Pedro_Espindola
Advisor

Rules with any Application/Service not logging application in R80.10

Hello everyone,

After upgrading gateway to R80.10 we noticed rules with Application/Service set to Any do not log applications that match the rules. The exact same rules with R77.30 gateway and R80.10 SMS work fine.

We have tried with both shared and separate layers for network and application rules.

We have tried all kinds of tracking and logging, but the result is always the same.

What am I missing?

Accepted Solutions
Eric_Beasley
Employee

What is your clean-up rule in Application ordered layer? That should be set to Accept and I recommend a Detailed logging with its default configuration of Accounting and per Connection enabled:

This should log all traffic and applications if there are no other issues.

Obviously, the gateway handling this ordered policy needs to also have Application Control and URLF blades enabled.

Once you've established that you are logging what you need, unchecking the "per Connection" field will reduce the logs by not explicitly logging the Firewall established connections.

Also ensure that you don't have the Application ordered layer defaulting to an implicit Clean-up rule with drop, which is the default for new layers.

7 Replies
PhoneBoy
Admin

"Any" doesn't require the use of Application Control in order to validate.

The log entries you see will therefore show as being accepted by the Firewall and won't have the Application information in it.

The information is still there, but you have to drill into the log entry to find it.

See the following example:

Pedro_Espindola
Advisor

I do not get this information.

In the Session tab, Blade is always Firewall.

Application/Site section does not show.

SmartEvent shows only YouTube in Accepted Applications list because there is a specific rule accepting it.

I will open an SR, but I believe the problem is in my understanding rather than an issue with my gateway.

[Screenshots: Log - Session Tab; Log - Rules Tab]

PhoneBoy
Admin

In my case, my App Control rule is actually in a sub-policy:

  1. Rule 2 leading to the sub policy is something like:
    • Source: Subnet-A
    • Destination: Internet
    • Service: Any
    • Action: Outbound Policy
  2. Rule 2.4 is a simple "specified hosts/any/any/allow" with Extended Logging enabled.
Pedro_Espindola
Advisor

I missed the detailed logging option. Thank you, Dameon!

Pedro_Espindola
Advisor

Detailed logging did the trick! I had only Accounting enabled.

I opened that window a thousand times and didn't see that. Neither did my colleagues.

Thank you, Eric!

TheRealDiZ
Collaborator

Hi @Eric_Beasley,

If I put services in a specific rule, will the firewall be able to log the relevant application?

I'm just trying to create a new rule set from R77.30 to R80.30, but in this phase of the migration I prefer to leave the configured rules exactly the same and, in a second phase, to change them with the relevant apps.

How can I accomplish this? (Obviously I cannot put Any in the service/app column field, and obviously the ordered layer will have APCL enabled.)

Let me know, guys, if you have any suggestions/tips.


D!Z
