This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
ABOUT CHECKMATES & FAQ
Create a Post
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Help
SantiagoPlatero
Collaborator
‎2018-10-30 09:48 AM

Extended (detailed) log for Implied Rules

Jump to solution

Hi community, is there a way to enable the extended log (or a log with more information) for the Implied Rules?

I followed the sk110218 and still cannot see some information in the logs generated for implied rules.

Specifically, I need to see which QoS rule match to traffic from our gateway to the Check Point cloud servers, cause I have multiple drops in the URL Filtering categorization and some timeouts in the Threat Emulation Cloud Service.

I also tried using the Implied Policy menu but I cannot edit the track column, maybe through GUIDBEdit?

Thanks!

Labels
1 Solution

Accepted Solutions
SantiagoPlatero
Collaborator
‎2018-10-31 05:43 AM
In response to Vladimir

Jump to solution

Hi Vladimir, as I say in the first post, I followed the sk110218 and still cannot see the QoS rules that match the implied rules traffic.

I've some ideas:

- Right now I'm creating a rules on top the both security and application policies, and setting the extended log track on the application one (EDIT: this one solved the issue).

- If the above doesn't work, I'll trying to create a custom event, but for the logs cards I see the QoS rules (internet browsing rules) aren't correlated so I don't think that is the right way.

Any other ideas are welcome, thanks!

View solution in original post

0 Kudos
3 Replies
Vladimir
Champion
Champion
‎2018-10-30 05:10 PM

Jump to solution

As per sk110218, How to enable logging of informative implied rules on R80.10 Security Gateway 

Temporary Instructions:

Note: In cluster environment, this procedure must be performed on all members of the cluster.

  1. Connect to command line on Security Gateway.

  2. Log in to Expert mode.

  3. Enable logging of informative implied rules by setting the value of kernel parameter fw_log_informative_implied_rules_enabled to 1 (one):

    • To check the current value of this kernel parameter:

      [Expert@HostName]# fw ctl get int fw_log_informative_implied_rules_enabled 

    • To set the desired value for this kernel parameter on-the-fly (does not survive reboot):

      [Expert@HostName]# fw ctl set int fw_log_informative_implied_rules_enabled 1 

or permanent:

To set the desired value for this kernel parameter permanently:

Follow sk26202 - Changing the kernel global parameters for Check Point Security Gateway.

  1. Create the $FWDIR/boot/modules/fwkern.conf file (if it does not already exit):

    [Expert@HostName]# touch $FWDIR/boot/modules/fwkern.conf 

  2. Edit the $FWDIR/boot/modules/fwkern.conf file in Vi editor:

    [Expert@HostName]# vi $FWDIR/boot/modules/fwkern.conf 

  3. Add the following line (spaces are not allowed):

    fw_log_informative_implied_rules_enabled=1 

  4. Save the changes and exit from Vi editor. 

  5. Check the contents of the $FWDIR/boot/modules/fwkern.conf file:

    [Expert@HostName]# cat $FWDIR/boot/modules/fwkern.conf 

  6. Reboot the Security Gateway. 

  7. Verify that the new value was set:

    [Expert@HostName]# fw ctl get int fw_log_informative_implied_rules_enabled
0 Kudos
SantiagoPlatero
Collaborator
‎2018-10-31 05:43 AM
In response to Vladimir

Jump to solution

Hi Vladimir, as I say in the first post, I followed the sk110218 and still cannot see the QoS rules that match the implied rules traffic.

I've some ideas:

- Right now I'm creating a rules on top the both security and application policies, and setting the extended log track on the application one (EDIT: this one solved the issue).

- If the above doesn't work, I'll trying to create a custom event, but for the logs cards I see the QoS rules (internet browsing rules) aren't correlated so I don't think that is the right way.

Any other ideas are welcome, thanks!

0 Kudos
SantiagoPlatero
Collaborator
‎2018-10-31 05:53 AM
In response to SantiagoPlatero

Jump to solution

Ok, the rules worked like a charm.

I'm not sure if the security rule is necessary as I'm only able to enable the extended log track setting in the application one, but right now if isn't broken...

Thanks community, marked the above as the correct answer.

0 Kudos