Log reporting

dupacv — Tue, 17 Aug 2021 20:07:28 GMT

Hi,

I'm new here with this subject but I can't find solution so I'm trying it here. I have R80.40 and my goal is to create the report where I can see communication of source IP addresses with hit counts and actions to specific destination IP on specific destination port. Let's say I just want to see simple list of sources communicating to some specific DNS server.

I was able to do something like that in reports but problem is that I can't see the data like in "Logs" page (many and many lines) but I only see something different - it looks like it somehow do some security report from blades but it ignores all accepted communication from firewall and filtering to firewall blade shows some "nonsense" (probably not nonsense - there is probably reason why it shows something like that - but from my point of view it looks like nonsense when I see drop from only one source but in Log window I can see drop from hundreds of sources in one hour range ... ). But I need that too (to see accepted communication too) so I can see that there is for example communication from 192.168.1.2 and a few other sources to some DNS like 10.10.10.10. So for example between 192.168.1.2 and DNS server the communication was accepted in X logs but for example between another IP it was dropped Y times etc.

Is something like that possible in reports (show some access statistic table with sorted data from "Logs" table)? I saw some materials like: https://sc1.checkpoint.com/documents/R80.40/WebAdminGuides/EN/CP_R80.40_LoggingAndMonitoring_AdminGuide/Front-Matter/Front-Matter-How-to-Search-in-this-Book.htm?tocpath=_____1 but I couldn't find solution for my goal. So I just did some filter in "Logs" page and exported that query to MS Excel and did what I want in Excel. The result was what I needed but it would be much easier if it was possible in reports just to filter log to some destination IPs, port:53 and sort it by source with Log counts and action. So I can see for example 400 lines with hits to my query and not 1000+ of logs with zero informational value without some calculus. Is it possible to make something like that in report tool?

Thank you for advices,

Re: Log reporting

PhoneBoy — Tue, 17 Aug 2021 21:17:34 GMT

Firewall connection logs are not indexed by default.
That can be addressed via: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk143853

Re: Log reporting

dupacv — Wed, 18 Aug 2021 05:06:36 GMT

That's it, thank you!

topic Re: Log reporting in Firewall and Security Management

Log reporting

Re: Log reporting

Re: Log reporting

Re: Log reporting