
An internal router is sending UDP keep-alive packets that are being encapsulated with GRE and sent through
your R77 Security Gateway to a partner site. A rule for GRE traffic is configured for ACCEPT/LOG. Although
the keep-alive packets are being sent every minute, a search through the SmartView Tracker logs for GRE
traffic only shows one entry for the whole day (early in the morning after a Policy install).
Your partner site indicates they are successfully receiving the GRE encapsulated keep-alive packets on the
1-minute interval.
If GRE encapsulation is turned off on the router, SmartView Tracker shows a log entry for the UDP keep-alive
packet every minute.
Which of the following is the BEST explanation for this behavior?

The setting Log does not capture this level of detail for GRE. Set the rule tracking action to Audit since
certain types of traffic can only be tracked this way.

The log unification process is using a LUUID (Log Unification Unique Identification) that has become
corrupt. Because it is encrypted, the R77 Security Gateway cannot distinguish between GRE sessions. This
is a known issue with GRE. Use IPSEC instead of the non-standard GRE protocol for encapsulation.

The Log Server log unification process unifies all log entries from the Security Gateway on a specific
connection into only one log entry in the SmartView Tracker. GRE traffic has a 10 minute session timeout,
thus each keep-alive packet is considered part of the original logged connection at the beginning of the day.

The Log Server is failing to log GRE traffic properly because it is VPN traffic. Disable all VPN configuration
to the partner site to enable proper logging.
