inside Logging and Reporting 8 hours ago
views 2781 5

Smart Reporter

We are considering upgrading to R80, and we are using the Smart Reporter many times. Can I generate reports like I did in R77.30 with Smart Reporter?
quanglnh inside Logging and Reporting 10 hours ago
views 490 12

Checkpoint OPSEC LEA with LogRhythm SIEM

Hi Everyone,

I have a Smart-1 5150 device that manages 90 Checkpoint gateways. I want to integrate it with LogRhythm SIEM.

I created a host object for LogRhythm SIEM with its IP. I created an OPSEC Application for it and also pulled certificates from Check Point Smart-1 devices. Now I need to provide the information below on LogRhythm SIEM:

opsec_sic_name "OPSEC_APP_SIC_DN"
lea_server ip IP_ADDRESS
lea_server auth_port 18184
lea_server auth_type sslca
lea_server opsec_entity_sic_name "LOG_SERVER_DN"
opsec_sslca_file "C:\checkpoint_config\opsec.p12"

"OPSEC_APP_SIC_DN" is the DN name in the OPSEC Application, which is "CN=LogRhythm-XM,O=CP-Smart1..ksmkv" in my picture. Is this correct?

"lea_server auth_type" is sslca. Is sslca the only type, or is there any other type?

"LOG_SERVER_DN": I am not sure where to collect this information. I went to the web portal of the Smart-1 device and see the DN in the Certificate Authority tab as below: is this the right DN for "LOG_SERVER_DN"? Since the Smart-1 device manages all the other firewalls, the "LOG_SERVER_DN" is the DN of the Smart01 device, right? Because after configuring, I still can't receive any logs on LogRhythm SIEM about Check Point OPSEC.

Please help me solve this issue. Thanks!
Ants inside Logging and Reporting 12 hours ago
views 79 3

FW logs shows in tracker but not in smartconsole logs

Hi All,

Weird scenario atm.. we have a management server (with log server) running R80.30 with 4 clusters sending logs to it, all working as expected.. We added a new cluster (80.10) recently, but for some weird reason I cannot see logs in the smartconsole.. I can confirm logs are being sent correctly to the sms..

If I open the console, go to 'logs & monitor', select 'new tab' and select logs and log view.. I see all the other FWs' logs.. but no logs from the new cluster.. now here's the kicker..

- the new cluster's logs are showing in the tracker fine.. along with all the other FWs..
- also I can see the new cluster's logs in smartconsole only if I go to logs, select 'options', 'file' and then choose to 'open log file' and select the 'fw.log' - then I can see them.

It is just when you open the default log tab that none of the logs show.. which is using the fw.log file also. So it's only if I manually select to open the fw.log file that I can see the logs.. if that makes sense.

Could this be a bug perhaps? Or maybe need to reindex? Any ideas? Thanks in advance.
NeilDavey inside Logging and Reporting 14 hours ago
views 78 2

Logs and Monitor Rule:7 to 27

I am reviewing logs for services and I have a list of rules that I want to search against rather than my whole rule base. Is there a search criteria that I can use for this? I.e. rule:7 will show this rule, but I want to search rules:7-27 and I don't know if this is possible?
TheRealDiZ inside Logging and Reporting 17 hours ago
views 314 6

NAT Rule Number 0

Hi Guys,

We got some weird issues with NAT on R80.20 (no hf installed). When we check logs we notice that basically the traffic was hitting a rule called "NAT Rule Number 0". What does it stand for? I have tried to check NAT Rules/Objects/implied rules/global properties and I was not able to find anything related to it or anything related to NAT for that specific network/objects.

Let me know,
RealD!Z
Enyi_Ajoku inside Logging and Reporting 19 hours ago
views 540 6

All online jobs-The Correlation Unit can't connect to one of its Log Servers

Had to shut down over the weekend for some power installation. Got in this morning, booted up the management station (R80.10) and had this error:

Warning (All online jobs-The Correlation Unit can't connect to one of its Log Servers. Please make sure connectivity between the Correlation Unit and Log Server isn't blocked. There is no need to stop the job.)

Would appreciate all the help.

Thank You
Kenneth_Greger1 inside Logging and Reporting yesterday
views 1828 6 2

Log Indexer crashing - SmartLog not working

Hi

We have been struggling, since before Christmas, with our R80.10 SmartCenter server (R80.10 - Build 439). Every now and then (after a few hours and/or days) the SmartLog is not working. Meaning that it is not possible to view the log files in the SmartDashboard GUI client (SmartView). We can see that the SmartCenter is receiving the logs, but the INDEXER service is crashing.

A workaround has been to do evstop. Then look into $INDEXERDIR/log/log_indexer.elg and find the offending log file that the INDEXER process is not able to parse. Typically the file name will show up right before an entry that reads:

log_indexer 30145 3804232592] Jan 16:05:41] Start reading 127.0.0.1:2019-01-02_151203_1.log [1546423998] at position 5738761
[2 Jan 16:05:41] CBinaryLogFile::ReplaceFileToTableMemStringID: error - can't get mem string id
[2 Jan 16:05:41] CBinaryLogFile::ReplaceTableStringId error: couldn't get file string_id, will set to default NULL VALUE
[2 Jan 16:05:41] CBinaryLogFile::ReplaceFileToTableMemStringID: error - can't get mem string id
[2 Jan 16:05:41] CBinaryLogFile::ReplaceTableStringId error: couldn't get file string_id, will set to default NULL VALUE

Then we edit the file $INDEXERDIR/data/FetchedFiles, mark the offending file as finished - and the INDEXER will move on to the next log file. This procedure is described in sk116117.

In some cases it does not indicate which file is problematic at all. What we do then is to evstop;evstart - and (usually) after some time it will show the offending log file.

We have tried to re-install SmartCenter, but the problem persists. Both our vendor and CheckPoint are involved in the case, but so far they have not come up with a solution.

Any input is greatly appreciated.

/Kenneth
John_Fulater inside Logging and Reporting Tuesday
views 115 2

SmartEvent Smartview Read-only access

I would like to give users web access to view the SmartEvent information. I have set up the users with read-only profiles and this works great for the logs. The issue is that all the other screens have "query failed" on all the panels of the General Overview, Access Control and Threat tabs. I would like to just give read access but do not want to have all users install the client.

Thank you,
John Fulater
Gomboragchaa_Ja inside Logging and Reporting Monday
views 3449 14 1

Log Time difference

I have Management R80.10 take 121. Times in logs are one hour late. I tried sk61941 but no success, enabling NTP didn't help. When running #hwclock --systohc the time is synchronized but not the logs' timestamp. We are using a few time-based rules. The time issue affected the rules also. It looks like there is a bug. Is there any information on whether this is a bug, or maybe I am doing something wrong?
Marc_Burie inside Logging and Reporting Sunday
views 197 3

Windows Remote client Version in logs R80.20

Hello,

I want to study the version of my remote clients connecting to my gateway. I searched for the client version in the log fields (others) ... nothing. It's possible in R80.20 tracker, but not in SmartConsole ... We are in R80.20.

An idea?
Lucas_Planchere inside Logging and Reporting Friday
views 912 7 2

OPSEC lea missing log information

Hi all,

We are using opsec lea to send logs to our SIEM and it is working fine, but we are missing some valuable information in the logs sent this way. For example we don't have the log information for the reason of a block, or the rule that triggered the log. Those logs are visible on the checkpoint interface but apparently opsec lea does not forward them. Does anybody know if we can forward that information as well? I know that we should now use the log exporter instead of opsec lea, but our siem does not support it yet..

Thanks!
Rajput_Arvind inside Logging and Reporting Friday
views 231 3 3

R80.10 integration with SIEM tool

Hi All,

We are upgrading our MDS from R77.30 to R80.10. And there are a few SIEM tools integrated with it. So I just wanted to know if anything needs to be done either on Checkpoint or the SIEM tool to make it compatible with R80.10. Customer doesn't want to go for Log-Exporter for now.

Below are the SIEM tools integrated at the moment with R77.30:

ArcsightIntegralsLoglogicTufinSplunkeiq-testwebtrends41-lea2
apara inside Logging and Reporting a week ago
views 147 4

Checkpoint VSX log don't filter the origin virtual system name

Checkpoint VSX log doesn't filter the virtual system name origin. If I search for destination and/or source I see the gateway name on origin, but if I want to use the filter on Origin, I don't find the virtual system. It's Gaia 80.30. What could be the problem?
Tom_Cripps inside Logging and Reporting 2 weeks ago
views 256 2

Is it possible to see hits on the HTTPS Inspection Rulebase?

Hi there,

Does anyone know if it is possible to see hits against rules within HTTPS Inspection?
Richard_Nock inside Logging and Reporting 2 weeks ago
views 218 6 1

Logging not working for Azure CloudGuard gateways and SMS behind NAT

Our topology is as follows:

10.3.3.4/27 - BackEnd Subnet
Azure Firewall (R80.10)
10.2.2.4/27 - FrontEnd Subnet
|
Azure Check Point Cluster Public IP
|
( Internet )
|
1.2.3.4/29
On-Prem Check Point 5400 Series Appliance Cluster (R80.10)
10.1.1.1/24
|
10.1.1.5/24 (1.2.3.5/29 NAT IP)
SmartCenter/Security Management Server (R80.30)

As you can see our SMS is NATed behind our 5400 series appliances which it also manages. The management object has the private 10.1.1.5/24 defined as the IP in the General Properties tab and then public 1.2.3.5/29 is defined in the NAT tab, set to static IP, install on 5400 series gateway and Apply for Security Gateway control connections ticked.

This works for all of our other physical appliances - logging and CRL checking, all fine. However, this does not work for the Azure gateways as they persistently want to get to the SMS on the private IP, which doesn't work.

Things we've tried:

1. Editing the masters file by replacing the SMS name with the public IP of the management then locking the file changes using the chattr command. We've had limited success with this - if we make the change and restart the FWD service it will start working, but if we push policy again it will start using the private IP again. I'm looking for something more permanent.
2. Creating a dummy object with the IP of 1.2.3.5, tick Logging & Status blade, then select this as the logging server for the Azure gateways. The Azure gateways pick up the change, but they still persist in sending logs to the private IP.
3. Tried adding a NAT rule to the top of the NAT policy for anything from src:10.2.2.4/27 (FrontEnd Subnet) to dst: 10.1.1.5 (private SMS) then translate to dst:1.2.3.5 (public SMS). No luck here either.

I originally thought it was because we were using an older R80.10 template, but I've deployed a new R80.20 cluster in Azure and updated to the latest jumbo and we still get the same issue.

Running out of ideas now, any help/suggestions would be appreciated 🙂