How to see block source automatic reactions in Sma...

Joe_Kanaszka · ‎2024-01-30

Hey gang.

Is there a way to see when a source NET gets blocked via the SmartEvent automatic action rule "Block source"?

We have it set for a 10 minute block and I'd like to see the logs that show this.

Thank you!

-Joe

the_rock · ‎2024-01-30

Hey brother,

I would call TAC and see if they can provide quick answer via remote. I think in smart console, not certain what filter can be used for that, as its not technically "searchable" by blade itself.

Best,

Andy

Best,
Andy
"Have a great day and if its not, change it"

Amir_Senn · ‎2024-01-31

This adds a SAM rule. You can watch SAM rules in SmartView Monitor and there's also syntax for GWs to show SAM policy (found this: https://sc1.checkpoint.com/documents/R81/WebAdminGuides/EN/CP_R81_Multi-DomainSecurityManagement_Adm...).

Kind regards, Amir Senn

the_rock · ‎2024-01-31

@Amir_Senn I can never remember, will try it later in the lab...adding sam rules does not need policy install, right?

Best,

Andy

Best,
Andy
"Have a great day and if its not, change it"

Amir_Senn · ‎2024-01-31

Correct

Kind regards, Amir Senn

the_rock · ‎2024-01-31

Thats what I thought...thanks!

Best,
Andy
"Have a great day and if its not, change it"

Joe_Kanaszka · ‎2024-01-31

Good morning Amir and thank you.

I've set two rules under "Scans" as you can see using SmartEvent. The automatic actions are email and block source. See Pic:

When I go into SmartView Monitor there are no rules active:

Any ideas about what may be wrong?

Thanks again!

the_rock · ‎2024-01-31

Hey brother,

I could be mistaken when I say this, but Im fairly positive blocking those settings in smart event does NOT add any entries in SAM rules portion.

Also, question for @Amir_Senn ...sorry to hit you with so many ?s, apologies, but just curious, is there a way to say add bulk of IPs in sv monitor for sam rules, ie import csv file rather than keep adding entries manually? I checked all the settings, but does not appear that might be possible...

Best,

Andy

Best,
Andy
"Have a great day and if its not, change it"

Joe_Kanaszka · ‎2024-01-31

Thanks Andy. So the rules I added are not SAM rules or...they are but not shown in SmartView Monitor (if that's the case that's confusing no?)

Amir_Senn · ‎2024-01-31

From the link I published before, the syntax for adding a rule is this:

fw [-d] sam_policy add [-u] -a {d|n|b} [-l {r|a}] [-t <Timeout>] [-f <Target>] [-n <"Rule Name">] [-c <"Rule Comment">] [-o <"Rule Originator">] [-z "<Zone>"] ip <IP Filter Arguments>

I think that even a bash script can be easily implemented here.

Every IP has it's own row, with a loop according to the number of rows in the file. If you want all settings to be the same you can just insert IP in appropriate place in the command. Additional fields will require additional columns in the file.

Kind regards, Amir Senn

Amir_Senn · ‎2024-01-31

Definitely adds SAM rule. Here's an example I just did in my lab:

If you don't see a rule there I would say the thing to check is that the event you selected was matched. Best way to see is if a correlated event log was created:

Kind regards, Amir Senn

Tal_Paz-Fridman · ‎2024-01-31

I would also suggest using Infinity Playblocks which is a much more advanced and modern solution.

You will be able to view the relevant logs because they are associated with an Ordered Layer associated with Playblocks.

https://www.checkpoint.com/infinity/playblocks/

Are you a member of CheckMates?

How to see block source automatic reactions in SmartEvent