This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
D_W
Advisor
‎2025-02-09 12:47 PM

Show logged URL instead of Application/Site

Hi Mates,

something that bugs me a long time.

We use manual created Application/Site-Objects with match by URL List.
Mostly the logs only show now the Application/Site-Object Name instead of one of the matching URLs.

So, Rules match because specific URLs are used .
Search the log for this specific URL - no hits .
Search the log for the IP of this specific URL -> shows hits but with the App-Name 💔.image.png

Best would be to show the matched URL and in WHICH Application/Site-Object (if there is any).
Can we change this behavior or is this an RFE?

Cheers,
Dave

0 Kudos
16 Replies
the_rock
Legend
Legend
‎2025-02-09 01:02 PM

Something like below?

Andy

 

Screenshot_1.png
Preview file
147 KB
0 Kudos
the_rock
Legend
Legend
‎2025-02-09 01:04 PM

Btw, example I gave is from my lab, I just checked one of the logs for "ask" user check rule I created for ssl inspection.

Andy

0 Kudos
D_W
Advisor
‎2025-02-09 01:13 PM
In response to the_rock

Yes.
I sometimes see logs look like this as well. Cannot find one now 😅
In your screenshot you marked the app-name. It shows the URL. I assume there is no object with that URL.
On the right side of your LOG there is a Web Traffic Section. With the URL. That's what I expect.
The various ways of the logs look a like also bugs me 😉 Sometimes one section field is on the lefty sometimes on the righty...

0 Kudos
the_rock
Legend
Legend
‎2025-02-09 01:16 PM
In response to D_W

Even if I do search appi_name:tsn.ca, I get exact same thing. This is R81.20 jumbo 96 lab.

Andy

 

0 Kudos
D_W
Advisor
‎2025-02-09 01:26 PM
In response to the_rock

image.png
Surfing to tsn.ca looks like this for me on Mgmt R81.20 T84. This is not a new issue but today I felt to report it here 😉

 

 

tsn.jpg
Preview file
47 KB
0 Kudos
the_rock
Legend
Legend
‎2025-02-09 01:47 PM
In response to D_W

I cant see any images, sorry. I cant sadly input any "embedded" images any more myself, as it gives me an error I reached 1000 images upload, so has to be attached 🙂

Andy

0 Kudos
D_W
Advisor
‎2025-02-09 01:52 PM
In response to the_rock

I forgot to add it in the post. But now also added it as attachement too 😁

0 Kudos
the_rock
Legend
Legend
‎2025-02-09 01:58 PM
In response to D_W

I see it now 🙂

Not sure what to say, sorry. I checked every log regarding this in my lab in the last 6 months and they all show exactly what I sent you. 

Dont know if it might be worth doing below sk...

Andy

https://support.checkpoint.com/results/sk/sk64280

0 Kudos
D_W
Advisor
‎2025-02-09 02:04 PM
In response to the_rock

hmmm no will not do that yet.
But thanks for breaking your head with me 😀

0 Kudos
the_rock
Legend
Legend
‎2025-02-09 02:11 PM
In response to D_W

K, fair enough...I just had that sk in my notes, but maybe not needed here. I would open TAC case if I were you just to double check everything. If you need me to test anything in my lab, let me know.

Andy

0 Kudos
Timothy_Hall
Legend Legend
Legend
‎2025-02-09 02:08 PM

Have you tried setting Extended Logging on the rule matching the custom site object?  Be warned however that this will log every URL pulled by the browser, and should most definitely NOT be used on generic Internet surfing rules for hundreds or thousands of Internet surfing workstations.

Attend my Gateway Performance Optimization R81.20 course
CET (Europe) Timezone Course Scheduled for July 1-2
D_W
Advisor
‎2025-02-09 02:24 PM
In response to Timothy_Hall

Good idea.
Log was set to "Log"+Accounting.
To not kill the system I tried it now  with Detailed Log + Accounting. I do not think that change a lot at all. Log Details look the same. Already had details like browsing time and in/out packets/bytes etc.

Will have to create  a test rule for this case and the set it to extended log. Will report again when did this.

0 Kudos
the_rock
Legend
Legend
‎2025-02-09 02:39 PM
In response to D_W

For what its worth, I also tested with extended logging option and logs look exactly the same, but let us know if test rule shows you anything different.

Andy

0 Kudos
PhoneBoy
Admin
Admin
‎2025-02-10 11:53 AM

The only way to get the URLs accessed is via Extended Logging on the relevant rule(s).

0 Kudos
the_rock
Legend
Legend
‎2025-02-11 08:39 AM

Hey @D_W 

Did you ever end up opening TAC case for this?

Andy

0 Kudos
Chris_Atkinson
Employee Employee
Employee
‎2025-02-11 02:31 PM
In response to the_rock

So we have the full picture...

Do you currently inspect HTTPS traffic, how is QUIC handled?

Note sk131712 & sk178845 are typically relevant here.

CCSM R77/R80/ELITE
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events
    li.common.scroll-to.top