cancel
Showing results for 
Search instead for 
Did you mean: 
Post a Question

R77.30 Sessions vs R80.10 Logs IPS Events

I have been running SMTP reports in R77.30 showing blocked events for a long time and was getting "Sessions" in the IPS report. Now with R80.10 the same IPS SMTP report shows "Logs". The log number is much lower then the sessions number in R77.30.

What is the difference between a Session vs. Log in the newer version? It is making my metrics look like Checkpiont is not blocking as much traffic. R77.30R80.10

Labels (3)
2 Replies
Admin
Admin

Re: R77.30 Sessions vs R80.10 Logs IPS Events

It's a difference in terminology between the versions. 

In R80.x, the management correlates most connections into sessions (a collection of multiple individual, but related connections), which show up as a single log entry.

In R77.30 and earlier, which does not do this correlation by default, sessions refer to individual connections. 

0 Kudos

Re: R77.30 Sessions vs R80.10 Logs IPS Events

Hi Tony,

There are two factors at work here: Session Logging and Log Suppression.  Please see this content I recently put together explaining the difference in regards to the IPS feature.  Another small excerpt of this new content is located here:  Another SmartConsole Usability Issue 

Module 6 – IPS Logging


Session Logging

    • Although not directly related to IPS logging, R80.10+ management by default will attempt to consolidate individual connection logs into a session log.  This feature is commonly confused with Log Suppression which is quite relevant to IPS logging and covered next.
    • A connection log typically only contains very basic information such as Layer 3 and Layer 4 information, while a session log is a collection (or superset) of individual connections.
    • A session is a period that starts when a user first accesses an application or site. During a session, the gateway records one log for each application or site that a user accesses. All activity that the user performs within the session is included in the single session log.  

    • Note the multiple tabs (such as “Matched Rules”) in this single log entry, don’t miss these as they contain valuable information!
    • For more information about session logging see this CheckMates article (from which the above screenshot was taken) by Moti Sagey at:  
    • To determine the actual number of individual connections made during a session, see the Suppressed Logs field of the log (not shown above).

IPS Log Suppression

  •  When a ThreatCloud IPS Protection is matched and Track is set to Log, a log entry is generated.  Within a period of two minutes, if the same IPS Protection is matched again with all the same connection attributes (IP addresses, ports, etc) a second log entry is not generated.  The Suppressed Logs counter of the original log entry is simply incremented.  Note that Log Suppression does not occur for logs generated by Core Activations or Inspection Settings.
  • After two minutes measured from the first detection of this attack, if the same attack is still ongoing a new log entry is created and its Suppressed Logs counter is then incremented.
  • Note that when viewing an IPS Log Entry, numerous actions are available including:
            Viewing the attack attributes at the Check Point ThreatWiki website
            Creating an Exception (covered later in this module)
            Viewing Remediation Options

--
Second Edition of my "Max Power" Firewall Book
Now Available at http://www.maxpowerfirewalls.com

"IPS Immersion Training" Self-paced Video Class
Now Available at http://www.maxpowerfirewalls.com