This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Terri_Hawkins
Collaborator
2 weeks ago
Jump to solution

SmartEvent Global Exclusion

We have Checkpoint R81.10. I use the SmartEvent but most of what is in there is default settings.  Today I needed to make an exclusion for our outside PCI scanner and I saw the "Global Exclusions" options. I have 2 questions about this option,

First, and most important, is there is a rule in there for Log Id 2000 (any source, product, or destination). I did not make this rule and am wondering if it is a default one and what it does. I have not yet been able to find anything on it and it is kind of worrying me as I may be exluding something and not meaning to.  
global exception.jpg

And second, I can't tell by the documentation if using the glabal exclusion just prevents the traffic from showing in logs or does it actually stop it from going thru all these threat preventions? I need it to do the latter. I have a rule in my IPS settings to prevent them from being stopped but it is still being stopped by a SAM rule and I want to add it here.

Any help is appreciated. I am still looking but that first question has me concerned.

0 Kudos
1 Solution

Accepted Solutions
Amir_Senn
Employee
Employee
2 weeks ago
In response to the_rock
Jump to solution

1. LogID 2000 is correlated events. This exclude the event logs from being considered as event candidate itself.

2. SmartEvent doesn't do enforcement of any kind unless you attach an automatic reactions to an event. Exclusion is preventing the matched resources from being considered event candidate. This is in use for example in an environment in which you get false positive from a server due to large quantity of requests.

Kind regards, Amir Senn

View solution in original post

(1)
6 Replies
the_rock
Legend
Legend
2 weeks ago
Jump to solution

You got me really curious about it, as I have dedicated smart event in the lab and upon checking, I dont even see the explanation of that field in help section, plus, if you see what I pointed out, says it was updated last time in 2006, so has not changed "forever" lol

Anyway, it says you canNOT delete the rule, only disable it. It would be nice to know what it really means when it refers to log id 2000.

Maybe @Amir_Senn can help? 🙂

Best,

Andy

 

 

Screenshot_1.png

0 Kudos
Amir_Senn
Employee
Employee
2 weeks ago
In response to the_rock
Jump to solution

1. LogID 2000 is correlated events. This exclude the event logs from being considered as event candidate itself.

2. SmartEvent doesn't do enforcement of any kind unless you attach an automatic reactions to an event. Exclusion is preventing the matched resources from being considered event candidate. This is in use for example in an environment in which you get false positive from a server due to large quantity of requests.

Kind regards, Amir Senn
(1)
the_rock
Legend
Legend
2 weeks ago
In response to Amir_Senn
Jump to solution

Thanks brother, I had all the confidence you would know the answer 🙂

Best,

Andy

majkel
Explorer
Sunday
Jump to solution

Hi,

Just curious if this settings is excluding logs setup with this SK: How to configure email notifications for Expert Mode login using SmartEvent Automatic Reactions (che... ?

Also asking if you have to create automatic reaction in order for it to be picked up as event ?

best rgs, mike
0 Kudos
majkel
Explorer
Sunday
In response to majkel
Jump to solution

Once we have configured automatic reaction its creating the event. However we are authenticating with radius and expert as default its not generating any logs and its per design. Is there anyway to create an event for our case?

best rgs, mike
0 Kudos
PhoneBoy
Admin
Admin
Monday
In response to majkel
Jump to solution

Actually, you don't need SmartEvent for that, but you do need to be connected to Infinity Portal to leverage Playblocks: https://community.checkpoint.com/t5/Playblocks/Horizon-Playblocks-Expert-Mode-Login-Notification/m-p... 

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events