Ants
Contributor

R80.10 Smartview Reports not showing allowed traffic

Hi All,

R80.10 open server; the management server is also running the Log Server/SmartEvent.
Having an issue with running reports at the moment.

Using Filter - 'service=ssh'

Within SmartView logs I can see the logs all fine (accept/drop, etc.).
But when running a report, it doesn't show 'ssh' packets that were accepted/allowed; it shows only dropped ssh packets.
It appears I cannot get a report on packets that are allowed/accepted.
In my normal logs I can see them, but in the report it shows nothing for accept/allow. I have only one filter (service = ssh) defined, and nothing being inherited that I can see that would cause accept/allowed to be omitted.

Running the pre-defined report - Network Activity - Access control.

In my SmartEvent policy config I have 'Firewall Session' checked under 'Event Policy -> Consolidation Sessions'.

Any ideas?
Thanks in advance.

4 Replies
Timothy_Hall
Champion

There are two different services representing SSH (i.e. ssh, ssh_version_2), try matching against port 22 in your report filter.

--
Second Edition of my "Max Power" Firewall Book
Now Available at http://www.maxpowerfirewalls.com


Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com
Ants
Contributor

Thanks, but it's not that.

It shows the correct service, but it only shows blocked traffic for that service, not allowed traffic. So it is as if somewhere there is a hard-coded filter that excludes allow/accept for services, yet the only filter is for ssh, nothing else.

Thanks

PhoneBoy
Admin

I'm guessing SSH is being treated as a "connection" and not a "session."

As such, this thread is likely relevant: https://community.checkpoint.com/message/14475-re-creating-reports-with-tracking-per-connection 

Ants
Contributor

Issue resolved. It appears to have been related to the correlation unit not being able to talk to the log server (all on one box; it was a separate issue being investigated).

We have a log aggregator pulling logs using LEA clear text on custom port 18185 and sending them to the ArcSight SIEM.

And then the correlation unit was not able to connect on 18184 using SSL.

So after changing LEA to auth port 18184, reinstalling the database, then evstop/evstart, it was able to connect, which fixed 2 issues for me. Now I can see accept/allowed traffic in reports, and both LEA clear text and SSL are working, which is a bonus also.

It was weird that it was showing blocked/drop traffic but not allow/accept when the correlation unit could not connect.

Anyway, all good. Thanks.
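The fix above came down to which OPSEC/LEA ports the log server was actually accepting connections on (18184, the LEA port the correlation unit uses over SSL, versus the custom clear-text port 18185 the aggregator was on). The script below is an added example, not something posted in this thread or shipped by Check Point: it parses a `netstat -tan` style listing to report whether those two ports are in LISTEN state and how many connections are established to each, and offers a plain TCP probe for a live box. The `netstat` output embedded in it is constructed sample data; the only Check Point-specific assumption is that 18184 and 18185 are the ports the thread names.

```shell
#!/bin/bash
# Added example (not from the thread): check the LEA listeners on a Check Point
# log server before chasing SmartEvent report settings. Ports are the ones the
# thread names: 18184 (LEA, used over SSL by the correlation unit) and 18185
# (the custom clear-text LEA port the aggregator used).
# SAMPLE_LISTING is CONSTRUCTED netstat-style output so the script runs offline.
SAMPLE_LISTING='tcp        0      0 0.0.0.0:18184           0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:18185           0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:18190           0.0.0.0:*               LISTEN
tcp        0      0 10.0.0.5:18185          10.0.0.9:51234          ESTABLISHED'

# listening_ports <listing>: distinct local TCP ports in LISTEN state, sorted.
# $4 is the local address column; split on ':' and take the last piece so
# IPv6 addresses are handled too.
listening_ports() {
  printf '%s\n' "$1" | awk '$NF=="LISTEN" { n=split($4,a,":"); print a[n] }' | sort -n | uniq
}

# port_listening <listing> <port>: succeed if <port> is listening.
port_listening() {
  listening_ports "$1" | grep -qx "$2"
}

# established_on <listing> <port>: number of ESTABLISHED connections to <port>.
established_on() {
  printf '%s\n' "$1" | awk -v p="$2" \
    '$NF=="ESTABLISHED" { n=split($4,a,":"); if (a[n]==p) c++ } END { print c+0 }'
}

# tcp_probe <host> <port> [timeout]: plain TCP connect via bash /dev/tcp (no TLS,
# so it only proves the port answers). Returns 0 on connect, non-zero otherwise.
# Meant for a live box, not the offline sample.
tcp_probe() {
  local host=$1 port=$2 t=${3:-3}
  timeout "$t" bash -c "exec 3<>/dev/tcp/$host/$port" 2>/dev/null
}

# check_lea_ports <listing>: report both ports from the thread; non-zero exit if
# either is not listening.
check_lea_ports() {
  local listing=$1 p status=0
  for p in 18184 18185; do
    if port_listening "$listing" "$p"; then
      echo "port $p: LISTEN ($(established_on "$listing" "$p") established)"
    else
      echo "port $p: NOT listening"
      status=1
    fi
  done
  return $status
}

# On the log server itself you would run:  check_lea_ports "$(netstat -tan)"
check_lea_ports "$SAMPLE_LISTING"
```

If 18184 is missing from the LISTEN set, the correlation unit has nothing to connect to and SmartEvent-driven reports will be empty or partial regardless of the report filter, which matches the symptom the thread ended on; `tcp_probe <log-server> 18184` from the SmartEvent host tells you whether a firewall or routing issue is in the way as well.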
