This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
kb1
Collaborator
‎2020-10-27 11:47 AM

Have a query regarding smartevent

Hello Everyone,

 

So i have a doubt regarding port scans in smart event, so we have been getting a lot of port scans over the past month or so and im planning to block the activity if its the detected by our internet firewalls using smart event, now this post is what i came across-

https://community.checkpoint.com/t5/IPS-Anti-Virus-Anti-Bot-Anti/How-can-I-avoid-quot-Host-Port-quot...

And according to the first reply by Vladimir he shows in his screenshot to block source ip as well including the event activity, now if i do select that option will it completely block the ip? or will it only block the scanning attempt (which im assuming the "block event activity" is responsible for)? ill also include the pic of what I'm talking about below:

Inkedsmartevent_LI.jpg

Also how do i install the policy on the firewall? i have pressed the save button on the top so im assuming it gets saved on the management server, now do i need to install on the firewall as well?

Thank You.

0 Kudos
5 Replies
PhoneBoy
Admin
Admin
‎2020-10-27 01:38 PM

It blocks the source IP entirely for the configured time.
In this case, it's not the firewall policy that needs installing, it's the Event Policy on the SmartEvent server (e.g. Actions > Install Event Policy).

0 Kudos
kb1
Collaborator
‎2020-10-27 01:43 PM
In response to PhoneBoy

So i did install the policy on smartevent but shouldnt the changes be made on the firewall as well? like how will the firewall know about these changes? or am i thinking it wrong here?

0 Kudos
PhoneBoy
Admin
Admin
‎2020-10-27 05:39 PM
In response to kb1

The block is done through a SAM rule, which doesn’t show in the Access Policy.
The CLI command fw sam with appropriate arguments should show the active SAM rules.
If you’re not seeing the appropriate rules getting created please engage with the TAC.

0 Kudos
kb1
Collaborator
‎2020-10-27 07:53 PM
In response to PhoneBoy

so on the global exclusion rule as you can see below which was by default-

 

smart.png

So it is ticked and source and destination are "any" does that mean that all logs will be excluded from event processing as explained below in the image? so do i have to untick that?

 

0 Kudos
kb1
Collaborator
‎2020-10-27 04:02 PM
In response to PhoneBoy

so we got another internal sweep alert with destination port 22 which means the configuration didnt work?? what else do i need to do to make it work?i have installed access control policy and apparently that didnt do anything for the changes.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events