Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Steven_Lucas
Participant
Jump to solution

Searching For Access Logs With Updatable Objects as the source or destination

Been using a lot of updatable objects, and they work great, but how does one identify these objects in SmartLog queries?

I've been trying a few "Other Fields" like src_uo_name and trying Geo-Location Objects like "Netherlands". These objects have been added and utilized in rules with hits, so I know they are working and imported. I can typically get what I need out of tracking the rule uids, but for ease of use, it'd be nice to know if these can be explicitly queried. 

1 Solution

Accepted Solutions
PhoneBoy
Admin
Admin

Geographies are resolved on the management, albeit using a different mechanism than the Updatable Objects mechanism.
This can create some issues when you're looking at your logs and you see things that look like they should have been blocked.
Refer to: https://community.checkpoint.com/t5/General-Topics/Updatable-objects-with-geo-policy/m-p/97434#M191...
On the management, you need to periodically update the mappings using something like: https://community.checkpoint.com/t5/API-CLI-Discussion-and-Samples/One-liner-to-update-IpToCountry-... 

 

View solution in original post

3 Replies
PhoneBoy
Admin
Admin

Given these are resolved on the gateway, not on the management, I don’t believe you can query based on it.
Further, a given IP could easily be associated with a number of Updatable Objects.

Steven_Lucas
Participant

This makes sense. It does seem as though that the gateway is sending some of that information over in the log. I noticed that when querying "Netherlands" for example, it did return log entries for traffic to IPs belonging to the updateable Geo-Location object. The log entry did reference it as an updatable object, so it is somewhat part of the log.

I can definitely see how the logging server wouldn't know what the gateway is currently using for that object at the present moment, given its nature. 

 

PhoneBoy
Admin
Admin

Geographies are resolved on the management, albeit using a different mechanism than the Updatable Objects mechanism.
This can create some issues when you're looking at your logs and you see things that look like they should have been blocked.
Refer to: https://community.checkpoint.com/t5/General-Topics/Updatable-objects-with-geo-policy/m-p/97434#M191...
On the management, you need to periodically update the mappings using something like: https://community.checkpoint.com/t5/API-CLI-Discussion-and-Samples/One-liner-to-update-IpToCountry-... 

 

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events