This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Jonathan
Collaborator
‎2022-08-25 01:55 AM

mobile access portal logs

Hi,
We use a mobile access portal, let's say portal.company.com
Let's say someone tries to attack us like this: portal.company.com/sslvpn<script>

They get an error screen which is provided by the GW:

error.png

I'm trying to find evidence for this request in the logs but can't find it.
Is it being logged? if yes, how can I filter the logs to find it?
Thanks

Labels
0 Kudos
15 Replies
PhoneBoy
Admin
Admin
‎2022-09-01 04:23 PM

The Access Log won't necessarily show it, though it might show the HTTPS connection without the URL.
You might find it somewhere in $CPVPNDIR/log.

0 Kudos
Jonathan
Collaborator
‎2022-09-12 12:54 AM
In response to PhoneBoy

Hi PhoneBoy,

Couldn't find any log files under $CPVPNDIR (version 81.10).

Tried searching other folders such as "/opt/CPVPNPortal/logs" but couldn't find any relevant logs.

 

0 Kudos
G_W_Albrecht
Legend Legend
Legend
‎2022-09-12 06:52 AM

sk115110: "Access denied. The destination of your request has not been configured or you do not have...

 

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
Arnon_Azmon
Explorer
‎2022-09-13 02:49 AM
In response to G_W_Albrecht

Hi G_W_Albrecht,

This is not the issue of this post, we're not having problems with our portal.

I'm just trying to find where are the logs for access attemps to this portal, which also includes the url entered.

0 Kudos
G_W_Albrecht
Legend Legend
Legend
‎2022-09-13 02:51 AM
In response to Arnon_Azmon

I linked the SK because of:

  • SmartView Tracker log shows: 
    Product:  Mobile Access
Reason: The requested destination is not configured for this user's group in the Mobile Access policy.
Mobile Access Category:	Web
Access:   	Denied
Resource:  http://10.x.x.x:80/sig.php

    Here the URL is displayed...

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
Arnon_Azmon
Explorer
‎2022-09-13 03:29 AM
In response to G_W_Albrecht

Oh, I see...

unfortunately I can't see such logs in my system (R81.10).

Also, this error page only pops up when you try somehing like "https://portal.company.con/gibrish" but if you try to access the login page and add parameters such as portal.company.com/sslvpn/Login/Login?script<1=1> it just ignores it, but I still want to know about it

0 Kudos
G_W_Albrecht
Legend Legend
Legend
‎2022-09-13 04:00 AM
In response to Arnon_Azmon

Legacy SVTracker does not show much, too ! i would suggest to call CP TAC !

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
G_W_Albrecht
Legend Legend
Legend
‎2022-09-13 04:49 AM
In response to G_W_Albrecht

Have a look at /var/log/opt/CPcvpn-R81.10/log/httpd.log

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
Jonathan
Collaborator
‎2022-09-13 05:24 AM
In response to G_W_Albrecht

Already tried that but this log only shows many error and fail messages such as:

[69152][13 Sep 15:18:30][fdt] getCurlCrlOcspDir: failed to create directory: curl_crl_ocsp
[69152][13 Sep 15:18:30] registry_root_reload: Could not reload: Registry file doesn't exists or corrupted. Reverting to old version.
[69152][13 Sep 15:18:30] cpIsDir: Calling cpIsDirEx: Permission denied
[69152][13 Sep 15:18:30] cpFileCopy: failed to fopen64 source file, calling fopen: Permission denied
[69152][13 Sep 15:18:30] cpFileCopy: failed to fopen source file: Permission denied
[69152][13 Sep 15:18:30] registry_revert_to_old_version: Revert error: failed to copy /opt/CPshrd-R81.10/registry/HKLM_registry.data.old -> /opt/CPshrd-R81.10/registry/HKLM_registry.data_69152.tmp: Permission denied
[69152][13 Sep 15:18:30] registry_root_reload: Could not reload: Revert failed, file doesn't exists or corrupted.
[69152][13 Sep 15:18:30] registry_root_reload: Could not reload: Registry file doesn't exists or corrupted. Reverting to old version.
[69152][13 Sep 15:18:30] cpIsDir: Calling cpIsDirEx: Permission denied

0 Kudos
G_W_Albrecht
Legend Legend
Legend
‎2022-09-13 05:33 AM
In response to Jonathan

YOu have to record the exact time you open the link in browser and  find that in log !

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
Jonathan
Collaborator
‎2022-09-13 05:39 AM
In response to G_W_Albrecht

Well I did that of course, but the lines I pasted in my previous reply are the only ones I see in this log.

I don't know if it's supposed to be like this...

0 Kudos
G_W_Albrecht
Legend Legend
Legend
‎2022-09-13 05:52 AM
In response to Jonathan

Open a SR# with TAC to get to the logs !

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
Jonathan
Collaborator
‎2022-10-24 12:38 AM

Hi,

Quick update - I contacted TAC but after many investigation they came to the conclusion that for these logs I need to enable some other blades that we don't have, and they redircted me to our account owner at Checkpoint...

 

Thank you for trying to help

 

 

0 Kudos
PhoneBoy
Admin
Admin
‎2022-10-24 11:17 AM
In response to Jonathan

Can you send me the TAC SR in a private message?

0 Kudos
Jonathan
Collaborator
‎2022-10-24 11:01 PM
In response to PhoneBoy

Sure, I've sent it in PM

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events