Hey all,
I want to disable the logs on an HTTP/HTTPS firewall rule that generates tons of logs; the goal is to get only the logs generated by the Application Control and URL Filtering blades.
I simply configured the firewall rule track action to "none" but I'm still getting the logs of that rule.
Can someone explain to me why?
Thank you.
Check if the traffic you are seeing being logged belongs to any of the "Implied" rules and if you have "Log Implied Rules" setting enabled:
It's not an implied rule because in the log I see the rule number that is configured to not log.
What does the "rule number" column in the log card say?
I see the rule number that I set to no logging.
Are you sure that you installed that particular policy on that particular gateway?
If you did, please open a ticket so that Check Point Support will be able to investigate.
I have only one cluster of GWs; I'll open a TAC.
Thank you.
Please first check your logs and rulebase regardless of the presented rule number - it may well be that a wrong rule number is reported in the logs, so please double-check with source and dest of the packets.
I'm with Tomer, please open a TAC case so we can investigate.
Try to install database to sync the rule number from the policy with the number represented in the logs. I am not sure if it will help, but I believe it is something that you definitely need to do first and it will not cost you anything.
R77.30 - Go to SmartDashboard -> Menu (top left corner)-> Policy -> Install Database
R80.10 - Go to SmartConsole -> Menu (top left corner) -> Install Database
FYI,
This rule number mismatch in the logs is fixed in R80 and later versions. Install database is not required.
Has anyone fixed this issue? I also have a rule that I changed the "Track" from Log to None. I have tried multiple things without success. Here is what I have tried and what I am seeing:
I have (2) Gateways: one is a 2200 (having issues) and the other is a 3200 (no issue).
I have separate policies for each Gateway.
Changed the Track on both policies from LOG to NONE for DNS traffic.
Pushed both policies; 2200 still logging DNS traffic under Rule #2.
Tried DELETING the rule and re-creating it, thinking there was a database issue or something hung; still didn't fix it.
Any advice would be greatly appreciated.
Just for kicks, please create a duplicate rule by hand under the one that is misfiring.
Disable original rule and install the policy.
Let us know if you are seeing the DNS traffic logged and if the number of hits on the new rule is incrementing.
Yeah, I have already tried that and it adopted the new rule # while logging. I also moved it down the policy a few columns and it followed as well. I am not sure what is going on with this firewall policy.
Just weird: I have the 3200 working fine but the 2200 is not. The only other thing I have noticed is with the HFAs. I have them scheduled to download auto with manual install, but on the 2200 I am still on HFA 70 and when I search either through CPUSE on WebUI or CLI it says I am current??? While the 3200 is at HFA154.
Please post the full log card with the IP addresses (and any other identifying information) redacted. Make sure to expand all sections and show everything on all tabs. Wondering if these logs are coming from some other part of the Access Policy such as Inspection Settings, Geo Policy, Mobile Access, or QoS; perhaps even Implied Rules although Danny mentioned those earlier in the thread.
--
Second Edition of my "Max Power" Firewall Book
Now Available at http://www.maxpowerfirewalls.com
I don't know if I should do a manual update of the CPUSE Agent and HFA, or is there some sort of limitation on the 2200? I did notice the builds are the same, along with the kernel.
Hi,
I just faced this problem on my system, and fixed it like this:
1. I deleted the CleanUp rule and I got the following message at the bottom of the Access List (firewall policy): Missing cleanup rule - Unmatched traffic will be dropped and not be logged.
After this, there are no more logs on the Clean Up rule.
BTW: This happened on a Check Point Maestro system.
Bye,
Petar
Hi,
I just faced this problem on my system, and fixed it like this:
1. I deleted the CleanUp rule and I got the following message at the bottom of the Access List (firewall policy): Missing cleanup rule - Unmatched traffic will be dropped and not be logged.
After this, there are no more logs on the Clean Up rule.
BTW: This is only valid when you have unwanted logging on the cleanup rule.
Bye,
Petar