This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
nflnetwork29
Advisor
‎2022-07-14 03:01 PM

ICMP traffic is not being logged

I created a rule to explicitly ALLOW and LOG ICMP "PING" traffic . 

 

Any , Any, Allowed, ICMP , Log

 

 

However I am not seeing this traffic in my logs . What gives?

 

Please Help. 

0 Kudos
7 Replies
Chris_Atkinson
Employee Employee
Employee
‎2022-07-14 04:13 PM

Is it accepted by implied rules and are those set to log?

CCSM R77/R80/ELITE
0 Kudos
nflnetwork29
Advisor
‎2022-07-14 04:14 PM
In response to Chris_Atkinson

i tried that setting as well and it also did not show up in the logs .

0 Kudos
Chris_Atkinson
Employee Employee
Employee
‎2022-07-14 06:01 PM
In response to nflnetwork29

What do you see if using packet mode (sk118592) or fw up_execute to verify the rule matching...

[Expert@MyGW:0]# fw up_execute src=s.s.s.s dst=d.d.d.d ipp=1

CCSM R77/R80/ELITE
0 Kudos
nflnetwork29
Advisor
‎2022-07-14 07:24 PM
In response to Chris_Atkinson

I see it matching rule 1 - this is the any any rule i created for testing . 

 

admin@172.31.255.1's password:
Last login: Thu Jul 14 17:48:10 2022 from 172.31.255.12
ESSN-CP-01> fw up_execute src=172.31.254.2 ipp=1 dst=172.31.255.100
Rulebase execution ended successfully.
Overall status:
----------------
Active clob mask: 0
Required clob mask: 0
Match status: MATCH
Match action: Accept

Per Layer:
------------
Layer name: ESSN-SHARED-SVCS-MGMT
Layer id: 0
Match status: MATCH
Match action: Accept
Matched rule: 1
Possible rules: 1 11 22 16777215

ESSN-CP-01>

 

0 Kudos
Chris_Atkinson
Employee Employee
Employee
‎2022-07-15 01:18 AM
In response to nflnetwork29

Are there any filters being applied to the log search?

Does the problem persist if you install the policy again?

The bi-directional traffic is visible in a packet capture on the firewall?

CCSM R77/R80/ELITE
0 Kudos
Timothy_Hall
Legend Legend
Legend
‎2022-07-15 04:25 AM

If the ping has been running continuously while you created rule 1 and installed policy, it will not match rule 1 until you stop the ping for about 30 seconds and restart it (or just ping a different address).  That is because the old ICMP "connection" still exists in the state table matching whatever rule (probably implied) was there before allowing it.  

Attend my 60-minute "Be your Own TAC: Part Deux" Presentation
Exclusively at CPX 2025 Las Vegas Tuesday Feb 25th @ 1:00pm
0 Kudos
cchacons-tech
Explorer
‎2023-03-14 09:04 PM
In response to Timothy_Hall

Still un-resolve ah ?

 

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events