Logging and Reporting

Have questions about viewing logs with SmartView, generating reports with SmartEvent Event Management, or exporting logs to a SIEM with Log Exporter? This is where to ask!

Calculating log size

I have a customer that today is just FW and IPS. They are moving off their Bluecoat and will use CP for APP/URL filtering, and they will also be moving to O365 (creating more traffic than today). Today they are generating 7G of logs per day and would like to upgrade their MGT for 6 months of log retention. The $1M question is how best to calculate the increase in log size once the APP/URL/O365 takes place. Any guess would be appreciated (please show your work 🙂). Thanks
Soren_Kristense inside Logging and Reporting Friday

Compliance check for NIST 800-171

Hi, does anyone have a compliance check for NIST 800-171 that can be imported into the compliance module? Greetings, Søren Kristensen
pmetridis inside Logging and Reporting Thursday

Top Services Report - Dummy question!

Dear all, I am trying to report the DNS service, for example, from my Console Reports. I am using the default built-in report Network Activity and, for example, in the Top Services, DNS is not shown, even if I add more entries than the 10 it has by default. I also tried to make a clone of the report and make some changes, but it seems that the service DNS has no information. It's sure that I got a lot of DNS drops. Is there anywhere else it could be filtered? I am not an expert at making reports, I am still learning! Thanks in advance, Makis
Dan_Zada inside Logging and Reporting Wednesday

*New* Splunk App for Check Point Logs

Hello all, I'm happy to announce a new Splunk app for Check Point logs. Check Point brings you an advanced and real-time threat analysis and reporting tool for Splunk. The Check Point App for Splunk allows you to respond to security risks immediately and gain true network insights. You can collect and analyze millions of logs from all Check Point technologies and platforms across networks, Cloud, Endpoints and Mobile.

Key features are:
- Infinity Dashboards: General overview, Top attacks, Detected and prevented events, Events timeline, Blades statistics
- Cyber Attack View: a unique ability to aggregate Check Point events per attack vector (across all blades): Reconnaissance actions against the network, Delivery methods, Malicious emails, Malicious file download, Server Exploit, Infected hosts
- SandBlast Events: predefined aggregation for mail and web attack vectors
- CIM Support: Check Point logs are mapped into CIM (Common Information Model) and can be analyzed using standard dashboards (such as Splunk Enterprise Security). More information on CIM can be found here: https://docs.splunk.com/Documentation/CIM/4.12.0/User/Overview
- Fast Deploy: an easy and fast deployment using the new Log Exporter

The app can be downloaded from Splunkbase: Check Point App for Splunk | Splunkbase
User Guide: https://sc1.checkpoint.com/documents/App_for_Splunk/html_frameset.htm
SK about the Log Exporter: http://supportcontent.checkpoint.com/solutions?id=sk122323

For any question, comment or suggestion, please contact cp_splunk_app_support@checkpoint.com.

Thank you! Dan Zada, Group Manager.
Julie_Paul inside Logging and Reporting Wednesday

Limited Permission Profile

Can I set up a read-only user with a profile that only allows him to read logs and view his policy only? This is on an SMS, not an MDM. The purpose is to allow a limited admin the ability to be restricted to just what they control or have a business need to see. They do not see all the policies or logs, just their own at their remote location.
WesEvernden inside Logging and Reporting Tuesday

fwm logexport fails - file too large

Hi,
I am trying to take a large log file from our busy DMZ and export it using an eval install running in Hyper-V on my laptop. I can do fwm logexport of the running fw.log fine, but when I try it with the DMZ file I get "File is too large". The DMZ log file is 2,328,043,520 bytes. This is R80.30, 64-bit, 8GB mem. I can cat the file. Any ideas appreciated. Thanks.

[Expert@gw-460f06:0]# fwm logexport -n -p -i test.log
pfopen: failed to open /opt/CPsuite-R80.30/fw1/log/test.log
CBinaryFile::Open: failed to open file (/opt/CPsuite-R80.30/fw1/log/test.log) for reading
CBinaryFile::Open: exit status false
CMappedBinaryFile::error opening file /opt/CPsuite-R80.30/fw1/log/test.log
CLogFile::Open2: error: open (/opt/CPsuite-R80.30/fw1/log/test.log) for reading failed
Failed to open file '/opt/CPsuite-R80.30/fw1/log/test.log': File too large
log_initfile: error - unable to open and read file: test.log
Error: Failed to open log file
[Expert@gw-460f06:0]# ls -l test.log
-rw-rw-r-- 1 admin root 2328043520 Feb 18 13:12 test.log
Deepak__ inside Logging and Reporting Tuesday

Check Point custom reports

Hi, I have a Check Point setup running on R80.30. I want to create a custom report with the below for incoming traffic to my internal applications:
1. The topmost app used
2. Amount of bandwidth
3. No. of sessions
4. Source IP
5. Dest IP SIP
AND
1. Top attacks
2. Source IP
3. Dest IP
4. Attack type
pmetridis inside Logging and Reporting a week ago

OPSEC LEA Permissions

Dear all, I would like to ask if anyone knows the access that an OPSEC LEA client could potentially have to the SMS gateway. Except for the LEA Permissions tab in the OPSEC Application Properties, where else can I find what kind of permission the remote client has when you configure it as an OPSEC LEA application? Is it trusted to allow an external partner, like a SIEM vendor, to communicate with OPSEC LEA to the SMS server? As you understand, the SMS server has all the critical information like policies, etc. Any other link, PDF, doc to read would be helpful. Thanks in advance, Makis
Martijn inside Logging and Reporting a week ago

GRE traffic not shown in log

Hi all,
Two weeks ago, I migrated an R77.30 cluster on 12200 appliances to an R80.30 cluster on 6500 appliances. Installed jumbo hotfix is take 111. It was an advanced migration, so we installed a new SmartCenter, exported the database from R77.30 to R80.30 with the R80 migration tools and imported the database with the same migration tools. Rule base, IP interfaces and routes did not change. Also nothing was changed on the network. The migration was successful and no problems were reported. But we have one strange issue with the log of GRE tunnels. The customer has several GRE tunnels passing the Check Point gateway (so Check Point is not an endpoint for these GRE tunnels) and these GRE tunnels are working fine. But we do not see any logs regarding GRE in SmartLog, even when the GRE tunnel is initiated again. We can see the traffic with tcpdump and fw monitor, but SmartLog remains empty. When we look at SmartLog from the old R77.30 environment (we still have access to the old SmartCenter) we can see logs regarding GRE. Has anyone seen this before on R80.30? I have a case open with Check Point support, but the chances are we need to run a debug and initiate the GRE tunnel again. And initiating the GRE tunnel causes a big impact on the customer's processes. So I hope one of you has seen this before and has a solution that does not involve initiating the tunnel again. Thanks.
Regards, Martijn.
DH_ND inside Logging and Reporting a week ago

CP log Export issues

Hi CheckMates,
Can someone help? I have two managers with the same subnet and environment within Azure. The 1st is managing Azure gateways on R80.30 and the 2nd is managing on-prem gateways on R77.30. We use cp_log_export on both to send logs to a collector. The 2nd has been recently added using the same configuration as the first (this config was the same when the manager was on premise on R77.30):

cp_log_export add name ****** target-server x.x.x.x target-port 514 protocol tcp format leef

All looks good except the collector isn't seeing the logs being sent; it only sees the two-way communication from manager to collector. The difference between the two is that the 2nd has the following lines below. The worker has both these values set to true:
export-link: false
export-attachment-link: false

1st is working:
name: ******
enabled: true
target-server: x.x.x.x
target-port: 514
protocol: tcp
format: leef
read-mode: raw
export-link: Found
export-attachment-link: Found

2nd is NOT working:
name: ******
enabled: true
target-server: x.x.x.x
target-port: 514
protocol: tcp
format: leef
read-mode: raw
export-link: false
export-attachment-link: false

Does anyone have any idea what could be causing this? We have full comms from both to the collector. Thanks
Moe_89 inside Logging and Reporting a week ago

Remote VPN users report

Hello,
Is there a way to export a list of Remote VPN users in the local MGMT database which includes last login time etc.? Something similar to fwm dbexport.
ED inside Logging and Reporting 2 weeks ago

SG cluster not sending logs to SMS

Hi,
R80.30 environment. SG cluster is not sending logs to SMS. Steps that I have done in troubleshooting:
- Installed database in SmartConsole.
- Installed policy several times.
- Changed the SG to log locally, installed policy and then reverted to sending logs again to SMS in SmartConsole.
- Rebooted the cluster that doesn't send logs to the SMS.
- Disk space is checked on SMS and is fine.
- Checked that the security gateway is configured to send logs to SMS in SmartConsole.
- SIC communication is fine and communicating.
- Ping from SMS to SG works fine. The other way too.
- Checked that the SMS is listening on port 257. No connection from the cluster SG seen there.
- Checked if any logs are coming from the SG to the SMS on port 257 with tcpdump on the interface. No logs there.
- The active firewall log file fw.log is growing on the SG. Checked with the command watch -d -n 2 "ls -l $FWDIR/log/fw.log"
- Checked the masters file on the SG and it is set to log to the SMS.
So are there any more suggestions in troubleshooting this issue? Could it be that the last step (that I didn't do), the active firewall log file fw.log, might be corrupted on the SG?
Fred_Howard inside Logging and Reporting 2 weeks ago

SmartLog only shows 3 days of logs.

I cannot query any logs older than 3 days. df -h showed 99% in var/log; I have adjusted settings to delete files and got it to 83%, still no change.
peter_schumache inside Logging and Reporting 2 weeks ago

Filter Logs by geo location

Is there a way to filter my Check Point logs e.g. Destination IP by Geo-Location?
mortiis inside Logging and Reporting 2 weeks ago

[R80.20] smartview on dedicated server

Hi All 🙂 In my CP topology, I have a dedicated server for management (for example 10.1.1.101) and a dedicated server for SmartEvent (for example 10.1.1.102). I would like to grant access to SmartView for my colleagues, but only via web browser and only to 10.1.1.102 (https://10.1.1.102/smartview/). To achieve that, I created a new Gaia user on the 10.1.1.102 server where I have SmartEvent installed and attached this new user to monitorRole. Authentication is done by TACACS. Unfortunately, this config doesn't work; I received "Authentication to server failed". I assume that something is wrong with my CP configuration, because I don't see any events on my TACACS server. Did I miss something in the configuration? Thank you in advance!