Hello everyone,
After upgrading gateway to R80.10 we noticed rules with Application/Service set to Any do not log applications that match the rules. The exact same rules with R77.30 gateway and R80.10 SMS work fine.
We have tried with both shared and separate layers for network and application rules.
We have tried all kinds of tracking and logging, but the result is always the same.
What am I missing?
What is your clean-up rule in the Application ordered layer? That should be set to Accept, and I recommend Detailed logging with its default configuration of Accounting and per Connection enabled:
This should log all traffic and applications if there are no other issues.
Obviously, the gateway handling this ordered policy needs to also have Application Control and URLF blades enabled.
Once you've established that you are logging what you need, unchecking the "per Connection" field will reduce the logs by not explicitly logging the Firewall established connections.
Also ensure that you don't have the Application ordered layer defaulting to an implicit Clean-up rule with drop, which is the default for new layers.
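The checks from the reply above, as an added example that is not part of the original thread: a small Python audit of a layer's clean-up rule. The dictionary layout and the names `audit_layer`, `BEFORE`, `AFTER` and `NEW_LAYER` are constructed for this example and are not the Management API's export format.

```python
# Added example: audit an application layer for the settings named in the thread.
# The dict layout below is constructed; it is not a real export schema.
REQUIRED_BLADES = {"Application Control", "URL Filtering"}

def audit_layer(layer, gateway_blades):
    """Return findings that explain why matched applications may not be logged."""
    findings = []
    missing = REQUIRED_BLADES - set(gateway_blades)
    if missing:
        findings.append("gateway blades not enabled: " + ", ".join(sorted(missing)))

    rules = layer.get("rules", [])
    last = rules[-1] if rules else None
    if last is None or last["services"] != ["Any"]:
        # No explicit clean-up rule, so the layer's implicit one applies.
        if layer.get("implicit_cleanup", "drop") == "drop":
            findings.append("implicit clean-up rule drops unmatched traffic")
        return findings

    if last["action"] != "Accept":
        findings.append("clean-up rule action is %s, expected Accept" % last["action"])
    track_type = last.get("track", {}).get("type")
    if track_type != "Detailed Log":
        # Accounting alone does not add application data to the log entry.
        findings.append("clean-up rule track is %r, expected 'Detailed Log'" % track_type)
    return findings

# Constructed sample: the original poster's state (Accounting only).
BEFORE = {"name": "Application", "implicit_cleanup": "drop", "rules": [
    {"name": "Allow YouTube", "services": ["YouTube"], "action": "Accept",
     "track": {"type": "Log"}},
    {"name": "Cleanup", "services": ["Any"], "action": "Accept",
     "track": {"type": "Log", "accounting": True}},
]}
# Constructed sample: the same layer after applying the recommended tracking.
AFTER = {"name": "Application", "implicit_cleanup": "drop", "rules": [
    BEFORE["rules"][0],
    {"name": "Cleanup", "services": ["Any"], "action": "Accept",
     "track": {"type": "Detailed Log", "accounting": True, "per_connection": True}},
]}
# Constructed sample: a new layer left with its default implicit clean-up.
NEW_LAYER = {"name": "New layer", "implicit_cleanup": "drop", "rules": []}

if __name__ == "__main__":
    blades = ["Firewall", "Application Control", "URL Filtering"]
    for layer in (BEFORE, AFTER, NEW_LAYER):
        print(layer["name"], audit_layer(layer, blades) or "ok")
```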
"Any" doesn't require the use of Application Control in order to validate.
The log entries you see will therefore show as being accepted by the Firewall and won't have the Application information in it.
The information is still there, but you have to drill into the log entry to find it.
See the following example:
I do not get this information.
In the Session tab, Blade is always Firewall.
Application/Site section does not show.
SmartEvent shows only YouTube in the Accepted Applications list because there is a specific rule accepting it.
I will open an SR, but I believe the problem is in my understanding rather than an issue with my gateway.
In my case, my App Control rule is actually in a sub-policy:
I missed the detailed logging option. Thank you, Dameon!
Detailed logging did the trick! I had only Accounting enabled.
I opened that window a thousand times and didn't see that. Neither did my colleagues.
Thank you, Eric!
Hi @Eric_Beasley ,
If I put services in a specific rule, will the firewall be able to log the relevant application?
I'm just trying to create a new rule set from R77.30 to R80.30, but in this phase of the migration I prefer to leave the configured rules exactly the same and in a second phase to change them with the relevant apps.
How can I accomplish this? (obviously I cannot put any in the service/app column field and obv the ordered layer will have apcl enabled).
Let me know guys if you have any suggestion/tips.
D!Z