Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Sajgon107
Participant

Filtering tcp packet out of state in views/reports

Hello guys,

I'd like to ask you regarding the filtering out dropped communication which is out of state. Im trying to make custom view where I can check number of TCP out of state logs over some period of time. I got in to the point where Im seeing drops in my view but can not find any way how to filter out only out of state packets. I've tried to type "First packet isn't SYN" or "TCP packet out of state" in to the search bar but no results. When I use same query for standard logs I can filter out out of state logs.

Thanks for help

R80.40,

Appliances 6000

TAKE 197

 

0 Kudos
3 Replies
PhoneBoy
Admin
Admin

Not really sure what you're showing a screenshot of here.
In any case, not every field in a log is indexed, thus you cannot search or create reports on it.

0 Kudos
Scottc98
Advisor

I have been asked to provide the same type of reports for TCP out of sequence fields recently and believe i have the same question as the original requester here.  

Within Smartconsole itself, you can add in the columns of "TCP packet out of state" and "TCP Flags" for log searches.  

Even the problem here with this raw output is that you can't export the CSV as it directs you to use SmartView.    On Smartview, these fields are not selectable (note:   I have add success with 'tcp_flags:" with an exact flag; not wildcard" and a raw search of "First packet isn't SYN" but not with 'tcp_packet_out_of_state' field).

In regards to whether the log field is indexed, it looks like both the 'tcp_flag' and 'tcp_packet_out_of_state' fields are indexed per this SK (https://support.checkpoint.com/results/sk/sk144192).  

 

Is there any possibility for a user to add these two fields to use for a custom report or view?    If so, is there any SK or guide i can reference?

 

 

0 Kudos
PhoneBoy
Admin
Admin

If the fields aren't available with SmartView, then it's probably an RFE to get this functionality.
However, you can also use either fw log or CpLogFilePrint to do a raw ASCII dump of the logs and grep for the relevant lines.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events