https://community.checkpoint.com/t5/Firewall-and-Security-Management/PBR-configuration-is-missing-on-Audit-log/m-p/101274#M7932 <P>Hi Team,</P><P>One of the customer environment is running on R80.30. The Audit team found that PBR-related changes are missing in audit logs, but we can see routing changes in the audit log. If it is not possible please share audit log details related to the gateway.</P> Fri, 06 Nov 2020 07:44:17 GMT User-checkpoint 2020-11-06T07:44:17Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/PBR-configuration-is-missing-on-Audit-log/m-p/101274#M7932 <P>Hi Team,</P><P>One of the customer environment is running on R80.30. The Audit team found that PBR-related changes are missing in audit logs, but we can see routing changes in the audit log. If it is not possible please share audit log details related to the gateway.</P> Fri, 06 Nov 2020 07:44:17 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/PBR-configuration-is-missing-on-Audit-log/m-p/101274#M7932 User-checkpoint 2020-11-06T07:44:17Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/PBR-configuration-is-missing-on-Audit-log/m-p/101310#M7933 <P>I put the question on you: what precisely are you seeing versus what you expect to see?<BR />If you prefer not to share these details in public, I recommend a TAC case.</P> Fri, 06 Nov 2020 15:32:07 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/PBR-configuration-is-missing-on-Audit-log/m-p/101310#M7933 PhoneBoy 2020-11-06T15:32:07Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/PBR-configuration-is-missing-on-Audit-log/m-p/101326#M7934 <P>We are expecting if someone performs PBR-related changes should be captured in the audit log, the routing changes are captured but PBR changes are missing so if I'm not mistaken PBR related configuration changes should be captured?</P><P>Herewith I have shared my lab output..</P><P>I&nbsp;<span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="IMG.PNG" style="width: 999px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/8799iE7B55360B6AC2C7C/image-size/large?v=v2&amp;px=999" role="button" title="IMG.PNG" alt="IMG.PNG" /></span></P> Fri, 06 Nov 2020 16:39:55 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/PBR-configuration-is-missing-on-Audit-log/m-p/101326#M7934 User-checkpoint 2020-11-06T16:39:55Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/PBR-configuration-is-missing-on-Audit-log/m-p/101327#M7935 <P>The audit logs in SmartConsole will only show changes made via SmartConsole or the API.&nbsp;<BR />For OS-level changes like routing, the better place to look is /var/log/messages.</P> Fri, 06 Nov 2020 16:56:32 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/PBR-configuration-is-missing-on-Audit-log/m-p/101327#M7935 PhoneBoy 2020-11-06T16:56:32Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/PBR-configuration-is-missing-on-Audit-log/m-p/101328#M7936 <P>This is distributed architecture. The customer wants to feed routing changes, PBR related changes to the SIEM solution. So please recommend the best way to achieve this requirement. We already using log exporter to export security and audit logs to SIEM solution. But the customer is now concern about routing and PBR related changes should be captured by SIEM.</P> Fri, 06 Nov 2020 17:05:06 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/PBR-configuration-is-missing-on-Audit-log/m-p/101328#M7936 User-checkpoint 2020-11-06T17:05:06Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/PBR-configuration-is-missing-on-Audit-log/m-p/101330#M7937 <P><a href="https://community.checkpoint.com/t5/user/viewprofilepage/user-id/36401">@User-checkpoint</a>&nbsp;</P> <P>Changing PBR is a configuration change done on the gateways.</P> <P>To get this in your SIEM solution you have to export audit logs from your gateway to your SIEM or you can send these logs to your management.</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-left" image-alt="screen.png" style="width: 999px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/8800i84FFCCB90A27453D/image-size/large?v=v2&amp;px=999" role="button" title="screen.png" alt="screen.png" /></span>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>Wolfgang</P> Fri, 06 Nov 2020 17:34:06 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/PBR-configuration-is-missing-on-Audit-log/m-p/101330#M7937 Wolfgang 2020-11-06T17:34:06Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/PBR-configuration-is-missing-on-Audit-log/m-p/101331#M7938 <P>You can configure the Gaia OS to directly send its syslog message elsewhere (e.g. your SIEM solution).</P> Fri, 06 Nov 2020 17:34:07 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/PBR-configuration-is-missing-on-Audit-log/m-p/101331#M7938 PhoneBoy 2020-11-06T17:34:07Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/PBR-configuration-is-missing-on-Audit-log/m-p/101333#M7939 <P><a href="https://community.checkpoint.com/t5/user/viewprofilepage/user-id/1447">@Wolfgang</a>&nbsp;mentioned configuration already in place. but behaviour is same</P> Fri, 06 Nov 2020 18:40:37 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/PBR-configuration-is-missing-on-Audit-log/m-p/101333#M7939 User-checkpoint 2020-11-06T18:40:37Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/PBR-configuration-is-missing-on-Audit-log/m-p/101334#M7940 <P><a href="https://community.checkpoint.com/t5/user/viewprofilepage/user-id/7">@PhoneBoy</a>&nbsp; if I integrate gateway to SIEM via syslog messages, the concern is SIEM already integrated with SMS, will security logs be duplicated in SIEM solution?&nbsp;</P><P>&nbsp;</P> Fri, 06 Nov 2020 18:43:47 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/PBR-configuration-is-missing-on-Audit-log/m-p/101334#M7940 User-checkpoint 2020-11-06T18:43:47Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/PBR-configuration-is-missing-on-Audit-log/m-p/101335#M7941 <P><a href="https://community.checkpoint.com/t5/user/viewprofilepage/user-id/36401">@User-checkpoint</a>&nbsp;</P> <P>did you set a remote system logging server? This should be your SIEM or a syslog server which is forwarding these audit logs to SIEM.</P> <P>Wolfgang</P> Fri, 06 Nov 2020 19:05:03 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/PBR-configuration-is-missing-on-Audit-log/m-p/101335#M7941 Wolfgang 2020-11-06T19:05:03Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/PBR-configuration-is-missing-on-Audit-log/m-p/101336#M7942 <P><a href="https://community.checkpoint.com/t5/user/viewprofilepage/user-id/1447">@Wolfgang</a>&nbsp;This is distributed architecture, the gateway is forwarding to SMS, and SMS will forward to SIEM solution via cp log exporter, where we cannot see PBR changes even in SMS. So I need to know how to pass PBR related changelogs to the SIEM solution</P> Fri, 06 Nov 2020 19:09:58 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/PBR-configuration-is-missing-on-Audit-log/m-p/101336#M7942 User-checkpoint 2020-11-06T19:09:58Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/PBR-configuration-is-missing-on-Audit-log/m-p/101337#M7943 <P>Gaia OS logs and Security Logs are entirely separate things&nbsp;unless you've checked the "Send syslog messages to management server" option as shown above, which is not the default.<BR />Even so, if Gaia OS logs are sent to management, they may not be parsed in the most useful way, particularly if they are then sent to your SIEM.&nbsp;<BR />Highly recommend exporting those logs to your SIEM separately.</P> Fri, 06 Nov 2020 19:11:10 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/PBR-configuration-is-missing-on-Audit-log/m-p/101337#M7943 PhoneBoy 2020-11-06T19:11:10Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/PBR-configuration-is-missing-on-Audit-log/m-p/101338#M7944 <P>So this is very new to me and my team, below are the concerns, if we use a remote system logging mechanism to pass to the SIEM solution</P><P>1. which Syslog level needs to be configured to get configuration changes, login failure</P><P>2. Do we have any SK regarding Syslog field information since manual field indexing is required which manual procedure</P><P>I believe this is a common audit/SIEM integration use case when it comes to BFSI segmentation (If I'm not mistaken, PCIDSS required to capture configuration changes in SIEM)</P> Fri, 06 Nov 2020 19:19:53 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/PBR-configuration-is-missing-on-Audit-log/m-p/101338#M7944 User-checkpoint 2020-11-06T19:19:53Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/PBR-configuration-is-missing-on-Audit-log/m-p/101462#M7945 <P>I would review the messages you are interested in to determine the correct logging level as I do not know them offhand.<BR />The only document I'm aware of that describes Gaia Syslog messages is:&nbsp;<A href="https://downloads.checkpoint.com/dc/download.htm?ID=24459" target="_blank">https://downloads.checkpoint.com/dc/download.htm?ID=24459</A>&nbsp;</P> Mon, 09 Nov 2020 05:19:51 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/PBR-configuration-is-missing-on-Audit-log/m-p/101462#M7945 PhoneBoy 2020-11-09T05:19:51Z