Ants
Iron

R80.10 Smartview Reports not showing allowed traffic

Hi All,

R80.10 Openserver - Mngmt running Log Server/Smartevent also
Having an issue with running reports atm..

Using Filter - 'service=ssh'

Within Smartview logs I can see logs all fine.. accept/drop etc etc
But when running a report however it doesn’t show 'ssh' packets accepted/allowed.. but shows only ssh dropped packets.
It appears I cannot get a report on packets that are allowed/accepted etc..
In my normal logs I can see them.. but in the report.. it shows nothing for accept/allow. I have only one filter (service = ssh) defined and nothing being inherited also that I can see that will exclude accept/allowed from being omitted.

Running the pre-defined report - Network Activity - Access control.

In my SmartEvent policy config I have ‘Firewall Session’ checked under 'Event Policy -> Consolidation Sessions'

Any ideas?
thanks in adv

4 Replies

Re: R80.10 Smartview Reports not showing allowed traffic

There are two different services representing SSH (i.e. ssh, ssh_version_2), try matching against port 22 in your report filter.

--
Second Edition of my "Max Power" Firewall Book
Now Available at http://www.maxpowerfirewalls.com

"IPS Immersion Training" Self-paced Video Class
Now Available at http://www.maxpowerfirewalls.com
Ants
Iron

Re: R80.10 Smartview Reports not showing allowed traffic

Thanks.. but not that.

It shows the correct service.. but it only shows blocked traffic for that service.. not allowed traffic.. so it is as if somewhere there is a filter hard coded that excludes services for allow/accept.. yet the filters are only for ssh.. nothing else.

thanks

Admin
Admin

Re: R80.10 Smartview Reports not showing allowed traffic

I'm guessing SSH is being treated as a "connection" and not a "session."

As such, this thread is likely relevant: https://community.checkpoint.com/message/14475-re-creating-reports-with-tracking-per-connection 

Ants
Iron

Re: R80.10 Smartview Reports not showing allowed traffic

Issue resolved - it appears to have been related to the correlation unit not able to talk to the log server (all on one box and was a separate issue being investigated)

We have a log aggregator pulling logs using LEA cleartext on custom port 18185 and sending it to ArcSight SIEM.

And then the Correlation unit was not able to connect on 18184 using SSL.

So after changing LEA to auth port 18184, reinstalling the database then evstop/evstart it was able to connect which fixed 2 issues for me.. so now I can see accept/allowed traffic in reports.. both LEA clear text and SSL is working which is a bonus also.

Was weird that it was showing blocked/drop traffic but not allow/accept when the correlation unit cannot connect.. 

anyways.. all good. thanks
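
A check for the LEA listener state described in the resolution above, as an added example that is not part of the thread. It assumes the LEA settings are `lea_server auth_port N` / `lea_server port N` lines in `$FWDIR/conf/fwopsec.conf`, with commented or missing lines meaning the defaults (SSL on 18184, cleartext off); the function names and the "before" sample values are constructed for illustration.

```shell
#!/bin/sh
# Added example. Assumption: LEA listeners are set by "lea_server auth_port N"
# and "lea_server port N" lines in fwopsec.conf, where 0 disables a listener.

# lea_port FILE KEY -> last active value of "lea_server KEY", or "unset".
# Commented lines never match because their first field starts with '#'.
lea_port() {
    awk -v key="$2" '
        $1 == "lea_server" && $2 == key { val = $3 }
        END { print (val == "" ? "unset" : val) }
    ' "$1"
}

# check_lea FILE -> one finding per line; returns 1 when the SSL listener
# the correlation unit connects to (18184 in the thread) is not available.
check_lea() {
    auth=$(lea_port "$1" auth_port)
    clear=$(lea_port "$1" port)
    rc=0
    case "$auth" in
        unset|18184) echo "OK: authenticated (SSL) LEA on 18184" ;;
        *) echo "FAIL: lea_server auth_port is $auth, correlation unit expects 18184"
           rc=1 ;;
    esac
    case "$clear" in
        unset|0) echo "OK: no cleartext LEA listener" ;;
        *) echo "WARN: cleartext LEA on port $clear, logs leave the box unencrypted" ;;
    esac
    return $rc
}

# Constructed samples: an assumed "before" state and the "after" state from the thread.
tmp=$(mktemp -d)
printf 'lea_server auth_port 0\nlea_server port 18185\n' > "$tmp/before.conf"
printf '# defaults\nlea_server auth_port 18184\nlea_server port 18185\n' > "$tmp/after.conf"

echo "before:"
check_lea "$tmp/before.conf" || echo "-> reports may miss correlated events"
echo "after:"
check_lea "$tmp/after.conf"
```

On a management server, point `check_lea` at the real file; the WARN line is a reminder to limit the cleartext port to the log aggregator's address.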