
How to track IPS (Threat Prevention) by SNMP trap

Running R80.10, how do you "track" IPS rules hit by SNMP trap to get useful (or custom) information?

For example, I would like the following information in the trap when the IPS prevents or detects something:

Severity
Confidence Level
Attack Name
Attack Information
Performance Impact
Protection Name
Protection Type
Action

But by default, there is no real valuable information in the trap in my own humble opinion.


Accepted Solutions

Re: How to track IPS (Threat Prevention) by SNMP trap

It seems like the issue we are facing is related to sk123240 - Email alerts are truncated and missing fields:
https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...


Re: How to track IPS (Threat Prevention) by SNMP trap

If you look at your logs via the CLI (e.g. fw log -n | grep IPS), you'll see what can be sent.

You may just want to verify you get the same information by capturing it with a script using a User Defined alert.

These are set in Global Properties.

You can write a script to parse the information as required and use the snmp_trap command to send it.
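As an added illustration of the approach described in this reply (not code from the thread or from Check Point), a User Defined Alert script that pulls the IPS fields the question asks for out of the log record and forwards them in a single trap. It assumes the alert mechanism delivers the record on stdin as "Key: value;" pairs, that snmp_trap accepts -c <community> <host> <message>, and a placeholder manager address; the sample record is constructed.

```shell
#!/bin/bash
# Added example (not Check Point's code): User Defined Alert script that
# extracts the Threat Prevention fields from a log record and sends them
# in one SNMP trap. Assumptions: record arrives on stdin as "Key: value;"
# pairs; snmp_trap syntax is "snmp_trap -c <community> <host> <message>".
TRAP_HOST="${TRAP_HOST:-192.0.2.10}"        # placeholder manager address
COMMUNITY="${COMMUNITY:-public}"
SNMP_TRAP_BIN="${SNMP_TRAP_BIN:-snmp_trap}"

# Constructed sample record, used only for a self-check of the parser.
SAMPLE='Action: Prevent; Severity: High; Confidence Level: Medium-High; Attack Name: Example Attack; Attack Information: Example signature matched; Performance Impact: Low; Protection Name: Example Protection; Protection Type: IPS'

# field RECORD KEY -> value of "KEY: value;" (empty if the key is absent).
# A leading "; " and trailing ";" are added so the first and last fields
# match like the middle ones; the key must follow "; ", so "Action" never
# matches inside "Attack Information".
field() {
  printf '; %s;\n' "$1" | sed -n "s/^.*; $2: \([^;]*\);.*\$/\1/p"
}

# build_message RECORD -> one line carrying only the fields we care about,
# in the order they are most useful to an operator reading the trap.
build_message() {
  local record="$1" msg="IPS" key val
  for key in "Attack Name" "Severity" "Confidence Level" "Action" \
             "Protection Name" "Protection Type" "Performance Impact" \
             "Attack Information"; do
    val=$(field "$record" "$key")
    if [ -n "$val" ]; then msg="$msg | $key=$val"; fi
  done
  printf '%s\n' "$msg"
}

# send_trap RECORD -> forwards the summarised record to the SNMP manager.
send_trap() {
  "$SNMP_TRAP_BIN" -c "$COMMUNITY" "$TRAP_HOST" "$(build_message "$1")"
}

# When invoked by the alert mechanism, stdin carries the record; give up
# if nothing arrives within 5 seconds so a misconfigured call cannot hang.
if [ ! -t 0 ]; then
  while IFS= read -r -t 5 line; do
    [ -n "$line" ] && send_trap "$line"
  done
fi
```

Install it as the User Defined alert command in Global Properties and select that alert as the Track option of the Threat Prevention rule; the fields listed in the question then arrive in one trap message.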

Re: How to track IPS (Threat Prevention) by SNMP trap

Hello Dameon,

I'm not familiar with scripts. Could you share some info/doc/website to get started please?

Thanks!


Re: How to track IPS (Threat Prevention) by SNMP trap

The kind of scripting in question is for bash or cshell (depending on your preference).

As these are standard Unix shells that have been around for many years, there are numerous sources of information for this.

Re: How to track IPS (Threat Prevention) by SNMP trap

I just came to the same deduction. I was about to edit my post. Thank you, I'll be able to get something done with this.

Re: How to track IPS (Threat Prevention) by SNMP trap

After playing around with the "fw log" command, I discovered recently that the alert received (either by mail or by SNMP trap) for Threat Prevention Policy rules is incomplete. We are only receiving about half the log information.

And guess what? The useful information is mostly in the other half...

A service request is open in order to know how to get the full log information by alert and we are awaiting resolution.

In the meantime, if anyone has a solution, it would be appreciated!
