Solved: Re: Avoid tracking connection but still log sk1134...

frenzetti · ‎2023-11-03

Hi,

We need to allow users to reach a certain site but avoid tracking the connection.
We created a rule setting logging to "none" but the console displays the error Connection terminated before the Security Gateway was able to make a decision: Insufficient data passed. To learn more see sk113479.

Connection starts in http and then switches to https. Only http traffic (with the error) is logged. Https is correctly not tracked

Has anyone found themselves in the same situation and managed to resolve it?

Release is 81.10, blade are firewall and application control

Thx for your support

F

PhoneBoy · ‎2023-11-09

If the rule that is matched in the other layer is set to log, the connection will be logged.
This is expected behavior.
If this isn't the case, I recommend a TAC case: https://help.checkpoint.com

View solution in original post

PhoneBoy · ‎2023-11-03

What does the rule that permits the traffic look like?
Unless it contains http explicitly (the service), this is expected behavior.
To resolve the issue, add http to the the Services for the relevant rule (or create a new one).

frenzetti · ‎2023-11-07

Hi @PhoneBoy , thx for your response.

Rule number 1 (above all) looks like this:

Source = Any
Destination = IP Address Object
Services = http,https
Log = None
Install On = Target Cluster

Still logging

PhoneBoy · ‎2023-11-07

Can you provide a full log card (with sensitive details redacted)?
I suspect this may be a bug of some sort and will require TAC to assist: https://help.checkpoint.com

frenzetti · ‎2023-11-07

Hi @Daphne_Reese , what is exactly needed (when you say 'full log card')

PhoneBoy · ‎2023-11-07

When you double-click on an individual log entry, you will see a screen pop up with more details; This is the log card.

frenzetti · ‎2023-11-08

Hi, today we splitted the rule.

Rule 1 for service HTTP, Drop, No-Log

Rule 2 switched Services to ANY, Accept, No-Log (Any protocol: ping, https, ntp, etc)

Rule Number 1 is matched and no log is present for HTTP - that's ok

For HTTPS, as you can see, matched rule is exactly number 2 but still logging

PhoneBoy · ‎2023-11-08

What is the precise destination here?
Is it the gateway or something else?
What about using the explicit https service in Rule 2?
Are there other ordered Access Policy layers in use or just the one?

frenzetti · ‎2023-11-09

What is the precise destination here? Destination is an IP Address (in rule we put IP Address Object)
Is it the gateway or something else? External WebSite
What about using the explicit https service in Rule 2? Tried without success
Are there other ordered Access Policy layers in use or just the one? URL/App filtering with allow policy but no log about AppControl blade

PhoneBoy · ‎2023-11-09

If the rule that is matched in the other layer is set to log, the connection will be logged.
This is expected behavior.
If this isn't the case, I recommend a TAC case: https://help.checkpoint.com

frenzetti · ‎2023-11-10

Hi @PhoneBoy we will set no-log on all layers and try again.

Otherwise we will open the TAC case.

Thx

F

Are you a member of CheckMates?

Avoid tracking connection but still log sk113479