This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Aznaz_Reflectio
Contributor
‎2018-03-21 09:59 PM
Jump to solution

Security Logs without Network Object Name

Hi All great Checkmates,

As per image above, in the log screen, instead of displaying object name that has been declared, it just showing the IP adresses. I cant find any setting to change or enable this.

I am using Checkpoint 1470 with R77.20.

1 Solution

Accepted Solutions
Kaspars_Zibarts
Employee Employee
Employee
‎2018-03-21 10:10 PM
Jump to solution

You have possibly turned off name resolution (ctrl-R). Also in old days (haven't checked in R80) if you had separate log server then you needed to install database to update object names presented in the tracker. But I believe smart log uses normal DNS instead. Check that those names resolve manually from log server CLI.

View solution in original post

17 Replies
Ni_c
Contributor
‎2018-03-21 10:07 PM
Jump to solution

Database might not be installed on management sever and log server once the new object is created. 

0 Kudos
Kaspars_Zibarts
Employee Employee
Employee
‎2018-03-21 10:10 PM
Jump to solution

You have possibly turned off name resolution (ctrl-R). Also in old days (haven't checked in R80) if you had separate log server then you needed to install database to update object names presented in the tracker. But I believe smart log uses normal DNS instead. Check that those names resolve manually from log server CLI.

HristoGrigorov
Mentor
Mentor
‎2018-03-22 03:56 AM
Jump to solution

This is a screenshot from locally managed appliance. 

Go to Device -> DNS and enable 'Resolve Network Objects'. See if that makes any difference.

0 Kudos
G_W_Albrecht
Legend Legend
Legend
‎2018-03-23 12:36 AM
In response to HristoGrigorov
Jump to solution

The screenshot is from a centrally managed appliance - as it has only Tabs Home / Device / Users / Logs avalable, while locally managed also show Access Policy, Threath Prevention and VPN. Usually, this page shown no logs if there is a SMS/Logserver available. The Network Objects for the IPs have to be defined in Users & Objects and Device > Network > DNS > > Resolve Network Objects enabled.

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
Aznaz_Reflectio
Contributor
‎2018-03-23 02:44 AM
In response to G_W_Albrecht
Jump to solution

Hi Gunther,

Yes, correct, it is central managed.

Regarding the advised setting, i did try it.. but still log cannot view obj name.

0 Kudos
G_W_Albrecht
Legend Legend
Legend
‎2018-03-23 03:01 AM
In response to Aznaz_Reflectio
Jump to solution

And you did define the Network Objects using the correct IP ? I can not see that setting yet... Maybe you should do a reboot after changing the settings ?

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
Aznaz_Reflectio
Contributor
‎2018-03-24 06:04 AM
In response to G_W_Albrecht
Jump to solution

I already define the network Obj..but right now im out of office and unable to give the proof.

Unfortunately, reboot also has been done few times but its still the same Smiley Sad Smiley Sad

0 Kudos
Maarten_Sjouw
Champion
Champion
‎2018-03-23 03:15 PM
In response to Aznaz_Reflectio
Jump to solution

If it is centrally managed why are you looking at the logs on the device itself then? To my knowledge the object resolution is not done on the local device logs, only on the logserver.

Regards, Maarten
0 Kudos
Aznaz_Reflectio
Contributor
‎2018-03-24 06:08 AM
In response to Maarten_Sjouw
Jump to solution

What you are saying is correct. Actually, I got a few 1400 appliances, some running local, some running central, and the point is, all unable to show obj name. The firmware itself also has been upgraded to the latest version.

0 Kudos
Maarten_Sjouw
Champion
Champion
‎2018-03-24 06:28 AM
In response to Aznaz_Reflectio
Jump to solution

So what are you actually saying? I do not think you will see resolution of objects locally on the boxes untill you define these objects locally on those boxes as well. 

Main question is though: why are you looking at the logs on the local devices instead of the central logs?

Why do you need to see this resolution on the local logs?

Regards, Maarten
0 Kudos
Aznaz_Reflectio
Contributor
‎2018-03-24 11:50 AM
In response to Maarten_Sjouw
Jump to solution

I do not think you will see resolution of objects locally on the boxes untill you define these objects locally on those boxes as well.

= I did define it locally on the boxes already.

Main question is though: why are you looking at the logs on the local devices instead of the central logs?

= What do you mean by this? what i can say is because this firewall is not manage by other management server, its locally managed, there is no other place to see its log right..? this firewall not using any SmartEvent server or any syslog server.

Why do you need to see this resolution on the local logs?

= It is seperate firewall. not connecting with other smart-1 or smartEvent.

0 Kudos
G_W_Albrecht
Legend Legend
Legend
‎2018-03-25 11:55 PM
In response to Aznaz_Reflectio
Jump to solution

Sounds like a real issue to me - network objects defined locally should show in logs 😞

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
Tom_Hinoue
Advisor
Advisor
‎2018-03-26 07:16 AM
Jump to solution

I've been working with the locally managed SMBs' for a while, but from my experience,
I have never seen the source column in security logs show other than the actual IP address locally on the box.

Have you consult with TAC about it? Maybe its not included as a feature yet. (possible RFE...)

0 Kudos
HristoGrigorov
Mentor
Mentor
‎2018-03-26 08:00 PM
In response to Tom_Hinoue
Jump to solution

I share similar thoughts. The Resolve Network Objects option works only for direct DNS queries and only if Allow DNS server to resolve object name option is enabled for object to be resolved. That is, if you configure appliance as DNS on a host, you will be able to resolve these objects by name.

I guess this is not enabled for local logging because of performance reasons. 

I know some syslog servers can resolve IP addresses (syslog-ng for example) but never tried it. And it will require to maintain a copy of the hosts database in one more place.

0 Kudos
Pedro_Espindola
Advisor
‎2018-04-02 09:20 AM
In response to Tom_Hinoue
Jump to solution

Correct, logs do not show the object name in either locally or centrally managed SMB appliances.

I don't know if they should, but I have worked with more than 20 appliances since R77.20.10 and have never seen the names resolved.

G_W_Albrecht
Legend Legend
Legend
‎2018-03-27 01:44 AM
Jump to solution

I find that strange - you define network objects and servers, use them in FW rules but do not see the defined names in logs. Maybe i just remember Edge / Safe@ logs 😉

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
G_W_Albrecht
Legend Legend
Legend
‎2018-03-30 01:22 AM
In response to G_W_Albrecht
Jump to solution

Just a final statement: i am very glad that my SMS always shows logs of managed SMB appliances and logs from standAlone SMB appliances with all names displayed.

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events