Showing results for 
Search instead for 
Did you mean: 
Post a Question
Aitor_Carazo inside Logging and Reporting yesterday
views 27 1

How can i print "Destination DNS Hostname" on an automatic reaction Mail

Hello Checkmates, I am looking for show the field "Destination DNS Hostname" in the email which Smartevent sends as an automatic reaction.The field is the one on the image.Is there any way to do this? Also i have other question regarding this post.Is there any kibnd of documentation about Smartevent's event fields?Thanks and regards
Leon_Jaimes inside Logging and Reporting yesterday
views 47 2

Missing connection logs from 6500 gateway with R80.20 Take 18

Hello,I just set up a 6500 gateway running the R80.20 Take 18 image and Security Management Server on VMware running R80.20 M2, don't have the build handy on that. This is a fairly sensitive environment, so I am hesitant to deploy R80.30 yet, but I have not done any technical digging into the relationship between the 6000 series and R80.30. I set up a handful of very basic policies, essentially the "Admin Access to Gateways", "Stealth", and then a few other rules which I have since removed and now only have those two followed by a Test rule that is any/any/accept/log to troubleshoot.The Gatewat topology is:Mgmt connected to as connected to a laptop as and on the interface and the on laptop-A.eth8 connected to another laptop as and on the interface and on the laptop-B.There is a static NAT on the object with IP, and a webserver running on laptop-A.The SMS is:eth1 connected to as enabled are:FirewallApplication ControlURL FilteringIdentity AwarenessContent AwarenessIPSAnti-VirusAnti-BotSIC is fine, and there are some logs from the gateway about system events, but nothing for traffic. I can ping from Laptop-B to Laptop-A and I can see the connections with fw monitor hitting i I O o. The webpage loads, so NAT is working.I have been troubleshooting using sk40090 and none of the suggestions there have helped.I noticed that $FWDIR/conf/log_policy.C did not match, but that was not something that I recall having to set up in the past.I also noticed that in the General Properties of the gateway object, there is not a selection fro 6000 series, so I have that set to Other right now, but had initially tried using the settings for the 5000 series.The topology in the gateway object matches the the way the interfaces are configured, and anti-spoofing is turned off.I feel like I am missing something that is right in front of me. I'm away from the project for the next week, and I just went through DemoPoint and didn't see anything that looked different than the way I have it set up. Thought I'd put this out to you all and see what suggestions might come back.Cheers,Leon
Yonghao_Gao inside Logging and Reporting yesterday
views 17 1

smartevent status attention

Dear all My SMS is R80.10,provide smartevent service,but it have as follow attention:"Scale is not according to recommendation"What does that mean?
Yonghao_Gao inside Logging and Reporting yesterday
views 68 8

If can R77.30 send log to R80.30

Dear all I have a R77.30 SMS,now, i want to R80.30 as my smartlog and smartevent server,if can i do it,thanks!

Custom view/report for application usage by user broken out by week over time

Hi there,Looking if anyone has a view/report to share or steps How to...Would like a report listing by user the top x application usage shown and a weekly basis over a period of x weeks.Example: a report showing user's app usage over the last 9 weeksuser Application Name Week1 Week2 Week3 Week4 Week5 Week6 etc.Joe YouTube-HD 2GB 4GB 100Gb 30GB 4GB 400GBJoe Twitter 1GB 1GB 1Gb 1GB 0GB 200MB Any ideas would be appreciated. We are running R80.10 with SmartEvent and accounting is on for logging. The User Activity report doesn't give us the form we would like to see. Thanks.
Sergei_M inside Logging and Reporting Friday
views 185 1

Log Exporter Reexport

For the purpose of restoration of logs after accidents we tried to apply command cp_log_export reexport. In practice unloading of logs was executed in the period of last 4 hours that did not suit us. Whether there is an opportunity to unload the logs fora longer period? How to make it?
Lee_Cassey inside Logging and Reporting Thursday
views 39538 11 4

OPSEC LEA pull from a SIEM on R80.10 Smart-1 Log Server

So we have access to a SMART-1 Log Server with R80.10 and it is configured only as a logging server, no management server or other blades. Its receiving logs from several CP firewalls into a management server (which we don't have access to) and then these logs get forwarded to the above Smart-1 Logging server which we do have access to.Trying to set up an OPSEC/LEA connection for our SIEM to pull down from the Logging Server. We can create the connection and SIC generated and activated. Trouble is the SIEM is complaining that it cant connect on 18120 to get the cert. We can access 18184 ok via the SIEM and telnet but we get no response from either on port 18120. our CP support engineer told us that because it is only configured as a logging server with no management blade we wont be able to use OPSEC/LEA to pull logs from it and that syslog is the only option. Syslog doesnt work especially well with our SIEM as needs some major parsing to account for the originating sources devices being different from the server our SIEM receives syslogs for (ie the logging server)Does anyone know if OPSEC/LEA is possible in this setup? Our SIEM providers say that this is the standard way most of their other clients retrieve logs form CP products. Just wondered if there is a way to use OPSEC/LEA at all in this scenario or whether we have to live with the PITA syslog option thats not idea for us?Ta
HeikoAnkenbrand inside Logging and Reporting Wednesday
views 75997 50 46

R80.10 Syslog Exporter

Via Check Point Support you get a Syslog exporter for SIEM applications for R80.10 Managment. Which allows an easy and secure method for exporting CP logs over syslog. Exporting can be done in few standard protocols and formats. Log Exporter supports: Splunk Arcsight RSA LogRhythm QRadar McAfee Log Exporter is a multi-threaded daemon service, running on a log server. Each log that is written on the log server is read by the log exporter daemon, transformed into the desired format and mapping, and then sent to the end target. Installation on R80.10 Jumbo Hotfix Take 56 or higher. Syntax: # cp_log_export add name <name> [domain-server <domain-server>] target-server <target-server> target-port <target-port> protocol <(udp|tcp)> [optional arguments] Command Name Command Description add Deploy a new Check Point logs exporter. set Updates an exporter's configuration. delete Removes an exporter. show Prints an exporter's current configuration. status Shows an exporter's overview status. start Starts an exporter process stop Stops an exporter process. restart Restarts an exporter process. reexport Resets the current position, and re-exports all logs per the configuration. Regards, Heiko
Muditha_Thelisi inside Logging and Reporting Tuesday
views 3406 15

Searching for Address Spoofing Logs in R80

With SmartLog in R80 how can I search for 'Address Spoofing' logs? Which field should I select? With SmartView Tracker I could add a filter on Information column but with SmartLog I can't do the same.
Phaneath_Phourn inside Logging and Reporting Tuesday
views 154 2

Generate all Incident Report on SmartEvent

Hello CheckMates,I got an inquiry from my client that they need to generate all Incidents category as hight light in the below figure. The default reports it summy only 11,636 Hight and Critical Incidents it doesn't show another of 30,846 Incidents which are Medium or Low Incidents. So, is there a place that we can see all Incident (not only High and Critical Incidents)? Thank you!Phaneath
Bishal_Upadhyay inside Logging and Reporting Sunday
views 1238 6

Smartconsole not showing Gateway Status, cluster members and Management Server

Hi Everyone,At Smartconsole, we are not able to view gateway status, along with cluster members and Management server too. However, it seems only GUI issue since every other logical functions are working properly like cphaprob stat in cli command shows both active and standby members, database installation and policy installation also taking place. We tried sk112058 but to no avail.The screenshots are attached herewith.With Regards,Bishal
fabiofleck inside Logging and Reporting a week ago
views 270 1

Doubt about report VPN Access - R77.30

Hello CheckMates, 😎 How do I to create a daily automatic report (to send by email) about VPN access with follow information:- Which users have accessed;- Connection duration;- Start time connection;- End time connection;I would like configure this report in the R77.30.Is it possible receive this email daily?
Yonghao_Gao inside Logging and Reporting a week ago
views 501 3

Traffic total bytes no traffic sum

Hi allVersion:R80.10 I try to check box firewall 、app control and url filter together,as follow:and i check box account in policy. then,i do services ranking by traffic,But there is no traffic sum and display 0B,as follow: Then,I try to separation firewall and "App control& URL filter",as follow:then,i see services ranking by traffic,as follow:Why there is no any traffic when i check box firewall 、app control and url filter together?Thanks!
cinortoce inside Logging and Reporting a week ago
views 480 1

Parse old logs

I made a custom parser for events arriving via syslog to the Checkpoint log server, can I parse the old log files with this parser?