Security Logs without Network Object Name

Hi All great Checkmates,

As per the image above, in the log screen, instead of displaying the object name that has been declared, it is just showing the IP addresses. I can't find any setting to change or enable this.

I am using Checkpoint 1470 with R77.20.

Accepted Solutions

You have possibly turned off name resolution (ctrl-R). Also, in the old days (haven't checked in R80), if you had a separate log server then you needed to install the database to update the object names presented in the tracker. But I believe smart log uses normal DNS instead. Check that those names resolve manually from the log server CLI.

17 Replies
Nickel

The database might not be installed on the management server and log server once the new object is created.

0 Kudos
Platinum

This is a screenshot from a locally managed appliance.

Go to Device -> DNS and enable 'Resolve Network Objects'. See if that makes any difference.

0 Kudos
Sapphire

The screenshot is from a centrally managed appliance - as it has only the tabs Home / Device / Users / Logs available, while locally managed ones also show Access Policy, Threat Prevention and VPN. Usually, this page shows no logs if there is an SMS/Logserver available. The Network Objects for the IPs have to be defined in Users & Objects and Device > Network > DNS > Resolve Network Objects enabled.

Hi Gunther,

Yes, correct, it is centrally managed.

Regarding the advised setting, I did try it, but the log still cannot view the obj name.

0 Kudos
Sapphire

And you did define the Network Objects using the correct IP? I cannot see that setting yet... Maybe you should do a reboot after changing the settings?

0 Kudos

I already defined the network Obj, but right now I'm out of office and unable to give the proof.

Unfortunately, a reboot has also been done a few times but it's still the same 😞 😞

0 Kudos

If it is centrally managed why are you looking at the logs on the device itself then? To my knowledge the object resolution is not done on the local device logs, only on the logserver.

Regards, Maarten
0 Kudos

What you are saying is correct. Actually, I got a few 1400 appliances, some running local, some running central, and the point is, all unable to show obj name. The firmware itself also has been upgraded to the latest version.

0 Kudos

So what are you actually saying? I do not think you will see resolution of objects locally on the boxes until you define these objects locally on those boxes as well.

Main question is though: why are you looking at the logs on the local devices instead of the central logs?

Why do you need to see this resolution on the local logs?

Regards, Maarten
0 Kudos

I do not think you will see resolution of objects locally on the boxes until you define these objects locally on those boxes as well.

= I did define it locally on the boxes already.

Main question is though: why are you looking at the logs on the local devices instead of the central logs?

= What do you mean by this? What I can say is that because this firewall is not managed by another management server, it's locally managed, there is no other place to see its log, right? This firewall is not using any SmartEvent server or any syslog server.

Why do you need to see this resolution on the local logs?

= It is a separate firewall, not connecting with other Smart-1 or SmartEvent.

0 Kudos
Sapphire

Sounds like a real issue to me - network objects defined locally should show in logs 😞

0 Kudos
Copper

I've been working with the locally managed SMBs for a while, but from my experience, I have never seen the source column in security logs show other than the actual IP address locally on the box.

Have you consulted with TAC about it? Maybe it's not included as a feature yet. (possible RFE...)

0 Kudos
Platinum

I share similar thoughts. The Resolve Network Objects option works only for direct DNS queries and only if the 'Allow DNS server to resolve object name' option is enabled for the object to be resolved. That is, if you configure the appliance as DNS on a host, you will be able to resolve these objects by name.

I guess this is not enabled for local logging because of performance reasons. 

I know some syslog servers can resolve IP addresses (syslog-ng for example) but never tried it. And it will require maintaining a copy of the hosts database in one more place.

0 Kudos
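
The log-side resolution idea raised in the post above (a copy of the object database kept next to the logs), as an added example that is not part of the original thread and is neither Check Point nor syslog-ng code. The object names, addresses and the key=value log layout are constructed assumptions; host objects win over network objects by longest-prefix match, and the raw IP is kept in the output.

```python
import ipaddress
import re

# Constructed copy of the object database (names/addresses are illustrative).
OBJECTS = {
    "srv-mail": "192.168.10.25",
    "net-office": "192.168.10.0/24",
    "net-internal": "192.168.0.0/16",
    "gw-external": "203.0.113.1",
}
# Constructed sample lines in a generic key=value layout, not the appliance's format.
SAMPLE_LOGS = [
    "action=accept src=192.168.10.25 dst=203.0.113.1 service=smtp",
    "action=drop src=192.168.10.77 dst=198.51.100.9 service=https",
    "action=accept src=192.168.44.3 dst=999.1.1.1 service=dns",
]
IP_FIELD = re.compile(r"\b(src|dst)=(\S+)")

def build_index(objects):
    """Parse objects into (network, name) pairs, most specific prefix first."""
    index = [(ipaddress.ip_network(v, strict=False), n) for n, v in objects.items()]
    index.sort(key=lambda item: item[0].prefixlen, reverse=True)
    return index

def resolve(ip_text, index):
    """Return the most specific object name covering an IP, or None."""
    try:
        addr = ipaddress.ip_address(ip_text)
    except ValueError:
        return None  # malformed field: leave the log line untouched
    for net, name in index:
        if addr.version == net.version and addr in net:
            return name
    return None

def annotate(line, index):
    """Append the object name to src/dst, keeping the raw IP for forensics."""
    def repl(m):
        name = resolve(m.group(2), index)
        return f"{m.group(1)}={m.group(2)}({name})" if name else m.group(0)
    return IP_FIELD.sub(repl, line)

if __name__ == "__main__":
    idx = build_index(OBJECTS)
    for entry in SAMPLE_LOGS:
        print(annotate(entry, idx))
```
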

Correct, logs do not show the object name in either locally or centrally managed SMB appliances.

I don't know if they should, but I have worked with more than 20 appliances since R77.20.10 and have never seen the names resolved.

Sapphire

I find that strange - you define network objects and servers, use them in FW rules but do not see the defined names in logs. Maybe I just remember Edge / Safe@ logs 😉

0 Kudos
Sapphire

Just a final statement: I am very glad that my SMS always shows logs of managed SMB appliances and logs from standalone SMB appliances with all names displayed.