BigHec
Contributor

Firewall set up in Monitor Mode but does not seem to have many logs related to IPS, Anti-Bot & Anti-Virus

Hi All,

Recently I set up a gateway in Monitor Mode to capture all the traffic within the network.

I have configured the gateway according to these guidelines:

https://sc1.checkpoint.com/documents/R81.20/WebAdminGuides/EN/CP_R81.20_Installation_and_Upgrade_Gui...

The gateway has a Monitor port configured and is connected to a switch port configured as a SPAN port to mirror all the traffic.

After monitoring for 1 day, we can see the firewall logs are working fine; we are able to see all the network traffic.
Screenshot 2023-11-22 143244.png

But when I try to search for logs related to IPS, Anti-Bot and Anti-Virus (Monitor mode, so the threat prevention is set to all "Detect"):

1232131132.png

Is this normal behavior? Because this seems like too few IPS logs to me. What I expect is to see more of the threat prevention related logs.

Are there any settings that I've missed on the gateway?

Appreciate all the help
Thank you

0 Kudos
7 Replies
BigHec
Contributor

FYI, this gateway previously had internet access, but the internet access was cut off after that. So the gateway now has Application, IPS, Anti-Bot and Anti-Virus of a previous version and not the latest version.
Blades Enabled:

Firewall
Application Control
URL Filtering
IPS (Detect Only)
Anti-Bot (Detect Only)
Anti-Virus (Detect Only)

0 Kudos
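A quick way to put numbers on "seems like too few IPS logs" is to tally an exported log file by blade and action and list any enabled Detect-mode blade that produced no records at all. The script below is an added example, not from this thread or from Check Point; it assumes a simplified key=value export format with `product` and `action` fields (the field names and the sample lines are constructed, and the protection name is a placeholder).

```python
"""Tally a Check Point-style log export by blade (product) and action.

Added example, not from the thread or Check Point. It assumes a simplified
key=value export format; the field names 'product' and 'action' are
assumptions, and every sample line below is constructed, not real data.
"""
from collections import Counter
import re

# Constructed sample records, one per line (not real log data).
SAMPLE_LOG = """\
time=2023-11-22T14:30:01 product=Firewall action=Accept src=10.0.0.5 dst=93.184.216.34 service=443
time=2023-11-22T14:30:02 product=Firewall action=Accept src=10.0.0.6 dst=10.0.0.1 service=53
time=2023-11-22T14:30:05 product=Firewall action=Drop src=10.0.0.7 dst=10.0.0.1 service=23
time=2023-11-22T14:31:10 product=IPS action=Detect src=10.0.0.5 dst=10.0.0.9 protection_name=PLACEHOLDER_PROTECTION
time=2023-11-22T14:32:00 product=Anti-Bot action=Detect src=10.0.0.6 dst=198.51.100.7
time=2023-11-22T14:32:30 product=Firewall action=Accept src=10.0.0.8 dst=10.0.0.1 service=80
"""

# Blades the poster enabled in Detect-only mode.
THREAT_BLADES = ("IPS", "Anti-Bot", "Anti-Virus")

FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Split one key=value record into a dict (assumed format)."""
    return dict(FIELD_RE.findall(line))


def tally_by_blade(text):
    """Count records per (product, action) pair."""
    counts = Counter()
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        counts[(rec.get("product", "unknown"), rec.get("action", "unknown"))] += 1
    return counts


def threat_log_share(counts):
    """Fraction of all records produced by Threat Prevention blades."""
    total = sum(counts.values())
    tp = sum(n for (product, _), n in counts.items() if product in THREAT_BLADES)
    return tp / total if total else 0.0


def missing_blades(counts, expected=THREAT_BLADES):
    """Enabled blades that produced no records at all (e.g. inactive protections)."""
    seen = {product for (product, _) in counts}
    return [b for b in expected if b not in seen]


if __name__ == "__main__":
    counts = tally_by_blade(SAMPLE_LOG)
    for (product, action), n in sorted(counts.items()):
        print(f"{product:<12} {action:<8} {n}")
    print(f"threat prevention share: {threat_log_share(counts):.1%}")
    print(f"blades with no records: {missing_blades(counts)}")
```

A blade that is enabled but produces zero records over a day of mirrored traffic is the symptom to look at first; in this thread the cause turned out to be a cloned profile whose IPS protections were mostly Inactive.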
Chris_Atkinson
Employee

Starting with the basics, what "track" option is set for the policy rules currently: detailed / extended log or other?

Click on the arrow in the track cell and select more to see additional options e.g.

Track.png

Typically in monitor mode we won't have things like HTTPS inspection which will also limit visibility into traffic.

With that said, what Threat Prevention Profile is currently used?
CCSM R77/R80/ELITE
0 Kudos
BigHec
Contributor

Hi @Chris_Atkinson ,

The "track" option for policy rules is set to "Log".

I might have found the cause of it.

The profile "Optimized" is being used. When following the admin guide to set up the gateway in monitor mode, the "Activation Mode" needs to be changed from "Prevent" to "Detect". When changing the default "Optimized" profile, SmartConsole will automatically prompt you to create a cloned copy of the default "Optimized" profile, since the default profile cannot be modified.

After the modified profile had been cloned, I did not notice that most of the "Protections" in the IPS Protection of the profile were Inactive. After enabling most of the "Protections" of the IPS Protection of the profile, I am able to see some IPS logs again.

Screenshot 2023-11-22 223505.png

Appreciate the help

Thank you

0 Kudos
Chris_Atkinson
Employee

Indeed, the different IPS profiles have varying activation metrics (confidence/performance etc.) for protections, which ultimately determines which are inactive etc.

If you want to also see AppC / URLF logs you will need to also adjust that 'log' option.

CCSM R77/R80/ELITE
0 Kudos
BigHec
Contributor

Am I unable to see any logs related to AppC/URLF if the track option is set to "Log"?

0 Kudos
Chris_Atkinson
Employee

Please refer: https://support.checkpoint.com/results/sk/sk120536

CCSM R77/R80/ELITE
0 Kudos
PhoneBoy
Admin

Independent of your Threat Prevention configuration, traffic cannot actually be prevented if you’re only receiving the traffic via a span/monitor port.

0 Kudos