This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Marco_Valenti
Advisor
‎2018-02-16 03:57 AM
Jump to solution

audit log

Hey all

Has anyone encountered this issue before? searching through the changes in audit log seems that the number of security rule involved by the change is not reported , if you copy the entire message from the audit log you can have a rule uid but is not a very "fast way" to retrieve this information.

Thanks in advance

1 Solution

Accepted Solutions
Tomer_Sole
Mentor
Mentor
‎2018-02-17 10:40 PM
Jump to solution

We decided not to show rule numbers in the audit logs - by design. And I'd like to share this decision.

Remembering a rule number may not be a good practice. Because at any given time, someone can place a rule above it, and then the number is changed.

So this is why when discussing change history, we try not to give the rule number as the "most important property" but rather name, UID, and the policies that hold this rule.  

If you are still interested with what was the number of the rule, you can use this script - https://community.checkpoint.com/thread/6867-how-to-get-all-the-information-about-a-deleted-rule  

Hope this helps

View solution in original post

4 Replies
PhoneBoy
Admin
Admin
‎2018-02-16 09:28 AM
Jump to solution

Perhaps not all the log fields are indexed... 

Are you trying to find what rules changed in a given session?

0 Kudos
Tomer_Sole
Mentor
Mentor
‎2018-02-17 10:40 PM
Jump to solution

We decided not to show rule numbers in the audit logs - by design. And I'd like to share this decision.

Remembering a rule number may not be a good practice. Because at any given time, someone can place a rule above it, and then the number is changed.

So this is why when discussing change history, we try not to give the rule number as the "most important property" but rather name, UID, and the policies that hold this rule.  

If you are still interested with what was the number of the rule, you can use this script - https://community.checkpoint.com/thread/6867-how-to-get-all-the-information-about-a-deleted-rule  

Hope this helps

Marco_Valenti
Advisor
‎2018-02-21 12:21 AM
In response to Tomer_Sole
Jump to solution

Thanks Tomer for the reply , will push customer to name their rule for better understanding of the changes made to a rulebase

0 Kudos
Richard_Carson
Contributor
‎2019-08-14 10:57 PM
In response to Marco_Valenti
Jump to solution

@Tomer_Sole  I can under to a degree not including the rule UID and not the number due the the possibility of the display rule number changing, make some sense. That said, i see other UID with seem to obfuscate troubleshooting or audit actions that have been performed, why for instance would this be necessary

ActionSettings.action: Changed from '6c488338-8eec-xxxx-xxxx-xxxxxxxxxxxx' to '6c488338-xxxx-xxxx-xxxx-xxxxxxxxxxxx'

Where the action has been changed from drop to accept. It doesnt make it easy to see what went on with this particular edit.

 

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events
    li.common.scroll-to.top