Ivory

Interpretation of Network Activity report

How exactly do you correctly interpret this report?

 

Interpret1 has only 269 accept logs on the internal firewall, which I can hardly believe given the number of people that work here. Drop and Reject is a lot, which looks normal to me.

Interpret2 is the same: low accept logs on the internal firewall, although I know there is a lot of internal traffic.
A failover happened on this day; that's the reason why you also see high activity on IFW02. Normally IFW01 is the primary active one.

Interpret3 is a report of 5 days: still low accept logs on the internal firewall. Drop and Reject is a lot, which again looks normal to me.

How is this possible when we log all rules in the policy where traffic has been accepted? Or how do I have to interpret this?

 

0 Kudos
3 Replies
Admin

Re: Interpretation of Network Activity report

What does the Track field for the rules that accept the traffic say?
If it says Log and/or don't include Session info, they won't get indexed and won't appear in the reports.
0 Kudos
Ivory

Re: Interpretation of Network Activity report

The screenshot shows how it looks in our policy, quite normal I guess.

When looking at some log entries, I could indeed see that a lot of them don't have a Session tab.

I would have expected when you log your rules in your policy, that this would fully reflect in the Network Activity Report.
Is there a way to literally see all accept hits in the report?

0 Kudos
Admin

Re: Interpretation of Network Activity report

You’d have to Right-Click on each instance of Log in the Track field, select More, then tick the Log Generation Per Session checkbox.
Some additional discussion around this here: https://community.checkpoint.com/t5/Logging-and-Reporting/Creating-reports-with-tracking-quot-per-co...
0 Kudos