Hi,
There's an existing topic on this from Feb 2021 but no solution.
Rule set with track none, but still logging
I've recently added a policy layer to manage geo protection using updatable objects. I wanted to remove logging for the cleanup rule, which is allow any, since all non-matched traffic should be forwarded to the 2nd layer, which is "Network", so I have duplicate logging showing up.
I am using R81.10. Even though Track is "None", the logs are showing. I tried the suggestions in the previous post, but to no avail.
What happens if you delete that explicit cleanup rule and ensure that the Implicit Cleanup Action is set to action Accept under Advanced for that layer? Is there some reason you want to use an explicit cleanup rule without logging it?
Also try deleting everything in the Name column of the explicit rule and see what happens.
Hi,
- Deleted the explicit cleanup rule.
- Changed the implicit cleanup rule to accept for that specific layer.
- Changed Global Properties Track settings to not log implied rules
- Installed policy
Still logging of Implicit Cleanup is showing for that particular layer.
One thing I can think of is the cp_log_export configuration we have to send logs to a destination syslog server, but I would expect that setting not to affect my SmartConsole log settings.
Logging in SmartConsole still occurs:
I remember someone posting about the exact same issue a few months back... let me see if I can find that post and what the solution actually was.
What happens for traffic which matches a rule in the second layer which says not to log? Does it get logged twice, once (if so, on which layer?), or does it not get logged?
I'm wondering if the connection may be logged by all layers if any layer says to log it.
I believe that's what I determined many moons ago when I noticed a similar issue: if a flow matches a rule in any layer that says to log, it will log for all the rules.
Never paid much attention to this problem, but I recall back in R65, whenever I helped someone with this, it always worked when you would set rule not to log. But then, again, there were no layers back then, so not sure if that was the reason why it worked...
Is it possible to request some hotfix for this? Since I have 2 layers, all allowed traffic passes the cleanup allow rule in the Geo Protection layer and then passes the allow rules in the Network layer. I don't want duplicate logging for the same traffic, and it doesn't help to see logs for the cleanup allow rule; the actual rules which determine access to our network/servers are the ones in the Network layer.
That's a very valid request, for sure.
Not sure, but I have a feeling this is an RFE, which would have to be handled through your local Check Point office.
I'll see if I can confirm with R&D.
Thank you 🙏🏻
Anyway, I had to roll back the whole 2nd layer Geo Protection thing and stick to 1 layer because of this. The logging was useless otherwise, since all traffic hit that 1 cleanup accept rule in the Geo layer and didn't log the actual rules from the Network layer, which is the primary/meaningful one.
Just to close the loop on this, what you saw is, in fact, expected behavior.
If a flow matches multiple ordered layers and only one of the matched rules is set to log, you will see a log for all layers.
I'm in this boat too, except I'm only seeing single log entries, and they are part of the "Geopolicy" layer. Its cleanup rule allowing pass thru to the next ordered layer has taken over the logs!