David_Won
David_Won inside Logging and Reporting 8 hours ago
views 98 2

Smartevent upgraded to R80.10: Now how do I exclude alerts?

Upgraded our SmartEvent server yesterday from R77.30 to R80.10. Lost all of our config unfortunately, so now I have to put all of our exclusions in and whatnot. The problem is that in the old version I could just select an alert from the SmartEvent client and then say to exclude it or create an exception. I can't find this anywhere in the new version. I found where to click to bring up the event policy editor, but that's not what I'm looking for. I want to be able to click on the alert and change it. Having to manually enter in all of the details is a step backward from where we were at.

2nd question: what happened to the ticketing system? I used to close out events from my timeline by closing the ticket. That way the other sysadmins would know it's taken care of. I can't find this functionality anywhere.
Juan_Concepcion
Juan_Concepcion inside Logging and Reporting 12 hours ago
views 3064 17 3

Issue Launching SmartEvent Settings and Policy

I have an upgraded R80.10 Management Station with a fresh R80.10 SmartEvent Server. Everything seems to install fine, but when I go to launch the SmartEvent Settings and Policy it fails and just pops up the login window. Also I see this constantly scrolling in $RTDIR/log/cpsemd.log; the database install states it's been done successfully:

[CPSEMD 3898 3884960656]@wal-event-01[23 Aug 15:38:25] Warning:cp_timed_blocker_handler: A handler [0x820a8a0] blocked for 5 seconds.
[CPSEMD 3898 3884960656]@wal-event-01[23 Aug 15:38:25] Warning:cp_timed_blocker_handler: Handler info: Library [cpsemd], Function offset [0x1c28a0].
[CPSEMD 3898 3884960656]@wal-event-01[23 Aug 15:38:25] Warning:cp_timed_blocker_handler: Handler info: Nearest symbol name [_ZN23CAutomaticPolicyBuilder33__sched_SchedListenToNotificationEPv], offset [0x1c28a0].
[CPSEMD 3898 4076292800]@wal-event-01[23 Aug 15:38:34] Failed to get myself object by sic name from sem_network_objects table. Try to reconnect.
[CPSEMD 3898 4076292800]@wal-event-01[23 Aug 15:38:34] Failed to get myself object by sic name from sem_network_objects table after reconnection too. Check if sem_network_objects table exists and contains the object.
[CPSEMD 3898 4076292800]@wal-event-01[23 Aug 15:38:34] CActiveProductsListCreator::SetAnalyzerStatus() - error getting myself object!!!
[CPSEMD 3898 3884960656]@wal-event-01[23 Aug 15:38:55] Failed to get myself object by sic name from sem_network_objects table. Try to reconnect.
[CPSEMD 3898 3884960656]@wal-event-01[23 Aug 15:38:56] Failed to get myself object by sic name from sem_network_objects table after reconnection too. Check if sem_network_objects table exists and contains the object.
[CPSEMD 3898 3884960656]@wal-event-01[23 Aug 15:38:56] CActiveProductsListCreator::SetAnalyzerStatus() - error getting myself object!!!
[CPSEMD 3898 4076292800]@wal-event-01[23 Aug 15:39:08] CDBConfiguration::RefreshStatus() - Failed to calculate available DB max size.
[CPSEMD 3898 3884960656]@wal-event-01[23 Aug 15:39:26] Failed to get myself object by sic name from sem_network_objects table. Try to reconnect.
[CPSEMD 3898 3884960656]@wal-event-01[23 Aug 15:39:26] Failed to get myself object by sic name from sem_network_objects table after reconnection too. Check if sem_network_objects table exists and contains the object.
[CPSEMD 3898 3884960656]@wal-event-01[23 Aug 15:39:26] CActiveProductsListCreator::SetAnalyzerStatus() - error getting myself object!!!
Maik
Maik inside Logging and Reporting yesterday
views 145 5

Logging statistics | MDM R80.20 - question regarding the actual rates

Hello guys, I have a question regarding the measurement of incoming logs, let's say some kind of "rate" of logs per second or minute. Related to that I have found two SKs:
- sk88681 [How to calculate/count the total amount of FireWall Logs per second that arrive to Security Management Server]
- sk120341 [How to monitor the Log Receive Rate on Management Server / Log Server R80 and above]

The interesting thing is that both SKs are valid for R80.20 and also apply to MDM environments, such as the current case where I want to use this. However, here is the example output of one of my domains:

sk120341 output:
[Expert@MDMSERVER:0]# cpstat mg -f log_server
Log Receive Rate: 50
Log Receive Rate Peak: 4722
Log Receive Rate Last 10 Minutes: 57
Log Receive Rate Last Hour: 59
Log Server Connected Gateways
---------------------------------------------------------------------
|Name          |State    |Last Login Time          |Log Receive Rate|
---------------------------------------------------------------------
|Local Clients |Connected|N/A                      |               0|
|VSX-GW-A      |Connected|Wed Aug 14 10:57:19 2019 |               0|
|VSX-GW-B      |Connected|Fri Aug  9 11:28:53 2019 |              50|
---------------------------------------------------------------------

sk88681 output:
[Expert@MDMSERVER:0]# ls -l fw.logptr ; sleep 180 ; ls -l fw.logptr
-rw-r--r-- 1 admin root 18895720 Sep 19 12:18 fw.logptr
-rw-r--r-- 1 admin root 18972856 Sep 19 12:21 fw.logptr
(18972856 - 18895720) / (4 * 180) = about 107

I have run these commands in the related management domain (switched via mdsenv); however, the results are kinda different. The output of sk88681 seems to be more correct, as lots of connections pass through the gateway. But how does the first output list only about 50 logs per second and the second one more than 100? I guess the "log receive rate" of the cpstat mg command also refers to logs per second. Where is the difference between both?

And why does the cpstat command also say that "Log Receive Rate Last 10 Minutes" is just 57? That's definitely not the case, or do I mix something up in this case?

Also a different question regarding log file movement. Is it safe to move e.g. the following files from /CPsuite-R80.20/fw1/log to a different system in order to save them as a backup? Or do I have some negative impact on the management server if I'm going to remove these files?
2018-11-10_000000.adtlog
2018-11-10_000000.adtlogaccount_ptr
2018-11-10_000000.adtloginitial_ptr
2018-11-10_000000.adtlogptr
2018-11-10_000000.log

I have the requirement to move all log entries which are older than 3 months to a different system, or even delete them. As far as I know this option is not possible via the SmartConsole itself (only via a script that checks the timestamp of files in the log dir and removes them if they are older than three months). Or are there other ways in order to achieve the described goal? Currently thinking about a cronjob that runs each night, which looks for log files older than x days and removes them. But still, I am not sure if this method is "clean".

Thanks and best regards,
Maik
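The two mechanics in Maik's post, the sk88681-style rate estimate from fw.logptr growth and the nightly cron job that moves rotated log files older than N days, as an added example. This is not Check Point's code, nor a script from any SK, and it is not an answer from the thread: it assumes the 4-bytes-per-record figure from the post's own formula, assumes rotated files are named YYYY-MM-DD_HHMMSS.<ext> as in the post's file list, and assumes that only those dated files (never the active fw.log, fw.adtlog or their pointer files) are candidates for archiving. Whether the log server still references moved files is the open question in the post and is not settled by this script.

```shell
#!/bin/sh
# Added example (not from the post, an SK, or Check Point). Two helpers:
#   log_rate_from_ptr  - sk88681-style estimate quoted in the post: fw.logptr is
#                        assumed to grow by one 4-byte entry per log record, so
#                        (bytes_after - bytes_before) / (4 * seconds) = logs/second.
#   archive_old_logs   - cron-style move of rotated log files older than N days.
#                        ASSUMPTIONS: rotated files are named YYYY-MM-DD_HHMMSS.<ext>
#                        (the .log plus its *_ptr companions and the .adtlog* audit
#                        files); the active fw.log/fw.adtlog and their pointer
#                        files are never touched; file names contain no whitespace.

# Size of a file in bytes (wc -c is POSIX; stat -c is GNU-only).
ptr_bytes() {
    wc -c < "$1" | tr -d ' '
}

# Integer logs/second from two fw.logptr sizes and the interval between them.
# Example from the post: log_rate_from_ptr 18895720 18972856 180 -> 107
log_rate_from_ptr() {
    before=$1; after=$2; seconds=$3
    echo $(( (after - before) / (4 * seconds) ))
}

# Sample the live pointer file for N seconds, as the post does with "ls -l ; sleep".
sample_log_rate() {
    logdir=$1; seconds=$2
    before=$(ptr_bytes "$logdir/fw.logptr")
    sleep "$seconds"
    after=$(ptr_bytes "$logdir/fw.logptr")
    log_rate_from_ptr "$before" "$after" "$seconds"
}

# Move every rotated log file whose mtime is more than $3 days old from $1 to $2.
# Prints the number of files moved. All companion files of a rotated day match
# the same name pattern, so they travel together.
archive_old_logs() {
    logdir=$1; dest=$2; days=$3
    mkdir -p "$dest"
    moved=0
    # The pattern deliberately excludes fw.log, fw.logptr, fw.adtlog and friends.
    for f in $(find "$logdir" -maxdepth 1 -type f -mtime +"$days" \
                 -name '[0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]_[0-9]*.*'); do
        mv -- "$f" "$dest"/ && moved=$((moved + 1))
    done
    echo "$moved"
}

# Usage (run inside the domain after mdsenv, as the post does; paths are assumptions):
#   sample_log_rate "$FWDIR/log" 180
#   archive_old_logs "$FWDIR/log" /var/log/cp-archive 90
# Cron line for a nightly run at 02:00 (assumed install path):
#   0 2 * * * /usr/local/bin/cp-log-archive.sh
```

Moving instead of deleting keeps the backup requirement and the retention requirement in one step; delete from the archive location only after the copy on the other system has been verified. The rate helper reproduces the post's arithmetic and does not explain the gap between it and the cpstat figure.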
resu
resu inside Logging and Reporting yesterday
views 75 2

Log query R80.10

I would like to run a query (something like NOT action:drop) on a list of unique IP addresses. I've looked through the documentation and tried IPs with a space between them, and with AND (no quote marks) between them. Neither worked. Any advice is appreciated.
kobilevi
kobilevi inside Logging and Reporting Saturday
views 83 2

Smart event script reactions

Hello, I'm using the SmartEvent console to react to events and make some changes in my organization. As I see, there is an option for an "external script". Does anyone have some example scripts? Thanks
Dale_Lobb
Dale_Lobb inside Logging and Reporting Friday
views 105 4

SmartView and SmartLog idiosyncrasies

Fairly frequently, I see spurious results in the log listing to a simple query in SmartView and SmartConsole's SmartLog function.  Specifically, a query with a simple source and destination selected will include a few log entries that do not match the query.  The same query will produce this result in both tools.  Here's an example. Notice the entry in the selector and detailed at right does not match the simple selection criteria. 
Ankur_Datta
Ankur_Datta inside Logging and Reporting Friday
views 87 1 1

Log exporter send logs in UTC time zone to syslog server

Hi All, we configured Log Exporter on our MLM and send logs of all CLMs to a syslog server. On checking the syslog server we found out logs are coming in the UTC time zone. I went through sk133472 and am not able to understand the last two lines:

"The CP Log Server can send logs to syslog in different timezone, and it needs to be UTC so target Log Server can convert it to the local timezone. This is also how Splunk and other SIEM vendors behave."

Does this mean we need to send logs through Log Exporter in the UTC time zone? We are using the IST time zone. Please guide.
apara
apara inside Logging and Reporting Friday
views 70 1

Checkpoint VSX log don't filter the origin virtual system name

Check Point VSX logs don't filter on the origin virtual system name. If I search for destination and/or source I see the gateway name as the origin, but if I want to use the filter on Origin, I don't find the virtual system. It's Gaia R80.30. What could be the problem?
rajesh_s
rajesh_s inside Logging and Reporting Thursday
views 19240 16 8

Checkpoint Gateways are not sending the logs to Checkpoint management server

Hi All, we are using Check Point R77.30 firewalls. The gateways are not sending the logs to the Check Point management server. Has anyone had a similar issue?
Yonatan_Philip
Yonatan_Philip (Employee+) inside Logging and Reporting Wednesday
views 2492 5 6

Log Exporter - Splunk Integration Update

Hello Everyone,

We are currently in advanced stages of developing a Log Exporter update that will add CIM support. This will give us better Splunk integration for CIM-oriented apps and dashboards (e.g. Splunk Enterprise Security). We are currently looking for customers who wish to test this new feature (in either their lab or production) and share their feedback with us. I would also really appreciate if in your email you could also add the following details:
- What version of Check Point do you use? And what version of Splunk server?
- Is your Splunk environment installed as a single instance or is it a distributed environment?
- Have you already tested out previous releases of the Log Exporter or is this your first use of the add-on?

The new update will also enable the Log Exporter to work in a semi-unified mode. For those who are unfamiliar with this setting, it means that updates are unified with their original log before they are exported. This makes the information in the update log complete and makes the update log itself more readable (in raw mode you had to manually search for the original log to make sense of the update).

Best Regards,
Yonatan
B_P
B_P inside Logging and Reporting Tuesday
views 296 8

R80.30 Netflow Setup

Pre-R80.10, NetFlow worked fine. Now on R80.30 I have two flows that are identical, but one only shows Outbound and the other only shows Inbound. BUT, and this is perplexing, it is the exact same traffic for both inbound and outbound flows, i.e. source and destination are the same. Yes, let that simmer for a while.

I have one rule that's configured on the firewall, and it's a rule that a lot of web traffic hits on. I'm using ManageEngine's NetFlow Analyzer.

For this traffic, I would expect there should be one flow and it should include both inbound and outbound traffic on the one interface (the internal interface it's hitting).
Adiel_Ashrov
Adiel_Ashrov (Employee+) inside Logging and Reporting a week ago
views 4408 3 2

How to exclude the SmartEvent object from the SSL Inspection group

Hello All,

I'm reviewing sk112814, which explains how to overcome the following error: "SmartView server certificate is invalid" error when opening a new tab in the R80 SmartConsole "Logs & Monitor".

In the solution steps it is said that one should exclude the SmartEvent object from the SSL Inspection group, but I haven't found straightforward instructions on how to perform this step online. Any assistance with screenshots will be much appreciated.

Regards,
Adiel
Kobi Eisenkraft
lajie93
lajie93 inside Logging and Reporting a week ago
views 124 2

exporting logs from one SMS to another newly created

Greetings, this is my first post here. I really enjoy the community, whose posts helped me to fix some issues that I was facing.

We have a SmartEvent server (SMS A) which stores logs from installed customer gateways. We plan to move the system configuration and logs from SMS A to the newly installed SMS B, but my worry is about exporting the logs. How can I easily realize it?
Marko_Keca
Marko_Keca inside Logging and Reporting a week ago
views 4090 8 3

Is there a way to share View created by one user with other users?

I have created a custom View and I'm the only admin who can see it. How can I share it with others? Also, when I click on Export template, nothing happens.

Thanks in advance!
Regards,
Marko
quanglnh
quanglnh inside Logging and Reporting a week ago
views 345 11

Checkpoint OPSEC LEA with LogRhythm SIEM

Hi Everyone, I have a Smart-1 5150 device that manages 90 Check Point gateways. I want to integrate it with LogRhythm SIEM. I created a host object for the LogRhythm SIEM with its IP. I created an OPSEC Application for it and also pulled certificates from the Check Point Smart-1 device. Now I need to provide the information below on the LogRhythm SIEM:

opsec_sic_name "OPSEC_APP_SIC_DN"
lea_server ip IP_ADDRESS
lea_server auth_port 18184
lea_server auth_type sslca
lea_server opsec_entity_sic_name "LOG_SERVER_DN"
opsec_sslca_file "C:\checkpoint_config\opsec.p12"

"OPSEC_APP_SIC_DN" is the DN name in the OPSEC Application, which is "CN=LogRhythm-XM,O=CP-Smart1..ksmkv" in my picture. Is this correct?
"lea_server auth_type" is sslca. Is sslca the only type, or are there other types?
"LOG_SERVER_DN": I'm not sure where to collect this info. I went to the web portal of the Smart-1 device and see the DN in the Certificate Authority tab as below. Is this the right DN for "LOG_SERVER_DN"? Since the Smart-1 device manages all the other firewalls, the "LOG_SERVER_DN" is the DN of the Smart-1 device, right?

After configuring, I still can't receive any logs on LogRhythm SIEM from Check Point OPSEC. Please help me solve this issue. Thanks!