Prabulingam_N1
Advisor

R80.10 Log Track issue

Dear CheckMates,

I have faced the below issue; kindly advise.

In R80.10 SmartConsole -

1) In "Network Layer" - given Track column as "NONE" for a Firewall rule 

2) In "App Layer" - given Track column for a Rule as "Log/Detailed/Extended" with "Accounting/Connection/Session"

Now I could see the Logs available in Firewall Rule even though Track was set as "NONE".

Would like to know how this happens.

I did try this as well in a Lab environment.

Regards, Prabu

10 Replies
Gomboragchaa
Advisor

Could you provide more information? For example rule details and log screenshot...

0 Kudos
Prabulingam_N1
Advisor

Dear Gomboragchaa,

Please find attached the log screenshot and Firewall/App rule.

Regards, Prabu

0 Kudos
Gomboragchaa
Advisor

Interesting. Have you tried to disable the App Layer rule log?

0 Kudos
Prabulingam_N1
Advisor

Yes, what I could see is as below.

1) When I have only Firewall Blade enabled with Firewall Rule and Track set as "NONE" - No logs found - which is fine condition.

2) When I enable APP/URL blade with App rule and Track set as "log" - I could see Logs - which is weird.

3) When I set Track as "NONE" in both Firewall and App/URL - No logs found - which is fine condition.

0 Kudos
PhoneBoy
Admin

Even though the Network layer didn’t explicitly log, the fact you also accepted and are logging in the App layer means a log entry will be generated for that connection.

The fact the connection is accepted in the Network layer is also reflected in that log entry.

This is expected behavior.

0 Kudos
Prabulingam_N1
Advisor

Yes Dameon.

So the reason I used Track as "NONE" in Firewall rule is since Gateways were sending huge logs and we were unable to pull all logs on a weekly basis in mgmt-IP/SmartView tool.

So we have disabled most of the rules in Firewall, but we cannot disable Track in App rule.

But no luck in the above.

Any other idea or internal configuration for Firewall Log to be blocked for generation and allow only App rule?

Regards, Prabu

0 Kudos
PhoneBoy
Admin

I'm not seeing in your screenshots where log entries are being generated with ONLY the firewall blade.

What you showed were log entries that logged as App Control but reflecting an accept in both layers, which as I said, is expected behavior.

0 Kudos
Prabulingam_N1
Advisor

Attaching

0 Kudos
PhoneBoy
Admin

Like I said before, since you are logging the traffic in one of the layers, a log entry will be generated.

It's aware of both layers that accepted the traffic as a result of this.

I'm not convinced the log entries you are seeing in both screenshots are actually different--I believe they are, in fact, the same log entry.

You should visually inspect the log entries to see if they are actually different log entries or if they are, in fact, the same.

If double log entries are getting created, you should see double the number of logs in the Log and Monitor view than when viewing each individual rule.

That said, I did try to reproduce this with R80.20 Management managing a 1490 gateway (R77.20.81) and did not see the same behavior.

My firewall rule that matched had no logs generated, but my App Control layer did.

Only the App Control rule showed as having matched.

But that could easily be a difference between R77.x and R80.10 and you didn't say what version your gateway is. 

0 Kudos
Prabulingam_N1
Advisor

Yes Dameon,

My Old FW was R80.10 where I could see Logs for Firewall NONE entry.

Also tried with R80.20 - which is good as your result.

Let me again try in R80.10 FW itself to reproduce.

Regards, Prabu
