Employee+
Employee+

In search of a SmartEvent view based on Src/Dst Countries

I need a report/view for SmartEvent based on the Source and Destination Country. I started building one view using the Map and Chart widgets, but I figured I would ask if anyone had already done this and would like to share their template so I'm not recreating the wheel.

6 Replies

Re: In search of a SmartEvent view based on Src/Dst Countries

I can tell you one really true fact: You can be sure that I did not create such a template.

0 Kudos
Employee+
Employee+

Re: In search of a SmartEvent view based on Src/Dst Countries

It should be fairly easy to do it.

What other information would you like to show in this view? Attacks? Traffic? Users?

0 Kudos
Vladimir
Pearl

Re: In search of a SmartEvent view based on Src/Dst Countries

Kfir, how do you query logs by country?

src:Russian Federation returns the accurate data, but with a yellow error bar stating that "Russian could not be resolved to IP Address".

dst:Israel and src:Canada do not return anything.

I thought that CP was using a .csv for IP range to country resolution and thus it could not be called directly.

Thank you,

Vladimir 

0 Kudos
ED
Silver

Re: In search of a SmartEvent view based on Src/Dst Countries

Do you think that this script from Heiko Ankenbrand could help you by using dynamic objects with IP ranges of the individual countries?

https://community.checkpoint.com/docs/DOC-2872

A Dynamic Object is created on the gateway that contains all IP addresses of the appropriate country (in a cluster, run on both gateways). Next you create a dynamic object with the same name in the management server.

It's not a supported CheckPoint solution. 

0 Kudos
Employee+
Employee+

Re: In search of a SmartEvent view based on Src/Dst Countries

"src" field is only for IPs, networks and object names.

In your case, my guess is that it failed to search for "Russian", thus the warning, but "free text" searched the word Federation, which is unique for your country.

For searching countries you should use "src_country" and "dst_country".

Re: In search of a SmartEvent view based on Src/Dst Countries

This doesn't seem to work in R80.20. Next suggestion? 'geo:' seems to work to some extent.

 

Paul G.

0 Kudos