This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
HristoGrigorov
Mentor
Mentor
‎2020-05-25 09:48 PM

Misleading logs from APPCL

Hello,

This is R80.40 appliance.

I have a custom application/site group, let's name it "Allowed URL" with list of URLs, for example: *.microsoft.com

I have also another group, let's name it "Allowed APP" with list of apps, for example: Microsoft Services

Important to note, "Allowed URL" is not used anywhere in the policy. I am absolutely sure about this. The other group "Allowed APP" is used.

In the logs however I see Application Name reported as "Allowed URL" and when I open log details it will report a match against "Allowed APP" rule.

This is kind of misleading and causes confusion if you attempt to search the logs. They should not report site groups that are not actually used in policy.

0 Kudos
7 Replies
Amir_Senn
Employee
Employee
‎2020-05-26 12:32 AM

A good way to see why they are originating is to open a log containing this group and navigate to the specific rule/rules they're matched on. Perhaps we could understand more.

Kind regards, Amir Senn
Wolfgang
Authority
Authority
‎2020-05-26 12:48 AM

@HristoGrigorov 

interesting...

Sometimes I can see something similar but with services objects. it looks like the log view does not catch all of the whole name.

I'm not sure, but maybe it's something with the space sign in the name.

And I agree, it is really confusing .

Wolfgang

HristoGrigorov
Mentor
Mentor
‎2020-05-26 01:04 AM
In response to Wolfgang

All right, all right, here are some screenshots for a single log entry:

cpa1.PNG

cpa2.PNG

 

0 Kudos
Wolfgang
Authority
Authority
‎2020-05-26 01:18 AM
In response to HristoGrigorov

@HristoGrigorov 

based on your shown screenshots:

"Allowed URLs" is an application/website.

"Allowed Apps" is a rule name.

Something different ?

Wolfgang

0 Kudos
HristoGrigorov
Mentor
Mentor
‎2020-05-26 01:21 AM
In response to Wolfgang

The rule is using group "Allowed Apps" (they happen to have the same name) and not "Allowed URL".

0 Kudos
G_W_Albrecht
Legend Legend
Legend
‎2020-05-26 01:41 AM
In response to HristoGrigorov

Maybe Allowed URLs are a generic CP comment and not a group name - can you test it by changing the group name to Krambambuli ?

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
HristoGrigorov
Mentor
Mentor
‎2020-05-26 01:49 AM
In response to G_W_Albrecht

Umm, that's actually a very nice group name, thank you! 😁

I searched through the logs and it is reporting it only for URLs that are indeed on that URL list.

But for everything to be perfect and complete I am going to change it for the next policy install and see what happens.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events