Louis_Poulin
Collaborator

How to track IPS (Threat Prevention) by SNMP trap

Running R80.10, how do you "track" IPS rules hit by SNMP trap to get useful (or custom) information?

For example, I would like the following information in the trap when the IPS prevents or detects something:

Severity
Confidence Level
Attack Name
Attack Information
Performance Impact
Protection Name
Protection Type
Action

But by default, there is no real valuable information in the trap in my own humble opinion.


Accepted Solutions
Louis_Poulin
Collaborator

It seems like the issue we are facing is related to sk123240 - Email alerts are truncated and missing fields:
https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

6 Replies
PhoneBoy
Admin

If you look at your logs via the CLI (e.g. fw log -n | grep IPS), you'll see what can be sent.

You may just want to verify you get the same information by capturing it with a script using a User Defined alert.

These are set in Global Properties.

You can write a script to parse the information as required and use the snmp_trap command to send it.
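An added example (not from the original post, and not Check Point's own code) of the kind of User Defined alert script described above. It assumes the alert hands the log record to the script on stdin as one fw log-style line of "key: value;" pairs, that the field keys (severity, attack, attack_info, ...) are named as shown, and that snmp_trap takes -c for the community string; the trap receiver address is a placeholder.

```shell
#!/bin/sh
# Hypothetical User Defined alert script (added example, not Check Point's code).
# Assumption: the alert hands the log record to the script on stdin as one line of
# "key: value; key: value; ..." pairs, as printed by "fw log".
# The field names below are assumed log keys, not verified against R80.10.

TRAP_HOST="${TRAP_HOST:-192.0.2.10}"        # placeholder trap receiver
TRAP_COMMUNITY="${TRAP_COMMUNITY:-public}"   # placeholder SNMP community

# Fields the poster wants in the trap, in the order he listed them.
WANTED="severity confidence_level attack attack_info performance_impact protection_name protection_type action"

# Constructed sample record, used only for the demo run at the bottom.
SAMPLE_LOG='product: IPS; severity: High; confidence_level: High; attack: Web Server Enforcement Violation; attack_info: Directory Traversal; performance_impact: Low; protection_name: Directory Traversal; protection_type: signature; action: Prevent'

# get_field RECORD KEY -> value of "KEY: value" in the ';'-separated record, empty if absent
get_field() {
    printf '%s\n' "$1" | tr ';' '\n' \
        | sed -n "s/^[[:space:]]*$2:[[:space:]]*\(.*\)$/\1/p" | head -n 1
}

# is_ips_record RECORD -> succeeds only for Threat Prevention (product: IPS) records
is_ips_record() {
    [ "$(get_field "$1" product)" = "IPS" ]
}

# build_message RECORD -> "severity=High confidence_level=High ..." for the fields present
build_message() {
    out=""
    for key in $WANTED; do
        val=$(get_field "$1" "$key")
        [ -n "$val" ] && out="${out}${out:+ }${key}=${val}"
    done
    printf '%s' "$out"
}

# send_trap MESSAGE -> forwards one message with the snmp_trap CLI named in the thread
# (the -c community flag is assumed; check the snmp_trap usage on your gateway).
send_trap() {
    snmp_trap -c "$TRAP_COMMUNITY" "$TRAP_HOST" "$1"
}

# Configure the User Defined alert command as "/path/to/ips_trap.sh --alert";
# without the flag the script only demonstrates the parser on the sample record.
if [ "${1-}" = "--alert" ]; then
    while IFS= read -r line; do
        is_ips_record "$line" || continue
        msg=$(build_message "$line")
        [ -n "$msg" ] && send_trap "$msg"
    done
else
    printf 'demo trap message: %s\n' "$(build_message "$SAMPLE_LOG")"
fi
```

Compare the keys in WANTED against a real record from fw log first; only fields that actually appear in the log line can reach the trap.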

Louis_Poulin
Collaborator

Hello Dameon,

I'm not familiar with scripts. Could you share some info/doc/website to get started please?

Thanks!

PhoneBoy
Admin

The kind of scripting in question is for bash or cshell (depending on your preference).

As these are standard Unix shells that have been around for many years, there are numerous sources of information for this.

Louis_Poulin
Collaborator

I just came to the same deduction. I was about to edit my post :) Thank you, I'll be able to get something done with this.
Louis_Poulin
Collaborator

After playing around with the "fw log" command, I discovered recently that the alert received (either by mail or by SNMP trap) for Threat Prevention Policy rules is incomplete. We are only receiving about half the log information.

And guess what? The useful information is mostly in the other half...

A service request is open in order to know how to get the full log information by alert and we are awaiting the resolution.

In the meantime, if anyone has a solution, it would be appreciated!