How do I enable the 'res=' field in Check Point Firewall-1 log files?

This article applies to:

• Security Reporting Center 2.X
• Firewall Suite 4.X

Question:

Procedure:

For Check Point Firewall-1 4.0 and earlier

In Firewall-1 4.0, most protocols are handled by the Stateful Inspection (SI) engine. This engine operates as a kernel module, and inspects everything at the packet level. It does look at data in packets, but does not do reassembly of information. When HTTP is handled via SI, Firewall-1 does not look into the stream to find the URL. In this case, the res= field will not be there.

When you use an HTTP resource (URL Filtering, CVP Virus Scanning) the HTTP session is sent to the security server (a process running on the Firewall-1 machine) which reassembles the data stream for data processing. In this case, the URL is seen by the firewall, and is logged in the res= field. To enable URL logging, define an HTTP resource that performs an action such as ActiveX filtering. Enable this action in the policy, and you should see the URLs logged.

For Check Point Firewall-1 4.1

1. Ensure that Firewall-1 is running.

2. Decide which of the following log methods to use:
• URL_NO_LOG: TCP Streaming will be performed for additional security, but no URL logging is performed.
• URL_LOG_ALL: TCP Streaming is performed, and all the URLs in a connection will be logged.
• URL_LOG_FIRST: Only the first URL (usually the web page) will be logged. After logging, the streaming for the connection is stopped. This method is useful since in most cases the rest of the GET requests are for images (GIFs, JPEGs, etc.).
• URL_LOG_FIRST_SECURE: URL logging behavior is the same as LOG_FIRST, but TCP Streaming is performed for the entire connection. This method provides additional security; since the streaming is performed for the entire connection, certain scenarios (such as a transmission containing a legal URL followed by a retransmission containing an illegal URL) are detected and rejected.
  
3. Add the appropriate new service. In the policy editor, define a new service of type Other with the following in the match field:

   URL_LOG_SVC (rule_no, port, log_method)

   where:

   • rule_no - the rule number that this service is used in. This number does not affect security, but is only the number used for entries in the firewall log.
   • port - the HTTP port used (usually 80)
   • log_method - one of: URL_NO_LOG, URLOG_LOG_ALL, URLOG_LOG_FIRST, URLOG_LOG_FIRST_SECURE.

4. If the active streaming mode is needed, append "| URLOG_USE_ACTIVE_STREAMING" (without the quotes) to the log_method.

5. If the rule is used with authentication, URL_LOG_AUTH_SVC should be used instead of URL_LOG_SVC.

   Examples:

   • URL_LOG_SVC (2, 80, URLOG_LOG_FIRST_SECURE)
   • URL_LOG_SVC (3, 80, URLOG_LOG_FIRST | URLOG_USE_ACTIVE_STREAMING)
   • URL_LOG_AUTH_SVC(10, 80, URLOG_LOG_ALL)

6. Make a new rule in the policy editor which uses the new service. No other services or resources may be listed in that rule.

7. Select "Long" logging for that rule if full URL logging is desired.

8. Install the policy.

Notes:

If you are still having difficult with this implementation please consult your firewall documentation or seek technical support from Check Point.

This article was previously published as:

NETIQKB1107