Travis_Krings
Participant

SmartEvent report on access rule drop when using Updatable Objects for Geo Protection


I just moved my Geo Protection from the separate Geo Protect policy over to the main access policy using Updatable Objects (SK126172). In SmartEvent I have always had a daily report that included a chart showing the top countries we were blocking traffic from using Geo Protect. I filtered on the protection type of Geo Protect. Now that I am using a standard access rule with an action of drop, I can't get a report filter to show this same data in SmartEvent. We are running R80.40, and normally if I want to see network activity for the firewall blade in SmartEvent I just turn on accounting for those rules, but since this is drop it doesn't work. Am I missing something, or will I just not be able to get this data in my SmartEvent report now that I am doing Geo Protection in my access rules with Updatable Objects?

Thanks,

Travis Krings

4 Replies
PhoneBoy
Admin

Firewall logs are, by default, not indexed by SmartEvent.
This needs to be enabled to run any reports on it.
See: https://supportcenter.checkpoint.com/supportcenter/portal?action=portlets.SearchResultMainAction&eve... 

Travis_Krings
Participant

Thanks for the SK, I hadn't seen that one before. Currently, when I want to see firewall logs for certain rules in SmartEvent, I just turn on Accounting in the log column as shown in that SK, but when I tried that for the drop rule it said there is no accounting for drops, which makes sense. I might be missing something in that SK, but is there a way to get the logs from a firewall drop rule to show up in SmartEvent for each connection, or is this just not possible with SmartEvent?

PhoneBoy
Admin

You may still need to enable consolidation of firewall sessions as shown in the R77.x screenshot (it also applies to R80.x from what I understand).
I'd also set the track field to be "Per Connection" in addition to "Per Session."

Travis_Krings
Participant

Turns out all I needed to do was check the box on the rules to add "per session". I had thought for some reason it was the accounting check box that sent the logs to SmartEvent for firewall rules, but this appears to be working just fine and I'm getting my Geo Protection data again in the report. Thanks for the help!
