Logging and Reporting are major points for any security solution. In this lecture, we talk about working with logs and security reports in our Check Point environment.
New User Interface
Check Point has completely re-worked the admin user interfaces in the R80 versions. If you have some experience with previous versions (R77 and below), you can appreciate how many different utilities are now unified under Logs & Monitor tab in SmartConsole:
Let’s take a closer look. Go to Logs & Monitor and open a New Tab there. This is what you will see:
There are two default options:
- Audit Logs View – this shows all events related to administrative operations: admin logins and logouts events, configuration changes, policy and objects edits, etc. This is a standard Audit tool to track admin actions over time.
- Logs View – shows security logs generated by the various Software Blades: Firewall, Anti-Virus, IPS, etc. We have looked at some security logs multiple times in our previous lectures.
The same User Interface allows us to work with Reports and various Dashboards (Views). SmartEvent should be enabled for reporting. We will address this a bit later.
Let’s look at the security logs first. Double-click on Logs to open the view.
Working with Logs
In the log window we have all security logs sent by various Software Blades. There can be a lot of them in a busy environment. To simplify log management, Check Point uses elaborate search capabilities. There are multiple options available:
- Free text search (for example, “Microsoft”);
- Filtering by Software Blade. Enter “blade:” in the search field and then choose the one you need (Firewall, IPS, Anti-Virus, etc.);
- Predefined fields search: src, dst, action and so forth. For example: action:prevent;
- Logical operators (AND, OR, NOT).
You can combine multiple filters in a single search. You can also add a custom filter with a right click on a log field:
There are multiple pre-defined filters in the Queries menu on the left:
You can add your own filters there by pressing Ctrl+D.
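To make the filter semantics described above concrete, here is a small Python model of that search syntax run over a handful of constructed log records. It is an added example, not Check Point's code or its real query engine: the sample records, the implied AND between neighbouring terms, and the exact case-insensitive field match are assumptions of this model.

```python
import re

# Constructed sample records, loosely modelled on Check Point log fields.
# Values are illustrative; nothing here was captured from a real gateway.
SAMPLE_LOGS = [
    {"blade": "Firewall", "action": "Accept", "src": "10.0.0.5", "dst": "8.8.8.8", "service": "dns"},
    {"blade": "IPS", "action": "Prevent", "src": "198.51.100.7", "dst": "10.0.0.20", "protection": "Microsoft Windows SMB"},
    {"blade": "Anti-Virus", "action": "Prevent", "src": "10.0.0.9", "dst": "203.0.113.4", "file_name": "invoice.exe"},
    {"blade": "Firewall", "action": "Drop", "src": "203.0.113.9", "dst": "10.0.0.20", "service": "smb"},
]

# A token is a quoted phrase or a word; a word may carry a quoted value (field:"two words").
TOKEN = re.compile(r'"[^"]*"|[^\s"]+(?:"[^"]*")?')

def match_term(term, rec):
    """field:value matches one field (exact, case-insensitive; an assumption of this model).
    A bare word or quoted phrase is a free-text search across every field of the record."""
    if ":" in term and not term.startswith('"'):
        field, value = term.split(":", 1)
        return str(rec.get(field, "")).lower() == value.strip('"').lower()
    text = term.strip('"').lower()
    return any(text in str(v).lower() for v in rec.values())

def evaluate(tokens, rec):
    """OR has the lowest precedence, so the query is split into OR-groups; every term in a
    group must hold (AND is implied between neighbours); NOT negates the term after it."""
    if not tokens:  # an empty search shows every log
        return True
    groups, group = [], []
    for tok in tokens:
        if tok.upper() == "OR":
            groups.append(group)
            group = []
        elif tok.upper() != "AND":
            group.append(tok)
    groups.append(group)

    def group_holds(g):
        negate, ok = False, True
        for tok in g:
            if tok.upper() == "NOT":
                negate = True
                continue
            ok = ok and (match_term(tok, rec) != negate)
            negate = False
        return ok
    return any(group_holds(g) for g in groups if g)

def search(query, logs=SAMPLE_LOGS):
    # Return the records that match a SmartConsole-style search string.
    return [rec for rec in logs if evaluate(TOKEN.findall(query), rec)]
```

For instance, `search("blade:Firewall AND NOT action:accept")` returns only the dropped Firewall connection, while `search("Microsoft")` finds the IPS log by its protection name.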
SmartEvent
To work with Views & Reports, we need to enable the SmartEvent Software Blade on our Security Management Server:
Choose both SmartEvent Server and SmartEvent Correlation Units and press OK.
Then install the database on the Security Management Server object:
Once done, you will see Views and Reports options in Logs & Reports window.
Views
There are multiple default views available. When choosing a view, you can see a preview of the one you are selecting.
Views can be modified. You can also create your own as well as import and export them. You can play with different views in the lab, but since we only have a limited number of logs there, it is much better to run SmartConsole in Demo View when doing so.
Reports
Detailed security information can be collected and processed as Reports. Here as well, there are quite a number of pre-defined reports already available:
If required, Reports can be scheduled and sent via email.
Same as Views, Reports can be modified, customized, exported, and imported.
SmartView via a Browser
With R80.x, you can work with Logs and Views in a browser, without opening SmartConsole. This functionality is called SmartView. To access SmartView, open the following URL:
https://192.168.1.100/smartview
In the logon screen, enter your admin credentials:
Once logged in, the look and feel is very similar to SmartConsole:
The same tabs you see in Logs and Reporting in SmartConsole are available:
Browser-based SmartView is very handy when security operators need simple access to the logs and security events but do not need other administration tools. In such cases you do not need to deploy SmartConsole on their machines.
To learn more about SmartView capabilities, refer to the Check Point Infinity Talks: R80.20 log enhancements How-To video on CheckMates.
----------------------------
Authors and Contributors
Author - Evgeniy Olkov, CTO at TS Solution.
Founded in 2010, TS Solution is a fast-growing Russian company focused on integrating high-tech networking, security and server virtualization systems and technologies, along with maintenance and professional services.
Translation and editing - Valeri Loukine
Review and editing - Dameon Welch-Abernathy