fw log

Description

Shows the content of Check Point log files - Security ($FWDIR/log/*.log) or Audit ($FWDIR/log/*.adtlog).

Syntax

fw log {-h | -help}

fw [-d] log [-a] [-b "<Start Timestamp>" "<End Timestamp>"] [-c <Action>] [{-f | -t}] [-g] [-H] [-h <Origin>] [-i] [-k {<Alert Name> | all}] [-l] [-m {initial | semi | raw}] [-n] [-o] [-p] [-q] [-S] [-s "<Start Timestamp>"] [-e "<End Timestamp>"] [-u <Unification Scheme File>] [-w] [-x <Start Entry Number>] [-y <End Entry Number>] [-z] [-#] [<Log File>]

Parameters


{-h | -help}

Shows the built-in usage.

Note - The built-in usage does not show some of the parameters described in this table.

-d

Runs the command in debug mode.

Use only if you troubleshoot the command itself.

Best Practice - If you use this parameter, then redirect the output to a file, or use the script command to save the entire CLI session.

-a

Shows only Account log entries.

-b "<Start Timestamp>" "<End Timestamp>"

Shows only entries that were logged between the specified start and end times.

  • The <Start Timestamp> and <End Timestamp> may be a date, a time, or both.

  • If date is omitted, then the command assumes the current date.

  • Enclose the <Start Timestamp> and <End Timestamp> in single or double quotes (-b 'XX' 'YY', or -b "XX" "YY").

  • You cannot use the "-b" parameter together with the "-s" or "-e" parameters.

  • See the date and time format below.

-c <Action>

Shows only events with the specified action. One of these:

  • accept

  • drop

  • reject

  • encrypt

  • decrypt

  • vpnroute

  • keyinst

  • authorize

  • deauthorize

  • authcrypt

  • ctl

Notes:

  • The fw log command always shows the Control (ctl) actions.

  • For the login action, use authcrypt.

-e "<End Timestamp>"

Shows only entries that were logged before the specified time.

Notes:

  • The <End Timestamp> may be a date, a time, or both.

  • Enclose the <End Timestamp> in single or double quotes (-e '...', or -e "...").

  • You cannot use the "-e" parameter together with the "-b" parameter.

  • See the date and time format below.

-f

This parameter:

  1. Shows the saved entries that match the specified conditions.

  2. After the command reaches the end of the currently opened log file, it continues to monitor the log file indefinitely and shows the new entries that match the specified conditions.

Note - Applies only to the active log file $FWDIR/log/fw.log or $FWDIR/log/fw.adtlog.

-g

Does not show delimiters.

The default behavior is:

  • Show a colon (:) after a field name

  • Show a semi-colon (;) after a field value

-H

Shows the High Level Log key.

-h <Origin>

Shows only logs that were generated by the Security Gateway with the specified IP address or object name (as configured in SmartConsole).

-i

Shows log UID.

-k {<Alert Name> | all}

Shows entries that match a specific alert type:

  • <Alert Name> - Show only entries that match a specific alert type:

    • alert

    • mail

    • snmp_trap

    • spoof

    • user_alert

    • user_auth

  • all - Show entries that match all alert types (this is the default).

-l

Shows both the date and the time for each log entry.

The default is to show the date only once above the relevant entries, and then specify the time for each log entry.

-m

Specifies the log unification mode:

  • initial - Complete unification of log entries. The command shows one unified log entry for each ID. This is the default.

    If you also specify the -f parameter, then the output does not show any updates, but shows only entries that relate to the start of new connections. To show updates, use the semi mode.

  • semi - Step-by-step unification of log entries. For each log entry, the output shows an entry that unifies this entry with all previously encountered entries with the same ID.

  • raw - No log unification. The output shows all log entries.

-n

Does not perform DNS resolution of the IP addresses in the log file (this is the default behavior).

This significantly speeds up the log processing.

-o

Shows detailed log chains - shows all the log segments in the log entry.

-p

Does not perform resolution of the port numbers in the log file (this is the default behavior).

This significantly speeds up the log processing.

-q

Shows the names of log header fields.

-S

Shows the Sequence Number.

-s "<Start Timestamp>"

Shows only entries that were logged after the specified time.

Notes:

  • The <Start Timestamp> may be a date, a time, or both.

  • If the date is omitted, then the command assumes the current date.

  • Enclose the <Start Timestamp> in single or double quotes (-s '...', or -s "...").

  • You cannot use the "-s" parameter together with the "-b" parameter.

  • See the date and time format below.

-t

This parameter:

  1. Does not show the saved entries that match the specified conditions.

  2. After the command reaches the end of the currently opened log file, it continues to monitor the log file indefinitely and shows the new entries that match the specified conditions.

Note - Applies only to the active log file $FWDIR/log/fw.log or $FWDIR/log/fw.adtlog.

-u <Unification Scheme File>

Specifies the path and name of the log unification scheme file.

The default log unification scheme file is:

$FWDIR/conf/log_unification_scheme.C

-w

Shows the flags of each log entry (different bits used to specify the "nature" of the log - for example, control, audit, accounting, complementary, and so on).

-x <Start Entry Number>

Shows only entries starting from the specified log entry number, counting from the beginning of the log file.

-y <End Entry Number>

Shows only entries until the specified log entry number, counting from the beginning of the log file.

-z

In case of an error (for example, wrong field value), continues to show log entries.

The default behavior is to stop.

-#

Shows confidential logs in clear text.

<Log File>

Specifies the log file to read.

If you do not specify the log file explicitly, the command opens the $FWDIR/log/fw.log log file.

You can specify a switched log file.

Date and Time format

| Part of timestamp | Format | Example |
|---|---|---|
| Date only | MMM DD, YYYY | June 11, 2018 |
| Time only (the command assumes the current date) | HH:MM:SS | 14:20:00 |
| Date and Time | MMM DD, YYYY HH:MM:SS | June 11, 2018 14:20:00 |
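The timestamp rules above (format, -b versus -s/-e, the -c action names) turned into a small argv builder, as an added example that is not Check Point code; it assumes the full month name of the table's example (%B) and that the command will be passed to subprocess as a list, so the timestamps need no shell quoting.

```python
"""Compose an `fw log` argv for a time window and an action.

Added example, not Check Point code. It applies the rules documented
above: the "MMM DD, YYYY HH:MM:SS" form (full month name assumed, as in
the table's example), -b for a window with both ends and -s/-e for an
open-ended one (never combined), and the documented -c action names.
"""
from datetime import datetime

ACTIONS = {"accept", "drop", "reject", "encrypt", "decrypt", "vpnroute",
           "keyinst", "authorize", "deauthorize", "authcrypt", "ctl"}

# Accepted ISO-style input forms and the matching fw log forms.
TS_FORMS = (("%Y-%m-%d %H:%M:%S", "%B %d, %Y %H:%M:%S"),
            ("%Y-%m-%d", "%B %d, %Y"),
            ("%H:%M:%S", "%H:%M:%S"))   # time only: fw log assumes today

def parse_ts(text):
    """Return (datetime, fw log text, input form) for an ISO-style string."""
    for in_fmt, out_fmt in TS_FORMS:
        try:
            dt = datetime.strptime(text, in_fmt)
        except ValueError:
            continue
        return dt, dt.strftime(out_fmt), in_fmt
    raise ValueError("unrecognised timestamp: %r" % text)

def fw_log_argv(start=None, end=None, action=None, log_file=None):
    """Build argv for `fw log -l -q`: date+time and field names on every line."""
    argv = ["fw", "log", "-l", "-q"]
    if start is not None and end is not None:
        s_dt, s_txt, s_form = parse_ts(start)
        e_dt, e_txt, e_form = parse_ts(end)
        if s_form == e_form and e_dt < s_dt:
            raise ValueError("end timestamp precedes start timestamp")
        argv += ["-b", s_txt, e_txt]            # -b takes both ends; never with -s/-e
    elif start is not None:
        argv += ["-s", parse_ts(start)[1]]
    elif end is not None:
        argv += ["-e", parse_ts(end)[1]]
    if action is not None:
        if action not in ACTIONS:
            raise ValueError("unknown fw log action: %r" % action)
        argv += ["-c", action]
    if log_file is not None:
        argv.append(log_file)                   # e.g. a switched file under $FWDIR/log
    return argv

if __name__ == "__main__":
    print(fw_log_argv("2018-06-11 14:20:00", "2018-06-11 15:00:00", "drop"))
```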

Output

Each output line consists of a single log entry, whose fields appear in this format:

Note - The fields that are shown depend on the connection type.

HeaderDateHour ContentVersion HighLevelLogKey Uuid SequenceNum Flags Action Origin IfDir InterfaceName LogId ...

This table describes some of the fields.

| Field Header | Description | Example |
|---|---|---|
| HeaderDateHour | Date and Time | 12Jun2018 12:56:42 |
| ContentVersion | Version | 5 |
| HighLevelLogKey | High Level Log Key | <max_null>, or empty |
| Uuid | Log UUID | (0x5b1f99cb,0x0,0x3403a8c0,0xc0000000) |
| SequenceNum | Log Sequence Number | 1 |
| Flags | Internal flags that specify the "nature" of the log - for example, control, audit, accounting, complementary, and so on | 428292 |
| Action | Action performed on this connection | accept, drop, reject, encrypt, decrypt, vpnroute, keyinst, authorize, deauthorize, authcrypt, ctl |
| Origin | Object name of the Security Gateway that generated this log | MyGW |
| IfDir | Traffic direction through the interface: < is Outbound (sent by a Security Gateway), > is Inbound (received by a Security Gateway) | < or > |
| InterfaceName | Name of the Security Gateway interface on which this traffic was logged. If a Security Gateway performed some internal action (for example, log switch), then the log entry shows daemon | eth0, daemon, N/A |
| LogId | Log ID | 0 |
| Alert | Alert Type | alert, mail, snmp_trap, spoof, user_alert, user_auth |
| OriginSicName | SIC (Secure Internal Communication) name of the Security Gateway that generated this log | CN=MyGW,O=MyDomain_Server.checkpoint.com.s6t98x |
| inzone | Inbound Security Zone | Local |
| outzone | Outbound Security Zone | External |
| service_id | Name of the service used to inspect this connection | ftp |
| src | Object name or IP address of the connection's source computer | MyHost |
| dst | Object name or IP address of the connection's destination computer | MyFTPServer |
| proto | Name of the connection's protocol | tcp |
| sport_svc | Source port of the connection | 64933 |
| ProductName | Name of the Check Point product that generated this log | VPN-1 & FireWall-1, Application Control, FloodGate-1 |
| ProductFamily | Name of the Check Point product family that generated this log | Network |
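A parser for the output format described above, as an added example that is not Check Point code: it assumes the log was read with `fw log -l -q`, so that every field, header fields included, is printed as `Name: value;` with the default delimiters, and the sample lines are constructed from the field names and example values in the table.

```python
"""Parse `fw log` output into records and summarise dropped connections by source.

Added example, not Check Point code. Assumes the log was read with
`fw log -l -q`, so every field, header fields included, is printed as
`Name: value;` with the default delimiters (colon after the name,
semicolon after the value). The sample lines below are constructed.
"""
from collections import Counter
from datetime import datetime

# Constructed sample in the documented field order; later entries omit
# fields that do not apply, as the output does for some connection types.
FW_LOG_SAMPLE = """\
HeaderDateHour: 12Jun2018 12:56:42; ContentVersion: 5; HighLevelLogKey: <max_null>; Uuid: (0x5b1f99cb,0x0,0x3403a8c0,0xc0000000); SequenceNum: 1; Flags: 428292; Action: accept; Origin: MyGW; IfDir: >; InterfaceName: eth0; LogId: 0; OriginSicName: CN=MyGW,O=MyDomain_Server.checkpoint.com.s6t98x; inzone: Local; outzone: External; service_id: ftp; src: MyHost; dst: MyFTPServer; proto: tcp; sport_svc: 64933; ProductName: VPN-1 & FireWall-1; ProductFamily: Network;
HeaderDateHour: 12Jun2018 12:57:01; ContentVersion: 5; SequenceNum: 2; Flags: 428292; Action: drop; Origin: MyGW; IfDir: >; InterfaceName: eth0; LogId: 0; service_id: ssh; src: 192.0.2.44; dst: MyFTPServer; proto: tcp; sport_svc: 51020; ProductName: VPN-1 & FireWall-1; ProductFamily: Network;
HeaderDateHour: 12Jun2018 12:57:03; ContentVersion: 5; SequenceNum: 3; Flags: 428292; Action: drop; Origin: MyGW; IfDir: >; InterfaceName: eth0; LogId: 0; service_id: telnet; src: 192.0.2.44; dst: MyFTPServer; proto: tcp; sport_svc: 51021; ProductName: VPN-1 & FireWall-1; ProductFamily: Network;
"""

def parse_entry(line):
    """Split one `Name: value;` line into a dict.

    Values may contain commas (Uuid, OriginSicName) and colons without a
    following space (the time in HeaderDateHour), so the split uses only
    the documented delimiters: "; " between fields, the first ": " within.
    """
    fields = {}
    for part in line.strip().rstrip(";").split("; "):
        name, sep, value = part.partition(": ")
        if not sep:
            raise ValueError("field without ': ' delimiter: %r" % part)
        fields[name] = value
    # HeaderDateHour is in the form shown in the table: 12Jun2018 12:56:42
    fields["timestamp"] = datetime.strptime(fields["HeaderDateHour"], "%d%b%Y %H:%M:%S")
    return fields

def parse_log(text):
    """Parse every non-empty line of fw log output."""
    return [parse_entry(line) for line in text.splitlines() if line.strip()]

def drops_by_source(entries):
    """Count entries with Action drop per src, a first triage view of denied traffic."""
    return Counter(e["src"] for e in entries if e["Action"] == "drop")

if __name__ == "__main__":
    for src, count in drops_by_source(parse_log(FW_LOG_SAMPLE)).most_common():
        print("%s\t%d" % (src, count))
```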