Logging and Reporting

Have questions about viewing logs with SmartView, generating reports with SmartEvent Event Management, or exporting logs to a SIEM with Log Exporter? This is where to ask!

Dan_Zada
inside Logging and Reporting 5 hours ago
views 9591 17 17
Employee+

*New* Splunk App for Check Point Logs

Hello all, I’m happy to announce a new Splunk app for Check Point logs. Check Point brings you an advanced and real-time threat analysis and reporting tool for Splunk. The Check Point App for Splunk allows you to respond to security risks immediately and gain true network insights. You can collect and analyze millions of logs from all Check Point technologies and platforms across networks, Cloud, Endpoints and Mobile.

Key features are:
- Infinity Dashboards: General overview, Top attacks, Detected and prevented events, Events timeline, Blades statistics
- Cyber Attack View – a unique ability to aggregate Check Point events per attack vector (across all blades): Reconnaissance actions against the network, Delivery methods, Malicious emails, Malicious file download, Server Exploit, Infected hosts
- SandBlast Events – predefined aggregation for mail and web attack vectors
- CIM Support – Check Point logs are mapped into CIM (Common Information Model) and can be analyzed using standard dashboards (such as Splunk Enterprise Security). More information on CIM can be found here: https://docs.splunk.com/Documentation/CIM/4.12.0/User/Overview
- Fast Deploy – an easy and fast deployment using the new Log Exporter

The app can be downloaded from Splunkbase: Check Point App for Splunk | Splunkbase
User Guide – https://sc1.checkpoint.com/documents/App_for_Splunk/html_frameset.htm
SK about the Log Exporter – http://supportcontent.checkpoint.com/solutions?id=sk122323

For any question, comment or suggestion, please contact cp_splunk_app_support@checkpoint.com.

Thank you!
Dan Zada, Group Manager.
Christoph_Muell
Christoph_Muell inside Logging and Reporting 6 hours ago
views 4865 6 1

order logs by time

Hi,
This is maybe a stupid question, but I can't find the answer anywhere. In R77.30 I could click on the time column in the SmartView Tracker to change the order from ascending to descending. How can I do this in R80.10?
Regards,
Christoph
quanglnh
quanglnh inside Logging and Reporting Friday
views 1037 19

Checkpoint OPSEC LEA with LogRhythm SIEM

Hi Everyone,
I have a Smart-1 5150 device that manages 90 Check Point gateways. I want to integrate it with LogRhythm SIEM.
I created a host object for LogRhythm SIEM with its IP.
I created an OPSEC Application for it and also pulled certificates from the Check Point Smart-1 devices.
Now I need to provide the information below on LogRhythm SIEM:

opsec_sic_name "OPSEC_APP_SIC_DN"
lea_server ip IP_ADDRESS
lea_server auth_port 18184
lea_server auth_type sslca
lea_server opsec_entity_sic_name "LOG_SERVER_DN"
opsec_sslca_file "C:\checkpoint_config\opsec.p12"

"OPSEC_APP_SIC_DN" is the DN name in the OPSEC Application, which is "CN=LogRhythm-XM,O=CP-Smart1..ksmkv" in my picture. Is this correct?
"lea_server auth_type" is sslca. Is sslca the only type, or is there any other type?
"LOG_SERVER_DN": I'm not sure where to collect this info. I went to the web portal of the Smart-1 device and see the DN in the Certificate Authority tab as below:
Is this the right DN for "LOG_SERVER_DN"? Since the Smart-1 device manages all the other firewalls, the "LOG_SERVER_DN" is the DN of the Smart01 device, right?
Because after configuring, I still can't receive any logs on LogRhythm SIEM about Check Point OPSEC. Please help me solve this issue. Thanks!
Yonatan_Philip
inside Logging and Reporting Friday
views 77059 120 48
Employee+

Log Exporter guide

Hello All,
We have recently released the Log Exporter solution.
A few posts have already gone up and the full documentation can be found at sk122323.
However, I've received a few questions both on and offline and decided to create a sort of log exporter guide.
But before I begin I’d like to point out that I’m not a Checkpoint spokesperson, nor is this an official Checkpoint thread. I was part of the Log Exporter team and am creating this post as a public service.
I’ll try to only focus on the current release, and please remember anything I might say regarding future releases is not binding or guaranteed. Partly because I’m not the one who makes those decisions, and partly because priorities will shift based on customer feedback, resource limitations and a dozen other factors. The current plans and the current roadmap are likely to drastically change over time.
And just for the fun of it, I’ll mostly use the question-answer format in this post (simply because I like it and it’s convenient).

Log Exporter – what is it?
Performance
Filters
Filters: Example 1
Filters: Example 2
Gosh darn it, I forgot something! (I'll edit and fill this in later)
Feature request

Cluster high availability with more than two gateways

Hello,
Can someone confirm if it is possible to have a high availability cluster with 3 gateways acting in an Active / Passive / Passive set-up?
This kind of set-up may sound a bit strange, so I will explain the design challenge. Maybe someone else has a design for this specific set-up.
We have a virtual data center made up of two physical locations in different cities. Currently we have an HA cluster with a security gateway in each location. The data center is active / passive, with all the active machines in one of the physical locations. When the active security gateway is in the passive data center location the inter-VLAN latency increases from <1 ms to 6 ms and this causes some application issues. We can make sure that when the security gateway in the active data center location is available, it is the active security gateway of the cluster.
There is a concern that if the security gateway in the active data center location is down for a long time this will cause issues. The question was raised about having two firewalls in the active data center location and a third firewall in the passive data center location. The idea would be to fail over within the active data center location to the second firewall, and only fail over to the third security gateway in the passive data center location if both firewalls in the active data center location are unavailable.
Many thanks,
Michael
FM
FM inside Logging and Reporting Thursday
views 86 2

Where do I locate exported excel file in https://host.domain.com/smartview/?

Where do I locate the Excel file I exported in host.domain.com/smartview/? I saw the download dialogue pop up on the status bar, but it disappeared as my session expired and I had to re-login.
Thank you
Faisal
Linus_Espach
Linus_Espach inside Logging and Reporting Wednesday
views 229 3

Sequence Number in Log does not match per connection

Hi to all, I have a case where a connection passes several firewalls until its final destination. I can see the connection within the log on all 3 (FW) hops.
Because it is the same segment, I was expecting the same sequence number within the logs on all 3 FWs. Unfortunately it is not the same number. The sequence number is increasing. Any hints what could be the reason for this?
Best regards
Tomas_Hamrle
Tomas_Hamrle inside Logging and Reporting Wednesday
views 234 3 1

SmartEvent - deleting of archived pdf reports

Hello,
Customer has an R80.30 management server (JHA Take 111) and there are about ten PDF SmartEvent reports scheduled and sent via email every day. Right now, there are more than 2000 PDF reports stored on the management server. I want to delete the old reports, but I'm able to delete them only one by one in SmartConsole, so deleting all reports would take a lot of time. Is it possible to delete multiple stored PDF SmartEvent reports?
Thank you
Julie_Paul
inside Logging and Reporting Tuesday
views 4041 11 2
Employee+

Limited Permission Profile

Can I set up a read-only user with a profile that only allows him to read logs and view his policy only? This is on an SMS, not an MDM. The purpose is to allow a limited admin the ability to be restricted to just what they control or have a business need to see. They do not see all the policies or logs, just their own at their remote location.
ITler
ITler inside Logging and Reporting Tuesday
views 154 1

Log entries for gateway connection status

Hi,
I'm looking for a method to log the connection status of the security gateways that are connected / not connected to the management server.
At the moment I don't get any message or log entry when a gateway is disconnected. The thresholds in SmartView Monitor are set and the system alert daemon is active, but I think it isn't working.
So what is the best practice?
Thx in advance,
Robert
Support_Team_Bi
Support_Team_Bi inside Logging and Reporting Monday
views 193 3 1

Do system utilization logs of Check Point Firewall get collected in the Management?

Do system utilization logs of Check Point Firewall get collected in the Management? Or does the Management pull the "System utilization" from the firewalls to show via the Gateway monitor window?
Runan_Chaung
Runan_Chaung inside Logging and Reporting Monday
views 903 14 1

Traffic calculations question

Environment: R80.20 on HP Server Gen10, bridge mode.
I have some questions about traffic logs and calculations.
1. When Application Name is "Unknown Traffic", the traffic log display is wrong
2. And I found some logs display nothing about traffic
3. When I use a view or report to calculate traffic, it can not calculate by destination IP address
log:
view:
How could I change my configuration and make it right?
Bill_Ng
Bill_Ng inside Logging and Reporting Monday
views 497 2 1

Disk Space Management

Anyone know of a reason why the Disk Space Management of the management server may not be working? We have the following settings on our management and I would expect it to self-clean, so to speak, after reaching the threshold.
Running df -h reports 87% usage on vg_splat-lv log.
Thanks in advance,
Bill
B_P
B_P inside Logging and Reporting Monday
views 678 15

R80.30 Netflow Setup

Pre R80.10 Netflow worked fine.
Now on R80.30 I have two flows that are identical -- but one only shows Outbound and the other only shows Inbound BUT -- and this is perplexing -- it is the exact same traffic for both inbound and outbound flows -- i.e. source and destination are the same.
Yes.. let that simmer for a while.
I have one rule that's configured on the firewall and it's a rule that a lot of web traffic hits on.
I'm using ManageEngine's Netflow Analyzer.
For this traffic, I would expect there should be one flow and it should include both inbound and outbound traffic on the one interface (the internal interface it's hitting).
Chinmaya_Naik
Chinmaya_Naik inside Logging and Reporting Sunday
views 200 1 1

Forescout NAC Integration with checkpoint EDR (Endpoint)

Hi Team,
As per my old query, which was about integration with the Checkpoint Management Server that gives us the Firewall Threat Prevention detection and remediation information on ForeScout:
Link: https://community.checkpoint.com/t5/Logging-and-Reporting/Forescout-Integration-with-checkpoint-management-Server/m-p/66240#M3938
Now my requirement is to see on ForeScout the information of all the Endpoint Clients installed in our infra.
Information that needs to be visible on ForeScout:
1. Endpoint Client Version
2. Checkpoint Endpoint Services
3. Encryption Status of all connected clients
4. Antimalware Updates
As of now we are able to achieve points one, two and three.
CP Endpoint Version Information (screenshot 02)
We tried to add the Checkpoint EDR on the ForeScout antivirus policy but were unable to see the Checkpoint vendor name; however, we are able to see the Checkpoint vendor in the encryption section of the ForeScout policy, and after adding Checkpoint on the encryption policy (ForeScout) we are able to see the encryption status (above screenshot 02).
But as I checked with the ForeScout team, I found that a custom policy needs to be created on ForeScout for Antimalware visibility in order to posture the Checkpoint Antimalware updates, but ForeScout requires a DAT file from the Checkpoint Endpoint Agent.
But I am unable to find which DAT file is required; also that file must store the Anti-Malware Signature version information (in Checkpoint Endpoint). Basically, other third-party vendors have a DAT file on each of the machines, and that DAT file will usually update once a new signature is fetched by the client from the server.
Kindly help whether it's possible to see on ForeScout whether the Checkpoint Antimalware Signature is up to date or not, because the NAC agent has the functionality to move the machine to an isolated network if the Endpoint machine antimalware or antivirus signature is not up to date, and this functionality is very important for most organizations.
Thanks and Regards,
@Chinmaya_Naik