This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Emil_T
Contributor
‎2023-11-02 02:30 AM

Separate log record for each packet of ping / ICMP / Echo

The scenario: multiple pings / icmp / echo requests sent via checkpoint firewall, 

The need: Log each request separately 

Questions:

  1. Should I expect a separate  log record for each ping / ICMP / Echo in traffic logs?
  2. What configuration may be used regarding this topic and what would be the impact? For example icmp virtual session timeout
  3. How can I configure the firewall to log every request?

Thx

0 Kudos
7 Replies
Bob_Zimmerman
Authority
Authority
‎2023-11-02 06:33 AM

  1. No, you shouldn't expect a log for each request.
  2. Yes, the timeout which controls this is Global Properties > Stateful Inspection > ICMP virtual session timeout. Note that it is in integer seconds, and there is no way to specify fractional seconds.
  3. There is no good way to cause the firewall to log every ICMP packet.

Why do you think you need to do this? It seems like a very strange goal.

PhoneBoy
Admin
Admin
‎2023-11-02 11:20 AM
In response to Bob_Zimmerman

Do not expect more than one log per minute for any given connection attempt, regardless of method, without adjusting the Excessive Log Grace Period in Global Properties:

image.png

This applies to every type of connection and goes back to the very earliest days of the product.
Any change to this will require a policy installation.
Adjusting this parameter too low will likely have a performance impact and it's not recommended.

(1)
Emil_T
Contributor
‎2023-11-02 01:35 PM
In response to Bob_Zimmerman

I need this to troubleshoot and analyze network issues that recently occurred. 

I need to see whether each echo request sent from server, arrived and allowed via the firewall.

0 Kudos
Chris_Atkinson
Employee Employee
Employee
‎2023-11-02 09:08 PM
In response to Emil_T

Other tools such as fw monitor / cppcap / tcpdump might be more helpful in this context.

CCSM R77/R80/ELITE
0 Kudos
Emil_T
Contributor
‎2023-11-03 01:49 PM
In response to Chris_Atkinson

Yes, but such tools are only useful AFTER the you know what to look for. What I needed in this case is backward logs.

0 Kudos
Chris_Atkinson
Employee Employee
Employee
‎2023-11-02 06:36 AM

As above I wouldn't recommend this, why is it a requirement for you?

CCSM R77/R80/ELITE
0 Kudos
Timothy_Hall
Legend Legend
Legend
‎2023-11-02 07:53 AM

Having a separate log for every ICMP packet that is part of the same ping tracked "session" is not generally something that you want; keep in mind that setting Accounting on the rule matching the ping traffic would give you byte and packet totals for the duration of the ping session.

However you could make sure that echo-request is freely allowed by your Access Control policy, then in Threat Prevention create a custom Indicator for ABOT that will match the ping traffic you want (by IP address or whatever) and have it issue a log (and even grab a packet capture) for each ICMP packet.  However this could substantially increase the logging load on the firewall and I'd not recommend trying it.

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com
(1)

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events