Marek_Pietrulew inside Logging and Reporting 5 hours ago
views 1000 6 5

CPview and Top-connections in R80.20

Hi,

We recently upgraded from 80.10 to 80.20 and noticed that the BW Top-Connections view has been removed from CPView. There is only top-connections information in regards to CPU utilization. Where can we quickly get BW top-connections info in R80.20 from the CLI?

Regards,
Marek
Flaver1078 inside Logging and Reporting 11 hours ago
views 14

How to load logs from external hard drive to Security Management Server

Hello,

I just upgraded my company's SMS from R77.30 to R80.20. Before the upgrade I copied the old logs of the past 3 months onto an external hard drive. After a successful upgrade, I loaded the old logs onto the newly upgraded R80.20 SMS into the following directory: "/opt/CPsuite-R80.20/fw1/log/". But until now the SMS was only able to process or read the logs. How long does it take for the SMS to process the logs?
Kaloyan_Kirchev inside Logging and Reporting 12 hours ago
views 73 3

SmartEvent not showing accurate info

Hello Guys,

My company has an old CP 4800 with R77.30 which we are using for Security Checkups. I have been doing this like 3 or 4 times, but this time it got... "stuck". First I want to mention that I went through almost all articles in the last couple of days and did many troubleshooting steps, but without any success.

So, the last time the appliance was at the client site 'gathering' network info, it got very hot. This is because it had 4GB of RAM, so CPU utilization was at about 98% all the time, and the same for the RAM. Now, since yesterday (I was waiting weeks for delivery), it has 8GB of RAM.

So, my problem is that I had 8GB of log files, but SmartEvent is showing 256MB for the last 2 weeks. This is very strange. Below you can find some screenshots from:
1. #cpstat cpsead - seems OK, but the number of analyzed logs is still growing
2. Number of logs
3. Lately SmartEvent crashes, but the report is empty - 0 in size
4. SmartReporter DB - no logs/sec, status - processing

EVERY help will be highly appreciated! I want to thank in advance those who make an effort to read 🙂

P.S.: I do not want to update at the moment - I just want to keep the raw data logs, which are VERY IMPORTANT. If you have a suggestion on how to do a clean/fresh/good install or refresh of the appliance while saving the logs - that would be perfect.
P.S.2: I have the logs on my PC via WinSCP.

Have a nice day!
Greetings, K.Kirchev!
Bob_Bent inside Logging and Reporting yesterday
views 2222 2 3

Log Exporter LEEF Field Mappings

Please use this discussion as a guide to understand how Check Point syslog Log Exporter maps Check Point logs to the LEEF format. This discussion is based upon R80.30 and may change in future versions. LEEF fields have their own names such as cat, devTime, url, etc. Check Point fields such as src and dst that already match a LEEF field name do not need to be mapped from a Check Point to a LEEF name, so they are not covered in this discussion.

Note: in this discussion we refer to the raw Check Point field value. Check Point may translate the raw field name to show a different display name in the user interface, like Tracker in R77.30 or SmartConsole in R80.x.

LEEF Event Components (IBM Knowledge Center)
The Log Event Extended Format (LEEF) is a customized event format for IBM Security QRadar. The LEEF format consists of the following components.

LEEF Header Mapping
The LEEF header is a required field and is composed of a pipe-delimited (|) set of values that identifies Check Point events to QRadar. Check Point fields are added to the header as specified in assign_order in the file $EXPORTERDIR/conf/LeefFormatDefinition.xml:
- first (use first added value - default)
- last (use last added value)
- join (join between values)
- init (set value once to header formatted string on init and do not generate per every log)

LEEF Format Header Definition Examples (note: a space is added around the "|" delimiter to make it easier to see the values).

  LEEF:Version | Vendor      | Product    | Version | Event ID        |
  LEEF: 2.0    | Check Point | Log Update | 1.0     | Check Point Log |

- LEEF Version: assign_order is set to init. LEEF: 2.0
- Vendor: assign_order is set to init. Check Point
- Product: assign_order is set to first. The default is Log Update, but it may also be the value from the fields product or productname.
- Version: assign_order is set to init. 1.0
- Event ID: assign_order is set to init. The default is Check Point Log, but it may also be the value from the fields protection_name, appi_name, action.

Event Attributes
The event attributes identify the payload information of the event in a set of key=value pairs that provide detailed information about the security event. Each event attribute is separated by the tab delimiter character.

Examples:
  key=value<tab>key=value<tab>key=value<tab>key=value<tab>
  src=192.0.2.0 dst=172.50.123.1 sev=5 cat=accept srcPort=81 dstPort=21 usrName=joe.black

Predefined LEEF Event Attributes (IBM Knowledge Center)
The LEEF format contains a number of predefined name=value pair event attributes, which allow QRadar to categorize and display the event. Log Exporter uses these keys when possible.

Custom Event Keys (IBM Knowledge Center)
Vendors and partners have the option to define their own custom event keys and include them in the payload of the LEEF format. Check Point events that do not fall into one of the predefined LEEF event attributes are non-normalized, which means they are not displayed by default on the Log Activity tab of QRadar. To view custom attributes and non-normalized events on the Log Activity tab of QRadar, you must create a custom event property. Non-normalized event data is still part of your LEEF event, is searchable in QRadar, and is viewable in the event payload.

Mapping of Check Point Fields to Predefined LEEF Event Attributes
Below is the Log Exporter LEEF field mapping from R80.30, from $EXPORTERDIR/conf/LeefFieldsMapping.xml, where origName is the Check Point raw field name and dstName is the LEEF attribute, sorted by the LEEF dstName field name.

Callback Functions
In the name column are example uses of the callback functions where the value is replace_value. This function swaps values based on a key:value chart. We use this to map the Check Point severity (and other fields) to known LEEF values.

origName                  dstName               name            key      value      tableName
attack_information        attackInformation
attack_name               attackName
status                    attackStatus
business_impact           businessImpact
action                    cat
industry_reference        cve
resource                  destinationDnsDomain                                      resource_table
time                      devTime
client_dst                dst
ipv6_dst                  dst
received_bytes            dstBytes
server_inbound_bytes      dstBytes
client_inbound_bytes      dstBytes
mac_destination_address   dstMAC
d_port                    dstPort
destination_port          dstPort
xlatedst                  dstPostNAT
xlatedport                dstPostNATPort
recipient-recipients      emailRecipient
from                      emailSender
sender                    emailSender
subject                   emailSubject
supress_logs              eventsCoalesced
extracted_files           extractedFiles
extracted_file_types      extractedFileTypes
extracted_hash            extractedHash
file_MD5                  fileHash
file_id                   fileID
file_id                   fileId                                                    file_table
file_name                 filename
file_size                 fileSize
filetype                  fileType
file_name                 fname                                                     aggregated_file_table
file_name                 fname                                                     file_table
file_size                 fsize                                                     file_table
OU_group                  identGrpName
source_machine_name       identHostName
malware_family            malware
malware_activity          malwareActivity
packet_capture            pcap
performance_impact        performanceImpact
phone_number              phoneNumber
policy_name               policy
policy                    policyName
profile                   profileName
protocol                  proto
remediated_files          remediatedFiles
app_risk                  sev                   replace_value   default  0
app_risk                  sev                   replace_value   0        0
app_risk                  sev                   replace_value   1        2
app_risk                  sev                   replace_value   2        4
app_risk                  sev                   replace_value   3        6
app_risk                  sev                   replace_value   4        8
app_risk                  sev                   replace_value   5        10
severity                  sev                   replace_value   default  0
severity                  sev                   replace_value   0        0
severity                  sev                   replace_value   1        2
severity                  sev                   replace_value   2        5
severity                  sev                   replace_value   3        8
severity                  sev                   replace_value   4        10
app_risk                  sev                   replace_value   default  Unknown    match_table
app_risk                  sev                   replace_value   0        Unknown    match_table
app_risk                  sev                   replace_value   1        Low        match_table
app_risk                  sev                   replace_value   2        Low        match_table
app_risk                  sev                   replace_value   3        Medium     match_table
app_risk                  sev                   replace_value   4        High       match_table
app_risk                  sev                   replace_value   5        Very-High  match_table
app_risk                  sev                   replace_value   default  Unknown    primary_application
app_risk                  sev                   replace_value   0        Unknown    primary_application
app_risk                  sev                   replace_value   1        Low        primary_application
app_risk                  sev                   replace_value   2        Low        primary_application
app_risk                  sev                   replace_value   3        Medium     primary_application
app_risk                  sev                   replace_value   4        High       primary_application
app_risk                  sev                   replace_value   5        Very-High  primary_application
sha1                      sha1
sha256                    sha256
protection_name           signature
client_ip                 src
ipv6_src                  src
sent_bytes                srcBytes
server_outbound_bytes     srcBytes
client_outbound_bytes     srcBytes
imsi                      srcMAC
mac_source_address        srcMAC
s_port                    srcPort
xlatesrc                  srcPostNAT
xlatesport                srcPostNATPort
proxy_source_ip           srcProxyIP
suspicious_events         suspiciousEvents
destination_dns_hostname  url
resource                  url
orig_from                 usrName
user                      usrName
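The header and attribute layout described in the post above, as an added example that is not part of the original post and not Check Point's Log Exporter code: a small Python builder and parser for LEEF 2.0 lines. It applies only the subset of the R80.30 mapping rows quoted in the thread (FIELD_MAP, SEVERITY_TABLE and APP_RISK_TABLE are copied from them), and the sample record, its values and the unmapped rule_name key are constructed for the example. The tab flattening in leef_escape is an assumption about handling the post does not describe.

```python
# Added example (not Check Point's Log Exporter code): build and parse LEEF 2.0
# lines following the header/attribute layout and the R80.30 mapping rows
# quoted in this thread. Only a subset of the mapping table is reproduced.

# origName -> dstName, copied from the subset of LeefFieldsMapping.xml rows above.
FIELD_MAP = {
    "time": "devTime",
    "action": "cat",
    "client_ip": "src",
    "ipv6_src": "src",
    "client_dst": "dst",
    "ipv6_dst": "dst",
    "s_port": "srcPort",
    "d_port": "dstPort",
    "destination_port": "dstPort",
    "xlatesrc": "srcPostNAT",
    "xlatedst": "dstPostNAT",
    "protocol": "proto",
    "user": "usrName",
    "policy_name": "policy",
    "protection_name": "signature",
    "sent_bytes": "srcBytes",
    "received_bytes": "dstBytes",
    "file_MD5": "fileHash",
}

# replace_value charts for the sev attribute (key -> value), from the rows above.
SEVERITY_TABLE = {"default": "0", "0": "0", "1": "2", "2": "5", "3": "8", "4": "10"}
APP_RISK_TABLE = {"default": "0", "0": "0", "1": "2", "2": "4", "3": "6", "4": "8", "5": "10"}

# Constructed sample record (not a real log): raw Check Point field names.
SAMPLE_RECORD = {
    "time": "1560248130",
    "action": "accept",
    "client_ip": "192.0.2.10",
    "ipv6_src": "2001:db8::10",      # second candidate for src; 'first' wins
    "client_dst": "198.51.100.7",
    "s_port": "51234",
    "d_port": "443",
    "protocol": "tcp",
    "user": "joe.black",
    "severity": "2",                 # -> sev=5 via SEVERITY_TABLE
    "rule_name": "Allow Web",        # no LEEF name in the table: stays a custom key
}


def replace_value(raw, table):
    """The replace_value callback as described above: swap a value using a
    key:value chart and fall back to the 'default' row for unknown keys."""
    return table.get(str(raw), table["default"])


def leef_escape(value):
    """Attributes are tab-delimited, so a tab or newline inside a value would
    split the payload; flatten them (assumed handling, not from the post)."""
    return str(value).replace("\t", " ").replace("\r", " ").replace("\n", " ")


def build_leef(record):
    """Return one LEEF 2.0 line for a record of raw Check Point fields."""
    # Header: Version/Vendor/Version are fixed ('init'); Product and Event ID use
    # the first available of the fields named in the post, else the defaults.
    product = record.get("product") or record.get("productname") or "Log Update"
    event_id = (record.get("protection_name") or record.get("appi_name")
                or record.get("action") or "Check Point Log")
    header = "|".join(["LEEF:2.0", "Check Point", product, "1.0", event_id])

    attrs = {}
    for orig, value in record.items():
        if orig in ("severity", "app_risk"):
            continue  # handled below through replace_value
        dst = FIELD_MAP.get(orig, orig)   # unmapped fields pass through as custom keys
        attrs.setdefault(dst, leef_escape(value))  # 'first': keep the first value seen
    if "severity" in record:
        attrs["sev"] = replace_value(record["severity"], SEVERITY_TABLE)
    elif "app_risk" in record:
        attrs["sev"] = replace_value(record["app_risk"], APP_RISK_TABLE)

    payload = "\t".join("%s=%s" % (k, v) for k, v in attrs.items())
    return header + "|" + payload


def parse_leef(line):
    """Split a LEEF line into (header dict, attribute dict). The header is the
    first five pipe-delimited values; everything after the fifth '|' is the
    tab-delimited payload, so a '|' inside an attribute value is preserved."""
    parts = line.split("|", 5)
    if len(parts) != 6 or not parts[0].startswith("LEEF:"):
        raise ValueError("not a LEEF line: %r" % line)
    header = dict(zip(["version", "vendor", "product", "prod_version", "event_id"], parts[:5]))
    attrs = {}
    for pair in parts[5].split("\t"):
        if "=" in pair:
            key, value = pair.split("=", 1)
            attrs[key] = value
    return header, attrs


if __name__ == "__main__":
    line = build_leef(SAMPLE_RECORD)
    print(line.replace("\t", " <tab> "))
    print(parse_leef(line))
```

Two points worth checking against your own exporter output: a raw field with no row in the mapping is emitted under its Check Point name, which is exactly the non-normalized case the post describes (QRadar needs a custom event property before it shows up on the Log Activity tab), and when two raw fields map to the same LEEF name (client_ip and ipv6_src both become src) only the first one added survives, matching the 'first' assign_order.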
Leandro_Nicolet inside Logging and Reporting Tuesday
views 1230 11 2

Smartevent R80.10 Custom Reporting

Hi all. Just looking at R80.10 SmartEvent for the first time. I'm particularly interested in the reporting side of things, but struggling with a custom report. I would like to generate a 'Network Activity' report for each one of my domains (CMAs), but I've not yet figured out how to do this. Anyone been down this route?
christophe inside Logging and Reporting Tuesday
views 61

SNMP MIB Files for R80.30?

Hello everyone,

Will there be new MIB files for R80.30, or are there no changes from R80.20?
SK: sk90470

Greetings,
Chris
CHINMAYA_NAIK inside Logging and Reporting Monday
views 2351 7 5

CP Firewall Health Checkup Tool (Tools name added)

Dear Team,

I need to know whether there is any alternative tool for checking the firewall health for both R77.30 and R80.
1. CPSizeme (sk88160)
2. healthcheck.sh (sk121447)
3. CPView Utility (sk101878)
4. Common Check Point Commands (ccc) (Link: Common Check Point Commands (ccc))
5. Indeni (Link: Check Point Solution | Indeni)

Please suggest one to me if you know any alternate tool. Based on the comments I will update that tool name on the list.

Thank you
#Chinmaya Naik

How to restore logs and logging questions ...

Just as a disclaimer, I have only been working with Check Point products for a few months and have been somewhat thrown in at the deep end! I'm not complaining, as it seems to be a good product and it's the best way to learn.

What is the difference between log correlation and indexing?
How can I see what has and has not been correlated/indexed? Can I monitor the current process of correlation/indexing?
In the scenario I describe below, do I also need to import the policy to get the best results?
In the scenario I describe below, can we be doing anything better?

The situation I am in is that we have been contacted by someone who needs to see the logs from around 3 months ago. We currently run a task overnight to take files that are in $FWDIR/log/ and over 10 days old, zip them up and put them onto a remote server. To restore these logs I have...
- spun up a temporary management server
- run cpstop
- copied the zipped log files into a tmp directory and then unzipped them back into $FWDIR/log/
- edited $INDEXERDIR/log_indexer_custom_settings.conf (with vi) to include ":days_to_index (365)"
- run cpstart
- configured the management server to run the "SmartEvent Server" and "SmartEvent Correlation Unit" and published the change
- confirmed the management server object is configured for "Enable Log Indexing" under the Logs section
- confirmed the management server object has "Delete index files older than" unticked under the Logs -> Storage section

When I then go into Logs and Monitor and search for stuff in these logs, I can't see anything, suggesting the log files have not been indexed? What I can do is go to File -> Open Log File..., select a specific log file and then search for what I need. What I need to do is work with the full 24 hours' worth of logs in one go though (we generate about a log an hour)?! If I configure a report to run on the data, am I only able to run it on one log file at a time?

This all seems very inefficient for a product well known for its logging capabilities, so I'm pretty sure this is PICNIC/Layer 8!

All online jobs-The Correlation Unit can't connect to one of its Log Servers

Had to shut down over the weekend for some power installation. Got in this morning, booted up the management station (R80.10) and had this error:

Warning (All online jobs-The Correlation Unit can't connect to one of its Log Servers. Please make sure connectivity between the Correlation Unit and Log Server isn't blocked. There is no need to stop the job.)

Would appreciate all the help.
Thank You

Wrong, mostly weird values showed in log

Hey CheckMates, has anyone encountered the same issue? Logged traffic is showed with incorrect values; the security gateway is 80.20 with take 47, same as the management station; the environment is multi-domain.
et_splunker inside Logging and Reporting Sunday
views 48 1

Need Help in How to Ingest Checkpoint Firewall Health Status Logs into Splunk.

We are currently using the Splunk App for Check Point to ingest traffic logs into Splunk. We want to start ingesting firewall health check logs (CPU, disk space, memory utilization...) into Splunk. The logs that are being sent to the syslog server from the management server don't include these health check logs. Can we configure the management server (OPSEC LEA) to poll the firewalls and ingest the logs from the OPSEC LEA server? Or is there any other way to do it?
Gareth_Kik inside Logging and Reporting Friday
views 111 5

Does Check Point support Web Browser Agent Logging?

We want to find Web Browser User Agent details in the logging. I mean this info, picture below: In the Application/URL Filtering logging events, I can see only the "Web browser" name, e.g. Chrome, but not the full Web Browser User Agent info. Can we somehow log this in the rules, or is it not a supported feature?
NAMKYUN_KIM inside Logging and Reporting Friday
views 86 1

Log Exporter - Log Field description

Hello All,

This is Tim. I'm using a Check Point 4600 and Log Exporter to get syslog from the device into my log server. Actually, it works pretty well, but when I explore the syslog which comes from Check Point, I can't understand what each field means.

https://community.checkpoint.com/t5/Logging-and-Reporting/Log-Exporter-CEF-Field-Mappings/td-p/41060

At the above link there are lots of syslog fields, but they don't tell us what each field means. So, where can I get information on the syslog fields?
Michael_Horne inside Logging and Reporting a week ago
views 3627 10 1

R80.20: Administrators cannot log into Web Smartview GUI

Hello,

I have a management server running R80.20. Some administrators can log into the SmartView Web GUI, while some of them cannot. The affected administrators can log into SmartConsole. They can access the Logs and Monitoring section and can query and view logs using SmartConsole. The same user is not able to connect to the SmartView Web GUI; the message is "Invalid username and password". When you look at the active sessions in SmartConsole you can see the user has a "SmartView" session.

I have recreated the affected administrators. I have restarted the management server. Does anyone have any ideas?
TheRealDiZ inside Logging and Reporting a week ago
views 1497 5

Not able to access SmartView R80.20

Hi Guys! I'm not able to access SmartView on R80.20; I get the error "Authentication to server failed". I'm using the same "admin" user with which I'm able to access SmartConsole, SSH and the Gaia Portal. Is anyone experiencing the same? Do I have to configure something specific? @RealD!Z