Solved: Enable tracking all rule not working after upgrade...

cdrik · ‎2020-01-23

Hello,

Our clusterXl gateways are configured to send their tracked rules logs to our management servers and we have also enabled to send all rule logs to another dedicated log server. (configured in Reporting tool).

Everything is working as expected in R77.30 but we have upgraded one of our cluster to r80.20 and since then this cluster does only logs rules with the track option set to 'log'. On our management server and also on our dedicated log server...

Is it still possible to keep logs of all rule in R80.20 without being force to set all rule in 'log'?

regards,

Cedric

Norbert_Bohusch · ‎2020-01-24

I assume he is talking about the "complimentary log" feature:

Reporting Tools Reporting Tools

This is not supported since R80.10 sk122486:

sk122486 sk122486

This information was published after a case of our customer, where we got the following information:
- The complementary log was supported in R80.10, but did not work due to bug.
- We can confirm that this feature is not supported in R80.20 and R80.30 - the sk122486 is correct.
- This feature hopefully will be brought back in next releases, but there is no concrete plan.

Btw. this customer used this feature for the following:
- Log specific rules for audit purpose to one log server with long retention period
- Log all rules for troubleshooting purpose to other log server with really short retention period

View solution in original post

PhoneBoy · ‎2020-01-23

From your description, it sounds like this was configured in SmartReporter, which definitely no longer exists in R80.x.
In which case, I don't believe this function exists in R80.x.

Lari_Luoma · ‎2020-01-23

You said that you'll have to turn the tracking option to "log" in order for the rule to generate logs. This is correct. If you have application control/URL filtering enabled in the policy you can also use extended or detailed logging types.

Can you explain how the logging was configured in R77.30?

Norbert_Bohusch · ‎2020-01-24

I assume he is talking about the "complimentary log" feature:

Reporting Tools Reporting Tools

This is not supported since R80.10 sk122486:

sk122486 sk122486

This information was published after a case of our customer, where we got the following information:
- The complementary log was supported in R80.10, but did not work due to bug.
- We can confirm that this feature is not supported in R80.20 and R80.30 - the sk122486 is correct.
- This feature hopefully will be brought back in next releases, but there is no concrete plan.

Btw. this customer used this feature for the following:
- Log specific rules for audit purpose to one log server with long retention period
- Log all rules for troubleshooting purpose to other log server with really short retention period

cdrik · ‎2020-01-28

thanks for your reply.
It is indeed the feature that I was looking for. We use this for troubleshooting.
I guess I will have to put all rules in 'log' to keep this option.

Martin_Hofbauer · ‎2020-01-28

I ran across this limitation after upgrading to R80.10, too and contacted TAC. At the beginning, they had no idea that this feature was not working(...). At the end of this SR they stated, it will be supported in R80.20

After the upgrade to R80.20 I recognized that this feature is still not working: so I contacted TAC again.

The final answer:

"Here is the statement we received from the R&D Group Manager regarding this feature:
   - The complementary log was supported in R80.10, but did not work due to bug.
   - We can confirm that this feature is not supported in R80.20 and R80.30 - the sk122486 is correct.
   - This feature hopefully will be brought back in next releases, but there is no concrete plan."

Are you a member of CheckMates?

Enable tracking all rule not working after upgrade to R80.20 ?