This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
SubZer0
Explorer
‎2024-03-29 09:45 AM

Identifying Activity on Checkpoint Firewall Logs

I have a question regarding the detection of activity on a Checkpoint firewall through its logs. Specifically, I'm interested in understanding how we can identify ongoing activities or anomalies through these logs.

Could anyone please share insights on the recommended search commands or techniques to effectively monitor and detect suspicious activities on a Checkpoint firewall? Additionally, what are the common indicators or patterns to look out for in these logs that might signal potential security threats?

0 Kudos
2 Replies
Bob_Zimmerman
Authority
Authority
‎2024-03-29 10:46 AM

There's no universal answer. It all depends on your environment.

In my environment, a high-signal search would be drops from private sources to public destinations. Most of my stuff shouldn't talk out to the Internet directly. Updates are cached locally, and we use internal DNS, NTP, and so on, and we drop those services from most private sources to public. If some random source inside my environment tries to get out to the Internet via services we run internally, that's unusual. It's generally misconfiguration rather than malice, though.

In contrast, drops from random public sources to your systems are generally very low-signal. Tens of thousands of systems scan my environment every day. I want to record that a scan happened, but I don't care that much about the scan traffic which was dropped.

Similarly, geolocation drops are generally very low-signal. I couldn't possibly care less that somebody with a DPRK address tried to connect to my stuff. They wouldn't be allowed. I drop traffic from them (and about 20 other countries) without even logging it, just to reduce the log noise.

Note that traffic out to blocked countries becomes extremely high-signal. If they can't connect in, there should never be any reason for my stuff to connect out.

Timothy_Hall
Champion Champion
Champion
a month ago

Logs are great when you know what you are looking for (i.e. System A can't get to System B on port X), but it sounds like you are looking for an overall feel for what is going on and whether everything is "normal", or status quo.

SmartEvent (if you have it) does a very good job of this with its various views showing activity levels in your network.  As an example the "General Overview" screen shown below is pretty informative, not 100% sure if you must have SmartEvent to access this screen. 

Another one I know you don't need SmartEvent for is the "Tops" tab when looking at logs, which gives you interactive "top 10" lists of various data you can drill down into, and will visually highlight excessive amounts of any data.

general_overview.png

 

tops.png

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events