This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
the_rock
Legend
Legend
‎2021-11-11 06:17 AM
Jump to solution

Getting specific report about Geo locations

Hey guys,

Wondering if anyone was ever able to get this info...so, we are trying to get info for the customer for number of hits from any given country in the world for say last week or month or 6 months. The reason they wanted to have this is because if there are other countries hitting them, then they would want to block traffic from those countries and not just 8 countries they are currently blocking.

We played around with filters and reporter settings in dashboard, but no luck. Opened TAC case, but all they said was they would research and get back to us, bot nothing so far.

If anyone has any ideas/suggestions, greatly appreciated as always.

 

Thanks!

0 Kudos
1 Solution

Accepted Solutions
Danny
Champion Champion
Champion
‎2021-11-11 11:33 PM
In response to the_rock
Jump to solution

So your challenge is actually that SmartEvent isn't yet capable of working with hit counts.
This doesn't relate to Geo locations specifically. Now I get it.

I suggest the following workaround:

  1. Create a preordered access control layer and name it 'Geo' or similar (implicit accept action)
  2. Within that new 'Geo' layer, delete the last drop rule and create accept rules for each country or region
  3. Show the hit count column in your 'Geo' policy layer
  4. Install Policy
  5. Update the IPtoCountry database on your SmartCenter
  6. Verify that more and more country rules show a raising hit count
  7. Export your Security Policy to Excel
  8. Use Excel to create any diagrams you wish based on hit count data

I'd create a video for this, but I don't get any hit count data in demo mode and Check Point never sent me an appliance to play with and develop these tools at home.

View solution in original post

0 Kudos
10 Replies
PhoneBoy
Admin
Admin
‎2021-11-11 11:04 AM
Jump to solution

I suspect this is not one of the fields that is indexed, thus you can’t run reports on it.
Makes it an RFE.

0 Kudos
the_rock
Legend
Legend
‎2021-11-11 12:39 PM
In response to PhoneBoy
Jump to solution

Thats unfortunate...we definitely thought it would be easy to get that info, but guess not possible. O well...

0 Kudos
Danny
Champion Champion
Champion
‎2021-11-11 03:36 PM
In response to the_rock
Jump to solution

Just create a rule for each country and you should be able to create a report for your country rules.

0 Kudos
the_rock
Legend
Legend
‎2021-11-11 03:57 PM
In response to Danny
Jump to solution

Thanks Danny, I really appreciate you putting effort into making that video, means a lot. Sadly, it does not help get what we need...I showed that exact filter to TAC yesterday and we could not get any data at all. I will wait for their feedback and see what they suggest next. 

0 Kudos
JoSec
Collaborator
‎2021-11-11 08:22 PM
In response to the_rock
Jump to solution

I was able to create a report by Source Country which appears to allow you to report on the Geo Protection logs generated by the Geo Policy. You can try the following below if utilizing a shared Geo Policy and not rule based. If utilizing Geo in a rule, I would think that would generate the appropriate log as well.

1. Change the "Policy for other countries" action to "Log". 

2. You could add other countries currently not blocked, though a painstaking task, to the GEO Policy and set the action to Accept and Log to generate the appropriate log which would then allow you to create the report. This seems to work per some logs I reviewed when I compared them to the report I generated.

Preview file
44 KB
Preview file
14 KB
0 Kudos
the_rock
Legend
Legend
‎2021-11-11 08:59 PM
In response to JoSec
Jump to solution

We tried that, but that only gives logs, NOT hits. Its definitely not the same, because when we compare amount of logs for some countries, math just does not add up at all.

0 Kudos
Danny
Champion Champion
Champion
‎2021-11-11 11:33 PM
In response to the_rock
Jump to solution

So your challenge is actually that SmartEvent isn't yet capable of working with hit counts.
This doesn't relate to Geo locations specifically. Now I get it.

I suggest the following workaround:

  1. Create a preordered access control layer and name it 'Geo' or similar (implicit accept action)
  2. Within that new 'Geo' layer, delete the last drop rule and create accept rules for each country or region
  3. Show the hit count column in your 'Geo' policy layer
  4. Install Policy
  5. Update the IPtoCountry database on your SmartCenter
  6. Verify that more and more country rules show a raising hit count
  7. Export your Security Policy to Excel
  8. Use Excel to create any diagrams you wish based on hit count data

I'd create a video for this, but I don't get any hit count data in demo mode and Check Point never sent me an appliance to play with and develop these tools at home.

0 Kudos
the_rock
Legend
Legend
‎2021-11-12 04:56 AM
In response to Danny
Jump to solution

Thanks Danny. I actually did do something similar while ago, but its surprising to me that report does not give that sort of ability. So, yes, hits number shows probably correct value, but its not very useful if you cannot break it down by country and filter for specific amount of time. So say if customer is blocking 30 countries and hits shows 120 million hits in the rule since the beginning...well, thats great, BUT, how do you know how many hits "belong" to each source country that is being blocked? So, you are probably correct after all, its most likely that CP smart even does not have that ability...cant think of any other reason really.

0 Kudos
Danny
Champion Champion
Champion
‎2021-11-12 05:01 AM
In response to the_rock
Jump to solution

You can easily break down the hits by country if you create a preordered Geo layer that has an accept rule for each country. Even more Check Point logs first hit and last hit events that allows you to create more advanced diagrams in Excel related to rule hit events.

Again, this is something meant to work in the future > first you need to have such a preordered Geo layer in place, then it creates hits for each country, then you can export these values and only then you can create reports/diagrams in Excel.

0 Kudos
the_rock
Legend
Legend
‎2021-11-12 05:07 AM
In response to Danny
Jump to solution

Thanks everyone for your inputs, appreciated.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events