This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Prabulingam_N1
Advisor
‎2018-11-22 12:01 AM

R80.10 Log Track issue

Dear CheckMates,

I have faced below issue and kindly advise.

In R80.10 SmartConsole -

1) In "Network Layer" - given Track column as "NONE" for a Firewall rule 

2) In "App Layer" - given Track column for a Rule as "Log/Detailed/Extended" with "Accounting/Connection/Session"

Now I could see the Logs available in Firewall Rule even though Track was set as "NONE".

Would like to know how this happens.

I did try this as well in Lab environment.

Regards, Prabu

10 Replies
Gomboragchaa
Advisor
‎2018-11-22 12:56 AM

Could you provide more information? For example rule details and log screenshot...

0 Kudos
Prabulingam_N1
Advisor
‎2018-11-22 02:33 AM
In response to Gomboragchaa

Dear Gomboragchaa,

Please find attached log screenshot and Firewall/App rule

Regards, Prabu

Preview file
606 KB
0 Kudos
Gomboragchaa
Advisor
‎2018-11-22 03:34 AM
In response to Prabulingam_N1

Interesting, Have you tried to disable App Layer rule log? 

0 Kudos
Prabulingam_N1
Advisor
‎2018-11-22 03:43 AM
In response to Gomboragchaa

Yes, what I could see as below.

1) When I have only Firewall Blade enabled with Firewall Rule and Track set as "NONE" - No logs found - which is fine condition.

2) When I enable APP/URL blade with App rule and Track set as "log" - I could see Logs -which is weird.

3) When I set Track as "NONE" in both Firewall and App/URL - No logs found - which is fine condition.

0 Kudos
PhoneBoy
Admin
Admin
‎2018-11-22 10:34 AM

Even though the Network layer didn’t explicitly log, the fact you also accepted and logging in the App layer means a log entry will be generated for that connection.

The fact the connection is accepted in the Network layer is also reflected in that log entry.

This is expected behavior.

0 Kudos
Prabulingam_N1
Advisor
‎2018-11-22 10:23 PM
In response to PhoneBoy

Yes Dameon.

So the reason I used Track as "NONE' in Firewall rule is since Gateways were sending huge logs and unable to pull all logs for weekly basis in mgmt-IP/SmartView tool.

So we have disabled most of rule in Firewall, but we cannot disable Track in App rule.

But no luck in the above.

Any another idea or internal configuration for Firewall Log to be blocked for generation and allow only App rule?

Regards, Prabu

0 Kudos
PhoneBoy
Admin
Admin
‎2018-11-23 08:45 AM
In response to Prabulingam_N1

I'm not seeing in your screenshots where log entries are being generated with ONLY the firewall blade.

What you showed were log entries that logged as App Control but reflecting an accept in both layers, which as I said, is expected behavior,

0 Kudos
Prabulingam_N1
Advisor
‎2018-11-24 06:27 AM
In response to PhoneBoy

Attaching

0 Kudos
PhoneBoy
Admin
Admin
‎2018-11-24 01:57 PM
In response to Prabulingam_N1

Like I said before, since you are logging the traffic in one of the layers, a log entry will be generated.

It's aware of both layers that accepted the traffic as a result of this.

I'm not convinced the log entries you are seeing in both screenshots are actually different--I believe they are, in fact, the same log entry.

You should visually inspect the log entries to see if they are actually different log entries or if they are, in fact, the same.

If double log entries are getting created, you should see double the number of logs in the Log and Monitor view than when viewing each individual rule.

That said, I did try to reproduce this with R80.20 Management managing a 1490 gateway (R77.20.81) and did not see the same behavior.

My firewall rule that matched had no logs generated, but my App Control layer did.

Only the App Control rule showed as having matched.

But that could easily be a difference between R77.x and R80.10 and you didn't say what version your gateway is. 

0 Kudos
Prabulingam_N1
Advisor
‎2018-11-27 04:36 AM
In response to PhoneBoy

Yes Dameon,

My Old FW was R80.10 where I could see Logs for Firewall NONE entry.

Also tried with R80.20 - which is good as your result.

Let me again try in R80.10 FW itself to reproduce.

Regards, Prabu

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events