Vengatesh-SR
Explorer

Return traffic in checkpoint

Hi, 

We would like to know if we can see return traffic entries in the logs.

As we are aware, once a connection matches the policy, the traffic is logged and written to the connection table.

The return traffic then matches the existing connection table entry and is allowed / dropped. We cannot see the return traffic logs in Check Point.

1) Apart from TCPDUMP, do we have any way to find the historical return traffic logs?
2) If SecureXL is disabled, can we see the return traffic logs?


Regards,

Vengatesh SR

0 Kudos
3 Replies
Timothy_Hall
Champion

The closest you can get is to enable "Accounting" in the Track field along with "Log" to get this information. Every 10 minutes or when the connection ends (whichever comes first), additional information is added to the log entry including firewall egress interface, connection time, and bytes sent and received. If these values are nonzero, two-way connectivity is working.

Modifying the state of SecureXL won't change this, but if you want to use fw monitor to capture accelerated traffic in R80.20+ check out the -F 0,0,0,0,0 filtering syntax for fw monitor.

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com
0 Kudos
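
Added example (not part of the thread and not Check Point code): a Python sketch of the check described in the reply above, run over exported accounting log rows to separate connections that carried traffic in both directions from those that did not. The CSV layout and the column names conn_id, sent_bytes and received_bytes are assumptions, the sample rows are constructed, and the script assumes the byte counters only grow across the periodic updates.

```python
import csv
import io
from collections import defaultdict

# Constructed sample export. Column names (conn_id, sent_bytes, received_bytes)
# are assumptions for this example; map them to the fields in your own export.
SAMPLE_CSV = """time,conn_id,src,dst,service,sent_bytes,received_bytes
2024-01-01T10:00:00,c1,10.0.0.5,192.0.2.10,443,0,0
2024-01-01T10:10:00,c1,10.0.0.5,192.0.2.10,443,5200,48100
2024-01-01T10:01:00,c2,10.0.0.6,192.0.2.20,22,180,0
2024-01-01T10:11:00,c2,10.0.0.6,192.0.2.20,22,360,0
2024-01-01T10:02:00,c3,10.0.0.7,192.0.2.30,53,,
"""


def classify_connections(csv_text):
    """Return {conn_id: verdict} from accounting-style log rows."""
    totals = defaultdict(lambda: {"sent": None, "recv": None})
    for row in csv.DictReader(io.StringIO(csv_text)):
        entry = totals[row["conn_id"]]
        for key, col in (("sent", "sent_bytes"), ("recv", "received_bytes")):
            raw = (row.get(col) or "").strip()
            if raw.isdigit():
                value = int(raw)
                # Keep the highest value seen across the periodic updates.
                entry[key] = value if entry[key] is None else max(entry[key], value)

    verdicts = {}
    for conn_id, e in totals.items():
        sent, recv = e["sent"], e["recv"]
        if sent is None and recv is None:
            # Rule logged without Accounting, or the update never arrived.
            verdicts[conn_id] = "no-accounting-data"
        elif (sent or 0) > 0 and (recv or 0) > 0:
            verdicts[conn_id] = "two-way"
        elif (sent or 0) > 0 or (recv or 0) > 0:
            # Bytes counted in one direction only: return path needs a look.
            verdicts[conn_id] = "one-way"
        else:
            verdicts[conn_id] = "no-traffic-counted"
    return verdicts


if __name__ == "__main__":
    for conn, verdict in classify_connections(SAMPLE_CSV).items():
        print(conn, verdict)
```
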
Nagesh_Aithal
Explorer

Hi Timothy, 

Thank you for the quick reply.

The reason for this requirement is to randomly check whether the return traffic flow was complete or not for the existing connections.

Can we enable accounting on all the policies in the rulebase in a production network? Does it cause any impact?

Apart from accounting, do we have any other way to view the historical data for the return traffic?

Regards,

Vengatesh SR

0 Kudos
Timothy_Hall
Champion

A Track of "Log" only tells you what happened when the first packet of the connection was received, unless the log was added on to later by another blade like APCL.  Enabling Accounting will cause some additional memory and especially logging overhead on the gateway.  I'd try enabling it for a few rules in your policy and assess the impact; if your SMS/Log Server is already somewhat overwhelmed by regular logs, setting Accounting will certainly not help.

0 Kudos
