Here are some of the questions asked during the Q&A that we did not get to in the session.

Note that many similar questions were summarized.

Additional Q&A will be posted over the coming days.

Is the SmartEvent "Policy" still valid/needed ?  Up till R77.30 we could select what events should be taken in consideration.  To my surprise, in R80.10, it looks like most selectable types are deselected "out-of-the-box".  So, should we add types ?  Or is the policy ignored, in R80.10 ?

Yes, the Event Policy is still used and you may select those predefined events if you wish to look for them in your environment.

How can I use SmartEvent to correlate windows logs and take action and alert?

First, the Windows logs must be imported into SmartEvent, using the WinEventToCPLog tool.

Once you've done that, you can create events based on them.

In the SmartEvent client, go to Actions > New Custom Event

As you step through the Wizard, one of the Product options is Windows OS.

The options you can create events on are below.

What is the different between logs directly go to Solr DB and Correlation Unit?

It boils down to the level of classification that is required for a given log entry. 

Basic firewall/access control logs require correlating multiple log entries to be classified as an event.

Logs that go through other blades are generally already classified and can go directly to the Solr DB. 

Is the Solr DB accessible for external API calls? If so where is the documentation for that?

Not currently, but it's something we can look at for a future release.

Will/can non-admins be able to create a customized query/report?

Yes, this is already possible.

My organization is still in R80 rollout phase, we have Management server at R80.10 along with around 10% of the security gateway. Log server and bulk of the appliances are still at R77.30. Do we need to have everything at R80.10 to get the full benefits of SmartEvent?

Yes, you can leverage the full benefit on SmartEvent. Your gateways do not have to be at R80.10.

Can SmartEvent produce reports on Rule Use within a Gateway Policy?

Yes, this was covered in a previous CheckMates thread: R80 SmartReporter : how to do a report "rule base analysis"? is it possible ? 

Can we use SmartEvent to analyse logs from 3rd party vendors (FW/Routers/Switches etc.)?

While not it's primary purpose, SmartEvent does support logs from other vendors.

You can see a complete list when you create a new custom event as described above.

Is SmartEvent an additional purchase/license?

It depends on what appliances or licenses you have. Please check with your Check Point account team or partner.

I notice within my views that some of the numbers don't line up. seem low in counts. Example is "general overview" on firewall Blade. With a 7day filter it says 355K for log value. I know that I have millions of entries daily. Is there some limitations in the background collection?

Note that many log entries are summarized into sessions by default, which may account for this difference. 

Up to R77.30, customer needed separate license for SmartEvent and SmartReporter. Is it the same in R80+?

SmartReporter was deprecated in R80 and above. All reporting capabilities should now be done with SmartEvent. 

Can custom views or widgets be exported as a template?

In the view you have created, click on Options and select Export Template.

Can your presented views afterwards be distributed on the community to import on own environments?

As noted during the presentation, the view shown in the presentation is undergoing additional testing now.

It will be provided on CheckMates at a later date. 

Thanks for the great session.     I wanted to repeat (ditto) the topic about "best practices" guide.

Thanks for the posted Q&A.     I posed a question that was missed:

The new HTML5 web interface is FANTASTIC.   Great work to CP engineers on this. 

Do you see the thick client Analyzer.exe being deprecated?

Along this same line of reasoning, with the great HTML results on display in Smartview, do you foresee any other portions of Console thick client becoming exclusively web-based?    

I suggest there may be a huge audience to support this move.

thanks -GA

We probably should have similar thread to top 3 CLI commands with Smart Event; your TOP Smart Event queries. 

More of the Q&A.

You guys had a LOT of questions

For SmartEvent to know if i opened the mail / access the link on the mail do i need the EPM clients ?

Not necessarily, as the other software blades can see the activity. 

If you do use our Endpoint solutions (e.g. SandBlast Agent), that activity can also be correlated with the Network-based solutions.

To get the users receive malicious mail logs, do I have to relay email via the firewall and enable MTA?

When used in MTA mode, Threat Emulation and Extraction can prevent end users from receiving the malicious mail in the first place.

When MTA is not in use, it is still be possible to see (and report on) the malicious activity in email.

Is it possible to use this based on domain and then set viewers (users) to see only the events/reports for their domain?

Generally speaking, yes, though there are a few limitations, as discussed here: SmartEvent in mixed multi domain environment 

Is all this only available on 80.10? Or this GUI can be populated with 77.30 version?

What we're showing here is on R80.10 Management.

While we strongly recommend upgrading your management to R80.10 to leverage the full benefits, you can integrate R80.10 SmartEvent with R77.30 Management. 

Refer to: How to configure an R80/R80.10 SmartEvent Server with an R77.x Security Management 

Hi, will be (already is?) possible to use the objects in the SmartView to filter the reports, views....?

SmartView won't necessarily auto-complete the object names like SmartConsole will in search queries, but yes, you can use object names.

If we don't use AD integration, will SmartEvent show 82 hosts received malicious mail?

Identity Awareness will provide more context if it is used.

Even without this, it's possible to count (by number of IPs) the number of infected hosts.

What would cause an external public IP address, not owned by us to show up in our dashboard as an infected host with bots?

It could point to a misconfiguration or a possible asymmetric traffic condition. 

Recommend engaging with the TAC for further troubleshooting: Contact Support | Check Point Software 

Can we resize the height & width of a custom widget?

All widgets are resizable. 

We have issue with Auto-Update feature for SmartEvent views, every time we need to manually refresh to reflect the latest statistics. Is there any solution?

It's a known limitation that we plan to address in later releases.

Is there an auto-rotate feature between different views?

Not currently.

Can we send mobile device security logs to SmartEvent? or only gateway logs?

SandBlast Mobile logs can be sent to SmartEvent using syslog.

Further integration is planned in later releases.

Please show how alarming to cellular phone is configured

While not an officially supported function, a fellow CheckMates member has figured out how to do this.

Refer to: iPhone Real-time Push notification on SmartEvent‌

Have any performance/sizing tests been done to help understand scalability and platform requirements?

Yes, and tests are ongoing in this area to ensure our recommendations will provide optimal experience.

We also plan to do a TechTalk on this exact topic at a later date. 

It is best practice for SmartEvent to be on the same system as the Security Management or in a separate machine?

For smaller environments (with a few gateways), it is fine for SmartEvent and Security Management to be on the same system, provided it meets the minimum hardware requirements.

For medium to larger environments, these should be separated.

For multi-domain environments, SmartEvent needs to be on a dedicated appliance.

Is it possible to exclude some networks from all reports and views in general? Or do I have to define a filter for every report and view?

In R77.30 and earlier, if you don't want events to be correlated for specific hosts (and thus not show in reports or views), you can exclude them in the Event Policy.

In R80.x, you will have to define a filter for every report and view as Global Exclusions only apply to traffic processed by the Correlation Unit (CU) and R80.x only uses CUs for firewall logs.

Do we have predefined template's apart from customization?

When you click on the +, you can see a number of pre-defined views and reports.

You can open one of these or clone it to customize as desired.

More Q&A is coming, stay tuned!

More Q&A (corrected a few of the answers, also):

I have a problem with my 1400 in SmartEvent. When I query for drops, I do not see the drops from them (R80.10 Management, 1400 with R77.20). Is this problem known?

Firewall Session correlation needs to be enabled in the SmartEvent Policy.

In which cases is Correlation Unit needed or recommended?

In R80+, it is only needed when you want Firewall (not other blade) logs to be correlated for the sake of reporting as well as creating correlated events such as “port scanning” “simultaneous login”, etc.

Are the custom views/reports available to all local users or are they pinned to the user who created them?

Currently they are specific to the user who created them. We do plan to add a feature that will allow sharing reports/views with all administrators.

Can you import a report into R80.10 SmartEvent that was exported from SmartEvent NGSE?

Provided the report is exported from latest NGSE 005 and above, it should be possible. 

Is there a SK teaching how to create a template for the reports? For example to create a report in another language.

Not that I'm aware of. 

However, we already have localized all the predefined reports to many languages.

To create a localized version of your report, just change your locale, and edit the report.
All changes will be saved to the localized version.

Is it possible to export to HTML format ?

Not currently.

Can you consider to allow to enter a comment for a scheduling? Because if you want one report to be sent multiple times with different filters, you cannot tell them apart in the "Scheduled" List view.

This feature has already been added to recent R80.10 Jumbo Hotfix. 

Regarding scheduled reports, have we fixed the reporting for monthly reports, to be able to run a report on the 1st of the month, for last month? In the past we weren't able to do that AFAIK.

You should be able to set the report to "Last Month."

If you're still having issues, please check with the TAC.

More Q & A:

Is there any way to create a repository for smartview reports to share between colleagues? (outside of exporting and importing reports through the smart console)

Currently not. We are working on a new feature to allow sharing views and reports between ALL colleagues. This would also share the generated PDFs of these shared reports between all admins.

Can I control access / data range based on site or department per users?

We have a customer HotFix which allows to limit certain views/reports to specific users based on AD groups.
It is also possible to block the catalog, edit mode, and add a predefined filters for these users.

Please contact me through email if you want to get this HotFix.

Can I narrow down a rule that is open too wide (e.g. rule 10.x/8 to the internet to 10.10.10.0/24 to on https)?

You can do it manually. Open the logs lower panel below the rulebase and select the specific rule.

Filter out the subnets and services you see until there are no logs - "NOT src:10.15.0.0/16 NOT src:10.26.0.0/16 NOT service:https". These are the actual services and subnets that are in use.

Is there any widgets with the status of the S2S VPN?

Currently not.

Is it possible to customize the title page of a SmartEvent report e.g. to add a customer logo?

Yes, it is possible. To change the title, just edit the report, click the title to edit, and change it.

To add a company logo, check out the SmartEvent admin guide - Views and Reports 

Where views/reports queries are stored? Would they be lost after upgrading SmartConsole?

Views and Reports settings are stored on the server, and thus will survive upgrade of both SmartConsole and the server itself.

What is the danger of adding custom views right now, in R80.10, to interfere (negatively) in later upgrades?

No danger at all. This is the main functionality of SmartView, and you are encouraged to create new views and reports.

For someone used to SmartReporter in R77, are there any plans to have those Predefined reports be moved into R80.10?

good one!