Configuring Tracking Options in Security Policies

Logs are useful if they show the traffic patterns you are interested in. Make sure your Security Policy Collection of rules that control network traffic and enforce organization guidelines for data protection and access to resources with packet inspection. tracks all necessary rules. When you track multiple rules, the log file is large and requires more disk space and management operations.

To balance these requirements, track rules that can help you improve your cyber security, help you understand of user behavior, and are useful in reports.

To configure tracking in a rule:

1. Right-click in the Track column.

2. Select a tracking option.

3. Install the policy.

Available Tracking Options

These are the available tracking options in the Track column:

• None - Does not generate a log. This is the default option in the Access Control policy.

• Log - This is the default option in the Threat Prevention policy. Shows all the information that the Security Gateway Dedicated Check Point server that runs Check Point software to inspect traffic and enforce Security Policies for connected network resources. used to match the connection. At a minimum, this is the Source, Destination, Source Port, and Destination Port. If there is a match on a rule Set of traffic parameters and other conditions in a Rule Base (Security Policy) that cause specified actions to be taken for a communication session. that specifies an application, a session log shows the application name (for example, Dropbox). If there is a match on a rule that specifies a Data Type Classification of data in a Check Point Security Policy for the Content Awareness Software Blade., the session log shows information about the files, and the contents of the files.

• Accounting - Select this to update the log at 10 minutes intervals, to show how much data has passed in the connection: Upload bytes, Download bytes, and browse time. Browse time is the total duration of a user session, including both active usage and idle time. The session will timeout after the defined idle time. Idle time is the period within a session when there is no user activity, but the connection remains open.

• Alert -

  • None - Do not generate an alert.

  • Alert - Generate a log of type Alert and run a command, such as: Show a popup window, send an email alert or an SNMP trap alert, or run a user-defined script as defined in the Global Properties.

  • SNMP - Generate a log of type Alert and send an SNMP alert to the SNMP GUI, as defined in the Global Properties.

  • Mail - Generate a log of type Alert and send an email to the administrator, as defined in the Global Properties.

  • User Defined Alert - Generate a log of type Alert and send one of three possible customized alerts. The alerts are defined by the scripts specified in the Global Properties.

  For each alert option, you can define a script in Menu > Global properties > Log and Alert > Alerts.

• Detailed Log and Extended Log - Only available if one or more of these blades are enabled on the Layer: Application & URL Filtering, Content Awareness, or Mobile Access.

  • Detailed Log -Equivalent to the Log option, but also shows the application that matched the connections, even if the rule does not specify an application. Best Practice - Use for a cleanup rule (Any/internet/Accept) of an Applications and URL Filtering Check Point Software Blade on a Security Gateway that allows granular control over which web sites can be accessed by a given group of users, computers or networks. Acronym: URLF. Policy Layer that was upgraded from an R77 Application Control Check Point Software Blade on a Security Gateway that allows granular control over specific web-enabled applications by using deep packet inspection. Acronym: APPI. Rule Base All rules configured in a given Security Policy. Synonym: Rulebase..

  • Extended Log -Equivalent to the Detailed option, but also shows a full list of URLs and files in the connection or the session. The URLs and files show in the lower pane of the Logs view.

  Note - The Detailed Log and Extended Log options have a higher performance impact on the Security Gateway than the Log option, because they inspect the packets and connections more thoroughly.

• Log Generation

  • per Connection - Select this to show a different log for each connection in the session. This is the default for rules in a Layer with only Firewall enabled. These are basic Firewall logs.

  • per Session - Select this to generate one log for all the connections in the same session (see Log Sessions). This is the default for rules in a Layer with Application & URL Filtering or Content Awareness enabled. These are basic Application Control logs.