

Thanks

Best Regards

 

R80.20-inline layer.PNG

 

 

0 Kudos
5 Replies
PhoneBoy
Admin

I’m going to guess both issues stem from the fact the rule UID is the same in all cases.
I'm curious about the precise use case for reusing the same layer multiple times in the same policy.
0 Kudos
Dror_Aharony
Employee Alumnus

#1. As PhoneBoy wisely said, I believe the sharing of the Hitcount is a known limitation due to sharing of the RuleUID - still verifying for sure.

#2. For the Logs issue: That should work, as the inline layer rules are differentiated by their parent layer.

        Example: rule:5.x (or 9.x, like rule:5.1) should work & only show that exact rule's logs.

   Are you absolutely sure that you don't have any logs matching the 2nd/3rd inline layers of 4.1 & 5.1?

   Did you check their Lower pane Logs view (Current Rule) -> No Logs at all.

   You're saying that rule:4.1's Current rule shows logs from all 3 layers (including from rules 5.1 & 9.1)?

        

Can you also share a few examples of logs from the 2nd/3rd inline layers showing matches from these rules? (5.x or 9.x?)

# Privately or publicly here, whichever suits you.

# Feel free to email me directly at: drora@checkpoint.com (Dror Aharony).

0 Kudos
S_E_
Advisor

#2. For the Logs issue: That should work, as the inline layer rules are differentiated by their parent layer.

        Example: rule:5.x (or 9.x, like rule:5.1) should work & only show that exact rule's logs.

   Are you absolutely sure that you don't have any logs matching the 2nd/3rd inline layers of 4.1 & 5.1?

 

YES

 

   Did you check their Lower pane Logs view (Current Rule) -> No Logs at all.

   You're saying that rule:4.1's Current rule shows logs from all 3 layers (including from rules 5.1 & 9.1)?

 

YES, I checked the logs. Traffic appears in Rule4.1. Not in Rule 5.1 and 9.1.

        

 

 
 
0 Kudos
Dror_Aharony
Employee Alumnus

#1: Hitcount on shared inline layers > Currently a limitation. I'll try to push for a fix.

#2. Matching logs on different uses of same shared inline layer > as I said, it works in general.

      This has to be something specifically on your env. We'll need to investigate it, as there isn't an easy answer here.

      Can you share any logs matching the other inline layer rule uses (5.1 or 9.1)? [privately]

0 Kudos
Ilya_Yusupov
Employee

Hi,

 

According to your screenshot of the rule base, I'm wondering why you think you will have hits on rules 5.1 and 9.1?

I'm not sure you should be matched on those rules.

Rule 5 is traffic that goes from External Zone to a specific web server, so how will 5.1 be matched?

Rule 9 is any any with RDP services; how will 9.1 be matched?

0 Kudos
