Firewall Traffic Logs

Network traffic and policy enforcement events

Check Point Security Gateway firewall traffic logs capturing network connections, policy enforcement decisions, and traffic flow details including source/destination IPs, ports, protocols, and rule matching information.

Tags: firewall, network, traffic, security, policy, checkpoint
Format: PLAIN TEXT | Fields: 31 | Frequency: High | Type: Generator

Overview

Records all network traffic processed by Check Point Security Gateway, including accepted, dropped, and rejected connections with detailed policy matching and rule information.

When Generated:

  • When network packets traverse the firewall
  • When firewall policy rules are evaluated and matched
  • When traffic is accepted, dropped, or rejected based on policy
  • During ICMP, TCP, and UDP connection attempts
  • When traffic crosses security zones (Internal, External, DMZ)

Security Relevance:

High

Compliance:

  • PCI-DSS (Requirement 1.2 - Network Security Controls)
  • NIST 800-53 (SC-7 - Boundary Protection)
  • ISO 27001 (A.13.1 - Network Security Management)
  • HIPAA (164.312(e)(1) - Transmission Security)
  • SOC 2 (CC6.6 - Logical and Physical Access Controls)

Frequency Notes:

Very high frequency during business hours (1500+ events/hour). Network traffic logs are among the most voluminous firewall log types, scaling with network activity and connection volumes.

Generation Configuration

Base Frequency: 500 events/hour
Time Patterns: business_hours, night_hours, weekend
Business Hours Multiplier: 3.0x
Night Hours Multiplier: 0.4x
Weekend Multiplier: 0.6x

Field Definitions

Complete field reference for this event type with data types, descriptions, and example values.

Each entry below gives the field name, its source in the generator, type and whether it is required, format (where one is defined), description, an example value, and the possible values where the field is enumerated.

time
  Source: current_timestamp() | unix_timestamp
  Type: Integer (Required)
  Format: Unix epoch timestamp (seconds)
  Description: Unix timestamp when the event occurred
  Example: 1766266517

hostname
  Source: registry.get_random_device().hostname
  Type: String (Required)
  Description: Hostname of the Check Point management server or security gateway
  Example: orgmgmt

product
  Source: Static value 'Firewall'
  Type: String (Required)
  Description: Check Point product type generating the log
  Example: Firewall

layer_name
  Source: random_choice(['Internal-Policy Network', 'External-Policy Network', 'Standard Network', 'Security-Policy Network'])
  Type: String (Required)
  Description: Name of the security policy layer that processed the traffic
  Example: Internal-Policy Network
  Possible Values:
    • Internal-Policy Network — Policy layer for internal network traffic
    • External-Policy Network — Policy layer for external-facing traffic
    • Standard Network — Default security policy layer
    • Security-Policy Network — Enhanced security policy layer

layer_uuid
  Source: random_guid()
  Type: String (Required)
  Format: UUID (RFC 4122)
  Description: Unique identifier for the policy layer
  Example: 1cfc5be4-cef8-4340-8217-3828ef6e9aa2

match_id
  Source: random_int(1, 50)
  Type: Integer (Required)
  Description: Rule number within the policy layer that matched the traffic
  Example: 7

parent_rule
  Source: Static value 0
  Type: Integer (Required)
  Description: Parent rule identifier (0 indicates a top-level rule)
  Example: 0

rule_action
  Source: random_weighted(['Accept', 'Drop', 'Reject'], [0.85, 0.10, 0.05])
  Type: String (Required)
  Description: Action specified in the matched firewall rule
  Example: Accept
  Possible Values:
    • Accept — Traffic is allowed through the firewall (85% probability)
    • Drop — Traffic is silently discarded (10% probability)
    • Reject — Traffic is rejected with notification (5% probability)

rule_name
  Source: random_choice(['Cleanup', 'Enterprise-Inbound', 'Allow-SCCP_SNMP', 'Rapid7 Scanning', 'VPN Access', 'Internet Access', 'DMZ Access', 'Internal Access', 'Stealth Rule'])
  Type: String (Required)
  Description: Descriptive name of the firewall rule that matched
  Example: Rapid7 Scanning

rule_uid
  Source: random_guid()
  Type: String (Required)
  Format: UUID (RFC 4122)
  Description: Unique identifier for the firewall rule
  Example: 29e5bb8c-7249-4682-936d-e4fcff0a5bea

action
  Source: random_weighted(['Accept', 'Drop', 'Reject'], [0.85, 0.10, 0.05])
  Type: String (Required)
  Description: Final action taken on the traffic (typically matches rule_action)
  Example: Accept

ifdir
  Source: random_choice(['inbound', 'outbound'])
  Type: String (Required)
  Description: Direction of traffic relative to the firewall interface
  Example: inbound
  Possible Values:
    • inbound — Traffic entering the firewall interface
    • outbound — Traffic leaving the firewall interface

ifname
  Source: eth{random_int(0,3)}-{random_int(20,25)}
  Type: String (Required)
  Format: ethX-Y
  Description: Network interface name where the traffic was observed
  Example: eth2-23

logid
  Source: Static value 0
  Type: Integer (Required)
  Description: Log message identifier (0 for standard traffic logs)
  Example: 0

loguid
  Source: Generated with random_hex() for each component
  Type: String (Required)
  Format: Four hexadecimal values in braces
  Description: Unique log entry identifier in Check Point format
  Example: {0x3cab6cc,0x90e12910,0x7a93992b,0x8f110a1b}

origin
  Source: random_private_ip()
  Type: String (Required)
  Format: IPv4 address
  Description: IP address of the Security Gateway that generated the log
  Example: 10.40.55.33

originsicname
  Source: Constructed from device hostname and organization info
  Type: String (Required)
  Format: Distinguished Name format with escaped characters
  Description: SIC (Secure Internal Communication) name of the originating gateway
  Example: CN=dst_Int-GW,O=ORGMGMT..ohuccs

sequencenum
  Source: random_int(100, 999)
  Type: Integer (Required)
  Description: Sequential log entry number
  Example: 345

version
  Source: Static value 5
  Type: Integer (Required)
  Description: Log format version
  Example: 5

src
  Source: random_private_ip()
  Type: String (Required)
  Format: IPv4 address
  Description: Source IP address of the network connection
  Example: 10.40.5.162

dst
  Source: random_weighted([random_private_ip(), random_public_ip()], [0.6, 0.4])
  Type: String (Required)
  Format: IPv4 address
  Description: Destination IP address of the network connection
  Example: 54.144.111.231

s_port
  Source: random_port(1024, 65535)
  Type: Integer (Optional)
  Format: 1024-65535 (ephemeral port range)
  Description: Source port number (present for TCP/UDP traffic)
  Example: 59786

service
  Source: random_choice([80, 443, 22, 23, 25, 53, 161, 162, 445, 3389, 8080, 8443, 9443])
  Type: Integer (Optional)
  Description: Destination port number or service identifier
  Example: 443

service_id
  Source: random_choice(['http', 'https', 'ssh', 'telnet', 'smtp', 'dns', 'snmp', 'snmp-trap', 'microsoft-ds', 'rdp', 'http-alt', 'https-alt', 'tcp-high-ports', 'echo-request', 'nbname', 'SCCP'])
  Type: String (Optional)
  Description: Named service identifier for the destination port
  Example: https

proto
  Source: random_weighted([6, 17, 1], [0.7, 0.25, 0.05])
  Type: Integer (Required)
  Format: IANA protocol number
  Description: IP protocol number
  Example: 6
  Possible Values:
    • 6 — TCP (Transmission Control Protocol), 70% of traffic
    • 17 — UDP (User Datagram Protocol), 25% of traffic
    • 1 — ICMP (Internet Control Message Protocol), 5% of traffic

icmp
  Source: random_choice(['Echo Request', 'Echo Reply', 'Destination Unreachable', 'Time Exceeded'])
  Type: String (Optional)
  Description: ICMP message type description (present only for ICMP traffic)
  Example: Echo Request

icmp_code
  Source: random_int(0, 15)
  Type: Integer (Optional)
  Format: 0-15
  Description: ICMP message code (present only for ICMP traffic)
  Example: 0

icmp_type
  Source: random_int(0, 18)
  Type: Integer (Optional)
  Format: 0-18
  Description: ICMP message type number (present only for ICMP traffic)
  Example: 8

inzone
  Source: random_choice(['Internal', 'External', 'DMZ', 'Trusted'])
  Type: String (Required)
  Description: Security zone of the incoming interface
  Example: Internal
  Possible Values:
    • Internal — Internal corporate network zone
    • External — External/Internet-facing zone
    • DMZ — Demilitarized zone for public-facing services
    • Trusted — Highly trusted network segment

outzone
  Source: random_choice(['Internal', 'External', 'DMZ', 'Trusted'])
  Type: String (Required)
  Description: Security zone of the outgoing interface (same possible values as inzone)
  Example: Internal

member_id
  Source: random_choice(['1_2', '1_3', '2_1', '2_2'])
  Type: String (Required)
  Format: X_Y, where X is the cluster ID and Y is the member number
  Description: Cluster member identifier for high-availability deployments
  Example: 1_2
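The field reference above defines which fields are mandatory, which formats they must follow, and which optional fields only appear for certain protocols (the ICMP trio for proto 1, s_port for TCP/UDP). The following Python is an added example, not the generator's own code or a Check Point tool: it treats each event as a dict keyed by the field names above, validates it against those rules, and produces a small triage view of Drop/Reject decisions per zone pair. The first sample record is built from the example column of the reference; the other two records, the function names, and the set of accepted proto values (limited to the three the page enumerates) are assumptions made for the example.

```python
import ipaddress
import re
import uuid
from collections import Counter

# Enumerations and required fields, taken from the field reference above.
ACTIONS = {"Accept", "Drop", "Reject"}
ZONES = {"Internal", "External", "DMZ", "Trusted"}
PROTOS = {6, 17, 1}  # only the values the reference enumerates (assumption for this example)
REQUIRED_INT = ("time", "match_id", "parent_rule", "logid", "sequencenum", "version", "proto")
REQUIRED_STR = ("hostname", "product", "layer_name", "layer_uuid", "rule_action", "rule_name",
                "rule_uid", "action", "ifdir", "ifname", "loguid", "origin", "originsicname",
                "src", "dst", "inzone", "outzone", "member_id")
ICMP_FIELDS = {"icmp", "icmp_code", "icmp_type"}

LOGUID_RE = re.compile(r"^\{0x[0-9a-f]+,0x[0-9a-f]+,0x[0-9a-f]+,0x[0-9a-f]+\}$", re.I)
IFNAME_RE = re.compile(r"^eth\d+-\d+$")
MEMBER_RE = re.compile(r"^\d+_\d+$")


def _is_ipv4(value):
    try:
        return isinstance(ipaddress.ip_address(value), ipaddress.IPv4Address)
    except ValueError:
        return False


def _is_uuid(value):
    try:
        uuid.UUID(str(value))
        return True
    except ValueError:
        return False


def validate_record(rec):
    """Return a list of problems in one record; an empty list means it conforms."""
    issues = [f"{n}: missing or not an integer" for n in REQUIRED_INT if not isinstance(rec.get(n), int)]
    issues += [f"{n}: missing or empty" for n in REQUIRED_STR if not isinstance(rec.get(n), str) or not rec[n]]
    if issues:
        return issues  # structural problems first; the value checks below need the fields present
    issues += [f"{n}: not an IPv4 address" for n in ("origin", "src", "dst") if not _is_ipv4(rec[n])]
    issues += [f"{n}: not an RFC 4122 UUID" for n in ("layer_uuid", "rule_uid") if not _is_uuid(rec[n])]
    if not LOGUID_RE.match(rec["loguid"]):
        issues.append("loguid: expected {0x..,0x..,0x..,0x..}")
    if not IFNAME_RE.match(rec["ifname"]):
        issues.append("ifname: expected ethX-Y")
    if not MEMBER_RE.match(rec["member_id"]):
        issues.append("member_id: expected X_Y")
    if rec["rule_action"] not in ACTIONS or rec["action"] not in ACTIONS:
        issues.append("action/rule_action: not one of Accept, Drop, Reject")
    elif rec["action"] != rec["rule_action"]:
        issues.append("action: differs from rule_action")  # reference says they typically match
    if rec["ifdir"] not in ("inbound", "outbound"):
        issues.append("ifdir: expected inbound or outbound")
    if rec["inzone"] not in ZONES or rec["outzone"] not in ZONES:
        issues.append("inzone/outzone: unknown zone")
    if rec["proto"] not in PROTOS:
        issues.append("proto: expected 6, 17 or 1")
    # Optional fields are conditional on the protocol: ICMP fields only for proto 1,
    # s_port only for TCP/UDP, and both within their documented ranges.
    if rec["proto"] == 1:
        if not ICMP_FIELDS.issubset(rec):
            issues.append("icmp fields: icmp, icmp_code and icmp_type must all be present for ICMP")
        elif not (isinstance(rec["icmp_type"], int) and 0 <= rec["icmp_type"] <= 18
                  and isinstance(rec["icmp_code"], int) and 0 <= rec["icmp_code"] <= 15):
            issues.append("icmp_type/icmp_code: outside documented range")
        if "s_port" in rec:
            issues.append("s_port: not expected for ICMP traffic")
    else:
        if ICMP_FIELDS.intersection(rec):
            issues.append("icmp fields: only expected for ICMP traffic")
        if "s_port" in rec and not (isinstance(rec["s_port"], int) and 1024 <= rec["s_port"] <= 65535):
            issues.append("s_port: outside ephemeral range 1024-65535")
    return issues


def denied_by_zone_pair(records):
    """Count Drop/Reject decisions per (inzone, outzone) pair, a quick triage view."""
    counts = Counter()
    for rec in records:
        if rec.get("action") in ("Drop", "Reject"):
            counts[(rec["inzone"], rec["outzone"])] += 1
    return counts


# Constructed sample: the first record mirrors the example column of the field reference.
BASE = {
    "time": 1766266517, "hostname": "orgmgmt", "product": "Firewall",
    "layer_name": "Internal-Policy Network", "layer_uuid": "1cfc5be4-cef8-4340-8217-3828ef6e9aa2",
    "match_id": 7, "parent_rule": 0, "rule_action": "Accept", "rule_name": "Rapid7 Scanning",
    "rule_uid": "29e5bb8c-7249-4682-936d-e4fcff0a5bea", "action": "Accept", "ifdir": "inbound",
    "ifname": "eth2-23", "logid": 0, "loguid": "{0x3cab6cc,0x90e12910,0x7a93992b,0x8f110a1b}",
    "origin": "10.40.55.33", "originsicname": "CN=dst_Int-GW,O=ORGMGMT..ohuccs", "sequencenum": 345,
    "version": 5, "src": "10.40.5.162", "dst": "54.144.111.231", "s_port": 59786, "service": 443,
    "service_id": "https", "proto": 6, "inzone": "Internal", "outzone": "Internal", "member_id": "1_2",
}
# Constructed variants: a malformed ICMP record (keeps s_port, lacks icmp_code) and a denied flow.
BAD_ICMP = {**BASE, "proto": 1, "icmp": "Echo Request", "icmp_type": 8}
DENIED = {**BASE, "rule_name": "Cleanup", "rule_action": "Drop", "action": "Drop",
          "inzone": "External", "outzone": "DMZ"}
SAMPLE_RECORDS = [BASE, BAD_ICMP, DENIED]

if __name__ == "__main__":
    for i, rec in enumerate(SAMPLE_RECORDS):
        print(i, validate_record(rec) or "ok")
    print(dict(denied_by_zone_pair(SAMPLE_RECORDS)))
```

Running the block reports the first and third records as conforming, two problems for the ICMP record, and one denied External-to-DMZ connection. The validator returns structural problems before value problems so that a record with missing required fields does not trigger cascading errors from the later checks.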

Details

Fields: 31
Frequency: High
Tags: 6 (firewall, network, traffic, security, policy, checkpoint)
Event Type: firewall_traffic