This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Daniel_Westlund
Collaborator
Collaborator
‎2019-06-21 08:21 AM

Unable to filter out Network Access Rule Number in logs

I'm trying to migrate a customer into using an inline policy. To do this, I've added the inline rules, and kept the Application layer there as well to catch what I missed. Now I need to remove the Application layer. To do that, I click on a rule, look at the logs for the rule, and filter on the column Access Rule Number in order to see if I missed any inline rules.

accept-log1.jpg

The problem is that for drops, which are the most important, the Access Rule Number column doesn't show the Network Rule, but the Application Rule.

drop-log1.jpg

I know this info (the Network rule) is there because if I drill down into the log, I see it in the Matched Rules tab.

drop-log-match-rules.JPG

But, there are millions of logs so rather than look into each one, I'd like a way to filter them out like I filter the accepts by Access Rule Number in the first screenshot. I've looked at the columns available in the profiles and don't see anything that would give me the Network Rule the traffic is using when it gets dropped on the Application Rule.  If I don't add an inline drop for the relevant rules, like 144 above, then users can get out to blocked sites.  If I keep the Application layer in place, then the Inline rules are not making the policy more efficient.  Any ideas how I can find the rules that I need to add the block rule on inline?

0 Kudos
2 Replies
Dror_Aharony
Employee Alumnus
Employee Alumnus
‎2019-06-23 02:43 AM

Hi Daniel (Nickel),

You can easily filter-out the FW layer rules by using either the NOT <rule_name> or the NOT rule:<no.>

using the rule_name is better, as it’s more specific, assuming you have unique names to your rules.

‘Current Rule Box’ (of relevant APPI rule) NOT <rule_name_in_free_text>

example: ‘Current Rule Box’ NOT "FW Accept rule 1"

This way, you can just open 1 log for each such rule. Check the matching FW rule name in Matched-Rules tab & easily filter all these rules’ logs out & continue to next rule.

Daniel_Westlund
Collaborator
Collaborator
‎2019-06-24 10:14 AM
In response to Dror_Aharony

Great call on this.  I couldn't get it to work with rule name, but it worked on rule number for me.  Thanks for the help.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events