f22d99fd-e856-4 inside Logging and Reporting 10 hours ago
views 1601 1

SmartEvent features lost in R80.20

We recently upgraded our DEV environment from 77.30 to 80.20 and I have been working in SmartEvent trying to get my bearings in the new platform. There seems to be some loss of features. For example, in 77.30 I would review IPS events collected over 30+ days, grouping by columns like Attack Info or Source, and then also sorting by columns like the count number when grouped, and unless I am missing something none of this is possible in 80.20. I've played around with the different views available, but they just aren't as interactive as the old platform. Is anyone else having this experience? Am I missing something?
Hugo_vd_Kooij inside Logging and Reporting 10 hours ago
views 3497 7 2

How to debug Policy Installation Errors

I get some BETA déjà vu experiences, where I would break the EA version by activating the DNS server on the object for my Active Directory server. I now have this graceful error: "Policy installation failed on gateway. If the problem persists contact Check Point support (Error code: 0-2000040)." But I can't even recall having put anything as naughty as a DNS server in my policy... Checking myself again... Guess what. I actually did enable the DNS server on my Domain Controller. So what is the logic of this failure?
Tim_Bernat inside Logging and Reporting 10 hours ago
views 27

Threat Prevention log 'Resource' vs 'Destination'

Hi all, and thank you for your input. Just an easy one: looking at a Card from the Threat Prevention log, I am a bit confused by the difference between the 'Resource' field (in the Forensics Details section) and the 'Destination' (in the Traffic section). What does the 'Resource' really reveal? I understand that the 'Suppressed Logs' number signifies a number of attempted connections, is that right? Thanks, Tim
Sanja_Rakic inside Logging and Reporting 15 hours ago
views 21

Endpoint management server and QRADAR

Hi,

My Endpoint management server is sending all the logs to the SIEM (QRadar) solution. There are too many logs coming from Endpoint Mgmt, so I would like to optimize it. I don't want to see logs that are related to Active Directory scanning in the SIEM logs, which happens too often. Is there any way to do it?
Alexander inside Logging and Reporting 16 hours ago
views 20

Error: FW-1 failed to generate the Delayed log record.

Hi everyone,

With a Check Point ClusterXL security gateway (R80.20; 2.6.18-92cpx86_64), after installing the following hotfix <Check_Point_R80_20_JUMBO_HF_Bundle_T33_sk137592_GL_FULL.tgz> no logs are being generated and I can see the following errors in /var/log/messages:

Jun 26 10:37:03 2019 fw01 kernel: FW-1: stopping debug messages for the next 57 seconds
Jun 26 10:37:03 2019 fw01 kernel: [fw4_0];fwloghandle_create: FW log format error (124). Please check your log formats files (*.lf).
Jun 26 10:37:03 2019 fw01 kernel: [fw4_0];Error: FW-1 failed to generate the Delayed log record.
Jun 26 10:37:03 2019 fw01 kernel: [fw4_0];[10.255.253.237:63420 -> 239.255.255.250:1900] [ERROR]: up_unified_log_send_network_chain_log: fw_up_fw_delayed_log_conn_ex (via hook) failed
Jun 26 10:37:03 2019 fw01 kernel: [fw4_0];[10.255.253.237:63420 -> 239.255.255.250:1900] [ERROR]: up_manager_create_net_log: up_unified_log_send_network_chain_log failed
Jun 26 10:37:03 2019 fw01 kernel: [fw4_0];fwloghandle_create: FW log format error (124). Please check your log formats files (*.lf).

I verified sk121612 and sk117288 and the output is as expected, although those solutions are for R77.30 and R80.10 respectively. Does anyone else have an idea what can be done to verify what's going on? Many thanks,
Alexander
stevenhudson622 inside Logging and Reporting Monday
views 182 4 1

SmartView Tracker Not Working Properly

Hello, I am having a problem getting SmartView Tracker to show traffic that is actually allowed to pass through the firewall. If I Edit Filter and just filter on Accept/Allow, I'm not seeing anything. I am using Provider-1 SmartDashboard R77.30 and Gateways R70. On the same setup all the hit counts are at 0 as well. Any ideas? Thanks, kind regards
Marek_Pietrulew inside Logging and Reporting Monday
views 873 4 4

CPview and Top-connections in R80.20

Hi,

We recently upgraded from 80.10 to 80.20 and noticed that the BW Top-Connections view has been removed from CPview. There is only top-connections information in regards to CPU utilization. Where can we quickly get BW top-connections info in R80.20 from the CLI?

Regards,
Marek

Unable to filter out Network Access Rule Number in logs

I'm trying to migrate a customer into using an inline policy. To do this, I've added the inline rules, and kept the Application layer there as well to catch what I missed. Now I need to remove the Application layer. To do that, I click on a rule, look at the logs for the rule, and filter on the column Access Rule Number in order to see if I missed any inline rules.The problem is that for drops, which are the most important, the Access Rule Number column doesn't show the Network Rule, but the Application Rule.I know this info (the Network rule) is there because if I drill down into the log, I see it in the Matched Rules tab.But, there are millions of logs so rather than look into each one, I'd like a way to filter them out like I filter the accepts by Access Rule Number in the first screenshot. I've looked at the columns available in the profiles and don't see anything that would give me the Network Rule the traffic is using when it gets dropped on the Application Rule. If I don't add an inline drop for the relevant rules, like 144 above, then users can get out to blocked sites. If I keep the Application layer in place, then the Inline rules are not making the policy more efficient. Any ideas how I can find the rules that I need to add the block rule on inline?
Mubarizuddin_Mo inside Logging and Reporting Monday
views 1147 2

Remote VPN users report

Hello,

Is there a way to export a list of Remote VPN users in the local MGMT database which includes last login time etc.? Something similar to fwm dbexport.
Sergei_M inside Logging and Reporting Sunday
views 418 5

Log Exporter Reexport

For the purpose of restoring logs after accidents we tried to use the command cp_log_export reexport. In practice, only the logs of the last 4 hours were exported, which did not suit us. Is there a way to export the logs for a longer period? How is that done?
ThomasD inside Logging and Reporting Thursday
views 609 3

Sending Check Point logs via LogExporter to SkyBox

Hello,

I am curious if anyone has successfully sent Check Point logs to SkyBox via the LogExporter tool. I was able to send the syslogs to the SkyBox server, but apparently SkyBox cannot interpret it correctly due to a date/time format issue.

According to SkyBox, they are expecting the format below from Check Point CMA (Provider-1):

2013-01-06 16:07:55 Local4.Info 10.1.1.1 cma1: 16Sep2012 15:53:54 accept 10.2.2.2 >eth0 rule: 1; rule_uid: {42B0B1D4-73B6-4FEC-97D0-9BBE0AF18742}; service_id: ssh_version_2; src: 192.168.1.1; dst: 10.2.2.2; proto: tcp; product: VPN-1 & FireWall-1; service: 22; s_port: 53753; product_family: Network;

But this is what SkyBox is receiving from the Provider-1 instead:

Jun 5 04:00:01 XXXXXXXXXX 2019-06-05T07:59:58Z XXXXXXXXXX CheckPoint 9066 - [action:"XXXXXXXXXX"; flags:"XXXXXXXXXX"; ifdir:"XXXXXXXXXX"; ifname:"XXXXXXXXXX"; loguid:"XXXXXXXXXX"; origin:"XXXXXXXXXX"; time:"XXXXXXXXXX"; version:"XXXXXXXXXX"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={XXXXXXXXXX};mgmt=XXXXXXXXXX;date=XXXXXXXXXX;policy_name=XXXXXXXXXX]"; dst:"XXXXXXXXXX"; origin_sic_name:"XXXXXXXXXX,O=XXXXXXXXXX"; product:"XXXXXXXXXX"; proto:"XXXXXXXXXX"; rule:"XXXXXXXXXX"; rule_name:"XXXXXXXXXX"; rule_uid:"{XXXXXXXXXX"; s_port:"XXXXXXXXXX"; service:"XXXXXXXXXX"; src:"XXXXXXXXXX"; ]

Thank you in advance for your help/suggestions.
Thomas
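An added example, not from the post above and not Check Point's or SkyBox's code: a small Python script that reshapes a Log Exporter syslog line of key:"value"; pairs (the second format quoted in the post) into the legacy fw-log style line that SkyBox says it expects (the first format). The sample input line, its values, the '>'/'<' direction markers and the protocol-number-to-name mapping are constructed assumptions; whether SkyBox accepts the result still has to be checked against SkyBox's own documentation.

```python
"""Added example (not Check Point's or SkyBox's code): reshape a Log Exporter
syslog line of key:"value"; pairs into the legacy fw-log style line that the
post says SkyBox expects. All sample data below is constructed."""
import re
from datetime import datetime, timezone

# One key:"value"; pair. Non-greedy, terminated by '";' followed by whitespace,
# ']' or end of text, so values may themselves contain ';' '[' or '{'
# (e.g. the __policy_id_tag value quoted in the post).
PAIR_RE = re.compile(r'([A-Za-z_]\w*):"(.*?)";(?=\s|\]|$)')
# RFC 3339 timestamp that Log Exporter puts in the syslog header.
ISO_RE = re.compile(r"\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z")

# Field order of the legacy line quoted in the post; missing fields are skipped.
LEGACY_ORDER = ("rule", "rule_uid", "service_id", "src", "dst", "proto",
                "product", "service", "s_port", "product_family")
# Assumption: legacy output marks direction as '>' (outbound) / '<' (inbound).
DIR_MARK = {"outbound": ">", "inbound": "<"}
# Assumption: Log Exporter emits the IP protocol number; legacy shows a name.
PROTO_NAME = {"1": "icmp", "6": "tcp", "17": "udp"}


def parse_log_exporter(line: str) -> dict:
    """Return the key/value pairs from the [...] block, plus the header timestamp."""
    start, end = line.find("["), line.rfind("]")
    if start < 0 or end <= start:
        raise ValueError("no structured-data block in line")
    fields = dict(PAIR_RE.findall(line[start + 1:end]))
    header_ts = ISO_RE.search(line[:start])
    if header_ts:
        fields["_header_time"] = header_ts.group(0)
    return fields


def to_legacy(fields: dict) -> str:
    """Build '<ddMonYYYY HH:MM:SS> <action> <origin> <dir><ifname> k: v; ...'."""
    if "_header_time" in fields:
        ts = datetime.strptime(fields["_header_time"], "%Y-%m-%dT%H:%M:%SZ")
    else:
        # Log Exporter's own 'time' field is epoch seconds (UTC).
        ts = datetime.fromtimestamp(int(fields["time"]), tz=timezone.utc)
    stamp = ts.strftime("%d%b%Y %H:%M:%S")

    action = fields.get("action", "").lower()
    iface = DIR_MARK.get(fields.get("ifdir", ""), "") + fields.get("ifname", "")
    head = f"{stamp} {action} {fields.get('origin', '')} {iface}"

    out = dict(fields)
    if out.get("proto") in PROTO_NAME:
        out["proto"] = PROTO_NAME[out["proto"]]
    body = " ".join(f"{k}: {out[k]};" for k in LEGACY_ORDER if k in out)
    return f"{head} {body}"


# Constructed sample in the shape quoted in the post (all values invented).
SAMPLE = (
    "Jun  5 04:00:01 relay01 2019-06-05T07:59:58Z mgmt01 CheckPoint 9066 - "
    '[action:"Accept"; flags:"411908"; ifdir:"outbound"; ifname:"eth0"; '
    'loguid:"{0x5cf76c9e,0x0,0x1010a8c0,0xc0000001}"; origin:"10.1.1.1"; '
    'time:"1559721598"; version:"5"; '
    '__policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={ABCDEF01-0000-1111-2222-333333333333};'
    'mgmt=mgmt01;date=1559700000;policy_name=Standard]"; dst:"10.2.2.2"; '
    'origin_sic_name:"CN=gw01,O=mgmt01..a1b2c3"; product:"VPN-1 & FireWall-1"; '
    'proto:"6"; rule:"1"; rule_name:"Allow SSH"; '
    'rule_uid:"{42B0B1D4-73B6-4FEC-97D0-9BBE0AF18742}"; s_port:"53753"; '
    'service:"22"; src:"192.168.1.1"; ]'
)


def convert_line(line: str) -> str:
    """Convenience wrapper: Log Exporter line in, legacy-style line out."""
    return to_legacy(parse_log_exporter(line))


if __name__ == "__main__":
    print(convert_line(SAMPLE))
```

The script only rewrites the Check Point message body; the "2013-01-06 16:07:55 Local4.Info 10.1.1.1 cma1:" prefix in the SkyBox sample is added by the receiving syslog server, not by Check Point. Fields that the legacy sample has but the exported line lacks (service_id, product_family) are simply omitted rather than guessed.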
deepwaraich143 inside Logging and Reporting Thursday
views 106 1

Zero Phishing

Hi there,

I am facing a problem while creating a report for the blade "Zero Phishing". I filtered for password reuse but SmartView shows "no data found". However, I can see there are some events within R80.20. Your help will be appreciated. Thanks
Michael_Horne inside Logging and Reporting a week ago
views 826 5 2

Logs & Monitoring - Reverse DNS lookups incorrect

Hello,

I have been looking for information about how the reverse DNS lookup works for the "logs" in R80.10. The issue we have is that the FQDN being displayed in the Logs is incorrect. In the log view "ZRH-L00053" is displayed for the IP 10.166.138.158. When we check the DNS on the management server, the host ZRH-D00008 is the actual owner of this IP address in both directions, and ZRH-L00053 maps to another IP. If anyone has any information about how this reverse DNS lookup is working, it would be great.

Many thanks,
Michael
Yonghao_Gao inside Logging and Reporting a week ago
views 937 10

smartevent status attention

Dear all, my SMS is R80.10 and provides the SmartEvent service, but it shows the following attention message: "Scale is not according to recommendation". What does that mean?
Maik inside Logging and Reporting a week ago
views 257 1

Management server version != log server version != gateway version

Hello guys, I have a small question regarding a specific given setup. Let's say we have the following:

- Management server running R80.20 (no "M" release)
- Dedicated log server running R80.10
- Security gateway running R80.20

Will it be possible for the gateway to send logs to the log server with a "minor" version? I know that it is problematic, and without a specific patch not possible at all, to manage R80.20 gateways with an R80.10 management site. But I could not find any information about a situation where just the logging is "older". Currently we have just the management on R80.20 and log + gw's running R80.10. I'm just wondering if the log server needs to be updated before the gateways receive the upgrade.

Best regards & thanks for any hints,
Maik