marki
Contributor

Service object shown in logging vs policy

Hey there, maybe someone can point me in the right direction; I'm trying to understand logs.

This is what logging on a specific source ip looks like:

  • flow from .107 to .113 on TCP/102 is allowed and shows "ICCP"
  • flow from .107 to .111 on TCP/102 is rejected and shows a custom service definition (don't know why that was set up for the same port)

The custom service is set to "Match for Any".

Now the questions are
1) Why does the allowed flow show ICCP as the service while rule 156 contains the custom service definition and not ICCP?
2) Why does the rejected flow show the custom service?

Thanks.

(attached screenshot: c1.jpg)

PhoneBoy
Admin

Think of it as a "reverse resolution" issue.
What is stored for a firewall rule log is the connection 5-tuple (among other metadata).
When SmartView renders the log entry, it has to turn the destination port into a service.
Since you have multiple services defined with the same port, it will pick one of them to display.

I assume the resolution process is different for “accept” traffic versus “reject” traffic thus why you see different results.
You could open a TAC case for this, but I suspect this is expected behavior.

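As an added illustration, not Check Point code and not part of either post, the following Python model shows the "reverse resolution" described in the reply: the log keeps only the 5-tuple, so the viewer has to map the destination port back to a service object, and with two objects on TCP/102 that mapping is ambiguous. The service table, the FlowLog shape, the service name "custom_tcp_102", the `match_for_any` flag and the "prefer Match for Any" selection path are all assumptions made for the example; the thread does not say how the real log viewer chooses between candidates. The `port_collisions` function is the practical check: it lists every protocol/port pair that more than one service object claims, which is exactly where a rendered name can differ from the one in the rule.

```python
"""Toy model of log-time service name resolution (constructed example).

A log record stores the connection 5-tuple; rendering maps (protocol,
dst port) back to a service object name. Two objects on TCP/102 make
that mapping ambiguous, as in the thread above.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Service:
    name: str
    proto: str                   # "tcp" or "udp"
    port: int
    match_for_any: bool = False  # hypothetical flag modelling "Match for Any"


# Constructed service table; every name except ICCP is made up for this example.
SERVICES = [
    Service("ICCP", "tcp", 102),
    Service("custom_tcp_102", "tcp", 102, match_for_any=True),
    Service("https", "tcp", 443),
    Service("domain-udp", "udp", 53),
]


@dataclass(frozen=True)
class FlowLog:
    """The fields a rule log keeps: 5-tuple plus action and rule number."""
    src: str
    dst: str
    proto: str
    sport: int
    dport: int
    action: str   # "accept" or "reject"
    rule: int


def services_for(proto, port, services=SERVICES):
    """All service objects that match one protocol/port pair."""
    return [s for s in services if s.proto == proto and s.port == port]


def render_service(log, services=SERVICES, prefer_match_for_any=False):
    """Model of reverse resolution: turn the logged dst port into one name.

    The selection rule is a stand-in (assumption): an optional preference
    for the "Match for Any" object shows how two rendering paths can yield
    different names for the same port. Falls back to proto/port when no
    service object matches.
    """
    candidates = services_for(log.proto, log.dport, services)
    if not candidates:
        return f"{log.proto}/{log.dport}"
    if prefer_match_for_any:
        for s in candidates:
            if s.match_for_any:
                return s.name
    return candidates[0].name


def port_collisions(services=SERVICES):
    """Practitioner check: (proto, port) pairs claimed by more than one
    service object, i.e. where the rendered name can be ambiguous."""
    by_key = defaultdict(list)
    for s in services:
        by_key[(s.proto, s.port)].append(s.name)
    return {k: v for k, v in by_key.items() if len(v) > 1}


if __name__ == "__main__":
    # Addresses are given by last octet only, as in the post; ports constructed.
    allowed = FlowLog(".107", ".113", "tcp", 51000, 102, "accept", 156)
    rejected = FlowLog(".107", ".111", "tcp", 51001, 102, "reject", 0)
    print(render_service(allowed))                              # ICCP
    print(render_service(rejected, prefer_match_for_any=True))  # custom_tcp_102
    print(port_collisions())  # {('tcp', 102): ['ICCP', 'custom_tcp_102']}
```

Run `port_collisions()` against an export of your own service objects to see which ports can show a name other than the one in the matching rule; if a pair appears in the output, the displayed service in the log cannot be used on its own to infer which rule matched, and the rule number should be read instead.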
