This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Joe_Kanaszka
Advisor
‎2024-01-30 01:15 PM

How to see block source automatic reactions in SmartEvent

Hey gang.

 

Is there a way to see when a source NET gets blocked via the SmartEvent automatic action rule "Block source"?

We have it set for a 10 minute block and I'd like to see the logs that show this.

Thank you!

 

-Joe

 

Labels
0 Kudos
11 Replies
the_rock
MVP Diamond
MVP Diamond
‎2024-01-30 01:48 PM

Hey brother,

I would call TAC and see if they can provide quick answer via remote. I think in smart console, not certain what filter can be used for that, as its not technically "searchable" by blade itself.

Best,

Andy

Best,
Andy
"Have a great day and if its not, change it"
Amir_Senn
MVP Silver CHKP MVP Silver CHKP
MVP Silver CHKP
‎2024-01-31 03:07 AM

This adds a SAM rule. You can watch SAM rules in SmartView Monitor and there's also syntax for GWs to show SAM policy (found this: https://sc1.checkpoint.com/documents/R81/WebAdminGuides/EN/CP_R81_Multi-DomainSecurityManagement_Adm...).

Kind regards, Amir Senn
the_rock
MVP Diamond
MVP Diamond
‎2024-01-31 04:38 AM
In response to Amir_Senn

@Amir_Senn I can never remember, will try it later in the lab...adding sam rules does not need policy install, right?

Best,

Andy

Best,
Andy
"Have a great day and if its not, change it"
0 Kudos
Amir_Senn
MVP Silver CHKP MVP Silver CHKP
MVP Silver CHKP
‎2024-01-31 04:46 AM
In response to the_rock

Correct

Kind regards, Amir Senn
the_rock
MVP Diamond
MVP Diamond
‎2024-01-31 04:48 AM
In response to Amir_Senn

Thats what I thought...thanks!

Best,
Andy
"Have a great day and if its not, change it"
0 Kudos
Joe_Kanaszka
Advisor
‎2024-01-31 05:12 AM
In response to Amir_Senn

Good morning Amir and thank you.

 

I've set two rules under "Scans" as you can see using SmartEvent.  The automatic actions are email and block source.  See Pic:

Screenshot 2024-01-31 080701.jpg

 

When I go into SmartView Monitor there are no rules active:

Screenshot 2024-01-31 081025.jpg

Any ideas about what may be wrong?

 

Thanks again!

 

 

 

 

0 Kudos
the_rock
MVP Diamond
MVP Diamond
‎2024-01-31 05:50 AM
In response to Joe_Kanaszka

Hey brother,

I could be mistaken when I say this, but Im fairly positive blocking those settings in smart event does NOT add any entries in  SAM rules portion.

Also, question for @Amir_Senn ...sorry to hit you with so many ?s, apologies, but just curious, is there a way to say add bulk of IPs in sv monitor for sam rules, ie import csv file rather than keep adding entries manually? I checked all the settings, but does not appear that might be possible...

Best,

Andy

 

Best,
Andy
"Have a great day and if its not, change it"
0 Kudos
Joe_Kanaszka
Advisor
‎2024-01-31 06:08 AM
In response to the_rock

Thanks Andy.  So the rules I added are not SAM rules or...they are but not shown in SmartView Monitor (if that's the case that's confusing no?)  

0 Kudos
Amir_Senn
MVP Silver CHKP MVP Silver CHKP
MVP Silver CHKP
‎2024-01-31 08:55 AM
In response to the_rock

From the link I published before, the syntax for adding a rule is this:

fw [-d] sam_policy add [-u] -a {d|n|b} [-l {r|a}] [-t <Timeout>] [-f <Target>] [-n <"Rule Name">] [-c <"Rule Comment">] [-o <"Rule Originator">] [-z "<Zone>"] ip <IP Filter Arguments>

I think that even a bash script can be easily implemented here.

Every IP has it's own row, with a loop according to the number of rows in the file. If you want all settings to be the same you can just insert IP in appropriate place in the command. Additional fields will require additional columns in the file.

Kind regards, Amir Senn
0 Kudos
Amir_Senn
MVP Silver CHKP MVP Silver CHKP
MVP Silver CHKP
‎2024-01-31 08:47 AM
In response to Joe_Kanaszka

Definitely adds SAM rule. Here's an example I just did in my lab:

1.PNG

If you don't see a rule there I would say the thing to check is that the event you selected was matched. Best way to see is if a correlated event log was created:

2.PNG

 

Kind regards, Amir Senn
0 Kudos
Tal_Paz-Fridman
MVP Platinum CHKP MVP Platinum CHKP
MVP Platinum CHKP
‎2024-01-31 05:57 AM

I would also suggest using Infinity Playblocks which is a much more advanced and modern solution.

You will be able to view the relevant logs because they are associated with an Ordered Layer associated with Playblocks.

https://www.checkpoint.com/infinity/playblocks/

 

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    In-Person

    Tue 19 May 2026 @ 08:00 AM (EDT)

    Montreal: P’tits déj Cyber! | Cyber Breakfasts!
    In-Person

    Tue 02 Jun 2026 @ 09:00 AM (CEST)

    CheckMates Live Denmark - Aarhus
    In-Person

    Wed 03 Jun 2026 @ 09:00 AM (CEST)

    CheckMates Live Denmark - Copenhagen
    CheckMates Events