Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Joe_Kanaszka
Advisor

How to see block source automatic reactions in SmartEvent

Hey gang.

 

Is there a way to see when a source NET gets blocked via the SmartEvent automatic action rule "Block source"?

We have it set for a 10 minute block and I'd like to see the logs that show this.

Thank you!

 

-Joe

 

0 Kudos
11 Replies
the_rock
Legend
Legend

Hey brother,

I would call TAC and see if they can provide quick answer via remote. I think in smart console, not certain what filter can be used for that, as its not technically "searchable" by blade itself.

Best,

Andy

Amir_Senn
Employee
Employee

This adds a SAM rule. You can watch SAM rules in SmartView Monitor and there's also syntax for GWs to show SAM policy (found this: https://sc1.checkpoint.com/documents/R81/WebAdminGuides/EN/CP_R81_Multi-DomainSecurityManagement_Adm...).

Kind regards, Amir Senn
the_rock
Legend
Legend

@Amir_Senn I can never remember, will try it later in the lab...adding sam rules does not need policy install, right?

Best,

Andy

0 Kudos
Amir_Senn
Employee
Employee

Correct

Kind regards, Amir Senn
the_rock
Legend
Legend

Thats what I thought...thanks!

0 Kudos
Joe_Kanaszka
Advisor

Good morning Amir and thank you.

 

I've set two rules under "Scans" as you can see using SmartEvent.  The automatic actions are email and block source.  See Pic:

Screenshot 2024-01-31 080701.jpg

 

When I go into SmartView Monitor there are no rules active:

Screenshot 2024-01-31 081025.jpg

Any ideas about what may be wrong?

 

Thanks again!

 

 

 

 

0 Kudos
the_rock
Legend
Legend

Hey brother,

I could be mistaken when I say this, but Im fairly positive blocking those settings in smart event does NOT add any entries in  SAM rules portion.

Also, question for @Amir_Senn ...sorry to hit you with so many ?s, apologies, but just curious, is there a way to say add bulk of IPs in sv monitor for sam rules, ie import csv file rather than keep adding entries manually? I checked all the settings, but does not appear that might be possible...

Best,

Andy

 

0 Kudos
Joe_Kanaszka
Advisor

Thanks Andy.  So the rules I added are not SAM rules or...they are but not shown in SmartView Monitor (if that's the case that's confusing no?)  

0 Kudos
Amir_Senn
Employee
Employee

From the link I published before, the syntax for adding a rule is this:

fw [-d] sam_policy add [-u] -a {d|n|b} [-l {r|a}] [-t <Timeout>] [-f <Target>] [-n <"Rule Name">] [-c <"Rule Comment">] [-o <"Rule Originator">] [-z "<Zone>"] ip <IP Filter Arguments>

I think that even a bash script can be easily implemented here.

Every IP has it's own row, with a loop according to the number of rows in the file. If you want all settings to be the same you can just insert IP in appropriate place in the command. Additional fields will require additional columns in the file.

Kind regards, Amir Senn
0 Kudos
Amir_Senn
Employee
Employee

Definitely adds SAM rule. Here's an example I just did in my lab:

1.PNG

If you don't see a rule there I would say the thing to check is that the event you selected was matched. Best way to see is if a correlated event log was created:

2.PNG

 

Kind regards, Amir Senn
0 Kudos
Tal_Paz-Fridman
Employee
Employee

I would also suggest using Infinity Playblocks which is a much more advanced and modern solution.

You will be able to view the relevant logs because they are associated with an Ordered Layer associated with Playblocks.

https://www.checkpoint.com/infinity/playblocks/

 

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events