This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Tony_Moriarty
Explorer
‎2018-10-30 08:59 AM

R77.30 Sessions vs R80.10 Logs IPS Events

I have been running SMTP reports in R77.30 showing blocked events for a long time and was getting "Sessions" in the IPS report. Now with R80.10 the same IPS SMTP report shows "Logs". The log number is much lower then the sessions number in R77.30.

What is the difference between a Session vs. Log in the newer version? It is making my metrics look like Checkpiont is not blocking as much traffic. R77.30R80.10

2 Replies
PhoneBoy
Admin
Admin
‎2018-11-02 09:12 AM

It's a difference in terminology between the versions. 

In R80.x, the management correlates most connections into sessions (a collection of multiple individual, but related connections), which show up as a single log entry.

In R77.30 and earlier, which does not do this correlation by default, sessions refer to individual connections. 

0 Kudos
Timothy_Hall
Legend Legend
Legend
‎2018-11-03 07:04 AM

Hi Tony,

There are two factors at work here: Session Logging and Log Suppression.  Please see this content I recently put together explaining the difference in regards to the IPS feature.  Another small excerpt of this new content is located here:  Another SmartConsole Usability Issue 

Module 6 – IPS Logging


Session Logging

    • Although not directly related to IPS logging, R80.10+ management by default will attempt to consolidate individual connection logs into a session log.  This feature is commonly confused with Log Suppression which is quite relevant to IPS logging and covered next.
    • A connection log typically only contains very basic information such as Layer 3 and Layer 4 information, while a session log is a collection (or superset) of individual connections.
    • A session is a period that starts when a user first accesses an application or site. During a session, the gateway records one log for each application or site that a user accesses. All activity that the user performs within the session is included in the single session log.  

    • Note the multiple tabs (such as “Matched Rules”) in this single log entry, don’t miss these as they contain valuable information!
    • For more information about session logging see this CheckMates article (from which the above screenshot was taken) by Moti Sagey at: https://community.checkpoint.com/message/6279 
    • To determine the actual number of individual connections made during a session, see the Suppressed Logs field of the log (not shown above).

IPS Log Suppression

  •  When a ThreatCloud IPS Protection is matched and Track is set to Log, a log entry is generated.  Within a period of two minutes, if the same IPS Protection is matched again with all the same connection attributes (IP addresses, ports, etc) a second log entry is not generated.  The Suppressed Logs counter of the original log entry is simply incremented.  Note that Log Suppression does not occur for logs generated by Core Activations or Inspection Settings.
  • After two minutes measured from the first detection of this attack, if the same attack is still ongoing a new log entry is created and its Suppressed Logs counter is then incremented.
  • Note that when viewing an IPS Log Entry, numerous actions are available including:
            Viewing the attack attributes at the Check Point ThreatWiki website
            Creating an Exception (covered later in this module)
            Viewing Remediation Options

--
Second Edition of my "Max Power" Firewall Book
Now Available at http://www.maxpowerfirewalls.com

Attend my online "Be your Own TAC: Part Deux" CheckMates event
March 27th with sessions for both the EMEA and Americas time zones

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events
    Top