Jonathan
Collaborator

mobile access portal logs

Hi,
We use a mobile access portal, let's say portal.company.com
Let's say someone tries to attack us like this: portal.company.com/sslvpn<script>

They get an error screen which is provided by the GW:

[screenshot: error.png]

I'm trying to find evidence for this request in the logs but can't find it.
Is it being logged? If yes, how can I filter the logs to find it?
Thanks

15 Replies
PhoneBoy
Admin

The Access Log won't necessarily show it, though it might show the HTTPS connection without the URL.
You might find it somewhere in $CPVPNDIR/log.

Jonathan
Collaborator

Hi PhoneBoy,

Couldn't find any log files under $CPVPNDIR (version 81.10).

Tried searching other folders such as "/opt/CPVPNPortal/logs" but couldn't find any relevant logs.


G_W_Albrecht
Legend

Arnon_Azmon
Explorer

Hi G_W_Albrecht,

This is not the issue of this post, we're not having problems with our portal.

I'm just trying to find where the logs for access attempts to this portal are, which also include the URL entered.

G_W_Albrecht
Legend

I linked the SK because of:

  • SmartView Tracker log shows:
    Product: Mobile Access
    Reason: The requested destination is not configured for this user's group in the Mobile Access policy.
    Mobile Access Category: Web
    Access: Denied
    Resource: http://10.x.x.x:80/sig.php

    Here the URL is displayed...

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
Arnon_Azmon
Explorer

Oh, I see...

Unfortunately I can't see such logs in my system (R81.10).

Also, this error page only pops up when you try something like "https://portal.company.com/gibberish", but if you try to access the login page and add parameters such as portal.company.com/sslvpn/Login/Login?script<1=1> it just ignores it. I still want to know about it.

G_W_Albrecht
Legend

Legacy SVTracker does not show much either! I would suggest calling CP TAC!

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
G_W_Albrecht
Legend

Have a look at /var/log/opt/CPcvpn-R81.10/log/httpd.log

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
Jonathan
Collaborator

Already tried that, but this log only shows many error and fail messages such as:

[69152][13 Sep 15:18:30][fdt] getCurlCrlOcspDir: failed to create directory: curl_crl_ocsp
[69152][13 Sep 15:18:30] registry_root_reload: Could not reload: Registry file doesn't exists or corrupted. Reverting to old version.
[69152][13 Sep 15:18:30] cpIsDir: Calling cpIsDirEx: Permission denied
[69152][13 Sep 15:18:30] cpFileCopy: failed to fopen64 source file, calling fopen: Permission denied
[69152][13 Sep 15:18:30] cpFileCopy: failed to fopen source file: Permission denied
[69152][13 Sep 15:18:30] registry_revert_to_old_version: Revert error: failed to copy /opt/CPshrd-R81.10/registry/HKLM_registry.data.old -> /opt/CPshrd-R81.10/registry/HKLM_registry.data_69152.tmp: Permission denied
[69152][13 Sep 15:18:30] registry_root_reload: Could not reload: Revert failed, file doesn't exists or corrupted.
[69152][13 Sep 15:18:30] registry_root_reload: Could not reload: Registry file doesn't exists or corrupted. Reverting to old version.
[69152][13 Sep 15:18:30] cpIsDir: Calling cpIsDirEx: Permission denied

G_W_Albrecht
Legend

You have to record the exact time you open the link in the browser and find that in the log!

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
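As an added example (not from this thread and not Check Point's own tooling), the script below does what G_W_Albrecht suggests: take the exact time the request was made, pull the surrounding lines out of a copied log, URL-decode each message, and flag any that contains markup such as <script> for review. The "[pid][dd Mon HH:MM:SS]" layout is taken from Jonathan's httpd.log excerpt; the "request:" lines in the constructed sample are hypothetical placeholders, since the thread does not show what a request entry looks like (or whether one is written at all), and the year is an assumption because the timestamps carry none.

```python
"""Time-window triage of a copied gateway log (added example, assumptions noted)."""
import re
import sys
from datetime import datetime, timedelta
from urllib.parse import unquote

# Layout seen in the thread's httpd.log excerpt: [pid][dd Mon HH:MM:SS] [optional tag] message
LINE_RE = re.compile(
    r"^\[(\d+)\]\[(\d{1,2} \w{3} \d{2}:\d{2}:\d{2})\](?:\[(\w+)\])?\s*(.*)$"
)

# Markup that should never appear in a portal path. The message is URL-decoded once
# before matching, so the %3c/%3e alternatives catch double-encoded angle brackets.
SUSPICIOUS_RE = re.compile(r"<[^>]*>|<script|%3c|%3e", re.IGNORECASE)

# Constructed sample (not real gateway output); the "request:" lines are hypothetical.
SAMPLE_LOG = """\
[69152][13 Sep 15:18:30][fdt] getCurlCrlOcspDir: failed to create directory: curl_crl_ocsp
[69152][13 Sep 15:18:30] cpIsDir: Calling cpIsDirEx: Permission denied
[69153][13 Sep 15:18:31] request: GET /sslvpn%3Cscript%3E (hypothetical request line)
[69153][13 Sep 15:19:05] request: GET /sslvpn/Login/Login?script%253C1=1%253E (hypothetical)
[69154][13 Sep 15:25:00] request: GET /sslvpn/Login/Login (hypothetical, benign)
not a log line at all
"""


def parse_line(line, year):
    """Return {pid, ts, tag, msg} for a well-formed line, or None otherwise."""
    m = LINE_RE.match(line.rstrip("\n"))
    if not m:
        return None
    pid, stamp, tag, msg = m.groups()
    # Timestamps carry no year, so the caller supplies one (assumption).
    ts = datetime.strptime(f"{stamp} {year}", "%d %b %H:%M:%S %Y")
    return {"pid": int(pid), "ts": ts, "tag": tag, "msg": msg}


def entries_in_window(log_text, center, before=30, after=30, year=2023):
    """Keep only parsed entries within [center-before, center+after] seconds."""
    lo = center - timedelta(seconds=before)
    hi = center + timedelta(seconds=after)
    out = []
    for line in log_text.splitlines():
        e = parse_line(line, year)
        if e and lo <= e["ts"] <= hi:
            out.append(e)
    return out


def flag_suspicious(entries):
    """URL-decode each message once and flag those containing markup fragments."""
    flagged = []
    for e in entries:
        decoded = unquote(e["msg"])
        if SUSPICIOUS_RE.search(decoded):
            flagged.append({**e, "decoded": decoded})
    return flagged


def triage(log_text, request_time, before=30, after=30, year=2023):
    """request_time uses the log's own 'dd Mon HH:MM:SS' form; returns (window, flagged)."""
    center = datetime.strptime(f"{request_time} {year}", "%d %b %H:%M:%S %Y")
    window = entries_in_window(log_text, center, before, after, year)
    return window, flag_suspicious(window)


if __name__ == "__main__":
    # Usage: python triage.py [copied_log_file] "13 Sep 15:18:30"
    text = open(sys.argv[1]).read() if len(sys.argv) > 2 else SAMPLE_LOG
    when = sys.argv[2] if len(sys.argv) > 2 else "13 Sep 15:18:30"
    window, flagged = triage(text, when, before=30, after=60)
    print(f"{len(window)} entries in window, {len(flagged)} flagged")
    for e in flagged:
        print(f"{e['ts']:%d %b %H:%M:%S} pid={e['pid']} {e['decoded']}")
```

Run it against a copy of the log rather than on the gateway itself; the decoded message is printed alongside the raw timestamp so a flagged entry can be matched back to the browser request time and, if needed, quoted in a TAC case.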
Jonathan
Collaborator

Well I did that of course, but the lines I pasted in my previous reply are the only ones I see in this log.

I don't know if it's supposed to be like this...

G_W_Albrecht
Legend

Open an SR# with TAC to get to the logs!

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
Jonathan
Collaborator

Hi,

Quick update - I contacted TAC, but after much investigation they came to the conclusion that for these logs I need to enable some other blades that we don't have, and they redirected me to our account owner at Check Point...


Thank you for trying to help



PhoneBoy
Admin

Can you send me the TAC SR in a private message?

Jonathan
Collaborator

Sure, I've sent it in a PM.
