Martin_Sykora
Participant

Spark does not log NATed traffic

Hi.

On a 1595 cluster I have a manual NAT rule created that forwards incoming traffic from the Internet that uses a custom port to an internal IP address running a web service. I have a corresponding rule in the access policy. Traffic flow is as expected and the rules do their job. However, although the access policy rule is set to log, I do not see any logs of the accepted/NATted traffic.

The NAT and access policy rules have not been created by the server wizard. However, by default in the wizard there is an unchecked box for logging accepted connections. It seems to me that this is the functionality I am looking for, but I cannot find any checkbox for enabling this when the rule is generated manually.

Do you have any idea how to get the logs working with manually created rules?

10 Replies
_Val_
Admin
Admin

Can you share some screenshots? Also, what version? Local or central management?

0 Kudos
Martin_Sykora
Participant

 

We are using local management with cloud connected features for backups and extended monitoring. We are using R81.10.17 (996004653)

This is what the NAT rules look like:
[Image: Manual NAT rules.jpg]
This is the corresponding access policy rule:
[Image: Access Policy rule.jpg]

Traffic is flowing according to the rules, confirmed with tcpdump. But the related logs are not in the local security logs, nor in the cloud-based Quantum Spark Management.

In the server wizard, which we did not use, there is this option:
[Image: Wizzard sample.jpg]
I assume that when creating the rules manually, the "accepted connections" are not logged, but I cannot find such an option/checkbox within the manually created rules that could enable this.

PhoneBoy
Admin
Admin

Servers are not exactly NAT rules.
Can you not go to Users and Objects > Network Resources > Servers and change the definition to log the connections?
Here's my configuration for a server object:

[Image: IMG_3203.jpeg]

0 Kudos
Martin_Sykora
Participant

Well, I have tried now to do it both via single IP network objects and via a new server object (like in your screenshot). Both times the traffic flow worked as expected, but I do not get any logs for the traffic.

[Image: 9001 logs missing.jpg]

There should be a bunch of accepted logs with the service 9001 with the same pair of source/destination IP addresses, which was clearly working, but nothing shows up.

 

0 Kudos
PhoneBoy
Admin
Admin

Have you opened a TAC case on this?

0 Kudos
Martin_Sykora
Participant

Not yet. I wanted to run this through the community first, just to see if it's not a config error on my side.

0 Kudos
PhoneBoy
Admin
Admin

Is your Access Policy Control set to Strict?
This is in Access Policy > Firewall > Blade Control

0 Kudos
Martin_Sykora
Participant

Policy is set to Standard with "log all" for both blocked and allowed traffic.

0 Kudos
Ashley_C
Explorer

I second this question... I have multiple custom inbound rules that work as expected. However, I do not see any logged inbound traffic. Only rules where the inbound TCP port is not redirected to a different port show logs for outbound traffic. All other inbound rules redirect a custom TCP port to a different port (e.g. TCP 1650 on the WAN interface to TCP 22 on an internal server); none of these rules log any traffic, despite logging enabled. All allowed traffic is logged and all denied traffic is logged.

0 Kudos
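Both Martin_Sykora's report (port 9001 forwarded, traffic confirmed with tcpdump, no accept logs) and Ashley_C's (custom WAN port redirected to a different internal port, nothing logged) describe the same auditing problem: connections that demonstrably pass the gateway but leave no accept record. The script below is an added example, not code from the thread or from Check Point, showing how a defender can quantify such a logging gap by cross-checking inbound SYNs from a tcpdump capture against exported firewall accept records. The tcpdump excerpt and the key=value log lines are constructed sample data (RFC 5737 documentation addresses); the log field names `action`, `src`, `dst` and `service` are an assumption about the export format, not the gateway's real schema, and both sources are assumed to record the pre-NAT (WAN) destination address and port.

```python
"""Cross-check NAT-forwarded connections seen on the wire against firewall accept logs.

Added example for the CheckMates thread above; the data below is constructed, not captured.
"""
import re
from collections import Counter

# Constructed tcpdump excerpt (hypothetical, not real captured traffic): SYNs arriving on
# the WAN side of the gateway for the forwarded port 9001 and for plain HTTPS on 443.
TCPDUMP_OUTPUT = """\
12:00:01.100000 IP 198.51.100.23.51234 > 203.0.113.10.9001: Flags [S], seq 1, win 64240, length 0
12:00:01.100500 IP 203.0.113.10.9001 > 198.51.100.23.51234: Flags [S.], seq 2, ack 2, win 65160, length 0
12:00:05.200000 IP 198.51.100.23.51240 > 203.0.113.10.9001: Flags [S], seq 1, win 64240, length 0
12:00:09.300000 IP 198.51.100.77.40001 > 203.0.113.10.9001: Flags [S], seq 1, win 64240, length 0
12:00:12.400000 IP 198.51.100.77.40002 > 203.0.113.10.443: Flags [S], seq 1, win 64240, length 0
"""

# Constructed firewall log export in a simple key=value form (assumed format, not the
# gateway's real schema): the 443 connection is logged, the forwarded 9001 ones are not.
FIREWALL_LOGS = """\
action=Accept src=198.51.100.77 dst=203.0.113.10 service=443 proto=tcp rule=3
action=Accept src=198.51.100.10 dst=203.0.113.10 service=443 proto=tcp rule=3
action=Drop src=192.0.2.5 dst=203.0.113.10 service=9001 proto=tcp rule=99
"""

# Matches only a pure SYN ("Flags [S],"), i.e. a new inbound connection attempt;
# the SYN-ACK reply ("Flags [S.]") is deliberately excluded.
SYN_RE = re.compile(
    r"IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+): Flags \[S\],"
)
KV_RE = re.compile(r"(\w+)=(\S+)")


def observed_connections(tcpdump_text):
    """Count new connections on the wire, keyed by (src_ip, dst_ip, dst_port)."""
    seen = Counter()
    for line in tcpdump_text.splitlines():
        m = SYN_RE.search(line)
        if m:
            src, _sport, dst, dport = m.groups()
            seen[(src, dst, int(dport))] += 1
    return seen


def logged_accepts(log_text):
    """Count Accept records in the log export, keyed the same way as observed_connections."""
    accepted = Counter()
    for line in log_text.splitlines():
        fields = dict(KV_RE.findall(line))
        if fields.get("action") == "Accept":
            accepted[(fields["src"], fields["dst"], int(fields["service"]))] += 1
    return accepted


def unlogged_connections(tcpdump_text, log_text):
    """Return {(src, dst, dport): count} for connections seen on the wire but never logged.

    A positive count for a port you expect to be logged is the evidence to attach to a
    TAC case: the traffic passed, the policy says log, and no record exists.
    """
    seen = observed_connections(tcpdump_text)
    accepted = logged_accepts(log_text)
    return {
        key: n - accepted.get(key, 0)
        for key, n in seen.items()
        if n > accepted.get(key, 0)
    }


if __name__ == "__main__":
    for (src, dst, dport), missing in sorted(unlogged_connections(TCPDUMP_OUTPUT, FIREWALL_LOGS).items()):
        print(f"{src} -> {dst}:{dport}  connections without an Accept log: {missing}")
```

Run against a real capture (`tcpdump -ni <wan-if> 'tcp[tcpflags] & (tcp-syn|tcp-ack) == tcp-syn'`) and a real log export, the per-port breakdown makes it obvious whether the gap is specific to port-redirected rules, as Ashley_C observed, or affects all inbound accepts.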
PhoneBoy
Admin
Admin

I recommend opening a TAC case if this isn't working as expected.

0 Kudos
