Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
israelsc
Participant

SmartView Web - IPS Report for a SMB Gateway

Hello Check Point Community!

I am working on a project with a customer that has a SMB firewall model 1570, we recently activated the IPS blade on the Gateway in detect mode.
We created a specific profile for this new Gateway where the idea of the profile is to be registering the most used IPS signatures to activate Prevent mode in IPS.

We want to make weekly reports to find some pattern and on these results, activate a customized IPS profile for the firewall.
I found that IPS reports can be made from SmartView Web, however, this report shows information of all the managed computers in the console.

Do you have any idea how to filter this report and only show me the IPS information of a single Gateway?
Do you have any template or steps you can share with me?

I hope I have explained, if you have any questions, please let me know.

Greetings to all!

 

0 Kudos
5 Replies
PhoneBoy
Admin
Admin

You have to clone the report, then you can set a filter where it shows only the events from the specific gateway (specifically the origin field).

0 Kudos
israelsc
Participant

Hello, 

I was clone IPS report, but when I put the filter "origin:<Gateway>", the report doesn't show results.

Is this query placed in the top search bar or do I have to modify any section of the reports?

Greetings

0 Kudos
PhoneBoy
Admin
Admin

Seems to be working for me (Options > Report Filter).
I think the order of the filter matters since it didn't seem to work when the first item in the list was "Origin".
When I made it the last filter, the report returned the expected results.
This was on R81.

Screen Shot 2021-10-11 at 11.33.40 AM.png

0 Kudos
Timothy_Hall
Champion
Champion

Can confirm this report filtering also works on R80.40, here is an excerpt from my new IPS/AV/ABOT Immersion video class that shows how to filter out any Threat Prevention blades not currently in use on the firewall to reduce unnecessary clutter in SmartEvent reports; not precisely the same as setting the origin but the procedure is exactly the same:

IPS/AV/ABOT ImmersionIPS/AV/ABOT ImmersionIPS/AV/ABOT ImmersionIPS/AV/ABOT Immersion

New 2021 IPS/AV/ABOT Self-Guided Video Series
now available at http://www.maxpowerfirewalls.com
0 Kudos
israelsc
Participant

Hello, thank you for your comments.
I worked a case with TAC because I could not see firewall logs.
Currently, I can see firewall logs and other blades logs, but I cannot see any IPS logs. (I have the blade enabled and configured a profile for that SMB Firewall).

Does the SMB model 1570 have any limitations that prevent it from generating IPS logs?

Greetings!

0 Kudos