This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Matlu
MVP Silver
MVP Silver
‎2025-09-23 03:54 PM

Auditing changes in FW

Hello, Mates

Is it possible to “observe” all the changes made by an administrator from the CLI of a FW?

For example, if an administrator changes a route, edits an interface, adds a new interface, configures SNMPv2, configures OSPF... all this from the CLI of a FW...

Is it possible to review this activity performed by an administrator in the logs? Or is it stored somewhere else on the device?

Thanks for your comments.

0 Kudos
7 Replies
the_rock
MVP Platinum
MVP Platinum
‎2025-09-23 03:56 PM

Hey bro,

Smart console changes would be via audit logs, but something like what you described probably either smart event, or /var/log/audit dir.

Andy

Best,
Andy
0 Kudos
the_rock
MVP Platinum
MVP Platinum
‎2025-09-23 04:15 PM

On a second thought bro, I know our company uses syslog server for these things, when say someone logs into the firewall, we do get an alert about it.

Andy

Best,
Andy
0 Kudos
Chris_Atkinson
MVP Platinum CHKP MVP Platinum CHKP
MVP Platinum CHKP
‎2025-09-23 04:16 PM

1 (5).png

Otherwise you would check /var/log/messages

CCSM R77/R80/ELITE
0 Kudos
Matlu
MVP Silver
MVP Silver
‎2025-09-23 04:38 PM
In response to Chris_Atkinson

Hi, @Chris_Atkinson 

Does this configuration shown in your image also apply when changes are made via CLI on a firewall?

If a change is successful, for example when you “delete” several VLANs, should we be able to see these changes in the SmartConsole Audit Logs?

0 Kudos
the_rock
MVP Platinum
MVP Platinum
‎2025-09-23 04:44 PM
In response to Matlu

Hey brother...keep in mind, those changes will NOT show up in smart console audit logs, because thats ONLY for changes made in smart console by default. However, you can make it work the way @Chris_Atkinson posted, you just need to add mgmt server in remote system logging tab. Im sure you know that by default, fw logs will be sent to the management, but not ones you are referring to, unless you set this up first.

I had done that before in the lab and was fine.

Andy

Best,
Andy
0 Kudos
emmap
MVP Gold CHKP MVP Gold CHKP
MVP Gold CHKP
‎2025-09-23 07:08 PM
In response to Matlu

The audit logs are explicitly for any changed made by CLI on the system. So yes. We recommend you send them to syslog and then configure central syslog server to store them all in one place, so save you having to trawl the messages files on the systems and hope the entries you want haven't rotated away.

0 Kudos
Henrik_Noerr1
Advisor
‎2025-09-23 11:18 PM

You need to implement sk99134 or you will not know what your privileged users are doing

/Henrik

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events