Recently, while working with a customer to get up to speed with R80.10 and replacing a proxy solution with Check Point's App&URL blade solution, an interesting issue came up when it came to handing over the project to BAU.
When a block page is generated, Check Point has a few auto-generated fields that help with the troubleshooting, such as source IP and the Application.
But what use is this, really, in a fast-paced environment when there could be thousands of hits? You need to find a specific log entry.
Check Point have a source field for this, called 'Incident ID', which is inserted into the UserCheck page.
When a block page is presented, the log that Check Point generates looks like this: (I used www.thesun.co.uk for example purposes)
Next step:
This block page has just been emailed to your Support Guys. How do they find this Block Log?
OK, well, let's jump onto SmartLog and search for this reference number...
Well, that isn't ideal. OK, let's search for that reference in the incident_id field instead:
As you can see, this is not a quick find for your support guys.
Instead, let's try looking for the specific log with a full filter, ignoring the Incident_ID reference number. (This is a pure test machine, so traffic flow is minimal.)
If I now open the log with the 12:03 timestamp and try to find my log reference number, 81817825, I find it is a suffix of the field 'UserCheck ID'.
However, this field is not selectable within SmartLog. Interesting....
The Solution:
What I have then done is modify my Block Page to contain a wildcard prior to the log ref number. This allows the UserCheck ID field to be correctly searched, and also allows Support to perform quick searches and saves a lot of time, as now a simple copy-and-paste will pull up the log.
Example of the source code in UserCheck:
Which gives this output in Support Ticket generation:
Now Support can enter this into SmartLog to get the specific log:
I hope that helps. I couldn't find an SK on this, but it must exist.
Also, I tried this in SmartTracker on an R77.30 device; the field was then called 'UID', but wildcards don't work when filtering, nor does the 'contain' option. How did this used to work? If anyone has another way to parse these log IDs, I'd love to hear it.
Many Thanks
Aaron