Mk_83
Contributor

How to filter established connection logs (request-reply)

Hello everyone,

I've just deployed a new internal CP Firewall (to control traffic for the Server Farm Zone). I'm creating the policy using the logs in the Firewall.

I want to filter for logs of established connections (Log at Session Start - Log at Session Start), like on a Palo Alto Firewall, to exclude incoming logs which have no reply.

[Screenshot: Palo Alto security rule log settings, highlighted]

(example: on Server1 only port 3389 is listening, 443 is not enabled. User1 scans ports 3389 and 443 on Server1 => only port 3389 replies, 443 will not reply => I want to filter the logs so that only the 3389 request-reply is shown)

I already chose Session in the Action-Rules option, but there is still a log session for port 443 although 443 on the server is not enabled (user access to server:443 failed as well)

[Screenshot: log entries for port 443]

A lot of logs for port 443 have a duration of 3 hours:

[Screenshot: port 443 log entries showing a 3-hour duration]

Has anyone faced this problem before? Please help me.

Thanks & Best Regards, 

Mk_83

AkosBakos
Leader

Hi,

Interesting, but can't the webserver be causing this limit? I mean, the server closes the connection every 3 hours.

If you switch on "Accounting" in the log column, you will see more details. Try this first.

Akos

----------------
\m/_(>_<)_\m/
PhoneBoy
Admin

If I'm understanding you correctly, you only want to log TCP SYNs if and only if a SYN/ACK is received for that SYN?
As far as I know, this isn't possible.

JozkoMrkvicka
Authority

Or the other way around - log only connections for which the firewall received a reply from the server.

Interesting idea, since currently the Check Point firewall creates only one log entry for a connection which has the same source port + source IP + protocol + destination port + destination IP and which is allowed by the rulebase (or implied rules) while the Track option is not "None".

It is sometimes not clear from firewall logs whether a connection is working properly or not. You need to enable Accounting and open the log entry to check the statistics of sent/received packets. Or do a live packet capture, or telnet from the firewall.

Such a log feature will help firewall operators identify the problem much faster and speed up problem resolution.

Kind regards,
Jozko Mrkvicka
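Until the firewall itself can log only answered connections, the split the thread is asking for can be done after the fact on Accounting-enabled logs, as in this added example (not code from any poster or from Check Point). The log lines are constructed, and the field names (server_outbound_bytes, duration, and so on) are assumed; adjust them to what your log exporter actually emits.

```python
import re

# Constructed sample log lines in key="value" form, one connection each.
# Field names are an assumption: map them to the Accounting fields your
# Check Point logs really export before using this on real data.
SAMPLE_LOGS = """\
time="2024-12-01T08:00:01" src="10.1.1.10" dst="10.2.2.20" proto="tcp" service="3389" action="Accept" client_outbound_bytes="4312" server_outbound_bytes="9876" duration="37"
time="2024-12-01T08:00:02" src="10.1.1.10" dst="10.2.2.20" proto="tcp" service="443" action="Accept" client_outbound_bytes="180" server_outbound_bytes="0" duration="10800"
time="2024-12-01T08:00:05" src="10.1.1.11" dst="10.2.2.20" proto="tcp" service="443" action="Accept" client_outbound_bytes="120" server_outbound_bytes="0" duration="10800"
time="2024-12-01T08:01:10" src="10.1.1.12" dst="10.2.2.21" proto="tcp" service="22" action="Accept" client_outbound_bytes="900" server_outbound_bytes="2400" duration="12"
"""

FIELD_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_entry(line):
    """Turn one key="value" log line into a dict of its fields."""
    return dict(FIELD_RE.findall(line))


def got_reply(entry):
    """Treat a connection as established only if the server sent bytes back.
    A SYN that was never answered keeps this counter at 0 for the whole
    time the firewall holds the session open (the 3-hour entries above)."""
    return int(entry.get("server_outbound_bytes", "0")) > 0


def split_by_reply(log_text):
    """Return (replied, unanswered): two lists of parsed entries."""
    replied, unanswered = [], []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        entry = parse_entry(line)
        (replied if got_reply(entry) else unanswered).append(entry)
    return replied, unanswered


def replied_services(log_text):
    """The (dst, service) pairs that actually answered, deduplicated."""
    replied, _ = split_by_reply(log_text)
    return sorted({(e["dst"], e["service"]) for e in replied})


if __name__ == "__main__":
    replied, unanswered = split_by_reply(SAMPLE_LOGS)
    for e in replied:
        print("replied  ", e["src"], "->", e["dst"] + ":" + e["service"])
    for e in unanswered:
        print("no reply ", e["src"], "->", e["dst"] + ":" + e["service"],
              "held open", e["duration"], "s")
```

On the sample data only the 3389 and 22 connections survive the filter, which is the "request-reply" view the original question asks for.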