Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Highlighted
Contributor

MAC Info is missing in Log Profile

Hi Mates,

I have a problem seeing MAC address information in the Logs though MAC address feature is added to the profile. Could anyone help me finding it or if I missed anything in here. 

Thanks in advance. 

8 Replies
Highlighted
Admin
Admin

What you're editing is what log fields show.

That does not reflect what information is actually logged.

In the regular Firewall/Access Policy, MAC addresses are not something we filter on nor is it something we log.

The only part of the product that appears to log MAC addresses at all is Mobile Access and even then it is only the client MAC.

Highlighted
Champion
Champion

To further expand on what Dameon said, I'm pretty sure that by the time the Check Point INSPECT driver/engine on the gateway receives the IP packet for inspection, the underlying Gaia/Linux NIC driver has already removed the Ethernet framing containing the MAC addresses.  This is why one must use tcpdump to see MAC addresses (-e option) in a packet capture situation, and they will not be displayed when using fw monitor.

--
Second Edition of my "Max Power" Firewall Book
Now Available at http://www.maxpowerfirewalls.com

R80.40 addendum for book "Max Power 2020" now available
for free download at http://www.maxpowerfirewalls.com
Highlighted
Admin
Admin

As Dameon mentioned already, logging Layer 2 info is a rare case for Check Point products. Firewalling is done on Layer 3 and above. 

0 Kudos
Highlighted
Participant

What about logging MAC address information in address spoofing alert?    Is that something that is possible to log or is it only possible to run a tcpdump and try to capture in real time?

 

0 Kudos
Highlighted
Contributor

Actually you can find any MAC address by use this tcpdump:

tcpdump -n -e -i ethXX host XX.XX.XX.XX -vv

 

 

0 Kudos
Highlighted
Contributor

you can find the MAC address of spoofing address just use the IP & ethx:

tcpdump -n -e -i ethXX host XX.XX.XX.XX -vv

I used it, it's works!!!

0 Kudos
Highlighted
Participant

Murad,

I was looking for the MAC address to be shown in the actual spoof log.....not from a tcpdump 🙂

 

0 Kudos
Highlighted
Leader
Leader

It‘s not possible to view the MACs in the Longview of Smartconsole.

Wolfgang
0 Kudos