Extended (detailed) log for Implied Rules
Hi community, is there a way to enable the extended log (or a log with more information) for the Implied Rules?
I followed the sk110218 and still cannot see some information in the logs generated for implied rules.
Specifically, I need to see which QoS rule matches the traffic from our gateway to the Check Point cloud servers, because I have multiple drops in the URL Filtering categorization and some timeouts in the Threat Emulation Cloud Service.
I also tried using the Implied Policy menu but I cannot edit the track column, maybe through GUIDBEdit?
Thanks!
Accepted Solutions
Hi Vladimir, as I said in the first post, I followed sk110218 and still cannot see the QoS rules that match the implied rules traffic.
I have some ideas:
- Right now I'm creating rules on top of both the security and application policies, and setting the extended log track on the application one (EDIT: this one solved the issue).
- If the above doesn't work, I'll try to create a custom event, but in the log cards I see the QoS rules (internet browsing rules) aren't correlated, so I don't think that is the right way.
Any other ideas are welcome, thanks!
As per sk110218, How to enable logging of informative implied rules on R80.10 Security Gateway:
Temporary Instructions:
Note: In a cluster environment, this procedure must be performed on all members of the cluster.
- Connect to the command line on the Security Gateway.
- Log in to Expert mode.
- Enable logging of informative implied rules by setting the value of the kernel parameter fw_log_informative_implied_rules_enabled to 1 (one).
To check the current value of this kernel parameter:
[Expert@HostName]# fw ctl get int fw_log_informative_implied_rules_enabled
To set the desired value for this kernel parameter on-the-fly (does not survive reboot):
[Expert@HostName]# fw ctl set int fw_log_informative_implied_rules_enabled 1
Or permanent:
To set the desired value for this kernel parameter permanently, follow sk26202 - Changing the kernel global parameters for Check Point Security Gateway:
- Create the $FWDIR/boot/modules/fwkern.conf file (if it does not already exist):
[Expert@HostName]# touch $FWDIR/boot/modules/fwkern.conf
- Edit the $FWDIR/boot/modules/fwkern.conf file in the Vi editor:
[Expert@HostName]# vi $FWDIR/boot/modules/fwkern.conf
- Add the following line (spaces are not allowed):
fw_log_informative_implied_rules_enabled=1
- Save the changes and exit from the Vi editor.
- Check the contents of the $FWDIR/boot/modules/fwkern.conf file:
[Expert@HostName]# cat $FWDIR/boot/modules/fwkern.conf
- Reboot the Security Gateway.
- Verify that the new value was set:
[Expert@HostName]# fw ctl get int fw_log_informative_implied_rules_enabled
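The same change, scripted so it can be repeated on every cluster member without leaving duplicate or space-padded lines in fwkern.conf. This is an added example, not Check Point's code or part of the SK; it assumes the Gaia Expert shell with $FWDIR set, and the `fw ctl` calls are only attempted where the `fw` binary exists:

```bash
#!/bin/bash
# Added example (not from sk110218 / sk26202): persist a kernel parameter in
# $FWDIR/boot/modules/fwkern.conf idempotently and apply it at runtime.
# Assumes Gaia Expert mode with $FWDIR exported. Run on every cluster member.

PARAM=fw_log_informative_implied_rules_enabled
FWKERN_CONF="${FWDIR:-/tmp/fwdir-placeholder}/boot/modules/fwkern.conf"

# set_fwkern_param FILE NAME VALUE
# Writes exactly one "NAME=VALUE" line (no spaces, as the SK requires),
# replacing any earlier definition of NAME and creating FILE if missing.
set_fwkern_param() {
    local file="$1" name="$2" value="$3"
    mkdir -p "$(dirname "$file")" && touch "$file" || return 1
    # Keep every other line, drop old NAME= lines, then append the new one.
    grep -v "^${name}=" "$file" > "$file.tmp" || true
    printf '%s=%s\n' "$name" "$value" >> "$file.tmp"
    mv "$file.tmp" "$file"
}

# get_fwkern_param FILE NAME -> prints the persisted value (empty if unset).
get_fwkern_param() {
    sed -n "s/^${2}=//p" "$1"
}

# count_fwkern_param FILE NAME -> number of definitions; must be 0 or 1,
# more than one means the file was hand-edited and needs cleaning.
count_fwkern_param() {
    grep -c "^${2}=" "$1" || true
}

# enable_implied_rule_logging: persist across reboot, then set on-the-fly
# and read the value back so the change is verified immediately.
enable_implied_rule_logging() {
    set_fwkern_param "$FWKERN_CONF" "$PARAM" 1 || return 1
    if command -v fw >/dev/null 2>&1; then
        fw ctl set int "$PARAM" 1 && fw ctl get int "$PARAM"
    else
        echo "fw not found: persisted $PARAM=1 in $FWKERN_CONF only" >&2
    fi
}

# Only touch the real file when explicitly asked to.
[ "${1:-}" = "--apply" ] && enable_implied_rule_logging
```

Run with `--apply` on the gateway; a reboot is still required for the fwkern.conf entry itself, the `fw ctl set` covers the running kernel until then.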
Ok, the rules worked like a charm.
I'm not sure if the security rule is necessary, as I'm only able to enable the extended log track setting in the application one, but right now if it isn't broken...
Thanks community, marked the above as the correct answer.
