More of the Q&A.
You guys had a LOT of questions.
For SmartEvent to know if I opened the mail / accessed the link in the mail, do I need the EPM clients?
Not necessarily, as the other software blades can see the activity.
If you do use our Endpoint solutions (e.g. SandBlast Agent), that activity can also be correlated with the Network-based solutions.
To get the users receive malicious mail logs, do I have to relay email via the firewall and enable MTA?
When used in MTA mode, Threat Emulation and Extraction can prevent end users from receiving the malicious mail in the first place.
When MTA is not in use, it is still possible to see (and report on) the malicious activity in email.
Is it possible to use this based on domain and then set viewers (users) to see only the events/reports for their domain?
Generally speaking, yes, though there are a few limitations, as discussed here: SmartEvent in mixed multi domain environment
Is all this only available on 80.10? Or this GUI can be populated with 77.30 version?
What we're showing here is on R80.10 Management.
While we strongly recommend upgrading your management to R80.10 to leverage the full benefits, you can integrate R80.10 SmartEvent with R77.30 Management.
Refer to: How to configure an R80/R80.10 SmartEvent Server with an R77.x Security Management
Hi, will it be (or is it already?) possible to use the objects in SmartView to filter the reports, views...?
SmartView won't necessarily auto-complete the object names like SmartConsole will in search queries, but yes, you can use object names.
If we don't use AD integration, will SmartEvent show 82 hosts received malicious mail?
Identity Awareness will provide more context if it is used.
Even without this, it's possible to count (by number of IPs) the number of infected hosts.
What would cause an external public IP address, not owned by us, to show up in our dashboard as an infected host with bots?
It could point to a misconfiguration or a possible asymmetric traffic condition.
We recommend engaging with the TAC for further troubleshooting: Contact Support | Check Point Software
Can we resize the height & width of a custom widget?
All widgets are resizable.
We have an issue with the Auto-Update feature for SmartEvent views: every time, we need to manually refresh to reflect the latest statistics. Is there any solution?
It's a known limitation that we plan to address in later releases.
Is there an auto-rotate feature between different views?
Not currently.
Can we send mobile device security logs to SmartEvent? Or only gateway logs?
SandBlast Mobile logs can be sent to SmartEvent using syslog.
Further integration is planned in later releases.
Please show how alarming to a cellular phone is configured.
While not an officially supported function, a fellow CheckMates member has figured out how to do this.
Refer to: iPhone Real-time Push notification on SmartEvent
Have any performance/sizing tests been done to help understand scalability and platform requirements?
Yes, and tests are ongoing in this area to ensure our recommendations will provide optimal experience.
We also plan to do a TechTalk on this exact topic at a later date.
Is it best practice for SmartEvent to be on the same system as the Security Management or on a separate machine?
For smaller environments (with a few gateways), it is fine for SmartEvent and Security Management to be on the same system, provided it meets the minimum hardware requirements.
For medium to larger environments, these should be separated.
For multi-domain environments, SmartEvent needs to be on a dedicated appliance.
Is it possible to exclude some networks from all reports and views in general? Or do I have to define a filter for every report and view?
In R77.30 and earlier, if you don't want events to be correlated for specific hosts (and thus not show in reports or views), you can exclude them in the Event Policy.
In R80.x, you will have to define a filter for every report and view, as Global Exclusions only apply to traffic processed by the Correlation Unit (CU) and R80.x only uses CUs for firewall logs.
Do we have predefined templates apart from customization?
When you click on the +, you can see a number of pre-defined views and reports.
You can open one of these or clone it to customize as desired.
More Q&A is coming, stay tuned!