- Products
- Learn
- Local User Groups
- Partners
- More
CheckMates Fifth Birthday
Celebrate with Us!
days
hours
minutes
seconds
Join the CHECKMATES Everywhere Competition
Submit your picture to win!
Harmony Mobile 4:
New Version, New Capabilities
As YOU DESERVE THE BEST SECURITY
Upgrade to our latest GA Jumbo
CheckFlix!
All Videos In One Space
Hi Mates,
I have a problem seeing MAC address information in the Logs though MAC address feature is added to the profile. Could anyone help me finding it or if I missed anything in here.
Thanks in advance.
What you're editing is what log fields show.
That does not reflect what information is actually logged.
In the regular Firewall/Access Policy, MAC addresses are not something we filter on nor is it something we log.
The only part of the product that appears to log MAC addresses at all is Mobile Access and even then it is only the client MAC.
To further expand on what Dameon said, I'm pretty sure that by the time the Check Point INSPECT driver/engine on the gateway receives the IP packet for inspection, the underlying Gaia/Linux NIC driver has already removed the Ethernet framing containing the MAC addresses. This is why one must use tcpdump to see MAC addresses (-e option) in a packet capture situation, and they will not be displayed when using fw monitor.
--
Second Edition of my "Max Power" Firewall Book
Now Available at http://www.maxpowerfirewalls.com
As Dameon mentioned already, logging Layer 2 info is a rare case for Check Point products. Firewalling is done on Layer 3 and above.
What about logging MAC address information in address spoofing alert? Is that something that is possible to log or is it only possible to run a tcpdump and try to capture in real time?
Actually you can find any MAC address by use this tcpdump:
tcpdump -n -e -i ethXX host XX.XX.XX.XX -vv
you can find the MAC address of spoofing address just use the IP & ethx:
tcpdump -n -e -i ethXX host XX.XX.XX.XX -vv
I used it, it's works!!!
Murad,
I was looking for the MAC address to be shown in the actual spoof log.....not from a tcpdump 🙂
About CheckMates
Learn Check Point
Advanced Learning
YOU DESERVE THE BEST SECURITY