topic Re: Finding bandwidth use by host in network to determine hosts infected with coinminer. in General Topics

Finding bandwidth use by host in network to determine hosts infected with coinminer.

quanglnh — Tue, 07 Apr 2020 01:09:51 GMT

Hi everyone,

I suddently see my bandwidth usage peak very high, after some analyze i think my users infected with coinminer. These users dont have endpoint security but they all access Internet through check point firewall. During working time, the banwitdh usage peak very high and when the users leave office it back to normal, that why i think user's devices is infected woth coinminer. And want to find which host using most bandwidth in network. I see in Log > View a bandwitdth report but when i click of that, it just empty and no data found. I also try with other reports but just the same :'no data found' or very least infor while there is a ton of logs.
Why there is many log but so very least in report ? Or can anyone please tell me is there any other way to find a list of top host using lot bandwitdh in network with Check oint firewall ?

Thanks

Re: Finding bandwidth use by host in network to determine hosts infected with coinminer.

_Val_ — Tue, 07 Apr 2020 06:53:00 GMT

Which version are you running?

Re: Finding bandwidth use by host in network to determine hosts infected with coinminer.

quanglnh — Tue, 07 Apr 2020 07:17:40 GMT

Hi Val,

I'm running R80.20

Re: Finding bandwidth use by host in network to determine hosts infected with coinminer.

_Val_ — Tue, 07 Apr 2020 07:41:16 GMT

Look into Logging and Monitoring Admin Guide, under Traffic Monitoring.

Re: Finding bandwidth use by host in network to determine hosts infected with coinminer.

_Val_ — Tue, 07 Apr 2020 07:45:53 GMT

authentication attempts to identify possible intrusion attempts.

A Traffic view can be created to monitor the Traffic types listed in the following table.

Traffic Type	Explanation
Services	Shows the current status view about Services used through the selected gateway.
IPs/Network Objects	Shows the current status view about active IPs/Network Objects through the selected gateway.
Security Rules	Shows the current status view about the most frequently used Firewall rules. The Name column in the legend states the rule number as previously configured in SmartConsole.
Interfaces	Shows the current status view about the Interfaces associated with the selected gateway.
Connections	Shows the current status view about current connections initiated through the selected gateway.
Tunnels	Shows the current status view about the Tunnels associated with the selected gateway and their usage.
Virtual Link	Shows the current traffic status view between two gateways (for example, Bandwidth, Bandwidth Loss, and Round Trip Time).
Packet Size Distribution	Shows the current status view about packets according to the size of the packets.
QoS	Shows the current traffic level for each QoS rule.

https://sc1.checkpoint.com/documents/R80.20_GA/WebAdminGuides/EN/CP_R80.20_LoggingAndMonitoring_AdminGuide/html_frameset.htm