This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
andquesada
Participant
‎2020-05-07 10:59 AM

Remote vpn login logs are rewrite after authentication timeout (R80.20)

 

Hi,

I hope someone can help me with the next issue;

When remote vpn users connect to office, we can see the login log; however when authentication timeout is reached and they put back the credentials they can connect without problem; but the first login log doesn´t  appers and just appers the new login connection; is like the log was rewrited.

 This log was from 5/5/2020 (first login)

image.png

and then, after reauthentication the first login log doesn´t appear just the new login.

image.png

In firewall rule I´m using all the track options but still not working.

image.png

Is a distributed environment with a dedicated smartevent server all in R80.20.

Thanks in advance

 

 
 
 
 

 

Labels
0 Kudos
10 Replies
Timothy_Hall
Legend Legend
Legend
‎2020-05-08 07:06 AM

Try unchecking "Per Session" in your Track options for that rule, I think that is what is consolidating/amending your logs.

Gaia 4.18 (R82) Immersion Tips, Tricks, & Best Practices Video Course
Now Available at https://shadowpeak.com/gaia4-18-immersion-course
0 Kudos
andquesada
Participant
‎2020-05-08 09:07 AM
In response to Timothy_Hall

Thanks Timonthy;
I´ve already tried the following combinations:
1) Log + per connection : Failed
2) Log + per connection + per session : Failed
3) and the last one was: Log + per connection + per ssesion :Failed
Now I´m gonna use your suggestion and wait for reauthentication time waiting a good new.
0 Kudos
andquesada
Participant
‎2020-05-12 01:11 PM
In response to andquesada

Hi @Timothy_Hall ;

I did what you suggested; but the log still is being overwritten.

First Login was yesterday at 7:49:39; 

image.png

Then after user´s reauthentication the log is overwritten

image.png

Any other recommendation?

Thanks in advance for your help

0 Kudos
PhoneBoy
Admin
Admin
‎2020-05-12 07:49 PM
In response to andquesada

Sounds like expected behavior but it might be worth a TAC case.
0 Kudos
lucafabbri365
Collaborator
‎2020-05-14 09:57 AM
In response to PhoneBoy

Hello guys,
I'm experiencing (it seems) the same behavior posted here: Mobile Access Log In and Log Out.

I opened a support ticket because, even if "expected", it doesn't make sense to me: why re-writing a past log entry ?!? Logs, in general, shouldn't be touched once written, isn't it ?

Bye,
Luca

0 Kudos
andquesada
Participant
‎2020-05-15 05:26 PM
In response to lucafabbri365

Hi @lucafabbri365 

I apologize because I put the SmartEvent was in R80.20; the SmartEvent version is R80.10; the cluster and mgmt are in R80.20

Anyway, before open a TAC case I put the last Jumbo hotfix for R80.10 (take_272) and today I did a the same test and now it works  as it should.

image.png

 The first  login log

image.png

And now I see the login action of the re-authentication. I´m not sure why it appers as correlated and not as simple log but now the log is not overwrite.

image.png

 I suggest you to do the same; Jumbo HF Take_141 is the last jumbo HF for R80.20 and you said you has Take 80; so maybe  It could help you.

lucafabbri365
Collaborator
‎2020-05-16 05:09 AM
In response to andquesada

Hello @andquesada,
thank you for your suggestion.

We planned to install last Hotfix in GA (141) next 20th of May; there are some bug fixed routing around "log" world, so maybe it will be solved too.

I'll update this post.

Thank you,
Luca

 

lucafabbri365
Collaborator
‎2020-05-20 06:09 AM
In response to andquesada

Hello All,
just an update regarding this post: I finished to install hotfix 141 (Check Point R80.20); I'll monitor the behavior for a couple of days: I'll let you know if it solved.
I'm still waiting for an answer by Check Point support.

Bye,
Luca

0 Kudos
lucafabbri365
Collaborator
‎2020-05-21 01:02 AM
In response to lucafabbri365

Hello Community,

this morning I didn't find log-in event (blade:"Mobile Access") occurred yesterday morning for a user; maybe substituted by log-in event occurred yesterday afternoon. This issue doesn't occur every day: looking at previous events, for the same user, log-ins events are there, untouched: I can find occurred both in the morning and in the afternoon.

However hotfix 141 didn't fix the issue. I updated support ticket with these information and waiting for an answer.

Bye,
Luca

0 Kudos
lucafabbri365
Collaborator
‎2020-05-21 06:57 AM
In response to lucafabbri365

Hello guys,

I have another question regarding logs in general (let me know if it would be better to open another CheckMates post): referring to Mobile Access logs (blade:"Mobile Access") I see "duplicated" log entries (same Time, same Source, same User, same Mobile Access Session UID) coming from both active and standby firewall nodes  (Origin column); it happens for SOME users only, WHY ? I don't think it is a "normal" behavior because it happens for SOME users only (not ALL), not always.

Thank you,
Luca

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events