This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
HappyByte
Participant
‎2021-03-31 03:35 AM

Missing Log on Log server

Hello,

does anyone experience the following scenario:

TEST SCENARIO:

Logging on VPN server (Mobile Access Blade, 80.30) with Endpoint Security VPN.
t(0) time - Log In with timestamp in Logs
t(1) time - after VPN session timeout (10hours 30min) Re-Authenticated in less than 60 seconds
t(2) time - Log Out with timestamp in Logs

TEST SCENARIO RESULTS:

Checking logs on log server there is missing t(0) timestamp with Log In information
t(1) time - shows Log In with t(1) timestamp in Logs
t(2) time - shows Log Out with t(2) timestamp in Logs

EXPECTED:

t(0) time - Log In with t(0) timestamp
t(1) time - Log In Re-Authenticated with t(1) timestamp
t(2) time - Log Out with t(2) timestamp

In basic scenario, using VPN session for less than VPN Re-authenticate sesson timeout, both LogIn and LogOut are in log results.

GlobalProperties, Remote Access:
Re-authenticate user every: 630min (10h 30min)


thank you.

9 Replies
PhoneBoy
Admin
Admin
‎2021-04-03 03:51 PM

Remote Access VPN can actually be served by either Mobile Access Blade or the VPN blade.
Are you looking for both types of logs when you check for this?
If you have Identity Awareness enabled with Remote Access as one of the identity sources, there should be a log for that association as well.

HappyByte
Participant
‎2021-04-05 12:07 AM
In response to PhoneBoy

Hello PhoneBoy,

yes, both are checked. Normally LogIn and LogOut are logged as part of Mobile Access Blade.

Interesting part is that LogIn in t(0) timestamp was visible in first hours (during 10hours30min period).

Although the LogIn t(0) timestamp is missing there are visible 'Key Install' logs on VPN Blade after t(0) timestamp.

0 Kudos
PhoneBoy
Admin
Admin
‎2021-04-05 01:51 PM
In response to HappyByte

If you can consistently reproduce this, it might be worth a TAC case.

0 Kudos
HappyByte
Participant
‎2021-04-07 09:30 AM
In response to PhoneBoy

Tested and successfully reproduced.

Logged In, t(0) timestamp visible in logs before Re-authentication.

After Re-authentication at t(1), t(0) timestamp disappeared, t(1) visible.

Screenshot: missing LogIn timestamp at 7:35:59

Preview file
35 KB
0 Kudos
PhoneBoy
Admin
Admin
‎2021-04-07 02:10 PM
In response to HappyByte

I think what's actually happening here is that we are updating the original log entry with the new Log In time.
Believe you can confirm this by opening the log card and reviewing it. 

0 Kudos
HappyByte
Participant
‎2021-04-07 11:10 PM
In response to PhoneBoy

Possible. But as stated, expected is to keep original LogIn at t(0) as valuable information.

Solved, using external log server infrastructure.

PhoneBoy
Admin
Admin
‎2021-04-08 08:07 AM
In response to HappyByte

Can you open the log card and confirm what I'm saying?
Whether it should do that or not is a separate question, but I believe this is the intended behavior.

0 Kudos
HappyByte
Participant
‎2021-04-08 08:40 AM
In response to PhoneBoy

I can confirm both log cards (missing one from t(0) and Re-Authenticated at t(1)) have the same Mobile Access Session UID.

0 Kudos
the_rock
MVP Diamond
MVP Diamond
‎2021-04-03 06:53 PM

I think what you wrote makes sense, but I also do agree with phoneboy's response as well.

Best,
Andy
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events