09-16-2018 03:03 AM
Hi
I would like to have a policy that just logs and does nothing else, i.e. the packet keeps getting evaluated.
Sometimes I want to know there is a packet there but not process it with that line.
Can this be done already?
09-17-2018 05:15 AM
Hi @Alex_Samad,
Policies are always evaluated.
I'm guessing you're looking for a tap interface:
If this isn't what you're looking for, then I'd recommend filing a feature request.
Cheers!
-Kiwi.
09-17-2018 08:07 AM
@Alex_Samad wrote: "Sometimes I want to know there is a packet there but not process it with that line."
What do you mean exactly with that?
As @kiwi already wrote a TAP interface or a simple any any allow policy with an application override rule may be something for you...
09-17-2018 02:50 PM
I don't think I have worded it properly.
I want to add a policy, say at the top, that does match but doesn't allow the packet; it just matches and, say, marks it or logs it, but then the packet/stream still gets evaluated later.
09-17-2018 03:27 PM
Logging every new packet will likely flood you with logs that aren't really valuable, but you can do it. For each policy that will be evaluated, select "Log at session start" under the Actions tab in the security rule.
Every single new packet that gets installed as a new session will be logged before the rules themselves are processed. This will increase the load on the management plane, because of the extra logging. It will also reduce the number of completed logs you can store, since you're effectively logging everything twice.
What problem are you trying to solve? Maybe your use case will help the community understand the goal, and get you there without using the policy approach you're attempting.
09-17-2018 04:59 PM
Sorry, that seems a bit silly. I already log all policies, so currently each packet creates 1 log entry. So if I was stupid and added an any-any log rule, then I would double the amount of logging.
Sorry, what extra logging? Each packet is processed as it is already.
For example, in iptables I can have chains that process lines and just log them. So let's say I want to see all the packets from a specific host that meet a specific criteria, but I don't want to allow it; I just want to register it in the logs and then have the normal processing of the rules happen.
A
09-19-2018 05:58 PM
Let's say, for example, I want to capture all traffic from a specific location to a specific destination, but I don't want the rule to allow, just to log. I would place this at the top of the policies.
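The "match, log, and keep evaluating" action being asked for in this thread, modelled as an added example (my own code, not PAN-OS behaviour and not from any poster): a toy first-match policy engine in which a `log` action is non-terminating, like an iptables LOG target, while `allow`/`deny` end the lookup. The rule names and addresses are constructed for the demonstration, and it also shows why the watch rule must not be an `allow`: that would shadow the deny below it.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass
class Rule:
    name: str
    src: str      # source prefix, e.g. "10.1.1.0/24"; "0.0.0.0/0" means any
    dst: str      # destination prefix
    action: str   # "allow" / "deny" terminate; "log" records and continues
    log: bool = False  # "log at session start" on a terminating rule


@dataclass
class Verdict:
    action: str          # final action applied to the session
    matched: str         # rule that produced the final action
    logged_by: list = field(default_factory=list)  # rules that wrote a log


def _hits(rule: Rule, src: str, dst: str) -> bool:
    return (ip_address(src) in ip_network(rule.src)
            and ip_address(dst) in ip_network(rule.dst))


def evaluate(rules: list, src: str, dst: str) -> Verdict:
    """Top-down, first-match lookup. A rule whose action is 'log' is
    non-terminating (hypothetical 'log and continue' action): it records
    the session and evaluation moves on to the next rule. Traffic that
    matches no terminating rule falls through to an implicit deny."""
    logged = []
    for rule in rules:
        if not _hits(rule, src, dst):
            continue
        if rule.action == "log":
            logged.append(rule.name)
            continue                      # keep evaluating
        if rule.log:
            logged.append(rule.name)
        return Verdict(rule.action, rule.name, logged)
    return Verdict("deny", "implicit-deny", logged)


# Constructed policy: watch one host at the top without deciding its fate there.
POLICY = [
    Rule("watch-host", "10.1.1.5/32", "0.0.0.0/0", "log"),
    Rule("block-guest-to-dc", "10.1.1.0/24", "192.0.2.0/24", "deny", log=True),
    Rule("allow-internal", "10.0.0.0/8", "0.0.0.0/0", "allow", log=True),
]

if __name__ == "__main__":
    print(evaluate(POLICY, "10.1.1.5", "192.0.2.10"))
```

The watched host is still denied by the later rule, and the session appears twice in the log (once from the watch rule, once from the deny), which is the extra logging volume discussed above.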
09-20-2018 12:23 AM
Not possible in the way you're describing it, as far as I know. The rule will always be evaluated as per the action you configured on it.
I'd use the TAP solution as proposed earlier, or a 3rd-party solution like SNORT could maybe help you.
Cheers!
-Kiwi.
09-20-2018 12:27 AM
Yep, I understand it's not possible now.
That's why I raised this. The action could be to continue and log?
But I get the impression it's not something people might want 🙂
09-20-2018 12:30 AM
I can see how this can be useful 🙂
It wouldn't hurt asking your local SE to file a feature request for this.
If it gets enough votes, then it might be added to a future release.
Cheers!
-Kiwi.