D_W
Advisor

Show logged URL instead of Application/Site

Hi Mates,

Something that has bugged me for a long time.

We use manually created Application/Site-Objects with match by URL List.
Mostly, the logs now only show the Application/Site-Object name instead of one of the matching URLs.

So, rules match because specific URLs are used.
Search the log for this specific URL -> no hits.
Search the log for the IP of this specific URL -> shows hits but with the App-Name 💔.

Best would be to show the matched URL and in WHICH Application/Site-Object (if there is any).
Can we change this behavior or is this an RFE?

Cheers,
Dave

the_rock
Legend

Something like below?

Andy

 

the_rock
Legend

Btw, example I gave is from my lab, I just checked one of the logs for "ask" user check rule I created for ssl inspection.

Andy

D_W
Advisor

Yes.
I sometimes see logs look like this as well. Cannot find one now 😅
In your screenshot you marked the app-name. It shows the URL. I assume there is no object with that URL.
On the right side of your LOG there is a Web Traffic Section. With the URL. That's what I expect.
The various ways the logs look also bug me 😉 Sometimes one section field is on the lefty, sometimes on the righty...

the_rock
Legend

Even if I do search appi_name:tsn.ca, I get the exact same thing. This is R81.20 jumbo 96 lab.

Andy

 

D_W
Advisor

Surfing to tsn.ca looks like this for me on Mgmt R81.20 T84. This is not a new issue, but today I felt like reporting it here 😉

 

 

the_rock
Legend

I can't see any images, sorry. Sadly, I can't input any "embedded" images any more myself, as it gives me an error that I reached 1000 image uploads, so it has to be attached 🙂

Andy

D_W
Advisor

I forgot to add it in the post. But now I have also added it as an attachment 😁

the_rock
Legend

I see it now 🙂

Not sure what to say, sorry. I checked every log regarding this in my lab in the last 6 months and they all show exactly what I sent you. 

Don't know if it might be worth doing the sk below...

Andy

https://support.checkpoint.com/results/sk/sk64280

D_W
Advisor

hmmm no will not do that yet.
But thanks for breaking your head with me 😀

the_rock
Legend

K, fair enough... I just had that sk in my notes, but maybe it is not needed here. I would open a TAC case if I were you, just to double check everything. If you need me to test anything in my lab, let me know.

Andy

Timothy_Hall
Legend

Have you tried setting Extended Logging on the rule matching the custom site object?  Be warned however that this will log every URL pulled by the browser, and should most definitely NOT be used on generic Internet surfing rules for hundreds or thousands of Internet surfing workstations.

Attend my 60-minute "Be your Own TAC: Part Deux" Presentation
Exclusively at CPX 2025 Las Vegas Tuesday Feb 25th @ 1:00pm
D_W
Advisor

Good idea.
Log was set to "Log" + Accounting.
To not kill the system, I tried it now with Detailed Log + Accounting. I do not think that changes a lot at all. Log details look the same. It already had details like browsing time and in/out packets/bytes etc.

I will have to create a test rule for this case and then set it to extended log. Will report again when I have done this.

the_rock
Legend

For what it's worth, I also tested with the extended logging option and the logs look exactly the same, but let us know if the test rule shows you anything different.

Andy
