CPUG

The Check Point User Group

A Resource For The Check Point Community.  Fast.  Useful.  Independent.

BarryStiefel (Administrator), 2005-08-13

How to log Web and FTP files downloaded



The security servers were designed to do this sort of thing. In order to use them, you will need to make sure they are on. Look in $FWDIR/conf/fwauthd.conf. You should see lines like the following:

    80 in.ahttpd wait 0
    21 in.aftpd wait 0

These are the two lines for HTTP and FTP respectively. If they are missing or commented out, you can either add/uncomment them manually or run fwconfig. In either case, you should restart the firewall (fwstop; fwstart) after doing so.



The idea here is to create a resource that matches "everything" and then funnel all web and ftp traffic through those resources. To create a resource that matches all FTP downloads, create a new FTP resource called "ftpmatchall". Set the exception track to Log, set the path to "*" and check GET (to track uploads too, also check PUT).

To create a resource that matches all HTTP URLs, create a new URI resource called "httpmatchall". Set the exception track to Log and set the URI Match Spec to Wildcard (if NG, also specify "Optimize URL Logging"). Match all schemes and all methods, and put "*" in the host, path, and query fields.

Now that you've created both the resources, add this rule to your rulebase:

    Source          Destination  Service             Action  Track
    Internal-hosts  Any          ftp->ftpmatchall    Accept  Long
                                 http->httpmatchall

When you add the services "HTTP" and "FTP", you will need to add them with resource to add in the httpmatchall and ftpmatchall resources that were created.

Install your security policy and install the user database. In some cases, it may be necessary to bounce the firewall (fwstop; fwstart). The URLs will appear in the info field of the log viewer.

Note that in FireWall-1 4.1 SP2 and above, you can do URL logging without using the HTTP Security Server. See the release notes for details. In NG, this can be done more efficiently by checking the "Optimize URL Logging" box in the resource.

-- PhoneBoy - 30 Dec 2003
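
The first step in the post (confirming that the HTTP and FTP security server lines in $FWDIR/conf/fwauthd.conf are present and not commented out) can be scripted. The following is an added example, not part of the original post or of Check Point's tooling; the function names are hypothetical, the sample file is constructed, and it assumes that `#` marks a commented-out line.

```shell
#!/bin/sh
# Added example (not from the post). Assumes '#' marks a comment and that
# fields are whitespace-separated, as in the two lines the post quotes.

# server_state FILE PORT DAEMON -> prints enabled | commented | missing
server_state() {
    awk -v port="$2" -v daemon="$3" '
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            commented = (line ~ /^#/)
            sub(/^#+[ \t]*/, "", line)
            n = split(line, f, /[ \t]+/)
            if (f[1] != port) next
            for (i = 2; i <= n; i++)
                if (f[i] == daemon) {
                    if (commented) seen_commented = 1
                    else seen_active = 1
                }
        }
        END {
            if (seen_active) print "enabled"
            else if (seen_commented) print "commented"
            else print "missing"
        }' "$1"
}

# check_fwauthd FILE -> one status line per server; returns 0 only if both are enabled
check_fwauthd() {
    conf=$1 rc=0
    [ -r "$conf" ] || { echo "cannot read $conf" >&2; return 2; }
    for entry in 80:in.ahttpd 21:in.aftpd; do
        port=${entry%%:*} daemon=${entry#*:}
        state=$(server_state "$conf" "$port" "$daemon")
        echo "$port $daemon: $state"
        [ "$state" = enabled ] || rc=1
    done
    return $rc
}

# Constructed sample: HTTP enabled, FTP commented out.
sample=$(mktemp)
printf '%s\n' '80 in.ahttpd wait 0' '# 21 in.aftpd wait 0' > "$sample"
check_fwauthd "$sample" || echo "add/uncomment the line, then fwstop; fwstart"
rm -f "$sample"
```

On a firewall, run `check_fwauthd "$FWDIR/conf/fwauthd.conf"` before building the resources and rule; a non-zero exit means at least one security server is not enabled.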
