meliux
Participant

CPNotEnoughDataForRuleMatch

Since we upgraded to R81.10 we've noticed the introduction of the "CPNotEnoughDataForRuleMatch" log entry due to sk113479, and it is now populating our logs with extra events that would otherwise not have any log entry created at all - either for a Security policy rule that is set to Track None, and/or for traffic passing through the separate Application & URL filtering policy layer where the connection is dropped by the client or server during a state of "possible match".

Question: is it possible to disable the creation of the "CPNotEnoughDataForRuleMatch" log entries for possible rule matches in 81.10?

0 Kudos
10 Replies
_Val_
Admin

I am not sure these kinds of logs can be disabled. Are they causing you an inconvenience?

0 Kudos
meliux
Participant

Yeah, it is inconvenient because all our logs are being exported out to Splunk, which has a real cost associated with it... was hoping these unnecessary logs could be removed prior to any manual filtering in the log exporter etc. We're talking millions of additional log entries that weren't there prior to 81.10.

0 Kudos
PhoneBoy
Admin

The reason you're probably seeing this is because one or more rules are possible matches for the traffic (based on source/destination/service) that contain App Control/URLF objects in the Services column.
You may need to create an explicit rule near the top of the rulebase to permit this traffic without logging.

CheckPointerXL
Advisor

Yes, that's the only workaround that worked for me (sometimes not).

0 Kudos
PhoneBoy
Admin

If multiple ordered layers are used, make sure to check each layer to ensure the rule that matches the relevant traffic does not include logging.

the_rock
Legend

It's essentially a way of telling you that the 3-way handshake is not completing properly.

Andy

0 Kudos
meliux
Participant

Yep... so can these be ignored/unlogged?

the_rock
Legend

That's what TAC told me a couple of years back, correct.

Andy

0 Kudos
rzsuarez
Explorer

Should the URL Filtering/App Control be inside the Internet Layer or not?

0 Kudos
PhoneBoy
Admin

Depends on how your layers are constructed.
A top-level "Firewall Only" layer with one or more inline layers with App Control/URL Filtering enabled is an approach I've used/recommended, particularly for customers moving from R7x releases where there were separate policies (layers) for Firewall and App Control/URL Filtering.

0 Kudos
