topic Re: Have a query regarding smartevent in General Topics

Have a query regarding smartevent

kb1 — Tue, 27 Oct 2020 18:59:39 GMT

Hello Everyone,

So i have a doubt regarding port scans in smart event, so we have been getting a lot of port scans over the past month or so and im planning to block the activity if its the detected by our internet firewalls using smart event, now this post is what i came across-

https://community.checkpoint.com/t5/IPS-Anti-Virus-Anti-Bot-Anti/How-can-I-avoid-quot-Host-Port-quot-scan/td-p/18550

And according to the first reply by Vladimir he shows in his screenshot to block source ip as well including the event activity, now if i do select that option will it completely block the ip? or will it only block the scanning attempt (which im assuming the "block event activity" is responsible for)? ill also include the pic of what I'm talking about below:

Also how do i install the policy on the firewall? i have pressed the save button on the top so im assuming it gets saved on the management server, now do i need to install on the firewall as well?

Thank You.

Re: Have a query regarding smartevent

PhoneBoy — Tue, 27 Oct 2020 20:38:58 GMT

It blocks the source IP entirely for the configured time.
In this case, it's not the firewall policy that needs installing, it's the Event Policy on the SmartEvent server (e.g. Actions > Install Event Policy).

Re: Have a query regarding smartevent

kb1 — Tue, 27 Oct 2020 20:43:09 GMT

So i did install the policy on smartevent but shouldnt the changes be made on the firewall as well? like how will the firewall know about these changes? or am i thinking it wrong here?

Re: Have a query regarding smartevent

kb1 — Tue, 27 Oct 2020 23:02:20 GMT

so we got another internal sweep alert with destination port 22 which means the configuration didnt work?? what else do i need to do to make it work?i have installed access control policy and apparently that didnt do anything for the changes.

Re: Have a query regarding smartevent

PhoneBoy — Wed, 28 Oct 2020 00:39:48 GMT

The block is done through a SAM rule, which doesn’t show in the Access Policy.
The CLI command fw sam with appropriate arguments should show the active SAM rules.
If you’re not seeing the appropriate rules getting created please engage with the TAC.

Re: Have a query regarding smartevent

kb1 — Wed, 28 Oct 2020 02:53:58 GMT

so on the global exclusion rule as you can see below which was by default-

So it is ticked and source and destination are "any" does that mean that all logs will be excluded from event processing as explained below in the image? so do i have to untick that?