Hi everyone! I hope you're feeling very well.
First, thanks for your replies. I'm new at this, I'm learning.
I have some log files I need to study to refine the firewall rules. Do you know of any software I can install on my computer where I can upload these files and look at the statistics?
The log files are a proprietary binary format that can only be read by a Check Point Management/Log Server.
If you want to view them offline, you’d basically have to set up a separate management server with those logs imported.
Thanks PhoneBoy, can you recommend me a software?
Hi
You can also connect to your Security Management Server with SmartConsole using Read Only credentials or have your administrator set up a dedicated administrator with only the relevant permissions.
Another option would be to connect to SmartView Log Browser for viewing the logs -> https://<management_server>/smartview/
HTH
Tal
Hello Tal_Peace_Fridman, thank you for responding. How could I load these logs that are no longer on the physical device so that I can view them again on the smartview web and see the statistics there? Thank you
SmartView is unable to load logs. The logs have to be on the SMS to be viewed in SmartLog (after indexing), SVTracker (with an open file... option) or elsewhere. To transfer and use the logs on the SMS, see SMB security log files that speaks about SMB logs viewed on SMS. Also read sk39573: How to read a Check Point log file in its native format and sk92920: How to open FireWall log (fw.log) from a different Security Management Server in SmartView ....
Thanks G_W_Albrecht, I'll take a look at it, if I have problems can I ask you?
You can post here...
Hi again
You can use SmartView Web Browser by connecting to the Security Management Server that holds the original files or as I wrote, connecting with Read Only SmartConsole.
This will save you the need to load the files to another machine.
Tal
Tal_Paz-Fridman thank you very much for helping me. Could you explain to me how to do these two options or provide me with material to study it? Again, thank you and I remain attentive.
In SmartConsole go to Manage & Settings > Permissions and Administrators > Administrators
Define a new Administrator and use the Read Only All Permission Profile
Now when you log in using the new Administrator to the Security Management Server you can view the Rules and Logs but without having the option to change anything, just to analyze the logs and rules.
Or, after defining the new Administrator, connect in browser to https://<SMS_IP>/smartview/ and log in there!
Hi again, thanks
Context:
I have to make a log study for the previous 3 months, but the index of the firewall administrator is 14 days, I can't access for example in the smartview to consolidated logs of the last 3 months. Do you know if the smartevent also works with this index?
How can I reconstruct a 3-month index for statistics?
I have the information but it is very fragmented in daily files and to make 90 statistics and then consolidate them would be a tedious process.
Assuming your log files for the needed time (~3 months) still exist and weren't deleted due to log storage capacity (log maintenance), then it's fairly easy.
Follow sk111766 (https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...),
and add these lines after stopping the Indexer (evstop) and configuring the no. of days you choose (-days_to_index <90> or beyond), to have it completely re-index with your chosen no. of days:
cp $INDEXERDIR/data/FetchedFiles{,.Orig}
rm -f $INDEXERDIR/data/FetchedFiles
Then start it (evstart).
Also make sure to disable/up the daily index files deletion to keep it from being deleted again.
This will cause a re-indexing of these last 3 months of logs (or as many days back as you've configured), which has a performance impact during the re-indexing process, which should take roughly several days (depending on your log rate vs. HW strength).
If you need a better estimation, you can send us your log rate (or size of log files) and HW CPU/memory details to better estimate.
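Added example, not part of the original posts and not Check Point tooling: a pre-flight check for the "log files still exist" condition in the answer above, listing every day in the re-index window that has no rotated log file. It assumes rotated logs are named YYYY-MM-DD_HHMMSS.log and live in $FWDIR/log, and that GNU date is available; the function name is hypothetical.

```shell
#!/bin/sh
# Added example: report days in the re-index window with no rotated log file,
# so gaps are known before FetchedFiles is removed and re-indexing starts.
# Assumptions: logs are named YYYY-MM-DD_HHMMSS.log; GNU date (-d) is present.

# missing_log_days DIR DAYS [END_DATE]
#   DIR       directory holding the rotated log files
#   DAYS      size of the window (e.g. 90, matching -days_to_index)
#   END_DATE  last day of the window as YYYY-MM-DD (default: today, UTC)
# Prints one YYYY-MM-DD per line for each day without a matching file.
missing_log_days() (
    log_dir=$1
    days=$2
    end=${3:-$(date -u +%F)}

    # Work in epoch seconds (UTC) so DST shifts cannot skip or repeat a day.
    base=$(date -u -d "$end" +%s) || exit 2

    i=$((days - 1))
    while [ "$i" -ge 0 ]; do
        day=$(date -u -d "@$((base - i * 86400))" +%F)
        # Expand the glob into positional parameters; if nothing matches,
        # $1 stays the literal pattern and the -e test fails.
        set -- "$log_dir/${day}_"*.log
        [ -e "$1" ] || echo "$day"
        i=$((i - 1))
    done
)

# Typical use on the log server before stopping the Indexer:
#   missing_log_days "$FWDIR/log" 90
```

An empty result means every day in the window has at least one log file; any printed date will stay missing from the statistics no matter how far back the index is configured.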
Thanks bro I done!
No problem.
Glad I could help:)