topic Re: How to Find Who have created SAM rules. in Firewall and Security Management

How to Find Who have created SAM rules.

FirewallGyaan — Wed, 31 Aug 2022 19:26:30 GMT

Basically I like to see where details on SAM rule for user/admin who created SAM rules are stored (Not the IPs which are blocked)

I have tried to see Audit Logs, Log, Messaged Files from GW and SMS but no luck. And SAM.DAT fire is Binary file .

Re: How to Find Who have created SAM rules.

the_rock — Wed, 31 Aug 2022 19:29:58 GMT

I think audit log should show you that if you search for time frame and rule name.

Re: How to Find Who have created SAM rules.

FirewallGyaan — Wed, 31 Aug 2022 19:45:59 GMT

I did tried to add multiple Selection on Audit logs as you mentioned but no details found . I just tried to reproduce issue in my lab and same no details present anywhere. Please see attachment for Selection criteria.

Re: How to Find Who have created SAM rules.

FirewallGyaan — Wed, 31 Aug 2022 20:06:53 GMT

Incase to see issue in detail Please see video :

https://youtu.be/H4fzfgwFFDQ

Re: How to Find Who have created SAM rules.

FirewallGyaan — Thu, 01 Sep 2022 08:36:29 GMT

@PhoneBoy any suggestions here ?

Re: How to Find Who have created SAM rules.

G_W_Albrecht — Thu, 01 Sep 2022 09:22:08 GMT

According to sk112061: How to create and view Suspicious Activity Monitoring (SAM) Rules, this is only possible if:

- SAM CLI is used

- fw sam is used with option

-e <key=val>+

Specifies rule information based on the keys and the provided values.
Multiple keys are separated by the plus sign (+).
Available keys are:

name - security rule name (limited to 100 characters)
comment - security rule comment (limited to 100 characters)
originator - security rule originator's username (limited to 100 characters)

so the originator is included

---> So what you want can be achieved if SAM rules are only created by CLI scripts embedding the originator

Re: How to Find Who have created SAM rules.

PhoneBoy — Thu, 01 Sep 2022 15:56:25 GMT

If the commands were set using fw sam on the CLI within the standard clish shell, you'll see evidence of this in /var/log/messages like so:

Sep 1 13:26:13 2022 R8120EA clish[30380]: cmd by admin: Start executing : fw sam ... (cmd md5: 70c66e959afe845950934f11615fff55)
Sep 1 13:26:13 2022 R8120EA clish[30380]: cmd by admin: Processing : fw sam -D (cmd md5: 70c66e959afe845950934f11615fff55)

If it was done in SmartConsole, you might find evidence in the Audit logs in SmartConsole (haven't checked).
If it was done via expert mode, unless you've taken steps to explicitly log commands entered there, or you did something like @G_W_Albrecht pointed you to, that information is not logged anywhere, at least as far as I know.