ChoiYunSoo
Contributor

When I enable Drop Templates, the SmartConsole log looks strange.

Hi

 

Aggressive traffic frequently occurs on customer firewalls.

So I enabled Drop Templates, but the logs in SmartConsole are not normal.

Fields such as src IP and dst IP are not displayed in the SmartConsole log.

And 5 logs are combined and displayed.

As a result of my internal testing, when a specific threshold is exceeded for one template, the logs seem to be aggregated and displayed.

Is there a way to output the logs without consolidating them?

[Attached screenshots: 1.png, 2.png, 3.png, 4.png]

 

G_W_Albrecht
Legend

I would say that makes sense if you look at it from a performance point of view; other logs also drop repeating lines (but give a count instead). In the case of high load on the GW, security and stability take priority over detailed logging 😎

CCSE CCTE CCSM SMB Specialist
ChoiYunSoo
Contributor

Consolidating logs is good for performance, but it can cause problems for troubleshooting in issue situations.

What I'm having trouble with is that, because the logs are consolidated, the result is unsearchable logs.

For example, in the screenshots above, I attacked from the IP 40.40.40.1, and the logs were consolidated into one log once a certain threshold was exceeded.

And after log consolidation had started, I made an additional attack from the IP 40.40.40.2. 40.40.40.2 also remained only as a consolidated log, but no single log existed for it, so I could not query it from SmartConsole.

So I would like to know how to stop consolidating logs via dbedit or a parameter change.

 

_Val_
Admin

This is by design. For more details, look into sk90941.

ChoiYunSoo
Contributor

Can you tell me where the part I asked about is in sk90941?

No matter how I look at it, I can't find that part.

_Val_
Admin

SmartView Tracker logs

The following logs will appear in the SmartView Tracker:

  • Sent every 5 minutes while Optimized Drops feature is active:

    Average window dropped packets per second X, Average total dropped packets per second Y

    where

    • X = average number of drops/sec during the last 30 sec
    • Y = total average number of drops/sec for the entire traffic


  • Sent when Optimized Drops feature is dynamically activated:

    Optimized drops is now active, dropped packets rate is over Z packets per second

    where Z = [(optimize_drops_activation_threshold) x (total average number of drops/sec for the entire traffic)]

  • Sent when Optimized Drops feature is dynamically deactivated:

    Optimized drops is now not active, dropped packets rate is below W packets per second

    where W = [(optimize_drops_deactivation_threshold) x (total average number of drops/sec for the entire traffic)]

 

Notes

  • Calculation of drop rate is per CPU core, therefore also the dynamic activation/deactivation is per CPU core.

  • Setting the values of kernel parameters on-the-fly with fw ctl set int command must be done twice - for IPv4 (with fw ctl set int command) and for IPv6 (with fw6 ctl set int command), unless you want to set the value of a kernel parameter only to specific IP flavor.
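The three message formats quoted from sk90941 above are the only trace a SOC gets of the periods in which Optimized Drops suppressed per-packet drop logs, which is exactly the "unsearchable" window described earlier in this thread. The following is an added example, not code from the thread, from sk90941 or from Check Point: it walks a stream of log text in order, reconstructs each degraded-logging window from the activation, periodic-summary and deactivation messages, and inverts the Z = threshold x Y relationship to estimate the configured activation factor. It assumes the message text appears exactly as quoted in the SK excerpt (real exported logs carry additional fields, which `re.search` ignores); the sample lines and their numbers are constructed for the example.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Patterns for the three Optimized Drops messages described in sk90941.
# re.search is used so timestamps or other log fields before the text do not matter.
ACTIVE_RE = re.compile(
    r"Optimized drops is now active, dropped packets rate is over (\d+) packets per second")
INACTIVE_RE = re.compile(
    r"Optimized drops is now not active, dropped packets rate is below (\d+) packets per second")
WINDOW_RE = re.compile(
    r"Average window dropped packets per second (\d+), "
    r"Average total dropped packets per second (\d+)")


@dataclass
class DegradedWindow:
    """A span during which Optimized Drops was active: individual drop logs are
    suppressed and only the 5-minute summaries (X, Y) are available."""
    start_line: int
    activation_rate: int                       # Z from the activation message
    end_line: Optional[int] = None             # None = still active at end of input
    deactivation_rate: Optional[int] = None    # W from the deactivation message
    samples: List[Tuple[int, int]] = field(default_factory=list)   # (X, Y) per summary


def scan(lines):
    """Return the degraded-logging windows found in an ordered sequence of log lines.

    Because activation is evaluated per CPU core (sk90941 note), a second activation
    message may arrive while a window is already open; it is folded into that window
    rather than starting a new one.
    """
    windows = []
    current = None
    for idx, line in enumerate(lines, 1):
        m = ACTIVE_RE.search(line)
        if m:
            if current is None:
                current = DegradedWindow(start_line=idx, activation_rate=int(m.group(1)))
                windows.append(current)
            continue
        m = INACTIVE_RE.search(line)
        if m and current is not None:
            current.end_line = idx
            current.deactivation_rate = int(m.group(1))
            current = None
            continue
        m = WINDOW_RE.search(line)
        if m and current is not None:
            current.samples.append((int(m.group(1)), int(m.group(2))))
    return windows


def estimate_activation_threshold(window):
    """Estimate optimize_drops_activation_threshold from a window.

    sk90941 gives Z = threshold x Y, so threshold = Z / Y. Y at the exact moment of
    activation is not logged; the Y of the first summary after activation is used as
    the closest available value, so this is an approximation.
    """
    if not window.samples:
        return None
    _, total_avg = window.samples[0]
    return window.activation_rate / total_avg


def peak_window_rate(window):
    """Highest 30-second average drop rate (X) seen during the window, or None."""
    return max((x for x, _ in window.samples), default=None)


# Constructed sample input: numbers are invented for this example, not measurements.
SAMPLE_LOGS = [
    "Optimized drops is now active, dropped packets rate is over 60000 packets per second",
    "Average window dropped packets per second 75000, Average total dropped packets per second 12000",
    "Average window dropped packets per second 40000, Average total dropped packets per second 12500",
    "Optimized drops is now not active, dropped packets rate is below 25000 packets per second",
    "Accept; rule 7; src 10.1.1.5; dst 10.2.2.9; service http",     # unrelated line, ignored
    "Optimized drops is now active, dropped packets rate is over 65000 packets per second",
]

if __name__ == "__main__":
    for w in scan(SAMPLE_LOGS):
        state = "open" if w.end_line is None else f"closed at line {w.end_line}"
        print(f"window from line {w.start_line} ({state}): Z={w.activation_rate}, "
              f"peak X={peak_window_rate(w)}, est. threshold={estimate_activation_threshold(w)}")
```

Run over a real export, the open window at the end of the input is the case worth alerting on: per-packet drop logs for any source are being aggregated at that moment, so a search for a specific attacker IP during that span cannot be expected to return individual records.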
ChoiYunSoo
Contributor

What you posted seems to be different from the symptom I mentioned.

What you posted is a kind of Check Point reporting mechanism.

And just turning off that reporting feature doesn't solve the problem I'm experiencing right now.


Timothy_Hall
Legend

Optimized drops were introduced in R70 and while they work, Check Point's roll-up of the mishmash of quota/deny list/drop template/rate limiting/HLQoS features in R80.20 in my opinion makes this old feature obsolete. Use the SecureXL Penalty Box instead; much better logging, granularity, and performance improvement: sk74520: What is the SecureXL penalty box mechanism for offending IP addresses?

 

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com
ChoiYunSoo
Contributor

I want to use the penalty box, but I can't specify the attacking IP.

Therefore, we are experiencing overall difficulties, such as with rule segmentation.
