How to track IPS (Threat Prevention) by SNMP trap
Running R80.10, how do you "track" IPS rules hit by SNMP trap to get useful (or custom) information?
For example, I would like the following information in the trap when the IPS prevent or detect something :
Severity
Confidence Level
Attack Name
Attack Information
Performance Impact
Protection Name
Protection Type
Action
But by default, there is no real valuable information in the trap in my own humble opinion.
Accepted Solutions
It seems like the issue we are facing is related to sk123240 - Email alerts are truncated and missing fields:
https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...
If you look at your logs via the CLI (e.g. fw log -n | grep IPS), you'll see what can be sent.
You may just want to verify you get the same information by capturing it with a script using a User Defined alert.
These are set in Global Properties.
You can write a script to parse the information as required and use the snmp_trap command to send it.
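As an added example (not code from this thread or from Check Point), here is a User Defined alert script of the kind described above: it reads the log record that fwd pipes to the script on stdin, pulls out the fields listed in the original question, and hands them to snmp_trap. Assumed: the record arrives as one "key: value; key: value" line in the layout fw log prints, the field names shown, and the snmp_trap argument form `snmp_trap [-c community] <host> <message>`.

```shell
#!/bin/bash
# Added example, not Check Point code. Parses an IPS log record from stdin
# and forwards selected fields as an SNMP trap.
# Assumed: one "key: value; key: value; ..." record per line, fw log field
# names as shown, and snmp_trap taking "[-c community] <host> <message>".

# Extract one "key: value" field from a semicolon-separated log record.
# Prints the value, or "n/a" when the key is absent from the record.
get_field() {
    local record=$1 key=$2 value
    value=$(printf '%s\n' "$record" | tr ';' '\n' \
            | sed -n "s/^[[:space:]]*$key:[[:space:]]*//p" | head -n 1)
    [ -n "$value" ] && printf '%s' "$value" || printf 'n/a'
}

# Build the trap message from the fields the original question asked for.
build_message() {
    local record=$1
    printf 'IPS %s: %s (%s) [severity=%s confidence=%s impact=%s type=%s] %s' \
        "$(get_field "$record" action)" \
        "$(get_field "$record" protection_name)" \
        "$(get_field "$record" attack)" \
        "$(get_field "$record" severity)" \
        "$(get_field "$record" confidence_level)" \
        "$(get_field "$record" performance_impact)" \
        "$(get_field "$record" protection_type)" \
        "$(get_field "$record" attack_info)"
}

# Constructed sample record in the fw log key/value layout (not a real log).
SAMPLE='Date: 1Jan2019; Time: 10:00:00; product: SmartDefense; attack: Sample Attack; attack_info: constructed sample record; severity: High; confidence_level: Medium; performance_impact: Low; protection_name: Sample Protection; protection_type: IPS; action: Prevent'

# When invoked as the User Defined alert: $1 is the trap destination,
# $2 the optional community string; each stdin line is one log record.
if [ -n "${1:-}" ]; then
    while IFS= read -r line; do
        snmp_trap -c "${2:-public}" "$1" "$(build_message "$line")"
    done
fi
```

Point the User Defined alert in Global Properties at this script with the trap destination as its first argument; the second, optional argument is the community string.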
Hello Dameon,
I'm not familiar with scripts. Could you share some info/doc/website to get started please?
Thanks!
The kind of scripting in question is for bash or cshell (depending on your preference).
As these are standard Unix shells that have been around for many years, there are numerous sources of information for this.
I just came to the same deduction. I was about to edit my post. Thank you, I'll be able to get something done with this.
After playing around with the "fw log" command, I discovered recently that the alert received (either by mail or by SNMP trap) for Threat Prevention Policy rules is incomplete. We are only receiving about half the log information.
And guess what? The useful information is mostly in the other half...
A service request is open in order to know how to get the full log information by alert, and we are awaiting the resolution.
In the meantime, if anyone has a solution, it would be appreciated!