This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Ants
Contributor
‎2018-07-25 12:38 AM

R80.10 Smartview Reports not showing allowed traffic

Hi All,

R80.10 Openserver - Mngmt running Log Server/Smartevent also
Having an issue with running reports atm..

Using Filter - 'service=ssh'

Withing Smartview logs I can see logs all fine.. accept/drop etc etc
But when running a report however it doesn’t show 'ssh' packets accepted/allowed.. but shows only ssh dropped packets.
It appears I cannot get a report on packets that are allowed/accepted etc..
In my normal logs I can see them.. but in the report.. it shows nothing for accept/allow. I have only one filter (service = ssh) defined and nothing being inherited also that I can see that will exclude accept/allowed from being omitted.

Running the pre-defined report - Network Activity - Access control.

In my SmartEvent policy config I have ‘Firewall Session’ checked under 'Event Policy -> Consolidation Sessions'

Any ideas?
thanks in adv

Labels
4 Replies
Timothy_Hall
Legend Legend
Legend
‎2018-07-25 05:18 AM

There are two different services representing SSH (i.e. ssh, ssh_version_2), try matching against port 22 in your report filter.

--
Second Edition of my "Max Power" Firewall Book
Now Available at http://www.maxpowerfirewalls.com

.

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com
0 Kudos
Ants
Contributor
‎2018-07-25 07:05 AM
In response to Timothy_Hall

Thanks.. but not that.

it shows the correct service.. but it only shows blocked traffic for that service.. not allowed traffic.. so it is as if somewhere there is a filter hard coded that excludes services for allow/accept.. yet the filters are only for ssh.. nothing else.

thanks

0 Kudos
PhoneBoy
Admin
Admin
‎2018-07-25 09:16 AM

I'm guessing SSH is being treated as a "connection" and not a "session."

As such, this thread is likely relevant: https://community.checkpoint.com/message/14475-re-creating-reports-with-tracking-per-connection 

0 Kudos
Ants
Contributor
‎2018-07-27 01:27 AM
In response to PhoneBoy

Issue resolved - it appears to have been related to the correlation unit not able to talk to the log server (all on one box and was a separate issue being investigated)

we have a log aggregator puling logs using lea cleartext on custom port 18185 and sending it to arcsight SIEM.

And then Correlation unit was not able to connect on 18184 using ssl.

so after changing lea to auth port 18184, reinstalling the database then evstop/evstart it was able to connect which fixed 2 issues for me.. so now I can see accept/allowed traffic in reports.. both lea clear text and ssl is working which is a bonus also.

Was weird that it was showing blocked/drop traffic but not allow/accept when the correlation unit cannot connect.. 

anyways.. all good. thanks

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events