Logging and Reporting

Have questions about viewing logs with SmartView, generating reports with SmartEvent Event Management, or exporting logs to a SIEM with Log Exporter? This is where to ask!

Runan_Chaung
Runan_Chaung inside Logging and Reporting 21m ago
views 819 13

Traffic calculations question

Environment: R80.20 on HP Server Gen10, bridge mode.

I have some questions about traffic logs and calculations.

1. When Application Name is "Unknown Traffic", the traffic log displays incorrectly.
2. And I found some logs display nothing about traffic.
3. I use a view or report to calculate traffic, but cannot calculate by destination IP address.

log:
view:

How could I change my configuration to make it right?
Yonatan_Philip
inside Logging and Reporting 7 hours ago
views 76680 118 48
Employee+

Log Exporter guide

Hello All,

We have recently released the Log Exporter solution. A few posts have already gone up and the full documentation can be found at sk122323.

However, I've received a few questions both on and offline and decided to create a sort of log exporter guide.

But before I begin I'd like to point out that I'm not a Checkpoint spokesperson, nor is this an official Checkpoint thread. I was part of the Log Exporter team and am creating this post as a public service.

I'll try to only focus on the current release, and please remember anything I might say regarding future releases is not binding or guaranteed. Partly because I'm not the one who makes those decisions, and partly because priorities will shift based on customer feedback, resource limitations and a dozen other factors. The current plans and the current roadmap are likely to drastically change over time.

And just for the fun of it, I'll mostly use the question-answer format in this post (simply because I like it and it's convenient).

Log Exporter – what is it?
Performance
Filters
Filters: Example 1
Filters: Example 2
Gosh darn it, I forgot something! (I'll edit and fill this in later)
Feature request
Chinmaya_Naik
Chinmaya_Naik inside Logging and Reporting 8 hours ago
views 25 1

Forescout NAC Integration with checkpoint EDR (Endpoint)

Hi Team,

As for my old query, which was about integration with the Checkpoint Management Server, which gives us the Firewall Threat Prevention detection and remediation information on ForeScout:
Link: https://community.checkpoint.com/t5/Logging-and-Reporting/Forescout-Integration-with-checkpoint-management-Server/m-p/66240#M3938

Now my requirement is about seeing the information on ForeScout of all the Endpoint Clients installed in our infra. Information needs to be visible on ForeScout such as:
1. Endpoint Client Version
2. Checkpoint Endpoint Services
3. Encryption Status of all connected clients
4. Antimalware Updates

As of now we are able to achieve points one, two and three.

CP Endpoint Version Information (screenshot 02)

We tried to add the Checkpoint EDR on the ForeScout antivirus policy but are unable to see the Checkpoint vendor name; but we are able to see the Checkpoint vendor in the encryption section of the ForeScout policy, and after adding Checkpoint to the encryption policy (ForeScout) we are able to see the encryption status (above Screenshot 02).

But as I checked with the ForeScout team, I found that a custom policy needs to be created on ForeScout for Antimalware visibility in order to posture the Checkpoint Antimalware updates, but ForeScout requires a DAT file from the Checkpoint Endpoint Agent. But I am unable to find which DAT file is required; also, that file must store the Anti-Malware Signature version information (in Checkpoint Endpoint). Basically, other third-party vendors have a DAT file on each of the machines, and that DAT file usually updates once a new signature is fetched by the client from the server.

Kindly help with whether it's possible to see on ForeScout whether the Checkpoint Antimalware Signature is up-to-date or not, because the NAC agent has the functionality to move the machine to an isolated network if the Endpoint machine's antimalware or antivirus signature is not up to date, and this functionality is very important for most organizations.

Thanks and Regards,
@Chinmaya_Naik
Support_Team_Bi
Support_Team_Bi inside Logging and Reporting 8 hours ago
views 57 1

R80.30 Management : Empty action in custom report

Hello All,

I have upgraded Management by changing from an R77.30 appliance to an R80.30 open server. Migrate export is done (the gateway is an R77.30 12600). Then I moved logs from R77.30 to R80.30 and set the index in R80.30 to 365 days. I have some questions about a report that I generated.

1. In the action count of the firewall blade on the custom report view, there is an empty action shown in the table. What is the empty action? Please explain it.
B_P
B_P inside Logging and Reporting 8 hours ago
views 622 13

R80.30 Netflow Setup

Pre R80.10 Netflow worked fine.

Now on R80.30 I have two flows that are identical -- but one only shows Outbound and the other only shows Inbound. BUT -- and this is perplexing -- it is the exact same traffic for both inbound and outbound flows -- i.e. source and destination are the same.

Yes.. let that simmer for a while.

I have one rule that's configured on the firewall and it's a rule that a lot of web traffic hits on. I'm using ManageEngine's Netflow Analyzer.

For this traffic, I would expect there should be one flow and it should include both inbound and outbound traffic on the one interface (the internal interface it's hitting).
Tomas_Hamrle
Tomas_Hamrle inside Logging and Reporting 8 hours ago
views 16

SmartEvent - deleting of archived pdf reports

Hello,

The customer has an R80.30 management server (JHA Take 111) and there are about ten PDF SmartEvent reports scheduled and sent via email every day. Right now, there are more than 2000 PDF reports stored on the management server. I want to delete the old reports, but I'm able to delete them only one by one in SmartConsole, so deleting all reports would take a lot of time. Is it possible to delete multiple stored PDF SmartEvent reports?

Thank you

Unable to get audit logs from Checkpoint R80.10

Hi Team,

I am a SIEM engineer and want to integrate a Checkpoint firewall, R80.10 version, with ArcSight SIEM. We have used the Syslog exporter module in order to receive logs through syslog. Currently we are receiving traffic logs.

Please, somebody help me with the exact configuration to be done at the firewall end in order to receive audit logs along with traffic logs.

Regards,
Mitesh Agrawal
Young_Wook_Choi
Young_Wook_Choi inside Logging and Reporting Friday
views 13735 23 4

[Issue] R80.10 SmartConsole: Export Logs to CSV

Hi,

In SmartConsole, I want to export logs to CSV for some period (for example, 30 days). I applied the filter (30 days) and exported it to a CSV file. However, the logs of 30 days were not exported and only a part was exported.
Michael_Horne
Michael_Horne inside Logging and Reporting Wednesday
views 316 4

Traffic dropped with message information: "Rulebase Internal Error"

Hello,

We are having some traffic that is being dropped with the message information: "Rulebase Internal Error". As of yet I have not found any information related to what this message means and how it can be remedied. Normally this traffic should be allowed, but because of the issue, it appears the traffic is being dropped.

Does anyone have any information that might help in resolving this or might aid the investigation?

Many thanks,
Michael
marcherren
marcherren inside Logging and Reporting Wednesday
views 123 3

How to get the total number of hits of a query in Smartview?

How can I get the total number of hits of a given query in a given timeframe in SmartView? I need the total number to perform some tuning/behavior analysis. Currently I'm using fw log | <grep> | wc -l, but this is very very very slow......
MattDunn
MattDunn inside Logging and Reporting Tuesday
views 245 5

Custom Reports Help

Hi everyone,

I've recently upgraded a customer from R77.30 to R80.30. Previously they had SmartReporter and had reports emailed in automatically every month. I've had to start again from scratch recreating the reports in R80.30, and I'm really struggling to get my head around how to recreate some of the reports. R80.x reporting is sooooo different.

Here is one of the old reports that the customer still wants. Can anyone tell me how to recreate this? I've tried all sorts and can't figure out how to get a table showing the same info as before.

Thanks,
Matt
Juraj_Skalny
Juraj_Skalny inside Logging and Reporting Tuesday
views 886 16 2

URL filtering vs Anti-Bot vs Anti-Virus

Hello,

Hope you are doing good. We are just wondering why there are loads of sites detected by URL Filtering as botnets or Spyware/Malicious sites, but those are not prevented by the active Anti-Bot or Anti-Virus blade.

Thanks,
Juraj
GGiorgakis
GGiorgakis inside Logging and Reporting Monday
views 221 10

show different object name in logs

Dear Support Team,

I had an object named XXX with sample IP address 1.2.3.4. Then I created a new object with name ZZZZ and IP address 1.2.3.4, and it didn't inform me that there was already a created object. By searching in the object explorer I saw the new object name ZZZZ for IP address 1.2.3.4. Then, when I search in logs, I see the name XXX.

Any advice on how to resolve it?
Juraj_Skalny
Juraj_Skalny inside Logging and Reporting a week ago
views 547 11 6

DNS Trap Protection

Hello Guys,

I would like to follow up on the following posts:
https://community.checkpoint.com/t5/Logging-and-Reporting/Threat-Prevention-dns-trap-and-resource-categorization/td-p/18638
https://community.checkpoint.com/t5/IPS-Anti-Virus-Anti-Bot-Anti/Some-DNS-request-not-block-by-AV-blade/m-p/26588#M784

What we would like to find out is how long the firewall keeps the information about a malicious domain in cache. The DNS request is changed to the Bogus IP by the firewall as long as the malicious domain is in the cache.

The problem we see is that the cache is maybe too short, as "Connection was allowed because background classification mode was set. See sk74120 for more information." for the same malicious domain appears in logs too often. We would expect to see this classification event once and then lots of changes to the Bogus IP. But that is not the case.

There is no documentation on CP covering this info or how to change it. Or we have just overlooked it.

In our understanding, this way lots of malicious activities are just allowed only because the firewall needs to let the DNS resolution requests go, because those need to be classified in the first place, over and over again.

Thanks and regards,
Juraj
Henning_Aga
Henning_Aga inside Logging and Reporting a week ago
views 772 6 2

Cannot add log server to smartevent

We have configured SmartEvent R80.10 (dedicated) and by following sk110894 have gotten a few domains and logs into SmartEvent. (We get the "Correlating logs to events. The log correlation unit is not able to read logs from Log server: . Please run 'cpstat cpsead'" message, but we see logs and events, so we're assuming this is cosmetic.)

However, we are so far _only_ able to add logs from domains where the firewall logs to a dedicated log server. If the firewalls in the domain we add log to the management, it does not appear in "General settings -> Initial settings -> Correlation Units -> Add" (select domain where firewall logs to management, not to a dedicated log server).

Has anybody seen anything similar?