kb1 (Collaborator)

Have a query regarding SmartEvent

Hello Everyone,

 

So I have a doubt regarding port scans in SmartEvent. We have been getting a lot of port scans over the past month or so, and I'm planning to block the activity if it's detected by our internet firewalls using SmartEvent. This post is what I came across:

https://community.checkpoint.com/t5/IPS-Anti-Virus-Anti-Bot-Anti/How-can-I-avoid-quot-Host-Port-quot...

According to the first reply by Vladimir, his screenshot shows blocking the source IP as well as the event activity. Now, if I do select that option, will it completely block the IP, or will it only block the scanning attempt (which I'm assuming the "block event activity" option is responsible for)? I'll also include a picture of what I'm talking about below:

[Image: Inkedsmartevent_LI.jpg]

Also, how do I install the policy on the firewall? I have pressed the Save button at the top, so I'm assuming it gets saved on the management server. Do I need to install it on the firewall as well?

Thank You.

5 Replies
PhoneBoy (Admin)

It blocks the source IP entirely for the configured time.
In this case, it's not the firewall policy that needs installing, it's the Event Policy on the SmartEvent server (e.g. Actions > Install Event Policy).

kb1 (Collaborator)

So I did install the policy on SmartEvent, but shouldn't the changes be made on the firewall as well? Like, how will the firewall know about these changes? Or am I thinking about it wrongly here?

PhoneBoy (Admin)

The block is done through a SAM rule, which doesn’t show in the Access Policy.
The CLI command fw sam with appropriate arguments should show the active SAM rules.
If you’re not seeing the appropriate rules getting created please engage with the TAC.

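As an added example (not code from this thread, nor Check Point's own implementation), the following Python script models what the two replies above describe: a simple threshold-based port-scan and host-sweep detection run over constructed firewall log records, and, for each offending source, the `fw sam -I src <ip>` command that a "Block source IP" reaction effectively issues on the gateway. The point it makes concrete is that a SAM inhibit on `src <ip>` blocks every packet from that address until the timeout expires, not just the scanning connections, and that it lives outside the Access Control policy. The log format, the thresholds, the 60-second window and the 3600-second timeout are all assumptions chosen for the demonstration.

```python
"""Added example: threshold-based port-scan / host-sweep detection over
constructed firewall log records, producing the `fw sam` commands that a
"Block source IP" automatic reaction amounts to.  Not Check Point code;
the log format, thresholds, window and timeout are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta


def build_sample_logs():
    """Constructed sample records (not real logs), one 'time src dst dport' per line."""
    lines = []
    t0 = datetime(2024, 1, 1, 10, 0, 0)
    # 10.0.0.5 probes 16 ports on a single host within 30 s: a host port scan.
    for i, port in enumerate(range(20, 36)):
        lines.append(f"{(t0 + timedelta(seconds=2 * i)).isoformat()} 10.0.0.5 192.168.1.10 {port}")
    # 10.0.0.7 probes port 22 on 12 different hosts within 30 s: a host sweep.
    for i in range(1, 13):
        lines.append(f"{(t0 + timedelta(seconds=2 * i)).isoformat()} 10.0.0.7 192.168.1.{i} 22")
    # 10.0.0.9 makes three ordinary connections and must not be flagged.
    for i, (dst, port) in enumerate([("192.168.1.20", 443), ("192.168.1.21", 443), ("192.168.1.20", 80)]):
        lines.append(f"{(t0 + timedelta(seconds=10 * i)).isoformat()} 10.0.0.9 {dst} {port}")
    return "\n".join(lines)


def parse_logs(text):
    """Parse the simplified record format into (time, src, dst, dport) tuples, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport = line.split()
        events.append((datetime.fromisoformat(ts), src, dst, int(dport)))
    events.sort()
    return events


def detect_scans(events, window=timedelta(seconds=60), port_threshold=10, host_threshold=10):
    """Return {src_ip: set(reasons)} for sources that, within any trailing window,
    touched >= port_threshold distinct ports on one host (host port scan) or
    >= host_threshold distinct hosts on one port (host sweep)."""
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev[1]].append(ev)
    findings = defaultdict(set)
    for src, evs in by_src.items():
        for i, (t_end, _, _, _) in enumerate(evs):
            # Trailing window ending at this event (events are time-sorted).
            recent = [e for e in evs[:i + 1] if t_end - e[0] <= window]
            ports_per_dst = defaultdict(set)
            hosts_per_port = defaultdict(set)
            for _, _, dst, dport in recent:
                ports_per_dst[dst].add(dport)
                hosts_per_port[dport].add(dst)
            if any(len(p) >= port_threshold for p in ports_per_dst.values()):
                findings[src].add("host_port_scan")
            if any(len(h) >= host_threshold for h in hosts_per_port.values()):
                findings[src].add("host_sweep")
    return dict(findings)


def sam_block_commands(findings, timeout=3600):
    """One `fw sam` line per offending source.  `-I src <ip>` inhibits all traffic
    from that address and closes its existing connections until `-t` seconds
    elapse: the whole IP is blocked, not only the scanning attempt.  The SAM
    rule is enforced by the gateway and never appears in the Access Control
    policy, which is why installing that policy changes nothing here."""
    return [f"fw sam -t {timeout} -I src {ip}" for ip in sorted(findings)]


if __name__ == "__main__":
    found = detect_scans(parse_logs(build_sample_logs()))
    for ip, reasons in sorted(found.items()):
        print(ip, sorted(reasons))
    print("\n".join(sam_block_commands(found)))
```

Run as-is, it flags 10.0.0.5 (host port scan) and 10.0.0.7 (host sweep), leaves 10.0.0.9 alone, and prints the two `fw sam -t 3600 -I src ...` lines. On a real gateway, the active SAM rules can be listed with `fw sam -M -ijn all` and all of them cancelled with `fw sam -D`; in the SmartEvent case the rules are created by the Event Policy's automatic reaction rather than typed by hand, so those two commands are the quickest way to confirm whether the reaction actually fired.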
kb1 (Collaborator)

So, on the Global Exclusion rule, which was there by default, as you can see below:

[Image: smart.png]

It is ticked and source and destination are "Any". Does that mean that all logs will be excluded from event processing, as explained in the image? So do I have to untick that?

 

kb1 (Collaborator)

So we got another internal sweep alert with destination port 22, which means the configuration didn't work?? What else do I need to do to make it work? I have installed the Access Control policy, and apparently that didn't do anything for the changes.
