no destination value, but http packet accepted

[mattob]

Newbie asks

I found entries in my log where packets have been accepted, however there is no destination ip, only source ip. there is also no rule number for those entries. I dunno how is this possible at all.

Can somebody help please?!

mat

[RayPesek]

Do you have Floodgate logging enabled?

Ray

[mattob]

Nope, we are not using it.

I also thought that I deleted an object, which would leave an empty destination in a NAT rule, but thats not the case.

Heeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeelp!!?! ?!

[RayPesek]

How's about posting one of the entries?

Ray

[mattob]

This is an example:

No. Date Time Inter. Origin Type Action Service Source Destination Product
--------------------------------------------------------------------------
"8252" "31Jan2007" " 5:12:26" "daemon" "ix-fw1" "log" "accept" "http" "202.108.11.106" "" "firewall"

As you can see, destination is missing.

[Joncon]

Click "Show or Hide query properties" in the top left hand corner of the tracker records. Is the field for destination checked to show?

[MarioL]

Let me guess, you are using an old firewall version and set the log to "short"?

[mattob]

Kind of.

We are using FW 4.1. I know, but please don't post things like: upgrade would help. It is unfortunately not up to me.

We don't log any http requests, and even if we would log them with attribute short, it would display destination.

One of our network guys reckons, it is something checkpoint internal, since it gets accepted, but it doesn't say with which rule does it get accepted. What do you guys think?

I attached a screenshot. It might help you guys to help me, hopefully.

Cheers

Matt

[MarioL]

Thanks for posting an image.

Since you didn't post the Info field, I'm going to assume it's empty, if not, please post. Also I'm going to assume those source addresses are External (Internet).

The thing I notice is that Interface is "daemon", normally this should show one of the firewall's interfaces... so the logs are being generated by a security server or something.

I'd check all the rules, make sure there is none allowing http or using resources, also change any possible log "short" to "long". I'd also review the "Policy->Global Properties".

Sorry I can't be any more detailed...

[mattob]

Mate, your assumption is correct, info field is empty, furthermore all IPs are external

I am not quite sure what do you mean by half of the things you posted (reminder: I am a newbie to CPFW) but I'll try:

logs being generated by Security Server?! All I know is that all three components of our firewall are on one machine. (This was/is not my decision)

What do you mean by using resources? I checked all objects, services, etc. It seems to be ok.

We are allowing only one http connection to our Web server, but that one is being logged properly.

I'll definitely change short to long and see what happens.

Thanx.

Matt

[mattob]

Changing the log format to long resolved the issue!!

Cheers

Matt