CPUG: The Check Point User Group

Resources for the Check Point Community, by the Check Point Community.


Tim Hall has done it again! He has just released the 2nd edition of "Max Power".
Rather than get into details here, I urge you to check out this announcement post.
It's a massive upgrade, and well worth checking out. -E

 

Results 1 to 4 of 4

Thread: In the logs once the traffic accepted and then detected

  1. 2018-06-27 #1
    Sneha
    Sneha is offline Junior Member
    Join Date
    2017-07-17
    Posts
    23
    Rep Power
    0

    Default In the logs once the traffic accepted and then detected

    In the logs from the source to destination once the traffic is accepted and then detected ? and user is getting drops when detect? in detect mode the traffic shouldn't be dropped right?

    Here is the attachemt:-

    Click image for larger version.  Name: accept-detect.jpg  Views: 80  Size: 35.0 KB  ID: 1397
    Reply With Quote Reply With Quote
  2. 2018-06-28 #2
    Bob_Zimmerman
    Bob_Zimmerman is offline Senior Member
    Join Date
    2007-03-30
    Location
    DFW, TX
    Posts
    250
    Rep Power
    12

    Default Re: In the logs once the traffic accepted and then detected

    Generally, traffic is processed by the firewall rules first, then by threat prevention (IPS, antivirus, and so on). These can generate separate logs. The firewall actions include accept, drop, and reject. The threat prevention actions include allow, detect, and deny.

    Even if something is accepted by the firewall rules, threat prevention can drop it later. If something is dropped by the firewall rules, it never hits threat prevention.
    Zimmie
    Reply With Quote Reply With Quote
  3. 2018-06-29 #3
    Sneha
    Sneha is offline Junior Member
    Join Date
    2017-07-17
    Posts
    23
    Rep Power
    0

    Default Re: In the logs once the traffic accepted and then detected

    The log is detected by the Firewall blade - and Message information says detected due to Address spoofing.Click image for larger version.  Name: detection log.PNG  Views: 27  Size: 27.4 KB  ID: 1399
    Reply With Quote Reply With Quote
  4. 2018-07-02 #4
    Bob_Zimmerman
    Bob_Zimmerman is offline Senior Member
    Join Date
    2007-03-30
    Location
    DFW, TX
    Posts
    250
    Rep Power
    12

    Default Re: In the logs once the traffic accepted and then detected

    Quote Originally Posted by Sneha View Post
    The log is detected by the Firewall blade - and Message information says detected due to Address spoofing.Click image for larger version.  Name: detection log.PNG  Views: 27  Size: 27.4 KB  ID: 1399
    Address spoofing drops are always caused by either misconfiguration of your antispoofing topology or routing problems. It sounds like the gateway your firewall sends this packet to is sending it right back to the firewall.
    Zimmie
    Reply With Quote Reply With Quote
« Previous Thread | Next Thread »

Similar Threads

  1. Logs not showing orginal source of HTTP traffic with websense
    By k3y3n1n in forum SmartView Tracker
    Replies: 1
    Last Post: 2013-04-05, 03:20
  2. Abra: connection is not accepted by rulebase
    By Jamin79 in forum GO (The Product Formerly Known As Abra)
    Replies: 1
    Last Post: 2010-12-07, 16:36
  3. Checkpoint Traffic Logs
    By dazzler in forum Security Management Server (Formerly SmartCenter Server ((Formerly Management Server))
    Replies: 9
    Last Post: 2010-11-05, 07:28
  4. SMTP reject immediately after being accepted
    By bluescreen in forum Miscellaneous
    Replies: 1
    Last Post: 2009-06-16, 20:47
  5. no destination value, but http packet accepted
    By mattob in forum Miscellaneous
    Replies: 10
    Last Post: 2007-02-14, 20:56

Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  

Forum Rules