This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
WarpTeam
Participant
‎2024-04-15 02:20 AM

how to see logs on smartevent only from a specific CMA of the MDSM

Hello,

We have made a deployment of a MDSM, log server and Smartevent. I´ve installed the smartevent in the global domain and a log server for each of the CMAs. Everything is working properly but when the administrators connect to the smartevent, they can see logs from all of the CMAs. This must be changed in a way that they can only see logs from their specific CMA.

Can anyone give me some insight on how to accomplish this?

Thank you .

Nuno

0 Kudos
5 Replies
Peter_Lyndley
Advisor
Advisor
‎2024-04-15 03:56 AM

Normally, the way I have seen it done before.... the administrators of SmartEvent, are global administrators and therefore its ok for them to set up SmartEvent with a view on all CMAs.

Then to view the data and create reports, you are doing this through a single CMA/SmartConsole so each person setting up reports is connecting to a single CMA (or more if they are superuser)

I dont see any need for an individual administrator for each CMA on SmartEvent unless you have a very specific scenario.

I dont believe it would be possible without an RFE (Request for Enhancement) via your local Check Point SE

0 Kudos
WarpTeam
Participant
‎2024-04-15 04:28 AM
In response to Peter_Lyndley

I see your point but indeed the customer needs to see only the logs and events for the specific CMA he manages. For me this makes sense for a question of privacy and also to be more simple to make queries over the traffic that comes from each CMA.

PhoneBoy
Admin
Admin
‎2024-04-15 09:00 AM
In response to WarpTeam

You can set up a hard-coded filter on the server side for the relevant user.
This will ensure they only will be able to see logs from the relevant gateways;
https://community.checkpoint.com/t5/Management/Limited-Permission-Profile/m-p/32868 

WarpTeam
Participant
‎2024-04-18 04:00 AM
In response to PhoneBoy

Hello PhoneBoy,

I´ve tried that with the following syntaxe:

<emailServer/>
<_timestamp_><![CDATA[2024-03-12T12:04:00Z]]></_timestamp_>
<filter><![CDATA[orig:FW-1 OR orig:FW-2 OR orig:CLU_FW]]
<field><![CDATA[user]]></field>
<value><![CDATA[silva.af]]></value>
</filter>
</user>
</users>

 

But the user still can see the logs from all the gateways in smartevent.

Any idea?

Thank you.

0 Kudos
PhoneBoy
Admin
Admin
‎2024-04-18 09:51 AM
In response to WarpTeam

Your syntax is incorrect...you should use origin instead of orig.

0 Kudos
Upcoming Events

    Sort by:
    CheckMates Events
    Top