https://community.checkpoint.com/t5/Firewall-and-Security-Management/Auditing-changes-in-FW/m-p/258057#M50606 <P>Hey bro,</P> <P>Smart console changes would be via audit logs, but something like what you described probably either smart event, or /var/log/audit dir.</P> <P>Andy</P> Tue, 23 Sep 2025 22:56:26 GMT the_rock 2025-09-23T22:56:26Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Auditing-changes-in-FW/m-p/258056#M50605 <P>Hello, Mates</P> <P>Is it possible to “observe” all the changes made by an administrator from the CLI of a FW?</P> <P>For example, if an administrator changes a route, edits an interface, adds a new interface, configures SNMPv2, configures OSPF... all this from the CLI of a FW...</P> <P>Is it possible to review this activity performed by an administrator in the logs? Or is it stored somewhere else on the device?</P> <P>Thanks for your comments.</P> Tue, 23 Sep 2025 22:54:10 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Auditing-changes-in-FW/m-p/258056#M50605 Matlu 2025-09-23T22:54:10Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Auditing-changes-in-FW/m-p/258057#M50606 <P>Hey bro,</P> <P>Smart console changes would be via audit logs, but something like what you described probably either smart event, or /var/log/audit dir.</P> <P>Andy</P> Tue, 23 Sep 2025 22:56:26 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Auditing-changes-in-FW/m-p/258057#M50606 the_rock 2025-09-23T22:56:26Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Auditing-changes-in-FW/m-p/258058#M50607 <P>On a second thought bro, I know our company uses syslog server for these things, when say someone logs into the firewall, we do get an alert about it.</P> <P>Andy</P> Tue, 23 Sep 2025 23:15:37 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Auditing-changes-in-FW/m-p/258058#M50607 the_rock 2025-09-23T23:15:37Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Auditing-changes-in-FW/m-p/258060#M50608 <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="1 (5).png" style="width: 999px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/31518i496834261939C452/image-size/large?v=v2&amp;px=999" role="button" title="1 (5).png" alt="1 (5).png" /></span></P> <P>Otherwise you would check&nbsp;<SPAN>/var/log/messages</SPAN></P> Tue, 23 Sep 2025 23:16:33 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Auditing-changes-in-FW/m-p/258060#M50608 Chris_Atkinson 2025-09-23T23:16:33Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Auditing-changes-in-FW/m-p/258063#M50610 <P>Hi, <a href="https://community.checkpoint.com/t5/user/viewprofilepage/user-id/3630">@Chris_Atkinson</a>&nbsp;<BR /><BR />Does this configuration shown in your image also apply when changes are made via CLI on a firewall?</P> <P>If a change is successful, for example when you “delete” several VLANs, should we be able to see these changes in the SmartConsole Audit Logs?</P> Tue, 23 Sep 2025 23:38:01 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Auditing-changes-in-FW/m-p/258063#M50610 Matlu 2025-09-23T23:38:01Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Auditing-changes-in-FW/m-p/258064#M50611 <P>Hey brother...keep in mind, those changes will NOT show up in smart console audit logs, because thats ONLY for changes made in smart console by default. However, you can make it work the way&nbsp;<a href="https://community.checkpoint.com/t5/user/viewprofilepage/user-id/3630">@Chris_Atkinson</a>&nbsp;posted, you just need to add mgmt server in remote system logging tab. Im sure you know that by default, fw logs will be sent to the management, but not ones you are referring to, unless you set this up first.</P> <P>I had done that before in the lab and was fine.</P> <P>Andy</P> Tue, 23 Sep 2025 23:44:07 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Auditing-changes-in-FW/m-p/258064#M50611 the_rock 2025-09-23T23:44:07Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Auditing-changes-in-FW/m-p/258071#M50612 <P>The audit logs are explicitly for any changed made by CLI on the system. So yes. We recommend you send them to syslog and then configure central syslog server to store them all in one place, so save you having to trawl the messages files on the systems and hope the entries you want haven't rotated away.</P> Wed, 24 Sep 2025 02:08:04 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Auditing-changes-in-FW/m-p/258071#M50612 emmap 2025-09-24T02:08:04Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Auditing-changes-in-FW/m-p/258075#M50613 <P>You need to implement&nbsp;sk99134 or you will not know what your privileged users are doing</P> <P>/Henrik</P> Wed, 24 Sep 2025 06:18:55 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Auditing-changes-in-FW/m-p/258075#M50613 Henrik_Noerr1 2025-09-24T06:18:55Z