Create a Post
Showing results for 
Search instead for 
Did you mean: 

Identifying Activity on Checkpoint Firewall Logs

I have a question regarding the detection of activity on a Checkpoint firewall through its logs. Specifically, I'm interested in understanding how we can identify ongoing activities or anomalies through these logs.

Could anyone please share insights on the recommended search commands or techniques to effectively monitor and detect suspicious activities on a Checkpoint firewall? Additionally, what are the common indicators or patterns to look out for in these logs that might signal potential security threats?

0 Kudos
2 Replies

There's no universal answer. It all depends on your environment.

In my environment, a high-signal search would be drops from private sources to public destinations. Most of my stuff shouldn't talk out to the Internet directly. Updates are cached locally, and we use internal DNS, NTP, and so on, and we drop those services from most private sources to public. If some random source inside my environment tries to get out to the Internet via services we run internally, that's unusual. It's generally misconfiguration rather than malice, though.

In contrast, drops from random public sources to your systems are generally very low-signal. Tens of thousands of systems scan my environment every day. I want to record that a scan happened, but I don't care that much about the scan traffic which was dropped.

Similarly, geolocation drops are generally very low-signal. I couldn't possibly care less that somebody with a DPRK address tried to connect to my stuff. They wouldn't be allowed. I drop traffic from them (and about 20 other countries) without even logging it, just to reduce the log noise.

Note that traffic out to blocked countries becomes extremely high-signal. If they can't connect in, there should never be any reason for my stuff to connect out.

Champion Champion

Logs are great when you know what you are looking for (i.e. System A can't get to System B on port X), but it sounds like you are looking for an overall feel for what is going on and whether everything is "normal", or status quo.

SmartEvent (if you have it) does a very good job of this with its various views showing activity levels in your network.  As an example the "General Overview" screen shown below is pretty informative, not 100% sure if you must have SmartEvent to access this screen. 

Another one I know you don't need SmartEvent for is the "Tops" tab when looking at logs, which gives you interactive "top 10" lists of various data you can drill down into, and will visually highlight excessive amounts of any data.




Gateway Performance Optimization R81.20 Course
now available at
Upcoming Events

    CheckMates Events