We all should have generalized at least one query in order to understand whether a specific behaviour/situation could be found in other firewalls.
And if you do not remember what your perfect queries were, see your complete history (on your SmartLog-enabled server):
$SMARTLOGDIR/data/users_settings/<your login name>/history.xml
Regarding Endpoint Security Remote Access solutions:
- seeing tunnel activities:
tunnel_test or action:"Key Install" or action:"Failed Log In" OR action:"Log In" OR action:"Log Out" OR action:reject OR action:Update
- connection errors:
blade:vpn AND action:Reject ( "endpoint" OR "user" OR "Office Mode" )
- errors authenticating users:
"Could not obtain user object" "IKE failure"
type:alert (certificate or CRL)
Security Management Log Server: when logs could not be sent to it:
"were not sent to log server"
tcp (fin OR syn) NOT "both fin" NOT "established"
Every log of a specific rule (hit count detail could be useful as well):
First of all, did you know that we can generalize our best column profiles for all or selected users (see sk109512)?
My default column profile (for general logs) is:
with which I can see immediately src/dst IPs, src/dst ports and Xlate src/dst and basics.
So: what are your perfect and efficient queries?
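As an added illustration (not part of the original post and not Check Point's own code), here is a small Python evaluator that applies filters written in the style of the queries above to a handful of constructed log records, so the boolean combinations can be checked offline before they are typed into SmartLog. It assumes SmartLog-like search semantics: adjacent terms are implicitly ANDed, `field:value` compares one field case-insensitively, a bare word or quoted phrase is matched as a substring of any field, and AND/OR/NOT plus parentheses group as usual. The records, their field names and their values are constructed for the demonstration and do not come from a real log.

```python
import re

# Tokens: parentheses, optionally field-prefixed values, quoted phrases, bare words.
TOKEN_RE = re.compile(r'\(|\)|(?:[\w.]+:)?(?:"[^"]*"|[^\s()"]+)')
FIELD_RE = re.compile(r'^([\w.]+):(.*)$')


class Parser:
    """Recursive-descent parser for the assumed SmartLog-like filter grammar:
      or_expr  := and_expr ('OR' and_expr)*
      and_expr := unary ('AND'? unary)*      # adjacent terms are ANDed
      unary    := 'NOT' unary | '(' or_expr ')' | field:value | text
    Keywords are case-insensitive ("or" and "OR" both work, as in the post)."""

    def __init__(self, query):
        self.tokens = TOKEN_RE.findall(query)
        self.pos = 0

    def peek(self):
        return self.tokens[self.pos] if self.pos < len(self.tokens) else None

    def take(self):
        tok = self.peek()
        self.pos += 1
        return tok

    @staticmethod
    def is_kw(tok, kw):
        return tok is not None and not tok.startswith('"') and tok.upper() == kw

    def parse(self):
        node = self.or_expr()
        if self.peek() is not None:
            raise ValueError("unexpected token %r" % self.peek())
        return node

    def or_expr(self):
        node = self.and_expr()
        while self.is_kw(self.peek(), "OR"):
            self.take()
            node = ("or", node, self.and_expr())
        return node

    def and_expr(self):
        node = self.unary()
        while True:
            tok = self.peek()
            if tok is None or tok == ")" or self.is_kw(tok, "OR"):
                return node
            if self.is_kw(tok, "AND"):
                self.take()          # explicit AND; implicit AND needs no token
            node = ("and", node, self.unary())

    def unary(self):
        tok = self.take()
        if tok is None or tok == ")":
            raise ValueError("unexpected end of expression")
        if self.is_kw(tok, "NOT"):
            return ("not", self.unary())
        if tok == "(":
            node = self.or_expr()
            if self.take() != ")":
                raise ValueError("missing ')'")
            return node
        m = None if tok.startswith('"') else FIELD_RE.match(tok)
        if m:
            return ("field", m.group(1).lower(), m.group(2).strip('"'))
        return ("text", tok.strip('"'))


def matches(node, record):
    """Evaluate an AST against one log record (dict of field -> value)."""
    kind = node[0]
    if kind == "field":   # field:value -> case-insensitive equality on that field
        return str(record.get(node[1], "")).lower() == node[2].lower()
    if kind == "text":    # bare word / quoted phrase -> substring of any field value
        needle = node[1].lower()
        return any(needle in str(v).lower() for v in record.values())
    if kind == "and":
        return matches(node[1], record) and matches(node[2], record)
    if kind == "or":
        return matches(node[1], record) or matches(node[2], record)
    return not matches(node[1], record)   # "not"


def search(query, records):
    """Return the indexes of the records matched by a filter string."""
    ast = Parser(query).parse()
    return [i for i, rec in enumerate(records) if matches(ast, rec)]


def is_valid(query):
    """True if the filter parses (useful to catch an unbalanced parenthesis)."""
    try:
        Parser(query).parse()
        return True
    except ValueError:
        return False


# Constructed sample records (hypothetical field names and values, not real logs).
SAMPLE_LOGS = [
    {"blade": "VPN", "action": "Key Install", "user": "alice", "product": "Endpoint Security"},
    {"blade": "VPN", "action": "Reject", "reason": "Office Mode IP pool exhausted", "user": "bob"},
    {"blade": "VPN", "action": "Reject", "reason": "Could not obtain user object", "info": "IKE failure"},
    {"blade": "Firewall", "action": "Accept", "proto": "tcp", "tcp_flags": "SYN", "src": "10.0.0.5"},
    {"blade": "Firewall", "action": "Drop", "proto": "tcp", "tcp_flags": "both fin", "src": "10.0.0.6"},
    {"blade": "VPN", "type": "alert", "action": "Reject", "info": "Peer certificate has expired"},
    {"blade": "Log Server", "action": "Accept", "info": "1200 logs were not sent to log server"},
]

# The filters from the post, verbatim.
QUERIES = [
    'tunnel_test or action:"Key Install" or action:"Failed Log In" OR action:"Log In" OR action:"Log Out" OR action:reject OR action:Update',
    'blade:vpn AND action:Reject ( "endpoint" OR "user" OR "Office Mode" )',
    '"Could not obtain user object" "IKE failure"',
    'type:alert (certificate or CRL)',
    '"were not sent to log server"',
    'tcp (fin OR syn) NOT "both fin" NOT "established"',
]

if __name__ == "__main__":
    for q in QUERIES:
        print("%-80s -> %s" % (q, search(q, SAMPLE_LOGS)))
```

Running the block prints, for each filter, which constructed records it matches; the last filter shows why `NOT "both fin"` is needed, since `fin` alone is also a substring of `both fin`.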