This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
israelsc
Contributor
Contributor
‎2021-10-08 04:45 PM
Jump to solution

SmartView Web - IPS Report for a SMB Gateway

Hello Check Point Community!

I am working on a project with a customer that has a SMB firewall model 1570, we recently activated the IPS blade on the Gateway in detect mode.
We created a specific profile for this new Gateway where the idea of the profile is to be registering the most used IPS signatures to activate Prevent mode in IPS.

We want to make weekly reports to find some pattern and on these results, activate a customized IPS profile for the firewall.
I found that IPS reports can be made from SmartView Web, however, this report shows information of all the managed computers in the console.

Do you have any idea how to filter this report and only show me the IPS information of a single Gateway?
Do you have any template or steps you can share with me?

I hope I have explained, if you have any questions, please let me know.

Greetings to all!

 

0 Kudos
1 Solution

Accepted Solutions
Timothy_Hall
Legend Legend
Legend
‎2021-10-12 06:47 AM
In response to PhoneBoy
Jump to solution

Can confirm this report filtering also works on R80.40, here is an excerpt from my new IPS/AV/ABOT Immersion video class that shows how to filter out any Threat Prevention blades not currently in use on the firewall to reduce unnecessary clutter in SmartEvent reports; not precisely the same as setting the origin but the procedure is exactly the same:

IPS/AV/ABOT ImmersionIPS/AV/ABOT ImmersionIPS/AV/ABOT ImmersionIPS/AV/ABOT Immersion

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com

View solution in original post

0 Kudos
5 Replies
PhoneBoy
Admin
Admin
‎2021-10-08 05:48 PM
Jump to solution

You have to clone the report, then you can set a filter where it shows only the events from the specific gateway (specifically the origin field).

0 Kudos
israelsc
Contributor
Contributor
‎2021-10-11 08:05 AM
In response to PhoneBoy
Jump to solution

Hello, 

I was clone IPS report, but when I put the filter "origin:<Gateway>", the report doesn't show results.

Is this query placed in the top search bar or do I have to modify any section of the reports?

Greetings

0 Kudos
PhoneBoy
Admin
Admin
‎2021-10-11 11:36 AM
In response to israelsc
Jump to solution

Seems to be working for me (Options > Report Filter).
I think the order of the filter matters since it didn't seem to work when the first item in the list was "Origin".
When I made it the last filter, the report returned the expected results.
This was on R81.

Screen Shot 2021-10-11 at 11.33.40 AM.png

0 Kudos
Timothy_Hall
Legend Legend
Legend
‎2021-10-12 06:47 AM
In response to PhoneBoy
Jump to solution

Can confirm this report filtering also works on R80.40, here is an excerpt from my new IPS/AV/ABOT Immersion video class that shows how to filter out any Threat Prevention blades not currently in use on the firewall to reduce unnecessary clutter in SmartEvent reports; not precisely the same as setting the origin but the procedure is exactly the same:

IPS/AV/ABOT ImmersionIPS/AV/ABOT ImmersionIPS/AV/ABOT ImmersionIPS/AV/ABOT Immersion

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com
0 Kudos
israelsc
Contributor
Contributor
‎2021-10-15 08:18 AM
In response to Timothy_Hall
Jump to solution

Hello, thank you for your comments.
I worked a case with TAC because I could not see firewall logs.
Currently, I can see firewall logs and other blades logs, but I cannot see any IPS logs. (I have the blade enabled and configured a profile for that SMB Firewall).

Does the SMB model 1570 have any limitations that prevent it from generating IPS logs?

Greetings!

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events