This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Denis_Ruzicka
Participant
‎2024-02-07 12:50 AM

Gaia R80.40 While installing a policy on a gateway I see 5 changes but no audit logs

Hello, 

 

while installing policy I wanted to review changes but my audit log is empty. Are there changes which are excluded from audit log?

User account is super user and I am viewing the logs within specified time.

installation-policy.pnginstallation-policy-audit log.png

Is there any way to check differences from last revision.

Cheers

  

Labels
0 Kudos
18 Replies
PhoneBoy
Admin
Admin
‎2024-02-07 05:43 AM

While most changes generate an audit log (e.g. to objects and rules), there are a few changes that do not.
Changes to Global Properties is the most common culprit here, but there may be a few others.

the_rock
Legend
Legend
‎2024-02-07 05:46 AM

I agree with Phoneboy. I know this as a fact actually, becaise I tested it in the lab and could not find any audit log. Any time I would do this in R80.20, R80.30, R80.40, R81.10 and R81.20, it was exact same behavior.

Best,

Andy

the_rock
Legend
Legend
‎2024-02-07 07:08 AM
In response to the_rock

@Denis_Ruzicka Ok, I take my statement back. Maybe thats not 100% true. I just tried on R81.20 Azure mgmt server and changed global property setting and it actually show in the audit log. What was the change you made?

Andy

 

Screenshot_2.png

0 Kudos
Denis_Ruzicka
Participant
‎2024-02-07 07:27 AM
In response to the_rock

I will be honest I don't know.

I know I was hovering around objects and access rules at the end I was focused on VRRP addresses. But in the end of my session I chose to not touch them during production time. When I was closing the session I saw 5 changes which I though were some tiding changes like names of objects and so on. I published them with the plan to review changes upon installation (irresponsible, I am going to abandon the  practice ). 

And when I was about to install the policy I saw nothing in the audit log. 

My plan is to do backup and revert to revision before the last Publish.

0 Kudos
the_rock
Legend
Legend
‎2024-02-07 09:26 AM
In response to Denis_Ruzicka

Thats fair. Do you remember EXACTLY what you had changed? If yes, can you please let us know, so I can test it in the lab.

Best,

Andy

0 Kudos
Denis_Ruzicka
Participant
‎2024-02-07 09:41 AM
In response to the_rock

I am very grateful that you want to find what exactly isn't being logged in audit log. This is beneficiary for me and the community.

But that is my issue in this case I don't know what exactly I have changed. What I think might cause this is that I might have opened some properties renamed something but later in the session I changed it back... to original name therefore it might not be logged because there is no change between revision? That might be worth a try.

0 Kudos
the_rock
Legend
Legend
‎2024-02-07 01:40 PM
In response to Denis_Ruzicka

Yes, no problem, always happy to help. Let me try that, I will change something random in global properties, save, then change it back. Will report if I see audit log about it.

 

Andy

0 Kudos
the_rock
Legend
Legend
‎2024-02-07 02:33 PM
In response to Denis_Ruzicka

K, just changed random setting in global properties, saved, changed it back, saved and I see the audit logs for it

Andy

 

Screenshot_1.png

0 Kudos
(1)
Denis_Ruzicka
Participant
‎2024-02-08 06:23 AM
In response to the_rock

Thank you. When I get this fixed I will try some changes related to the task I was doing and see if they create log.  Only now I will note what exactly I do. 

I will be reverting to previous revision this weekend. Do you have any recommendation if I should check something before reverting?

 

Thank you for your help it is appreciated.

Denis 

the_rock
Legend
Legend
‎2024-02-08 06:24 AM
In response to Denis_Ruzicka

Any time mate 🙂

0 Kudos
PhoneBoy
Admin
Admin
‎2024-02-07 08:57 AM
In response to the_rock

It may be this is fixed in R81.20 (or some version past R80.40).

0 Kudos
the_rock
Legend
Legend
‎2024-02-07 09:25 AM
In response to PhoneBoy

Its weird, cause last time I did it in R81.20, definitely did not show any audit logs. Cant recall now exactly what I changed in glonal properties...

Andy

0 Kudos
Denis_Ruzicka
Participant
‎2024-02-14 07:52 AM

Ok so in the end we created backups and then installed the new policy. Everything works and I haven't noticed anything.

Today I tested and found out that on R80.40 if you open Gateway Cluster Properties  -> Network Management -> double click network interface -> click "Ok" while changing nothing -> click "Ok" in Gateway Cluster Properties window.

The smart console freezes for a while then the properties window closes then it freezes again.

In that moment I see 3 changes in session. When install them I see in audit log  

The  change : "@Interface Index: '1', '2', '3', '4', '5', '6', '7', '8', '9', '10', '11', '12', '13', '14', '15', '16', '17', '18', '19', '20', '21', '22', '23', '24', '25', '26'...."

Which I presume is automatic Index updates which would happen if I were to change an interface (though I didn't)

I have tried few other things but I always generate some kind of update for given box or cluster I can see some audit logs.

 

0 Kudos
the_rock
Legend
Legend
‎2024-02-14 08:10 AM
In response to Denis_Ruzicka

So all good now, you can see audit logs as expected?

Andy

0 Kudos
Denis_Ruzicka
Participant
‎2024-02-14 09:04 AM
In response to the_rock

Yes everything works now and I can see audit logs. However, there are clearly actions which will cause changes but no audit logs. I just didn't find them.

0 Kudos
the_rock
Legend
Legend
‎2024-02-14 09:07 AM
In response to Denis_Ruzicka

Sorry brother, wish I had R80.40 to test with, but I dont : - (

Andy

0 Kudos
Denis_Ruzicka
Participant
‎2024-02-14 09:06 AM
In response to the_rock

Thanks for consultations. We will be upgrading to newer version hopefully I won't get into same situation in future.

0 Kudos
the_rock
Legend
Legend
‎2024-02-14 09:10 AM
In response to Denis_Ruzicka

I am positive that in R81.20 you would never have this issue. I changed so many things as a test in last week and every time audit logs showed up.

Best,

Andy

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events