This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
marki
Collaborator
4 weeks ago

Find rules hit (with a certain filter)

Hello,

So what I want to do is, get a distinct (i.e. unique items) list of what rules were hit with a certain filter in place. E.g. Give all rules hit in the last month for filter "src:192.168.1.0/24 OR dst:192.168.1.0/24". All of them not just the top ten or something.

SmartConsole (Logs) do not seem to be able to produce this information on the fly, i.e. that does not seem to be something you can specify as a query like in SQL (using SELECT DISTINCT) or otherwise.
Smartconsole does not generate exports, but Smartview does. So I tried that.
When I start an export with maximum amount of data (1M), nothing happens, it stays running in "Tasks->Archive" screen and searches are meanwhile no longer working, so I had to reboot smartcenter.

What do I need to do to obtain this simple piece of information without assigning it a dozen CPU cores and tens or hundreds of gigabytes of RAM (which is I guess the issue with an export)?

Thanks.

0 Kudos
7 Replies
HeikoAnkenbrand
MVP Platinum
MVP Platinum
4 weeks ago

It’s just a spontaneous idea from me.
You can possibly do this with SmartEvent and generate a report for it.

➜ CCSM Elite, CCME, CCTE ➜ www.checkpoint.tips
0 Kudos
the_rock
MVP Platinum
MVP Platinum
4 weeks ago

I see point Heiko made. I have dedicated smart event in the lab, let me see if I can make this work.

Best,
Andy
0 Kudos
the_rock
MVP Platinum
MVP Platinum
4 weeks ago

I played around with it a bit in the lab and attached some screenshots, hope it helps.

 

Best,
Andy
Preview file
54 KB
Preview file
50 KB
Preview file
74 KB
0 Kudos
marki
Collaborator
3 weeks ago
In response to the_rock

Thanks for the effort, but we don't have a license for that.

I'll just go through the Policy and apply a filter with Packet Mode enabled and hope I don't miss anything.

0 Kudos
the_rock
MVP Platinum
MVP Platinum
3 weeks ago
In response to marki

You mean license for smart event? If not, you can try eval.

Best,
Andy
0 Kudos
the_rock
MVP Platinum
MVP Platinum
4 weeks ago

On top of screenshots I sent, will do some more tests tomorrow in the lab to see what the final report would look like.

Best,
Andy
0 Kudos
JozkoMrkvicka
Authority
Authority
4 weeks ago

Exports from SmartView works, you just need to wait 😉 It can take up to 30 minutes to generate the export, depending on amout of logs and selected filter.

One issue in case of SmartView export is that you need to ensure each and every rule has Log enabled.

Another option would be to create some script to get all rules from specific rulebase and check for hits within specific timeframe.

Kind regards,
Jozko Mrkvicka
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events