Show logged URL instead of Application/Site

D_W · ‎2025-02-09

Hi Mates,

something that bugs me a long time.

We use manual created Application/Site-Objects with match by URL List.
Mostly the logs only show now the Application/Site-Object Name instead of one of the matching URLs.

So, Rules match because specific URLs are used ✅.
Search the log for this specific URL - no hits ❌.
Search the log for the IP of this specific URL -> shows hits but with the App-Name 💔.

Best would be to show the matched URL and in WHICH Application/Site-Object (if there is any).
Can we change this behavior or is this an RFE?

Cheers,
Dave

the_rock · ‎2025-02-09

Something like below?

Andy

the_rock · ‎2025-02-09

Btw, example I gave is from my lab, I just checked one of the logs for "ask" user check rule I created for ssl inspection.

Andy

D_W · ‎2025-02-09

Yes.
I sometimes see logs look like this as well. Cannot find one now 😅
In your screenshot you marked the app-name. It shows the URL. I assume there is no object with that URL.
On the right side of your LOG there is a Web Traffic Section. With the URL. That's what I expect.
The various ways of the logs look a like also bugs me 😉 Sometimes one section field is on the lefty sometimes on the righty...

the_rock · ‎2025-02-09

Even if I do search appi_name:tsn.ca, I get exact same thing. This is R81.20 jumbo 96 lab.

Andy

D_W · ‎2025-02-09

Surfing to tsn.ca looks like this for me on Mgmt R81.20 T84. This is not a new issue but today I felt to report it here 😉

the_rock · ‎2025-02-09

I cant see any images, sorry. I cant sadly input any "embedded" images any more myself, as it gives me an error I reached 1000 images upload, so has to be attached 🙂

Andy

D_W · ‎2025-02-09

I forgot to add it in the post. But now also added it as attachement too 😁

the_rock · ‎2025-02-09

I see it now 🙂

Not sure what to say, sorry. I checked every log regarding this in my lab in the last 6 months and they all show exactly what I sent you.

Dont know if it might be worth doing below sk...

Andy

https://support.checkpoint.com/results/sk/sk64280

D_W · ‎2025-02-09

hmmm no will not do that yet.
But thanks for breaking your head with me 😀

the_rock · ‎2025-02-09

K, fair enough...I just had that sk in my notes, but maybe not needed here. I would open TAC case if I were you just to double check everything. If you need me to test anything in my lab, let me know.

Andy

Timothy_Hall · ‎2025-02-09

Have you tried setting Extended Logging on the rule matching the custom site object? Be warned however that this will log every URL pulled by the browser, and should most definitely NOT be used on generic Internet surfing rules for hundreds or thousands of Internet surfing workstations.

Attend my online "Be your Own TAC: Part Deux" CheckMates event
March 27th with sessions for both the EMEA and Americas time zones

D_W · ‎2025-02-09

Good idea.
Log was set to "Log"+Accounting.
To not kill the system I tried it now with Detailed Log + Accounting. I do not think that change a lot at all. Log Details look the same. Already had details like browsing time and in/out packets/bytes etc.

Will have to create a test rule for this case and the set it to extended log. Will report again when did this.

the_rock · ‎2025-02-09

For what its worth, I also tested with extended logging option and logs look exactly the same, but let us know if test rule shows you anything different.

Andy

PhoneBoy · ‎2025-02-10

The only way to get the URLs accessed is via Extended Logging on the relevant rule(s).

the_rock · ‎2025-02-11

Hey @D_W

Did you ever end up opening TAC case for this?

Andy

Chris_Atkinson · ‎2025-02-11

So we have the full picture...

Do you currently inspect HTTPS traffic, how is QUIC handled?

Note sk131712 & sk178845 are typically relevant here.

CCSM R77/R80/ELITE

Are you a member of CheckMates?

Show logged URL instead of Application/Site