Emil_T
Participant

Separate log record for each packet of ping / ICMP / Echo

The scenario: multiple pings / ICMP / echo requests sent via a Check Point firewall.

The need: log each request separately.

Questions:

  1. Should I expect a separate log record for each ping / ICMP / Echo in traffic logs?
  2. What configuration may be used regarding this topic and what would be the impact? For example, the ICMP virtual session timeout.
  3. How can I configure the firewall to log every request?

Thx

7 Replies
Bob_Zimmerman
Authority

  1. No, you shouldn't expect a log for each request.
  2. Yes, the timeout which controls this is Global Properties > Stateful Inspection > ICMP virtual session timeout. Note that it is in integer seconds, and there is no way to specify fractional seconds.
  3. There is no good way to cause the firewall to log every ICMP packet.

Why do you think you need to do this? It seems like a very strange goal.

PhoneBoy
Admin

Do not expect more than one log per minute for any given connection attempt, regardless of method, without adjusting the Excessive Log Grace Period in Global Properties:

[screenshot: Excessive Log Grace Period setting in Global Properties]

This applies to every type of connection and goes back to the very earliest days of the product.
Any change to this will require a policy installation.
Adjusting this parameter too low will likely have a performance impact and it's not recommended.

Emil_T
Participant

I need this to troubleshoot and analyze network issues that recently occurred. 

I need to see whether each echo request sent from the server arrived and was allowed through the firewall.

Chris_Atkinson
Employee

Other tools such as fw monitor / cppcap / tcpdump might be more helpful in this context.

CCSM R77/R80/ELITE
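Capturing on both sides of the gateway is what actually answers the "did each echo request get through" question, so here is an added example (not from this thread or from Check Point) that correlates echo requests between two tcpdump-style captures by ICMP id and sequence number. It assumes `tcpdump -nn icmp` line format, no NAT on the path (so addresses match on both interfaces), and constructed sample lines standing in for the real captures.

```python
import re

# Matches the echo lines `tcpdump -nn icmp` prints (format assumed from tcpdump's
# usual output; adjust the pattern if your capture tool prints differently).
ECHO_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP (?P<src>[\d.]+) > (?P<dst>[\d.]+): "
    r"ICMP echo (?P<kind>request|reply), id (?P<id>\d+), seq (?P<seq>\d+)"
)

def parse_echo(lines):
    """Map (src, dst, id, seq, kind) -> first timestamp for every echo packet seen."""
    seen = {}
    for line in lines:
        m = ECHO_RE.match(line.strip())
        if m:  # silently skip non-echo traffic in the capture
            key = (m["src"], m["dst"], int(m["id"]), int(m["seq"]), m["kind"])
            seen.setdefault(key, m["ts"])
    return seen

def correlate(inside_lines, outside_lines):
    """For each echo request in the inside capture, report whether the same
    (id, seq) was also seen on the outside capture (the gateway forwarded it)
    and whether the matching echo reply came back on the inside.
    Assumes no NAT on the path, so src/dst are identical on both captures."""
    inside, outside = parse_echo(inside_lines), parse_echo(outside_lines)
    report = []
    for (src, dst, ident, seq, kind), ts in inside.items():
        if kind != "request":
            continue
        report.append({
            "id": ident, "seq": seq, "sent_at": ts,
            "forwarded": (src, dst, ident, seq, "request") in outside,
            "reply_seen": (dst, src, ident, seq, "reply") in inside,
        })
    return sorted(report, key=lambda r: (r["id"], r["seq"]))

# Constructed sample captures: server 10.1.1.5 pings 192.0.2.10; seq 2 never
# appears on the outside interface and gets no reply.
INSIDE = [
    "10:00:01.000100 IP 10.1.1.5 > 192.0.2.10: ICMP echo request, id 4242, seq 1, length 64",
    "10:00:01.012300 IP 192.0.2.10 > 10.1.1.5: ICMP echo reply, id 4242, seq 1, length 64",
    "10:00:02.000100 IP 10.1.1.5 > 192.0.2.10: ICMP echo request, id 4242, seq 2, length 64",
    "10:00:03.000100 IP 10.1.1.5 > 192.0.2.10: ICMP echo request, id 4242, seq 3, length 64",
    "10:00:03.011900 IP 192.0.2.10 > 10.1.1.5: ICMP echo reply, id 4242, seq 3, length 64",
]
OUTSIDE = [
    "10:00:01.000400 IP 10.1.1.5 > 192.0.2.10: ICMP echo request, id 4242, seq 1, length 64",
    "10:00:03.000400 IP 10.1.1.5 > 192.0.2.10: ICMP echo request, id 4242, seq 3, length 64",
]

if __name__ == "__main__":
    for r in correlate(INSIDE, OUTSIDE):
        print(r)
```

A request that is present inside but absent outside, with no reply, is the per-packet evidence the traffic log cannot give you once the ICMP virtual session has collapsed the pings into one log record.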
Emil_T
Participant

Yes, but such tools are only useful AFTER you know what to look for. What I needed in this case is backward logs.

Chris_Atkinson
Employee

As above I wouldn't recommend this, why is it a requirement for you?

CCSM R77/R80/ELITE
Timothy_Hall
Champion

Having a separate log for every ICMP packet that is part of the same ping tracked "session" is not generally something that you want; keep in mind that setting Accounting on the rule matching the ping traffic would give you byte and packet totals for the duration of the ping session.

However you could make sure that echo-request is freely allowed by your Access Control policy, then in Threat Prevention create a custom Indicator for ABOT that will match the ping traffic you want (by IP address or whatever) and have it issue a log (and even grab a packet capture) for each ICMP packet. However this could substantially increase the logging load on the firewall and I'd not recommend trying it.

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com
