Viewing Rule Logs
You can search for the logs that are generated by a specific rule, from the Security Policy or from the Logs & Monitor > Logs tab.
To see logs generated by a rule (from the Security Policy):
- In SmartConsole, go to the Security Policies view.
- In the Access Control Policy or Threat Prevention Policy, select a rule.
- In the bottom pane, click one of these tabs to see:
  - Logs - By default, shows the logs for the Current Rule. You can filter them by Source, Destination, Blade, Action, Service, Port, Source Port, Rule (Current rule is the default), Origin, User, or Other Fields.
  - History (Access Control Policy only) - List of rule operations (Audit logs) related to the rule in chronological order, with the information about the rule type and the administrator that made the change.
To see logs generated by a rule (by Searching the Logs):
- In SmartConsole, go to the Security Policies view.
- In the Access Control Policy or Threat Prevention Policy, select a rule.
- Right-click the rule number and select Copy Rule UID.
- In the Logs & Monitor > Logs tab, search for the logs in one of these ways:
  - Paste the Rule UID into the query search bar and click Enter.
  - For faster results, use this syntax in the query search bar:
    layer_uuid_rule_uuid:*_<UID>
    For example, paste this into the query search bar and click Enter:
    layer_uuid_rule_uuid:*_46f0ee3b-026d-45b0-b7f0-5d71f6d8eb10
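The following Python sketch is an added example, not part of the Check Point documentation. It validates a copied Rule UID, builds the faster query form shown above, and applies the same wildcard match to exported log records offline. The record layout, the layer UUID, and the assumption that the field value is "<layer UUID>_<rule UUID>" (inferred from the `*_` prefix in the syntax) are constructed for illustration.

```python
import re
import uuid

FIELD = "layer_uuid_rule_uuid"  # field name from the query syntax on this page

def rule_query(copied_uid: str) -> str:
    """Turn the text from 'Copy Rule UID' into the faster query form."""
    # uuid.UUID rejects truncated or mistyped values and normalises case.
    uid = uuid.UUID(copied_uid.strip())
    return f"{FIELD}:*_{uid}"

def query_matches(query: str, record: dict) -> bool:
    """Evaluate a field:pattern query with '*' wildcards against one record."""
    field, pattern = query.split(":", 1)
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, record.get(field, ""), re.IGNORECASE) is not None

def hits_per_rule(rule_uids, records):
    """Count exported log records per rule UID."""
    return {u: sum(query_matches(rule_query(u), r) for r in records)
            for u in rule_uids}

# Constructed sample records; the layer UUID and RULE_B are made up.
# Assumption: the field value is "<layer UUID>_<rule UUID>".
LAYER = "11111111-2222-3333-4444-555555555555"
RULE_A = "46f0ee3b-026d-45b0-b7f0-5d71f6d8eb10"  # example UID from the page
RULE_B = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"  # constructed
RECORDS = [
    {"action": "Accept", FIELD: f"{LAYER}_{RULE_A}"},
    {"action": "Drop", FIELD: f"{LAYER}_{RULE_A}"},
    # Differs from RULE_B in the last character only, so it must not match.
    {"action": "Accept", FIELD: f"{LAYER}_{RULE_B[:-1]}f"},
]

if __name__ == "__main__":
    print(rule_query(f"  {RULE_A.upper()} "))
    print(hits_per_rule([RULE_A, RULE_B], RECORDS))
```

A malformed or partially copied UID raises ValueError before any query is built, which avoids running a search that silently returns no logs.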
Excluding a layer from display in the SmartConsole Logs view
Starting from R81.10 Jumbo Hotfix Accumulator Take 158, you can exclude a layer from display in the SmartConsole Logs view.
To exclude a layer from display in the SmartConsole Logs view:
- In SmartConsole, go to the Security Policies view, Access Control > right-click the applicable layer and click Edit Policy.
- In the window that opens, go to the applicable layer, right-click the drop-down menu, and select Edit Layer.
- Add a down arrow ↓ to the layer's name. You can copy the arrow from here or find how to do it in this link.
The excluded layers will not be displayed in the Logs view when the action is not blocked or dropped.
The first layer which is not excluded will be displayed instead.
If all the layers are excluded, only the first layer will be displayed.