Can't query and find IPv6 addresses in Log on R80.40
Hi everybody!
The point is: I cannot find the expected IPv6 addresses when I query the Log on the Internet FW. (Maybe I don't use the right syntax for IPv6 querying?)
I'm sure that IPv6 support is enabled. I know that some IPv6 clients successfully get access from the web to our published sites.
For example, I get access through the Firewall from my own devices:
2a02:6680:1130:ea41:8cf7:8421:bf19:dc1a
2a10:8003:5c3d:0:b62e:99ff:fecf:5f48
As you can see, both IPs have the "2a" prefix. I am trying to find in the log all possible IPv6 addresses beginning with 2a.
When I'm looking for src:2a00::0/8 in my query I get nothing; when I'm looking for 2a00::0/8 the FW returns something very strange.
You can see it in the attached screenshot. I cannot understand how the records returned by the query relate to the requested 2a00::0/8 address range.
Accepted Solutions
I've tried it in an IPv6 enabled (and using) environment here and it works just fine.
When using src:2a00::/8 (or, like in your example, the longer syntax src:2a00::0/8), I get only logs with packets from those sources.
Version: SMS R80.40 JHF T120 and Smart Console R80.40 Build 994000424
That you get unwanted results when omitting the field name (and querying just for 2a00::0/8) is quite normal, because this is some kind of full text search. Not sure how it works exactly.
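As an added illustration (not part of the original thread, and not Check Point's implementation), the Python sketch below shows which sources a numeric prefix filter such as src:2a00::/8 selects, compared with matching the text "2a" at the start of the address string. The log records, field names and helper functions are constructed for this example.

```python
import ipaddress

# Constructed sample records (not real firewall logs). The first two sources
# are the addresses quoted in the question; field names are assumptions.
SAMPLE_LOGS = [
    {"src": "2a02:6680:1130:ea41:8cf7:8421:bf19:dc1a", "action": "Accept"},
    {"src": "2A10:8003:5C3D:0:B62E:99FF:FECF:5F48", "action": "Accept"},  # upper case
    {"src": "2aff:ffff::1", "action": "Accept"},    # upper end of 2a00::/8
    {"src": "2b00::1", "action": "Drop"},           # first block outside the /8
    {"src": "2a::1", "action": "Drop"},             # really 002a::1, not 2a00::/8
    {"src": "2001:db8::2a00", "action": "Accept"},  # "2a00" only in the low bits
    {"src": "198.51.100.42", "action": "Accept"},   # IPv4 source
    {"src": "-", "action": "Accept"},               # record without a usable src
]


def src_in_prefix(records, cidr):
    """Numeric match: sources whose address bits fall inside the given prefix."""
    net = ipaddress.ip_network(cidr, strict=False)  # accepts 2a00::/8 and 2a00::0/8
    hits = []
    for rec in records:
        try:
            addr = ipaddress.ip_address(rec["src"])
        except ValueError:
            continue  # skip values that are not IP addresses
        if addr.version == net.version and addr in net:
            hits.append(rec["src"])
    return hits


def src_text_prefix(records, text):
    """Naive textual match: sources whose string form starts with the text."""
    return [rec["src"] for rec in records if rec["src"].startswith(text)]


if __name__ == "__main__":
    print("in 2a00::/8      :", src_in_prefix(SAMPLE_LOGS, "2a00::/8"))
    print("starts with '2a' :", src_text_prefix(SAMPLE_LOGS, "2a"))
```

The two results differ on 2a::1 (textually "2a", numerically 002a::1) and on the upper-case address, so a prefix filter on the source field and a textual match do not select the same records.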
Hi! You are absolutely right, Tobias, about omitting the field name. And I've marked your answer as the solution. Thank you!
But now I see my main mistake: I am trying to find something in the log that cannot be there. The fact is that although the firewall supports IPv6, all our server resources are published in IPv4. Clients simply cannot contact us with IPv6 addresses, because IPv6 and IPv4 are incompatible. They are required to do some sort of NAT64 conversion of their original address to an IPv4 address. I don’t know where and how, most likely at the ISP.
This is a particular problem for customer support for clients who encounter errors on our site. Clients tell us their IP, but we cannot find them in the log, because their IPv6 address has been changed to IPv4.
But this is another (and more common) issue.
Regards,
Evgeni
