This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Max_Baumgarten
Contributor
‎2020-01-30 09:01 AM

1550 - Syslog Server - Where's the "Action"?

Hey All,

I'm currently using a checkpoint 1550 configured to send System and Security logs to a simple Ubuntu server running rsyslog.

Going through the logs on the Ubuntu server, it seems like the 1550 is not sending any "Action" information for any of the logs, whether its Drop or Accept.  

Simple Ping that should be Dropped:

Jan 30 11:16:14 Jan 30 11:16:11--5:00 
10.x.x.x
inzone="External" 
outzone="Local" 
service_id="ICMP" 
ICMP="Echo Request" 
src="207.xxx.xxx.xxx" 
dst="128.xxx.xxx.xxx" 
proto="1" 
ICMP Type="8" 
ICMP Code="0" 
user="" 
src_user_name="" 
src_machine_name="" 
src_user_dn=""
snid="" 
dst_user_name="" 
dst_machine_name="" 
dst_user_dn="" 
UP_match_table="TABLE_START" 
ROW_START="0" 
match_id="5" 
layer_uuid="9fced3b3-5da9-494d-b7f1-3242694d99f8" 
layer_name="internal" 
rule_uid="00000780-0000-0000-0000-000000000000" 
rule_name="Incoming/Internal Default Policy"
ROW_END="0"
UP_match_table="TABLE_END" 
ProductName="VPN-1 & FireWall-1" 
ProductFamily=""

 Simple Ping that should be Accepted:

Jan 30 11:24:34 Jan 30 11:24:33--5:00
10.x.x.x 
inzone="Internal" 
outzone="Local" 
service_id="ICMP" 
ICMP="Echo Request" 
src="10.x.x.x" 
dst="10.x.x.x" 
proto="1" 
ICMP Type="8"
ICMP Code="0" 
user="" 
src_user_name=""
src_machine_name=""
src_user_dn=""
snid=""
dst_user_name=""
dst_machine_name=""
dst_user_dn=""
UP_match_table="TABLE_START"
ROW_START="0"
match_id="5"
layer_uuid="9fced3b3-5da9-494d-b7f1-3242694d99f8" 
layer_name="internal"
rule_uid="00000780-0000-0000-0000-000000000000"
rule_name="Incoming/Internal Default Policy"
ROW_END="0" 
UP_match_table="TABLE_END"
ProductName="VPN-1 & FireWall-1"
ProductFamily=""

 

Am I missing something here? Shouldn't there be a field for "Action="?  Perhaps my syslog server has a formatting issue?  Others have told me they can't find the Action field either when looking at syslog files for their 1550.

I plan on using these logs in an Elastic Stack, but without having Action in the logs, it makes the data extremely difficult (and possibly pointless) to use.

0 Kudos
4 Replies
Max_Baumgarten
Contributor
‎2020-01-30 04:16 PM

Also this is a locally managed firewall.

0 Kudos
PhoneBoy
Admin
Admin
‎2020-01-31 04:19 PM

Might be worth a TAC case to investigate if this is expected behavior or not.
0 Kudos
G_W_Albrecht
Legend Legend
Legend
‎2020-02-04 04:28 AM

Is the Action shown if you look at the log entry in WebGUI logs ?

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
Max_Baumgarten
Contributor
‎2020-02-04 05:07 AM
In response to G_W_Albrecht

The action is shown perfectly fine in the GUI.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events
    li.common.scroll-to.top