This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Herschel_Liang
Collaborator
‎2020-04-18 04:33 AM

Can we view SNX log(include users access which destination )?

Topology:  Internet -- F5(SNAT&DNAT for CP) -- CP(Mobile access VPN/SNX)

The client auditors found that they can not view log(include which user access which host(destination) in one log) while I only found Remote Access log(including which user access which host(destination)). Due to F5 do SNAT for SNX, we can not view different source access which destination according logs. Look at capture I uploaded. So, the client feel it is not acceptable. Does it expected/designed or other issue? It was a tad confusing.

Preview file
13 KB
0 Kudos
8 Replies
PhoneBoy
Admin
Admin
‎2020-04-18 08:37 AM

What precisely do you see in the logs versus what do you expect to see?
Concrete examples would be helpful.
If the issue is that the source IP of the F5 is logged versus the client's actual public IP, not sure there's much we can do there as we have no way of knowing that if an intermediary device does NAT on behalf of the Check Point.
0 Kudos
Herschel_Liang
Collaborator
‎2020-04-18 05:11 PM
In response to PhoneBoy

Normal log:
source ip | user | source port -> destination ip | potocol | destination port | action, something like that, it is helpful for audit.
But we found we can not found destination ip in logs. Look at capture. If no logs for view which user access which destination ip, it is unacceptable for audit. Is it expected/designed behavior or other issue?

Preview file
13 KB
0 Kudos
PhoneBoy
Admin
Admin
‎2020-04-18 07:09 PM
In response to Herschel_Liang

This looks like the login via SNX.
I would expect logs for other things that client is doing.
You're not seeing those?
Are you using a Legacy or Unified policy here and what precise rules are allowing this group of users to access the specified servers?
0 Kudos
Herschel_Liang
Collaborator
‎2020-04-18 07:13 PM
In response to PhoneBoy

Sure, user login via SNX. No more log for those. They are using Legacy policy and precise rules like that normal user group access native application.
0 Kudos
PhoneBoy
Admin
Admin
‎2020-04-18 07:57 PM
In response to Herschel_Liang

What are your logging settings?
I suspect you might need to adjust them as it looks like, by default, it may not log all access.
See screenshot below.

Capture.PNG

0 Kudos
Herschel_Liang
Collaborator
‎2020-04-18 08:02 PM
In response to PhoneBoy

See screenshot, 2.

Preview file
18 KB
0 Kudos
PhoneBoy
Admin
Admin
‎2020-04-18 08:05 PM
In response to Herschel_Liang

You may want to enable "All access events" for Gateway Resources.
If that doesn't help, this is probably TAC case territory.
0 Kudos
Herschel_Liang
Collaborator
‎2020-04-18 08:18 PM
In response to PhoneBoy

I have requested TAC case, but he remain need some time to test and confirm. 0.0......
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events