This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
sajin
Contributor
‎2019-05-15 01:37 AM
Jump to solution

Smart Event not showing Accepted Log

Smart Event not showing Accepted and the Clean up rule is ANY ANY ALLOW. 

In the Event when i select the policy package in the filter, the ACCEPT logs shows 0. I changed the Log  to Detailed and Extended and after the Accept log was available but when expanding the logs again it shows only DETECT logs.

Please any one help on this issue.

1 Solution

Accepted Solutions
Dror_Aharony
Employee Alumnus
Employee Alumnus
‎2019-11-17 04:34 AM
In response to tpoole_global
Jump to solution

What Phoneboy suggested is the older but possible option to correlate FW logs into Correlated Events that the SME will show (should work).

the better R80.10 & above alternative option is to generate a 'Session' log from your FW Rulebase policy, as All Session logs are indexed & shown by the SME.

using this method, you can decide which rules specifically to log into Session logs to also get indexed & shown by the SME.

How-To: Relevant rule > Track > R-Click > More > Activate log 'per Session'.

I'd advise to disable the 1st suggested option of activating Consolidated FW Sessions, if you decide on the 2nd Rulebase 'per Session' option, as it only puts an unnecessary load on your SME server to consolidate All FW logs into correlated events.

 

 

 

 

View solution in original post

0 Kudos
11 Replies
PhoneBoy
Admin
Admin
‎2019-05-17 01:27 PM
Jump to solution

Generally firewall logs are NOT correlated by SmartEvent by default.
They must be enabled in the Event Policy.
sajin
Contributor
‎2019-05-17 01:32 PM
In response to PhoneBoy
Jump to solution

Is the above solution works for Rule Name and Rule Number Filter as am not able to filter with these two option.

PhoneBoy
Admin
Admin
‎2019-05-20 12:13 PM
In response to sajin
Jump to solution

You need to ensure Firewall Sessions are correlated (they are not by default).
Click on Logs and Monitor > New Tab > SmartEvent Settings and Policy and enable Firewall Sessions as shown.
Push the Event Policy afterwords.

Capture.PNG

abihsot__
Advisor
‎2019-11-15 07:46 AM
In response to PhoneBoy
Jump to solution

Hello,

I did it as per screenshot, however I don't see any events from firewall blade.  Am I missing something more? 

PhoneBoy
Admin
Admin
‎2019-11-15 11:47 AM
In response to abihsot__
Jump to solution

What is it that you're actually trying to get from SmartEvent related to these logs?
0 Kudos
Mark_Metry
Employee Employee
Employee
‎2021-03-03 12:35 PM
In response to PhoneBoy
Jump to solution

Does this setting have any effect if enabling in a completely R80 environment? Is it possible, in all R80 environment, to have Firewall logs with type:Control processed by SmartEvent?

0 Kudos
PhoneBoy
Admin
Admin
‎2021-03-03 02:12 PM
In response to Mark_Metry
Jump to solution

What are you hoping to get out of those logs in particular?
Yes, the only way they'd get processed by SmartEvent is if that option is enabled.

0 Kudos
Mark_Metry
Employee Employee
Employee
‎2021-03-23 06:36 AM
In response to PhoneBoy
Jump to solution

For example, I would like to trigger a correlated event when there is a cluster failover (those logs have type=control).

0 Kudos
tpoole_global
Employee
Employee
‎2019-05-20 04:20 PM
Jump to solution

SE does not correlate standard fw logs by default.
Dror_Aharony
Employee Alumnus
Employee Alumnus
‎2019-11-17 04:34 AM
In response to tpoole_global
Jump to solution

What Phoneboy suggested is the older but possible option to correlate FW logs into Correlated Events that the SME will show (should work).

the better R80.10 & above alternative option is to generate a 'Session' log from your FW Rulebase policy, as All Session logs are indexed & shown by the SME.

using this method, you can decide which rules specifically to log into Session logs to also get indexed & shown by the SME.

How-To: Relevant rule > Track > R-Click > More > Activate log 'per Session'.

I'd advise to disable the 1st suggested option of activating Consolidated FW Sessions, if you decide on the 2nd Rulebase 'per Session' option, as it only puts an unnecessary load on your SME server to consolidate All FW logs into correlated events.

 

 

 

 

0 Kudos
abihsot__
Advisor
‎2019-11-18 05:20 AM
In response to Dror_Aharony
Jump to solution

Very nice! This is exactly what I wanted. Now in SmartEvent I can see statistics of how many connections were made and how much data was transferred. Thanks!

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events