Marc_Burie
Marc_Burie inside Logging and Reporting Friday
views 65 1

Windows Remote client Version in logs R80.20

Hello, I want to study the version of my remote clients connecting to my gateway. I searched for the client version in the log fields (others) ... nothing. It's possible in R80.20 tracker, but not in SmartConsole ... We are on R80.20. Any idea?
Lucas_Planchere
Lucas_Planchere inside Logging and Reporting Friday
views 865 7 2

OPSEC lea missing log information

Hi all, we are using OPSEC LEA to send logs to our SIEM and it is working fine, but we are missing some valuable information in the logs sent this way. For example, we don't have the log information for the reason of a block, or the rule that triggered the log. Those logs are visible on the Check Point interface, but apparently OPSEC LEA does not forward them. Does anybody know if we can forward that information as well? I know that we should now use the Log Exporter instead of OPSEC LEA, but our SIEM does not support it yet. Thanks!
Rajput_Arvind
Rajput_Arvind inside Logging and Reporting Friday
views 114 3 2

R80.10 integration with SIEM tool

Hi All, we are upgrading our MDS from R77.30 to R80.10, and there are a few SIEM tools integrated with it. So I just wanted to know if anything needs to be done either on Check Point or on the SIEM tools to make them compatible with R80.10. The customer doesn't want to go for Log Exporter for now. Below are the SIEM tools integrated at the moment with R77.30: Arcsight, Integrals, Loglogic, Tufin, Splunk, eiq-testwebtrends41-lea2
apara
apara inside Logging and Reporting Thursday
views 141 4

Checkpoint VSX log doesn't filter the origin virtual system name

Checkpoint VSX log doesn't filter the virtual system name origin. If I search for destination and/or source I see the gateway name on origin, but if I want to use the filter on Origin, I don't find the virtual system. It's Gaia 80.30. What could be the problem?
Tom_Cripps
Tom_Cripps inside Logging and Reporting Monday
views 216 2

Is it possible to see hits on the HTTPS Inspection Rulebase?

Hi there, does anyone know if it is possible to see hits against rules within HTTPS Inspection?
Richard_Nock
Richard_Nock inside Logging and Reporting a week ago
views 199 6 1

Logging not working for Azure CloudGuard gateways and SMS behind NAT

Our topology is as follows:

10.3.3.4/27 - BackEnd Subnet
Azure Firewall (R80.10)
10.2.2.4/27 - FrontEnd Subnet
|
Azure Check Point Cluster Public IP
|
( Internet )
|
1.2.3.4/29
On-Prem Check Point 5400 Series Appliance Cluster (R80.10)
10.1.1.1/24
|
10.1.1.5/24 (1.2.3.5/29 NAT IP)
SmartCenter/Security Management Server (R80.30)

As you can see our SMS is NATed behind our 5400 series appliances which it also manages. The management object has the private 10.1.1.5/24 defined as the IP in the General Properties tab and then public 1.2.3.5/29 is defined in the NAT tab, set to static IP, install on 5400 series gateway and Apply for Security Gateway control connections ticked.

This works for all of our other physical appliances - logging and CRL checking, all fine. However, this does not work for the Azure gateways as they persistently want to get to the SMS on the private IP, which doesn't work.

Things we've tried:

1. Editing the masters file by replacing the SMS name with the public IP of the management then locking the file changes using the chattr command. We've had limited success with this - if we make the change and restart the FWD service it will start working, but if we push policy again it will start using the private IP again. I'm looking for something more permanent.
2. Creating a dummy object with the IP of 1.2.3.5, tick Logging & Status blade, then select this as the logging server for the Azure gateways. The Azure gateways pick up the change, but they still persist in sending logs to the private IP.
3. Tried adding a NAT rule to the top of the NAT policy for anything from src:10.2.2.4/27 (FrontEnd Subnet) to dst: 10.1.1.5 (private SMS) then translate to dst:1.2.3.5 (public SMS). No luck here either.

I originally thought it was because we were using an older R80.10 template, but I've deployed a new R80.20 cluster in Azure and updated to the latest jumbo and we still get the same issue.

Running out of ideas now, any help/suggestions would be appreciated 🙂
GGiorgakis
GGiorgakis inside Logging and Reporting a week ago
views 205 2

Firewall R77.30 stops logging IPS logs on SMS R80.20

Firewall R77.30 stopped logging IPS logs on SMS R80.20. Please note that FW logs are still logging properly. I confirm that the GW has installed the latest IPS policy package and all services are up. I also verified disk space on the log server and tried installing policy again without any changes. Is anyone facing something similar?
Greg_Galowitz
Greg_Galowitz inside Logging and Reporting a week ago
views 226 3

'Identity Awareness' is not responding

I noticed users are being shown in my logs. When I check the Device Stats I am getting this error message:

Warning ('Identity Awareness' is not responding. Verify that 'Identity Awareness' is installed on the gateway. If 'Identity Awareness' should not be installed verify that it is not selected in the Products List of the gateway (SmartDashboard > Security Gateway > General Properties > Software Blades List).)

The blade is turned on and AD is connected.

# adlog a dc
Domain controllers:
Domain Name IP Address Events (last hour) Connection state
============================================================================================================
x.local 192.168.100.X 28 has connection
x.local 192.168.100.X 601 has connection
x.local 192.168.100.X 36 has connection

I am in production right now and can't restart the firewall. How do I restart just Identity Awareness?

Thank you,
Greg
Olga_Kuts
Olga_Kuts inside Logging and Reporting a week ago
views 5175 20 6

Number of connections depending on dst addresses

Hi! We have a certain group of destination addresses. We need to calculate the total number of connections for this group for a certain period of time. How can we do this in R80.10 in SmartConsole as well as from the CLI? We need exactly the number of connections, not events. Thank you!
Dan_Zada
inside Logging and Reporting 2 weeks ago
views 198
Employee+

Log Exporter - Links

Hello all, I'm happy to inform you that we added a new feature to the log exporter - the ability to export links to the log card in SmartView and to the log attachment (such as Forensics report, TE report and more). When drilling down into the exported link, the customer will be requested to log in to SmartView and then the log card or the log attachment will be opened automatically. You can now enjoy better integration with your SIEM product and get quick value from our log attachments. More information, including basic and advanced instructions, can be found in SK122323. If you have any questions or comments, let me know. Thanks! Dan.
kobilevi
kobilevi inside Logging and Reporting 2 weeks ago
views 155 3

Smart event script reactions

Hello, I'm using the SmartEvent console to react to events and make some changes in my organization. As I see, there is an option for "external script". Does anyone have some example scripts? Thanks
Paul_Mainhardt1
Paul_Mainhardt1 inside Logging and Reporting 2 weeks ago
views 547 7

Firewalls stop logging to Management Server (R80.20)

We are currently experiencing issues with logging from our firewalls to the management server. It logs correctly for a while, then all of a sudden stops logging. We are running 5600 appliances for our gateways and our management server is an open server. We are running R80.20 T87 for both our firewalls and SMS. I suspect it's something related to high CPU for fw_full, as I notice it reaches 80-90% CPU but fw_worker_0 - 2 have low CPU usage. I do have Identity Awareness, App Control, URL Filtering, IPS, Threat Emulation, Anti-Bot and Antivirus turned on for the gateways. I am not sure if one of these blades is causing us issues.
Sried
Sried inside Logging and Reporting 2 weeks ago
views 368 11

CP R80.30 Not allowed SSL version

Hi Everyone, I'm currently encountering an issue with several drops of different services being rejected with the message "Not allowed SSL version". I checked the DB settings: ssl_min_ver is set to sslv3 while max is set to tls1.2. I also created a separate rule for SSL inspection as described in sk34182, yet I still receive the error. Currently it blocks me from initiating an RDP session within an existing Site 2 Site VPN connection.

Remote_Desktop_Protocol (TCP/3389)
Reject
Not allowed SSL version

So far I was not able to find any other SK article regarding this issue. Has anyone else encountered this problem?
TheRealDiZ
TheRealDiZ inside Logging and Reporting 2 weeks ago
views 276 4

NAT Rule Number 0

Hi Guys, we got some weird issues with NAT on R80.20 (no hf installed). When we check logs we notice that basically the traffic was hitting a rule called "NAT Rule Number 0". What does it stand for? I have tried to check NAT Rules/Objects/implied rules/global properties and I was not able to find anything related to it or anything related to NAT for that specific network/objects. Let me know, RealD!Z
Ntsolution
Ntsolution inside Logging and Reporting 2 weeks ago
views 244 3

Custom Mail alert

Hi, we want to get a mail alert like this:

HeaderDateHour: 25Sep2019 11:04:47;ContentVersion: 5;HighLevelLogKey: 6192227919086323757;Uuid: {0x5d8b1f9f,0x6,0xd2f190a,0xc0000001};SequenceNum: 68;Action: drop;Origin: fw1;IfDir: >;InterfaceName: bond1.600;Alert: mail;and etc.

But we have:

HeaderDateHour: 25Sep2019 11:04:47; ContentVersion: 5; HighLevelLogKey: 6192227919086323757; Uuid: {0x5d8b1f9f,0x6,0xd2f190a,0xc0000001}; SequenceNum: 68; Action: drop; Origin: fw1; IfDir: >; InterfaceName: bond1.600; Alert: mail; OriginSicName: CN=fw1,O=srv-fwmgt-01.kfim.int.qaps4b; OriginSicName: CN=fw1,O=srv-fwmgt-01.kfim.int.qaps4b; HighLevelLogKey: 6192227919086323757; inzone: Internal; outzone: External; service_id: https; src: ******; dst: **********; proto: tcp; xlatesrc: fw-cluster; xlatedst: ; NAT_rulenum: 39; NAT_addtnl_rulenum: 1; UserCheck_incident_uid: A35E45FE-7E0B-1761-BA71-151F0654E3EF; user: Efimov-t (Efimov-t)(+)********** (V.Efimov)(+); src_user_name: Efimov-t (Efimov-t)(+)*******(V.Efimov)(+); src_machine_name: ws091@kfim.int; src_user_dn: CN=Efimov-t,OU=Admins,OU=Special Users,DC=kfim,DC=int(+)CN=V.Efimov,OU=Spb-users,OU=User Departments,DC=kfim,DC=int(+); snid: ; dst_user_name: ; dst_machine_name: ; dst_user_dn: ; UP_match_table: TABLE_START; ROW_START: 0; match_id: 178; layer_uuid: a26ede25-151d-4e2f-a863-ebea21a98bfd; layer_name: Network; rule_uid: 41195f98-14b7-4b3e-b582-726db64e9333; rule_name: Users_HTTP_HTTPS; action: 2; parent_rule: 0; ROW_END: 0; ROW_START: 1; match_id: 16777234; layer_uuid: 91658237-8cf4-45ab-8726-bad986646bb7; layer_name: Application; rule_uid: 894cc470-c30c-4d83-b12b-f66866da1219; rule_name: Teamviewer_Block; action: 0; parent_rule: 0; ROW_END: 1; UP_match_table: TABLE_END; context_num: 1; ProductName: VPN-1 & FireWall-1; svc: https; sport_svc: 30570; xlatedport_svc: ; xlatesport_svc: 37809; ProductFamily: Network;

What should we use in the Run mail alert script? Thank you