https://community.checkpoint.com/t5/Firewall-and-Security-Management/HTTPS-Inspection-in-SmartEvent-shows-no-data/m-p/162610#M70407 <P>I opened a SR with TAC. I'll update this thread when they find anything useful.</P> Mon, 21 Nov 2022 07:46:44 GMT Danny 2022-11-21T07:46:44Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/HTTPS-Inspection-in-SmartEvent-shows-no-data/m-p/162462#M70403 <P>I copied the <STRONG>Rule UID </STRONG>of a<STRONG> HTTPS inspection rule</STRONG> to my clipboard.</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="image.png" style="width: 587px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/18461i882AE78A6BC09346/image-size/large?v=v2&amp;px=999" role="button" title="image.png" alt="image.png" /></span></P> <P>I'm able to filter for this UID in SmartLog, however <STRONG>I'm unable to filter for it within SmartEvent / SmartView</STRONG>.<BR /><STRONG>Is this a limitation?</STRONG>&nbsp;The behaviour is identical in every R81 / R81.10 environment I tried.</P> <P>My goal was to create SmartEvent View for HTTPS Inspection to show the top HTTPSi bypass rules etc.</P> <P>I checked&nbsp;<A href="https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&amp;solutionid=sk144192" target="_self">sk144192</A> but I found no way to use these log fields in SmartEvent:</P> <TABLE id="Unique_ID1Table" class="footnote" border="1" width="864px" cellspacing="2" cellpadding="4"> <TBODY> <TR class="SubTitle" bgcolor="#ebebeb"> <TD colspan="4" width="863px"><STRONG>Security Gateway - HTTPS Inspection Fields</STRONG></TD> </TR> <TR> <TD width="226.984px"><CODE>https_inspection_rule_id</CODE></TD> <TD width="219.594px">HTTPS Inspection Rule ID</TD> <TD width="52.9844px">string</TD> <TD width="363.438px">ID of the matched rule</TD> </TR> <TR> <TD width="226.984px"><CODE>https_inspection_rule_name</CODE></TD> <TD width="219.594px">HTTPS Inspection Rule Name</TD> <TD width="52.9844px">string</TD> <TD width="363.438px">Name of the matched rule</TD> </TR> <TR> <TD width="226.984px"><CODE>app_properties</CODE></TD> <TD width="219.594px">Additional Categories</TD> <TD width="52.9844px">string</TD> <TD width="363.438px">List of all found categories</TD> </TR> <TR> <TD width="226.984px"><CODE>resource</CODE></TD> <TD width="219.594px">Resource</TD> <TD width="52.9844px">string</TD> <TD width="363.438px">HTTPS resource<BR />Possible values: SNI or domain name</TD> </TR> <TR> <TD width="226.984px"><CODE>https_validation</CODE></TD> <TD width="219.594px">HTTPS Validation</TD> <TD width="52.9844px">string</TD> <TD width="363.438px">Precise error, describing HTTPS inspection failure</TD> </TR> <TR> <TD width="226.984px"><CODE>https_inspection_action</CODE></TD> <TD width="219.594px">Inspection Action</TD> <TD width="52.9844px">string</TD> <TD width="363.438px">HTTPS Inspection action (Inspect/Bypass/Error)</TD> </TR> </TBODY> </TABLE> <P>&nbsp;</P> <P>It seems that SmartEvent only has these two HTTPS Inspection fields:</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="image.png" style="width: 520px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/18463iB98FFD96EE3C16C7/image-size/large?v=v2&amp;px=999" role="button" title="image.png" alt="image.png" /></span></P> Fri, 18 Nov 2022 16:19:59 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/HTTPS-Inspection-in-SmartEvent-shows-no-data/m-p/162462#M70403 Danny 2022-11-18T16:19:59Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/HTTPS-Inspection-in-SmartEvent-shows-no-data/m-p/162489#M70404 <P>Did you try just filtering on the rule UUID? (Treating it like a regular Access Policy rule)</P> Fri, 18 Nov 2022 19:53:53 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/HTTPS-Inspection-in-SmartEvent-shows-no-data/m-p/162489#M70404 PhoneBoy 2022-11-18T19:53:53Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/HTTPS-Inspection-in-SmartEvent-shows-no-data/m-p/162517#M70405 <P>That's what I did. Filtering the rule UID works in SmartLog,</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="image.png" style="width: 663px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/18467iB3E6DA7B5BE90068/image-size/large?v=v2&amp;px=999" role="button" title="image.png" alt="image.png" /></span></P> <P>but doesn't return anything in SmartEvent.</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="image.png" style="width: 663px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/18470i5DC6DE5A9CC9F18B/image-size/large?v=v2&amp;px=999" role="button" title="image.png" alt="image.png" /></span></P> Fri, 18 Nov 2022 23:09:02 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/HTTPS-Inspection-in-SmartEvent-shows-no-data/m-p/162517#M70405 Danny 2022-11-18T23:09:02Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/HTTPS-Inspection-in-SmartEvent-shows-no-data/m-p/162526#M70406 <P>Never really played around with https inspection filters in smart event, but will check next week. Yes, UUID does work in regular log filters.</P> Fri, 18 Nov 2022 23:47:12 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/HTTPS-Inspection-in-SmartEvent-shows-no-data/m-p/162526#M70406 the_rock 2022-11-18T23:47:12Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/HTTPS-Inspection-in-SmartEvent-shows-no-data/m-p/162610#M70407 <P>I opened a SR with TAC. I'll update this thread when they find anything useful.</P> Mon, 21 Nov 2022 07:46:44 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/HTTPS-Inspection-in-SmartEvent-shows-no-data/m-p/162610#M70407 Danny 2022-11-21T07:46:44Z