Logging and Reporting

Have questions about viewing logs with SmartView, generating reports with SmartEvent Event Management, or exporting logs to a SIEM with Log Exporter? This is where to ask!

Unable to get audit logs from Checkpoint R80.10

Hi Team,

I am a SIEM engineer and want to integrate a Check Point firewall, R80.10 version, with ArcSight SIEM. We have used the Syslog exporter module in order to receive logs through syslog. Currently we are receiving traffic logs. Please could somebody help me with the exact configuration to be done at the firewall end in order to receive audit logs along with traffic logs.

Regards,
Mitesh Agrawal
Michael_Horne
Michael_Horne inside Logging and Reporting Wednesday
views 302 4

Traffic dropped with message information: "Rulebase Internal Error"

Hello,

We are having some traffic that is being dropped with the message information: "Rulebase Internal Error". As of yet I have not found any information related to what this message means and how it can be remedied. Normally this traffic should be allowed, but because of the issue, it appears the traffic is being dropped. Does anyone have any information that might help in resolving this or might aid the investigation?

Many thanks,
Michael
Runan_Chaung
Runan_Chaung inside Logging and Reporting Wednesday
views 788 10

Traffic calculations question

Environment: R80.20 on HP Server Gen10, bridge mode.

I have some questions about traffic logs and calculations.
1. When the Application Name is "Unknown Traffic", the traffic log displays wrong values.
2. And I found some logs display nothing about traffic.
3. When I use a view or report to calculate traffic, it cannot calculate by destination IP address.

log:
view:

How could I change my configuration to make it right?
marcherren
marcherren inside Logging and Reporting Wednesday
views 93 3

How to get the total number of hits of a query in Smartview?

How can I get the total number of hits of a given query in a given timeframe in SmartView? I need the total number to perform some tuning/behavior analysis. Currently I'm using fw log | <grep> | wc -l, but this is very very very slow......
MattDunn
MattDunn inside Logging and Reporting Tuesday
views 237 5

Custom Reports Help

Hi everyone,

I've recently upgraded a customer from R77.30 to R80.30. Previously they had SmartReporter and had reports emailed in automatically every month. I've had to start again from scratch recreating the reports in R80.30, and I'm really struggling to get my head around how to recreate some of the reports. R80.x reporting is sooooo different.

Here is one of the old reports that the customer still wants. Can anyone tell me how to recreate this? I've tried all sorts and can't figure out how to get a table showing the same info as before.

Thanks,
Matt
Juraj_Skalny
Juraj_Skalny inside Logging and Reporting Tuesday
views 863 16 2

URL filtering vs Anti-Bot vs Anti-Virus

Hello, hope you are doing good.

We are just wondering why there are loads of sites detected by URL Filtering as botnets or Spyware/Malicious sites, but those are not prevented by the active Anti-Bot or Anti-Virus blade.

Thanks,
Juraj
GGiorgakis
GGiorgakis inside Logging and Reporting Monday
views 191 10

show different object name in logs

Dear Support Team,

I had an object named XXX with sample IP address 1.2.3.4. Then I created a new object with name ZZZZ and IP address 1.2.3.4, and I was not informed that an object with that address already existed. By searching in the object explorer I saw the new object name ZZZZ for IP address 1.2.3.4. Then when I search in the logs I see the name XXX. Any advice on how to resolve it?
Juraj_Skalny
Juraj_Skalny inside Logging and Reporting Sunday
views 543 11 6

DNS Trap Protection

Hello Guys,

I would like to follow up on the following posts:
https://community.checkpoint.com/t5/Logging-and-Reporting/Threat-Prevention-dns-trap-and-resource-categorization/td-p/18638
https://community.checkpoint.com/t5/IPS-Anti-Virus-Anti-Bot-Anti/Some-DNS-request-not-block-by-AV-blade/m-p/26588#M784

What we would like to find out is how long the firewall keeps the information about a malicious domain in cache. The DNS reply is changed to the Bogus IP by the firewall as long as the malicious domain is in cache. The problem we see is that the cache is maybe too short, as "Connection was allowed because background classification mode was set. See sk74120 for more information." appears in the logs too often for the same malicious domain. We would expect to see this classification event once and then lots of changes to the Bogus IP. But that is not the case.

There is no documentation on CP covering this info or how to change it. Or we have just overlooked it.

In our understanding, this way lots of malicious activities are just allowed only because the firewall needs to let DNS resolution requests go, because those need to be classified in the first place over and over again.

Thanks and regards,
Juraj
Henning_Aga
Henning_Aga inside Logging and Reporting Sunday
views 766 6 2

Cannot add log server to smartevent

We have configured SmartEvent R80.10 (dedicated) and, by following sk110894, gotten a few domains and logs into SmartEvent. (We get the "Correlating logs to events. The log correlation unit is not able to read logs from Log server: . Please run 'cpstat cpsead'" message, but we see logs and events, so we're assuming this is cosmetic.) However, so far we are _only_ able to add logs from domains where the firewall logs to a dedicated log server. If the firewalls in the domain we add log to the management, it does not appear in "General settings -> Initial settings -> Correlation Units -> Add" (select domain where the firewall logs to management, not to a dedicated log server). Has anybody seen anything similar?
Zocki82
Zocki82 inside Logging and Reporting a week ago
views 173

Dropping instead of rejecting SAM rules created by SmartEvent Automatic Block Reactions

Hello all,

We have been using SmartEvent in our R80.20 Jumbo Hotfix Take 118 environment for quite a while to track suspicious activities such as DoS attacks. As designed for DDoS attacks, we use the automatic reaction "block event activity" to block multiple sources for this type of event. Unfortunately, when such an event occurs, the automatically created SAM rule in SmartView Monitor only rejects the traffic. When manually creating a SAM rule, you can configure the type of action (Notify/Reject/Drop). I couldn't find the option in the R80.20 Logging and Monitoring Admin Guide, or anywhere else, to (globally) set this action for SmartEvent-created SAM rules from Reject to Drop. Does anyone have an idea?

Best regards
Oliver
quanglnh
quanglnh inside Logging and Reporting a week ago
views 912 16

Checkpoint OPSEC LEA with LogRhythm SIEM

Hi Everyone,

I have a Smart-1 5150 device that manages 90 Check Point gateways. I want to integrate it with LogRhythm SIEM. I created a host object for the LogRhythm SIEM with its IP. I created an OPSEC Application for it and also pulled certificates from the Check Point Smart-1 device. Now I need to provide the information below on the LogRhythm SIEM:

opsec_sic_name "OPSEC_APP_SIC_DN"
lea_server ip IP_ADDRESS
lea_server auth_port 18184
lea_server auth_type sslca
lea_server opsec_entity_sic_name "LOG_SERVER_DN"
opsec_sslca_file "C:\checkpoint_config\opsec.p12"

"OPSEC_APP_SIC_DN" is the DN name in the OPSEC Application, which is "CN=LogRhythm-XM,O=CP-Smart1..ksmkv" in my picture. Is this correct?

"lea_server auth_type" is sslca. Is sslca the only type, or is there any other type?

"LOG_SERVER_DN": I am not sure where to collect this info. I went to the web portal of the Smart-1 device and see the DN in the Certificate Authority tab as below:

Is this the right DN for "LOG_SERVER_DN"? Since the Smart-1 device I manage controls all the other firewalls, the "LOG_SERVER_DN" is the DN of the Smart01 device, right? After configuring, I still can't receive any logs on the LogRhythm SIEM about Check Point OPSEC. Please help me solve this issue. Thanks!
Rodarcqu
Rodarcqu inside Logging and Reporting a week ago
views 175 3

Could not receive data from the server (CPMI error code: Failed to process request - 800415f2)

Hello,

Please let me know if you have had this error before. On the SmartView Monitor, if we run the Top Services on one of the interfaces, I receive these messages:

All the Best,
Syad_Sulthan
Syad_Sulthan inside Logging and Reporting a week ago
views 189 3

VPN Users activity report

We are using R80.30. I am trying to get a report for a group of VPN users' activity, for example, what sites they accessed using VPN, along with the bandwidth. Can someone help me with this report?
pnorman821
pnorman821 inside Logging and Reporting a week ago
views 209 2

Checkpoint Log Exporter

Hi,

Question around the use of the Log Exporter: we have an environment where the SmartCenter server is used as the logging server. Can the Log Exporter be installed on the SmartCenter server, or can it only be set up on a SmartLog server?

Thanks
Paul Norman
Sried
Sried inside Logging and Reporting a week ago
views 238 4

Skype for business content sharing R80.20 shows private IP destination in logs

Good Morning everyone,

I have experienced a weird behaviour in past weeks regarding Skype for Business and Cisco AnyConnect.

Issue: Users trying to connect via Cisco AnyConnect or attend a Skype meeting with shared content are unable to establish a connection.

Environment: R80.20 running on the gateways. HTTPS Bypass set for all known Skype URLs. Any service allowed for all known Microsoft Skype server IPs set in the Application filter.

Behaviour: when I check the logs of the failed clients, I see a few packets to a valid Microsoft server range (e.g. 52.112.0.0/14). The traffic to this IP gets a reject with the message "First packet isn't SYN". Then I see a lot of packets trying to connect to a private 10.* range, which is of course blocked in the firewall ruleset.

Did anybody experience the same problem?

With best regards