Who rated this post

cancel
Showing results for 
Search instead for 
Did you mean: 
PhoneBoy
Admin
Admin

SmartEvent Best Practices Techtalk April 2023: Video, Slides, and Q&A

Q&A is listed below.
Slides are attached below the video.

Will SmartEvent in the Smart-1 cloud be covered as opposed to on prem?

This session generally applies to both.

Can SmartEvent work with syslog (e.g. system) logs from various devices?

A Check Point log server can be configured to ingest syslog, which means that SmartEvent can potentially process these logs as well. However, this will likely require parsers, which will have to be developed separately.

It is recommended to have the correlation unit on the log server if distributed. If we have to separate, what is the best process to do so?

In some high-volume environments, this may be required. Best to consult with your Check Point SE to fully understand the environment and requirements.

Customer wants to keep SE stopped for troubleshooting purpose. they run evstop but after some time this SE get started again. How can they keep SE disabled and not restarted till evstart command ran?

If you want SmartEvent disabled for longer periods of time, uncheck the relevant options in the management blade and Install Database. This shouldn’t remove any related settings. 

Can we setup multiple automatic reactions per event?

Yes

Does "block source" use the fwaccel?

The legacy SAM mechanism is used, which in current versions is SecureXL friendly.

What is the directory path of the SmartEvent database and the index files?

$INDEXERDIR (environment variable in expert mode) points to the correct locations. The method for changing the directory for these items is documented in sk66003.

I found SmartEvent - C:\Program Files (x86)\CheckPoint\SmartConsole\R81.10\PROGRAM\AnalyzerClient.exe. Is there an easier way to get to it from the SmartConsole?

When you click on Logs and Monitor in SmartConsole, you will see in the bottom left “External Apps” one of which is SmartEvent Settings and Policy.

Can Check Point supply a template of sorts for the various event policy settings that are considered "best practice" to give us a starting point to customize our configuration?

There is a “Best Practices” Compliance blade report, and you have Compliance Blade free of charge for the first year with your management server license. More reports, both for SmartEvent and Compliance blades can be found in the CheckMates Toolbox.

If I have a good SIEM solution, then do I need SmartEvent?

It depends on your precise requirements.

How to send parameters to the external script?

use custom reactions

In the SmartEvent, I can see into the logs the information of the size package, like sent and received? If yes, where could I enable this option?

That’s a function of the Access Policy configuration for the relevant rules. Rules involving App Control/URL Filtering will log send/received bytes automatically, for other rules, you may need to enable Accounting in the Track field of the relevant rules.

If I only need to have reports without SmartEvent, is it possible for licensing?

Reporting functionality requires a SmartEvent license. Without SmartEvent license, you can still create dashboards in SmartView.

What is the duration of the SAM rule that is created along with the "block" reaction?

It has some pre-defined options and also could be customized

Are automatic reactions supported on all types of gateways?

Not currently supported on VSX and Maestro due to the fact SAM rules are not supported on these gateway types.

How do I find the event/log not from the detection (correlated), but from the automatic reaction "Block Source..."? How do I filter out those in Logs?

Try to query SAM or SAM Rule.

Do we have a list of the log fields we can use for user defined events? Or all fields are supported?

The UI specifies the log fields that can be used, which are all indexed by SmartEvent. Some identity fields are obfuscated by default though but there's also a way to cancel the obfuscation. It is not possible to run reports on unindexed log fields. 

How is it possible to mute/disable certain SmartEvent alerts?

You can remove automatic reaction to disable it. If you mean the entire event, you can uncheck the checkbox in SmartEvent GUI

Is there an easy way to filter out events that are NOT local source. This seems to be a common problem where clients see critical events, but they are do to an external scan that are blocked by Check Point.

You can exclude hosts or network for each event or for all of them in global exclusions.

What can cause high CPU on SE server if not highly used?

Indexing incoming (or historical) logs is the primary CPU usage. Note that this CPU usage is scheduled with lower priority so if the CPU is needed for other purposes, it will be allocated accordingly. Best to engage with the TAC to assist in troubleshooting.

How i can backup the complete system including self created report template and scheduling of them?

This data should be exported as part of the standard migration tools (e.g. migrate_server)

What is the impact on the results of the reports if the logs track are by connection or session?

Connection logs are not processed by default as they require heavier processing (correlation).

Does SmartEvent have a large-scale unified view across an MDM environment?

Not at this time. Please discuss such requirements with your local Check Point office.

Is there specific Check Point training or Professional Services for setting up logging/monitoring/reporting?

There is a logging/reporting section available in the Quantum Training material. Please check with your local team to inquire about training offerings. Professional Services assistance is also available.

What is the recommendation to create a Threat Prevention view or report that can be shared with Execs within the organization?

A good starting point is using the built in Threat Prevention view, which can be modified and extended as needed.

Why do the views through SmartConsole don't have the auto refresh option like the log view does?

Auto-refreshing views are currently only available in SmartView.

How many CPU's are recommended for SmartEvent if using a VM?

As a starting point, use the specifications for the Smart-1 appliance that most closely matches your requirements. Make sure you also follow our best practices for installing Security Management in a virtual machine. For further assistance, engage with your Check Point SE.

(1)
Who rated this post