Description of Fields in Check Point Logs
Solution

Introduction

The Check Point Infinity solution includes many log fields, reflecting the diversity of Check Point's products. This mapping of log fields helps you understand security threats and the language of the logs, so that you can write more precise queries and integrate the logs into your SIEM.

Two types of logs are available:

  • Security Logs - Generated by a Security Gateway, Harmony Endpoint, or Harmony Mobile.
  • Audit Logs - Generated by a Management Server.


Working with the tables below

Each table entry contains:

Field Name Field Display Name Type Description Supported Version
Blade Display Name (Blade Name) - Product Name

Column - Description

Field Name - Field name as it appears in the raw log (if the field appears in a table, the table's name appears in parentheses)
Field Display Name - Field name as it appears in SmartConsole
Description - Field information
Type - One of these:
    int - Stores an integer
    ipaddr - IP address
    guid - Global Unique Identifier
    luuid - Log Unification Unique ID
    string - Sequence of alphanumeric text or other symbols
Blade Name - Name of the blade as it appears in the raw log
Blade Display Name - Name of the blade as it appears in SmartConsole


Best practices for field mapping usage (SIEM integration)

If you use a SIEM platform and want to integrate Check Point logs into it, use the Log Exporter tool.
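As an added example (not part of this article and not the Log Exporter's own code), the following Python normalizer shows how a SIEM ingestion step can use the field dictionary below: it parses constructed key=value records, types the ipaddr and int fields, maps the enumerated codes of severity, confidence_level, product_family and app_risk to their labels, and applies the Content Awareness caveat that file_size is valid only when invalid_file_size is 0. The key=value record syntax and the sample records are assumptions made for this example.

```python
"""Normalize constructed Check Point-style log records for SIEM ingestion.

The enumerated code tables are taken from the field dictionary in this
article; the key=value record syntax is an assumption made for this example
and is not a Check Point export format.
"""
import ipaddress
import re
from typing import Any

# Enumerations from the Security Logs table of the article.
SEVERITY = {0: "Informational", 1: "Low", 2: "Medium", 3: "High", 4: "Critical"}
CONFIDENCE_LEVEL = {0: "N/A", 1: "Low", 2: "Medium-Low", 3: "Medium",
                    4: "Medium-High", 5: "High"}
PRODUCT_FAMILY = {0: "Network", 1: "Endpoint", 2: "Access", 3: "Threat", 4: "Mobile"}
APP_RISK = {0: "Unknown", 1: "Very Low", 2: "Low", 3: "Medium", 4: "High", 5: "Critical"}

ENUMS = {"severity": SEVERITY, "confidence_level": CONFIDENCE_LEVEL,
         "product_family": PRODUCT_FAMILY, "app_risk": APP_RISK}

# Fields the dictionary types as ipaddr; unparsable values are flagged, not dropped.
IP_FIELDS = {"src", "dst", "src_ip", "dst_ip", "origin_ip", "proxy_src_ip",
             "xlatesrc", "xlatedst", "broker_publisher"}

# Fields the dictionary types as int (service is int/string, so it is left alone).
INT_FIELDS = {"bytes", "sent_bytes", "received_bytes", "event_count", "rule",
              "proto", "s_port", "src_port", "packets", "file_size",
              "invalid_file_size", "suppressed_logs", "log_delay"}

# Assumed record syntax: key=value pairs, values optionally double-quoted.
_PAIR = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S*)')


def parse_record(line: str) -> dict[str, str]:
    """Split one key=value record into raw string fields (constructed syntax)."""
    fields = {}
    for key, value in _PAIR.findall(line):
        if len(value) >= 2 and value.startswith('"') and value.endswith('"'):
            value = value[1:-1].replace('\\"', '"')
        fields[key] = value
    return fields


def decode_enum(name: str, value: str) -> str:
    """Map an enumerated field to its label.

    severity is typed int/string in the dictionary, so a record may already
    carry the label; accept either form and reject unknown values explicitly.
    """
    table = ENUMS[name]
    if value.isdigit() and int(value) in table:
        return table[int(value)]
    labels = {label.lower(): label for label in table.values()}
    if value.lower() in labels:
        return labels[value.lower()]
    raise ValueError(f"{name}: unknown value {value!r}")


def normalize(line: str) -> dict[str, Any]:
    """Type and label one record; problems are collected under 'warnings'."""
    out: dict[str, Any] = {}
    warnings: list[str] = []
    for key, value in parse_record(line).items():
        if key in ENUMS:
            try:
                out[key] = decode_enum(key, value)
            except ValueError as exc:
                warnings.append(str(exc))
                out[key] = value
        elif key in IP_FIELDS:
            try:
                out[key] = str(ipaddress.ip_address(value))
            except ValueError:
                warnings.append(f"{key}: not an IP address {value!r}")
                out[key] = value
        elif key in INT_FIELDS:
            try:
                out[key] = int(value)
            except ValueError:
                warnings.append(f"{key}: not an integer {value!r}")
                out[key] = value
        else:
            out[key] = value
    # Content Awareness caveat: file_size is valid only if invalid_file_size is 0.
    if "file_size" in out and out.get("invalid_file_size", 0) != 0:
        warnings.append("file_size ignored: invalid_file_size is set")
        del out["file_size"]
    if warnings:
        out["warnings"] = warnings
    return out


# Constructed sample records for this example (not captured Check Point output).
SAMPLE_RECORDS = [
    'time="2024-01-01 10:00:00" product="Anti-Bot" product_family=3 severity=3 '
    'confidence_level=4 src=10.0.0.5 dst=203.0.113.7 proto=6 s_port=51000 '
    'malware_action="Communication with C&C site" rule_action=Prevent',
    'time="2024-01-01 10:00:01" product="Content Awareness" severity=Low '
    'src=10.0.0.9 dst=198.51.100.2 file_size=12345 invalid_file_size=1 '
    'file_direction=upload app_risk=9',
]


def normalize_all(lines=SAMPLE_RECORDS) -> list[dict[str, Any]]:
    """Normalize a batch of records; used by the stand-alone run below."""
    return [normalize(line) for line in lines]


if __name__ == "__main__":
    for record in normalize_all():
        print(record)
```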


Disclaimer - The following fields are used only for Check Point internal purposes and therefore do not appear in the tables below:

  • flags
  • ifdir
  • ifname
  • __policy_id_tag
  • version
  • rounded_bytes
  • __interface
  • mgmt
  • db_tag
  • update_service


Security Logs


Field Name Field Display Name Type Description Supported Version
Common Fields
Primary Category string Application category  
bytes Total Bytes int Number of bytes received during a connection  
confidence_level Confidence Level int Confidence level determined by ThreatCloud
Possible values:
0 - N/A
1 - Low
2 - Medium-Low
3 - Medium
4 - Medium-High
5 - High
 
calc_desc Description string Log description  
dst Destination ipaddr Destination IP address  
dst_country Destination Country string Destination country  
dst_ip N/A ipaddr Destination IP address  
dst_user_name Destination User Name string Connected username for the destination IP  
email_id Email ID string Email number in SMTP connection  
email_subject Email Subject string Original email subject  
email_session_id Email Session ID string Connection UUID  
event_count Event Count int Number of events associated with the log  
failure_impact Failure Impact string The impact of update service failure  
file_id File Id int Unique file identifier  
file_type File Type string Classified file type  
file_name File Name string Malicious file name / Matched file name  
file_size File Size int Attachment file size / Matched file size  
file_md5 File MD5 string File MD5 checksum  
file_sha1 File SHA1 string File SHA1 checksum  
file_sha256 N/A string File SHA256 checksum  
from Sender string Source mail address  
to Recipient string Source mail recipient  
id N/A int Override application ID  
information Information string Status of policy installation for a specific Software Blade (used only for Anti-Bot and Anti-Virus)  
interface_name Interface string The name of the Security Gateway interface, through which a connection passes  
interfacedir Direction string Connection direction  
layer_name (match table, TP match table) Layer Name string Layer name  
layer_uuid (match table, TP match table) N/A string Layer UUID  
log_id Log ID int Unique identity for logs; includes: Type, Family, Product/Blade, Category  
loguid N/A luuid UUID of unified logs  
malware_action Malware Action string Description of detected malware activity  
malware_family Malware Family string Additional information on protection  
malware_rule_id (TP match table) Threat Prevention Rule ID string Threat Prevention rule ID  
malware_rule_name (TP match table) Threat Prevention Rule Name string Threat Prevention rule name  
matched_category (match table) Matched Category string Name of the matched category  
origin Orig string Name of the first Security Gateway that reported this event  
origin_ip N/A ipaddr IP address of the Security Gateway that generated this log  
origin_sic_name N/A string SIC name  
policy_mgmt Policy Management string Name of the Management Server that manages this Security Gateway  
policy_name Policy Name string Name of the last policy that this Security Gateway fetched  
product Blade string Product name  
product_family Product Family int The product family the blade/product belongs to
Possible values:
0 - Network
1 - Endpoint
2 - Access
3 - Threat
4 - Mobile
 
protection_id Protection ID string Protection malware ID  
protection_name Protection Name string Specific signature name of the attack  
protection_type Protection Type string Type of protection used to detect the attack  
proto IP Protocol int Protocol  
protocol Protocol string Protocol detected on the connection  
proxy_src_ip Proxied Source IP ipaddr Sender source IP (even when using proxy)  
reason Reason string Information on the error occurred  
received_bytes Received Bytes int Number of bytes received during connection  
resource Resource string Resource from the HTTP request  
rule (match table) Rule int Matched rule number  
rule_action Action string Action of the matched rule in the access policy  
rule_name (match table) Access Rule Name string Access rule name  
rule_uid (match table) Policy Rule UID string Rule ID in the Access Control policy to which the connection was matched  
scan_direction File-Direction string Scan direction
Possible options:
1) External/DMZ/Internal to External/DMZ/Internal
2) To/From this Security Gateway
 
sent_bytes Sent Bytes int Number of bytes sent during the connection  
session_id Session Identification luuid Log UID  
sequencenum Sequencenum int Number added to order logs with the same Linux timestamp and origin (Security Gateway that generated these logs)  
service/fservice Destination Port int/string Connection (service) destination port  
service_id Service ID string Service found for the connection (by the destination port)  
severity Severity int/string Threat severity determined by ThreatCloud
Possible values:
0 - Informational
1 - Low
2 - Medium
3 - High
4 - Critical
 
source_os Source OS string OS of the computer that generated the attack  
src Source ipaddr Client source IP address  
src_ip Source IP ipaddr Source IP  
src_country Source Country string Country name, derived from connection source IP address  
src_user_name Source User Name string Username connected to the source IP  
s_port Source Port int Source host port number  
src_port N/A int Source host port number  
ticket_id Ticket ID string Unique ID per file  
time Time string The timestamp when the log was created  
tls_server_host_name TLS Server Host Name string SNI/CN from the encrypted TLS connection used by URL Filtering for categorization R80.40
type Type string Log type  
verdict Verdict string Threat Emulation engine verdict
Possible values:
Malicious
Benign
Error
 
user User string Source username  
vendor_list Vendor List string The vendor name that provided the verdict for a malicious URL  
web_client_type Client Type string Web client detected in the HTTP request (e.g: Chrome)  
web_server_type Server Type string Web server detected in the HTTP response  
Security Gateway - Firewall Fields
inzone Source Zone string Indicates whether the source zone is internal or external  
outzone Destination Zone string Indicates whether the destination zone is internal or external  
sub_policy_name N/A string Layer name  
sub_policy_uid N/A string Layer UID  
fw_message Firewall Message string Used for various firewall errors  
message Message string ISP link has failed  
isp_link ISP link string Name of ISP link  
fw_subproduct Subproduct string Can be VPN or non-VPN  
sctp_error N/A string Error information: what caused SCTP to fail with "out_of_state"  
chunk_type N/A string Chunk type of the SCTP stream  
sctp_association_state N/A string The bad state you were trying to update to  
tcp_packet_out_of_state TCP packet out of state string State violation  
tcp_flags TCP Flags string TCP packet flags (SYN, ACK, etc.,)  
connectivity_level Connectivity Level string Log for a new connection in wire mode  
ip_option IP Option int IP option that was dropped  
tcp_state N/A string Log with a TCP state change  
expire_time N/A timestamp Connection closing time  
icmp_type ICMP Type int In case a connection is ICMP, type info will be added to the log  
icmp_code ICMP Code int In case a connection is ICMP, ICMP code info will be added to the log  
rpc_prog RPC Program int Log for new RPC state - prog values  
dce-rpc_interface_uuid DCE-RPC Interface UUID uuid Log for new RPC state - UUID values  
start_time Start Time timestamp Session start time  
elapsed Elapsed time Time passed since start time  
packets Packets int Number of packets encountered in connection  
client_inbound_packets Client Inbound Packets int Number of packets, received by the client  
client_outbound_packets Client Outbound Packets int Number of packets, sent from the client  
server_inbound_packets Server Inbound Packets int Number of packets, received by the server  
server_outbound_packets Server Outbound Packets int Number of packets, sent from the server  
client_inbound_bytes Client Inbound Bytes int Number of bytes received by the client  
client_outbound_bytes Client Outbound Bytes int Number of bytes sent from the client  
server_inbound_bytes Server Inbound Bytes int Number of bytes received by the server  
server_outbound_bytes Server Outbound Bytes int Number of bytes sent from the server  
client_inbound_interface Client Inbound Interface string Gateway interface, where the connection is received from in case of an outbound connection  
client_outbound_interface Client Outbound Interface string Gateway interface, where the connection is sent from, in case of an inbound connection  
server_inbound_interface Server Inbound Interface string Gateway interface, where the connection is received from, in case of an inbound connection  
server_outbound_interface Server Outbound Interface string Gateway interface, where the connection is sent from, in case of an outbound connection  
icmp ICMP string ICMP message, will be added to the connection log  
capture_uuid Captured UUID luuid UUID generated for the capture. Used when packet capture is enabled for logging.  
diameter_app_name N/A string The name defined/pre-configured for the diameter application  
diameter_app_ID N/A int The ID of diameter application  
diameter_cmd_code N/A int Diameter not allowed application command id  
diameter_msg_type N/A string Diameter message type  
info Information string Rule information on the blocked diameter CMD  
cp_message N/A string Used to log a general message  
log_delay Log Delay int Time that elapsed from the event for which an Accept Template log was created.
When a new connection is created that matches an Accept Template, the Security Gateway generates a log indicating this.
To decrease the logging load, the Security Gateway aggregates all the logs that are related to a specific Accept Template until it reaches specific thresholds. Then, the Security Gateway sends the aggregated log. If the Security Gateway needs to expire a specific Accept Template, it immediately sends all the aggregated logs that are related to this Accept Template.
If there is only one such log, the Security Gateway sends a regular non-aggregated log and generates an additional log with the Log Delay time to show the time that elapsed from the event for which the Accept Template log was created.

 
Security Gateway - Anti-Spam Fields
email_spam_category Email Spam Category string Email categories
Possible values:
Spam
Not spam
Phishing
 
email_control Email Control string Engine name  
email_control_analysis Email Control Analysis string Message classification, received from spam vendor engine  
email_session_id Email Session ID string Internal session ID  
email_id Email ID string Internal email ID  
email_recipients_num Email Recipients Number int Number of recipients  
from From string Sender email address  
to Recipient string Recipient email address  
reason Reason string Description of log's reason  
Security Gateway - Anti-Virus Fields
scan_result Scan Result string "Infected", or description of a failure  
triggered_by N/A string Engine or Software Blade that triggered the log  
original_queue_id Original Queue ID string Original Postfix email queue ID  
risk N/A string Risk level received from the engine  
resource Resource string In case of a malicious URL, the resource field will include that URL  
email_recipients_num Email Recipients Number int Number of recipients  
observable_name N/A string IoC observable signature name  
observable_id N/A string IoC observable signature ID  
observable_comment N/A string IoC observable signature description  
indicator_name Indicator Name string IoC indicator name  
indicator_description N/A string IoC indicator description  
indicator_reference N/A string IoC indicator reference  
indicator_uuid N/A string IoC indicator UUID  
reason Reason string Description of the log's reason  
Security Gateway - Application Control & URL Filtering Fields
appi_name (match table) Application Name string Application name  
app_desc (match table) Application Description string Application description  
app_id (match table) Application ID int Application ID  
app_properties (match table) Additional Categories string Application categories  
app_risk (match table) Application Risk int Application risk
Possible values:
0 - Unknown
1 - Very Low
2 - Low
3 - Medium
4 - High
5 - Critical
 
app_rule_id Application Rule ID string Rule number  
app_rule_name Application Rule Name string Rule name  
app_sig_id (match table) Application Signature ID string The signature ID, by which the application was detected  
categories Categories string Matched categories  
certificate_resource Resource string HTTPS resource Possible values: SNI or domain name (DN) R80.40
certificate_validation Certificate Validation string Precise error, describing HTTPS certificate failure under "HTTPS categorize websites" feature R80.40
description Description string Additional explanation about the certificate validation failure R80.40
usercheck_incident_uid UserCheck ID string UserCheck incident ID  
resource Resource string HTTP connection resource  
browse_time Browse Time time Application session browse time  
limit_requested N/A int Indicates whether data limit was requested for the session  
limit_applied N/A int Indicates whether the session was actually data-limited  
dropped_outgoing N/A int Number of outgoing dropped packets  
dropped_incoming N/A int Number of incoming dropped packets  
dropped_total N/A int Number of dropped packets (both incoming and outgoing)  
suppressed_logs Suppressed Logs int Number of connections/HTTP sessions that were aggregated in this application session log  
match_id (match table) N/A int Mapping of matched rule to its matched application  
client_type_os N/A string Client OS detected in the HTTP request  
referrer N/A string The referrer header, if exists  
name N/A string Application name  
properties (match table) N/A string Application categories  
risk N/A int Application risk  
sig_id N/A string Application's signature ID, by which it was detected  
desc N/A string Override application description  
referrer_self_uid N/A guid UUID of the current log  
referrer_parent_uid N/A guid Log UUID of the referring application  
needs_browse_time N/A int Browse time required for the connection  
security_inzone N/A string Source security zone  
security_outzone N/A string Destination security zone  
url URL string Matched URL  
Security Gateway - Cluster Fields
cluster_info Cluster information string Cluster information
Possible options:
Failover reason
Cluster state changes
CP ClusterXL or 3rd party cluster
 
sync Synchronization string Sync status and the reason (stable, at risk)  
Security Gateway - Content Awareness Fields
file_direction File Direction string File direction
Possible options:
upload
download
 
invalid_file_size N/A int The "file_size" field is valid only if this field is set to 0  
top_archive_file_name Archive File string In case of archive file: the file that was sent/received  
data_type_name Data Type string Data type in rulebase that was matched  
specific_data_type_name N/A string Compound/Group scenario, data type that was matched  
word_list N/A string Words matched by data type  
Security Gateway - Data Loss Prevention (DLP) Fields
info Information string Special log message  
outgoing_url Outgoing URL string URL related to this log (for HTTP)  
dlp_rule_name DLP Rule Name string Matched rule name  
dlp_recipients DLP Recipients string Mail recipients  
dlp_subject Mail Subject string Mail subject  
dlp_word_list DLP Words List string Phrases matched by data type  
dlp_template_score DLP Template Score string Template data type match score  
message_size Message Size int Mail/post size  
dlp_rule_name DLP Rule Name string Matched rule name  
dlp_rule_uid DLP Rule UID string Unique ID of the matched rule  
dlp_incident_uid DLP Incident UID guid Unique incident ID  
dlp_related_incident_uid Related Incidents guid Other ID related to this one  
dlp_data_type_name DLP Data Type Name string Matched data type  
dlp_data_type_uid Data Type UID string Unique ID of the matched data type  
outgoing_url Outgoing URL string HTTP post URL  
dlp_file_name Scanned Data Fragment string Matched file  
dlp_violation_description Message to User string Violation descriptions described in the rulebase  
dlp_relevant_data_types N/A string In case of Compound/Group: the inner data types that were matched  
dlp_action_reason DLP Action Reason string Action chosen reason  
dlp_categories DLP Categories string Data type category  
dlp_transint DLP Transint string HTTP/SMTP/FTP  
duplicate Duplicate string Log marked as duplicated, when mail is split, and the Security Gateway detects it two times  
incident_extension Incident Extension string Format of original data  
matched_file Matched File string Fingerprint: the file from FP repository that was matched by the traffic  
matched_file_text_segments Matched File Text Segments int Fingerprint: number of text segments matched by this traffic  
matched_file_percentage Matched File Percentage int Fingerprint: match percentage of the traffic  
dlp_addtional_action DLP Additional Action string Watermark or None  
dlp_watermark_profile DLP Watermark Profile string Watermark that was applied  
dlp_repository_id Repository ID string ID of scanned repository  
dlp_data_type_uid Data Type UID string Fingerprint data type ID  
dlp_data_type_name DLP Data Type Name string Fingerprint data type name  
dlp_repository_root_path DLP Repository Root path string Repository path  
scan_id Scan ID string Sequential number of scan  
special_properties Special properties int If this field is set to '1', then the log is not shown (used for monitoring the scan progress)  
dlp_repository_total_size Repository size (MB) int Repository size  
dlp_repository_files_number Repository files int Number of files in repository  
dlp_repository_scanned_files_number Scanned files int Number of scanned files in repository  
duration Duration time Scan duration  
dlp_fingerprint_long_status Scan Status string Scan status - long format  
dlp_fingerprint_short_status Scan Status Code string Scan status - short format  
dlp_repository_directories_number Directories int Number of directories in repository  
dlp_repository_unreachable_directories_number Unreachable directories int Number of directories the Security Gateway was unable to read  
dlp_fingerprinted_files_number Fingerprinted Files int Number of successfully scanned files in repository  
dlp_repository_skipped_files_number Filtered Files int Skipped number of files because of configuration  
dlp_repository_scanned_directories_number N/A int Number of directories scanned  
number_of_errors Number of Errors int Number of files that were not scanned due to an error  
next_scheduled_scan_date Next Scheduled Scan Date timestamp Next scan scheduled time according to time object  
dlp_repository_scanned_total_size Scanned Size (MB) int Size scanned  
dlp_repository_scanned_files_number Scanned Files int Number of scanned files in repository  
dlp_repository_reached_directories_number Reachable Directories int Number of scanned directories in repository  
dlp_fingerprint_short_status Scan Status Code string Scan status - short format  
dlp_repository_not_scanned_directories_percentage Not scanned directories percentage int Percentage of directories the Security Gateway was unable to read  
dlp_repository_scanned_directories_number Directories scanned int Number of files that were not scanned due to an error  
speed N/A int Current scan speed  
dlp_repository_scan_progress N/A int Scan percentage  
dlp_relevant_data_types DLP Relevant Data Types string If the matched data type is a group data type, then the field specifies which data types from that group were matched  
Security Gateway - HTTPS Inspection Fields
https_inspection_rule_id HTTPS Inspection Rule ID string ID of the matched rule  
https_inspection_rule_name HTTPS Inspection Rule Name string Name of the matched rule  
app_properties (match table) Additional Categories string List of all found categories  
resource Resource string HTTPS resource
Possible values: SNI or domain name
 
https_validation HTTPS Validation string Precise error, describing HTTPS inspection failure  
https_inspection_action Inspection Action string HTTPS Inspection action (Inspect/Bypass/Error)  
Security Gateway - ICAP Client Fields
icap_service_id N/A int Service ID, can work with multiple servers, treated as "services"  
icap_server_name N/A string Server name  
internal_error N/A string Internal error, for troubleshooting  
verdict Verdict string Enforcement per HTTP connection
Possible values: Accept, Block-Reject, Data-modification
 
icap_more_info N/A string Free text for verdict  
reply_status N/A int ICAP reply status code, e.g., 200 or 204  
icap_server_service N/A string Service name, as given in the ICAP URI  
mirror_and_decrypt_type N/A string Information about decrypt and forward
Possible values:
Mirror only
Decrypt and Mirror
Partial mirroring (HTTPS Inspection Bypass)
 
interface_name N/A string Designated interface for Mirror and Decrypt  
session_uid N/A int HTTP session ID  
Security Gateway - Identity Awareness Fields
broker_publisher Broker Publisher ipaddr IP address of the broker publisher who shared the session information R80.40
src_machine_name Source Machine Name string Machine name connected to the source IP address  
src_user_dn N/A string User distinguished name connected to the source IP address  
proxy_user_name N/A string Username connected to the proxy IP address  
proxy_machine_name N/A string Machine name connected to the proxy IP address  
proxy_user_dn N/A string User distinguished name connected to the proxy IP address  
dst_machine_name Destination Machine Name string Machine name connected to the destination IP address  
Security Gateway - IPS Fields
resource Resource string Malicious domain  
query Query string DNS query  
dns_query DNS query string DNS query  
dns_type DNS Type string DNS query type  
inspection_item N/A string Blade element performed inspection  
performance_impact Performance Impact int Protection performance impact  
inspection_category N/A string Inspection category: protocol anomaly, signature etc.  
inspection_profile N/A string Profile which the activated protection belongs to  
inspection_information N/A string Attack or violation description  
message Message string Additional information  
suppressed_logs Suppressed Logs int Total number of aggregated malicious connections  
summary N/A string Summary message for non-compliant DNS traffic drops or detects  
tid Tunnel ID int DNS Transaction ID  
dns_message_type N/A string DNS message type
Possible values:
Query
Response
Authoritative response
 
question_rdata N/A string List of question records domains  
answer_rdata N/A string List of answer resource records to the questioned domains  
authority_rdata N/A string List of authoritative servers  
additional_rdata N/A string List of additional resource records  
files_names N/A string List of files requested by FTP  
ftp_user N/A string FTP username  
mime_from N/A string Sender's address  
mime_to N/A string List of receiver address  
cc N/A string List of CC addresses  
bcc N/A string List of BCC addresses  
content_type Content Type string Mail content type
Possible values:
application
msword
text/html
image/gif
etc.
 
subject Subject string Mail subject  
user_agent N/A string String that identifies the requesting software user-agent  
referrer N/A string Referrer HTTP request header, previous web page address.  
http_location N/A string Response header, indicates the URL to redirect a page to  
content_disposition N/A string Indicates how the content is expected to be displayed inline in the web browser  
via N/A string "Via" header is added by proxies for tracking purposes to avoid sending requests in loop  
http_server N/A string Server HTTP header value, contains information about the software used by the origin server, which handles the request  
content_length N/A string Content-Length header value: the size of the HTTP entity-body  
method N/A string HTTP method (GET, POST, PUT, etc.)  
status Status string HTTP status code  
authorization N/A string Authorization HTTP header value  
http_host N/A string Domain name of the server that the HTTP request is sent to  
industry_reference Industry Reference string CVE registry entry  
inspection_settings_log N/A string Indicates that the log was released by inspection settings  
Security Gateway - Mail Transfer Agent (MTA) Fields
email_control Email Control string Engine name  
email_message_id Email Message ID string Email session ID (unique ID of the mail)  
email_session_id Email Session ID string Internal session ID  
email_recipients_num Email Recipients Number int Number of recipients  
email_id Email ID string Internal email ID  
email_queue_id Email Queue ID string Postfix email queue ID  
email_queue_name Email Queue Name string Postfix email queue name  
original_queue_id Original Queue ID string Original postfix email queue ID  
file_name File Name string Malicious file name  
failure_reason Failure Reason string MTA failure description  
email_headers N/A string String containing all the email headers  
arrival_time Arrival Time timestamp Email arrival timestamp  
email_status Email Status string Describes the email's state
Possible options:
delivered
deferred
skipped
bounced
hold
new
scan_started
scan_ended
 
status_update Last status update timestamp Last time the log was updated  
original_queue_id Original Queue ID string Original postfix email queue ID  
scan_started Scan Started timestamp Beginning of the scanning process timestamp  
scan_ended Scan Ended timestamp End of the scanning process timestamp  
delivery_time Delivery Time timestamp Timestamp of when the email was delivered (MTA finished handling the email)  
links_num Links Number int Number of links in the mail  
attachments_num Attachments Number int Number of attachments in the mail  
email_content Email Content string Mail contents
Possible options:
attachments/links
attachments/links/text only
 
Security Gateway - Mobile Access Fields
user_group User Group string The group to which the user belongs, upon login  
cvpn_resource Application string Mobile Access application  
cvpn_category Mobile Access Category string Mobile Access application type  
url URL string Translated URL  
outgoing_url Outgoing Url string Untranslated URL, as seen inside the internal network  
reject_id Reject ID string A reject ID that corresponds to the one presented in the Mobile Access error page  
fs-proto N/A string The file share protocol used in Mobile Access File Share application  
session_uid Mobile Access Session UID guid Mobile Access session identification  
Security Gateway - NAT Fields
allocated_ports Allocated Ports int Amount of allocated NAT ports R80.40
capacity Capacity int Capacity of the NAT ports R80.40
ports_usage Ports Usage int Percentage of allocated NAT ports R80.40
nat_exhausted_pool Nat Exhausted Pool string 4-tuple of an exhausted NAT pool R80.40; R80.10 - R80.30 Jumbo Hotfixes  

xlatesrc Xlate (NAT) Source IP ipaddr Source IPv4 address after applying NAT  
xlatedst Xlate (NAT) Destination IP ipaddr Destination IPv4 address after applying NAT  
xlatesint Xlate (NAT) Source Port int Source port after applying Hide NAT on the source IP address  
xlatedint Xlate (NAT) Destination Port int Destination port after applying NAT  
nat_rulenum NAT Rule Number int NAT rulebase first matched rule  
nat_addtnl_rulenum NAT Additional Rule Number int When matching 2 automatic rules, the second rule match is shown. Otherwise, this field has the value 0.  
message_info Message Information string Used for information messages, for example:
NAT connection has ended
 
nat46 N/A string NAT46 status
In most cases "enabled"
 
end_time N/A timestamp TCP connection end time  
tcp_end_reason N/A string Reason for TCP connection closure  
nat_rulenum NAT Rule Number int NAT rulebase first matched rule  
cgnet N/A string Describes the NAT allocation for specific subscriber  
subscriber N/A ipaddr Source IP address before CGNAT  
hide_ip N/A ipaddr Source IP address to be used after CGNAT  
int_start N/A int Subscriber start integer to be used for NAT  
int_end N/A int Subscriber end integer to be used for NAT  
Security Gateway - SecureXL Fields
drop_reason Drop Reason string Aggregated logs of dropped packets  
packet_amount N/A int Number of packets dropped  
packets Packets string Connection tuple:
Source IP address
Source Port
Destination IP address
Destination Port
Protocol Number
 
monitor_reason N/A string Aggregated logs of monitored packets  
message_info Message Information string Information on multicast packet dropped  
drops_amount N/A int Amount of multicast packets dropped  
securexl_message N/A string Two options for a SecureXL message:
1. Missed accounting records after heavy load on the logging system
2. FireWall log message regarding a packet drop
 
conns_amount N/A int Number of connections in the aggregated log  
aggregation_info N/A string List of aggregated source connections  
Security Gateway - Threat Emulation Fields
Harmony Endpoint - Threat Emulation Fields
scope Scope ipvxaddr IP address related to the attack  
analyzed_on Analyzed On string Check Point ThreatCloud / emulator name  
detected_on Vulnerable Operating Systems string System and application versions on which the file was emulated  
dropped_file_name Dropped File Name string List of names dropped from the original file
dropped_file_type Dropped File Type string List of file types dropped from the original file
dropped_file_hash Dropped File Hash string List of file hashes dropped from the original file
dropped_file_verdict Dropped File Verdict string List of file verdicts dropped from the original file
emulated_on Not Vulnerable OS string Images, in which the files were emulated  
extracted_file_type Extracted File Type string Types of extracted files in case of an archive  
extracted_file_names Extracted File Names string Names of extracted files in case of an archive  
extracted_file_hash Extracted File Hash string Archive hash in case of extracted files  
extracted_file_verdict N/A string Verdict of extracted files in case of an archive  
extracted_file_uid N/A string UID of extracted files in case of an archive  
mitre_initial_access Mitre Initial Access string The adversary is trying to break into your network
mitre_execution Mitre Execution string The adversary is trying to run malicious code
mitre_persistence Mitre Persistence string The adversary is trying to maintain his foothold
mitre_privilege_escalation Mitre Privilege Escalation string The adversary is trying to gain higher-level permissions
mitre_defense_evasion Mitre Defense Evasion string The adversary is trying to avoid being detected
mitre_credential_access Mitre Credential Access string The adversary is trying to steal account names and passwords
mitre_discovery Mitre Discovery string The adversary is trying to expose information about your environment
mitre_lateral_movement Mitre Lateral Movement string The adversary is trying to explore your environment
mitre_collection Mitre Collection string The adversary is trying to collect data of interest to achieve his goal
mitre_command_and_control Mitre Command And Control string The adversary is trying to communicate with compromised systems to control them
mitre_exfiltration Mitre Exfiltration string The adversary is trying to steal data
mitre_impact Mitre Impact string The adversary is trying to manipulate, interrupt, or destroy your systems and data
parent_file_hash N/A string Archive's hash in case of extracted files  
parent_file_name N/A string Archive's name in case of extracted files  
parent_file_uid N/A string Archive's UID in case of extracted files  
similiar_iocs Similar IoCs string Other IoCs, similar to the ones found, related to the malicious file
similar_hashes Similar Hashes string Hashes found similar to the malicious file
similar_strings string Strings found similar to the malicious file
similar_communication Similar Communication string Network action found similar to the malicious file
te_verdict_determined_by Determined By string Emulators determined file verdict  
packet_capture_unique_id Packet Capture Unique Id string Identifier of the packet capture files  
total_attachments Total Attachments int The number of attachments in an email  
Security Gateway - Threat Extraction Fields
Harmony Endpoint - Threat Extraction Fields
additional_info General Information string ID of the original file/mail that was sent by the admin  
content_risk Content Risk int File risk
Possible values:
0 - Unknown
1 - Very Low
2 - Low
3 - Medium
4 - High
5 - Critical
 
operation Operation string Operation made by Threat Extraction  
scrubbed_content Suspicious Content string Active content that was found  
scrub_time N/A string Extraction process duration  
scrub_download_time N/A string File download time from resource  
scrub_total_time N/A string Threat extraction total file handling time  
scrub_activity Threat Extraction Activity string The result of the extraction  
subject Subject string Mail subject  
watermark N/A string Reports whether watermark is added to the cleaned file  
Security Gateway - Unified Policy Fields
domain_name Domain Name string Domain name sent to DNS request  
source_object N/A string Matched object name on source column  
destination_object N/A string Matched object name on destination column  
drop_reason Drop Reason string Drop reason description  
hit N/A int Number of hits on a rule  
rulebase_id N/A int Layer number  
first_hit_time N/A int First hit time in current interval  
last_hit_time Last Update Time int Last hit time in current interval  
rematch_info N/A string Information sent when old connections cannot be matched during policy installation  
last_rematch_time N/A timestamp Connection rematch time  
action_reason Action Reason string Connection drop reason  
c_bytes N/A int Boolean value indicating whether bytes sent from the client side are used  
context_num N/A int Serial number of the log for a specific connection  
match_id (match table) N/A int Private key of the rule  
alert (UP alert hll table) Alert string Alert level of matched rule (for connection logs)  
action Action int Action of matched rule
Possible values:
0 - Drop
1 - Reject
2 - Accept
3 - Encrypt
4 - Decrypt
17 - Authorize
18 - Deauthorize
30 - Bypass
33 - Block
34 - Detect
39 - Do not send
43 - Allow
46 - Ask User
61 - Extract
Note: This field is not mandatory in every log
 
parent_rule (match table) N/A int Parent rule number, in case of inline layer  
match_fk N/A int Rule number  
dropped_outgoing N/A int Number of outgoing bytes dropped when using UP-limit feature  
dropped_incoming N/A int Number of incoming bytes dropped when using UP-limit feature  
dropped_total N/A int Total bytes dropped when using UP-limit feature  
Security Gateway - VoIP Fields
content_type Content Type string VoIP session  
media_type N/A string Media used (audio, video, etc.)  
sip_reason SIP Reason string Explains why 'source_ip' is not allowed to redirect (handover)  
voip_method Request string Registration request  
registered_ip-phones N/A string Registered IP-Phones  
voip_reg_user_type Registered IP-Phone Type string Registered IP-Phone type  
voip_call_id VoIP Call ID string Call-ID  
voip_reg_int Registration Port int Registration port  
voip_reg_ipp Registration IP Protocol int Registration IP protocol  
voip_reg_period Registration Period int Registration period  
voip_log_type VoIP Log Type string VoIP log types
Possible values: reject, call, registration
 
voip_method Request string Call request  
src_phone_number Source IP-phone string Source IP-Phone  
voip_from_user_type Source IP-Phone Type string Source IP-Phone type  
dst_phone_number Destination Phone Number string Destination IP-Phone  
voip_to_user_type Destination IP-Phone Type string Destination IP-Phone type  
voip_call_dir VoIP Call direction string Call direction: in/out  
voip_call_state VoIP Call State string Call state
Possible values: in, out
 
voip_call_term_time Call termination time stamp string Call termination time stamp  
voip_duration VoIP Duration time Call duration (seconds)  
voip_media_port Media Port string Media port  
voip_media_ipp Media IP Protocol string Media IP protocol  
voip_est_codec Estimated Codec string Estimated codec  
voip_exp Expiration int Expiration  
voip_attach_sz VoIP Attachment Size int Attachment size  
voip_attach_action_info VoIP Attach Action Information string Attachment action information  
src_phone_number Source IP-phone string Source IP-Phone  
voip_media_codec N/A string Estimated codec  
voip_reject_reason VoIP Reject Reason string Reject reason  
voip_reason_info VoIP Reject Reason Information string Information  
voip_config VoIP Configuration string Configuration  
voip_reg_server Registrar Server ipaddr Registrar server IP address  
Security Gateway - VPN Fields
scv_user SCV User string Username whose packets are dropped during Secure Configuration Verification (SCV)  
scv_message_info SCV Message Information string Drop reason  
ppp Point to Point Protocol string Authentication status  
scheme Encryption Scheme string Describes the scheme used for the log  
auth_method Authentication Method string Password authentication protocol used (PAP or EAP)  
machine Machine string L2TP machine that triggered the log and that the log refers to  
vpn_feature_name VPN Feature string L2TP / IKE / Link Selection  
reject_category Reject Category string Authentication failure reason  
peer_ip_probing_status_update N/A string IP address response status  
peer_ip N/A string IP address which the client connects to  
peer_gateway VPN Peer Gateway ipaddr Main IP address of the VPN peer Security Gateway  
link_probing_status_update N/A string IP address response status  
source_interface N/A string External Interface name for source interface or Null if not found  
next_hop_ip N/A string Next hop IP address  
srckeyid Source Key ID string Initiator SPI ID  
dstkeyid Destination Key ID string Responder SPI ID  
encryption_failure Encryption Failure string Message indicating why the encryption failed  
ike_ids N/A string All Quick Mode (QM) IDs  
community Community string Community name for the IPsec key and the use of the IKE  
ike N/A string IKEMode (PHASE1, PHASE2, etc.)  
cookieI IKE Initiator Cookie string Initiator cookie  
cookieR IKE Responder Cookie string Responder cookie  
msgid IKE Phase2 Message ID string Message ID  
methods Encryption Methods string IPsec methods  
connection_uid Connection UID luuid Calculation of MD5 of the IP address and username as UID  
site_name N/A string VPN Site name  
cvpn_category Mobile Access Category string Endpoint Security On Demand (ESOD)  
esod_rule_name ESOD Rule Name string Unknown rule name  
esod_rule_action ESOD Rule Action string Unknown rule action  
esod_rule_type ESOD Rule Type string Unknown rule type  
esod_noncompliance_reason ESOD Noncompliance Reason string Non-compliance reason  
esod_associated_policies ESOD Associated Policies string Associated policies  
spyware_name Malware Name string Spyware name  
spyware_type Malware Type string Spyware type  
anti_virus_type Virus Type string Anti-Virus type  
end_user_firewall_type End User Firewall Type string End user firewall type  
esod_scan_status ESOD Scan Status string Scan failed  
esod_access_status ESOD access status string Access denied  
client_type N/A string Endpoint Connect  
message Message string General log message  
session_uid N/A guid SNX Session GUID  
Security Gateway - Web Security Fields
summary N/A string URLs detected for a specific host  
resource Resource string The resource from the HTTP request  
precise_error N/A string HTTP parser error  
method N/A string HTTP method
Possible values:
0 - DELETE
500 - GET
1000 - HEAD
1500 - METHOD
2000 - OPTIONS
2500 - POST
3000 - PUT
3500 - TRACE
4000 - CONNECT
Harmony Endpoint - Common Fields
client_name Client Name string Client Application or Software Blade that detected the event  
client_version Product Version string Build version of Harmony Endpoint client installed on the computer  
extension_version Extension Version string Build version of the Harmony Endpoint Browse Extension  
host_time Host Time string Local time on the endpoint computer  
installed_products Installed Blades string List of installed Endpoint Software Blades  
os_name OS Name string Name of the OS installed on the source endpoint computer  
os_version OS Version string Build version of the OS installed on the source endpoint computer  
packet_capture Packet Capture string Link to the PCAP traffic capture file with the recorded malicious connection  
process_md5 Process MD5 string MD5 hash of the process that triggered the attack  
process_name Process Name string Name of the process that triggered the attack  
cc CC string The Carbon Copy address of the email  
reason Reason string The reason for detecting or stopping the attack  
resource Resource string URL, Domain, or DNS of the malicious request  
Harmony Endpoint - Anti-Bot Fields
first_detection First Detection string Time of the first detection of the infection  
last_detection Last Detection string Time of the last detection of the infection  
parent_process_md5 Parent Process MD5 string MD5 hash of the parent process of the process that triggered the attack  
parent_process_name Parent Process Name string Name of the parent process of the process that triggered the attack  
parent_process_username Parent Process Username string Owner username of the parent process of the process that triggered the attack  
process_username Process Username string Owner username of the process that triggered the attack  
Harmony Endpoint - Anti-Malware Fields
destination_dns_hostname Destination DNS Hostname string Malicious DNS request domain  
smartdefense_profile (TP match table) Threat Profile string IPS profile responsible for the decision about the action  
email_session_id Email Session ID string Email session ID (unique ID of the mail)  
email_recipients_num Email Recipients Number string Number of recipients to whom the mail was sent  
suppressed_logs Suppressed logs int Aggregated connections for five minutes on the same source, destination, and port  
blade_name N/A string Software Blade name  
status status int Possible values: Ok, Warning, Error
 
short_desc N/A string Short description of the process that was executed  
long_desc N/A string More information on the process (usually describing error reason in failure)  
scan_hosts_hour N/A int Number of unique hosts during the last hour  
scan_hosts_day N/A int Number of unique hosts during the last day  
scan_hosts_week N/A int Number of unique hosts during the last week  
unique_detected_hour N/A int Detected virus for a specific host during the last hour  
unique_detected_day N/A int Detected virus for a specific host during the last day  
unique_detected_week N/A int Detected virus for a specific host during the last week  
scan_mail N/A int Number of emails that were scanned by the "Anti-Bot malicious activity" engine  
additional_ip Additional IP string DNS host name  
description Description string Additional explanation of how the Security Gateway enforced the connection  
Harmony Endpoint - Forensics Fields
attack_status Attack Status string In case of a malicious event on an endpoint computer, the status of the attack  
impacted_files Impacted Files string In case of an infection on an endpoint computer, the list of files that the malware impacted  
remediated_files Remediated Files string In case of an infection and a successful cleaning of that infection, this is a list of remediated files on the computer  
triggered_by Triggered By string The name of the mechanism that triggered the Software Blade to enforce a protection  
Harmony Endpoint - Zero Phishing Fields
trusted_domain Trusted Domain string In case of a phishing event, the domain that the attacker was impersonating  
Harmony Mobile App Fields
app_package App Package string Unique identifier of the application on the protected mobile device R80.20
appi_name Application Name string Name of application downloaded on the protected mobile device R80.20
app_repackaged Application Repackaged string Indicates whether the original application was repackaged by someone other than the official developer R80.20
app_sid_id Application Signature ID string Unique SHA identifier of a mobile application R80.20
app_version Application Version string Version of the application downloaded on the protected mobile device R80.20
developer_certificate_name Developer Certificate Name string Name of the developer's certificate that was used to sign the mobile application R80.20


Audit logs
Field Name Field Display Name Type Description
administrator Administrator string User who performed the operation
fieldschanges Changes string Specific changes done on the affected object
client_ip Client IP ipaddr IP address of the client machine, from which the change was performed
logic changes Logic Changes string Technical information about the specific changes done on the affected object
objecttype Object Type string The type of the affected object
operation Operation string The type of operation done on the object or rule
operation number Operation Number int Number of the operation done by the administrator; each operation is represented by a number
  • 0 - Create Object
  • 1 - Update Object
  • 2 - Rename Object
  • 3 - Delete Object
  • 4 - Unlock Object
  • 5 - Unlock Table
  • 6 - Unlock Database
  • 7 - Install Security policy
  • 8 - Uninstall Security policy
  • 9 - Status Change
  • 10 - Log in
  • 11 - Login Failed
  • 12 - Logout
  • 13 - Init Sic Certificate
  • 14 - Push Sic Certificate
  • 15 - Revoke Sic Certificate
  • 16 - Init IKE Key
  • 17 - Disable IKE Key
  • 18 - Generate IKE Certificate
  • 19 - Revoke IKE Certificate
  • 20 - OMSEC Command
  • 21 - Kill Operation
  • 22 - Restore Version
  • 23 - Create Version
  • 24 - Delete Version
  • 25 - Automatic Log Export
  • 26 - Synchronize Peer
  • 27 - Synchronized By Peer
  • 28 - Change to Active
  • 29 - Change to Standby
  • 30 - Detect Active Server
  • 31 - General Database Change
  • 32 - Put File
  • 33 - Fetch File
  • 34 - SmartUpdate Install Module
  • 35 - SmartUpdate Uninstall Module
  • 36 - MDS License Violation Detected
  • 37 - CMA Synchronized by an SMC Backup Server
  • 38 - System Message
  • 39 - MDS Assign Global Policy and Install Last Policy
  • 40 - MDS Assign Global Policy
  • 41 - MDS Install Last Policy
  • 42 - MDS Remove Global Policy
  • 43 - MDS Start CMA
  • 44 - MDS Stop CMA
  • 45 - MDS Enable Global Use
  • 46 - MDS Disable Global Use
  • 47 - VSX Configuration Update
  • 48 - Set Session Description
  • 49 - Log Export
  • 50 - Log Switch
  • 51 - Log Purge
  • 52 - Plugin Activate
  • 53 - Plugin Deactivate
  • 54 - Validation Failure
  • 55 - P1SHELL Command
  • 56 - MDS License Operation
  • 57 - Portable Client Password Recovery
  • 58 - Security Management Server IP Address Changed
  • 59 - DLP Incident Viewed
  • 60 - IPS Contract Invalid
objectname Performed On string The name of the object that is affected by the action
session_name Session Name string The name of the session, in which the change was published
session_description Session Description string The description of the session, in which the change was published
subject Subject string Audit log category
