Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Daniel_Kavan
Advisor
Advisor
Jump to solution

START_CONNECTION or END_CONNECTION

Does check point log START_CONNECTION or END_CONNECTION in their logs?    I'm just seeing SSH version2 traffic, but NOT START or END_CONNECTION.  Am I missing something?    I may need more extensive logging (accounting) or a capture packet for that, correct?

 

Id: c107fa67-d9a7-b6fc-66be-cd5d00010006
Marker: @A@@B@1723776012@C@2042288
Log Server Origin: 172.bb.XX.XX
Time: 2024-08-16T03:54:05Z
Interface Direction: inbound
Interface Name: eth10
Id Generated By Indexer: false
First: true
Sequencenum: 125
Source Zone: External
Destination Zone: Internal
Service ID: ssh_version_2
Source: IPa
Source Port: 39892
Destination: IPb
Destination Port: 22
IP Protocol: 6
Xlate (NAT) Destination IP: someIP
Xlate (NAT) Source Port: 0
Xlate (NAT) Destination Port:0
NAT Rule Number: 165
NAT Additional Rule Number: 0
Nat Rule Uid: a56039b0-dc01-4b9a-896d-cc5f00aa0511
Action: Accept
Type: Connection
Policy Name: policy
Policy Management: colorm
Db Tag: {68C9D707-6C15-F940-88CE-0A3F4A66CC6F}
Policy Date: 2024-08-15T15:26:06Z
Blade: Firewall
Origin: colorN
Service: TCP/22
Product Family: Access
Logid: 0
Access Rule Name: autoloader transfers
Access Rule Number: 26
Policy Rule UID: c0209209-a428-4dbb-88f8-2b89c774cf72
Layer Name: Security
Interface: eth10
Description: ssh_version_2 Traffic Accepted from someIP  to aIP

Id: 78f4c07f-b81c-6cdf-66be-cd5d00010004
Marker: @A@@B@1723776012@C@2042219
Log Server Origin: IPA
Time: 2024-08-16T03:54:05Z
Interface Direction: inbound
Interface Name: eth10
Id Generated By Indexer: false
First: true
Sequencenum: 107
Source Zone: External
Destination Zone: Internal
Service ID: ssh_version_2
Source: IPB
Source Port: 38657
Destination: IPC
Destination Port: 22
IP Protocol: 6
Xlate (NAT) Destination IP: someIP
Xlate (NAT) Source Port: 0
Xlate (NAT) Destination Port:0
NAT Rule Number: 165
NAT Additional Rule Number: 0
Nat Rule Uid: a56039b0-dc01-4b9a-896d-cc5f00aa0511
Action: Accept
Type: Connection
Policy Name: pname
Policy Management: colorM
Db Tag: {68C9D707-6C15-F940-88CE-0A3F4A66CC6F}
Policy Date: 2024-08-15T15:26:06Z
Blade: Firewall
Origin: colorN
Service: TCP/22
Product Family: Access
Logid: 0
Access oader transfers
Access Rule Number: 26
Policy Rule UID: c0209209-a428-4dbb-88f8-2b89c774cf72
Layer Name: rity
Interface: eth10
Description: ssh_version_2 Traffic Accepted from 1 to 2

 

0 Kudos
1 Solution

Accepted Solutions
AkosBakos
Leader Leader
Leader

From Phoneboy:

"When you enable accounting on a rule (which must be done per rule), it logs the bytes/duration of the relevant flow.
In general this data is updated every 10 minutes and after the connection closes."

https://community.checkpoint.com/t5/Security-Gateways/Log-accounting/m-p/110407#M15221

Akos

----------------
\m/_(>_<)_\m/

View solution in original post

3 Replies
AkosBakos
Leader Leader
Leader

From Phoneboy:

"When you enable accounting on a rule (which must be done per rule), it logs the bytes/duration of the relevant flow.
In general this data is updated every 10 minutes and after the connection closes."

https://community.checkpoint.com/t5/Security-Gateways/Log-accounting/m-p/110407#M15221

Akos

----------------
\m/_(>_<)_\m/
the_rock
Legend
Legend

Never seen that link, thats super USEFUL.

Thanks brother 🙂

Andy

the_rock
Legend
Legend

Hey bud, for the context, I figured would also share this link.

Andy

https://sc1.checkpoint.com/documents/R81/WebAdminGuides/EN/CP_R81_LoggingAndMonitoring_AdminGuide/To...

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events