Configuring Tracking Options in Security Policies

Logs are useful only if they show the traffic patterns you are interested in. Make sure your Security Policy (the collection of rules that control network traffic and enforce organization guidelines for data protection and access to resources with packet inspection) tracks all necessary rules. When you track many rules, the log files grow large and require more disk space and more management effort.

To balance these requirements, track rules that help you improve your cyber security, help you understand user behavior, and are useful in reports.

To configure tracking in a rule:

  1. Right-click in the Track column.

  2. Select a tracking option.

  3. Install the policy.

Available Tracking Options

These are the available tracking options in the Track column:

Option

Description

None

Do not generate a log. This is the default setting in the Access Control policy.

Note - Changing the default affects only rules created after the change.

Log

This is the default option in the Threat Prevention policy.

Show all the information that the Security Gateway (the dedicated Check Point server that inspects traffic and enforces Security Policies for connected network resources) used to match the connection. At a minimum, this includes the Source, Destination, Source Port, and Destination Port. If there is a match on a rule that specifies an application, a session log shows the application name (for example, Dropbox). If there is a match on a rule that specifies a Data Type (a classification of data for the Content Awareness Software Blade), the session log shows information about the files and their contents.

To change the default value to Log in the Access Control policy:

  1. Go to Manage & Settings > Policy Settings > Rule Base Cell Settings > Access Control Default > Track.

  2. From the drop-down menu, select Log.

Custom Log

Opens the Custom Log window, where you configure these settings for the rule:

  • Track Settings

    • None

    • Log

  • Log Generation

    • per Connection

    • per Session

    Notes:

    • You can select both the per connection and per session options for each rule.

    • To see the log generation mode for a rule, hover your mouse over the Track column of the rule.

  • Alert

    • None - Does not generate an alert.

    • Alert - Generates a log of type Alert and runs a command, such as showing a pop-up window, sending an email alert or an SNMP trap alert, or running a user-defined script, as defined in the Global Properties.

    • SNMP - Generates a log of type Alert and sends an SNMP alert to the SNMP GUI, as defined in the Global Properties.

    • Mail - Generates a log of type Alert and sends an email to the administrator, as defined in the Global Properties.

    • User Defined Alert - Generates a log of type Alert and sends one of three possible customized alerts. The alerts are defined by the scripts specified in the Global Properties.

    For each alert option, you can define a script in Menu > Global Properties > Log and Alert > Alerts.

    Accounting

    Select this option to update the log at 10-minute intervals, showing how much data passed through the connection: upload bytes, download bytes, and browse time. Browse time is the total duration of a user session, including both active usage and idle time. Idle time is when there is no user activity, but the connection remains open. The session times out after the defined idle time.
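When the same Track settings have to be applied to many rules, administrators usually do it through the Management API rather than by right-clicking each Track cell. The block below is an added example, not Check Point's own code: it builds the `track` object of a `set-access-rule` request from the options described above (Track type, per-connection and per-session log generation, Alert, Accounting), refuses combinations the Custom Log window would not make sense of (for example, Track None with per-session logging), and prints the equivalent `mgmt_cli` command. The field names under `track` are taken from the public Management API reference as the author of this example remembers them and are an assumption; check them against your management server's API version before running anything against a live server.

```python
"""Build a Check Point Management API 'set-access-rule' request that applies
Track options to one Access Control rule, plus the matching mgmt_cli line.

Added example, not Check Point code. Field names under "track" (type,
per-connection, per-session, alert, accounting) are an assumption about the
Management API; verify them against your server's API reference.
"""
import json
import shlex

TRACK_TYPES = {"none", "log", "extended log", "detailed log"}
ALERT_TYPES = {"none", "alert", "snmp", "mail",
               "user alert 1", "user alert 2", "user alert 3"}


def track_settings(track="log", per_connection=True, per_session=False,
                   alert="none", accounting=False):
    """Return the 'track' object, validating the option combinations."""
    if track not in TRACK_TYPES:
        raise ValueError(f"unknown track type: {track!r}")
    if alert not in ALERT_TYPES:
        raise ValueError(f"unknown alert type: {alert!r}")
    if track == "none" and (per_connection or per_session or accounting):
        # Track 'None' produces no log at all, so log-generation and
        # accounting settings would be meaningless; refuse rather than
        # ship a rule that looks tracked but is not.
        raise ValueError("track 'none' cannot be combined with "
                         "log generation or accounting")
    if track != "none" and not (per_connection or per_session):
        raise ValueError("select per-connection, per-session, or both")
    return {
        "type": track,
        "per-connection": per_connection,
        "per-session": per_session,
        "alert": alert,
        "accounting": accounting,
    }


def set_access_rule_payload(layer, rule_number, **track_kwargs):
    """JSON body for POST /web_api/set-access-rule (assumed endpoint)."""
    return {
        "layer": layer,
        "rule-number": rule_number,
        "track": track_settings(**track_kwargs),
    }


def mgmt_cli_command(payload):
    """Equivalent mgmt_cli invocation; mgmt_cli takes nested parameters as
    dotted keys (track.type, track.per-session, ...). A logged-in session
    (mgmt_cli login / -s session file) is assumed."""
    parts = ["mgmt_cli", "set", "access-rule",
             "layer", payload["layer"],
             "rule-number", str(payload["rule-number"])]
    for key, value in payload["track"].items():
        text = str(value).lower() if isinstance(value, bool) else value
        parts += [f"track.{key}", text]
    return " ".join(shlex.quote(p) for p in parts)


if __name__ == "__main__":
    # Per-session logging with accounting on rule 3 of layer "Network".
    body = set_access_rule_payload("Network", 3, track="log",
                                   per_connection=False, per_session=True,
                                   accounting=True)
    print(json.dumps(body, indent=2))
    print(mgmt_cli_command(body))
```

After the `set-access-rule` call the change is only in the database; as with the GUI procedure, the policy still has to be installed before the gateway applies the new Track setting.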

    Log Generation Mode

    Starting from R82.10, you can configure the log generation mode for the entire Access Control Rule Base (all rules configured in a given Security Policy; synonym: Rulebase). This configuration applies to all rules, both newly created and existing.

    Note - The configuration does not apply to rules whose settings were changed in the Custom Log window. Custom Log window changes include for example: changes between per connection and per session, changes in track settings between log and extended log, and so on.

    Procedure:

    1. Go to the Manage & Settings view > Policy Settings > Advanced.

    2. Select one of these options:

      • Standard mode - Sets the logging mode to per connection or per session, based on these factors:

        • The active Software Blades in the Layer

        • Whether there are selected applications in the Services & Applications column

        • Whether there are selected Data Types in the Content column.

      • Aggregate mode - Generates logs per session and combines multiple connection logs into a single log. Aggregate mode significantly reduces log volume and cloud storage costs.

    Logging Implied Rules

    Starting from R82.10, you can configure the type of logs created for implied rules.

    Procedure:

    1. In SmartConsole (the Check Point GUI application used to manage a Check Point environment: configure Security Policies, configure devices, monitor products and events, install updates, and so on), at the top-right corner, click the menu icon.

    2. From the drop-down menu, select Global Properties.

    3. In the Firewall page, go to Track, and select Log implied rule.

    4. From the drop-down menu, select per session or per connection.

    Note - For versions earlier than R82.10, when you select Log Implied Rules, the log generation mode is per connection.

    Top Rules in the Logs View

    In SmartConsole > Logs & Events > Logs view, R82.10 introduces Top Access Rules and Top Log Types statistics to help identify rules that generate excessive logging. For any high-logging rule, you can change the log generation mode to Per Session to significantly reduce log volume.
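The same "which rules are flooding the logs, and how much would per-session logging save" question can be answered offline from an exported log file, which is useful before R82.10 or when the logs are already in a SIEM. The block below is an added example, not part of Check Point's documentation or tooling: it parses a constructed key=value export (the field names `src`, `dst`, `app_name`, `rule_name` and `log_type` are assumptions about the export format), counts connection logs per rule and per log type, and estimates the session logs per rule by grouping connections with the same rule, source, destination and application that fall within a session window. The grouping is an approximation of aggregate mode, not the gateway's exact algorithm, and the 60-second window is an assumed idle timeout.

```python
"""Rank rules by log volume and estimate the saving from per-session logging.

Added example, not Check Point code. Input is a constructed key=value export;
field names and the session grouping rule are assumptions (see lead-in).
"""
from collections import Counter, defaultdict

SESSION_WINDOW = 60  # seconds; assumed session idle timeout for the estimate

# Constructed sample. One Dropbox browsing session produces several
# connection logs under Allow-Web; an SSH session produces exactly one.
SAMPLE_LOGS = """\
time=1700000000 src=10.1.1.5 dst=203.0.113.10 service=443 app_name=Dropbox rule_name=Allow-Web log_type=Connection
time=1700000002 src=10.1.1.5 dst=203.0.113.10 service=443 app_name=Dropbox rule_name=Allow-Web log_type=Connection
time=1700000005 src=10.1.1.5 dst=203.0.113.10 service=443 app_name=Dropbox rule_name=Allow-Web log_type=Connection
time=1700000009 src=10.1.1.5 dst=203.0.113.10 service=443 app_name=Dropbox rule_name=Allow-Web log_type=Connection
time=1700000010 src=10.1.1.7 dst=198.51.100.2 service=443 app_name=Office365 rule_name=Allow-Web log_type=Connection
time=1700000011 src=10.1.1.7 dst=198.51.100.2 service=443 app_name=Office365 rule_name=Allow-Web log_type=Connection
time=1700000300 src=10.1.1.5 dst=203.0.113.10 service=443 app_name=Dropbox rule_name=Allow-Web log_type=Connection
time=1700000020 src=10.1.2.9 dst=10.0.0.22 service=22 app_name=SSH rule_name=Admin-SSH log_type=Connection
time=1700000030 src=10.1.3.1 dst=10.0.0.5 service=53 app_name=DNS rule_name=Allow-DNS log_type=Connection
time=1700000031 src=10.1.3.1 dst=10.0.0.5 service=53 app_name=DNS rule_name=Allow-DNS log_type=Connection
"""


def parse_logs(text):
    """Parse key=value log lines into dicts; 'time' becomes an int."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = dict(token.split("=", 1) for token in line.split())
        fields["time"] = int(fields["time"])
        records.append(fields)
    return records


def top_rules(records):
    """Logs per rule, i.e. the Top Access Rules statistic."""
    return Counter(r["rule_name"] for r in records)


def top_log_types(records):
    """Logs per type (Connection / Session), i.e. the Top Log Types statistic."""
    return Counter(r["log_type"] for r in records)


def estimate_sessions(records, window=SESSION_WINDOW):
    """Session logs per rule that per-session mode would emit: connections
    with the same (rule, src, dst, app) belong to one session until the gap
    between consecutive connections exceeds `window` seconds."""
    by_key = defaultdict(list)
    for r in records:
        key = (r["rule_name"], r["src"], r["dst"], r["app_name"])
        by_key[key].append(r["time"])
    sessions = Counter()
    for key, times in by_key.items():
        last = None
        for t in sorted(times):
            if last is None or t - last > window:
                sessions[key[0]] += 1  # a new session starts: one session log
            last = t
    return sessions


def report(records, window=SESSION_WINDOW):
    """Rows of (rule, connection_logs, estimated_session_logs, reduction_pct),
    highest-volume rule first; the top rows are the per-session candidates."""
    conns = top_rules(records)
    sess = estimate_sessions(records, window)
    rows = []
    for rule, n in conns.most_common():
        s = sess[rule]
        rows.append((rule, n, s, round(100 * (1 - s / n), 1)))
    return rows


if __name__ == "__main__":
    recs = parse_logs(SAMPLE_LOGS)
    print("log types:", dict(top_log_types(recs)))
    for rule, n, s, pct in report(recs):
        print(f"{rule:10} connection logs={n:2}  est. session logs={s:2}  reduction={pct}%")
```

On the sample, Allow-Web accounts for 7 of the 10 logs and would drop to 3 session logs; Admin-SSH gains nothing from per-session mode, which is the kind of rule you would leave alone, or keep on per-connection logging, when the individual connections matter for forensics.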