cancel
Showing results for 
Search instead for 
Did you mean: 
Create a Post
Ants
Ants inside Logging and Reporting 11 hours ago
views 124 5

FW logs shows in tracker but not in smartconsole logs

Hi All,Weird scenario atm.. we have a management server (with log server) running R80.30 with 4 clusters sending logs to it al working as expected..We added a new cluster (80.10) recently but for some weird reason I cannot see logs in the smartconsole..I can confirm logs are being sent correctly to the sms..If I open the console, go to 'logs & monitor', select 'new tab' and select logs and log view.. I see all the other FWs logs.. but no logs from the new cluster.. now here's the kicker..- the new cluster's logs are showing in the tracker fine.. along with al the other FWs..- also I can see the new cluster's logs in smartconsole only if I go to logs, select 'options', 'file' and then choose to 'open log file' and select the 'fw.log' - then i can see them.It is just when you open the default log tab none of the logs shows.. which is using the fw.log file also.so its only if I manually select to open the fw.log file that I can see the logs.. if that makes sense.Could this be a bug perhaps? or maybe need to reindex? any ideas?thanks in advance. 
TheRealDiZ
TheRealDiZ inside Logging and Reporting 13 hours ago
views 336 7

NAT Rule Number 0

Hi Guys,We got some weird issues with NAT on R80.20 (no hf installed).When we check logs we notice that basically the traffic was hitting a rule called "NAT Rule Number 0".What does it stands for?I have tried to check NAT Rules/Objects/implied rules/global properties and I was not able to find anything related to it or anything related to NAT for that specific network/objects. Let me know,RealD!Z
Michael_Horne
Michael_Horne inside Logging and Reporting 14 hours ago
views 34 1

Traffic dropped with message information: "Rulebase Internal Error"

Hello, We have are having some traffic that is being dropped with the message information: "Rulebase Internal Error"As of yet I have not found any information related to what this message and how it can be remedied.Normally this traffic should be allowed, but because of the issue, it appears the traffic is being dropped.Has anyone have any information that might help in resolving this or might aid the invesitgation?Many thanks,Michael
Laurent_LF
Laurent_LF inside Logging and Reporting 18 hours ago
views 20

Lots of "Missing OS route" logs after upgrade R77.30 -> R80.30

Hi, We recently upgraded our cluster from R77.30 to R80.30. Following this upgrade we have a very high number of "Missing OS route" logs because of Multicast traffic not being handled by the firewall. We had no Multicast routing enabled on R77.30 neither but this was not causing this kind of logs. Is there a way to disable those logs for Multicast traffic reaching the FW interfaces ? or any other ideas that could suppress those logs ?Thanks.Laurent
inside Logging and Reporting yesterday
views 2800 5

Smart Reporter

We considering upgrading to R80, and we are using the Smart Reporter many times.Can I generate reports like I did in R77.30 with Smart Reporter?
quanglnh
quanglnh inside Logging and Reporting yesterday
views 494 12

Checkpoint OPSEC LEA with LogRhythm SIEM

Hi Everyone, I have a Smart-1 5150 device that manage 90 checkpoint gateway. I want to integrated it with LogRhythm SIEM.I was create a host object for LogRhythm SIEM with it IP.I was create a OPSEC Application for it and also pull certificates from Check Point Smart-1 devices.Now i need to provide the information below on LogRhythm SIEM :opsec_sic_name "OPSEC_APP_SIC_DN"lea_server ip IP_ADDRESSlea_server auth_port 18184lea_server auth_type sslcalea_server opsec_entity_sic_name "LOG_SERVER_DN"opsec_sslca_file "C:\checkpoint_config\opsec.p12" "OPSEC_APP_SIC_DN" is the DN name in OPSEC Application which is "CN=LogRhythm-XM,O=CP-Smart1..ksmkv" in my picture. Is this corect ?"lea_server auth_type" is sslca. Is this only 1 type is sslca or any orther type ?"LOG_SERVER_DN" i not sure where to collect this infor ? i going to the web portal of Smart-1 device and see the DN in Certificate Authority tab as below :is this the right DN for "LOG_SERVER_DN". Since Smart-1 devices í manage all orther firewall, the "LOG_SERVER_DN" is the DN of Smart01 device, right ? Cause after configure, i still can't receive any log on LogRhythm SIEM about Check Point OPSEC. Please help me solve this issue. Thanks!
NeilDavey
NeilDavey inside Logging and Reporting yesterday
views 104 2

Logs and Monitor Rule:7 to 27

I am reviewing logs for services and I have a list of rules that I want to search against rather than my whole rule base.Is there a search criteria that I can use for this?ie rule:7 will show this rule but I want to search rules:7-27 but I don't know if this is possible?
Enyi_Ajoku
Enyi_Ajoku inside Logging and Reporting yesterday
views 541 6

All online jobs-The Correlation Unit can't connect to one of its Log Servers

Had to shutdown over the weekend for some power installation. Got in this morning, booted up the management station (R80.10) and had this errorWarning (All online jobs-The Correlation Unit can't connect to one of its Log Servers. Please make sure connectivity between the Correlation Unit and Log Server isn't blocked. There is no need to stop the job.)Would appreciate all the helpThank You  
Kenneth_Greger1
Kenneth_Greger1 inside Logging and Reporting Wednesday
views 1835 6 2

Log Indexer crashing - SmartLog not working

HiWe have been struggling, since before Christmas, with our R80.10 SmartCenter server (R80.10 - Build 439).Every now and then (after a few hours and/or days) the SmartLog is not working. Meaning that it is not possible to view the log files in the SmartDashboard GUI client (SmartView).We can see that the SmartCenter is receiving the logs, but the INDEXER service is crashing.A workaround has been to do evstop.Then look into $INDEXERDIR/log/log_indexer.elg and find the offending log file that the INDEXER process is not able to parse. Typically the file name it will show up right before an entry that reads:log_indexer 30145 3804232592] Jan 16:05:41] Start reading 127.0.0.1:2019-01-02_151203_1.log [1546423998] at position 5738761 [2 Jan 16:05:41] CBinaryLogFile::ReplaceFileToTableMemStringID: error - can't get mem string id[2 Jan 16:05:41] CBinaryLogFile::ReplaceTableStringId error: couldn't get file string_id, will set to default NULL VALUE[2 Jan 16:05:41] CBinaryLogFile::ReplaceFileToTableMemStringID: error - can't get mem string id[2 Jan 16:05:41] CBinaryLogFile::ReplaceTableStringId error: couldn't get file string_id, will set to default NULL VALUEThen we edit the file $INDEXERDIR/data/FetchedFiles, mark the offending file as finished - and the INDEXER will move on to the next log file. This procedure is described in sk116117.In some cases it does not indicate which files is problematic at all. What we do then is to evstop;evstart - and (usually) after some time it will show the offending log file.We have tried to re-install SmartCenter, but the problem persists.Both our vendor and CheckPoint is involved in the case, but so far they have not come up with a solution.Any input is greatly appreciated./Kenneth
John_Fulater
John_Fulater inside Logging and Reporting Tuesday
views 131 2

SmartEvent Smartview Read-only access

I would like to give users web access to view the SmartEvent information. I have set up the users with read-only profiles and this works great for the logs.  This issue is that all the other screens have "query failed" on all the panels of the General Overview, Access Control and Threat tabs.I would like to just give read access but do not want to have all users install the client. Thank you,John Fulater
Gomboragchaa_Ja
Gomboragchaa_Ja inside Logging and Reporting Monday
views 3457 14 1

Log Time difference

I have Management R80.10 take 121. Times in logs is one hour late.I tried sk61941 but no success, enabling NTP didn't help.When running #hwclock --systohc time is synchronized but not the logs timestamp.We using few time based rules. Time issue affected rules also.It looks like there is a bug.Is there any information if this is bug or maybe I am doing something wrong?
Marc_Burie
Marc_Burie inside Logging and Reporting Sunday
views 212 3

Windows Remote client Version in logs R80.20

Hello,I want to study version of my remote clients connecting to my gatewayI search the client version in logs fieds ( others )  ... nothingIt's possible in R80.20 tracker ,  but not in SmartConsole ...We are in R80.20 An idea ?
Lucas_Planchere
Lucas_Planchere inside Logging and Reporting a week ago
views 914 7 2

OPSEC lea missing log information

Ho all, We are using opsec lea to send logs to our SIEM and it is working fine, but we are missing some valuable information in the logs sent this way. For example we don't have the log information for the reason of a block, or the rule that trigger the log. Those logs are visible on the checkpoint interface but apparently opsec lea do not forward them.Anybody knows if we can forward those information as well ?I know that we should now use the log exporter instead of opsec lea, but our siem do not support it yet.. Thanks ! 
Rajput_Arvind
Rajput_Arvind inside Logging and Reporting a week ago
views 245 3 3

R80.10 integration with SIEM tool

Hi All,We are upgrading our MDS from R77.30 to R80.10. And there few SIEM tool integrated with it.So I just wanted to know if anything needs to be done either on Checkpoint or SIEM tool to make it compatible with R80.10. Customer doesn't want to go for Log-Exporter for now.Below are the SIEM tool integrated at the moment with R77.30ArcsightIntegralsLoglogicTufinSplunkeiq-testwebtrends41-lea2 
apara
apara inside Logging and Reporting a week ago
views 150 4

Checkpoint VSX log don't filter the origin virtual system name

Checkpoint VSX log don't filter the virtual system name origin, if i search for destination and/or source i see the gateway name on origin, but if i want use the filter on Origin, i don't find the virtual systemIt's Gaia 80.30What could be the problem?