CPUG: The Check Point User Group

Resources for the Check Point Community, by the Check Point Community.



Thread: In the logs once the traffic accepted and then detected

  1. #1
    Join Date
    2017-07-17
    Posts
    23
    Rep Power
    0

    In the logs once the traffic accepted and then detected

    In the logs, from the source to the destination, the traffic is once accepted and then detected? And the user is getting drops when it is detected? In detect mode the traffic shouldn't be dropped, right?

    Here is the attachment:

    [Image: accept-detect.jpg]

  2. #2
    Join Date
    2007-03-30
    Location
    DFW, TX
    Posts
    223
    Rep Power
    12

    Re: In the logs once the traffic accepted and then detected

    Generally, traffic is processed by the firewall rules first, then by threat prevention (IPS, antivirus, and so on). These can generate separate logs. The firewall actions include accept, drop, and reject. The threat prevention actions include allow, detect, and deny.

    Even if something is accepted by the firewall rules, threat prevention can drop it later. If something is dropped by the firewall rules, it never hits threat prevention.
    Zimmie

  3. #3
    Join Date
    2017-07-17
    Posts
    23
    Rep Power
    0

    Re: In the logs once the traffic accepted and then detected

    The log is detected by the Firewall blade, and the Message information says detected due to Address spoofing.

    [Image: detection log.PNG]

  4. #4
    Join Date
    2007-03-30
    Location
    DFW, TX
    Posts
    223
    Rep Power
    12

    Re: In the logs once the traffic accepted and then detected

    Quote: Originally posted by Sneha
    The log is detected by the Firewall blade, and the Message information says detected due to Address spoofing.

    Address spoofing drops are always caused by either misconfiguration of your antispoofing topology or routing problems. It sounds like the gateway your firewall sends this packet to is sending it right back to the firewall.
    Zimmie
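
As an added illustration (not part of the thread and not Check Point's code), this simplified Python model of per-interface anti-spoofing shows how a packet that the next-hop gateway sends straight back to the firewall produces an accept log followed by an address-spoofing detect. The interface names, networks, addresses and function names are constructed assumptions.

```python
import ipaddress

# Constructed topology (assumption): networks expected behind each interface.
TOPOLOGY = {
    "eth1": [ipaddress.ip_network("10.1.1.0/24")],  # internal LAN
}
EXTERNAL = "eth0"  # external side: any source not behind another interface


def is_spoofed(in_iface, src):
    """True when src is not a valid source for the interface it arrived on."""
    addr = ipaddress.ip_address(src)
    if in_iface == EXTERNAL:
        # An address that lives behind an internal interface must never
        # show up as a source on the external interface.
        return any(addr in net
                   for iface, nets in TOPOLOGY.items() if iface != in_iface
                   for net in nets)
    return not any(addr in net for net in TOPOLOGY.get(in_iface, []))


def inspect(in_iface, src, mode):
    """Return (log_action, forwarded) for one arrival of the packet."""
    if is_spoofed(in_iface, src):
        # Detect logs the packet and lets it through; prevent drops it.
        return ("drop", False) if mode == "prevent" else ("detect", True)
    return ("accept", True)  # assumption: the rulebase accepts this flow


def trace(src, arrivals, mode="detect"):
    """Log every arrival of the same packet, in order, until it is dropped."""
    logs = []
    for iface in arrivals:
        action, forwarded = inspect(iface, src, mode)
        logs.append((iface, action))
        if not forwarded:
            break
    return logs


# Constructed case: host 10.1.1.50 sends a packet that arrives on eth1, is
# routed out eth0, and the upstream gateway hands it back to the firewall
# on eth0 with the source address unchanged.
BOUNCED = ["eth1", "eth0"]

if __name__ == "__main__":
    for mode in ("detect", "prevent"):
        print(mode, trace("10.1.1.50", BOUNCED, mode))
```
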
