If you use SK25941 to configure your SMTP email notification from Check Point, you may run into some issues. The internal_sendmail command is a slimmed down version of sendmail and it has one major flaw: it doesn't allow you to configure the --domain setting. This results in the management server telling the SMTP relay that its name is 'unknown.org'. If you are using a relay service, that is unacceptable.
If you can't use the internal_sendmail command, how do you get your emails delivered? You use a User Defined script. As you know from the SK mentioned above, you configure the internal_sendmail in Global Properties/Log and Alert/Alerts page by checking the 'Run mail alert script' and provide the command line. You configure a user defined script on the same page (in fact, you can configure 3 different user defined scripts). But how do you configure it to get it to send all of your emails?
First, you need a script. This can be a simple bash script (more on this later) that will parse the log lines and send the message. To configure it, you will need to check the box for 'Run UserDefined script' and then provide a path to the script on your Management server (/Scripts/sendCPMail.sh). Next, you will need to change the dropdown under System Alerts. The 'Set the default track option for this type of alert' dropdown needs to be changed to 'User Defined Alert no. 1'. And finally, the most critical step (as it wouldn't work for me until I did this) is to uncheck the box for 'Run mail alert script'.
Back to that script. I did some searching and I found a few things here on CheckMate, including a basic script, but the specific instructions above were not spelled out very well, and when I called support they kept pushing me to use internal_sendmail. We are moving to an SMTP relay service in the very near future, so internal_sendmail was not going to work for me much longer. I needed the ability to tell the SMTP relay a valid DNS name for my management server so that it would accept emails from me. As I mentioned, I did find a sample script (thank you Eli_Faskha) that I was initially using. But as it was originally configured, it only resulted in a decent subject line for some of the notifications. I have learned a little sed and extended the base script to provide a more useful subject line. Here is my modified version of the script:
#!/bin/bash
# Check Point hands the alert log line to the script on stdin
read -r input
# split the semicolon-delimited log line into one field per line
echo "$input" | sed 's/;/\n/g' >mail.txt
origin="$(sed -n '/Origin:/p' mail.txt)"
product="$(sed -n '/ProductName:/p' mail.txt)"
subject="$(sed -n -e '/cluster_info/p' -e '/System Alert/p' mail.txt)"
# rebuild the file as a mail message: headers, blank line, then the fields
echo "TO: Security<security@yourdomain.com>" >mail.txt
echo "Subject: CheckPoint - $origin - $product - $subject" >>mail.txt
echo "" >>mail.txt
echo "$input" | sed 's/;/\n/g' >>mail.txt
/usr/sbin/sendmail --host=smarthost.yourdomain.com --domain=cpmgmt.yourdomain.com -f cpmgmt@yourdomain.com <mail.txt
I hope somebody finds it helpful to have all of these pieces together in one place. If I have missed an existing article or post that already does this, I wish I had found it, because this has been bothering me for way too long.
As for the additional two UserDefined scripts, you could probably write more specific scripts and select them for specific thresholds in SmartView Monitor.
Thanks,
Charles
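The following is an added example, not Charles's script and not Check Point code, showing the same idea in a slightly more defensive form: the alert line is read with quoting intact (so glob characters or spaces in a log field cannot be expanded or split by the shell), the "Key: value" fields are extracted by key instead of copied as whole lines, non-printable characters are stripped before the values are placed in mail headers, and the message is staged in a mktemp file rather than a fixed mail.txt in the working directory. The "Key: value" layout separated by ';' is an assumption drawn from the sed commands in the post; the sample line, the addresses and the sendmail --host/--domain options are placeholders, not values from any real deployment.

```shell
#!/bin/bash
# Added example (not the original poster's script). Field layout assumed:
# "Key: value" pairs separated by ';' on a single line delivered on stdin.

# Print the value of one "Key: value" field ($2) from the alert line ($1).
field() {
    printf '%s\n' "$1" | tr ';' '\n' \
        | sed -n "s/^[[:space:]]*$2:[[:space:]]*//p" | head -n 1
}

# Drop anything that is not printable ASCII so a log field cannot carry
# control characters into the header block.
clean() {
    printf '%s' "$1" | tr -cd '[:print:]'
}

# Compose the full message: headers, blank line, then one field per line.
build_mail() {
    local line="$1"
    local origin product subject
    origin="$(clean "$(field "$line" Origin)")"
    product="$(clean "$(field "$line" ProductName)")"
    subject="$(clean "$(field "$line" 'System Alert')")"
    # fall back to the cluster_info field, as the post's script does
    [ -n "$subject" ] || subject="$(clean "$(printf '%s\n' "$line" | tr ';' '\n' | grep cluster_info | head -n 1)")"
    [ -n "$subject" ] || subject="alert"
    printf 'TO: Security<security@yourdomain.com>\n'
    printf 'Subject: CheckPoint - %s - %s - %s\n' "$origin" "$product" "$subject"
    printf '\n'
    printf '%s\n' "$line" | tr ';' '\n'
}

# Return only the Subject header, useful for checking the parser.
subject_line() {
    build_mail "$1" | sed -n '2p'
}

# Constructed sample alert line (placeholder values, not a real log entry).
SAMPLE='Origin: cpmgmt;ProductName: System Monitor;System Alert: CPU usage above threshold;Value: 95'

# Entry point for the deployed script: read the line Check Point sends on
# stdin and hand the staged message to sendmail. Not invoked automatically
# here; append 'main' at the bottom when installing it as the user-defined script.
main() {
    local tmp input
    tmp="$(mktemp)" || exit 1
    read -r input
    build_mail "$input" > "$tmp"
    /usr/sbin/sendmail --host=smarthost.yourdomain.com --domain=cpmgmt.yourdomain.com \
        -f cpmgmt@yourdomain.com < "$tmp"
    rm -f "$tmp"
}
```

Running `printf '%s\n' "$SAMPLE" | build_mail "$(cat)"` prints the headers and the field list; for the sample line the subject comes out as "Subject: CheckPoint - cpmgmt - System Monitor - CPU usage above threshold", with only the values rather than the whole "Origin: ..." lines the original sed -n '/.../p' approach copies in.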