This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Paulo_Balau
Contributor
‎2021-04-13 01:43 AM

SmartEvent does not capture IPS events

Hello All...

I'm trying to set up an email alert for every IPS log with action prevent and/or severity critical.

After proper capturing I whish to block the source for, say, 8 hrs. BUT, as hard as I tried, I cannot capture severity field!

When I try to use Severity Equal to Critical it never captures the event... Tried other fields, such as attack ID or attack name and I alway got no reaction as well...

Versions I have are R80.30 for SmartConsole and SmartEvent.

So, Detailing...

Read somewhere around here I should have "Generic IPS Event" active. I set it, and I set a email reaction.

In fact, only after this ticked I started capturing events but never received an email for this "Generic IPS Event".

Geeneric.png

User defined event, "IPSActionEvent" is defined as follows and seems to work 🙂

Product I use from list is IPS Software Blade...

event1.PNG

I got emails for this "User defined Event | IPSActionEvent" BUT only when I place action equal to prevent.

Here snaphots from logs...

correlates.PNG

Seemed ok until now BUT 😞 When I try to use Severity Equal to Critical it never captures the event...

Tried other field, as attack ID or attack name and I alway got no reaction.

Event2.PNG

I wonder why?

 

Any help is welcomed

 

Best Regards,

Paulo Balau

 

 

 

0 Kudos
2 Replies
the_rock
Legend
Legend
‎2021-04-13 03:49 AM

I know this is a long shot, but I fixed similar issue before with evstop/evstart...

0 Kudos
Paulo_Balau
Contributor
‎2021-04-14 08:02 AM
In response to the_rock

Hi! Nope! We've updated 80.30 to latest buils & rebooted everything... Unfortonately I got same results.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    Virtual

    Thu 25 Apr 2024 @ 11:00 AM (SGT)

    APAC: CPX 2024 Recap

    Thu 25 Apr 2024 @ 10:00 AM (CEST)

    The Anatomy of a Cloud Hack by NotSoSecure - EMEA Session

    Thu 25 Apr 2024 @ 06:00 PM (IDT)

    The Anatomy of a Cloud Hack by NotSoSecure - America Session
    Virtual

    Tue 30 Apr 2024 @ 03:00 PM (CDT)

    EMEA: CPX 2024 Recap
    Virtual

    Wed 01 May 2024 @ 02:00 PM (EDT)

    South US: HTTPS Inspection Best Practices
    Virtual

    Thu 02 May 2024 @ 11:00 AM (SGT)

    APAC: What's new in R82
    Virtual

    Thu 25 Apr 2024 @ 11:00 AM (SGT)

    APAC: CPX 2024 Recap
    Virtual

    Tue 30 Apr 2024 @ 03:00 PM (CDT)

    EMEA: CPX 2024 Recap
    Virtual

    Wed 01 May 2024 @ 02:00 PM (EDT)

    South US: HTTPS Inspection Best Practices
    Virtual

    Thu 02 May 2024 @ 11:00 AM (SGT)

    APAC: What's new in R82
    Virtual

    Thu 02 May 2024 @ 10:00 AM (CEST)

    CheckMates Live BeLux: How Can Check Point AI Copilot Assist You?
    Virtual

    Thu 02 May 2024 @ 04:00 PM (CEST)

    CheckMates Live DACH - Keine Kompromisse - Sicheres SD-WAN
    CheckMates Events