This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Wolfgang
MVP Gold
MVP Gold
‎2021-05-28 06:17 AM
Jump to solution

search in log for "PenaltyBox" not possible

Hello CheckMates,

it's not possible to search in logs for entries blocked by PenaltyBox-feature  (fwaccel dos pbox...)

Search for "Penalty" or "DOS" brings no results. Looks like these fields are not indexed ?

Why not? Every shown field should be searchable.

Any way to find these logs without to know the source IP ?

2021-05-28 09_38_38_penaltyBox_drop.png

0 Kudos
1 Solution

Accepted Solutions
Wolfgang
MVP Gold
MVP Gold
‎2021-06-01 11:33 AM
In response to Wolfgang
Jump to solution

small update….

With R81 the comment field is searchable. Now you can search „penalty box“ and there are results shown 😀

View solution in original post

7 Replies
PhoneBoy
Admin
Admin
‎2021-05-28 08:30 AM
Jump to solution

Not every log field is indexed is for performance reasons.
That does make certain logs…harder to find.

0 Kudos
HeikoAnkenbrand
MVP Platinum
MVP Platinum
‎2021-05-28 08:49 AM
Jump to solution

Hi @Wolfgang,

Not all fields in SmartLog are displayed in the console. In sk144192  there are more log fields described that you can use.

Maybe the following fields can help:
- securexl_message

➜ CCSM Elite, CCME, CCTE ➜ www.checkpoint.tips
0 Kudos
Wolfgang
MVP Gold
MVP Gold
‎2021-05-28 12:30 PM
In response to HeikoAnkenbrand
Jump to solution

@HeikoAnkenbrand  and @PhoneBoy 

No chance at all. None of the shown fields "SecureXL Message", "comment" or "Feature Name" is available to a filter.

Same in old Logviewer.

I'm not happy that you had no chance to find an information if the PenaltyBox is detecting something 😞

Wolfgang
MVP Gold
MVP Gold
‎2021-06-01 11:33 AM
In response to Wolfgang
Jump to solution

small update….

With R81 the comment field is searchable. Now you can search „penalty box“ and there are results shown 😀

PhoneBoy
Admin
Admin
‎2021-06-01 09:22 PM
In response to Wolfgang
Jump to solution

I suspect there were some "under the hood" changes in R81 given you have to reindex all the logs when you upgrade.
Also, an interesting tidbit in the R81.10 EA release notes: The Solr functionality is replaced with a PostgreSQL database to improve the stability and performance of the Security Management Server.
Which means: more under the hood changes are coming 🙂

olliM
Explorer
‎2021-06-08 03:26 AM
Jump to solution

Hi Wolfgang,

we had the same issue with R80.x. Because there was no solution for that, i tested some filter combinations and found a workaround.

Using the following filter to display the needed infos in logs:

(type:"Alert") and not (src:"ips of your internal network" or dst:"your ips from external networks")

It may be necessery to select or edit the correct profile for displaying the field "Firewall Message" in the logging table.

Preview file
31 KB
0 Kudos
CheckPointerXL
Advisor
Advisor
‎2022-06-06 07:15 AM
In response to olliM
Jump to solution

you can try with "penalty box"

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events