Are there any known issues with Checkpoint and how enabling QoS might affect the logs that are sent from the firewall to the analyzer?
We recently enabled rate-limiting on OS updates. What this means from a logging perspective is that there may be thousands of sessions that remain open for several minutes before being "accounted" by Checkpoint and the bytes transferred data logged.
Does Checkpoint send an initial log entry without bytes, and then send a second log with the total bytes transferred?
Still, I'm confused about this issue. Even prior to this, there were some very extended connection times (streaming radio stations) where connections are open for hours before closing and being accounted for... and I think the analyzer was handling those ones OK.
In short, while QoS is enabled, I can see the analyzer receiving log packets, and if I capture those log packets I can see normal amounts of byte data inside of them... but the analyzer is logging very little data (less than 5% of total data).