This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
ABOUT CHECKMATES & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Jeremy_Boselly
Participant
‎2017-12-13 03:51 PM

What field name do you need to include to have LEA return the rule uid of an inline layer rule when a hit occurs?

I'm trying to be able to identify via LEA when an inline rule is being hit.  Currently LEA is only returning the rule uid of the Parent rule.

For example if you had a policy that looked something like:

Rule 1  Action: Inline_Layer_1 

Rule 1.1

Rule 1.2

Rule 1.3

I'd consider Rule 1 the parent rule and Rule 1.1, 1.2, 1.3 the child rules.

Let's say that Rule 1 and Rule 1.1 were hit.

Currently via LEA we are getting the rule uid of Rule 1.  However we're not getting the rule uid of Rule 1.1.  So we can tell how many hits an entire Inline policy is getting (which equals the number of hits of Rule 1), however we're unable to tell via LEA which of the Inline rules are being utilized.

Since you have to tell LEA what fields to include in the data it sends, what identifier do we need to utilize to get LEA to send the rule uid of a child inline rule when hit.

0 Kudos
1 Reply
PhoneBoy
Admin
Admin
‎2017-12-14 03:05 PM

Moving this to https://community.checkpoint.com/community/management/visibility-monitoring?sr=search&searchId=5c7e9...