There could be a number of reasons for Check Point not to log connections. Some only occur when there are problems, and some are built-in.
Built-in:

1. There are a number of built-in parameters that would cause Check Point to NOT log. The most basic of these is that Check Point logs the connection "request" only, not responses (unless there are problems with the responses).
2. The next reason is if you've instructed the gateway (via "Logs and Masters") to stop logging when the disk space is below a certain size.
3. Certain types of packet errors are not logged, like IP Options set in the packets which the kernel does not support. You can see these tracking options in "Global Properties -> Log and Alert".
4. Finally, there is a built-in protection against logging overload called "Excessive log grace period" which prevents logging of "duplicate" packet requests if they are seen by the gateway within 62 seconds of each other. This is why you don't see retries from hosts that have timed-out connections, or why ping packets only show 1 entry in the logs instead of a separate entry for each packet. This option is available via Global Properties -> Log and Alert -> Time Settings.

Then there are some things which could prevent logging when certain environmental errors occur, such as:

1. Disk space fills up.
2. Connections are occurring too fast for the logging mechanism to keep up with. You will see messages on the console along the lines of "Log message buffer queue full" when this occurs. Often a virus or worm outbreak can result in this happening, as the connections are occurring faster than the logging mechanism can write to disk. In those cases, some logs will be lost.
3. Connection to the management server breaks, either due to networking problems, SIC issues, or daemon issues (services stopped on the management). In those cases the gateway "should" log locally.
4. Management database not updated with logging host information.
If you have just prepared a new gateway object and need to install a policy, sometimes you also need to perform a database install on the management station via "Policy -> Install Database". That should update the management station with the new gateway information and allow the log unification engine to identify the logging source.

In general, if you want to see the actual packets and not rely on the logging mechanism, you can always use the debug commands. The most useful one to use to see dropped packets is "fw ctl zdebug drop", which creates a small memory buffer and shows you packets being dropped by the kernel in real time. This is by far the most common method for seeing "actual" dropped packets instead of relying on the logging mechanism.

Cheers
Matthew

-----Original Message-----
From: Mailing list for discussion of Firewall-1 [mailto:[email protected]] On Behalf Of a bv
Sent: 15 August 2011 09:09 AM
To: [email protected]
Subject: [FW-1] When does Checkpoint doesnt log?

Hi,

Thinking of up-to-date gateways (R7x), is there any time when the Check Point gateway doesn't log (both access/security and audit logs)? I accept that the situation is you select logging on all the security rules. Is there something like "only a SYN packet reaches it, so it doesn't log", or anything like that? Are there any built-in and buggy misses for logs?

Regards

Scanned by Check Point Total Security Gateway.

=================================================
To set vacation, Out-Of-Office, or away messages, send an email to [email protected]
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list, please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your subscription options, email [email protected]
=================================================
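The "Excessive log grace period" behaviour Matthew describes above (one log entry for a stream of pings, no entries for SYN retries inside the window) can be seen in a small simulation. This is an added example, not Check Point code and not part of the thread; the gateway's real matching rule is not documented here, so the script assumes a duplicate is a request with the same source, destination, protocol and destination port as an entry logged less than 62 seconds earlier, and all the traffic it processes is constructed.

```python
"""Simulation of the "Excessive log grace period" suppression described in
the thread above.

This is an added illustration, not Check Point code, and the exact matching
logic inside the gateway is not documented here.  Assumption: a repeat
connection request is treated as a duplicate when it has the same source,
destination, protocol and destination port as an entry already logged less
than GRACE_PERIOD seconds earlier.  All traffic below is constructed."""

from dataclasses import dataclass

GRACE_PERIOD = 62  # seconds, the value quoted in the thread


@dataclass(frozen=True)
class Request:
    ts: float       # seconds since start of the capture
    src: str
    dst: str
    proto: str      # "icmp", "tcp", "udp"
    dport: int      # 0 for ICMP

    def key(self):
        """Fields assumed to identify a 'duplicate' request."""
        return (self.src, self.dst, self.proto, self.dport)


def suppress_duplicates(requests, grace=GRACE_PERIOD):
    """Return (logged_requests, suppressed_count).

    A request is written to the log unless a request with the same key was
    logged less than `grace` seconds before it.  The timer is anchored on the
    last *logged* entry, not the last seen packet, so a steady stream of
    packets yields one entry per grace window rather than none at all.
    """
    last_logged = {}
    logged = []
    suppressed = 0
    for req in sorted(requests, key=lambda r: r.ts):
        prev = last_logged.get(req.key())
        if prev is not None and req.ts - prev < grace:
            suppressed += 1
            continue
        last_logged[req.key()] = req.ts
        logged.append(req)
    return logged, suppressed


def sample_traffic():
    """Constructed traffic mirroring the two cases in the thread."""
    traffic = []
    # Case 1: ten echo requests, one per second -> one log entry expected.
    traffic += [Request(t, "10.0.0.5", "10.0.0.1", "icmp", 0) for t in range(10)]
    # Case 2: a SYN to a silent host, retransmitted with exponential backoff
    # for ~30 s -> one log entry, no separate entries for the retries.
    traffic += [Request(t, "10.0.0.5", "10.0.0.2", "tcp", 443) for t in (0, 1, 3, 7, 15, 31)]
    # Unrelated connection from the same host: different key, logged.
    traffic.append(Request(5, "10.0.0.5", "10.0.0.2", "tcp", 22))
    # Same ping target from a different host: different key, logged.
    traffic.append(Request(2, "10.0.0.6", "10.0.0.1", "icmp", 0))
    # The first host pings again after the grace window has expired: logged.
    traffic.append(Request(100, "10.0.0.5", "10.0.0.1", "icmp", 0))
    return traffic


def main():
    logged, suppressed = suppress_duplicates(sample_traffic())
    print(f"{len(logged)} entries written, {suppressed} duplicates suppressed")
    for r in logged:
        print(f"  t={r.ts:>5}  {r.src} -> {r.dst} {r.proto}/{r.dport}")
    # With the grace period disabled every packet becomes an entry.
    logged_all, _ = suppress_duplicates(sample_traffic(), grace=0)
    print(f"grace=0: {len(logged_all)} entries")


if __name__ == "__main__":
    main()
```

Running it shows 19 requests collapsing to 5 log entries (14 suppressed); setting `grace=0` in the call logs all 19. The practical point when troubleshooting is the one Matthew makes: a missing entry for a retry or a repeated ping is expected suppression, so confirm what the kernel is actually dropping with "fw ctl zdebug drop" rather than inferring it from the log.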
