The Check Point Infinity solution includes many log fields, reflecting the diversity of Check Point's products. This mapping of log fields helps you understand security threats and the log language, so that you can write more effective queries and make better use of your SIEM.
Two types of logs are available:
Security Logs - Generated by a Security Gateway, Harmony Endpoint, or Harmony Mobile.
| Field | Display Name | Type | Description |
|---|---|---|---|
| | | | Service ID; can work with multiple servers, treated as "services" |
| icap_server_name | N/A | string | Server name |
| internal_error | N/A | string | Internal error, for troubleshooting |
| verdict | Verdict | string | Enforcement per HTTP connection. Possible values: Accept, Block-Reject, Data-modification |
| icap_more_info | N/A | string | Free text for the verdict |
| reply_status | N/A | int | ICAP reply status code, e.g., 200 or 204 |
| icap_server_service | N/A | string | Service name, as given in the ICAP URI |
| mirror_and_decrypt_type | N/A | string | Information about decrypt and forward. Possible values: Mirror only; Decrypt and Mirror; Partial mirroring (HTTPS Inspection Bypass) |
| interface_name | N/A | string | Designated interface for Mirror and Decrypt |
| session_uid | N/A | int | HTTP session ID |
Security Gateway - Identity Awareness Fields

| Field | Display Name | Type | Description | Version |
|---|---|---|---|---|
| broker_publisher | Broker Publisher | ipaddr | IP address of the broker publisher that shared the session information | R80.40 |
| src_machine_name | Source Machine Name | string | Machine name connected to the source IP address | |
| src_user_dn | N/A | string | User distinguished name connected to the source IP address | |
| proxy_user_name | N/A | string | Username connected to the proxy IP address | |
| proxy_machine_name | N/A | string | Machine name connected to the proxy IP address | |
| proxy_user_dn | N/A | string | User distinguished name connected to the proxy IP address | |
| dst_machine_name | Destination Machine Name | string | Machine name connected to the destination IP address | |
Security Gateway - IPS Fields

| Field | Display Name | Type | Description |
|---|---|---|---|
| resource | Resource | string | Malicious domain |
| query | Query | string | DNS query |
| dns_query | DNS query | string | DNS query |
| dns_type | DNS Type | string | DNS query type |
| inspection_item | N/A | string | Blade element that performed the inspection |
| performance_impact | Performance Impact | int | Protection performance impact |
| inspection_category | N/A | string | Inspection category: protocol anomaly, signature, etc. |
| inspection_profile | N/A | string | Profile to which the activated protection belongs |
| inspection_information | N/A | string | Attack or violation description |
| message | Message | string | Additional information |
| suppressed_logs | Suppressed Logs | int | Total number of aggregated malicious connections |
| summary | N/A | string | Summary message for non-compliant DNS traffic drops or detects |
| tid | Tunnel ID | int | DNS Transaction ID |
| dns_message_type | N/A | string | DNS message type. Possible values: Query; Response; Authoritative response |
| question_rdata | N/A | string | List of question record domains |
| answer_rdata | N/A | string | List of answer resource records for the queried domains |
| authority_rdata | N/A | string | List of authoritative servers |
| additional_rdata | N/A | string | List of additional resource records |
| files_names | N/A | string | List of files requested by FTP |
| ftp_user | N/A | string | FTP username |
| mime_from | N/A | string | Sender's address |
| mime_to | N/A | string | List of receiver addresses |
| cc | N/A | string | List of CC addresses |
| bcc | N/A | string | List of BCC addresses |
| content_type | Content Type | string | Mail content type. Possible values: application/msword, text/html, image/gif, etc. |
| subject | Subject | string | Mail subject |
| user_agent | N/A | string | String that identifies the requesting software (User-Agent header) |
| referrer | N/A | string | Referrer HTTP request header: the address of the previous web page |
| http_location | N/A | string | Location response header; indicates the URL to which the page is redirected |
| content_disposition | N/A | string | Indicates how the content is expected to be displayed, for example inline in the web browser |
| via | N/A | string | The "Via" header is added by proxies for tracking purposes, to avoid sending requests in a loop |
| http_server | N/A | string | Server HTTP header value; contains information about the software used by the origin server that handles the request |
| content_length | N/A | string | Indicates the size of the entity-body (HTTP Content-Length header) |
| method | N/A | string | HTTP method (GET, POST, PUT, etc.) |
| status | Status | string | HTTP status code |
| authorization | N/A | string | Authorization HTTP header value |
| http_host | N/A | string | Domain name of the server to which the HTTP request is sent |
| industry_reference | Industry Reference | string | CVE registry entry |
| inspection_settings_log | N/A | string | Indicates that the log was issued by Inspection Settings |
Security Gateway - Mail Transfer Agent (MTA) Fields

| Field | Display Name | Type | Description |
|---|---|---|---|
| email_control | Email Control | string | Engine name |
| email_message_id | Email Message ID | string | Email session ID (unique ID of the mail) |
| email_session_id | Email Session ID | string | Internal session ID |
| email_recipients_num | Email Recipients Number | int | Number of recipients |
| email_id | Email ID | string | Internal email ID |
| email_queue_id | Email Queue ID | string | Postfix email queue ID |
| email_queue_name | Email Queue Name | string | Postfix email queue name |
| original_queue_id | Original Queue ID | string | Original Postfix email queue ID |
| file_name | File Name | string | Malicious file name |
| failure_reason | Failure Reason | string | MTA failure description |
| email_headers | N/A | string | String containing all the email headers |
| arrival_time | Arrival Time | timestmp | Email arrival timestamp |
| email_status | Email Status | string | Describes the email's state. Possible options: delivered, deferred, skipped, bounced, hold, new, scan_started, scan_ended |
| status_update | Last status update | timestmp | Last time the log was updated |
| scan_started | Scan Started | timestmp | Timestamp of the beginning of the scanning process |
| scan_ended | Scan Ended | timestmp | Timestamp of the end of the scanning process |
| delivery_time | Delivery Time | timestmp | Timestamp of when the email was delivered (MTA finished handling the email) |
| links_num | Links Number | int | Number of links in the mail |
| attachments_num | Attachments Number | int | Number of attachments in the mail |
| email_content | Email Content | string | Mail contents. Possible options: attachments/links; attachments/links/text only |
Security Gateway - Mobile Access Fields

| Field | Display Name | Type | Description |
|---|---|---|---|
| user_group | User Group | string | The group to which the user belongs, upon login |
| cvpn_resource | Application | string | Mobile Access application |
| cvpn_category | Mobile Access Category | string | Mobile Access application type |
| url | URL | string | Translated URL |
| outgoing_url | Outgoing Url | string | Untranslated URL, as seen inside the internal network |
| reject_id | Reject ID | string | A reject ID that corresponds to the one presented in the Mobile Access error page |
| fs-proto | N/A | string | The file share protocol used in the Mobile Access File Share application |
| session_uid | Mobile Access Session UID | guid | Mobile Access session identification |
Security Gateway - NAT Fields

| Field | Display Name | Type | Description | Version |
|---|---|---|---|---|
| allocated_ports | Allocated Ports | int | Number of allocated NAT ports | R80.40 |
| capacity | Capacity | int | Capacity of the NAT ports | R80.40 |
| ports_usage | Ports Usage | int | Percentage of allocated NAT ports | R80.40 |
| nat_exhausted_pool | Nat Exhausted Pool | string | 4-tuple of an exhausted NAT pool | R80.40; R80.10 - R80.30 Jumbo Hotfixes |
| xlatesrc | Xlate (NAT) Source IP | ipaddr | Source IPv4 address after applying NAT | |
| xlatedst | Xlate (NAT) Destination IP | ipaddr | Destination IPv4 address after applying NAT | |
| xlatesint | Xlate (NAT) Source Port | int | Source port after applying Hide NAT on the source IP address | |
| xlatedint | Xlate (NAT) Destination Port | int | Destination port after applying NAT | |
| nat_rulenum | NAT Rule Number | int | First matched rule in the NAT rulebase | |
| nat_addtnl_rulenum | NAT Additional Rule Number | int | When 2 automatic rules match, the second matched rule is shown. Otherwise, this field has the value 0. | |
| message_info | Message Information | string | Used for information messages, for example: NAT connection has ended | |
| nat46 | N/A | string | NAT46 status; in most cases "enabled" | |
| end_time | N/A | timestmp | TCP connection end time | |
| tcp_end_reason | N/A | string | Reason for TCP connection closure | |
| cgnet | N/A | string | Describes the NAT allocation for a specific subscriber | |
| subscriber | N/A | ipaddr | Source IP address before CGNAT | |
| hide_ip | N/A | ipaddr | Source IP address to be used after CGNAT | |
| int_start | N/A | int | Subscriber start integer to be used for NAT | |
| int_end | N/A | int | Subscriber end integer to be used for NAT | |
Security Gateway - SecureXL Fields

| Field | Display Name | Type | Description |
|---|---|---|---|
| drop_reason | Drop Reason | string | Aggregated logs of dropped packets |
| packet_amount | N/A | int | Number of packets dropped |
| packets | Packets | string | Connection tuple: source IP address, source port, destination IP address, destination port, protocol number |
| monitor_reason | N/A | string | Aggregated logs of monitored packets |
| message_info | Message Information | string | Information on multicast packets dropped |
| drops_amount | N/A | int | Number of multicast packets dropped |
| securexl_message | N/A | string | Two options for a SecureXL message: 1. Missed accounting records after heavy load on the logging system; 2. FireWall log message regarding a packet drop |