- CheckMates
- :
- Products
- :
- Quantum
- :
- Management
- :
- Re: How to see block source automatic reactions in...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Are you a member of CheckMates?
×- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How to see block source automatic reactions in SmartEvent
Hey gang.
Is there a way to see when a source NET gets blocked via the SmartEvent automatic action rule "Block source"?
We have it set for a 10 minute block and I'd like to see the logs that show this.
Thank you!
-Joe
- Labels:
-
SmartEvent
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hey brother,
I would call TAC and see if they can provide quick answer via remote. I think in smart console, not certain what filter can be used for that, as its not technically "searchable" by blade itself.
Best,
Andy
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This adds a SAM rule. You can watch SAM rules in SmartView Monitor and there's also syntax for GWs to show SAM policy (found this: https://sc1.checkpoint.com/documents/R81/WebAdminGuides/EN/CP_R81_Multi-DomainSecurityManagement_Adm...).
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@Amir_Senn I can never remember, will try it later in the lab...adding sam rules does not need policy install, right?
Best,
Andy
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Correct
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thats what I thought...thanks!
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Good morning Amir and thank you.
I've set two rules under "Scans" as you can see using SmartEvent. The automatic actions are email and block source. See Pic:
When I go into SmartView Monitor there are no rules active:
Any ideas about what may be wrong?
Thanks again!
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hey brother,
I could be mistaken when I say this, but Im fairly positive blocking those settings in smart event does NOT add any entries in SAM rules portion.
Also, question for @Amir_Senn ...sorry to hit you with so many ?s, apologies, but just curious, is there a way to say add bulk of IPs in sv monitor for sam rules, ie import csv file rather than keep adding entries manually? I checked all the settings, but does not appear that might be possible...
Best,
Andy
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks Andy. So the rules I added are not SAM rules or...they are but not shown in SmartView Monitor (if that's the case that's confusing no?)
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
From the link I published before, the syntax for adding a rule is this:
fw [-d] sam_policy add [-u] -a {d|n|b} [-l {r|a}] [-t <Timeout>] [-f <Target>] [-n <"Rule Name">] [-c <"Rule Comment">] [-o <"Rule Originator">] [-z "<Zone>"] ip <IP Filter Arguments>
I think that even a bash script can be easily implemented here.
Every IP has it's own row, with a loop according to the number of rows in the file. If you want all settings to be the same you can just insert IP in appropriate place in the command. Additional fields will require additional columns in the file.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Definitely adds SAM rule. Here's an example I just did in my lab:
If you don't see a rule there I would say the thing to check is that the event you selected was matched. Best way to see is if a correlated event log was created:
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I would also suggest using Infinity Playblocks which is a much more advanced and modern solution.
You will be able to view the relevant logs because they are associated with an Ordered Layer associated with Playblocks.
https://www.checkpoint.com/infinity/playblocks/