Explorer

SmartView report unable to filter by rule or rule name

Hi,

I am discovering SmartViews on a SmartEvent server in version R80.30.

I have made a Dashboard with some interesting graphs and it works well. I filter the last 7 days of logs, coming from 2 members of a cluster (Origin), where the action is Drop. Perfect.

I want to add another filter using a rule to get only matching traffic from a rule.

If I add the filter Rule equals 30 I have no data found. And it is the same if I add rule:30 in the top search bar.

If I search the exact same query in SmartConsole I can use rule:30 to filter, but I cannot graph or export the results.

Would you have an idea if I am missing something or if there is a bug?

Thanks

Raphaël

7 Replies
Employee+

We had issues with the rule field in SmartView. If this is the same issue the latest JHF should fix that for you.

Tell me if this solves it.

Amir

Kind regards, Amir Senn
Explorer

Hi,

On the event server we have installed the latest JHF available for R80.30. Management is on the same versions.

Check_Point_R80_30_JUMBO_HF_Bundle_T155_sk153152_Security_Management_3_10_FULL.tgz released on February 20th

I have no other hotfix installable nor minor version.

The only package is the latest SmartConsole jumbo HF B76 available.

Thanks

Raphaël

Employee+

I tried it, it works for me.

Maybe try a different rule number to see if it returns data from other rules.

Some rules only create connection logs and those aren't indexed to SME so you won't see them even if you have data for them (you can filter on connections log in the logs view, try to see if you have matches for "rule:30 AND type:"Session" ").

You can also try and filter with rule name, maybe you'll have more luck with that. I also recommend the "custom" filter.

Amir

Kind regards, Amir Senn
Explorer

Hi,

Still no luck with rule and session, another rule does not produce any result, the problem is still present.

I already tried with the rule name, with the same result.

Thanks, I'll wait for the next Jumbo hotfix.

Raphaël

Employee+

Hi,

As Amir said, it should work without installing any other HF.

I suggest you open the general overview and drill down to firewall logs; it will be opened in a new logs window.

Add the "access rule number" to the columns and see what rule numbers exist in those logs.

Take one of them and try to apply it on the filter and see the results.

Explorer

Hi,

Thanks for the reply.

So I followed your steps, and in SmartView, in the logs, I see the logs that interest me with the filter:

(origin:FW1 OR origin:FW2) and rule:15 and action:Drop

When I make a View with the same info I have no result as soon as I add the rule filter.

Raphaël

Employee+

Thank you Raphael,

According to your description, I think your case might fall into a known issue (that is currently under investigation).

The issue is that logs that matched on an inline layer are indexed without the rule number.

Either way I suggest you open a support case with Check Point.

Thanks.
