Mk_83
Contributor

How to filter established connection logs (request-reply)

Hello everyone,

I've just deployed a new internal CP Firewall (to control traffic for the Server Farm Zone). I'm creating the policy using logs in the Firewall.

I want to filter logs for established connections (Log at Session Start - Log at Session Start), like on a Palo Alto Firewall, to exclude incoming logs which have no reply.

[Image: PaloAlto-SecurityRule-LogSettings-Highlight.png]

(Example: on Server1 only port 3389 is listening; 443 is not enabled. User1 scans ports 3389 and 443 on Server1 => only port 3389 replies, 443 will not reply => I want to filter for the logs where 3389 has request-reply.)

I already chose Session in the Action-Rules option, but there is still a session log for port 443, although 443 on the server is not enabled (user access to server:443 fails as well).

[Image]

A lot of the port 443 logs have a duration of 3 hours:

[Image]

Has anyone faced this problem before? Please help me.

Thanks & Best Regards, 

Mk_83

0 Kudos
2 Replies
AkosBakos
Leader

Hi,

Interesting, but can't the webserver cause this limit? I mean, the server closes the connection every 3 hours.

If you switch on "Accounting" in the log column, you will see more details. First try this.

Akos

----------------
\m/_(>_<)_\m/
0 Kudos
PhoneBoy
Admin

If I'm understanding you correctly, you only want to log TCP SYNs if and only if a SYN/ACK is received for that SYN?
As far as I know, this isn't possible.

0 Kudos
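
The condition discussed in this thread (count a SYN only if a SYN/ACK comes back for it), shown as an added example that is not part of the original posts and not a Check Point feature: Python code that applies the condition offline to packet records. The `Packet` record layout, the function name, the addresses and the timeout are assumptions, and the sample data is constructed to mirror the 3389/443 scenario from the question.

```python
from collections import namedtuple

# Hypothetical record layout for one observed TCP packet; this is not a
# Check Point log format, and every value below is constructed sample data.
Packet = namedtuple("Packet", "ts src sport dst dport flags")

SAMPLE = [
    Packet(0.00, "10.0.0.5", 50001, "10.0.1.10", 3389, "SYN"),
    Packet(0.01, "10.0.1.10", 3389, "10.0.0.5", 50001, "SYN|ACK"),
    Packet(0.02, "10.0.0.5", 50001, "10.0.1.10", 3389, "ACK"),
    Packet(0.10, "10.0.0.5", 50002, "10.0.1.10", 443, "SYN"),
    Packet(1.10, "10.0.0.5", 50002, "10.0.1.10", 443, "SYN"),     # retransmit, never answered
    Packet(0.20, "10.0.0.5", 50003, "10.0.1.10", 80, "SYN"),
    Packet(0.21, "10.0.1.10", 80, "10.0.0.5", 50003, "RST|ACK"),  # refused, not established
]

def split_by_reply(packets, timeout=3.0):
    """Split SYNs into (answered, unanswered) by whether a SYN/ACK came back.

    Keys are (client, client_port, server, server_port).
    """
    pending = {}    # key -> timestamp of the first SYN seen
    answered = []
    for p in sorted(packets, key=lambda p: p.ts):
        flags = frozenset(p.flags.split("|"))
        if flags == {"SYN"}:
            # A retransmitted SYN keeps the timestamp of the first attempt.
            pending.setdefault((p.src, p.sport, p.dst, p.dport), p.ts)
        elif flags == {"SYN", "ACK"}:
            key = (p.dst, p.dport, p.src, p.sport)   # reply travels server -> client
            first_syn = pending.get(key)
            if first_syn is not None and p.ts - first_syn <= timeout:
                del pending[key]
                answered.append(key)
    return answered, sorted(pending)

if __name__ == "__main__":
    ok, no_reply = split_by_reply(SAMPLE)
    print("answered:", ok)
    print("no SYN/ACK:", no_reply)
```

A port that answers with RST rather than staying silent still ends up in the unanswered list, because only a SYN/ACK marks the connection as established.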
