Session Logs
A session is a user's activity at a specified site or with a specified application. The session starts when a user connects to an application or to a site. The Security Gateway (a dedicated Check Point server that runs Check Point software to inspect traffic and enforce Security Policies for connected network resources) includes all the activity that the user does in the session in one session log (in contrast to the Security Gateway log, which shows top sources, destinations, and services). A session log is created based on a unique combination of these key connection attributes (this helps group related traffic under a single log entry for efficiency and clarity):
- Access Control Policy Match – Includes matched rule (a set of traffic parameters and other conditions in a Rule Base (Security Policy) that cause specified actions to be taken for a communication session), Layer, and action (for example: Accept, Drop).
- User Identity – Based on source IP or username (when identity is available).
- Application – Identified by Application ID or, if not available, the combination of destination IP and IP protocol.
- Destination Domain Name – When available.
- SD-WAN Steering Object – When available (starting from R82.10).
A new session log is created when:
- A connection starts with a new combination of these attributes.
- Any of the attributes changes during an active session (for example: a change in user, Application ID, or rule match).
To search for session logs:
In the Logs tab of the Logs & Events view, enter:
type:Session
To see details of a session log:
In the Logs tab of the Logs & Events view, select a session log.
In the bottom pane of the Logs tab, click the tabs to see the details of the session log:
- Connections - Shows all the connections in the session. These show if Per connection is selected in the Track option of the rule.
- URLs - Shows all the URLs in the session. These show if Extended Log is selected in the Track option of the rule.
- Files - Shows all the files uploaded or downloaded in the session. These show if Extended Log is selected in the Track option of the rule, or if a Data Type (a classification of data in a Check Point Security Policy for the Content Awareness Software Blade) was matched on the connection.
To see the session log for a connection within a session:
- In the Logs & Events view > Logs tab, double-click on the log record of a connection that is part of a session.
- In the Log Details window, click the session icon (in the top-right corner) to see the session log.
To configure the session timeout:
By default, after a session continues for three hours, the Security Gateway starts a new session log. You can change this in SmartConsole (the Check Point GUI application used to manage a Check Point environment: configure Security Policies, configure devices, monitor products and events, install updates, and so on) from the Manage & Settings view, in Blades > Application & URL Filtering > Advanced Settings > General > Connection unification.
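A simplified Python model of the unification rules described above: the attribute key, the conditions that start a new session log, and the three-hour default timeout. It is an added illustration for reasoning about why one user's traffic splits into several session logs, not Check Point code; the field names and the sample connections are constructed.

```python
from datetime import datetime, timedelta

SESSION_TIMEOUT = timedelta(hours=3)  # default session timeout stated above

def session_key(conn):
    """Key built from the attributes listed above (field names are hypothetical)."""
    identity = conn.get("user") or conn["src_ip"]  # username when identity is available
    app = conn.get("app_id") or (conn["dst_ip"], conn["ip_proto"])  # fallback pair
    return (conn["rule"], conn["layer"], conn["action"],  # Access Control policy match
            identity, app,
            conn.get("domain"),         # destination domain name, when available
            conn.get("sdwan_object"))   # SD-WAN steering object, when available

def unify(connections):
    """Group connections into session records, in time order."""
    open_sessions, sessions = {}, []
    for conn in sorted(connections, key=lambda c: c["time"]):
        key = session_key(conn)
        current = open_sessions.get(key)
        # New attribute combination, or the open session reached the timeout:
        # start a new session record.
        if current is None or conn["time"] - current["start"] >= SESSION_TIMEOUT:
            current = {"key": key, "start": conn["time"], "connections": []}
            open_sessions[key] = current
            sessions.append(current)
        current["connections"].append(conn)
    return sessions

def sample_conn(hhmm, **fields):
    """Constructed sample connection record; every value here is made up."""
    hour, minute = map(int, hhmm.split(":"))
    conn = {"time": datetime(2024, 1, 1, hour, minute), "src_ip": "10.0.0.5",
            "dst_ip": "203.0.113.10", "ip_proto": 6, "rule": 4,
            "layer": "Network", "action": "Accept"}
    conn.update(fields)
    return conn

SAMPLE = [
    sample_conn("09:00", app_id="web-app"),
    sample_conn("09:05", app_id="web-app"),                # same key, same session
    sample_conn("09:10", app_id="web-app", user="alice"),  # identity changed
    sample_conn("09:20", app_id="web-app", user="alice", rule=7, action="Drop"),  # rule match changed
    sample_conn("12:30", app_id="web-app", user="alice"),  # 3h20m after the 09:10 session began
    sample_conn("12:40"),                                  # no Application ID
]

if __name__ == "__main__":
    for s in unify(SAMPLE):
        print(s["start"].time(), len(s["connections"]), s["key"])
```

The six constructed connections come out as five session records: only the first two share every key attribute, and the 12:30 connection reuses an earlier key but falls past the three-hour limit.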