_Daniel_ inside Logging and Reporting 2 hours ago
views 10

Standalone upgrade to R80.20

Hi There,

Just trying to get some thoughts about upgrading a standalone cluster in load sharing mode from R77.30 to R80.20 with minimal downtime. We’re fully aware that load sharing is not supported on R80.20 and we need to go to HA mode, also standalone isn’t recommended, though these firewalls are used purely for remote access and they’re on the road map to be replaced in less than a year.

We’re planning it as below:

- Already checked the hardware compatibility and we’re upgrading the firewalls (pair of 4600's) memory to 8GB
- Copy R80.20 upgrade tools, run a pre upgrade verifier and then do a migrate export –on primary gateway- scp’g it out
- Copy Gaia configuration
- Take member 1 (M1) offline
- Fresh install R80.20, followed by migrate import and latest HFA (based on few experiences, fresh install is still better than using CPUSE), then copy the GAIA config, install the policy (after changing the ClusterXL mode and the version, etc.)

Here we’re not 100% how to proceed as we’re not sure the 2 members will sync, but we’re thinking of

- Connect M1 back to the network
- Hope that the 2 members will sync (keep an eye on HA status), though we’re not sure as we changed the ClusterXL mode
- In case it’s sync’d, cpstop on M2
- Take M2 off the network, fresh install (making it as secondary) and then put it back online

Has anyone come across this scenario? Any input/thoughts are much appreciated.

Cheers,
Eric_Lindsey1 inside Logging and Reporting 13 hours ago
views 36

MTA email data missing from logging

We are using our checkpoint appliance as an MTA. External email is directed to checkpoint and then to our internal email servers. We are also threat emulating attachments. If an email comes into the system and passes through checkpoint with no attachment we do not see any of the email data in the smartlog. If the email has an attachment and threat emulation emulates the file we see the subject, sender, recipient in smartlog. Is there any reason the normal email just passing through the appliance does not show in smartlog?
KLN inside Logging and Reporting yesterday
views 116 6

Log Exporter R80.10 add on for eval

Hi All, Does anyone know if it is possible to get the Log Exporter add-on for R80.10 gateway for 30 day eval? I would like to test/try out. If not, if I upgraded my R80.10 eval to R80.20, does that include the Log Exporter (alternative to OPSEC LEA)? Thanks
inside Logging and Reporting yesterday
views 1720 19 6

Log Exporter Filtering

Hello all, I'm happy to inform you that we added a new feature to the log exporter - the ability to filter logs. Starting today, you will be able to configure which logs will be exported, based on fields and values, including complex statements. More information, including basic and advanced filtering instructions, can be found in SK122323. If you have any question or comment, let me know. Thanks! Dan.
slay39 inside Logging and Reporting Tuesday
views 109 4

Checkpoint Management Log Size Problem

Hi Checkmates, When I check the disk situation I saw log directory was full so that I removed old logs from $FWDIR/log/ directory. Disk situation is okay now. When I controlled /var/log/opt directory, I saw 854G space allocated. Is that normal? If not, what should I do?

[Expert@hostname:0]# pwd
/var/log/opt
[Expert@hostname:0]# ls
CPSmartLog-R77 CPSmartLog-R80 CPrt-R77 CPrt-R80 CPshrd-R77 CPshrd-R80 CPsuite-R77 CPsuite-R80
[Expert@hostname:0]# du -h --max-depth=1
233M ./CPshrd-R77
173G ./CPsuite-R80
158M ./CPshrd-R80
143G ./CPrt-R77
391G ./CPsuite-R77
60G ./CPrt-R80
88G ./CPSmartLog-R77
200M ./CPSmartLog-R80
854G .
[Expert@hostname:0]#
Maarten_Sjouw inside Logging and Reporting Monday
views 127 6

Is CP-Logexporter able to export events?

Hi, I got this question from our SIEM team: is it possible to export correlated events with CP-Log Exporter?
Sal_Previtera inside Logging and Reporting Monday
views 109 2

SMART EVENTS server move to a different hardware version 80.xx and above ?

Can someone at Checkpoint possibly come up with decent documentation on how to move a SMARTEVENT server from server A to Server B, with the understanding that the IP will be kept the same but the HARDWARE may be different?

1. Snapshots will not be any good.....
2. Backup and restore .....useful or not ...probably not...?
3. Migrate Export does not move database file....?

There were somewhat, almost decent documents in R77.xx but can't find anything halfway decent in R80.xx. Please, someone point me in the right direction... Thanks,
Hugo_vd_Kooij inside Logging and Reporting a week ago
views 4104 8 3

How to debug Policy Installation Errors

I get some BETA Dejavu experiences. Where I would break the EA version by activating the DNS server on the object for my Active Directory server. I now have this graceful error "Policy installation failed on gateway. If the problem persists contact Check Point support (Error code: 0-2000040)." But I can't even recall having put anything as naughty as a DNS server in my policy...... Checking myself again .... Guess what. I actually did enable the DNS server on my Domain Controller. So what is the logic of this failure?
Daniel_Hainich inside Logging and Reporting a week ago
views 453 4 1

R80.20 SmartReporter : how to do a report "rule base analysis"?

Hello, how can I do a report for rule-base analysis? I want to report 0-Hit Rules and Rules which have no hits since x days. Please help! Daniel
VENKAT_S_P inside Logging and Reporting a week ago
views 7958 7 1

Log export to excel CSV

General question: Is there an option to export all (not first 50 records) the 7days / 30days logs to CSV file from Logs & Monitor pane?
Matthias_Haas inside Logging and Reporting a week ago
views 1005 4 1

log accounting does not work

Hello all,

we are facing the problem, that after upgrading a Cluster to R80.10, log accounting does not work any more. (worked with R77.30)
So
- just the FW blade is used (no App Control etc.)
- accounting is enabled for the rule
- nevertheless, the accounting fields are empty in the log
We have waited quite a while to make sure the fields are filled up.
Case is open, but TAC told us that the App Control blade is necessary for accounting which I don't think is true (at least in my lab it works with the fw blade only).
I did not find any useful SK/information for analysing this problem.
Has anyone had the same situation?
Thanks a lot
Matthias
inside Logging and Reporting a week ago
views 59 3 1

Is it possible to filter access to Management GUI or SmartView Login Pages

While we can use "User Management / GUI Clients" to filter access to SmartConsole, that filter doesn't get applied to GUI or the SmartView web page. Is there any way to restrict access to the Management GUI or SmartView web pages??
Peter_Baumann inside Logging and Reporting 2 weeks ago
views 45

Log Exporter stopped reading logs

Hello again, A new problem, this time with the log exporter:

[Expert@cplog01p:0]# date
Tue Jul 02 09:40:40 CEST 2019
[Expert@cplog01p:0]# cp_log_export status
name:
status: Running (3986)
last log read at: 27 Jun 11:51:02
debug file: /opt/CPrt-R80.20/log_exporter/targets/>

Log Exporter has stopped reading logs since some days but is still running. We did a cp_log_export restart and it worked again. Does someone know how to monitor the Log Exporter stopped working even when the process is still running? Is this problem known?

Installed version of cplog01p:

[Expert@cplog01p:0]# cpinfo -y all
This is Check Point CPinfo Build 914000182 for GAIA
[IDA] No hotfixes..
[CPFC] HOTFIX_R80_20_JUMBO_HF_MAIN
[MGMT] HOTFIX_R80_20_JUMBO_HF_MAIN
[FW1] HOTFIX_R80_20_JUMBO_HF_MAIN
FW1 build number:
This is Check Point Security Management Server R80.20 - Build 007
This is Check Point's software version R80.20 - Build 047
[SecurePlatform] HOTFIX_GOGO_LT_HALO_JHF
[CPinfo] No hotfixes..
[DIAG] No hotfixes..
[Reporting Module] HOTFIX_R80_20_JUMBO_HF_MAIN
[CPuepm] HOTFIX_R80_20_JUMBO_HF_MAIN
[VSEC] HOTFIX_R80_20_JUMBO_HF_MAIN
[SmartLog] No hotfixes..
[MGMTAPI] No hotfixes..
[R7520CMP] No hotfixes..
[R7540CMP] No hotfixes..
[R76CMP] No hotfixes..
[SFWR77CMP] No hotfixes..
[R77CMP] HOTFIX_R80_20_JHF_COMP
[R75CMP] No hotfixes..
[NGXCMP] No hotfixes..
[EdgeCmp] No hotfixes..
[SFWCMP] No hotfixes..
[FLICMP] No hotfixes..
[SFWR75CMP] No hotfixes..
[CPUpdates] BUNDLE_R80_20_JUMBO_HF_MAIN_gogoKernel Take: 47
[rtm] No hotfixes..
MattDunn inside Logging and Reporting 2 weeks ago
views 46 1 1

R80 Logging Query

I want to send a screenshot of the Logs view to a customer to demonstrate an issue and highlight a point I'm trying to make. The issue is VPN related, where we continually try and set up a tunnel, then send a "delete", then set up, then send a delete. I want to show this in my log view so I can take a screenshot, but the one field I want to add to my log view is not available. If I open the log card, I see the "Ike" field, highlighted in red below. I want to add that column to my log view. Other log cards have "Methods" showing info of the key exchange, but again "Methods" is not available to select as a column in my log view. If I go to my log and "Edit Profile", neither the "Ike" nor "Methods" fields are available to select as a column in my log view. Why aren't these columns available to add? How can I add them?
Ants inside Logging and Reporting 2 weeks ago
views 44 1 1

Auto Export scheduled reports to a remote server possible?

Hi All. We have a set of scheduled reports running on R80.10 CMA and want to know if it is possible to have them exported to a remote server using scp or similar (only option I see is via email). Our aim is to have these raw reports copied (scp etc) to a remote server where they will be analyzed further with an in-house automation.

Location: /opt/CPrt-R80/smartview/exported_files/41e821a0-3720-11e3-aa6e-0800200c9fde/<objid_for_admin>/

Alternative plan would be to create a user with scponly shell so they can pull these reports from the FW.. my last resort.

Thanks in advance