MattDunn inside Logging and Reporting 2 hours ago
views 23 1

Upgrade Reporter to R80.x

Hi all,
Does anyone know the best way to upgrade Reporter from R773.30 to R80.30? I don't care about previous events - what I really need is all of the custom reports to be migrated over, because Reports in R80 are so different to R77 and I just can't figure out how to accurately replicate what the customer used to have, and wants to retain.
Previously I had a Smart-1 205 for Management and another Smart-1 205 for Logs/Event/Reporter. When both R77.30 and the appliance hardware went end of life I replaced with a single Smart-1 405 to run it all. I did a migrate export/import to take the rules across. Happy days. But I'm struggling to get the old reports migrated over. The old appliance won't take R80.30, so I can't do an in place upgrade then export the upgraded config.
So far I've tried building a new server in my lab, R77.30, "evs_backup" from the old appliance, restore to my lab server and everything works fine, as expected. But then the R80.30 upgrade always bombs out. I've tried too many times to count. It does the first bit of upgrade and reboots, then continues the upgrade after the reboot and bombs at 40% while it's importing the database, then it reverts to the R77.30 snapshot.
I've tried, which leads to sk110173. Everything appears to work fine, but when I go back in to SmartConsole - Reports, the custom reports from the previous appliance are not there, so I guess this procedure doesn't copy the custom report config.
Is there a way to migrate over the R77.30 custom reports to R80? Or do I just have to start from scratch with the R80 default reports?
Cheers, Matt
Laurent_LF inside Logging and Reporting yesterday
views 50 1

Lots of "Missing OS route" logs after upgrade R77.30 -> R80.30

Hi,
We recently upgraded our cluster from R77.30 to R80.30. Following this upgrade we have a very high number of "Missing OS route" logs because of Multicast traffic not being handled by the firewall. We had no Multicast routing enabled on R77.30 either but this was not causing this kind of logs.
Is there a way to disable those logs for Multicast traffic reaching the FW interfaces? Or any other ideas that could suppress those logs?
Thanks. Laurent
Ants inside Logging and Reporting Friday
views 140 5

FW logs shows in tracker but not in smartconsole logs

Hi All,
Weird scenario atm.. we have a management server (with log server) running R80.30 with 4 clusters sending logs to it all working as expected..
We added a new cluster (80.10) recently but for some weird reason I cannot see logs in the smartconsole.. I can confirm logs are being sent correctly to the sms..
If I open the console, go to 'logs & monitor', select 'new tab' and select logs and log view.. I see all the other FWs logs.. but no logs from the new cluster.. now here's the kicker..
- the new cluster's logs are showing in the tracker fine.. along with all the other FWs..
- also I can see the new cluster's logs in smartconsole only if I go to logs, select 'options', 'file' and then choose to 'open log file' and select the 'fw.log' - then I can see them.
It is just when you open the default log tab none of the logs shows.. which is using the fw.log file it's only if I manually select to open the fw.log file that I can see the logs.. if that makes sense.
Could this be a bug perhaps? or maybe need to reindex? any ideas?
thanks in advance.
TheRealDiZ inside Logging and Reporting Friday
views 340 7

NAT Rule Number 0

Hi Guys,
We got some weird issues with NAT on R80.20 (no hf installed). When we check logs we notice that basically the traffic was hitting a rule called "NAT Rule Number 0". What does it stand for?
I have tried to check NAT Rules/Objects/implied rules/global properties and I was not able to find anything related to it or anything related to NAT for that specific network/objects.
Let me know, RealD!Z

Traffic dropped with message information: "Rulebase Internal Error"

Hello,
We are having some traffic that is being dropped with the message information: "Rulebase Internal Error"
As of yet I have not found any information related to what this message means and how it can be remedied.
Normally this traffic should be allowed, but because of the issue, it appears the traffic is being dropped.
Does anyone have any information that might help in resolving this or might aid the investigation?
Many thanks, Michael
inside Logging and Reporting Thursday
views 2803 5

Smart Reporter

We are considering upgrading to R80, and we are using the Smart Reporter many times. Can I generate reports like I did in R77.30 with Smart Reporter?
quanglnh inside Logging and Reporting Thursday
views 496 12

Checkpoint OPSEC LEA with LogRhythm SIEM

Hi Everyone,
I have a Smart-1 5150 device that manages 90 checkpoint gateways. I want to integrate it with LogRhythm SIEM.
I created a host object for LogRhythm SIEM with its IP.
I created an OPSEC Application for it and also pulled certificates from Check Point Smart-1 devices.
Now I need to provide the information below on LogRhythm SIEM:
opsec_sic_name "OPSEC_APP_SIC_DN"
lea_server ip IP_ADDRESS
lea_server auth_port 18184
lea_server auth_type sslca
lea_server opsec_entity_sic_name "LOG_SERVER_DN"
opsec_sslca_file "C:\checkpoint_config\opsec.p12"
"OPSEC_APP_SIC_DN" is the DN name in OPSEC Application, which is "CN=LogRhythm-XM,O=CP-Smart1..ksmkv" in my picture. Is this correct?
"lea_server auth_type" is sslca. Is sslca the only type, or is there any other type?
"LOG_SERVER_DN": I am not sure where to collect this info. I went to the web portal of the Smart-1 device and see the DN in the Certificate Authority tab as below:
Is this the right DN for "LOG_SERVER_DN"? Since Smart-1 devices manage all other firewalls, the "LOG_SERVER_DN" is the DN of the Smart01 device, right? Because after configuring, I still can't receive any log on LogRhythm SIEM about Check Point OPSEC.
Please help me solve this issue. Thanks!
NeilDavey inside Logging and Reporting Thursday
views 112 2

Logs and Monitor Rule:7 to 27

I am reviewing logs for services and I have a list of rules that I want to search against rather than my whole rule base. Is there a search criteria that I can use for this? I.e. rule:7 will show this rule but I want to search rules:7-27 but I don't know if this is possible?
Enyi_Ajoku inside Logging and Reporting Thursday
views 546 6

All online jobs-The Correlation Unit can't connect to one of its Log Servers

Had to shut down over the weekend for some power installation. Got in this morning, booted up the management station (R80.10) and had this error:
Warning (All online jobs-The Correlation Unit can't connect to one of its Log Servers. Please make sure connectivity between the Correlation Unit and Log Server isn't blocked. There is no need to stop the job.)
Would appreciate all the help. Thank You
Kenneth_Greger1 inside Logging and Reporting Wednesday
views 1835 6 2

Log Indexer crashing - SmartLog not working

Hi
We have been struggling, since before Christmas, with our R80.10 SmartCenter server (R80.10 - Build 439).
Every now and then (after a few hours and/or days) the SmartLog is not working. Meaning that it is not possible to view the log files in the SmartDashboard GUI client (SmartView).
We can see that the SmartCenter is receiving the logs, but the INDEXER service is crashing.
A workaround has been to do evstop. Then look into $INDEXERDIR/log/log_indexer.elg and find the offending log file that the INDEXER process is not able to parse. Typically the file name will show up right before an entry that reads:
log_indexer 30145 3804232592] Jan 16:05:41] Start reading [1546423998] at position 5738761
[2 Jan 16:05:41] CBinaryLogFile::ReplaceFileToTableMemStringID: error - can't get mem string id
[2 Jan 16:05:41] CBinaryLogFile::ReplaceTableStringId error: couldn't get file string_id, will set to default NULL VALUE
[2 Jan 16:05:41] CBinaryLogFile::ReplaceFileToTableMemStringID: error - can't get mem string id
[2 Jan 16:05:41] CBinaryLogFile::ReplaceTableStringId error: couldn't get file string_id, will set to default NULL VALUE
Then we edit the file $INDEXERDIR/data/FetchedFiles, mark the offending file as finished - and the INDEXER will move on to the next log file. This procedure is described in sk116117.
In some cases it does not indicate which file is problematic at all. What we do then is to evstop;evstart - and (usually) after some time it will show the offending log file.
We have tried to re-install SmartCenter, but the problem persists.
Both our vendor and CheckPoint are involved in the case, but so far they have not come up with a solution.
Any input is greatly appreciated.
/Kenneth
John_Fulater inside Logging and Reporting Tuesday
views 139 2

SmartEvent Smartview Read-only access

I would like to give users web access to view the SmartEvent information. I have set up the users with read-only profiles and this works great for the logs. The issue is that all the other screens have "query failed" on all the panels of the General Overview, Access Control and Threat tabs.
I would like to just give read access but do not want to have all users install the client.
Thank you, John Fulater
Gomboragchaa_Ja inside Logging and Reporting Monday
views 3462 14 1

Log Time difference

I have Management R80.10 take 121. Times in logs are one hour late.
I tried sk61941 but no success, enabling NTP didn't help.
When running #hwclock --systohc time is synchronized but not the logs timestamp.
We are using a few time based rules. The time issue affected the rules also.
It looks like there is a bug. Is there any information if this is a bug or maybe I am doing something wrong?
Marc_Burie inside Logging and Reporting Sunday
views 224 3

Windows Remote client Version in logs R80.20

Hello,
I want to study the version of my remote clients connecting to my gateway.
I searched for the client version in the logs fields (others) ... nothing.
It's possible in R80.20 tracker, but not in SmartConsole ...
We are in R80.20.
An idea?
Lucas_Planchere inside Logging and Reporting a week ago
views 917 7 2

OPSEC lea missing log information

Hi all,
We are using opsec lea to send logs to our SIEM and it is working fine, but we are missing some valuable information in the logs sent this way. For example we don't have the log information for the reason of a block, or the rule that triggers the log. Those logs are visible on the checkpoint interface but apparently opsec lea does not forward them.
Anybody know if we can forward that information as well?
I know that we should now use the log exporter instead of opsec lea, but our siem does not support it yet..
Thanks!
Rajput_Arvind inside Logging and Reporting a week ago
views 246 3 3

R80.10 integration with SIEM tool

Hi All,
We are upgrading our MDS from R77.30 to R80.10. And there are a few SIEM tools integrated with it.
So I just wanted to know if anything needs to be done either on Checkpoint or the SIEM tool to make it compatible with R80.10. Customer doesn't want to go for Log-Exporter for now.
Below are the SIEM tools integrated at the moment with R77.30:
Arcsight
Integrals
Loglogic
Tufin
Splunk
eiq-testwebtrends41-lea2