Daniel_Westlund
Daniel_Westlund inside Logging and Reporting 3 hours ago
views 104 2

Unable to filter out Network Access Rule Number in logs

I'm trying to migrate a customer into using an inline policy. To do this, I've added the inline rules and kept the Application layer there as well to catch what I missed. Now I need to remove the Application layer. To do that, I click on a rule, look at the logs for the rule, and filter on the column Access Rule Number in order to see if I missed any inline rules.

The problem is that for drops, which are the most important, the Access Rule Number column doesn't show the Network rule, but the Application rule. I know this info (the Network rule) is there because if I drill down into the log, I see it in the Matched Rules tab. But there are millions of logs, so rather than look into each one, I'd like a way to filter them out like I filter the accepts by Access Rule Number in the first screenshot. I've looked at the columns available in the profiles and don't see anything that would give me the Network rule the traffic is using when it gets dropped on the Application rule.

If I don't add an inline drop for the relevant rules, like 144 above, then users can get out to blocked sites. If I keep the Application layer in place, then the inline rules are not making the policy more efficient. Any ideas how I can find the rules that I need to add the block rule on inline?
stevenhudson622
stevenhudson622 inside Logging and Reporting 4 hours ago
views 117 3 1

SmartView Tracker Not Working Properly

Hello, I am having a problem getting SmartView Tracker to show traffic that is actually allowed to pass through the firewall. If I use Edit Filter and just filter on Accept/Allow, I'm not seeing anything.

Using Provider-1 SmartDashboard R77.30 and gateways on R70. On the same setup all the hit counts are at 0 as well. Any ideas? Thanks, kind regards.
Mubarizuddin_Mo
Mubarizuddin_Mo inside Logging and Reporting 6 hours ago
views 1124 2

Remote VPN users report

Hello, is there a way to export a list of Remote VPN users in the local management database which includes last login time etc.? Something similar to fwm dbexport.
Sergei_M
Sergei_M inside Logging and Reporting yesterday
views 409 5

Log Exporter Reexport

For the purpose of restoring logs after accidents, we tried to use the command cp_log_export reexport. In practice, only the logs from the last 4 hours were exported, which did not suit us. Is there a way to export logs for a longer period? How can this be done?
ThomasD
ThomasD inside Logging and Reporting Thursday
views 597 3

Sending Check Point logs via LogExporter to SkyBox

Hello, I am curious if anyone has successfully sent Check Point logs to SkyBox via the LogExporter tool. I was able to send the syslogs to the SkyBox server, but apparently SkyBox cannot interpret it correctly due to a date/time format issue.

According to SkyBox, they are expecting the format below from Check Point CMA (Provider-1):

2013-01-06 16:07:55 Local4.Info 10.1.1.1 cma1: 16Sep2012 15:53:54 accept 10.2.2.2 >eth0 rule: 1; rule_uid: {42B0B1D4-73B6-4FEC-97D0-9BBE0AF18742}; service_id: ssh_version_2; src: 192.168.1.1; dst: 10.2.2.2; proto: tcp; product: VPN-1 & FireWall-1; service: 22; s_port: 53753; product_family: Network;

But this is what SkyBox is receiving from the Provider-1 instead:

Jun 5 04:00:01 XXXXXXXXXX 2019-06-05T07:59:58Z XXXXXXXXXX CheckPoint 9066 - [action:"XXXXXXXXXX"; flags:"XXXXXXXXXX"; ifdir:"XXXXXXXXXX"; ifname:"XXXXXXXXXX"; loguid:"XXXXXXXXXX"; origin:"XXXXXXXXXX"; time:"XXXXXXXXXX"; version:"XXXXXXXXXX"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={XXXXXXXXXX};mgmt=XXXXXXXXXX;date=XXXXXXXXXX;policy_name=XXXXXXXXXX]"; dst:"XXXXXXXXXX"; origin_sic_name:"XXXXXXXXXX,O=XXXXXXXXXX"; product:"XXXXXXXXXX"; proto:"XXXXXXXXXX"; rule:"XXXXXXXXXX"; rule_name:"XXXXXXXXXX"; rule_uid:"{XXXXXXXXXX"; s_port:"XXXXXXXXXX"; service:"XXXXXXXXXX"; src:"XXXXXXXXXX"; ]

Thank you in advance for your help/suggestions. Thomas
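The two log shapes in the post differ in more than the timestamp: the R80 Log Exporter line carries the record as a bracketed list of key:"value" pairs whose values may themselves contain semicolons and square brackets (see __policy_id_tag), so a naive split on ";" mis-parses it. The script below is an added example, not code from the post or from Check Point or SkyBox; it parses the Log Exporter syslog line with a quote-aware field scanner and rewrites it into the legacy "16Sep2012 15:53:54 accept 10.2.2.2 >eth0 rule: 1; ..." payload that the post says SkyBox expects. The sample input is constructed, with the masked XXXXXXXXXX values replaced by placeholders; the mapping of ifdir inbound/outbound to the legacy ">" / "<" direction marker, the assumption that the time field is epoch seconds, and the lowercasing of the action are all assumptions, as is the decision to omit fields (service_id, product_family) that the R80 line does not carry.

```python
import re
from datetime import datetime, timezone

# Constructed sample in the shape shown in the post; placeholder values, not real data.
SAMPLE_R80_LINE = (
    'Jun 5 04:00:01 syslog-relay 2019-06-05T07:59:58Z gw-cma1 CheckPoint 9066 - '
    '[action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth0"; '
    'loguid:"{0x5cf77e7e,0x1,0x1010a0a,0xc0000001}"; origin:"10.1.1.1"; '
    'time:"1559721598"; version:"5"; '
    '__policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={ABCD};mgmt=cma1;'
    'date=1559700000;policy_name=Standard]"; '
    'dst:"10.2.2.2"; origin_sic_name:"CN=gw1,O=cma1"; product:"VPN-1 & FireWall-1"; '
    'proto:"tcp"; rule:"1"; rule_name:"Allow SSH"; '
    'rule_uid:"{42B0B1D4-73B6-4FEC-97D0-9BBE0AF18742}"; '
    's_port:"53753"; service:"22"; src:"192.168.1.1"; ]'
)

# Relay timestamp, relay host, ISO timestamp, origin host, app, procid, msgid, then
# the bracketed record. The greedy .* runs to the LAST "]" so inner "]" in values survive.
HEADER_RE = re.compile(
    r'^(?P<relay_ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) '
    r'(?P<relay_host>\S+) (?P<iso_ts>\S+) (?P<host>\S+) '
    r'(?P<app>\S+) (?P<procid>\S+) (?P<msgid>\S+) '
    r'\[(?P<body>.*)\]\s*$'
)
# key:"value" pairs; the value may contain ';' '[' ']' and backslash-escaped quotes.
FIELD_RE = re.compile(r'(\w+):"((?:[^"\\]|\\.)*)"')

# Assumed mapping of ifdir to the legacy direction marker in front of the interface name.
DIRECTION = {'inbound': '>', 'outbound': '<'}


def parse_r80_syslog(line: str) -> dict:
    """Split a Log Exporter syslog line into header parts and a dict of record fields."""
    m = HEADER_RE.match(line)
    if not m:
        raise ValueError('not a Log Exporter syslog line')
    rec = {k: v for k, v in m.groupdict().items() if k != 'body'}
    rec['fields'] = {k: v for k, v in FIELD_RE.findall(m.group('body'))}
    return rec


def legacy_timestamp(fields: dict, iso_ts: str) -> str:
    """Render the record time as DDMonYYYY HH:MM:SS (UTC). Assumes time is epoch seconds,
    falling back to the ISO timestamp from the syslog header."""
    t = fields.get('time', '')
    if t.isdigit():
        dt = datetime.fromtimestamp(int(t), tz=timezone.utc)
    else:
        dt = datetime.strptime(iso_ts, '%Y-%m-%dT%H:%M:%SZ').replace(tzinfo=timezone.utc)
    return dt.strftime('%d%b%Y %H:%M:%S')


def to_legacy(rec: dict) -> str:
    """Build the legacy payload (the part after 'cma1:' in the post's expected format).
    Fields the R80 record lacks are omitted rather than invented."""
    f = rec['fields']
    direction = DIRECTION.get(f.get('ifdir', ''), '')
    ordered = ['rule', 'rule_uid', 'service_id', 'src', 'dst', 'proto',
               'product', 'service', 's_port', 'product_family']
    tail = ' '.join(f'{k}: {f[k]};' for k in ordered if k in f)
    return (f"{legacy_timestamp(f, rec['iso_ts'])} {f.get('action', '').lower()} "
            f"{f.get('origin', '')} {direction}{f.get('ifname', '')} {tail}")


if __name__ == '__main__':
    record = parse_r80_syslog(SAMPLE_R80_LINE)
    print(to_legacy(record))
```

Run as a filter over the exported syslog stream, the converter keeps the record's own time field rather than the relay's arrival time, which is the value SkyBox would be correlating on; if your Log Exporter target uses a different field separator or quoting, adjust FIELD_RE rather than splitting on ";".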
deepwaraich143
deepwaraich143 inside Logging and Reporting Thursday
views 100 1

Zero Phishing

Hi there, I am facing a problem while creating a report for the blade "Zero Phishing". I filtered for password reuse but SmartView shows "no data found". However, I can see there are some events within R80.20. Your help will be appreciated. Thanks
Michael_Horne
Michael_Horne inside Logging and Reporting Wednesday
views 811 5 2

Logs & Monitoring - Reverse DNS lookups incorrect

Hello, I have been looking for information about how the reverse DNS lookup works for the "logs" in R80.10. The issue we have is that the FQDN being displayed in the Logs is incorrect. In the log view "ZRH-L00053" is displayed for the IP 10.166.138.158. When we check the DNS on the management server, the host ZRH-D00008 is the actual owner of this IP address in both directions, and ZRH-L00053 maps to another IP. If anyone has any information about how this reverse DNS lookup is working it would be great. Many thanks, Michael
Yonghao_Gao
Yonghao_Gao inside Logging and Reporting Tuesday
views 921 10

smartevent status attention

Dear all, my SMS is R80.10 and provides the SmartEvent service, but it shows the following attention message: "Scale is not according to recommendation". What does that mean?
Maik
Maik inside Logging and Reporting Tuesday
views 254 1

Management server version != log server version != gateway version

Hello guys, I have a small question regarding a specific given setup. Let's say we have the following:

- Management server running R80.20 (no "M" release)
- Dedicated log server running R80.10
- Security gateway running R80.20

Will it be possible for the gateway to send logs to the log server with a "minor" version? I know that it is problematic, and without a specific patch not possible at all, to manage R80.20 gateways with an R80.10 management site. But I could not find any information about a situation when just the logging is "older". Currently we have just the management on R80.20 and log server + gateways running R80.10. I'm just wondering if the log server needs to be updated before the gateways receive the upgrade.

Best regards & thanks for any hints, Maik
Leon_Jaimes
Leon_Jaimes inside Logging and Reporting a week ago
views 365 4

Missing connection logs from 6500 gateway with R80.20 Take 18

Hello, I just set up a 6500 gateway running the R80.20 Take 18 image and a Security Management Server on VMware running R80.20 M2; I don't have the build handy on that. This is a fairly sensitive environment, so I am hesitant to deploy R80.30 yet, but I have not done any technical digging into the relationship between the 6000 series and R80.30. I set up a handful of very basic policies, essentially the "Admin Access to Gateways", "Stealth", and then a few other rules which I have since removed, and now only have those two followed by a Test rule that is any/any/accept/log to troubleshoot.

The gateway topology is:

- Mgmt connected to 10.20.20.0/24 as 10.20.20.100
- eth1 connected to a laptop as 10.30.30.0/24, with 10.30.30.1 on the interface and 10.30.30.2 on laptop-A
- eth8 connected to another laptop as 34.34.34.0/29, with 34.34.34.1 on the interface and 34.34.34.5 on laptop-B

There is a static NAT on the 10.30.30.2 object with IP 34.34.34.2, and a webserver running on laptop-A.

The SMS is: eth1 connected to 10.20.20.0/24 as 10.20.20.200

Blades enabled are: Firewall, Application Control, URL Filtering, Identity Awareness, Content Awareness, IPS, Anti-Virus, Anti-Bot.

SIC is fine, and there are some logs from the gateway about system events, but nothing for traffic. I can ping from laptop-B to laptop-A and I can see the connections with fw monitor hitting i I O o. The webpage loads, so NAT is working. I have been troubleshooting using sk40090 and none of the suggestions there have helped. I noticed that $FWDIR/conf/log_policy.C did not match, but that was not something that I recall having to set up in the past. I also noticed that in the General Properties of the gateway object there is no selection for the 6000 series, so I have that set to Other right now, but had initially tried using the settings for the 5000 series. The topology in the gateway object matches the way the interfaces are configured, and anti-spoofing is turned off.

I feel like I am missing something that is right in front of me. I'm away from the project for the next week, and I just went through DemoPoint and didn't see anything that looked different from the way I have it set up. Thought I'd put this out to you all and see what suggestions might come back. Cheers, Leon
Aitor_Carazo
Aitor_Carazo inside Logging and Reporting a week ago
views 844 2

How can i print "Destination DNS Hostname" on an automatic reaction Mail

Hello CheckMates, I am looking to show the field "Destination DNS Hostname" in the email which SmartEvent sends as an automatic reaction. The field is the one in the image. Is there any way to do this? I also have another question regarding this post: is there any kind of documentation about SmartEvent's event fields? Thanks and regards
Jacques_Spelier
Jacques_Spelier inside Logging and Reporting a week ago
views 580 2

Custom view/report for application usage by user broken out by week over time

Hi there, looking to see if anyone has a view/report to share, or steps on how to. I would like a report listing, by user, the top x application usage shown on a weekly basis over a period of x weeks.

Example: a report showing a user's app usage over the last 9 weeks:

User  Application Name  Week1  Week2  Week3  Week4  Week5  Week6  etc.
Joe   YouTube-HD        2GB    4GB    100GB  30GB   4GB    400GB
Joe   Twitter           1GB    1GB    1GB    1GB    0GB    200MB

Any ideas would be appreciated. We are running R80.10 with SmartEvent and accounting is on for logging. The User Activity report doesn't give us the form we would like to see. Thanks.
Alexander_Schuh
Alexander_Schuh inside Logging and Reporting a week ago
views 937 1

VPN Problem after Mgmt Upgrade to R80.20

Hi, I had some problems this weekend with the upgrade to R80.20. The setup is the following: Mgmt R77.30 upgraded to R80.20 (fresh install / migrate import); the cluster environment is on R77.30. After a policy install from the R80.20 Mgmt, one of the two site-to-site tunnels goes down (third-party tunnel to a Palo Alto GW). Only in P1 and in the vpnd.elg I saw that there is a problem with the pre-shared secret (but I did not change it). When I switch back to the old R77.30 Mgmt there are no issues on the tunnel and it works without any problems. At the moment I don't have the logs from the peer GW. In fw monitor I saw traffic on port 500. Has anyone had this issue? In the remote session with CP we did not find any issues; the SE told us we need the logs from the other side.
Yonghao_Gao
Yonghao_Gao inside Logging and Reporting a week ago
views 835 8

Can R77.30 send logs to R80.30?

Dear all, I have an R77.30 SMS. Now I want to use R80.30 as my SmartLog and SmartEvent server. Can I do this? Thanks!