This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Gerard_van_Lee1
Participant
‎2018-05-09 06:00 AM

viewing LOG - filter on NAT rule #

Hi,

I'm using the Logs & Monitor of Domain Management Server ( R80.10 ) on a VS ( R77.30 ).

I'm looking for the field name of "Xlate (NAT) Source IP"  to use in the query in Logs & Monitor.

(Already tried filtering using the "Copy Rule UID" of the NAT rule and using it with fieldname rule_uid. )

The drop down list of "other fields"

I hope there's a complete list of field names somewhere. 

Thanks in advance.

Kind regards,

Gerard van Leeuwen

16 Replies
Joshua_Hatter
Employee
Employee
‎2018-05-09 06:17 AM

While on the logs page, you can right click the grey columns header and then select 'Edit Profile'. From there you can search for various columns to add, search for Xlate and you should find what you are looking for. Trying to add screenshots but having trouble. Smiley Sad

0 Kudos
Gerard_van_Lee1
Participant
‎2018-05-09 06:20 AM
In response to Joshua_Hatter

I already did add the columns Xlate*. That works well.

But I like to use it as a filter.

0 Kudos
Joshua_Hatter
Employee
Employee
‎2018-05-09 06:27 AM
In response to Gerard_van_Lee1

Typically you can click on the column headers and add filter from there. The option is grayed out for me so I think it is a bad sign. I've asked some other resources, maybe Tomer Sole‌ can have a suggestion.

0 Kudos
XavierBens
Employee
Employee
‎2018-05-09 06:33 AM
In response to Joshua_Hatter

Where could we see indexed fields Joshua Hatter ?

Cybersecurity Evangelist, CISSP, CCSP, CCSM Elite
0 Kudos
Joshua_Hatter
Employee
Employee
‎2018-05-09 07:15 AM
In response to XavierBens

Outside the API my management expertise is limited. My best guess is anything in the "Add a search field:" section once you click in the filter bar. Hoping Tomer or someone else can add some feedback. Russell Seifert

Russell_Seifert
Employee
Employee
‎2018-05-09 08:25 AM
In response to Joshua_Hatter

Hi,

xlatesrc = Xlate (NAT) Source IP
xlatedst = Xlate (NAT) Destination IP
xlatesport = Xlate (NAT) Source Port
xlatedport = Xlate (NAT) Destination Port

Example in filter:

xlatesport:33028

xlatedst:10.1.0.0

0 Kudos
XavierBens
Employee
Employee
‎2018-05-09 08:35 AM
In response to Russell_Seifert

Only available starting R80* ?

(on R77.30 SmartLog)

Cybersecurity Evangelist, CISSP, CCSP, CCSM Elite
0 Kudos
Russell_Seifert
Employee
Employee
‎2018-05-09 11:16 AM
In response to XavierBens

Correct. The NAT fields were not indexed to be searchable on R77.30 and lower due to performance reasons.

0 Kudos
Gerard_van_Lee1
Participant
‎2018-05-09 11:16 AM
In response to Russell_Seifert

I'm sorry Russell. xlatesrc:172.20.0.4 does not work and I'm 100% sure there's such traffic.

I'm aiming the filter for NAT rule number.

The gateways are R77.30 now. Ok I have to wait for this option until those are updated.

venkata_marutur
Contributor
‎2018-06-27 07:16 AM

Hello All,

I am running R80.10 SMS and R77.30 Gateways (Both running latest Jumbo's). I am also having same issue: Added xlate src IP field to my columns by editing the profile but searching xlatesrc: public IP does not work. But, just entering the public IP in the search without any filters does seem to work at times but not all times.

So, my GW's must be on R80+ for this xlate based indexing to work or is it just the SMS needs to be on R80+ ?

Thanks.

0 Kudos
PhoneBoy
Admin
Admin
‎2018-06-27 08:25 AM
In response to venkata_marutur

This is a management/logging feature, the version of gateway is not that relevant.

0 Kudos
venkata_marutur
Contributor
‎2018-06-27 08:38 AM
In response to PhoneBoy

So, any thoughts on why the issue still exists in R80+ SMS?

Hope this helps other users as well.

Thanks.

0 Kudos
PhoneBoy
Admin
Admin
‎2018-06-27 08:55 AM
In response to venkata_marutur

Sounds like an indexing issue, in which case it's probably worth opening a ticket with the TAC to investigate.

0 Kudos
Raj_Khatri
Advisor
‎2018-10-11 08:47 AM

Has anyone figured out how to filter SmartLog for NAT Rule Number?  When filtering for Access Rule Number it uses "rule:" in the query syntax.  However for NAT Rule Number it uses just the rule number in the query syntax which returns no results.

You are able to filter from Smartview Tracker though....   This is on R80.10 management.

Raj_Khatri
Advisor
‎2018-10-18 12:30 PM
In response to Raj_Khatri

So after working with TAC, it appears that the NAT Rule Numbers are not indexed.  The only workaround is to open an individual log file and use the following query - nat_rulenum: 123

An RFE has been submitted for this request.

biskit
Advisor
Advisor
‎2023-07-27 06:50 AM

This still seems to be a problem on R81.10.  I can't figure out a way to apply a filter on the NAT IP. 

I hide tons of traffic behind my LAN interface IP 192.168.1.1.   And of course behind the public interface IP for web access.

If I try  xlatesrc:192.168.1.1  I get zero hits.  Same if I use the public hide IP.

If I filter on just   192.168.1.1  then I get millions of hits for all sorts besides just the NAT.  So it's useless.

There must be a way to filter logs on the NAT fields? 🙄

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events