Customer upgraded from R77.30 to R80. Previously, when they add a Global Exclusion in SmartEvent > Policy > Event Policy > Global Exclusions, they get asked if they want to run this exception on all previous events as well. Afterwards, or from thereafter, no events matching that criteria show up in SmartEvent. After the upgrade, no asking or notification is done. They confirmed that events show up in SmartEvent but mentioned that a custom script that is supposed to email alerts when traffic is detected instead of prevented doesn't appear to get engaged by the excluded traffic. Likewise, we're confirming that when reports are generated, they don't include any traffic from the exclusions either.
So my question is, did global exclusion in R80 SmartEvent change? Do we still see exclusion traffic in SmartEvent but not past this? Do alerts/reports/etc not "see" the exclusion traffic?
Little extra: I noticed that when we filter for "today's" events, we see what looks like 24 hours' worth of events. Does "today" filter by the date or 24 hours within that day and the wording "today" is a little inaccurate?
Global exclusion is still working in R80, but like in R77, global exclusion is only for events that were created by the correlation unit and defined in the SmartEvent policy.
R80 SmartEvent introduces a new log and event engine, and while R77.30 SmartEvent shows only events that were created by the correlation unit, R80 SmartEvent shows logs and events.
While this change makes SmartEvent easier to use and more powerful, and gives new abilities to the system administrator, it also introduces some limitations, like the limitation you describe that a user can't define a global exclusion on logs. We are familiar with these limitations and are working hard to provide a solution for R80.10.
Regarding the 'Today' time frame: the 'Today' time frame should show you logs from 00:00:00 of the same day. If you see logs from before 00:00:00, it is a bug, and I suggest you contact Nir Barel from R&D to investigate it.
Shahaf