Michael_Horne
Michael_Horne inside Logging and Reporting 4 hours ago
views 779 5 2

Logs & Monitoring - Reverse DNS lookups incorrect

Hello,

I have been looking for information about how the reverse DNS lookup works for the "logs" in R80.10. The issue we have is that the FQDN being displayed in the Logs is incorrect. In the log view "ZRH-L00053" is displayed for the IP 10.166.138.158. When we check the DNS on the management server, the host ZRH-D00008 is the actual owner of this IP address in both directions, and ZRH-L00053 maps to another IP. If anyone has any information about how this reverse DNS lookup is working, it would be great.

Many thanks,
Michael
Yonghao_Gao
Yonghao_Gao inside Logging and Reporting yesterday
views 867 10

smartevent status attention

Dear all, my SMS is R80.10 and provides the SmartEvent service, but it has the following attention: "Scale is not according to recommendation". What does that mean?
Maik
Maik inside Logging and Reporting yesterday
views 232 1

Management server version != log server version != gateway version

Hello guys, I have a small question regarding a specific given setup. Let's say we have the following:

- Management server running R80.20 (no "M" release)
- Dedicated log server running R80.10
- Security gateway running R80.20

Will it be possible for the gateway to send logs to the log server with a "minor" version? I know that it is problematic, and without a specific patch not possible at all, to manage R80.20 gateways with an R80.10 management site. But I could not find any information about a situation where just the logging is "older". Currently we have just the management on R80.20 and the log server + gateways running R80.10. I'm just wondering if the log server needs to be updated before the gateways receive the upgrade.

Best regards & thanks for any hints,
Maik
Sergei_M
Sergei_M inside Logging and Reporting yesterday
views 368 2

Log Exporter Reexport

For the purpose of restoring logs after accidents, we tried to apply the command cp_log_export reexport. In practice, the unloading of logs was executed only for the period of the last 4 hours, which did not suit us. Is there an opportunity to unload the logs for a longer period? How is it done?
Leon_Jaimes
Leon_Jaimes inside Logging and Reporting Monday
views 332 4

Missing connection logs from 6500 gateway with R80.20 Take 18

Hello,

I just set up a 6500 gateway running the R80.20 Take 18 image and a Security Management Server on VMware running R80.20 M2; I don't have the build handy on that. This is a fairly sensitive environment, so I am hesitant to deploy R80.30 yet, but I have not done any technical digging into the relationship between the 6000 series and R80.30. I set up a handful of very basic policies, essentially the "Admin Access to Gateways", "Stealth", and then a few other rules which I have since removed, and now only have those two followed by a Test rule that is any/any/accept/log to troubleshoot.

The Gateway topology is:
- Mgmt connected to 10.20.20.0/24 as 10.20.20.100
- eth1 connected to a laptop as 10.30.30.0/24, with 10.30.30.1 on the interface and 10.30.30.2 on laptop-A.
- eth8 connected to another laptop as 34.34.34.0/29, with 34.34.34.1 on the interface and 34.34.34.5 on laptop-B.

There is a static NAT on the 10.30.30.2 object with IP 34.34.34.2, and a webserver running on laptop-A.

The SMS is:
- eth1 connected to 10.20.20.0/24 as 10.20.20.200

Blades enabled are: Firewall, Application Control, URL Filtering, Identity Awareness, Content Awareness, IPS, Anti-Virus, Anti-Bot.

SIC is fine, and there are some logs from the gateway about system events, but nothing for traffic. I can ping from Laptop-B to Laptop-A and I can see the connections with fw monitor hitting i I O o. The webpage loads, so NAT is working. I have been troubleshooting using sk40090 and none of the suggestions there have helped. I noticed that $FWDIR/conf/log_policy.C did not match, but that was not something that I recall having to set up in the past. I also noticed that in the General Properties of the gateway object there is no selection for the 6000 series, so I have that set to Other right now, but had initially tried using the settings for the 5000 series. The topology in the gateway object matches the way the interfaces are configured, and anti-spoofing is turned off.

I feel like I am missing something that is right in front of me. I'm away from the project for the next week, and I just went through DemoPoint and didn't see anything that looked different from the way I have it set up. Thought I'd put this out to you all and see what suggestions might come back.

Cheers,
Leon
Aitor_Carazo
Aitor_Carazo inside Logging and Reporting Monday
views 827 2

How can i print "Destination DNS Hostname" on an automatic reaction Mail

Hello CheckMates, I am looking to show the field "Destination DNS Hostname" in the email which SmartEvent sends as an automatic reaction. The field is the one in the image. Is there any way to do this? Also, I have another question regarding this post: is there any kind of documentation about SmartEvent's event fields? Thanks and regards

Custom view/report for application usage by user broken out by week over time

Hi there,

Looking to see if anyone has a view/report to share, or steps on how to. I would like a report listing, by user, the top x application usage shown on a weekly basis over a period of x weeks.

Example: a report showing a user's app usage over the last 9 weeks

user   Application Name   Week1   Week2   Week3   Week4   Week5   Week6   etc.
Joe    YouTube-HD         2GB     4GB     100Gb   30GB    4GB     400GB
Joe    Twitter            1GB     1GB     1Gb     1GB     0GB     200MB

Any ideas would be appreciated. We are running R80.10 with SmartEvent and accounting is on for logging. The User Activity report doesn't give us the form we would like to see. Thanks.

VPN Problem after Mgmt Upgrade to R80.20

Hi, I had some problems this weekend with the upgrade to R80.20. The setup is the following:

- Mgmt R77.30 upgraded to R80.20 (fresh install / migrate import)
- Cluster environment is on R77.30.

After a policy install from the R80.20 Mgmt, one of the two site-to-site tunnels goes down (third-party tunnel to a Palo Alto GW). It only gets as far as P1, and in VPND.elg I saw that there is a problem with the Pre-Shared Secret (but I did not change it). When I switch back to the old R77.30 Mgmt there are no issues on the tunnel and it works without any problems. At the moment I don't have the logs from the peer GW. In fw monitor I saw traffic on port 500. Has anyone had this issue? In the remote session with CP we did not find any issues; the SE told us we need the logs from the other site.
Yonghao_Gao
Yonghao_Gao inside Logging and Reporting Saturday
views 791 8

Can R77.30 send logs to R80.30?

Dear all, I have an R77.30 SMS. Now I want to use R80.30 as my SmartLog and SmartEvent server. Can I do that? Thanks!
Lee_Cassey
Lee_Cassey inside Logging and Reporting Thursday
views 40472 11 4

OPSEC LEA pull from a SIEM on R80.10 Smart-1 Log Server

So we have access to a Smart-1 Log Server with R80.10 and it is configured only as a logging server, no management server or other blades. It's receiving logs from several CP firewalls via a management server (which we don't have access to), and then these logs get forwarded to the above Smart-1 logging server, which we do have access to.

We are trying to set up an OPSEC/LEA connection for our SIEM to pull logs down from the logging server. We can create the connection, and SIC is generated and activated. Trouble is, the SIEM is complaining that it can't connect on 18210 to get the cert. We can access 18184 OK via the SIEM and telnet, but we get no response from either on port 18210. Our CP support engineer told us that because it is only configured as a logging server with no management blade, we won't be able to use OPSEC/LEA to pull logs from it and that syslog is the only option. Syslog doesn't work especially well with our SIEM as it needs some major parsing to account for the originating source devices being different from the server our SIEM receives syslogs from (i.e. the logging server).

Does anyone know if OPSEC/LEA is possible in this setup? Our SIEM providers say that this is the standard way most of their other clients retrieve logs from CP products. Just wondered if there is a way to use OPSEC/LEA at all in this scenario, or whether we have to live with the PITA syslog option that's not ideal for us?

Ta
HeikoAnkenbrand
HeikoAnkenbrand inside Logging and Reporting a week ago
views 78658 50 46

R80.10 Syslog Exporter

Via Check Point Support you get a Syslog exporter for SIEM applications for R80.10 Management, which allows an easy and secure method for exporting CP logs over syslog. Exporting can be done in a few standard protocols and formats.

Log Exporter supports: Splunk, ArcSight, RSA, LogRhythm, QRadar, McAfee.

Log Exporter is a multi-threaded daemon service, running on a log server. Each log that is written on the log server is read by the log exporter daemon, transformed into the desired format and mapping, and then sent to the end target.

Installation on R80.10 Jumbo Hotfix Take 56 or higher.

Syntax:

# cp_log_export add name <name> [domain-server <domain-server>] target-server <target-server> target-port <target-port> protocol <(udp|tcp)> [optional arguments]

Command Name   Command Description
add            Deploy a new Check Point logs exporter.
set            Updates an exporter's configuration.
delete         Removes an exporter.
show           Prints an exporter's current configuration.
status         Shows an exporter's overview status.
start          Starts an exporter process.
stop           Stops an exporter process.
restart        Restarts an exporter process.
reexport       Resets the current position, and re-exports all logs per the configuration.

Regards,
Heiko
Muditha_Thelisi
Muditha_Thelisi inside Logging and Reporting a week ago
views 3745 15

Searching for Address Spoofing Logs in R80

With SmartLog in R80 how can I search for 'Address Spoofing' logs? Which field should I select? With SmartView Tracker I could add a filter on Information column but with SmartLog I can't do the same.
Phaneath_Phourn
Phaneath_Phourn inside Logging and Reporting a week ago
views 264 2

Generate all Incident Report on SmartEvent

Hello CheckMates,

I got an inquiry from my client that they need to generate all Incident categories, as highlighted in the figure below. The default report summarizes only the 11,636 High and Critical Incidents; it doesn't show the other 30,846 Incidents which are Medium or Low. So, is there a place where we can see all Incidents (not only High and Critical Incidents)?

Thank you!
Phaneath
Bishal_Upadhyay
Bishal_Upadhyay inside Logging and Reporting a week ago
views 1438 6

Smartconsole not showing Gateway Status, cluster members and Management Server

Hi Everyone,

In SmartConsole, we are not able to view gateway status, along with cluster members and the Management Server too. However, it seems to be only a GUI issue, since every other logical function is working properly: cphaprob stat in the CLI shows both active and standby members, and database installation and policy installation are also taking place. We tried sk112058 but to no avail. The screenshots are attached herewith.

With Regards,
Bishal