Working with Logs

Choosing Rules to Track

Logs are useful if they show the traffic patterns you are interested in. Make sure your Security Policy Collection of rules that control network traffic and enforce organization guidelines for data protection and access to resources with packet inspection. tracks all necessary rules. When you track multiple rules, the log file is large and requires more disk space and management operations.

To balance these requirements, track rules that can help you improve your cyber security, help you understand of user behavior, and are useful in reports.

Configuring Tracking in a Policy Rule

To configure tracking in a rule:

1. Right-click in the Track column.

2. Select a tracking option.

3. Install the policy.

Tracking Options

Select these options in the Track column of a rule Set of traffic parameters and other conditions in a Rule Base (Security Policy) that cause specified actions to be taken for a communication session.:

• None - Do not generate a log.

• Log -This is the default Track option. It shows all the information that the Security Gateway Dedicated Check Point server that runs Check Point software to inspect traffic and enforce Security Policies for connected network resources. used to match the connection. At a minimum, this is the Source, Destination, Source Port, and Destination Port. If there is a match on a rule that specifies an application, a session log shows the application name (for example, Dropbox). If there is a match on a rule that specifies a Data Type Classification of data in a Check Point Security Policy for the Content Awareness Software Blade., the session log shows information about the files, and the contents of the files.

• Accounting - Select this to update the log at 10 minutes intervals, to show how much data has passed in the connection: Upload bytes, Download bytes, and browse time.

Note - When upgrading from R77.X or from R80 versions to R81, there are changes to the behavior of the options in the Track column. To learn more see sk116580.

Advanced Track options

Detailed Log and Extended Log are only available if one or more of these Blades are enabled on the Layer: Application & URL Filtering, Content Awareness, or Mobile Access.

• Detailed Log -Equivalent to the Log option, but also shows the application that matched the connections, even if the rule does not specify an application. Best Practice - Use for a cleanup rule (Any/internet/Accept) of an Applications and URL Filtering Check Point Software Blade on a Security Gateway that allows granular control over which web sites can be accessed by a given group of users, computers or networks. Acronym: URLF.Policy Layer that was upgraded from an R77Application Control Check Point Software Blade on a Security Gateway that allows granular control over specific web-enabled applications by using deep packet inspection. Acronym: APPI.Rule Base All rules configured in a given Security Policy. Synonym: Rulebase..

• Extended Log -Equivalent to the Detailed option, but also shows a full list of URLs and files in the connection or the session. The URLs and files show in the lower pane of the Logs view.

Log Generation

• per Connection - Select this to show a different log for each connection in the session. This is the default for rules in a Layer with only Firewall enabled. These are basic Firewall logs.

  Important - SmartEvent does not index these logs.

• per Session - Select this to generate one log for all the connections in the same session (see Log Sessions). This is the default for rules in a Layer with Application & URL Filtering or Content Awareness enabled. These are basic Application Control logs.

Alert:

For each alert option, you can define a script in Menu > Global properties > Log and Alert > Alerts.

• None - Do not generate an alert.

• Alert - Generate a log of type Alert and run a command, such as: Show a popup window, send an email alert or an SNMP trap alert, or run a user-defined script as defined in the Global Properties.

• SNMP - Generate a log of type Alert and send an SNMP alert to the SNMP GUI, as defined in the Global Properties.

• Mail - Generate a log of type Alert and send an email to the administrator, as defined in the Global Properties.

• User Defined Alert - Generate a log of type Alert and send one of three possible customized alerts. The alerts are defined by the scripts specified in the Global Properties.

Log Sessions

A session is a user's activity at a specified site or with a specified application. The session starts when a user connects to an application or to a site. The Security Gateway includes all the activity that the user does in the session in one session log (in contrast to the Security Gateway log, which shows top sources, destinations, and services).

To search for log sessions:

In the Logs tab of the Logs & Monitor view, enter:

type:Session

To see details of the log session:

In the Logs tab of the Logs & Monitor view, select a session log.

In the bottom pane of the Logs tab, click the tabs to see details of the session log:

• Connections - Shows all the connections in the session. These show if Per connection is selected in the Track option of the rule.

• URLs - Shows all the URLs in the session. These show if Extended Log is selected in the Track option of the rule.

• Files - Shows all the files uploaded or downloaded in the session. These show if Extended Log is selected in the Track option of the rule, or if a Data Type was matched on the connection.

To see the session log for a connection that is part of a session:

1. In the Logs tab of the Logs & Monitor view, double-click on the log record of a connection that is part of a session.

2. In the Log Details, click the session icon (in the top-right corner) to search for the session log in a new tab.

To configure the session timeout:

By default, after a session continues for three hours, the Security Gateway starts a new session log. You can change this in SmartConsole Check Point GUI application used to manage a Check Point environment - configure Security Policies, configure devices, monitor products and events, install updates, and so on. from the Manage & Settings view, in Blades > Application & URL Filtering > Advanced Settings > General > Connection unification.

Viewing Rule Logs

You can search for the logs that are generated by a specific rule, from the Security Policy or from the Logs & Monitor > Logs tab.

To see logs generated by a rule (from the Security Policy):

1. In SmartConsole, go to the Security Policies view.

2. In the Access Control Policy or Threat Prevention Policy, select a rule.

3. In the bottom pane, click one of these tabs to see:

   • Logs - By default, shows the logs for the Current Rule. You can filter them by Source, Destination, Blade, Action, Service, Port, Source Port, Rule (Current rule is the default), Origin, User, or Other Fields.

   • History (Access Control Policy only) - List of rule operations (Audit logs) related to the rule in chronological order, with the information about the rule type and the administrator that made the change.

To see logs generated by a rule (by Searching the Logs):

1. In SmartConsole, go to the Security Policies view.

2. In the Access ControlPolicy or Threat PreventionPolicy, select a rule.

3. Right-click the rule number and select Copy Rule UID.

4. In the Logs & Monitor > Logs tab, search for the logs in one of these ways:

   • Paste the Rule UID into the query search bar and click Enter.

   • For faster results, use this syntax in the query search bar:

     layer_uuid_rule_uuid:*_<UID>

     For example, paste this into the query search bar and click Enter:

     layer_uuid_rule_uuid:*_46f0ee3b-026d-45b0-b7f0-5d71f6d8eb10

Packet Capture

You can capture network traffic. The content of the packet capture provides a greater insight into the traffic which generated the log. With this feature activated, the Security Gateway sends a packet capture file with the log to the Log Server Dedicated Check Point server that runs Check Point software to store and process logs.. You can open the file, or save it to a file location to retrieve the information a later time.

For some blades, the packet capture option is activated by default in Custom Threat Prevention Policy.

To deactivate packet capture (in Custom Threat Prevention Policy only):

1. In SmartConsole, go to the Security Policies view > Custom Threat Prevention.

2. In the Track column of the rule, right-click and clear Packet Capture.

To see a packet capture:

1. In SmartConsole, go to the Logs & Monitor view.

2. Open the log.

3. Click the link in the Packet Capture field.

   The Packet Capture opens in a program associated with the file type.

4. Optional: Click Save to save the packet capture data on your computer.