Customer upgraded from R77.30 to R80. Previously, when they added a Global Exclusion in SmartEvent > Policy > Event Policy > Global Exclusions, they got asked if they wanted to run this exception on all previous events as well. From then on, no events matching those criteria showed up in SmartEvent. After the upgrade, no asking or notification is done. They confirmed that events show up in SmartEvent but mentioned that a custom script that is supposed to email alerts when traffic is detected instead of prevented doesn't appear to get engaged by the excluded traffic. Likewise, we're confirming that when reports are generated, they don't include any traffic from the exclusions either.
So my question is, did global exclusion in R80 SmartEvent change? Do we still see exclusion traffic in SmartEvent but not past this? Do alerts/reports/etc not "see" the exclusion traffic?
Little extra: I noticed that when we filter for "today's" events, we see what looks like 24 hours' worth of events. Does "today" filter by the date or 24 hours within that day and the wording "today" is a little inaccurate?
Global exclusion is still working in R80, but like in R77, global exclusion is only for events that were created by the correlation unit and defined in the SmartEvent policy.
R80 SmartEvent introduces a new log and event engine, and while R77.30 SmartEvent shows only events that were created by the correlation unit, R80 SmartEvent shows logs and events.
While this change makes SmartEvent easier to use and more powerful, and gives new abilities to the system administrator, it also introduces some limitations, like the limitation you describe that a user can't define a global exclusion on logs. We are familiar with these limitations and are working hard to provide a solution for R80.10.
Regarding the 'Today' time frame: it should show you logs from 00:00:00 of the same day. If you see logs from before 00:00:00, it is a bug, and I suggest you contact Nir Barel from R&D to investigate it.
Shahaf