This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
ABOUT CHECKMATES & FAQ
Create a Post
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Help
Ni_c
Contributor
‎2018-08-16 10:57 AM

MAC Info is missing in Log Profile

Hi Mates,

I have a problem seeing MAC address information in the Logs though MAC address feature is added to the profile. Could anyone help me finding it or if I missed anything in here. 

Thanks in advance. 

8 Replies
PhoneBoy
Admin
Admin
‎2018-08-16 06:25 PM

What you're editing is what log fields show.

That does not reflect what information is actually logged.

In the regular Firewall/Access Policy, MAC addresses are not something we filter on nor is it something we log.

The only part of the product that appears to log MAC addresses at all is Mobile Access and even then it is only the client MAC.

Timothy_Hall
Champion
Champion
‎2018-08-17 06:04 AM
In response to PhoneBoy

To further expand on what Dameon said, I'm pretty sure that by the time the Check Point INSPECT driver/engine on the gateway receives the IP packet for inspection, the underlying Gaia/Linux NIC driver has already removed the Ethernet framing containing the MAC addresses.  This is why one must use tcpdump to see MAC addresses (-e option) in a packet capture situation, and they will not be displayed when using fw monitor.

--
Second Edition of my "Max Power" Firewall Book
Now Available at http://www.maxpowerfirewalls.com

New 2021 IPS/AV/ABOT Immersion Self-Guided Video Series
now available at http://www.maxpowerfirewalls.com
_Val_
Admin
Admin
‎2018-08-16 11:27 PM

As Dameon mentioned already, logging Layer 2 info is a rare case for Check Point products. Firewalling is done on Layer 3 and above. 

0 Kudos
Scott_Chambers
Participant
‎2019-08-28 08:15 AM
In response to _Val_

What about logging MAC address information in address spoofing alert?    Is that something that is possible to log or is it only possible to run a tcpdump and try to capture in real time?

 

0 Kudos
Murad_Elmgbar
Contributor
‎2019-11-06 05:14 PM

Actually you can find any MAC address by use this tcpdump:

tcpdump -n -e -i ethXX host XX.XX.XX.XX -vv

 

 

0 Kudos
Murad_Elmgbar
Contributor
‎2019-11-06 05:17 PM
In response to Murad_Elmgbar

you can find the MAC address of spoofing address just use the IP & ethx:

tcpdump -n -e -i ethXX host XX.XX.XX.XX -vv

I used it, it's works!!!

0 Kudos
Scott_Chambers
Participant
‎2019-11-11 11:48 AM
In response to Murad_Elmgbar

Murad,

I was looking for the MAC address to be shown in the actual spoof log.....not from a tcpdump 🙂

 

0 Kudos
Wolfgang
Mentor
Mentor
‎2019-11-11 12:37 PM
In response to Scott_Chambers

It‘s not possible to view the MACs in the Longview of Smartconsole.

Wolfgang
0 Kudos