Matlu
MVP Silver

SNIFFERS in the absence of LOGS

Hello,
Are there SNIFFERS in the CLI of a Check Point, in the absence of logs in your SmartConsole?
I have a Smart-1 Cloud that, due to licensing issues, doesn't let me view logs in real time, and the administrative process is taking too long. So, with the urgent need to run online tests for web traffic that passes through a rule with APP+URLF enabled, is there an option to run SNIFFERS in the GW's CLI, which would allow me to see which rule the traffic is passing through when a user visits a web page that is categorized as pornography and it's not being blocked, even though the category is blocked in our FW rule?
With other vendors, sniffers sometimes help.
Does Check Point have any alternative when you don't have LOGS?
Thanks.

32 Replies
Chris_Atkinson
MVP Platinum CHKP

Can you share more about the gateway configuration? Version/JHF, HTTPSi enabled etc?

Some additional related commands:

fw up_execute, cppcap, tcpdump


CCSM R77/R80/ELITE
Lesley
MVP Gold

This is a difficult question, I was thinking more about fw monitor. If you see o O (outbound) you can pretty safely assume traffic was sent out and allowed by the rulebase. tcpdump or cppcap could also help if you capture the outgoing interface. But if NAT or VPN is active on the traffic it makes it even more complex.

Use https://tcpdump101.com/# to build your filters for the above tools.

Other than that I would recommend optimizing the amount of traffic that is logged. Split up rules and disable logs if it is not important, like DNS. You can also right-click the logging option and change from log per connection to log per session. This will decrease the amount of logs. I think this is your best pick.

-------
Please press "Accept as Solution" if my post solved it 🙂
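An added example (editor's code, not from any poster in this thread) of the approach Lesley describes: reading fw monitor output and checking, per flow, which inspection points (i, I, o, O) it reached, so a flow that shows O is one that passed the rulebase and left the gateway. It assumes the classic two-line fw monitor record format (an optional `[vs_0][fw_1]` prefix is stripped); the capture below is constructed, not taken from a real gateway.

```shell
#!/bin/sh
# Summarise fw monitor style output: which inspection points did each flow reach?
# Assumed record format (classic fw monitor, two lines per packet):
#   eth1:i[60]: 10.1.1.50 -> 203.0.113.20 (TCP) len=60 id=1001
#   TCP: 51234 -> 443 .S.... seq=0a1b2c3d ack=00000000
# Constructed sample: flow 1 reaches i, I, o, O (forwarded); flow 2 stops at I.
SAMPLE_FWMON='eth1:i[60]: 10.1.1.50 -> 203.0.113.20 (TCP) len=60 id=1001
TCP: 51234 -> 443 .S.... seq=0a1b2c3d ack=00000000
eth1:I[60]: 10.1.1.50 -> 203.0.113.20 (TCP) len=60 id=1001
TCP: 51234 -> 443 .S.... seq=0a1b2c3d ack=00000000
eth0:o[60]: 10.1.1.50 -> 203.0.113.20 (TCP) len=60 id=1001
TCP: 51234 -> 443 .S.... seq=0a1b2c3d ack=00000000
eth0:O[60]: 10.1.1.50 -> 203.0.113.20 (TCP) len=60 id=1001
TCP: 51234 -> 443 .S.... seq=0a1b2c3d ack=00000000
eth1:i[60]: 10.1.1.51 -> 198.51.100.7 (TCP) len=60 id=2002
TCP: 40001 -> 80 .S.... seq=11223344 ack=00000000
eth1:I[60]: 10.1.1.51 -> 198.51.100.7 (TCP) len=60 id=2002
TCP: 40001 -> 80 .S.... seq=11223344 ack=00000000'

# Reads fw monitor output on stdin, prints one line per flow with the
# inspection points seen and a verdict derived from them.
fwmon_summarize() {
  awk '
    # Drop an optional leading "[vs_0][fw_1] " prefix that newer versions print.
    { sub(/^(\[[a-z_0-9]*\])+ */, "") }
    # Record line 1: "<iface>:<point>[len]: src -> dst (PROTO) ..."
    /^[^ ]+:[iIoOeE]\[[0-9]+\]:/ {
      split($1, a, ":"); point = substr(a[2], 1, 1)
      src = $2; dst = $4; proto = $5; gsub(/[()]/, "", proto)
      next
    }
    # Record line 2: "TCP: sport -> dport ..." or "UDP: sport -> dport"
    /^(TCP|UDP):/ {
      key = src ":" $2 " -> " dst ":" $4 " " proto
      if (!(key in seen)) order[++n] = key
      if (index(seen[key], point) == 0) seen[key] = seen[key] point
      next
    }
    END {
      for (k = 1; k <= n; k++) {
        key = order[k]; pts = seen[key]
        # NAT or VPN rewrites addresses between I and o, so such a flow shows
        # up here as two keys (pre-NAT at i/I, post-NAT at o/O).
        if (index(pts, "O") > 0)      verdict = "forwarded: passed rulebase and left the gateway"
        else if (index(pts, "o") > 0) verdict = "in outbound chain but no post-outbound record; check NAT/VPN handling"
        else if (index(pts, "I") > 0) verdict = "accepted inbound, no outbound record: local delivery, routing, or later drop"
        else                          verdict = "pre-inbound only: not accepted by inbound inspection (typical rulebase drop)"
        print key " points=" pts " " verdict
      }
    }'
}

# Stand-alone run over the constructed sample.
printf '%s\n' "$SAMPLE_FWMON" | fwmon_summarize
```

On a gateway you would feed it a live or saved capture, for example `fw monitor -e "accept host(10.1.1.50);" | fwmon_summarize` (host address is a placeholder), after narrowing the filter to the test client so the output stays readable.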
the_rock
MVP Platinum

Definitely good commands to try.

Best,
Andy
