This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
FirewallGyaan
Contributor
‎2022-08-31 12:26 PM

How to Find Who have created SAM rules.

Basically I like to see where details on SAM rule for user/admin who created SAM rules are stored (Not the IPs which are blocked)

I have tried to see Audit Logs, Log, Messaged Files from GW and SMS but no luck. And SAM.DAT fire is Binary file .

 

0 Kudos
6 Replies
the_rock
MVP Platinum
MVP Platinum
‎2022-08-31 12:29 PM

I think audit log should show you that if you search for time frame and rule name.

Best,
Andy
0 Kudos
FirewallGyaan
Contributor
‎2022-08-31 12:45 PM
In response to the_rock

I did tried to add multiple Selection on Audit logs as you mentioned but no details found . I just tried to reproduce issue in my lab and same no details present anywhere. Please see attachment for Selection criteria.

 

Preview file
83 KB
0 Kudos
FirewallGyaan
Contributor
‎2022-08-31 01:06 PM
In response to FirewallGyaan

Incase to see issue in detail Please see video : 

https://youtu.be/H4fzfgwFFDQ

0 Kudos
G_W_Albrecht
MVP Silver
MVP Silver
‎2022-09-01 02:22 AM
In response to FirewallGyaan

According to sk112061: How to create and view Suspicious Activity Monitoring (SAM) Rules, this is only possible if:

- SAM CLI is used

- fw sam is used with option

-e <key=val>+

Specifies rule information based on the keys and the provided values.
Multiple keys are separated by the plus sign (+).
Available keys are:

  • name - security rule name (limited to 100 characters)
  • comment - security rule comment (limited to 100 characters)
  • originator - security rule originator's username (limited to 100 characters)

so the originator is included

---> So what you want can be achieved if SAM rules are only created by CLI scripts embedding the originator

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
FirewallGyaan
Contributor
‎2022-09-01 01:36 AM
In response to FirewallGyaan

@PhoneBoy any suggestions here ?

0 Kudos
PhoneBoy
Admin
Admin
‎2022-09-01 08:56 AM
In response to FirewallGyaan

If the commands were set using fw sam on the CLI within the standard clish shell, you'll see evidence of this in /var/log/messages like so:

Sep  1 13:26:13 2022 R8120EA clish[30380]: cmd by admin: Start executing : fw sam ... (cmd md5: 70c66e959afe845950934f11615fff55)
Sep  1 13:26:13 2022 R8120EA clish[30380]: cmd by admin: Processing : fw sam -D (cmd md5: 70c66e959afe845950934f11615fff55)

If it was done in SmartConsole, you might find evidence in the Audit logs in SmartConsole (haven't checked).
If it was done via expert mode, unless you've taken steps to explicitly log commands entered there, or you did something like @G_W_Albrecht pointed you to, that information is not logged anywhere, at least as far as I know.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events