V 2.0 : Application Control URL Filtering Events

Classification

| Rule Name | Rule Type | Common Event | Classification |
| --- | --- | --- | --- |
| V 2.0 : Application Control URL Filtering Events | Base Rule | General Application Control Message | Information |
| V 2.0 : Application Control : Traffic Accepted | Sub Rule | Traffic Allowed by Network Firewall | Network Allow |
| V 2.0 : Application Control : Traffic Allowed | Sub Rule | Traffic Allowed by Network Firewall | Network Allow |
| V 2.0 : Application Control : Traffic Blocked | Sub Rule | Traffic Denied by Network Firewall | Network Deny |
| V 2.0 : Application Control : Traffic Encrypted | Sub Rule | Encrypt Packet | Network Traffic |
| V 2.0 : Application Control : Traffic Decrypted | Sub Rule | Decrypted Packet | Network Traffic |

Mapping with LogRhythm Schema

| Device Key in Log Message | LogRhythm Schema | Data Type | Schema Description |
| --- | --- | --- | --- |
| virtuallogsource | N/A | N/A | N/A |
| subproduct | N/A | N/A | Sub Product |
| Product | <vmid> | Text/String | Product name |
| Originip | N/A | N/A | IP of the log origin |
| origin | N/A | N/A | Name of the first Security Gateway that reported this event |
| Action | <action>, <tag1> | Text/String | N/A |
| SIP | <sip> | IP Address | Source IP |
| SPort | <sport> | Number | Source host port number |
| DIP | <dip> | IP Address | Destination IP |
| dport | <dport> | Number | Destination host port number |
| protocol | <protnum> | Number | Protocol detected on the connection |
| ifname | <sinterface> | Text/String | Name of the Security Gateway interface through which the connection traverses |
| ifdirection | N/A | N/A | Connection direction |
| reason | <reason> | Text/String | Description of the log's reason |
| Rule | N/A | N/A | N/A |
| Info | <vendorinfo> | Text/String | N/A |
| XlateSIP | <snatip> | IP Address | Source IPv4 address after applying NAT |
| XlateSport | <snatport> | Number | Source host port number after applying NAT |
| XlateDIP | <dnatip> | IP Address | Destination IPv4 address after applying NAT |
| XlateDPort | <dnatport> | Number | Destination host port number after applying NAT |
| user | <login> | Text/String | Source user name |
| alert | N/A | N/A | N/A |
| icmp-code | N/A | N/A | N/A |
| icmp-type | N/A | N/A | N/A |
| matched_category | N/A | N/A | N/A |
| rule_name | N/A | N/A | N/A |
| Url | N/A | N/A | Matched URL |
| time | N/A | N/A | Time stamp when the log was created |
| OriginZone | N/A | N/A | N/A |
| ImpactedZone | N/A | N/A | N/A |
| Service | <protname> | Text/String | N/A |
| duration | <duration> | Number | N/A |
| conn_direction | N/A | N/A | N/A |
| flags | N/A | N/A | N/A |
| logid | N/A | N/A | N/A |
| loguid | N/A | N/A | UUID of unified logs |
| originsicname | N/A | N/A | N/A |
| sequencenum | N/A | N/A | Number added to order logs with the same Linux timestamp and origin |
| version | <version> | Number | N/A |
| __policy_id_tag | <policy> | Text/String | N/A |
| aggregated_log_count | N/A | N/A | N/A |
| browse_time | N/A | N/A | N/A |
| bytes | N/A | N/A | N/A |
| client_inbound_bytes | <bytesin> | Number | N/A |
| client_inbound_packets | <packetsin> | Number | N/A |
| client_outbound_bytes | <bytesout> | Number | N/A |
| client_outbound_packets | <packetsout> | Number | N/A |
| connection_count | <quantity> | Number | N/A |
| creation_time | N/A | N/A | N/A |
| hll_key | N/A | N/A | N/A |
| last_hit_time | N/A | N/A | N/A |
| lastupdatetime | N/A | N/A | N/A |
| app_category | N/A | N/A | N/A |
| app_desc | N/A | N/A | Application description |
| app_id | N/A | N/A | Application ID |
| app_properties | <subject> | Text/String | Application categories |
| app_risk | <severity> | Number | Application risk. Possible values: 0 - Unknown, 1 - Very Low, 2 - Low, 3 - Medium, 4 - High, 5 - Critical |
| app_sig_id | N/A | N/A | N/A |
| appi_name | <process> | Text/String | Application name |
| layer_name | N/A | N/A | N/A |
| layer_uuid | N/A | N/A | N/A |
| match_id | N/A | N/A | N/A |
| parent_rule | N/A | N/A | N/A |
| rule_action | N/A | N/A | N/A |
| rule_uid | N/A | N/A | N/A |
| packets | N/A | N/A | N/A |
| server_inbound_bytes | N/A | N/A | N/A |
| server_inbound_packets | N/A | N/A | N/A |
| server_outbound_bytes | N/A | N/A | N/A |
| server_outbound_packets | N/A | N/A | N/A |
| sig_id | N/A | N/A | N/A |
| update_count | N/A | N/A | N/A |
| resource | <url> | Text/String/Number | Resource from the HTTP request |
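As an added worked example that applies both the Classification and the Mapping tables above (this is not LogRhythm's or Check Point's own code): a small parser that takes a constructed key=value Application Control record, routes each device key to its LogRhythm schema field according to the mapping table, decodes app_risk into the listed <severity> labels, selects the sub-rule from the action value, and reports the device keys that reach no schema field. The key="value" wire format and the action keywords (Accept, Allow, Block, Encrypt, Decrypt) are assumptions of the example, the sample record is constructed, and only a representative subset of the N/A keys is spelled out in the dictionary.

```python
import re

# Device key -> LogRhythm schema field, transcribed from the mapping table
# above. None means the page lists the key as N/A (not parsed into a schema
# field). Only a representative subset of the N/A keys is listed; any key
# absent from this dict is treated the same way.
DEVICE_KEY_TO_SCHEMA = {
    "product": "vmid",
    "action": "action",                 # the table also lists <tag1> for Action
    "sip": "sip", "sport": "sport", "dip": "dip", "dport": "dport",
    "protocol": "protnum", "ifname": "sinterface", "reason": "reason",
    "info": "vendorinfo", "user": "login", "service": "protname",
    "xlatesip": "snatip", "xlatesport": "snatport",
    "xlatedip": "dnatip", "xlatedport": "dnatport",
    "duration": "duration", "version": "version", "__policy_id_tag": "policy",
    "client_inbound_bytes": "bytesin", "client_inbound_packets": "packetsin",
    "client_outbound_bytes": "bytesout", "client_outbound_packets": "packetsout",
    "connection_count": "quantity", "app_properties": "subject",
    "app_risk": "severity", "appi_name": "process", "resource": "url",
    "url": None, "matched_category": None, "rule_name": None, "rule_uid": None,
    "app_category": None, "app_id": None, "loguid": None, "time": None, "origin": None,
}

# Schema fields the table types as Number.
NUMBER_FIELDS = {"sport", "dport", "protnum", "snatport", "dnatport", "duration",
                 "version", "bytesin", "packetsin", "bytesout", "packetsout",
                 "quantity", "severity"}

# app_risk -> <severity> labels, as listed in the table.
APP_RISK = {0: "Unknown", 1: "Very Low", 2: "Low", 3: "Medium", 4: "High", 5: "Critical"}

# Sub-rule chosen from the action value. The action keywords are an assumption
# of this example; the rule, common event and classification names are the page's.
ACTION_RULES = {
    "accept":  ("Traffic Accepted",  "Traffic Allowed by Network Firewall", "Network Allow"),
    "allow":   ("Traffic Allowed",   "Traffic Allowed by Network Firewall", "Network Allow"),
    "block":   ("Traffic Blocked",   "Traffic Denied by Network Firewall",  "Network Deny"),
    "encrypt": ("Traffic Encrypted", "Encrypt Packet",                      "Network Traffic"),
    "decrypt": ("Traffic Decrypted", "Decrypted Packet",                    "Network Traffic"),
}
BASE_RULE = ("Application Control URL Filtering Events",
             "General Application Control Message", "Information")

# key=value or key="quoted value"; tokens that are not pairs (a syslog header,
# a bare hostname) are skipped. Quoted values may contain '=' and spaces.
KV_RE = re.compile(r'([\w-]+)=(?:"([^"]*)"|(\S*))')


def parse_kv(line):
    """Split one record into a dict; keys are lower-cased because the table
    mixes cases (SIP, dport, Originip)."""
    return {k.lower(): (quoted or bare) for k, quoted, bare in KV_RE.findall(line)}


def _number(value):
    """Coerce a Number-typed field; keep the raw text if it is not an integer."""
    try:
        return int(value)
    except ValueError:
        return value


def map_record(raw):
    """Return (schema_fields, dropped_keys, (sub_rule, common_event, classification))."""
    fields, dropped = {}, []
    for key, value in parse_kv(raw).items():
        schema = DEVICE_KEY_TO_SCHEMA.get(key)
        if schema is None:
            dropped.append(key)          # listed as N/A, or not in the table at all
            continue
        fields[schema] = _number(value) if schema in NUMBER_FIELDS else value
    if "action" in fields:
        fields["tag1"] = fields["action"]   # Action populates both <action> and <tag1>
    if "severity" in fields:
        fields["severity_label"] = APP_RISK.get(fields["severity"], "Unknown")
    rule = ACTION_RULES.get(str(fields.get("action", "")).lower(), BASE_RULE)
    return fields, sorted(dropped), rule


# Constructed sample record (not a real device log). The wire format is an
# assumption of this example; the page does not state it.
SAMPLE = (
    'time="2024-05-06T10:15:32Z" origin="gw-example" product="Application Control" '
    'action="Block" sip="10.1.2.3" sport="51522" dip="198.51.100.7" dport="443" '
    'protocol="6" service="https" ifname="eth1" ifdirection="outbound" user="alice" '
    'appi_name="Example Upload Service" app_category="File Storage and Sharing" '
    'app_risk="4" app_properties="File Storage and Sharing, Cloud Storage" '
    'matched_category="High Risk" url="https://files.example/upload?id=7" '
    'resource="/upload" rule_name="Block high risk apps" '
    'client_outbound_bytes="8192" client_inbound_bytes="512" duration="3" '
    '__policy_id_tag="Standard"'
)

if __name__ == "__main__":
    fields, dropped, rule = map_record(SAMPLE)
    print("rule:", rule)
    for name in sorted(fields):
        print(f"  <{name}> = {fields[name]!r}")
    print("device keys that reach no schema field:", ", ".join(dropped))
```

Worth keeping in mind when building detection content on top of this mapping: the <url> field is populated from resource (the request path), while the device url, matched_category and rule_name keys are listed as N/A. A rule that needs the full matched URL or the URL Filtering category therefore has to work from the raw message rather than from a parsed schema field.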