Dale_Lobb inside Logging and Reporting 5 hours ago
views 50 1

SmartView and SmartLog idiosyncrasies

Fairly frequently, I see spurious results in the log listing to a simple query in SmartView and SmartConsole's SmartLog function.  Specifically, a query with a simple source and destination selected will include a few log entries that do not match the query.  The same query will produce this result in both tools.  Here's an example. Notice the entry in the selector and detailed at right does not match the simple selection criteria. 
rajesh_s inside Logging and Reporting yesterday
views 19139 16 8

Checkpoint Gateways are not sending the logs to Checkpoint management server

Hi All, we are using a Checkpoint R77.30 firewall. Gateways are not sending the logs to the Checkpoint management server. Has anyone had a similar issue?
resu inside Logging and Reporting yesterday
views 40 1

Log query R80.10

I would like to run a query (something like NOT action:drop) on a list of unique IP addresses. I've looked through documentation and tried IPs with a space between, with "AND" (no quote marks) between. Neither worked. Any advice is appreciated.
kobilevi inside Logging and Reporting yesterday
views 61 1

Smart event script reactions

Hello, I'm using the SmartEvent console to react to events and make some changes in my organization. As I see, there is an option for "external script". Are there any examples of scripts? Thanks
inside Logging and Reporting Wednesday
views 2476 5 6

Log Exporter - Splunk Integration Update

Hello Everyone,

We are currently in advanced stages of developing a Log Exporter update that will add CIM support. This will give us better Splunk integration for CIM oriented apps and dashboards (e.g. Splunk Enterprise Security). We are currently looking for customers who wish to test this new feature (in either their lab or production) and share their feedback with us.

I would also really appreciate if in your email you could also add the following details:
What version of Check Point do you use? And what version of Splunk server?
Is your Splunk environment installed as a single-instance or is it a distributed environment?
Have you already tested out previous releases of the Log Exporter or is this your first use of the add-on?

The new update will also enable the Log Exporter to work in a semi-unified mode. For those who are unfamiliar with this setting, it means that updates are unified with their original log before they are exported. This makes the information in the update log complete and makes the update log itself more readable (in raw mode you had to manually search for the original log to make sense of the update).

Best Regards, Yonatan
apara inside Logging and Reporting Wednesday
views 54

Checkpoint VSX log don't filter the origin virtual system name

Checkpoint VSX log doesn't filter the virtual system name origin. If I search for destination and/or source I see the gateway name on origin, but if I want to use the filter on Origin, I don't find the virtual system. It's Gaia 80.30. What could be the problem?
B_P inside Logging and Reporting Tuesday
views 291 8

R80.30 Netflow Setup

Pre R80.10 Netflow worked fine. Now on R80.30 I have two flows that are identical -- but one only shows Outbound and the other only shows Inbound BUT -- and this is perplexing -- it is the exact same traffic for both inbound and outbound flows -- i.e. source and destination are the same. Yes.. let that simmer for a while. I have one rule that's configured on the firewall and it's a rule that a lot of web traffic hits on. I'm using ManageEngine's Netflow Analyzer. For this traffic, I would expect there should be one flow and it should include both inbound and outbound traffic on the one interface (the internal interface it's hitting).
inside Logging and Reporting Monday
views 4401 3 2

How to exclude the SmartEvent object from the SSL Inspection group

Hello All, I'm reviewing sk112814, which explains how to overcome the following error: "SmartView server certificate is invalid" error when opening a new tab in the R80 SmartConsole "logs & monitor". In the solution steps it is said that one should exclude the SmartEvent object from the SSL inspection group, but I haven't found straightforward instructions on how to perform this step online. Any assistance with screenshots will be much appreciated.
Regards, Adiel
Kobi Eisenkraft
lajie93 inside Logging and Reporting Sunday
views 114 2

exporting logs from one SMS to another newly created

Greetings, this is my first post here. I really enjoy the community, whose posts help me to fix some issues that I was facing. We have a SmartEvent server (SMS A) which stores logs from installed customers' gateways. We plan to move systems configuration and logs from SMS A to the newly installed SMS B, but my worry is about exporting: can I easily do it?
Marko_Keca inside Logging and Reporting Sunday
views 4075 8 3

Is there a way to share View created by one user with other users?

I have created a custom View and I'm the only admin who can see it. How can I share it with others? Also when I click on Export template, nothing happens. Thanks in advance! Regards, -- Marko
quanglnh inside Logging and Reporting Saturday
views 326 11

Checkpoint OPSEC LEA with LogRhythm SIEM

Hi Everyone, I have a Smart-1 5150 device that manages 90 Checkpoint gateways. I want to integrate it with LogRhythm SIEM. I created a host object for LogRhythm SIEM with its IP. I created an OPSEC Application for it and also pulled certificates from the Check Point Smart-1 device. Now I need to provide the information below on LogRhythm SIEM:

opsec_sic_name "OPSEC_APP_SIC_DN"
lea_server ip IP_ADDRESS
lea_server auth_port 18184
lea_server auth_type sslca
lea_server opsec_entity_sic_name "LOG_SERVER_DN"
opsec_sslca_file "C:\checkpoint_config\opsec.p12"

"OPSEC_APP_SIC_DN" is the DN name in the OPSEC Application, which is "CN=LogRhythm-XM,O=CP-Smart1..ksmkv" in my picture. Is this correct?
"lea_server auth_type" is sslca. Is sslca the only type, or is there any other type?
"LOG_SERVER_DN": I am not sure where to collect this info. I went to the web portal of the Smart-1 device and see the DN in the Certificate Authority tab as below. Is this the right DN for "LOG_SERVER_DN"? Since the Smart-1 device manages all the other firewalls, the "LOG_SERVER_DN" is the DN of the Smart01 device, right?

Because after configuring, I still can't receive any logs on LogRhythm SIEM about Check Point OPSEC. Please help me solve this issue. Thanks!
Raj_Khatri inside Logging and Reporting Friday
views 3686 16 3

How to monitor virtual systems on VSX?

We are running R80 MDS and would like to monitor our VSX clusters that are running R77.20 via Solarwinds using SNMP. Has anyone had any success getting the virtual systems monitored? Even after modifying the snmp mode from "default" to "vs" we are unable to poll the virtual system. Could API be used to pull the snmp data? Thanks
Blason_R inside Logging and Reporting a week ago
views 93 3

How do I attach licenses Policy servers?

Hi Team, I have one EPM server R80.20 and licenses for unlimited Policy Servers. I have attached the central license to the EPM server, and my query is how do I attach licenses to Policy servers, since I have installed 3 Policy servers, which show eval licenses only. TIA, Blason R
Ethan_Keaton inside Logging and Reporting a week ago
views 107 2

LEA Not Starting

Trying to get an R77.30 CMA & CLM working with LEA. Able to pull cert from the CMA w/o issue but getting the following errors when launching LEA:

store_open: Failed stat: Value too large for defined data type
Failed to open LEA state file

Trying to run LEA in DEBUG mode wasn't too helpful either.
Stuart_Green inside Logging and Reporting a week ago
views 5924 11 7

MUH Identity Awareness Agent on Citrix randomly disconnects

Hi, has anyone encountered this issue with the MUH Identity Awareness Agent running on Citrix servers? Initial connection works just fine but then after a few days it just disconnects and stops forwarding identities. Event log on the server says that it is connected but the agent doesn't report that. Screenshot is attached. There doesn't seem to be an sk relating to this so I'm wondering if it is a bug? It's an R80.10 environment running JHF112 and SC Take 056. TIA, Stu