Our goal is having the queried domain name in the DNS logs, so as we can export it to a SIEM (via logexporter) and have the DNS request information, not only the connection.

We have some internal applications that tries to access different services (rare or custom protocols) and URLF/APP CONTROL does not show that information, but if we could log that in the DNS, at least we could see the domain name requested.

Thanks

any tip on how to achieve that, @PhoneBoy? 

I thought there was an App Control signature that did this, but it doesn't appear there is one.
This is probably an RFE, but it might be worth a TAC case to confirm.

@CheckPoint

Come on,

years go by and such a simple issue is not resolved yet? Top next gen firewall can't cope with so trivial task as DNS queries logging? Are You serious?

Have you requested a RFE for this?

Yes, I have - right after Your question.

Thanks for hint.

what issue? can you please be more specific?

It's all about DNS transactions logging - mainly queries. It's simple UDP 53 plain text. Is there any way to show them in logs? Any sk number or something else? 

Maybe this: https://support.checkpoint.com/results/sk/sk116694

Version is EOL but worth a shot.

Although DNS is getting more and more encrypted (the request). Then firewall cannot see it anymore. 

Hi,
I have version R82. How can I make the "dns_query" field appear in the domain-udp query logs?
I tried the solutions from sk116694 and sk183647 without success, but it works in R81.20.

i checked around, i dont see any related open bugs. It is not on the known limitations for r82. sk183647 states also R82, so I expect it to be supported. I would open TAC case. Or you can open a topic for your issue and hope someone on the community has more info. 

Got it. Please open a TAC request for this.

Let me ask what kind of SIEM do You have? Don't You have network sensor listening on the wire (TAP, port mirroring or promiscous)? Is Your issue resolved by now?