Configuring Tracking Options in Security Policies

Logs are useful if they show the traffic patterns you are interested in. Make sure your Security Policy tracks all necessary rules. When you track many rules, the log file becomes large and requires more disk space and more management operations.

To balance these requirements, track rules that help you improve your cyber security, help you understand user behavior, and are useful in reports.

To configure tracking in a rule:

  1. Right-click in the Track column.

  2. Select a tracking option.

  3. Install the policy.

Available Tracking Options

These are the available tracking options in the Track column of a rule:

  • None - Does not generate a log. This is the default option in the Access Control policy.

  • Log - This is the default option for the Threat Prevention policy. Shows all the information that the Security Gateway used to match the connection. At a minimum, this is the Source, Destination, Source Port, and Destination Port. If there is a match on a rule that specifies an application, a session log shows the application name (for example, Dropbox). If there is a match on a rule that specifies a Data Type, the session log shows information about the files, and the contents of the files.

  • Accounting - Select this to update the log at 10-minute intervals, to show how much data has passed in the connection: Upload bytes, Download bytes, and browse time. Browse time is the total duration of a user session, including both active usage and idle time. The session times out after the defined idle time. Idle time is the period within a session when there is no user activity, but the connection remains open.

  • Alert - For each alert option, you can define a script in Menu > Global properties > Log and Alert > Alerts. These are the Alert options:

    • None - Does not generate an alert.

    • Alert - Generates a log of type Alert and runs a command, such as: show a popup window, send an email alert or an SNMP trap alert, or run a user-defined script as defined in the Global Properties.

    • SNMP - Generates a log of type Alert and sends an SNMP alert to the SNMP GUI, as defined in the Global Properties.

    • Mail - Generates a log of type Alert and sends an email to the administrator, as defined in the Global Properties.

    • User Defined Alert - Generates a log of type Alert and sends one of three possible customized alerts. The alerts are defined by the scripts specified in the Global Properties.

  • Detailed Log and Extended Log - Only available if one or more of these Blades are enabled on the Layer: Application & URL Filtering, Content Awareness, or Mobile Access.

    • Detailed Log - Equivalent to the Log option, but also shows the application that matched the connections, even if the rule does not specify an application.

    • Extended Log - Equivalent to the Detailed Log option, but also shows a full list of URLs and files in the connection or the session. The URLs and files show in the lower pane of the Logs view.

    Note - The Detailed Log and Extended Log options have a higher performance impact on the Security Gateway than the Log option, because they inspect the packets and connections more thoroughly.

  • Log Generation Mode
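The options above are set per rule in the Track column, so the practical question for an administrator is which rules are untracked (no visibility), which use Accounting or Detailed/Extended Log (disk and gateway cost), and which raise alerts. The script below is an added example, not Check Point's own code: it audits a rulebase export for exactly those properties and builds the `track` object for a rule change. It assumes the export has the shape of the Management API `show-access-rulebase` response (a `rulebase` list of `access-rule` objects, possibly nested in sections, whose `track` field carries `type`, `accounting`, `alert`, `per-connection` and `per-session`) and that the API accepts the lower-case option names used in `track_payload`; the sample rulebase is constructed for illustration.

```python
"""Audit the Track column of an Access Control rulebase export.

Added example, not Check Point's own code. Assumes the Management API
`show-access-rulebase` response shape; the sample data is constructed.
"""
import json

# Constructed sample: a trimmed `show-access-rulebase` response with one section.
SAMPLE_RULEBASE = json.loads("""
{
  "rulebase": [
    {"type": "access-rule", "name": "Admin access", "rule-number": 1,
     "action": {"name": "Accept"},
     "track": {"type": {"name": "Log"}, "accounting": false,
               "alert": {"name": "mail"}, "per-connection": true, "per-session": false}},
    {"type": "access-section", "name": "Outbound",
     "rulebase": [
       {"type": "access-rule", "name": "DNS out", "rule-number": 2,
        "action": {"name": "Accept"},
        "track": {"type": {"name": "None"}, "accounting": false,
                  "alert": {"name": "none"}, "per-connection": true, "per-session": false}},
       {"type": "access-rule", "name": "Web browsing", "rule-number": 3,
        "action": {"name": "Accept"},
        "track": {"type": {"name": "Extended Log"}, "accounting": true,
                  "alert": {"name": "none"}, "per-connection": false, "per-session": true}}
     ]},
    {"type": "access-rule", "name": "Cleanup", "rule-number": 4,
     "action": {"name": "Drop"},
     "track": {"type": {"name": "Log"}, "accounting": false,
               "alert": {"name": "none"}, "per-connection": true, "per-session": false}}
  ]
}
""")

# Track types that inspect more thoroughly and cost more on the gateway (per the page).
HEAVY_TRACK_TYPES = {"detailed log", "extended log"}


def iter_rules(rulebase):
    """Yield every access-rule, descending into access-section containers."""
    for item in rulebase.get("rulebase", []):
        if item.get("type") == "access-rule":
            yield item
        elif item.get("type") == "access-section":
            yield from iter_rules(item)


def audit_tracking(rulebase):
    """Classify rules by their Track settings.

    Returns a dict of rule-name lists:
      untracked_accepts - Accept rules with Track = None (traffic allowed with no log)
      heavy_log_rules   - rules using Detailed Log or Extended Log
      accounting_rules  - rules updating byte counts every 10 minutes
      alerting_rules    - rules whose Alert option is not "none"
    """
    result = {"untracked_accepts": [], "heavy_log_rules": [],
              "accounting_rules": [], "alerting_rules": []}
    for rule in iter_rules(rulebase):
        track = rule.get("track", {})
        track_type = track.get("type", {}).get("name", "None").lower()
        action = rule.get("action", {}).get("name", "").lower()
        if track_type == "none" and action == "accept":
            result["untracked_accepts"].append(rule["name"])
        if track_type in HEAVY_TRACK_TYPES:
            result["heavy_log_rules"].append(rule["name"])
        if track.get("accounting"):
            result["accounting_rules"].append(rule["name"])
        if track.get("alert", {}).get("name", "none").lower() != "none":
            result["alerting_rules"].append(rule["name"])
    return result


def track_payload(option, accounting=False, alert="none"):
    """Build the `track` object for a `set-access-rule` call from the GUI option name.

    Assumed API values: type in {none, log, detailed log, extended log};
    alert in {none, alert, snmp, mail, user alert 1..3}.
    """
    option = option.strip().lower()
    if option not in {"none", "log", "detailed log", "extended log"}:
        raise ValueError(f"unknown tracking option: {option}")
    if alert not in {"none", "alert", "snmp", "mail",
                     "user alert 1", "user alert 2", "user alert 3"}:
        raise ValueError(f"unknown alert option: {alert}")
    return {"type": option, "accounting": bool(accounting), "alert": alert}


if __name__ == "__main__":
    findings = audit_tracking(SAMPLE_RULEBASE)
    for category, names in findings.items():
        print(f"{category}: {', '.join(names) or '-'}")
    print(json.dumps(track_payload("Extended Log", accounting=True), indent=2))
```

Run against a real export (`mgmt_cli show access-rulebase name "Network" details-level full --format json`), the `untracked_accepts` list is the one to review first: an Accept rule with Track = None allows traffic that never appears in the Logs view, so it cannot be investigated or reported on later. The `heavy_log_rules` and `accounting_rules` lists show where the extra disk and gateway cost described above is being spent.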