This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
John_Fleming
Advisor
‎2020-02-04 07:36 AM
Jump to solution

SMB syslog doesn't log action

So I'm rather shocked by this but I've just learned syslog from a SMB (and possibly none SMB as well) will not log the action field to syslog. I was pointed to sk164514 which I can't seem to access. Not sure if this is internal or not. 

I don't even know what to say about this. I have a firewall that isn't logging via syslog if anything is accepted or denied. Its just saying.. stuff happened... I'm going to take a stab at a log exporter but I have no idea if thats possible without a management server. This is @%^$@#% ridiculous. 

I sure am glad all these items below are getting logged instead of action. I don't know what I would do without knowing where the start or end of the table is (or what that even means). Good to know that the snid is unknown.

Awesome.

 

user="" 
src_user_name="" 
src_machine_name="" 
src_user_dn=""
snid="" 
dst_user_name="" 
dst_machine_name="" 
dst_user_dn="" 
UP_match_table="TABLE_START" 
ROW_START="0" 
match_id="5" 
layer_uuid="9fced3b3-5da9-494d-b7f1-3242694d99f8" 
layer_name="internal" 
rule_uid="00000780-0000-0000-0000-000000000000" 
rule_name="Incoming/Internal Default Policy"
ROW_END="0"
UP_match_table="TABLE_END"

 I  

1 Solution

Accepted Solutions
John_Fleming
Advisor
‎2020-02-12 02:17 AM
Jump to solution

It only took a public shaming but it looks like this has been resolved.

fw1_vx_dep_R80_992000913_20.img (basically build 913)

contains the fix.

 

Thanks to everyone involved in getting this addressed!

 

View solution in original post

26 Replies
Max_Baumgarten
Contributor
‎2020-02-04 07:43 AM
Jump to solution

Wow. Glad to see its not just me (my post) .  Seems almost inexcusable to have syslogs for a firewall and not have it report the Action.   These logs are completely useless for customers who want to use these logs for any analysis.

0 Kudos
G_W_Albrecht
Legend Legend
Legend
‎2020-02-04 08:16 AM
In response to Max_Baumgarten
Jump to solution

Which firewalls you know of do send their security logs including Accept / Deny / Reject actions using syslog ?

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
Max_Baumgarten
Contributor
‎2020-02-04 08:26 AM
In response to G_W_Albrecht
Jump to solution

Of other vendors: Fortinet, PfSense, Ubiquti Edgerouters...  Pretty sure Cisco ASAs and Palo Altos do this as well.

0 Kudos
HristoGrigorov
Mentor
Mentor
‎2020-02-04 08:41 AM
In response to Max_Baumgarten
Jump to solution

Come on, take it easy. This is apparently some negligence from our lovely vendor. Open SR and they will fix it right away!

0 Kudos
Max_Baumgarten
Contributor
‎2020-02-04 09:44 AM
In response to HristoGrigorov
Jump to solution

🤣🤣🤣🤣🤣🤣🤣

0 Kudos
John_Fleming
Advisor
‎2020-02-04 10:16 AM
In response to HristoGrigorov
Jump to solution

Yeah, I did open a ticket. The reply was R&D will not be fixing this, its a known issue and i'll need to submit a RFE.

Also I can't use log exporter because there is no mgmt server involved (this is local mgmt).

0 Kudos
John_Fleming
Advisor
‎2020-02-04 10:23 AM
In response to G_W_Albrecht
Jump to solution

yeah that's a bit strange (to say which do log action). It would make more sense to say of the ones that do send syslog which "don't" indicate what the action was. I mean I can't see why the action would be more or less valuable then the source / destination if the concern was somehow information leakage. As it stands I see no way to get logs off a local manged SMB that are of any use.

Its like I need to pay a management server tax to have external logs. I mean the webui is basically useless for any in depth research since the query language only supports a single element. (src, dst, product etc).

0 Kudos
HristoGrigorov
Mentor
Mentor
‎2020-02-04 10:33 AM
In response to John_Fleming
Jump to solution

I do not remember quite well but I think in R77.20 GE there is action field in syslog records. 

0 Kudos
John_Fleming
Advisor
‎2020-02-04 02:23 PM
In response to HristoGrigorov
Jump to solution

You are %100 correct. Just tested R77.30 open server.

Syslog logs accept and drop messages.

R80.20 open server. Not it doesn't, yes we know, we're not fixing it, go get RFEed.

0 Kudos
Max_Baumgarten
Contributor
‎2020-02-04 02:46 PM
In response to John_Fleming
Jump to solution

Obviously, you don't need that syslog information to protect against GEN 6 attacks....

0 Kudos
HristoGrigorov
Mentor
Mentor
‎2020-02-04 08:22 PM
In response to Max_Baumgarten
Jump to solution

There must be a technical explanation as to why it was dropped. May be because of the layered policy... I hope R&D is monitoring this thread and will provide some details about this.

0 Kudos
Pedro_Espindola
Advisor
‎2020-02-05 09:49 AM
Jump to solution

My 14XX with R77.20.87 are working fine.

Are you using 15XX appliances? Must be an issue with the new R80.20 generation.

 

0 Kudos
Max_Baumgarten
Contributor
‎2020-02-05 09:53 AM
In response to Pedro_Espindola
Jump to solution

We've confirmed it does not work in r80.xx, but used to work in r77.  For some unknown reason, this was removed and apparently there are no plans to ever add it back.

0 Kudos
John_Fleming
Advisor
‎2020-02-05 09:55 AM
In response to Pedro_Espindola
Jump to solution

Correct, it think the core issue is R80.20. I would down grade to R77.20 if that was an option at this point. I'm reaching out to some folks deeper in the org. If this can't be fixed I'm replacing these SMB devices with a different vendor.

0 Kudos
HristoGrigorov
Mentor
Mentor
‎2020-02-05 11:10 AM
In response to John_Fleming
Jump to solution

Go for PaloAlto Networks. These guys have some impressive syslogging:

 

https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-admin/monitoring/use-syslog-for-monitoring/syslo...

0 Kudos
John_Fleming
Advisor
‎2020-02-05 11:55 AM
In response to HristoGrigorov
Jump to solution

yes they do. That is a lot of data though. I wonder if they're using tcp syslog to avoid fragmenting the messages.

0 Kudos
Barel_Tkach
Employee
Employee
‎2020-02-05 03:23 PM
Jump to solution

Thank for raising this issue.

From a quick internal investigation it seems this limitation was inherited from R80.20 enterprise version syslog feature.

We are learning it in order to provide a solution.

 

John_Fleming
Advisor
‎2020-02-05 03:34 PM
In response to Barel_Tkach
Jump to solution

That is awesome and thank you so much for the update. Should my SR be re-opened?

0 Kudos
Barel_Tkach
Employee
Employee
‎2020-02-06 06:59 AM
In response to John_Fleming
Jump to solution

Yes.

0 Kudos
PhoneBoy
Admin
Admin
‎2020-02-07 12:38 AM
In response to Barel_Tkach
Jump to solution

You talking about the kernel-level syslog feature or something else?
0 Kudos
John_Fleming
Advisor
‎2020-02-07 04:44 AM
In response to PhoneBoy
Jump to solution

I assume you mean fwsyslog_enable? If so no, i'm not using that. 

I'm talking about..

logs & monitoring -> External Log Servers -> Add a syslog server. This is local mgmt so no SMS/MDS.

0 Kudos
PhoneBoy
Admin
Admin
‎2020-02-09 07:17 PM
In response to John_Fleming
Jump to solution

The question was to @Barel_Tkach, not you. 😬
I figured it was enabled in the UI somehow.

0 Kudos
Barel_Tkach
Employee
Employee
‎2020-02-10 12:49 AM
In response to PhoneBoy
Jump to solution

There's no issue with OS related syslog,

Missing action is only part of security logs.

0 Kudos
John_Fleming
Advisor
‎2020-02-12 02:17 AM
Jump to solution

It only took a public shaming but it looks like this has been resolved.

fw1_vx_dep_R80_992000913_20.img (basically build 913)

contains the fix.

 

Thanks to everyone involved in getting this addressed!

 

Max_Baumgarten
Contributor
‎2020-02-12 05:49 AM
In response to John_Fleming
Jump to solution

WooHoo!

0 Kudos
PhoneBoy
Admin
Admin
‎2020-02-12 09:09 AM
In response to John_Fleming
Jump to solution

I prefer to think of it as "bringing the truth to light" and addressing it.
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events