Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
YvheniiK
Explorer

Event types in checkpoint logs

Good Day Everyone!

We have some logs, but not sure that we understand them correctly.

CEF:0|Check Point|VPN-1 & FireWall-1|Check Point|Encrypt|echo-request|Unknown|act=Encrypt cn2Label=ICMP Type cn2=8 cn3Label=ICMP Code cn3=0 cs2Label=Peer Gateway cs2=10.25.1.33 deviceDirection=0 duser=User1 rt=171436202000 cs2Label=Rule Name cs2=Implied Rule cs2=Implied Rule cs2=VPN Client Analysis cs2=Implied Rule layer_name=GlobalTrafficDrop...

CEF:0|Check Point|VPN-1 & FireWall-1|Check Point|Detect|Address spoofing|Unknown|act=Detect deviceDirection=0 msg=Address spoofing rt=171436202000 spt=50740 dpt=53 ifname=eth1-01.7 loguid={0x663270c7,0x3f,0xf76511ac,0x1b933721} origin=172.17.11.241 originsicname=CN\\=user ,O\\=user.com sequencenum=679 version=5 dst=172.17.101.41 product=VPN-1 & FireWall-1 proto=17 src=192.168.10.9

My question is what means |Encrypt| and |Detect| values in the log samples? Is it event type?

As I correctly understand the value Enrypt it's a type of event that relates to S2S VPN. Does this event can be related only to S2S VPN? Can be related to RA VPN?

I am wondering which type of events can be on checkpoint except Encrypt and Log. I couldn't find a full list of event types in any documentation.

In most cases I see type: Log

CEF:0|Check Point|VPN-1 & FireWall-1|Check Point|Log|echo-request...

0 Kudos
2 Replies
PhoneBoy
Admin
Admin

Encrypt can apply to S2S and C2S VPN, I believe.
Detect is, in this case, referring to the fact that this particular connection would have violated Anti-Spoofing settings if were not set to detect.

0 Kudos
the_rock
Legend
Legend

First log means traffic was encrypted inside the vpn community and 2nd one refers to anti spoofing itself, or specifically address spoofing, which is really well explained in below link.

Best,

Andy

https://support.checkpoint.com/results/sk/sk115276

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events