This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
David_C1
Advisor
‎2020-02-28 06:59 AM

Log accounting best practice and field explanation

We have enabled "Accounting" on a number of rules on our internet facing gateways in the Security and Application layers (using ordered layers) and I am curious to hear what others have used as a best practice for Accounting settings. In general, we want to know how much data is being uploaded/downloaded by our internal hosts. Should we have Accounting enabled for both the Security rules which are matched and the corresponding Application rules? If only in one layer, which?

Also, I'm looking for an explanation for these log fields:

Client Inbound Bytes

Client Outbound Bytes

Server Inbound Bytes

Server Outbound Bytes

The data in the fields Client Inbound Bytes and Server Outbound Bytes generally match, the data in the fields Client Outbound Bytes and Server Inbound Bytes are close but often do not match.  Seems to me "Client Outbound Bytes" equals what an internal client has downloaded, which is counter-intuitive ti me. Anyone know of detailed documentation about these fields?

 

Thanks

Dave

0 Kudos
2 Replies
PhoneBoy
Admin
Admin
‎2020-02-28 08:30 AM

Client: Source of connection
Server: Destination of connection
Inbound: Being sent from client/server
Outbound: Being received by client/server

If NAT is involved, the numbers may not match as IPs may be getting modified in the data portion.
Also adding things like an X-Forwarded-For header will add bytes to the connection.

As far as which layer you say "accounting" for, not sure it matters.
Note that App Control rules with Detailed or Extended logs will also tend to include this information.
0 Kudos
David_C1
Advisor
‎2020-02-28 08:39 AM
In response to PhoneBoy

Thank you, that clears it up.

 

Dave

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events