This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Kayhan_SAHIN
Contributor
yesterday

HTTPS Inspection logs doesn't show the fqdn when the fqdn bypass rule configured with Network Feed

Hello everyone,

We have a rule in the https inspection policy to bypass certain destination addresses with fqdn and non-fqdn. We created a network feed object to get the list of entries and enforce it in the rule. 

When I check the logs that hiting this rule with its rule UID, I noticed that onyl the network feed name exist in log details. I am not seeing any fqdn information in log details which the request bypassed when accessing that certain fqdn. Is there anything I can do to see this information? It is probably not included current releases but maybe there are some future enhancement requests for this spesific field. It will really increase the log visibility if the RnD add it to the next releases.

Thank you all.

Labels
0 Kudos
9 Replies
the_rock
Legend
Legend
yesterday

Are you able to send screenshot of the rule? One thing I would try is maybe enable below on top of logging and see if it helps after you push policy.

Andy

 

Screenshot_1.png

0 Kudos
Kayhan_SAHIN
Contributor
yesterday
In response to the_rock

Hi @the_rock 

Sorry, I can not share the screenshot. When I check the https inspection policy track options ,there is no options for accounting.In one rule I add the domain object to destination and saw the fqdn information below the destination field of the logs. In other rule which I mentioned in my first post, I added the network feed object to destination which fetch the list of the fqdn and non-fqdn entries, but I didn't see the target fqdn name in the log's destination field. Only IP addresses and feed name is seen. 

Thanks

0 Kudos
the_rock
Legend
Legend
yesterday
In response to Kayhan_SAHIN

No worries. Thats right, it does not give any accounting options in ssl inspection policy. Now, I could be mistaken when I say this, but I believe behavior you see if indeed correct and here is why. Yes, while its true that network feeds use both IPs and fqdns, when it comes to logging, you might not actually see those fqdns in the logs, but with domain object, you usually would, as its either fully qualified domain (by default) or 10 sub-domains if its non fqdn (also by default).

Again, Im not 100% sure about this, but just my logical conclusion based on my previous lab testing as well.

Andy

0 Kudos
Kayhan_SAHIN
Contributor
yesterday
In response to the_rock

Thank you for your detailed explanation, Andy. We are using separate feeds for IP and fqdns. Actually this is not an issue with IP feed. Because when I search the IP address in the logs, I saw it clearly. But with the fqdn feed, we can not search the specific fqdn in the bypassed log. (only category-based bypass logs shows that information)

For the guys from RnD or employee reading this post, please give it a reply if the enhancements are in place for this issue in the coming releases. Because when troubleshooting an issue, it makes the analyze harder when not seeing the fqdn information on the logs. 

Thanks

0 Kudos
the_rock
Legend
Legend
yesterday
In response to Kayhan_SAHIN

No no, Im not saying its an issue with anything in particular, Im saying that behavior might be by default, just my logical thinking, but again, I could be mistaken.

Anyway, hopefully someone else will confirm.

Andy

0 Kudos
Kayhan_SAHIN
Contributor
yesterday
In response to the_rock

Hi @the_rock 

Yes, the word "issue" probably not the correct word in my response. Sorry for that. As you mentioned maybe this default behavior. But to make the troubleshoot easier, it would be perfect if we see the destination fqdn info in the log with specific field when using network feed object. That's why I share the post here.

Thanks.

0 Kudos
the_rock
Legend
Legend
yesterday
In response to Kayhan_SAHIN

Thats 100% totally fair and thats why Im hoping someone else can confirm, for sure. Maybe TAC case to verify would not be a bad idea either.

Andy

0 Kudos
Lloyd_Braun
Collaborator
yesterday

Depending on the site, SNI logging might help. It is nice to enable for logging detail either way.

 

https://support.checkpoint.com/results/sk/sk173633


fw ctl set int up_log_ssl_report_sni 1

 

0 Kudos
Kayhan_SAHIN
Contributor
yesterday
In response to Lloyd_Braun

Hi @Lloyd_Braun 

Maybe SNI might help in other rules. But in my example, when using network feed object which only consists fqnd and non-fqdn (*.example.com) entries in the destination it will probably not help.

Thanks.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events