This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Dave
Contributor
‎2019-11-22 02:34 AM

Interpretation of Network Activity report

How do you exactly correctly interpret this report?

 

Interpret1 has only 269 accept logs on internal firewall, which i hardly can believe given the amount of people that work here. Drop and Reject is a lot, which looks normal to me.

Interpret2 same -> low accept logs on internal firewall, although i know there is a lot of internall traffic.
Failover happened on this day, that's the reason why you see also high activity on IFW02. Normally IFW01 is the primary active one.

Interpret3 is report of 5 days, still low accept logs in internal firewall, Drop and Reject is a lot, which again looks normal to me

How is this possible when we log all rules in the policy where traffic has been accepted? Or how do i have to interpret this?

 

Interpret1.png
Preview file
55 KB
Interpret2.png
Preview file
70 KB
Interpret3.png
Preview file
69 KB
0 Kudos
3 Replies
PhoneBoy
Admin
Admin
‎2019-11-22 08:09 PM

What does the Track field for the rules that accept the traffic say?
If it says Log and/or don't include Session info, they won't get indexed and won't appear in the reports.
0 Kudos
Dave
Contributor
‎2019-11-24 11:55 PM
In response to PhoneBoy

Screenshot shows how it looks in our policy, quite normal i guess.

When looking at some log entries, indeed i could see that a lot of them don't have a Session tab.

I would have expected when you log your rules in your policy, that this would fully reflect in the Network Activity Report.
Is there a way to literally see all accept hits in the report?

Interpret4.png
Preview file
13 KB
0 Kudos
PhoneBoy
Admin
Admin
‎2019-11-25 09:03 AM
In response to Dave

You’d have to Right-Click on each instance of Log in the Track field, select More, then tick the Log Generation Per Session checkbox.
Some additional discussion around this here: https://community.checkpoint.com/t5/Logging-and-Reporting/Creating-reports-with-tracking-quot-per-co...
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events
    li.common.scroll-to.top