This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Mille
Contributor
‎2024-04-04 03:05 PM
Jump to solution

Logging with limited log samples?

Hi Mate,

Do you know any way to enable limited logging on an access rule, say 5% rule hits are logged and the rest is not logged?

Why?
A typical access rule will have log enabled and all matches for that rule will be logged.
Some types of trafic (like DNS, NTP, SNMP and NETBIOS) will generate a lot of hits and you may opt to disable log for this 'noise'.
However that will leave you 'blind' both in terms of the direct trafic and in terms of statical reporting and other data processing.

BR Mille

Labels
0 Kudos
1 Solution

Accepted Solutions
Tomer_Noy
MVP Gold CHKP MVP Gold CHKP
MVP Gold CHKP
‎2024-05-05 12:57 AM
Jump to solution

Actually, there is a feature that is specifically meant for this use-case and allows you to reduce the noise of highly repeating logs.

It's not called "partial logging", but "Session Logs".

If you open the Track settings on your rule with logging, you will see the default logging configuration:

Track Settings - Default.png

These default settings tell the gateway to create a new log for each connection attempt. In the case of DNS, indeed that means many logs that look the same as machines create a DNS request (and connection) for every DNS resolving.

You can of course switch that rule to Track=None, but that indeed leaves you blind to all this traffic and requests.

Instead, you can modify the Track settings to look like the below:

Track Settings - Session Logs.png

Deactivate "per Connection" logs and activate "per Session" logs.

Session logs are an aggregation of all connection logs that have the same significant parameters (source, destination, port, action, user, ...). Once a new connection is opened a session log will be sent. Subsequent connections (that share the same significant parameters) will not send another log, instead every 10 minutes a log update will be sent on the session to state how many connections were seen in that time period. That way, if you double click a session log, you can still see how many connection, without having a dedicated log row for each connection.

This reduces the noise and also reduces the load on your log server. We've seen customers reduce their total logging by 30%-60% by utilizing Session logs on noisy rules.

View solution in original post

7 Replies
Amir_Senn
MVP Silver CHKP MVP Silver CHKP
MVP Silver CHKP
‎2024-04-07 08:07 AM
Jump to solution

There is no partial logging.

Best suggestions I can offer are:

a. You can create build in filter that will filter unwanted logs from results

b. Identify all the features of the noisy logs and instead of the current rule, replace action with layer. Under this layer, create the first rules with a combo of source, destination and service and don't log those. If you keep it well defined I don't think you should have issues.

Kind regards, Amir Senn
Mille
Contributor
‎2024-04-08 05:18 AM
In response to Amir_Senn
Jump to solution

Amir Senn, Thank you for the suggestions. I was hoping for some kind of partial logging.

/Mille

0 Kudos
Amir_Senn
MVP Silver CHKP MVP Silver CHKP
MVP Silver CHKP
‎2024-04-09 04:45 AM
In response to Mille
Jump to solution

You can also change the tracking options on layer suggestion to be session instead of connection. Should lower number of all logs that match the rule.

Kind regards, Amir Senn
0 Kudos
Tomer_Noy
MVP Gold CHKP MVP Gold CHKP
MVP Gold CHKP
‎2024-05-05 12:57 AM
Jump to solution

Actually, there is a feature that is specifically meant for this use-case and allows you to reduce the noise of highly repeating logs.

It's not called "partial logging", but "Session Logs".

If you open the Track settings on your rule with logging, you will see the default logging configuration:

Track Settings - Default.png

These default settings tell the gateway to create a new log for each connection attempt. In the case of DNS, indeed that means many logs that look the same as machines create a DNS request (and connection) for every DNS resolving.

You can of course switch that rule to Track=None, but that indeed leaves you blind to all this traffic and requests.

Instead, you can modify the Track settings to look like the below:

Track Settings - Session Logs.png

Deactivate "per Connection" logs and activate "per Session" logs.

Session logs are an aggregation of all connection logs that have the same significant parameters (source, destination, port, action, user, ...). Once a new connection is opened a session log will be sent. Subsequent connections (that share the same significant parameters) will not send another log, instead every 10 minutes a log update will be sent on the session to state how many connections were seen in that time period. That way, if you double click a session log, you can still see how many connection, without having a dedicated log row for each connection.

This reduces the noise and also reduces the load on your log server. We've seen customers reduce their total logging by 30%-60% by utilizing Session logs on noisy rules.

Mille
Contributor
‎2024-05-07 01:35 AM
In response to Tomer_Noy
Jump to solution

Thanks for the solution. It work for me.

In my case I also had to make the same adjustment in both the Network access rule and in the Application rule as the policy does not use Layes.

0 Kudos
Tomer_Noy
MVP Gold CHKP MVP Gold CHKP
MVP Gold CHKP
‎2024-05-07 01:41 AM
In response to Mille
Jump to solution

Great to hear 😀

I'm curious, by how much did that reduce your logging on those rules?

For example, from 100K logs per day to 10K?

0 Kudos
Mille
Contributor
‎2024-05-07 04:47 AM
In response to Tomer_Noy
Jump to solution

Work in progress. An early result is 30K DNS connection logs is reduced to 6K session logs for 24/hours. It's about 80% reduction.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events