Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Aznaz_Reflectio
Contributor
Jump to solution

Security Logs without Network Object Name

Hi All great Checkmates,

As per image above, in the log screen, instead of displaying object name that has been declared, it just showing the IP adresses. I cant find any setting to change or enable this.

I am using Checkpoint 1470 with R77.20.

1 Solution

Accepted Solutions
Kaspars_Zibarts
Employee Employee
Employee

You have possibly turned off name resolution (ctrl-R). Also in old days (haven't checked in R80) if you had separate log server then you needed to install database to update object names presented in the tracker. But I believe smart log uses normal DNS instead. Check that those names resolve manually from log server CLI.

View solution in original post

17 Replies
Ni_c
Contributor

Database might not be installed on management sever and log server once the new object is created. 

0 Kudos
Kaspars_Zibarts
Employee Employee
Employee

You have possibly turned off name resolution (ctrl-R). Also in old days (haven't checked in R80) if you had separate log server then you needed to install database to update object names presented in the tracker. But I believe smart log uses normal DNS instead. Check that those names resolve manually from log server CLI.

HristoGrigorov

This is a screenshot from locally managed appliance. 

Go to Device -> DNS and enable 'Resolve Network Objects'. See if that makes any difference.

0 Kudos
G_W_Albrecht
Legend Legend
Legend

The screenshot is from a centrally managed appliance - as it has only Tabs Home / Device / Users / Logs avalable, while locally managed also show Access Policy, Threath Prevention and VPN. Usually, this page shown no logs if there is a SMS/Logserver available. The Network Objects for the IPs have to be defined in Users & Objects and Device > Network > DNS > > Resolve Network Objects enabled.

CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
Aznaz_Reflectio
Contributor

Hi Gunther,

Yes, correct, it is central managed.

Regarding the advised setting, i did try it.. but still log cannot view obj name.

0 Kudos
G_W_Albrecht
Legend Legend
Legend

And you did define the Network Objects using the correct IP ? I can not see that setting yet... Maybe you should do a reboot after changing the settings ?

CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
Aznaz_Reflectio
Contributor

I already define the network Obj..but right now im out of office and unable to give the proof.

Unfortunately, reboot also has been done few times but its still the same Smiley Sad Smiley Sad

0 Kudos
Maarten_Sjouw
Champion
Champion

If it is centrally managed why are you looking at the logs on the device itself then? To my knowledge the object resolution is not done on the local device logs, only on the logserver.

Regards, Maarten
0 Kudos
Aznaz_Reflectio
Contributor

What you are saying is correct. Actually, I got a few 1400 appliances, some running local, some running central, and the point is, all unable to show obj name. The firmware itself also has been upgraded to the latest version.

0 Kudos
Maarten_Sjouw
Champion
Champion

So what are you actually saying? I do not think you will see resolution of objects locally on the boxes untill you define these objects locally on those boxes as well. 

Main question is though: why are you looking at the logs on the local devices instead of the central logs?

Why do you need to see this resolution on the local logs?

Regards, Maarten
0 Kudos
Aznaz_Reflectio
Contributor

I do not think you will see resolution of objects locally on the boxes untill you define these objects locally on those boxes as well.

= I did define it locally on the boxes already.

Main question is though: why are you looking at the logs on the local devices instead of the central logs?

= What do you mean by this? what i can say is because this firewall is not manage by other management server, its locally managed, there is no other place to see its log right..? this firewall not using any SmartEvent server or any syslog server.

Why do you need to see this resolution on the local logs?

= It is seperate firewall. not connecting with other smart-1 or smartEvent.

0 Kudos
G_W_Albrecht
Legend Legend
Legend

Sounds like a real issue to me - network objects defined locally should show in logs 😞

CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
Tom_Hinoue
Advisor
Advisor

I've been working with the locally managed SMBs' for a while, but from my experience,
I have never seen the source column in security logs show other than the actual IP address locally on the box.

Have you consult with TAC about it? Maybe its not included as a feature yet. (possible RFE...)

0 Kudos
HristoGrigorov

I share similar thoughts. The Resolve Network Objects option works only for direct DNS queries and only if Allow DNS server to resolve object name option is enabled for object to be resolved. That is, if you configure appliance as DNS on a host, you will be able to resolve these objects by name.

I guess this is not enabled for local logging because of performance reasons. 

I know some syslog servers can resolve IP addresses (syslog-ng for example) but never tried it. And it will require to maintain a copy of the hosts database in one more place.

0 Kudos
Pedro_Espindola
Advisor

Correct, logs do not show the object name in either locally or centrally managed SMB appliances.

I don't know if they should, but I have worked with more than 20 appliances since R77.20.10 and have never seen the names resolved.

G_W_Albrecht
Legend Legend
Legend

I find that strange - you define network objects and servers, use them in FW rules but do not see the defined names in logs. Maybe i just remember Edge / Safe@ logs 😉

CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
G_W_Albrecht
Legend Legend
Legend

Just a final statement: i am very glad that my SMS always shows logs of managed SMB appliances and logs from standAlone SMB appliances with all names displayed.

CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events