FireWall-1 FAQ: How to log FTP and Web Files Downloaded
Please note: This content was from when I was operating my FireWall-1 FAQ site, which I stopped operating in August 2005. For some reason people still have links to this stuff on the Internet that people are still clicking on.
I am making this information available again AS IS. Given how old this information is, it is likely wildly inaccurate. I have no plans to update this information.
If you're still running versions of Check Point VPN-1/FireWall-1 where this information is still relevant to you, do yourself a favor and upgrade to a more recent release. If you happen to be running a current release and the information is useful, it's by happenstance :)
The security servers were designed to do this sort of thing. In order to use them, you will need to make sure they are on. Look in $FWDIR/conf/fwauthd.conf. You should see lines like the following:
80 in.ahttpd wait 0 21 in.aftpd wait 0
These are the two lines for HTTP and FTP respectively. If they are missing or commented out, you can either add/uncomment them manually or run fwconfig. In either case, you should restart the firewall (fwstop; fwstart) after doing so.
The idea here is to create a resource that matches "everything" and then funnel all web and ftp traffic through those resources. To create a resource that matches all FTP downloads, create a new FTP resource called "ftpmatchall". Set the exception track to Log, set the path to "*" and check GET (to track uploads too, also check PUT).
To create a resource that matches all HTTP URLs, create a new URI resource called "httpmatchall". Set the exception track to Log, set the URI Match Spec to Wildcard, if NG, also specify "Optimize URL Logging," match all schemes, all methods, and put "*" in the host, path, and query fields.
Now that you've created both the resources, add this rule to your rulebase:
When you add the services "HTTP" and "FTP", you will need to add them with resource to add in the httpmatchall and ftpmatchall resources that were created.
Install your security policy and install the user database. In some cases, it may be necessary to bounce the firewall (fwstop; fwstart). The URLs will appear in the info field of the log viewer.
Note that in FireWall-1 4.1 SP2 and above, you can do URL logging without using the HTTP Security Server. See the release notes for details. In NG, this can be done more efficiently by checking the "Optimize URL Logging" box in the resource.