Hi,
I am discovering SmartViews on a SmartEvent server in version R80.30.
I have made a Dashboard with some interesting graphs and it works well. I filter the last 7 days of logs, coming from 2 members of a cluster (Origin), where the action is Drop. Perfect.
I want to add another filter using a rule to get only matching traffic from a rule.
If I add the filter Rule equals 30 I have no data found. And it is the same if I add rule:30 in the top search bar.
If I search the exact same query in SmartConsole I can use rule:30 to filter, but I cannot graph or export the results.
Would you have an idea if I am missing something or if there is a bug?
Thanks
Raphaël
We had issues with the rule field in SmartView. If this is the same issue the latest JHF should fix that for you.
Tell me if this solves it.
Amir
Hi,
On the event server we have installed the latest JHF available for R80.30. Management is on the same version.
Check_Point_R80_30_JUMBO_HF_Bundle_T155_sk153152_Security_Management_3_10_FULL.tgz released on February 20th
I have no other hotfix installable nor minor version.
The only package available is the latest SmartConsole jumbo HF B76.
Thanks
Raphaël
I tried it, it works for me.
Maybe try a different rule number to see if it returns data from other rules.
Some rules only create connection logs and those aren't indexed to SME so you won't see them even if you have data for them (you can filter on connections log in the logs view, try to see if you have matches for "rule:30 AND type:"Session" ").
You can also try and filter with rule name, maybe you'll have more luck with that. I also recommend the "custom" filter.
Amir
Hi,
Still no luck with rule and session, another rule does not produce any result, the problem is still present.
I already tried with rule name with same result.
Thanks, I'll wait for the next Jumbo hotfix.
Raphaël
Hi,
As Amir said, it should work without installing any other HF.
I suggest you open the general overview and drill down to firewall logs; it will be opened in a new logs window.
Add the "access rule number" to the columns and see what rule numbers exist in those logs.
Take one of them and try to apply it on the filter and see the results.
Hi,
Thanks for the reply.
So I followed your steps and in SmartView, in the logs, I see the logs that interest me with the filter:
(origin:FW1 OR origin:FW2) and rule:15 and action:Drop
When I make a View with the same info, I have no result as soon as I add the rule filter.
Raphaël
Thank you Raphael,
According to your description, I think your case might fall into a known issue (that is currently under investigation).
The issue is that logs that matched on an inline layer are indexed without the rule number.
Either way, I suggest you open a support case with Check Point.
Thanks.