Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
meliux
Participant
Jump to solution

CPNotEnoughDataForRuleMatch

Since we upgraded to R81.10 we've noticed that the introduction of the "CPNotEnoughDataForRuleMatch" log entry due to sk113479, and it is now populating our logs with extra events that would otherwise not have any log entry created at all - either for a Security policy rule that is set to Track None, and/or for traffic passing through the separate Application & URL filtering policy layer where the connection is dropped by the client or server during a state of "possible match".

Question: is it possible to disable the creation of the "CPNotEnoughDataForRuleMatch" log entries for possible rule matches in 81.10?

0 Kudos
1 Solution

Accepted Solutions
PhoneBoy
Admin
Admin

If multiple ordered layers are used, make sure to check each layer to ensure the rule that matches the relevant traffic does not include logging.

View solution in original post

10 Replies
_Val_
Admin
Admin

I am not sure these kinds of logs can be disabled. Are they causing you an inconvenience?

0 Kudos
meliux
Participant

yeah, it is inconvenient because all our logs are being exported out to Splunk which has a real cost associated with it... was hoping these unnecessary logs could be removed prior to any manual filtering in the log exporter etc. We're talking millions of additional log entries that weren't there prior to 81.10.

0 Kudos
PhoneBoy
Admin
Admin

The reason you're probably seeing this is because one or more rules are possible matches for the traffic (based on source/destination/service) that contain App Control/URLF objects in the Services column.
You may need to create an explicit rule near the top of the rulebase to permit this traffic without logging.

CheckPointerXL
Advisor
Advisor

Yes, that's the only workaround that it worked for me (sometimes not)

0 Kudos
PhoneBoy
Admin
Admin

If multiple ordered layers are used, make sure to check each layer to ensure the rule that matches the relevant traffic does not include logging.

the_rock
Legend
Legend

Its essentially a way of telling you that 3-way handshake is not completing properly.

Andy

0 Kudos
meliux
Participant

yep.... so can these be ignored/unlogged?

the_rock
Legend
Legend

Thats what TAC told me couple of years back, correct.

Andy

0 Kudos
rzsuarez
Explorer

Should the URL Filtering /App Control be inside the Internet Layer or not?

0 Kudos
PhoneBoy
Admin
Admin

Depends on how your layers are constructed.
A top-level "Firewall Only" layer with one or more inline layers with App Control/URL Filtering enabled is an approach I've used/recommended, particularly for customer moving from R7x releases where there were separate policies (layers) for Firewall and App Control/URL Filtering. 

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events