Re: Rule set with track none, but still logging #2

erann · ‎2021-08-23

Hi,

There's an existing topic on this from Feb 2021 but no solution.

Rule set with track none, but still logging

I've recently added a policy layer to manage geo protection using updatable objects, I wanted to remove logging for the cleanup rule which is allow any since all non-matched traffic should be forwarded to the 2nd layer which is "Network" so I have duplicate logging showing up.

I am using R81.10 , even though Track is "None" , the logs are showing, I tried the suggestions in the previous post, but to no avail.

Timothy_Hall · ‎2021-08-24

What happens if you delete that explicit cleanup rule and ensure that the Implicit Cleanup Action is set to action Accept under Advanced for that layer? Is there some reason you want to use an explicit cleanup rule without logging it?

Also try deleting everything in the Name column of the explicit rule and see what happens.

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com

erann · ‎2021-08-24

Hi,

- Deleted the explicit cleanup rule.
- Changed the implicit cleanup rule to accept for that specific layer.
- Changed Global Properties Track settings to not log implied rules
- Installed policy

Still logging of Implicit Cleanup is showing for that particular layer.

One thing I can think of is the cp_log_export configuration we have to send logs to a destination syslog server, but I would expect that setting not to effect my SmartConsole log settings.

Logging in SmartConsole still occurs:

the_rock · ‎2021-08-24

I remember someone posting about exact same issue few months back...let me see if I can find that post and what the solution actually was.

Bob_Zimmerman · ‎2021-08-24

What happens for traffic which matches a rule in the second layer which says not to log? Does it get logged twice, once (if so, on which layer?), or does it not get logged?

I'm wondering if the connection may be logged by all layers if any layer says to log it.

PhoneBoy · ‎2021-08-24

I believe that's what I determined many moons ago when I noticed a similar issue: if a flow matches a rule in any layer that says to log, it will log for all the rules.

the_rock · ‎2021-08-24

Never paid much attention to this problem, but I recall back in R65, whenever I helped someone with this, it always worked when you would set rule not to log. But then, again, there were no layers back then, so not sure if that was the reason why it worked...

erann · ‎2021-08-24

Is it possible to request some hotfix for this? Since I have 2 layers, all allowed traffic passes the cleanup allow rule in the Geo Protection layer and then passes the allow rules in the Network layer. I don't want duplicate logging for the same traffic, and it doesn't help to see logs for the cleanup allow rule, the actual rules which determine access to our network/servers are the ones in the Network layer.

the_rock · ‎2021-08-25

Thats very valid request, for sure.

PhoneBoy · ‎2021-08-25

Not sure, but I have a feeling this is an RFE, which would have to be handled through your local Check Point office.
I'll see if I can confirm with R&D.

erann · ‎2021-08-25

Thank you 🙏🏻

Anyway, I had to rollback the whole 2nd layer Geo Protection thing and stick to 1 layer because of this, the logging was useless otherwise since all traffic hit that 1 cleanup accept rule in the Geo layer and didnt log the actual rules from the Network layer which is the primary/meaningful one.

PhoneBoy · ‎2021-08-26

Just to close the loop on this, what you saw is, in fact, expected behavior.
If a flow matches multiple ordered layers and only one of the matched rules is set to log, you will see a log for all layers.

dphonovation · ‎2022-10-14

I'm in this boat too, except I'm only seeing Single log entries - and they are part of the "Geopolicy" layer". Its cleanup rule allowing pass thru to the next ordered layer has taken over the logs!

Are you a member of CheckMates?

Rule set with track none, but still logging #2