Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
HristoGrigorov

Misleading logs from APPCL

Hello,

This is R80.40 appliance.

I have a custom application/site group, let's name it "Allowed URL" with list of URLs, for example: *.microsoft.com

I have also another group, let's name it "Allowed APP" with list of apps, for example: Microsoft Services

Important to note, "Allowed URL" is not used anywhere in the policy. I am absolutely sure about this. The other group "Allowed APP" is used.

In the logs however I see Application Name reported as "Allowed URL" and when I open log details it will report a match against "Allowed APP" rule.

This is kind of misleading and causes confusion if you attempt to search the logs. They should not report site groups that are not actually used in policy.

0 Kudos
7 Replies
Amir_Senn
Employee
Employee

A good way to see why they are originating is to open a log containing this group and navigate to the specific rule/rules they're matched on. Perhaps we could understand more.

Kind regards, Amir Senn
Wolfgang
Authority
Authority

@HristoGrigorov 

interesting...

Sometimes I can see something similar but with services objects. it looks like the log view does not catch all of the whole name.

I'm not sure, but maybe it's something with the space sign in the name.

And I agree, it is really confusing .

Wolfgang

HristoGrigorov

All right, all right, here are some screenshots for a single log entry:

cpa1.PNG

cpa2.PNG

 

0 Kudos
Wolfgang
Authority
Authority

@HristoGrigorov 

based on your shown screenshots:

"Allowed URLs" is an application/website.

"Allowed Apps" is a rule name.

Something different ?

Wolfgang

0 Kudos
HristoGrigorov

The rule is using group "Allowed Apps" (they happen to have the same name) and not "Allowed URL".

0 Kudos
G_W_Albrecht
Legend Legend
Legend

Maybe Allowed URLs are a generic CP comment and not a group name - can you test it by changing the group name to Krambambuli ?

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
HristoGrigorov

Umm, that's actually a very nice group name, thank you! 😁

I searched through the logs and it is reporting it only for URLs that are indeed on that URL list.

But for everything to be perfect and complete I am going to change it for the next policy install and see what happens.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events