SantosJoao
Participant

Too few data on SmartView Reports

Hello All,

I was generating a report for one of our domains, and I could see that the report returned too little data compared to the logs for the same timespan. In comparison, for another domain that we also have, the report showed all the expected data. Have you already faced something like this? I tried to generate the logs both on SmartView and SmartConsole and the outcome was the same; I removed any filters, but the behavior continues. This is a multi-domain environment, and these two domains I mentioned are managed by the same Manager.

 

Attached are some screenshots showing the issue. They were all filtered for the last 24 hours, and in that example, the host with Brazil's flag on the report returned 1 log, but the logs view returned many more.

 

 

0 Kudos
8 Replies
PhoneBoy
Admin

Version/JHF of management?
What is the nature of the rules related to the traffic you're trying to run reports on?
Specifically, are they rules that involve Applications (versus Services)?

0 Kudos
SantosJoao
Participant

Hello PhoneBoy,

The version is R81.10 JHF take 150. The report in this case is the Network Activity standard report that came with the box; it's being used to get details from the firewall blade and firewall rules.

0 Kudos
the_rock
Legend

I found in the lab, since I run dedicated SmartEvent, there were way more options when I upgraded to R81.20 originally. Now, it's on jumbo 76, so definitely something to think about.

If there is a specific report you want me to test, please let me know.

Andy

0 Kudos
PhoneBoy
Admin

Firewall Blade meaning only simple TCP/UDP services in your rulebase, correct?
Activity with these rules is not indexed by SmartEvent by default.
Ensure that firewall sessions are enabled on the various rules by right-clicking on the Track field and enabling the appropriate checkbox.

0 Kudos
SantosJoao
Participant

Hello Guys,

Thanks for the reply. 

That's right, the report that I'm trying to generate is using the rule based on TCP/UDP ports.

I've checked here, most of the rules are with the log option enabled. I could see that some of the options you have checked I don't have; however, I could see on the report that there is more data for blocked packets than for accepted, and the deny rules are using the same log options as the accept rules.

 


0 Kudos
the_rock
Legend

You need to check "accounting" to see it all.

Andy


0 Kudos
SantosJoao
Participant

Hello the_rock

Sorry for the long time without reply. The folks that manage these firewalls are applying the accounting option. I will post here later if it worked.

0 Kudos
the_rock
Legend

No problem!

0 Kudos
