Runan_Chaung
Participant

Traffic calculations question

environment:

R80.20 on HP Server Gen10

bridge mode

I have some question about traffic log and calculations.

1. When the Application Name is "Unknown Traffic", the traffic log display is wrong.

2. And I found some logs that display nothing about traffic.

3. When I use a view or report to calculate traffic, I cannot calculate by destination IP address.

log: [screenshot of the log]

view: [screenshot of the view]

How could I change my configuration and make it right?

15 Replies
PhoneBoy
Admin

While I'm not 100% sure what you're asking with all of these questions, I believe they are all variants of:

  • How sessions are tracked
    • By default, related traffic is automatically summarized into a single session.
    • If there is a pause in traffic (over 15 minutes, I believe), you will see a new session
  • How applications are tracked.
    • The things you highlight in question #2 should show at the very least as Web Traffic, but it depends on exactly what rule matched the traffic, what blades were active in the relevant policy layer, and if Extended or Detailed logging is used in the rule.
  • Comparing log data versus SmartEvent data
    • Logs will only show individual sessions.
    • If you want to see aggregate data, SmartEvent is the correct tool. 
Runan_Chaung
Participant

The rule is "any to any" pass and extended logging is used.

Active Blades: NGTX Package

question #1: One session categorized "Unknown Traffic", total bytes is 394.8 KB.

                     It has 12 connections; the summarized total bytes are more than 1.3 GB.

question #2: One session categorized "Weiyun", total bytes is nothing.

                     It has 2 connections; the summarized total bytes are 19.1 KB.

I don't think it's normal behavior.

question #3: One session categorized "Windows Update", destination is "52.175.39.99".

                     SmartEvent aggregates data by Application only; it can't aggregate data by destination (connection destination IP address).

                       Is it normal?

0 Kudos
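The discrepancy described in questions #1 and #2 (a session's logged byte count that does not equal the sum of its connections) and the wish in question #3 (totals per destination IP) can both be checked offline against exported log records. The following is an added example, not code from the thread or from Check Point: it parses constructed key=value records whose field names (`type`, `id`, `app`, `dst`, `bytes`) and values are assumptions rather than the real log schema, flags every session whose logged bytes are missing or differ from its summed connections, and aggregates connection bytes by any field, so the same data can be totalled by `app` or by `dst`.

```python
import re
from collections import defaultdict

# Constructed sample log, loosely modelled on a key=value log export.
# Field names and values are assumptions for this example, not a real schema.
# s1: session bytes far below its connections; s2: session bytes absent;
# s3: session and connections agree. The 52.175.39.99 address is the one
# quoted in the thread; the 198.51.100.x addresses are documentation ranges.
SAMPLE_LOG = """\
type=session id=s1 app="Unknown Traffic" dst=198.51.100.10 bytes=394800
type=connection id=s1 app="Unknown Traffic" dst=198.51.100.10 bytes=600000
type=connection id=s1 app="Unknown Traffic" dst=198.51.100.10 bytes=500000
type=connection id=s1 app="Unknown Traffic" dst=198.51.100.10 bytes=300000
type=session id=s2 app="Weiyun" dst=198.51.100.20
type=connection id=s2 app="Weiyun" dst=198.51.100.20 bytes=10000
type=connection id=s2 app="Weiyun" dst=198.51.100.20 bytes=9100
type=session id=s3 app="Windows Update" dst=52.175.39.99 bytes=12000
type=connection id=s3 app="Windows Update" dst=52.175.39.99 bytes=5000
type=connection id=s3 app="Windows Update" dst=52.175.39.99 bytes=7000
"""

# key=value pairs; a value is either a quoted string (may contain spaces)
# or a run of non-whitespace characters.
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_line(line):
    """Parse one key=value record into a dict of string fields."""
    return {key: quoted or bare for key, quoted, bare in FIELD_RE.findall(line)}


def parse_log(text):
    """Parse every non-empty line of a log export."""
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def reconcile_sessions(records):
    """Compare each session's logged byte count with the sum of its connections.

    Returns {session_id: (logged_bytes or None, summed_bytes, status)} where
    status is "ok", "mismatch", or "missing" (session carried no byte count).
    """
    logged = {}
    summed = defaultdict(int)
    for rec in records:
        if rec["type"] == "session":
            logged[rec["id"]] = int(rec["bytes"]) if "bytes" in rec else None
        elif rec["type"] == "connection":
            summed[rec["id"]] += int(rec.get("bytes", 0))

    result = {}
    for sid in logged.keys() | summed.keys():
        logged_bytes, summed_bytes = logged.get(sid), summed[sid]
        if logged_bytes is None:
            status = "missing"
        elif logged_bytes == summed_bytes:
            status = "ok"
        else:
            status = "mismatch"
        result[sid] = (logged_bytes, summed_bytes, status)
    return result


def aggregate_bytes(records, field):
    """Sum connection-level bytes grouped by an arbitrary field (e.g. 'dst', 'app')."""
    totals = defaultdict(int)
    for rec in records:
        if rec["type"] == "connection":
            totals[rec[field]] += int(rec.get("bytes", 0))
    return dict(totals)


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for sid, (logged_bytes, summed_bytes, status) in sorted(reconcile_sessions(recs).items()):
        print(f"{sid}: session={logged_bytes} connections={summed_bytes} -> {status}")
    for dst, total in sorted(aggregate_bytes(recs, "dst").items()):
        print(f"{dst}: {total} bytes")
```

Summing the connection records rather than trusting the session summary is the point: the session row is the summarized view, and where the two disagree, the connection rows are the evidence to hand to support alongside the SR.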
PhoneBoy
Admin

Those blades can be active on the gateway but not active in the layer where the traffic was matched.

Not clear from the information you've provided so far this is the case.

Given we probably need to see sensitive data to troubleshoot this, it's probably best to work with the TAC on this (at least for #1 and #2).

See: How To Open a Case with TAC and/or Account Services

For #3, I don't believe the default reports will do this, but I think you can create one that does this.

Curious why you want the specific destination IP and doing by application isn't quite enough, though (especially if you're using Windows Update as an example).

0 Kudos
Runan_Chaung
Participant

Update Status!

Already with TAC through my support for over 30 days, but I still don't get any response.

Another vendor should be better?

0 Kudos
PhoneBoy
Admin

If you can tell me what the SR is, I can have someone look into it.
0 Kudos
Runan_Chaung
Participant

Over 8 months, and the question is still not resolved.
My support told me Check Point R&D confirmed the question but won't fix it.
If you still use Check Point, do not upgrade to R80.
Just telling the truth; believe it or not depends on your lab.
0 Kudos
PhoneBoy
Admin

R77.30 is End of Support now, so I wouldn't recommend this course of action.
Can you provide the SR number (perhaps in a Private Message) so I can investigate this?
0 Kudos
Runan_Chaung
Participant

I don't know the SR number. My support is Systex in Taiwan. I discussed this issue with a Check Point Taiwan engineer (even with Check Point R&D).

R&D say: logs are 99% accurate, but my case is not, and another is the same.

Tested R80.20 and R80.30 (both kernel 2.6 & 3.1), not resolved.

0 Kudos
PhoneBoy
Admin

When you say "logs are 99% accuracy but my case is not", what evidence are you using to support that statement?
Also, I am still really curious why you want to do this by destination IP... can you explain why this is interesting?

0 Kudos
Runan_Chaung
Participant

1. All the evidence I have was already submitted to Check Point. The response I received from my support is "won't fix the issue".

2. Why am I interested in destination IP? Because I cannot get the right traffic value by Application (because of this issue), so I think maybe I have another solution to get the right traffic. Unfortunately, the answer is no.

0 Kudos
PhoneBoy
Admin

Your support partner should be able to provide the relevant SR number they opened with Check Point.

Why is the amount of traffic to a specific destination IP interesting at all?
Or more importantly, what is the real question you're trying to answer and why?

0 Kudos
Runan_Chaung
Participant

The problem is: "Traffic calculation by 'Application Name' is not correct."

Trying to find another way to get the right value, for example using the destination IP address.

If traffic calculation by "Application Name" were correct, destination IP address would not be a problem.

0 Kudos
PhoneBoy
Admin

Destination IP is one way to approach it, but how do you know the traffic is entirely the application you care about?
Or is that just an assumption on your part?

In any case, the data from the SR is probably needed to go much further on this.
0 Kudos
HeikoAnkenbrand
Champion

Hi @Runan_Chaung

"Unknown traffic" is non-HTTP traffic that does not match anything via PSL in your current application database (for more on PSL, read R80.x - Security Gateway Architecture (Logical Packet Flow) or R80.x - Security Gateway Architecture (Content Inspection)). Logs for unknown traffic should be examined carefully to understand what is behind them. Traffic that results in such a log could be the product of a protocol that is not yet supported, anonymized traffic which uses a proprietary protocol, or even a mis-detected supported protocol or application.

In general, once the unknown traffic has been inspected and categorized correctly, it is recommended you block such traffic facing the Internet and continue to monitor internal traffic.

Note: 

Unknown traffic will be matched on rules containing "Any Recognized" in addition to specific rules.

---

Did you install the last hotfix?

---

I think it's a problem with your service partner. If nothing happens here for several days, he can press the escalation button. Now the escalation manager should look at the case:-) If still nothing happens, contact your local Check Point partner.


➜ CCSM Elite, CCME, CCTE
Gantogtokh
Explorer

What does Unknown Traffic mean?

0 Kudos