Matt_Ricketts
Employee

In search of a SmartEvent view based on Src/Dst Countries

I need a report/view for SmartEvent based on the Source and Destination Country. I started building one view using the Map and Chart widgets, but I figured I would ask if anyone had already done this and would like to share their template so I'm not recreating the wheel.

5 Replies
Kfir_Dadosh
Collaborator

It should be fairly easy to do it.

What other information would you like to show in this view? Attacks? Traffic? Users?

0 Kudos
Vladimir
Champion

Kfir, how do you query logs by country?

src:Russian Federation returns the accurate data, but with a yellow error bar stating that "Russian could not be resolved to IP Address".

dst:Israel and src:Canada do not return anything.

I thought that CP was using a .csv for IP range to country resolution and thus it could not be called directly.

Thank you,

Vladimir 

0 Kudos
ED
Advisor

Do you think that this script from Heiko Ankenbrand could help you by using dynamic objects with IP ranges of the individual countries?

https://community.checkpoint.com/docs/DOC-2872

A Dynamic Object is created on the gateway that contains all IP addresses of the appropriate country (in a cluster, run on both gateways). Next, you create a dynamic object with the same name in the management server.

It's not a supported CheckPoint solution. 

0 Kudos
Kfir_Dadosh
Collaborator

"src" field is only for IPs, networks and object names.

In your case, my guess is that it failed to search for "Russian", thus the warning, but it "free text" searched the word Federation, which is unique for your country.

For searching countries you should use "src_country" and "dst_country".

Paul_Gademsky
Employee

This doesn't seem to work in R80.20. Next suggestion? 'geo:' seems to work to some extent.

 

Paul G.

0 Kudos
