bibinpaul
Participant

Session logs not showing Xlate information


Hello All,

Good day!!

Today I have been troubleshooting an issue and observed that the connection logs show Xlate information, but the session log entries do not show the Xlate information.

Is that an expected behavior in Checkpoint logs?

One of my Internal IP is trying to access Azure AD and it is not working. This is a new deployment.

The connection logs show the proper source address translation details, but the session logs do not.

 

Under tracking details we have enabled log generation per session and per connection.

 

Thanks and Regards

Bibin

PhoneBoy
Admin

Believe that is expected behavior, yes.
@Timothy_Hall mentioned it in his presentation at CPX this year: https://community.checkpoint.com/t5/Member-Exclusive-Content/Max-Gander-The-Hidden-World-of-Log-Gene...

Timothy_Hall
Champion

I did mention it in my CPX speech, but credit for bringing this to my attention should go to @Vladimir.

New 2021 IPS/AV/ABOT Immersion Self-Guided Video Series
now available at http://www.maxpowerfirewalls.com
bibinpaul
Participant

Thanks heaps

Given below is the relevant statement from the speech:

"Be aware that NAT information will not be added to logs of type Session; only connections logged as type Connection with the "Per Connection" log generation checkbox set will contain NAT information. This seems to be a bug and may well change in the future"

_Val_
Admin

I do not think this is a bug. Session logs are in fact an aggregation of multiple connection logs. Each one of those has different XLATE data. How would you aggregate those? An exception is with static NAT, but I think the general principle here is not to aggregate NAT data by design.

Timothy_Hall
Champion

I can see your point Val, but the lack of any NAT information in a log card implies that no NAT occurred at all. So in the case of a session log one might conclude that there was no NAT performed when in fact there was. I wouldn't mind seeing a message in a session log when NAT has occurred on any of the connections stating something like "NAT information not included - see connection logs" or something like that; if there was no NAT on any of the connections that message isn't there.

By the same token it would be nice to see something like "no NAT performed" in a connection log when there are no NAT rules hit instead of just showing nothing at all in the log card. This would also make it easier to troubleshoot when a connection should have been NATted but wasn't due to a misconfiguration.

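The following is an added illustration, not code from this thread or from Check Point, of the two points above: why per-session aggregation cannot carry per-connection NAT data in general (Val's point), and how a session record could still tell the analyst that NAT happened (Tim's suggestion). The connection records are constructed; the session key (source, destination, service) and the `xlatesrc`/`xlatesport`/`xlatedst`/`xlatedport` field names are assumptions modelled on Check Point's connection-log fields.

```python
from collections import defaultdict

# Constructed sample "Connection" log records (not real logs). Documentation
# address ranges are used throughout. Assumption: the xlate* fields hold the
# NAT result for that single connection, as in Check Point connection logs.
CONNECTION_LOGS = [
    # Hide NAT behind one public address: every connection gets a different
    # translated source port, so the NAT data differs per connection.
    {"src": "10.1.1.10", "dst": "192.0.2.40", "service": "https",
     "xlatesrc": "203.0.113.7", "xlatesport": 40011},
    {"src": "10.1.1.10", "dst": "192.0.2.40", "service": "https",
     "xlatesrc": "203.0.113.7", "xlatesport": 40012},
    # Static NAT: the translation is identical for every connection.
    {"src": "10.1.1.20", "dst": "192.0.2.50", "service": "https",
     "xlatesrc": "198.51.100.20", "xlatesport": 443},
    {"src": "10.1.1.20", "dst": "192.0.2.50", "service": "https",
     "xlatesrc": "198.51.100.20", "xlatesport": 443},
    # No NAT rule matched: no xlate* fields at all.
    {"src": "10.1.1.30", "dst": "192.0.2.60", "service": "https"},
]

NAT_FIELDS = ("xlatesrc", "xlatesport", "xlatedst", "xlatedport")
NAT_NOTE = "NAT information not included - see connection logs"
NO_NAT_NOTE = "no NAT performed"


def session_key(rec):
    """Assumed session identity: the unreplaced 5-tuple minus the ports."""
    return (rec["src"], rec["dst"], rec["service"])


def aggregate_sessions(records):
    """Fold connection records into session records.

    NAT fields are copied into the session only when every member connection
    carries the identical translation (the static-NAT exception). Otherwise
    the session just states that NAT occurred and points back to the
    connection logs, so the absence of xlate* fields is never ambiguous.
    """
    groups = defaultdict(list)
    for rec in records:
        groups[session_key(rec)].append(rec)

    sessions = []
    for (src, dst, service), conns in groups.items():
        sess = {"src": src, "dst": dst, "service": service,
                "connections": len(conns)}
        # One tuple per distinct NAT view seen across the connections.
        nat_views = {tuple((f, c.get(f)) for f in NAT_FIELDS) for c in conns}
        natted = any(c.get(f) is not None for c in conns for f in NAT_FIELDS)

        if not natted:
            sess["nat"] = NO_NAT_NOTE
        elif len(nat_views) == 1:
            # Identical translation everywhere: safe to carry into the session.
            sess.update({f: v for f, v in next(iter(nat_views)) if v is not None})
        else:
            # Differing translations cannot be merged into one value.
            sess["nat"] = NAT_NOTE
        sessions.append(sess)
    return sessions


if __name__ == "__main__":
    for s in aggregate_sessions(CONNECTION_LOGS):
        print(s)
```

Run against the constructed records, the hide-NAT session carries only the "see connection logs" marker, the static-NAT session carries the shared `xlatesrc`/`xlatesport` values, and the untranslated session says so explicitly, which is what makes a missing-NAT misconfiguration visible at a glance.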
_Val_
Admin

I certainly understand and agree with your point here.
