Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Ni_c
Contributor

MAC Info is missing in Log Profile

Hi Mates,

I have a problem seeing MAC address information in the Logs though MAC address feature is added to the profile. Could anyone help me finding it or if I missed anything in here. 

Thanks in advance. 

8 Replies
PhoneBoy
Admin
Admin

What you're editing is what log fields show.

That does not reflect what information is actually logged.

In the regular Firewall/Access Policy, MAC addresses are not something we filter on nor is it something we log.

The only part of the product that appears to log MAC addresses at all is Mobile Access and even then it is only the client MAC.

Timothy_Hall
Legend Legend
Legend

To further expand on what Dameon said, I'm pretty sure that by the time the Check Point INSPECT driver/engine on the gateway receives the IP packet for inspection, the underlying Gaia/Linux NIC driver has already removed the Ethernet framing containing the MAC addresses.  This is why one must use tcpdump to see MAC addresses (-e option) in a packet capture situation, and they will not be displayed when using fw monitor.

--
Second Edition of my "Max Power" Firewall Book
Now Available at http://www.maxpowerfirewalls.com

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com
_Val_
Admin
Admin

As Dameon mentioned already, logging Layer 2 info is a rare case for Check Point products. Firewalling is done on Layer 3 and above. 

0 Kudos
Scott_Chambers
Participant

What about logging MAC address information in address spoofing alert?    Is that something that is possible to log or is it only possible to run a tcpdump and try to capture in real time?

 

0 Kudos
Murad_Elmgbar
Contributor

Actually you can find any MAC address by use this tcpdump:

tcpdump -n -e -i ethXX host XX.XX.XX.XX -vv

 

 

0 Kudos
Murad_Elmgbar
Contributor

you can find the MAC address of spoofing address just use the IP & ethx:

tcpdump -n -e -i ethXX host XX.XX.XX.XX -vv

I used it, it's works!!!

0 Kudos
Scott_Chambers
Participant

Murad,

I was looking for the MAC address to be shown in the actual spoof log.....not from a tcpdump 🙂

 

0 Kudos
Wolfgang
Authority
Authority

It‘s not possible to view the MACs in the Longview of Smartconsole.

Wolfgang
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events