dehaasm
Collaborator

Port scan correlated event not created by Smartevents

 

We have a SmartEvent definition which was working before but suddenly no longer detects a port scan, with the following conditions.

We launch a port scan and we see around 1000 connections being dropped in the logs, but no correlated event is generated (anymore).

smartevent.png

Should we engage with TAC or does someone have an idea how to fix this perhaps?

 

 

0 Kudos

Accepted Solutions
frankcar
Contributor

Hi, we have this working.

Did you enable host port scan in IPS as per

https://support.checkpoint.com/results/sk/sk110873

Then you need to enable SmartEvent to see the events occurring.

If you use the SAM rule, you want to do this also:

1. Connect with SmartDashboard to Security Management Server / Domain Management Server.
2. Open the relevant Security Gateway / Cluster object.
3. Expand 'Other' - go to 'SAM' pane - check the box 'Purge SAM file when it reaches:' - set the desired limit - click 'OK'.
   Note: The minimal size is 50 KB.
4. Save the changes: go to 'File' menu - click on 'Save'.
5. Install the policy onto the relevant Security Gateway / Cluster object.

 

Thanks

Frank

 


0 Kudos
dehaasm
Collaborator

Hi,

No, we don't rely on IPS to correlate this event, but it should be triggered by the amount of logs (100 within 60 seconds). I know it is another way of doing this.

0 Kudos
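The threshold described in the reply above (100 logs within 60 seconds), as an added example that is not part of the original thread and is not Check Point's correlation code: a sliding-window count over exported drop logs, for checking offline whether the logged drops actually meet that threshold. The tuple layout, function names and sample data are assumptions constructed for illustration.

```python
from collections import defaultdict, deque

THRESHOLD = 100  # logs per source (value from the thread)
WINDOW = 60      # seconds (value from the thread)


def correlate_drops(logs, threshold=THRESHOLD, window=WINDOW):
    """Return [(src, first_ts, last_ts, distinct_ports)] for every source whose
    drop logs reach `threshold` inside any `window`-second span.

    `logs` holds (epoch_seconds, src_ip, dst_port, action) tuples, a
    hypothetical layout for exported firewall logs, not a Check Point format.
    """
    recent = defaultdict(deque)  # src -> (ts, port) entries still in window
    fired = {}
    for ts, src, port, action in sorted(logs):
        if action != "drop" or src in fired:
            continue  # only drops count; report each source once
        q = recent[src]
        q.append((ts, port))
        # Evict entries that fell out of the window ending at this log.
        while ts - q[0][0] >= window:
            q.popleft()
        if len(q) >= threshold:
            fired[src] = (src, q[0][0], ts, len({p for _, p in q}))
    return list(fired.values())


def sample_logs():
    """Constructed sample data: one scanner, one slow source, accepted traffic."""
    t0 = 1_700_000_000
    # Scanner: 1000 drops in 50 s, each to a different port (20 per second).
    scan = [(t0 + i // 20, "10.1.1.50", 1 + i, "drop") for i in range(1000)]
    # Slow source: one drop every 2 s, so at most 30 inside any 60 s window.
    slow = [(t0 + 2 * i, "10.1.1.60", 443, "drop") for i in range(120)]
    # Accepted connections must never contribute to the count.
    ok = [(t0 + i // 10, "10.1.1.70", 80, "accept") for i in range(500)]
    return scan + slow + ok


if __name__ == "__main__":
    for src, first, last, ports in correlate_drops(sample_logs()):
        print(f"{src}: threshold reached after {last - first}s, {ports} ports")
```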
frankcar
Contributor

What is the name of the event you are using in SmartEvent?

I have this enabled with IPS and SmartEvent is correlating the events; it's the only way I got it to work. I think I tried to just use SmartEvent before and couldn't get it to work.

Attached is what we see from the high connection rate SmartEvent event email.

Not much help to you.

 

 

 

0 Kudos
dehaasm
Collaborator

Port scan from internal network event, and yours is the legacy IPS event, which should also work indeed.

0 Kudos
frankcar
Contributor

I'm using the high connection rate to internal host on a service event from SmartEvent.

Not using the port scan from internal network in my config.

 

 

0 Kudos
