Showing results for 
Search instead for 
Did you mean: 
Create a Post
Enyi_Ajoku inside Logging and Reporting 28m ago
views 482 3

All online jobs-The Correlation Unit can't connect to one of its Log Servers

Had to shutdown over the weekend for some power installation. Got in this morning, booted up the management station (R80.10) and had this errorWarning (All online jobs-The Correlation Unit can't connect to one of its Log Servers. Please make sure connectivity between the Correlation Unit and Log Server isn't blocked. There is no need to stop the job.)Would appreciate all the helpThank You  
Gomboragchaa_Ja inside Logging and Reporting yesterday
views 3428 14 1

Log Time difference

I have Management R80.10 take 121. Times in logs is one hour late.I tried sk61941 but no success, enabling NTP didn't help.When running #hwclock --systohc time is synchronized but not the logs timestamp.We using few time based rules. Time issue affected rules also.It looks like there is a bug.Is there any information if this is bug or maybe I am doing something wrong?
Marc_Burie inside Logging and Reporting Sunday
views 114 3

Windows Remote client Version in logs R80.20

Hello,I want to study version of my remote clients connecting to my gatewayI search the client version in logs fieds ( others )  ... nothingIt's possible in R80.20 tracker ,  but not in SmartConsole ...We are in R80.20 An idea ?
Lucas_Planchere inside Logging and Reporting Friday
views 889 7 2

OPSEC lea missing log information

Ho all, We are using opsec lea to send logs to our SIEM and it is working fine, but we are missing some valuable information in the logs sent this way. For example we don't have the log information for the reason of a block, or the rule that trigger the log. Those logs are visible on the checkpoint interface but apparently opsec lea do not forward them.Anybody knows if we can forward those information as well ?I know that we should now use the log exporter instead of opsec lea, but our siem do not support it yet.. Thanks ! 
Rajput_Arvind inside Logging and Reporting Friday
views 152 3 2

R80.10 integration with SIEM tool

Hi All,We are upgrading our MDS from R77.30 to R80.10. And there few SIEM tool integrated with it.So I just wanted to know if anything needs to be done either on Checkpoint or SIEM tool to make it compatible with R80.10. Customer doesn't want to go for Log-Exporter for now.Below are the SIEM tool integrated at the moment with R77.30ArcsightIntegralsLoglogicTufinSplunkeiq-testwebtrends41-lea2 
apara inside Logging and Reporting Thursday
views 144 4

Checkpoint VSX log don't filter the origin virtual system name

Checkpoint VSX log don't filter the virtual system name origin, if i search for destination and/or source i see the gateway name on origin, but if i want use the filter on Origin, i don't find the virtual systemIt's Gaia 80.30What could be the problem? 
Tom_Cripps inside Logging and Reporting a week ago
views 239 2

Is it possible to see hits on the HTTPS Inspection Rulebase?

Hi there,Does anyone know if it possible to see hits against rules within HTTPS Inspection?
Richard_Nock inside Logging and Reporting a week ago
views 204 6 1

Logging not working for Azure CloudGuard gateways and SMS behind NAT

Our topology is as follows: - BackEnd SubnetAzure Firewall (R80.10) - FrontEnd Subnet|Azure Check Point Cluster Public IP|( Internet )| Check Point 5400 Series Appliance Cluster (R80.10)| ( NAT IP)SmartCenter/Security Management Server (R80.30)As you can see our SMS is NATed behind our 5400 series appliances which it also manages. The management object has the private defined as the IP in the General Properties tab and then public is defined in the NAT tab, set to static IP, install on 5400 series gateway and Apply for Security Gateway control connections ticked.This works for all of our other physical appliances - logging and CRL checking, all fine. However, this does not work for the Azure gateways as they persistently want to get to the SMS on the private IP, which doesn't work.Things we've tried:1. Editing the masters file by replacing the SMS name with the public IP of the management then locking the file changes using the chattr command. We've had limited success with this - if we make the change and restart the FWD service it will start working, but if we push policy again it will start using the private IP again. I'm looking for something more permanent.2. Creating a dummy object with the IP of, tick Logging & Status blade, then select this as the logging server for the Azure gateways. The Azure gateways pick up the change, but they still persist in sending logs to the private IP.3. Tried adding a NAT rule to the top of the NAT policy for anything from src: (FrontEnd Subnet) to dst: (private SMS) then translate to dst: (public SMS). No luck here either.I originally thought it was because we were using an older R80.10 template, but I've deployed a new R80.20 cluster in Azure and updated to the latest jumbo and we still get the same issue.Running out of ideas now, any help/suggestions would be appreciated 🙂
GGiorgakis inside Logging and Reporting a week ago
views 224 2

Firewall R77.30 stop logging IPS logs on SMS R.80.20

Firewall R77.30 stop logging IPS logs on SMS R80.20.Please note that FW logs are still logging properly.I confirm that GW has install latest IPS policy pockage and all services are up.Also verify disk space log server and i i try again install policy without any changes.Anyone faces something similar?   
Greg_Galowitz inside Logging and Reporting 2 weeks ago
views 246 3

Identity Awareness' is not responding

I noticed  users are being shown in my logs. When I check the Device Stats I am getting this error message. Warning ('Identity Awareness' is not responding. Verify that 'Identity Awareness' is installed on the gateway. If 'Identity Awareness' should not be installed verify that it is not selected in the Products List of the gateway (SmartDashboard > Security Gateway > General Properties > Software Blades List).)The blade is turned on and  AD is  connect. # adlog a dcDomain controllers:Domain Name IP Address Events (last hour) Connection state============================================================================================================x.local 192.168.100.X 28 has connectionx.local 192.168.100.X 601 has connectionx.local 192.168.100.X 36 has connectionI am in production right now and cant restart the firewall.  How do I restart just Identity Awareness?Thank you,Greg
Olga_Kuts inside Logging and Reporting 2 weeks ago
views 5201 20 6

Number of connections depending on dst addresses

Hi!We have a certain group of destination addresses. We need to calculate the total number of connections for this group for a certain period of time. How can we do this at R80.10 in SmartConsole as well as from cli? It is necessary exactly the number of connections, not events.Thank you!
inside Logging and Reporting 2 weeks ago
views 199

Log Exporter - Links

Hello all, I'm happy to inform you that we added a new feature to the log exporter - the ability to export links to the log card in SmartView and to the log attachment (such as Forensics report, TE report and more) When drilling down into the exported the link, the customer will be requested to login to SmartView and then the log card or the log attachment will be opened automatically. You can now enjoy better integration with your SIEM product and get quick value from our log attachments.   More information, including basic and advanced instructions, can be found in SK122323. If you have any question or comment, let me know.   Thanks! Dan.
kobilevi inside Logging and Reporting 2 weeks ago
views 156 3

Smart event script reactions

hello  im using smart event console to reaction the event and make some changes in my organization.  as i see there is option to "external script"have some examples to scripts ?  tanks
Paul_Mainhardt1 inside Logging and Reporting 2 weeks ago
views 564 7

Firewalls stop logging to Management Server (R80.20)

We are currently experiencing issues with logging from our firewalls to the management server. It logs correctly for awhile then all off a sudden stops logging. We are running 5600 appliances for our gateways and our management server is an open server.We are running R80.20 T87 for both our firewalls and SMS.I suspect its something related to high cpu for fw_full as i notice it reaches 80- 90% CPU but fw_worker_0 - 2 have low CPU usage.I do have identity awareness, App Control, URL Filtering, IPS, Threat Emulation and Anti-bot and Antivirus turned on for the gateways. I am not sure if one of these blades are causing us issues.
Sried inside Logging and Reporting 2 weeks ago
views 368 11

CP R.80.30 Not allowed SSL version

Hi Everyone,im currently encountering an issue with several drops of  different sevices being rejected with the message Not allowed SSL version.I checked the DB settings: ssl_min_ver is set to sslv3 while max is set to tls1.2 . I also created a seperate rule for ssl inspect like described in sk34182., yet i still receive the error. Currently it blocks me from initiating a rdp session within an existing Site 2 Site VPN Connection.Remote_Desktop_Protocol (TCP/3389)RejectNot allowed SSL version So far i was not able to find any other sk article regarding this issue,Has anyone else encountered this problem?