This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
YvheniiK
Explorer
‎2024-06-10 11:02 AM

Event types in checkpoint logs

Good Day Everyone!

We have some logs, but not sure that we understand them correctly.

CEF:0|Check Point|VPN-1 & FireWall-1|Check Point|Encrypt|echo-request|Unknown|act=Encrypt cn2Label=ICMP Type cn2=8 cn3Label=ICMP Code cn3=0 cs2Label=Peer Gateway cs2=10.25.1.33 deviceDirection=0 duser=User1 rt=171436202000 cs2Label=Rule Name cs2=Implied Rule cs2=Implied Rule cs2=VPN Client Analysis cs2=Implied Rule layer_name=GlobalTrafficDrop...

CEF:0|Check Point|VPN-1 & FireWall-1|Check Point|Detect|Address spoofing|Unknown|act=Detect deviceDirection=0 msg=Address spoofing rt=171436202000 spt=50740 dpt=53 ifname=eth1-01.7 loguid={0x663270c7,0x3f,0xf76511ac,0x1b933721} origin=172.17.11.241 originsicname=CN\\=user ,O\\=user.com sequencenum=679 version=5 dst=172.17.101.41 product=VPN-1 & FireWall-1 proto=17 src=192.168.10.9

My question is what means |Encrypt| and |Detect| values in the log samples? Is it event type?

As I correctly understand the value Enrypt it's a type of event that relates to S2S VPN. Does this event can be related only to S2S VPN? Can be related to RA VPN?

I am wondering which type of events can be on checkpoint except Encrypt and Log. I couldn't find a full list of event types in any documentation.

In most cases I see type: Log

CEF:0|Check Point|VPN-1 & FireWall-1|Check Point|Log|echo-request...

0 Kudos
2 Replies
PhoneBoy
Admin
Admin
‎2024-06-14 04:43 PM

Encrypt can apply to S2S and C2S VPN, I believe.
Detect is, in this case, referring to the fact that this particular connection would have violated Anti-Spoofing settings if were not set to detect.

0 Kudos
the_rock
Legend
Legend
‎2024-06-14 04:58 PM

First log means traffic was encrypted inside the vpn community and 2nd one refers to anti spoofing itself, or specifically address spoofing, which is really well explained in below link.

Best,

Andy

https://support.checkpoint.com/results/sk/sk115276

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events