This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Mk_83
Contributor
‎2024-12-26 03:14 AM
Jump to solution

How to filter a established connection logs (request-reply)

Hello everyone,

I'm just deploy a new internal CP Firewall (to control traffic for Server Farm Zone). I'm creating the policy using logs in Firewall.

I to filter a log which established (Log at Session Start - Log at Session Start) connection like Palo Alto Firewall, to except incoming log which have no reply.

PaloAlto-SecurityRule-LogSettings-Highlight.png

(example: Server1 only port 3389 are listening, 443 not enable. User1 scan port 3389, 443 to Server1 => only port 3389 reply, 443 will not reply => I want to filter the log that 3389 request-reply)

I already choose Session at Action-Rules option, but it's still have a log session port 443 although 443 on server is not enable (user access to server:443 failed either)  

z6168707391669_58ca1ed8c4c0c570a04c0d270cbc40c7.jpg

A lot of logs port 443 have duration 3 hours:

z6168703426720_a3206d5dc9e7269b81976b8a57292b73.jpg

Does anyone facing this problem before? Please help me.

Thanks & Best Regards, 

Mk_83

0 Kudos
1 Solution

Accepted Solutions
PhoneBoy
Admin
Admin
‎2024-12-27 02:00 PM
In response to JozkoMrkvicka
Jump to solution

A TCP SYN is sent from the client.
A TCP SYN/ACK is sent from the server (the response).
It's basically what was asked.

We do offer TCP state logging, but it is not enabled by default: https://support.checkpoint.com/results/sk/sk101221 
While we cannot log ONLY if a SYNACK is received, we can generate an additional log when it does with option 3: "When connection state changes"

View solution in original post

5 Replies
AkosBakos
Leader Leader
Leader
‎2024-12-26 08:01 AM
Jump to solution

Hi,

Interesting, but the webserver can't cause this limit? I mean, the server closes the connection in every 3 hours.

If you switch on "Accounting" in the log column, you will se more details. First try this.

Akos

----------------
\m/_(>_<)_\m/
PhoneBoy
Admin
Admin
‎2024-12-26 01:34 PM
Jump to solution

If I'm understanding you correctly, you only want to log TCP SYNs if and only if a SYN/ACK is received for that SYN?
As far as I know, this isn't possible.

JozkoMrkvicka
Authority
Authority
‎2024-12-26 10:22 PM
In response to PhoneBoy
Jump to solution

Or other way around - log only connections for which the firewall recieved reply from the server.

Interesting idea, since currently Check Point firewall is creating one log entry only for connection which has the same source port+source IP+protocol+destination port+destination IP and which is allowed by rulebase (or implied rules) while Track option in not "None".

It is sometimes not clear from firewall logs if connection is properly working or not. You need to enable Accounting and open log entry to check statistics of sent/recieved packets. Or do live packet capture, or telnet from the firewall.

Such a log feature will help firewall operators identify the problem much faster and speed up problem resolution.

Kind regards,
Jozko Mrkvicka
0 Kudos
PhoneBoy
Admin
Admin
‎2024-12-27 02:00 PM
In response to JozkoMrkvicka
Jump to solution

A TCP SYN is sent from the client.
A TCP SYN/ACK is sent from the server (the response).
It's basically what was asked.

We do offer TCP state logging, but it is not enabled by default: https://support.checkpoint.com/results/sk/sk101221 
While we cannot log ONLY if a SYNACK is received, we can generate an additional log when it does with option 3: "When connection state changes"

Mk_83
Contributor
‎2024-12-28 09:14 AM
In response to PhoneBoy
Jump to solution

Many thanks for your information. 
That actually my pain point. I will try the sk.

Thanks & Best Regards.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events