This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Rick_Isbell
Explorer
‎2017-12-18 09:36 AM

80.10 and SmartLog queries

I have been using CheckPoint firewalls for about 6 years and since day 1 have thought that they 'did it right' for both the firewall admin and the security analyst.  However, the lack of flexibility to get data, reports, and alerts out of the SmartLog and SmartEvent makes we want to rip it out and put in a Linksys with Kiwi syslogging.

For example, why does (NOT protection_type:"blockbycountries") give me all logs except for geo-location ones, and (protection_type:"blockbycountries") returns nothing?

I feel that 80.10 is a SERIOUS step backwards in regards to logging, monitoring, & event analysis.  I previously used R75.40, R77.30, and even NGSE and was able to create a detailed view of the inbound and outbound traffic on a daily basis.  Now, the exported log output shows a handful of columns whereas the older versions had dozens.

If I am missing something can someone please shed some light on it? 

6 Replies
Kaspars_Zibarts
Employee Employee
Employee
‎2017-12-18 02:03 PM

I'm with you on this Rick. Have seen really strange "behaviour" of the log search, for example searching /24 subnet returns nothing but entering a specific host in the same subnet suddenly displays lots of logs. There are more examples, but at the moment our biggest issue is the speed of the search that intermittently grinds to halt. We have increased RAM and CPU and it run for a while but eventually it came back. We managed to isolate one scenario where running API script on MDS that was creating large groups of subnets pretty much stopped log search ability on MLM. Case has been open for over a month with very little progress. 

0 Kudos
Vincent_Bacher
Advisor
Advisor
‎2017-12-19 08:53 AM
In response to Kaspars_Zibarts

How many gateways and how many events do you have per day to make your smartcenter too slow?

and now to something completely different - CCVS, CCAS, CCTE, CCCS, CCSM elite
0 Kudos
Kaspars_Zibarts
Employee Employee
Employee
‎2017-12-19 10:05 AM
In response to Vincent_Bacher

Rough estimate 30 gateways, not too sure about the day but I know over 15k events total per second on ave, so if guestimate over 1000M events

0 Kudos
Vincent_Bacher
Advisor
Advisor
‎2017-12-19 10:12 AM
In response to Kaspars_Zibarts

Well. 15 K/sec sounds quite much. Would be interesting what output the CPinvestigator would deliver

and now to something completely different - CCVS, CCAS, CCTE, CCCS, CCSM elite
0 Kudos
Vincent_Bacher
Advisor
Advisor
‎2017-12-19 08:51 AM

Just a handful of columns? When I have a look at the columns which can be displayed in a custom profile, they are much more than just a handful.

and now to something completely different - CCVS, CCAS, CCTE, CCCS, CCSM elite
0 Kudos
Yaakov_Ohayon
Employee
Employee
‎2017-12-24 05:25 AM

Hi Rick,

Your question is super important to me as the product owner, and would like to talk to you about your experience.

please send me your contacts and timezone so we can schedule a phone call.

my email is: yaakovo@checkpoint.com

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events