This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
jberg712
Collaborator
‎2022-06-23 06:48 AM

Searching for logs by country

Hi,

I'm trying to do some queries on the traffic to outbound to other countries.  I can't seem to do a query string that would show traffic by country.  Actually what i'm trying to do is look at the traffic that's NOT in the US.  We're looking at enhancing our GeoProtect policy, but i'm not able to figure out how to do so.  

One thing i've done is turned on Debug for SmartLog and I can see all the fields in the xml format and the dst_country is always coming up as "other".  Is this an issue or this something that can be fixed so this field can be used in searches?  Or is there a better way to search for traffic going to other countries and omit the ones I don't want to see?

Jonathan

0 Kudos
6 Replies
PhoneBoy
Admin
Admin
‎2022-06-23 06:55 AM

We don’t log the actual country, if I recall.
What you see in SmartView is generated from a local IP to Country mapping.

Your best bet is to create an ordered layer that will generate a log if not in the US (or whatever countries you wish to exclude).
It should be after all your other layers. 
You can then see what log entries match that rule.

0 Kudos
Tal_Paz-Fridman
Employee
Employee
‎2023-01-23 05:17 AM
In response to PhoneBoy

To add to what PhoneBoy wrote, you can create rules or Layers with Updatable Objects using relevant countries and then filter the matching rules in the Logs:

2023-01-23 15_16_09-Cloud Demo Server [ID_588387544] - SmartConsole.png

0 Kudos
jberg712
Collaborator
‎2022-06-23 07:44 AM

So then would I need to know the IP range for the US and omit that in the destination?  or rather put that and do a negate cell to omit it?

0 Kudos
the_rock
Legend
Legend
‎2023-01-23 05:41 AM
In response to jberg712

You can do what @Sorin_Gogean suggested, but also below link has the actual good example.

Cheers,

Andy

https://community.checkpoint.com/t5/Management/Filter-Logs-by-geo-location/td-p/73745

0 Kudos
Sorin_Gogean
Advisor
‎2022-06-23 07:57 AM

You can search the logs based on country like in the screenshots:

Untitled.pngUntitled.png

 

 

Si_Dunford
Explorer
‎2023-01-23 02:36 AM
In response to Sorin_Gogean

This also searches both the source and the destination fields, but there seems to be a maximum length for the country name: If I search for "United States Of America" or "United States Of" I get nothing, but using "United States" gets results.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events