13 January 2022
LOGGING AND MONITORING
R81.10
Administration Guide
[Classification: Protected]
Check Point Copyright Notice
© 2021 Check Point Software Technologies Ltd.
All rights reserved. This product and related documentation are protected by copyright and distributed under
licensing restricting their use, copying, distribution, and decompilation. No part of this product or related
documentation may be reproduced in any form or by any means without prior written authorization of Check
Point. While every precaution has been taken in the preparation of this book, Check Point assumes no
responsibility for errors or omissions. This publication and features described herein are subject to change
without notice.
RESTRICTED RIGHTS LEGEND:
Use, duplication, or disclosure by the government is subject to restrictions as set forth in subparagraph (c)
(1)(ii) of the Rights in Technical Data and Computer Software clause at DFARS 252.227-7013 and FAR
52.227-19.
TRADEMARKS:
Refer to the Copyright page for a list of our trademarks.
Refer to the Third Party copyright notices for a list of relevant copyrights and third-party licenses.
Important Information
            Latest Software
            We recommend that you install the most recent software release to stay up-to-date with the
            latest functional improvements, stability fixes, security enhancements and protection against
            new and evolving attacks.
            Certifications
            For third party independent certification of Check Point products, see the Check Point
            Certifications page.
            Check Point R81.10
            For more about this release, see the R81.10 home page.
            Latest Version of this Document in English
            Open the latest version of this document in a Web browser.
            Download the latest version of this document in PDF format.
            Feedback
            Check Point is engaged in a continuous effort to improve its documentation.
            Please help us by sending your comments.
Revision History
 Date                Description
 13 January 2022     Updated "Understanding Logging" on page 28
 09 January 2022     Updated "Deploying SmartEvent" on page 37
 05 January 2022     Added limitations to:
                       - "Understanding Logging" on page 28
                       - "Monitoring Traffic or System Counters" on page 181
                       - "The Logs View" on page 91
                       - "Transition from LEA to Log Exporter" on page 222
                                               Logging and Monitoring R81.10 Administration Guide      |      3
 29 December 2021    Added a limitation in "SmartView Web Application" on page 104
                     Updated "SmartView Web Application" on page 104
 27 September 2021   Updated "Log Exporter" on page 194 (the entire chapter)
 22 September 2021   Updated "SmartView Web Application" on page 104
 06 July 2021        First release of this document
Table of Contents
 Glossary                                                                                                    14
 Introduction                                                                                                25
 Getting Started                                                                                             26
   Logging and Monitoring Clients                                                                            26
   Understanding Logging                                                                                     28
     Dynamic Log Distribution                                                                                28
     Log Storage                                                                                             29
     Dedicated Domain Log Servers                                                                            31
     Daily Logs Retention                                                                                    31
   Deploying Logging                                                                                         34
     Enabling Logging on the Security Management Server                                                      34
     Deploying a Dedicated Log Server                                                                        34
     Configuring the Security Gateways for Logging                                                           34
     Enabling Log Indexing                                                                                   35
     Disabling Log Indexing                                                                                  35
   Deploying SmartEvent                                                                                      37
     SmartEvent Licensing                                                                                    37
     Enabling SmartEvent on the Security Management Server                                                   37
     System Requirements                                                                                     38
     Installing a Dedicated SmartEvent Server                                                                38
     Configuring the SmartEvent Components in the First Time Configuration Wizard                            38
     Connecting R81.10 SmartEvent to R81.10 Security Management Server                                       39
         Advanced Configuration for a dedicated SmartEvent Server that is also a Correlation Unit            39
     Connecting R81.10 SmartEvent to R81.10 Multi-Domain Server                                              40
     Configuring SmartEvent to use a Non-Standard LEA Port                                                   41
     Configuring SmartEvent to read External Logs                                                            42
   Deploying a Domain Dedicated Log Server                                                                   43
     Introduction                                                                                            43
     Procedure for an R81.10 Multi-Domain Environment                                                        43
     Procedure for an R77.x Multi-Domain Environment                                                         44
   Administrator Permission Profiles                                                                         48
       Configuring Permissions for Monitoring, Logging, Events, and Reports                                  48
       Multi-Domain Security Management                                                                      48
     SmartEvent Reports-Only Permission Profile                                                              49
 Importing Offline Log Files                                                                                 50
     Importing Log Files from SmartEvent Servers                                                             50
     Offline Work For Correlated Events                                                                      50
 Importing Syslog Messages                                                                                   52
     Generating a Syslog Parser and Importing syslog Messages                                                52
     Configuring SmartEvent to Read Imported Syslog Messages                                                 52
 Connecting an R81.10 SmartEvent to an R81.10 Security Management Server                                     53
          Advanced Configuration for a dedicated SmartEvent Server that is also a Correlation Unit           53
Views and Reports                                                                                            55
 Enabling Views and Reports                                                                                  56
 Catalog of Views and Reports                                                                                57
 Views                                                                                                       59
 Reports                                                                                                     60
 Automatic View and Report Updates                                                                           61
 Opening a View or Report                                                                                    62
 MITRE ATT&CK in SmartView                                                                                   63
 Exporting Views and Reports                                                                                 65
   Generating a Network Activity Report                                                                      65
   Sharing Reports                                                                                           66
 Exporting and Importing Templates                                                                           68
 Scheduling a View or Report                                                                                 69
 Customizing a View or Report                                                                                70
   View Settings                                                                                             70
   Report Settings                                                                                           72
   Configuring Email Settings for Views and Reports                                                          72
            Configuring Email Server Settings                                                                72
            Configuring Email Recipients                                                                     73
   Adding a Logo to Reports                                                                                  73
 Widgets                                                                                                     74
     Adding and Customizing Widgets                                                                          74
     Copying Widgets and Views to other Locations                                                            84
     Filters                                                                                                 87
     Filtering for Active Directory User Groups                                                              88
Logging                                                                                                      89
 Sample Log Analysis                                                                                       90
 The Logs View                                                                                             91
 Working with Logs                                                                                         92
   Choosing Rules to Track                                                                                 92
   Configuring Tracking in a Policy Rule                                                                   92
   Tracking Options                                                                                        92
   Log Sessions                                                                                            93
   Viewing Rule Logs                                                                                       94
   Packet Capture                                                                                          95
   Searching the Logs                                                                                      95
     Running Queries                                                                                       95
     Showing Query Results                                                                                 96
     Customizing the Results Pane                                                                          96
     Creating Custom Queries                                                                               97
       Selecting Query Fields                                                                              97
       Selecting Criteria from Grid Columns                                                                97
       Manually Entering Query Criteria                                                                    98
   Query Language Overview                                                                                 98
       Criteria Values                                                                                     98
         IP Addresses                                                                                      99
         NOT Values                                                                                        99
       Wildcards                                                                                           99
       Field Keywords                                                                                    100
       Boolean Operators                                                                                 101
   Log Sessions                                                                                          102
 Tracking Options                                                                                        103
 SmartView Web Application                                                                               104
 Log Server High Availability                                                                            107
 Working with Syslog Servers                                                                             108
   Introduction                                                                                          108
   Configuring Security Gateways                                                                         108
   Log Count for CoreXL Firewall Instances                                                               111
Event Analysis                                                                                           113
 Event Analysis with SmartEvent                                                                          113
 What is an Event?                                                                                       113
 How Are Logs Converted to Events?                                                                113
 The SmartEvent Architecture                                                                      113
 SmartEvent Correlation Unit                                                                      114
 SmartEvent Correlation Unit High Availability                                                    115
 The SmartView Web Application                                                                    115
 Configuring SmartEvent Policy and Settings                                                       116
   Opening the SmartEvent GUI Client                                                              116
   Policy Tab                                                                                     116
     Save Event Policy                                                                            116
     Revert Changes                                                                               116
   Event Definitions and General Settings                                                         117
   Event Definition Parameters                                                                    117
   Modifying Event Definitions                                                                    117
   Event Threshold                                                                                117
   Severity                                                                                       117
   Automatic Reactions                                                                            119
     Creating a Mail Reaction                                                                     120
     Creating an SNMP Trap Reaction                                                               120
     Creating a Block Source Reaction                                                             121
     Creating a Block Event Activity Reaction                                                     121
     Creating an External Script Automatic Reaction                                               121
     Assigning an Automatic Reaction to an Event                                                  122
   Working Hours                                                                                  124
   Exceptions                                                                                     125
   High Level Overview of Event Identification                                                    126
     Matching a Log Against Global Exclusions                                                     126
     Matching a Log Against Each Event Definition                                                 126
     Creating an Event Candidate                                                                  127
     Matching a Log Against Event Exclusion                                                       129
     Event Generation                                                                             130
   Modifying Event Definitions                                                                    130
   Creating a User-Defined Event                                                                  131
     Creating a New Event Definition                                                              131
     Customizing a User-Defined Event                                                             132
   Creating a Mail Reaction                                                                       135
   Creating a Block Source Reaction                                                               136
   Creating a Block Event Activity Reaction                                                       137
   Creating an SNMP Trap Reaction                                                                 138
   Eliminating False Positives                                                                    139
     Services that Generate Events                                                                139
     Common Events by Service                                                                     139
   System Administration                                                                          147
     Adding Network and Host Objects                                                              147
   Creating an External Script Automatic Reaction                                                 149
Monitoring Traffic and Connections                                                                        151
 How SmartView Monitor Works                                                                              151
    AMON Protocol Support                                                                                 152
    Defining Status Fetch Frequency                                                                       152
 To Start Monitoring                                                                                      153
 SmartView Monitor Features                                                                               154
    SmartView Monitor Use Cases                                                                           154
 Immediate Actions                                                                                        155
 Monitoring and Handling Alerts                                                                           156
    Viewing Alerts                                                                                        156
    System Alert Monitoring Mechanism                                                                     156
 Monitoring Suspicious Activity Rules                                                                     157
    The Need for Suspicious Activity Rules                                                                157
    Creating a Suspicious Activity Rule                                                                   157
    Creating a Suspicious Activity Rule from Results                                                      158
    Managing Suspicious Activity Rules                                                                    159
    sam_alert                                                                                             159
 Configuring Alerts and Thresholds in SmartView Monitor                                                   160
    System Alerts and Thresholds                                                                          160
    Working with SNMP Monitoring Thresholds                                                               161
      Types of Alerts                                                                                     162
      Configuring SNMP Monitoring Thresholds                                                              162
      Configuration Procedures                                                                            163
        Configure Global Alert Settings                                                                   163
        Configure Alert Destinations                                                                      163
        Configure Thresholds                                                                              164
      Completing the Configuration                                                                    165
    Monitoring SNMP Thresholds                                                                        165
  Customizing Results                                                                                 166
    Editing a Custom View                                                                             166
      Creating a Custom Gateway Status View                                                           166
      Creating a Custom Traffic View                                                                  167
      Creating a Custom Counters View                                                                 168
      Creating a Custom Tunnel View                                                                   168
      Creating a Custom Users View                                                                    169
    Custom View Example                                                                               169
    Exporting a Custom View                                                                           170
  Setting Your Default View                                                                           170
    Refreshing Views                                                                                  170
Monitoring Security Gateway Status                                                                    172
  Gateway Status                                                                                      172
  Displaying Gateway Data                                                                             172
  System Data                                                                                         172
  Firewall                                                                                            173
  Virtual Private Networks                                                                            173
  QoS                                                                                                 174
  ClusterXL                                                                                           174
  OPSEC                                                                                               175
  Check Point Security Management                                                                     175
  SmartEvent Correlation Unit and the SmartEvent Server                                               175
  Anti-Virus and URL Filtering                                                                        176
  Multi-Domain Security Management                                                                    176
  The 'cpstat' Command                                                                                176
  Starting and Stopping Cluster Members                                                               177
Monitoring VPN Tunnels                                                                                178
  VPN Tunnels Solution                                                                                178
  VPN Tunnel View Updates                                                                             179
  Running VPN Tunnel Views                                                                            179
    Run a Down Tunnel View                                                                            179
    Run a Permanent Tunnel View                                                                       179
    Run a Tunnels on Community View                                                                   180
     Run Tunnels on Gateway View                                                                        180
 Monitoring Traffic or System Counters                                                                  181
   Traffic or System Counters Solution                                                                  181
     Traffic                                                                                            181
     Traffic Legend Output                                                                              182
     System Counters                                                                                    182
   Select and Run a Traffic or System Counters View                                                     182
   Recording a Traffic or Counter View                                                                  183
       Play the Results of a Recorded Traffic or Counter View                                           183
       Pause or Stop the Results of a Recorded View that is Playing                                     183
 Monitoring Users                                                                                       185
   Users Solution                                                                                       185
   Run a Users View                                                                                     185
     Run a User View for a Specified User                                                               185
     Run a User View for all Users or Mobile Access Users                                               186
     Run a User View for a Specified Security Gateway                                                   186
 Cooperative Enforcement Solution                                                                       187
   NAT Environments                                                                                     187
   Configuring Cooperative Enforcement                                                                  188
   Non-Compliant Hosts by Gateway View                                                                  188
Third-Party Log Formats                                                                                 189
 Importing Syslog Messages                                                                              189
   Generating a Syslog Parser and Importing syslog Messages                                             189
   Configuring SmartEvent to Read Imported Syslog Messages                                              189
Importing Windows Events                                                                                190
 How Windows Event Service Works                                                                        190
 Administrator Support for WinEventToCPLog                                                              190
 Sending Windows Events to the Log Server                                                               190
   Creating an OPSEC Object for Windows Event Service                                                   191
   Configuring the Windows service                                                                      191
   Establishing Trust                                                                                   192
   Configuring the Windows Audit Policy                                                                 192
 Working with SNMP                                                                                      193
Log Exporter                                                                                            194
 Overview                                                                                               194
  How Log Exporter Works                                                                                  195
  Configuring Log Exporter in SmartConsole                                                                196
  Configuring Log Exporter in CLI                                                                         198
    Log Exporter Basic Configuration in CLI                                                               198
    Log Exporter Advanced Configuration in CLI                                                            200
  Log Exporter TLS Configuration                                                                          207
  Log Exporter Advanced Configuration Parameters                                                          210
  Log Exporter Instructions for Specific SIEM                                                             218
    Rsyslog                                                                                               218
    ArcSight                                                                                              218
    Splunk                                                                                                219
    QRadar                                                                                                220
  Transition from LEA to Log Exporter                                                                     222
  Transition from CPLogToSyslog to Log Exporter                                                           223
  Log Exporter - Appendix                                                                                 224
    Special Log Fields                                                                                    224
    Syslog-NG Listener Configuration                                                                      224
    Splunk Listener Configuration                                                                         224
    ArcSight Listener Configuration                                                                       225
    QRadar Log Event Extended Format (LEEF) Mapping                                                       226
Logs in Milliseconds                                                                                      227
API for Logs                                                                                              228
  Configuration                                                                                           229
Log Attachments API                                                                                       231
Appendix: Manual Syslog Parsing                                                                           233
  Planning and Considerations                                                                             233
The Parsing Procedure                                                                                     234
  Manual Syslog Parsing                                                                                   235
  The Free Text Parsing Language                                                                          237
    The Commands                                                                                          237
    Try                                                                                                   237
    Group_try                                                                                             238
    Switch                                                                                                239
    Unconditional_try                                                                                     240
    Include                                                                                               240
    Add_field                                                                                              240
  Dictionary                                                                                               246
  The Parsing Procedure                                                                                    247
Glossary
A
Administrator
    A user with permissions to manage Check Point security products and the network
    environment.
API
    In computer programming, an application programming interface (API) is a set of
    subroutine definitions, protocols, and tools for building application software. In general
    terms, it is a set of clearly defined methods of communication between various software
    components.
Appliance
    A physical computer manufactured and distributed by Check Point.
Audit Log
    A record of an action that is done by an Administrator.
Bond
    A virtual interface that contains (enslaves) two or more physical interfaces for
    redundancy and load sharing. The physical interfaces share one IP address and one
    MAC address. See "Link Aggregation".
Bonding
    See "Link Aggregation".
Bridge Mode
    A Security Gateway or Virtual System that works as a Layer 2 bridge device for easy
    deployment in an existing topology.
CA
    Certificate Authority. Issues certificates to gateways, users, or computers, so that they can
    identify themselves to connecting entities with a Distinguished Name, a public key, and sometimes
    an IP address. After certificate validation, entities can send encrypted data using the public
    keys in the certificates.
Certificate
    An electronic document that uses a digital signature to bind a cryptographic public key to
    a specific identity. The identity can be an individual, organization, or software entity. The
    certificate is used to authenticate one identity to another.
CGNAT
    Carrier Grade NAT. Extending the traditional Hide NAT solution, CGNAT uses improved
    port allocation techniques and a more efficient method for logging. A CGNAT rule
    defines a range of original source IP addresses and a range of translated IP addresses.
    Each IP address in the original range is automatically allocated a range of translated
    source ports, based on the number of original IP addresses and the size of the translated
    range. CGNAT port allocation is Stateless and is performed during policy installation.
    See sk120296.
Cluster
    Two or more Security Gateways that work together in a redundant configuration - High
    Availability, or Load Sharing.
Cluster Member
    A Security Gateway that is part of a cluster.
Cooperative Enforcement
    Integration of Endpoint Security server compliance to verify internal network
    connections.
CoreXL
    A performance-enhancing technology for Security Gateways on multi-core processing
    platforms. Multiple Check Point Firewall instances are running in parallel on multiple
    CPU cores.
CoreXL Firewall Instance
    Also CoreXL FW Instance. On a Security Gateway with CoreXL enabled, the Firewall
    kernel is copied multiple times. Each replicated copy, or firewall instance, runs on one
    processing CPU core. These firewall instances handle traffic at the same time, and each
    firewall instance is a complete and independent firewall inspection kernel.
CoreXL SND
    Secure Network Distributer. Part of CoreXL that is responsible for: processing incoming
    traffic from the network interfaces; securely accelerating authorized packets (if
    SecureXL is enabled); distributing non-accelerated packets between Firewall kernel
    instances (the SND maintains a global dispatching table, which maps connections to the
    CoreXL Firewall instances they were assigned to). Traffic distribution between CoreXL Firewall
    instances is statically based on Source IP addresses, Destination IP addresses, and the
    IP 'Protocol' type. The CoreXL SND does not really "touch" packets. The decision to stick
    to a particular FWK daemon is made at the first packet of a connection, at a very high level,
    before anything else. Depending on the SecureXL settings, and in most cases,
    SecureXL can offload decryption calculations. However, in some other cases,
    such as with Route-Based VPN, this is done by the FWK daemon.
Correlation Unit
    A SmartEvent software component that analyzes logs and detects events.
CPUSE
    Check Point Upgrade Service Engine for Gaia Operating System. With CPUSE, you can
    automatically update Check Point products for the Gaia OS, and the Gaia OS itself. For
    details, see sk92449.
Custom Report
    A user defined report for a Check Point product, typically based on a predefined report.
DAIP Gateway
    A Dynamically Assigned IP (DAIP) Security Gateway is a Security Gateway where the IP
    address of the external interface is assigned dynamically by the ISP.
Data Type
    A classification of data. The Firewall classifies incoming and outgoing traffic according to
    Data Types, and enforces the Policy accordingly.
Database
    The Check Point database includes all objects, including network objects, users,
    services, servers, and protection profiles.
Distributed Deployment
    The Check Point Security Gateway and Security Management Server products are
    deployed on different computers.
Domain
    A network or a collection of networks related to an entity, such as a company, business
    unit or geographical location.
Domain Log Server
    A Log Server for a specified Domain, as part of a Multi-Domain Log Server. It stores and
    processes logs from Security Gateways that are managed by the corresponding Domain
    Management Server. Acronym: DLS.
Event
    A record of a security or network incident that is based on one or more logs, and on a
    customizable set of rules that are defined in the Event Policy.
Event Correlation
    A procedure that extracts, aggregates, correlates and analyzes events from the logs.
Event Policy
    A set of rules that define the behavior of SmartEvent.
Expert Mode
    The name of the full command line shell that gives full system root permissions in the
    Check Point Gaia operating system.
External Network
    Computers and networks that are outside of the protected network.
External Users
    Users defined on external servers. External users are not defined in the Security
    Management Server database or on an LDAP server. External user profiles tell the
    system how to identify and authenticate externally defined users.
Firewall
    The software and hardware that protects a computer network by analyzing the incoming
    and outgoing network traffic (packets).
Gaia
    Check Point security operating system that combines the strengths of both
    SecurePlatform and IPSO operating systems.
Gaia Clish
    The name of the default command line shell in Check Point Gaia operating system. This
    is a restrictive shell (role-based administration controls the number of commands
    available in the shell).
Gaia gClish
    The name of the global command line shell in Check Point Gaia operating system for
    Security Appliances connected to Check Point Quantum Maestro Orchestrators and for
    Security Gateway Modules on Scalable Chassis. Commands you run in this shell apply
    to all Security Gateway Module / Security Appliances in the Security Group.
Gaia Portal
    Web interface for Check Point Gaia operating system.
Hotfix
    A piece of software installed on top of the current software in order to fix some wrong or
    undesired behavior.
ICA
    Internal Certificate Authority. A component on Check Point Management Server that
    issues certificates for authentication.
Internal Network
    Computers and resources protected by the Firewall and accessed by authenticated
    users.
IPv4
    Internet Protocol Version 4 (see RFC 791). A 32-bit number - 4 sets of numbers, each set
    can be from 0 - 255. For example, 192.168.2.1.
IPv6
    Internet Protocol Version 6 (see RFC 2460 and RFC 3513). 128-bit number - 8 sets of
    hexadecimal numbers, each set can be from 0 - ffff. For example,
    FEDC:BA98:7654:3210:FEDC:BA98:7654:3210.
Jumbo Hotfix Accumulator
    Collection of hotfixes combined into a single package. Acronyms: JHA, JHF.
Link Aggregation
    Technology that joins (aggregates) multiple physical interfaces together into one virtual
    interface, known as a bond interface. Also known as Interface Bonding, or Interface
    Teaming. This increases throughput beyond what a single connection could sustain, and
    provides redundancy in case one of the links should fail.
Log
    A record of an action that is done by a Software Blade.
Log Server
    A dedicated Check Point computer that runs Check Point software to store and process
    logs in a Security Management Server or Multi-Domain Security Management
    environment.
Management High Availability
    Deployment and configuration mode of two Check Point Management Servers, in which
    they automatically synchronize the management databases with each other. In this
    mode, one Management Server is Active, and the other is Standby. Acronyms:
    Management HA, MGMT HA.
Management Interface
    The interface on a Gaia computer through which users connect to the Portal or CLI. On a
    Gaia Security Gateway or Cluster Member, the interface through which the Management Server
    connects to the Security Gateway or Cluster Member.
Management Server
    A Check Point Security Management Server or a Multi-Domain Server.
Multi-Domain Log Server
    A computer that runs Check Point software to store and process logs in a Multi-Domain
    Security Management environment. The Multi-Domain Log Server consists of Domain
    Log Servers that store and process logs from Security Gateways that are managed by
    the corresponding Domain Management Servers. Acronym: MDLS.
Multi-Domain Security Management
    A centralized management solution for large-scale, distributed environments with many
    different Domain networks.
Multi-Domain Server
    A computer that runs Check Point software to host virtual Security Management Servers
    called Domain Management Servers. Acronym: MDS.
Network Object
    Logical representation of every part of corporate topology (physical machine, software
    component, IP Address range, service, and so on).
Open Server
    A physical computer manufactured and distributed by a company, other than Check
    Point.
Predefined Report
    A default report included in a Check Point product that you can run right out of the box.
Report
    A summary of network activity and Security Policy enforcement that is generated by
    Check Point products such as SmartEvent.
Rule
    A set of traffic parameters and other conditions in a Rule Base that cause specified
    actions to be taken for a communication session.
Rule Base
    Also Rulebase. All rules configured in a given Security Policy.
SecureXL
    Check Point product that accelerates IPv4 and IPv6 traffic. Installed on Security
    Gateways for significant performance improvements.
Security Gateway
  A computer that runs Check Point software to inspect traffic and enforce Security
  Policies for connected network resources.
Security Management Server
  A computer that runs Check Point software to manage the objects and policies in a Check
  Point environment.
Security Policy
  A collection of rules that control network traffic and enforce organization guidelines for
  data protection and access to resources with packet inspection.
SIC
  Secure Internal Communication. The Check Point proprietary mechanism with which
  Check Point computers that run Check Point software authenticate each other over SSL,
  for secure communication. This authentication is based on the certificates issued by the
  ICA on a Check Point Management Server.
Single Sign-On
  A property of access control of multiple related, yet independent, software systems. With
  this property, a user logs in with a single ID and password to gain access to a connected
  system or systems without using different usernames or passwords, or in some
  configurations seamlessly sign on at each system. This is typically accomplished using
  the Lightweight Directory Access Protocol (LDAP) and stored LDAP databases on
  (directory) servers. Acronym: SSO.
SmartConsole
  A Check Point GUI application used to manage Security Policies, monitor products and
  events, install updates, provision new devices and appliances, and manage a multi-
  domain environment and each domain.
SmartDashboard
  A legacy Check Point GUI client used to create and manage the security settings in
  R77.30 and lower versions.
SmartEvent Server
  Server with enabled SmartEvent Software Blade that hosts the events database.
SmartUpdate
  A legacy Check Point GUI client used to manage licenses and contracts.
Software Blade
    A software blade is a security solution based on specific business needs. Each blade is
    independent, modular and centrally managed. To extend security, additional blades can
    be quickly added.
SSO
    See "Single Sign-On".
Standalone
    A Check Point computer, on which both the Security Gateway and Security Management
    Server products are installed and configured.
System Counter
    SmartView Monitor data or report on status, activity, and resource usage of Check Point
    products.
Traffic
    Flow of data between network devices.
Users
    Personnel authorized to use network resources and applications.
VLAN
    Virtual Local Area Network. Open servers or appliances connected to a virtual network,
    which are not physically connected to the same network.
VLAN Trunk
    A connection between two switches that contains multiple VLANs.
VSX
  Virtual System Extension. Check Point virtual networking solution, hosted on a computer
  or cluster with virtual abstractions of Check Point Security Gateways and other network
  devices. These Virtual Devices provide the same functionality as their physical
  counterparts.
VSX Gateway
  Physical server that hosts VSX virtual networks, including all Virtual Devices that provide
  the functionality of physical network devices. It holds at least one Virtual System, which
  is called VS0.
Introduction
From R80, logging, event management, reporting, and monitoring are more tightly integrated than ever
before. Security data and trends are easy to understand at a glance, with Widgets and chart templates that
optimize the visual display. Logs are now tightly integrated with the policy rules. To access the logs associated
with a specific rule, click that rule. Free-text search lets you enter specific search terms to retrieve results from
millions of logs in seconds.
One-click exploration makes it easy to move from a high-level overview to specific event details such as type
of attack, timeline, application type and source. After you investigate an event, it is easy to act on it.
Depending on the severity of the event, you can ignore it, act on it later, block it immediately, or toggle over to
the rules associated with the event to refine your policy. Send reports to your manager or auditors that show
only the content that is related to each stakeholder.
In this release, SmartReporter and SmartEvent functionality is integrated into SmartConsole.
With rich and customizable views and reports, R80 introduced a new experience for log and event
monitoring.
The new views are available from two locations:
   • SmartConsole > Logs & Monitor
   • SmartView Web Application. Browse to: https://<Server IP Address>/smartview/
     Where <Server IP Address> is the IP address of the Security Management Server or SmartEvent Server.
Getting Started
This section introduces the logging and monitoring clients, and explains how to install and configure logging
and monitoring products.
Logging and Monitoring Clients
Monitor logs and events using customizable views and reports. Use these GUI clients:
SmartConsole > Logs & Monitor
    Analyze events that occur in your environment with customizable views and reports.
    The Logs view replaces the SmartView Tracker and SmartLog GUI clients.
SmartView Web Application
    It has the same real-time event monitoring and analysis views as SmartConsole,
    with the convenience of not having to install a client.
    Browse to: https://<Server IP>/smartview/, where <Server IP> is the IP
    address of the Security Management Server or SmartEvent Server.
These GUI clients are still supported:
SmartEvent
    • For initial settings - configure the SmartEvent Correlation Unit, Log Server,
      Domains and Internal Network.
    • For the correlation policy (event definitions)
    • For Automatic Reactions
SmartView Monitor
    • To monitor tunnels
    • To monitor users
    • For suspicious activity rules
    • To monitor alerts - Thresholds configuration
For more about monitoring, see "Monitoring Traffic and Connections" on page 151.
SmartView GUI Clients
Administrator access permissions can be limited by the GUI Clients list based on IP address, IP range, a
network or a host name. This list is based on the GUI clients' access configuration as defined on the relevant
Security Management Server or Multi-Domain Server.
See the R81.10 Security Management Administration Guide > Chapter Managing Administrator Accounts >
Section Defining Trusted Clients.
To open the SmartEvent GUI:
   1. Open SmartConsole > Logs & Monitor.
   2. Click (+) for a Catalog (new tab).
   3. In the External Apps section, click SmartEvent Settings & Policy.
To open the SmartView Monitor GUI:
  1. Open SmartConsole > Logs & Monitor.
  2. Click (+) for a Catalog (new tab).
  3. In the External Apps section, click Tunnel & User Monitoring.
Understanding Logging
Security Gateways generate logs, and the Security Management Server generates audit logs, which are a
record of actions taken by administrators. The Security Policy that is installed on each Security Gateway
determines which rules generate logs.
Logs can be stored on a:
   • Security Management Server that collects logs from the Security Gateways. This is the default.
   • Log Server on a dedicated machine. This is recommended for organizations that generate a lot of
     logs.
   • Security Gateway. This is called local logging.
Note - Logs can be automatically forwarded to the Security Management Server or Log Server, according to
a schedule, or manually imported with the Remote File Management operation via CLI (fw fetchlogs). The
management servers and log servers can also forward logs to other servers.
To find out how much storage is necessary for logging, see the new appliance datasheet.
A Log Server handles log management activities:
   • Automatically starts a new log file when the existing log file gets to the defined maximum size.
   • Stores log files for export and import.
   • Makes an index of the logs to enable faster responses to log queries.
     Notes:
         ◦ SmartLog Indexing mode is not enabled by default after upgrade or new installation on
           Smart-1 205, Smart-1 210, or Open Servers with less than 4 cores.
         ◦ To change SmartLog mode from Indexing to Non-Indexing on a Domain Management Server
           or Domain Log Server, edit the Domain Server object on the Domain level. There is no option
           to change the entire Multi-Domain Server or Multi-Domain Log Server to Non-Indexing mode.
An Administrator can configure Backup Log Servers. If all Primary Log Servers are disconnected, the
Security Gateway starts to send logs only to the first configured Backup Log Server. If the first Backup Log
Server is also disconnected, the Security Gateway sends logs to the second configured Backup Log Server,
and so on.
Dynamic Log Distribution
With Dynamic Log Distribution, you can configure the gateway to distribute logs between the active Log
Servers. Previously, each Log Server received a copy of every log. If one Log Server was disconnected, the
gateway connected to the backup server and sent it a copy of every log. Now you can configure that each
log is sent to only one Log Server and distribute the logs between the primary Log Servers. If all the primary
servers are disconnected, logs are distributed between backup Log Servers. If no Log Servers are
connected, the gateway writes the logs locally.
Use Case - Log distribution reduces the load on the Log Servers and on a specific gateway connection,
and reduces the need for high CPU and disk resources on the Log Servers. It helps when:
   • The gateway writes logs locally due to a high log rate.
   • The load on a specific Log Server is very high.
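The failover and distribution behavior described above, as an added simulation that is not Check Point code: it follows the Backup Log Servers rule (all primaries down means only the first connected backup receives copies) and the Dynamic Log Distribution rule (each log goes to one active server, backups when all primaries are down, local logging when nothing is reachable). The server names, the round-robin rotation inside the active set, and the LOCAL marker are assumptions; the guide does not state how logs are spread between the active servers.

```python
from itertools import cycle

LOCAL = "LOCAL"   # stands for local logging on the gateway (assumed marker)


class LogTargetSelector:
    """Picks the destination(s) of each log record for one Security Gateway."""

    def __init__(self, primaries, backups, distribute=False):
        self.primaries = list(primaries)   # order = configured order
        self.backups = list(backups)
        self.distribute = distribute       # "Distribute logs between log servers"
        self.connected = set(self.primaries) | set(self.backups)
        self._rr_key = None
        self._rr = None

    def set_connected(self, connected):
        """Update which Log Servers the gateway can currently reach."""
        self.connected = set(connected)

    def _active(self):
        """Connected primaries if any, otherwise connected backups, in configured order."""
        prim = [s for s in self.primaries if s in self.connected]
        if prim:
            return prim, "primary"
        return [s for s in self.backups if s in self.connected], "backup"

    def targets_for_log(self):
        active, tier = self._active()
        if not active:
            return [LOCAL]                  # no Log Server reachable: write locally
        if not self.distribute:
            # Copy mode: every connected primary gets a copy; once all primaries
            # are down, only the first connected backup receives the logs.
            return list(active) if tier == "primary" else [active[0]]
        # Distribution mode: each log goes to exactly one active server,
        # rotated round-robin (assumption; the guide does not state the scheme).
        key = tuple(active)
        if key != self._rr_key:
            self._rr_key, self._rr = key, cycle(active)
        return [next(self._rr)]


def simulate(selector, connected, n_logs):
    """Send n_logs records with the given set of reachable servers and return
    how many records each destination received."""
    selector.set_connected(connected)
    counts = {}
    for _ in range(n_logs):
        for target in selector.targets_for_log():
            counts[target] = counts.get(target, 0) + 1
    return counts


def scenarios():
    """Constructed topology: two primary and two backup Log Servers."""
    prim, back = ["LS-1", "LS-2"], ["LS-B1", "LS-B2"]
    copy = LogTargetSelector(prim, back, distribute=False)
    dist = LogTargetSelector(prim, back, distribute=True)
    return {
        "copy_all_up": simulate(copy, prim + back, 4),
        "copy_one_primary_down": simulate(copy, ["LS-2"] + back, 4),
        "copy_primaries_down": simulate(copy, back, 4),
        "dist_all_up": simulate(dist, prim + back, 4),
        "dist_primaries_down": simulate(dist, back, 4),
        "nothing_up": simulate(dist, [], 4),
    }


if __name__ == "__main__":
    for name, counts in scenarios().items():
        print(f"{name:24s} {counts}")
```

Comparing the copy-mode and distribution-mode counts shows the ingest each Log Server absorbs per gateway, and which scenario ends in local logging, which is the case a defender must watch for log gaps.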
To configure log distribution between multiple Log Servers in SmartConsole:
   1. From the left navigation panel, click Gateways & Servers.
   2. Open the Security Gateway object.
   3. From the left tree, click Logs > Log Distribution.
   4. For Logs Distribution, select Distribute logs between log servers for improved performance
      (applies to primary and backup log servers).
   5. Select the primary and backup Log Servers.
   6. Click OK.
   7. Install database on the configured Log Servers (click Menu > Install database > select the primary
      and backup Log Server objects > click Install).
   8. Install the policy on the Security Gateway.
Log Storage
SmartEvent and Log Server use an optimization algorithm to manage disk space and other system
resources. When the Logs and Events database becomes too large, the oldest logs and events are
automatically deleted according to the configured thresholds.
In SmartConsole, open the Security Gateway or Check Point host for editing, and open Logs > Storage.
Configure these fields:
   • Measure free disk space in - Choose MBytes or Percentage.
   • When disk space is below <number> Mbytes, issue alert - Get an alert when the available disk
     space for logs and log index files is below this threshold. This value must be at least 5 MB greater
     than the value of ...stop logging in the Additional logging options page.
   • When disk space is below <number> Mbytes, start deleting old files - Delete the oldest logs and
     log index files when the available disk space is below this threshold. This value must be at least 5 MB
     greater than the ...issue alert value.
   • Run the following script before deleting old files - Enter the path to the script.
This option is for Gateways only:
   • Reserve ... for packet capturing - Some types of logs can also capture the packets that created the
     log event. Set the amount, in MBytes or Percent, that you want to use for captured packets.
These options and examples are for a Security Management Server, SmartEvent Server, or Log
Server:
   • When disk space is below <number> Mbytes, start deleting old files - The available space in the
     logs partition is checked every minute. Once the threshold is reached, log disk maintenance runs:
     it deletes the oldest day of log and index data, and repeats until free space is again above the
     configured threshold.
Daily logs retention
   • Keep indexed logs for no longer than <number> days - Occurs daily at midnight. Deletes the oldest
     index files by days, keeping today + the configured number of index days (14 = 14 days + today).
   • Keep log files for an extra <number> days - Occurs daily at midnight. Deletes the oldest log files by
     days, keeping today + the configured number of index days + extra log days (3664 = 14 [from index
     settings] + 3650 days + today). As 3664 days is more than 10 years, this effectively keeps all log files.
     Note - The maximum combined value of indexed log days and extra log file days is 3664.
For these examples, the administrator enables these thresholds:
   • When disk space is below [5000] Mbytes, start deleting old files
   • Daily logs retention
         ◦ Keep indexed logs for 14 days
         ◦ Keep log files for an extra 6 days (6 + 14 = 20 days of log files)
Example 1:
The server has 3000 MBytes of free disk space, and 5 days of logs and index files.
The server deletes logs and index files, one day at a time, until there is 5000 Mbytes of free disk space.
Example 2:
The server has 10 GBytes of free disk space and 30 days of logs and index files.
The server deletes all log files older than 20 days ago (6 + 14), each day at midnight.
The server deletes all index files older than 14 days ago, each day at midnight.
Example 3:
A server produces 1GB of logs and 1GB of index files each day. The server now has 35 days of logs and 30
days of index files and only 2.5GB of free disk space left. The configured disk space threshold is 5GB, which
means the server is now 2.5GB below the threshold.
The index files threshold is 14 days.
The log file threshold is 20 days.
When the disk space threshold (5GB) is reached, disk space maintenance deletes logs and index data until
there is again more than 5GB of free space. In this example:
   1. Logs from day one are deleted first, as they are older. Three days of the oldest logs are deleted to
      clear 3GB of logs and leave 6GB of free space on the drive, 1GB above the threshold, leaving the
      server with 32 log days and 30 index days.
   2. The server still has more than 14 days of index files - an extra 16 days (30 days of index files now) -
       and more than 20 days of logs - an extra 12 days (32 days of log files now).
       At midnight, the extra log & index files are deleted until only the current day’s log files plus the last 20
       days remain.
       Index days are deleted until only the current day’s index plus the last 14 days remain.
       The deletion of three days of logs left 5.5GB of free space.
       The deletion of 12 log file days + 16 index file days frees up a total of 28GB (12 + 16) of space.
       33.5GB of space is now free.
       The daily logs retention occurs every day at midnight, keeping the chosen number of days of log and
       index data.
       Most likely, the server will never reach the log disk space threshold again. If it does, the log disk
       maintenance process repeats to make sure space never runs out.
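As an added illustration (not Check Point code), the following Python model reproduces the arithmetic of Example 3 with the two mechanisms described above: emergency disk-space maintenance and the midnight retention job. It assumes, as the guide's counting does ("14 = 14 days + today"), that "N days" of data means today plus N older days, and that each day holds 1 GB of logs and 1 GB of index files.

```python
"""Model of the two log-maintenance mechanisms described in the guide.

Added illustration, not Check Point code. The server keeps one log file and one
index file per day; "N days of logs" means today (age 0) plus ages 1..N, which
is the counting the guide uses. Sizes are in GB.
"""
from dataclasses import dataclass, field


@dataclass
class LogServer:
    threshold_gb: float            # "When disk space is below <N>, start deleting old files"
    index_days: int                # "Keep indexed logs for no longer than <X> days"
    extra_log_days: int            # "Keep log files for an extra <Y> days"
    free_gb: float                 # current free space in the logs partition
    log_gb_per_day: float = 1.0    # assumption: 1 GB of logs per day (as in Example 3)
    index_gb_per_day: float = 1.0  # assumption: 1 GB of index files per day
    log_ages: list = field(default_factory=list)    # ages of stored log days, 0 = today
    index_ages: list = field(default_factory=list)  # ages of stored index days, 0 = today

    @classmethod
    def with_history(cls, log_days: int, index_days_stored: int, **kwargs) -> "LogServer":
        """Server holding today plus `log_days` older days of logs and today plus
        `index_days_stored` older days of index files."""
        return cls(log_ages=list(range(log_days + 1)),
                   index_ages=list(range(index_days_stored + 1)), **kwargs)

    def disk_space_maintenance(self) -> int:
        """Emergency maintenance (the product checks free space every minute):
        while free space is not above the threshold, delete the oldest day of log
        and index data. Returns the number of days removed."""
        removed = 0
        while self.free_gb <= self.threshold_gb and (self.log_ages or self.index_ages):
            oldest = max(self.log_ages + self.index_ages)
            if oldest in self.log_ages:
                self.log_ages.remove(oldest)
                self.free_gb += self.log_gb_per_day
            if oldest in self.index_ages:
                self.index_ages.remove(oldest)
                self.free_gb += self.index_gb_per_day
            removed += 1
        return removed

    def daily_retention(self) -> tuple:
        """Midnight job: keep today + X index days and today + X + Y log days.
        Returns (log days removed, index days removed)."""
        keep_index = self.index_days
        keep_logs = self.index_days + self.extra_log_days
        old_logs = [a for a in self.log_ages if a > keep_logs]
        old_index = [a for a in self.index_ages if a > keep_index]
        self.log_ages = [a for a in self.log_ages if a <= keep_logs]
        self.index_ages = [a for a in self.index_ages if a <= keep_index]
        self.free_gb += len(old_logs) * self.log_gb_per_day
        self.free_gb += len(old_index) * self.index_gb_per_day
        return len(old_logs), len(old_index)


def example_3() -> LogServer:
    """The guide's Example 3: 35 days of logs, 30 days of index files, 2.5 GB free,
    5 GB threshold, 14 index days, 6 extra log days (20 log days in total)."""
    return LogServer.with_history(log_days=35, index_days_stored=30,
                                  threshold_gb=5.0, index_days=14,
                                  extra_log_days=6, free_gb=2.5)


if __name__ == "__main__":
    srv = example_3()
    days = srv.disk_space_maintenance()
    print(f"emergency: removed {days} oldest days -> {srv.free_gb} GB free, "
          f"{max(srv.log_ages)} log days, {max(srv.index_ages)} index days")
    logs, idx = srv.daily_retention()
    print(f"midnight: removed {logs} log days and {idx} index days -> {srv.free_gb} GB free")
```

Running it shows the emergency pass removing 3 log days (5.5 GB free, 32 log days and 30 index days left) and the midnight pass removing 12 log days and 16 index days, ending at 33.5 GB free.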
Dedicated Domain Log Servers
See Deploying a Domain Dedicated Log Server.
To learn how to monitor the Log Receive Rate on the Security Management Server / Log Server in R80 and
higher, see sk120341.
To decrease the load on the Security Management Server, you can install a dedicated Log Server and
configure the Security Gateways to send their logs to this Log Server. To see the logs from all Log Servers,
connect to the Security Management Server with SmartConsole, and go to the Logs & Monitor view > Logs
tab.
Daily Logs Retention
Daily logs retention refers to how long logs are stored before they are deleted. Configure this value to help
you manage free disk space.
Audit logs are not deleted, even in a case of emergency disk space maintenance, regardless of the
configured log retention value. You cannot configure the daily retention of audit logs.
Audit indexes are deleted only in a disk space emergency. Audit indexes are not deleted as part of daily
maintenance regardless of the value configured in SmartConsole, unless they are configured otherwise via
log_maintenance_domain_conf.csv files (Global SmartEvent only). For more details, see sk164054.
In R80.40 and higher, you can configure log retention on these servers:
   n   Management/Log Servers: Configure via SmartConsole.
   n   Multi-Domain Server/Multi-Domain Log Server: Configure log and index retention via
       SmartConsole per server and per domain and allow the use of default values for all domains on the
       Multi-Domain Server level (Super User only).
       Note - Multi-Domain Server daily index deletion is enforced according to the highest value defined
       between the domain and the Multi-Domain Server level.
   n   Global SmartEvent: Configured only via manual configuration files for Daily index retention. For more
       details, see sk164054.
       Note – When you configure log retention:
       Keep log files for an extra Y days: When this value is 0, both logs and indexed logs will be saved for
       the same number of days. A value higher than 0 results in saving additional days of logs.
       Example 1:
       Indexed logs: 14 days & log-files extra: 0 days
       Result: 14 index days & 14 days of log-files.
       Example 2:
       Indexed logs: 14 days & log-files extra: 6 days
       Result: 14 index days & 20 days of log-files.
To configure Daily logs retention (Management/SmartEvent/Log Servers):
   1. In SmartConsole, go to Logs > Storage.
   2. For Daily logs retention, select to apply this log retention policy:
           n   Keep indexed logs for no longer than <X> days.
           n   Keep log files for an extra <Y> days.
   3. Click OK to save settings.
To configure Daily logs retention (Multi-Domain Server):
   1. In SmartConsole, go to Multi-Domain Server > Log Settings > General.
   2. For Daily logs retention, select to apply this log retention policy:
           n   Keep indexed logs for no longer than <X> days.
           n   Keep log files for an extra <Y> days.
   3. Click OK to save settings.
      Note – This configuration applies to all domains that are not manually configured.
To configure Daily logs retention (Domain Management Server):
   1. In the Domain Management Server, go to Logs > Storage.
   2. Select to configure log retention according to Multi-Domain settings or to override.
      Note – Only Super Users have permissions to override Multi-Domain settings.
   3. If you select to override, select to keep indexed logs and log files for X + Y days.
   4. Click OK to save settings.
To configure Daily logs retention (Global SmartEvent):
Unlike the other cases, there is no GUI in which to configure policy settings. Any change to current GUI
settings is not enforced and default values apply.
However, you can configure the general settings using log_policy_extended.C, or you can configure
each domain individually for daily index retention via the log_maintenance_domain_conf.csv file (see
sk164054).
To configure each domain separately:
   1. Copy this file from the Multi-Domain Server (recommended):
      $RTDIR/conf/log_maintenance_domain_conf.csv
      or
      Download the template from sk164054 and place the file at
      $RTDIR/conf/log_maintenance_domain_conf.csv
   2. Edit the file manually or via Excel.
If you edit the file in a non-Linux environment, you must convert the file to Linux format by using dos2unix.
Otherwise, the file may fail to load.
You do not need to configure each domain individually, because you can define default values that apply to
every domain. To do so, add a domain called default and specify the values you want as the default.
Best Practice - Add default values even if all of the domains are individually configured. This helps if you
add a new domain and forget to edit this file, or if there is a mistake in a domain name.
If default values are not configured, all domains that are not listed in the file take the largest value
written in the file for that specific index type.
 Domain_name   audit   files   firewallandvpn   other   other-smartlog   resources   smartevent
 Domain1       3650    20      15               14      14               14          14
 Domain2       3650    20      30               14      14               14          14
 default       3650    30      14               14      14               14          14
In the example, Domain3 (not listed in the file) uses the default values.
If the default is not configured, it uses the highest values: (3650, 20, 30, 14, 14, 14, 14, 14).
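As an added example (not Check Point code), this Python resolver applies the three lookup rules above to a constructed copy of the table, and also performs the line-ending check behind the dos2unix warning. The column names follow the table; the assumption that the file is plain comma-separated text with a header row whose first column is Domain_name is mine, not taken from the guide.

```python
"""Resolver for per-Domain retention values in log_maintenance_domain_conf.csv.

Added example, not Check Point code. Assumed layout (not confirmed by the guide):
comma-separated text, one header row, first column Domain_name, then one column
per index type as in the table above.
"""
import csv
import io

INDEX_TYPES = ("audit", "files", "firewallandvpn", "other",
               "other-smartlog", "resources", "smartevent")

# Constructed sample reproducing the table above; Domain3 is deliberately absent.
SAMPLE_CSV = """Domain_name,audit,files,firewallandvpn,other,other-smartlog,resources,smartevent
Domain1,3650,20,15,14,14,14,14
Domain2,3650,20,30,14,14,14,14
default,3650,30,14,14,14,14,14
"""


def has_dos_line_endings(text: str) -> bool:
    """The guide warns that a file edited on a non-Linux system must be converted
    with dos2unix or it may fail to load; this is the check behind that warning."""
    return "\r" in text


def parse_retention_csv(text: str) -> dict:
    """Returns {domain_name: {index_type: retention_days}}; refuses CRLF files."""
    if has_dos_line_endings(text):
        raise ValueError("CRLF line endings detected; run dos2unix before loading")
    table = {}
    for row in csv.DictReader(io.StringIO(text)):
        name = row["Domain_name"].strip()
        table[name] = {t: int(row[t]) for t in INDEX_TYPES}
    return table


def resolve_retention(domain: str, table: dict) -> dict:
    """Applies the rules from the text, in order:
    1. a Domain listed in the file uses its own row;
    2. otherwise it uses the row called 'default', if present;
    3. otherwise it takes, per index type, the largest value in the file."""
    if domain in table:
        return dict(table[domain])
    if "default" in table:
        return dict(table["default"])
    return {t: max(row[t] for row in table.values()) for t in INDEX_TYPES}


if __name__ == "__main__":
    parsed = parse_retention_csv(SAMPLE_CSV)
    print("Domain3 with default row:   ", resolve_retention("Domain3", parsed))
    without_default = {k: v for k, v in parsed.items() if k != "default"}
    print("Domain3 without default row:", resolve_retention("Domain3", without_default))
```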
Deploying Logging
You can enable logging on the Security Management Server (enabled by default), or deploy a dedicated Log
Server.
After you deploy the Log Server, you must configure the Security Gateways for logging.
You must execute the Install Database function on the remote Log Server when you:
   n   Enable or disable a logging related blade or function, including Log Indexing in a server object.
   n   Add a new Log Server to the system.
   n   Change a Security Gateway's Log Server.
   n   Change a Log Server's log settings or make any other Log Server object change.
   n   Change anything in the Global Properties that might affect the Log Server.
Enabling Logging on the Security Management Server
  1. Open SmartConsole.
  2. Edit the network object of the Security Management Server.
  3. In the General Properties page, on the Management tab, enable Logging & Status.
  4. Click OK.
  5. Publish the SmartConsole session.
Deploying a Dedicated Log Server
To deploy a dedicated Log Server, you must install it, and then connect it to the Security Management
Server.
Note – If you configure the Global SmartEvent Server and the dedicated Log Server to read logs from the
same domain, you receive duplicate logs.
For details, see the R81.10 Installation and Upgrade Guide.
Configuring the Security Gateways for Logging
To configure a Security Gateway for logging:
  1. Open SmartConsole.
  2. In the Gateways & Servers view, double-click the Security Gateway object.
  3. From the navigation tree, click Logs.
  4. Configure where to send logs:
          n   To save logs to the Security Management Server - Select Send gateway logs to server.
          n   To save logs to a dedicated Log Server - Select the Log Server from the list.
          n   To save logs locally - Select Save logs locally, on this server.
  5. Click OK.
   6. Publish the SmartConsole session.
   7. Install a policy on the Security Gateway.
Enabling Log Indexing
Log indexing on the Security Management Server or Log Server reduces the time it takes to run a query on
the logs. Log indexing is enabled by default.
In a standalone deployment, log indexing is disabled by default. Enable log indexing only if the standalone
server CPU has 4 or more cores.
To manually enable Log Indexing:
   1. Open SmartConsole.
   2. From the Gateways & Servers view, double-click the Security Management Server or Log Server
      object.
      The General Properties window opens.
   3. In the Management tab, select Logging & Status.
   4. From the navigation tree, click Logs.
   5. Select Enable Log Indexing.
   6. Click OK.
   7. Publish the SmartConsole session.
   8. From Menu, select Install Database > select all objects > click Install.
Disabling Log Indexing
To save disk storage space, a Log Server can be configured to work in non-index mode. If you disable log
indexing, queries will take longer.
When log indexing is disabled, you must connect with SmartConsole to each Log Server separately to query
its logs. When you connect to the Management Server you do not get a unified view of all logs, as in index
mode. On each Log Server, the search is done on one log file at a time.
To disable Log Indexing:
   1. Open SmartConsole.
   2. From the Gateways & Servers view, double-click the Security Management Server or Log Server
      object.
   3. From the navigation tree, click Logs.
   4. Clear the Enable Log Indexing option.
   5. Click OK.
   6. Publish the SmartConsole session.
   7. From Menu, select Install Database > select all objects > click Install.
To select a log file to search:
   1. Open Logs & Monitor > Logs view.
   2. Click the Options menu button to the right of the search bar.
   3. Select File > Open Log File.
Deploying SmartEvent
SmartEvent Server is integrated with the Security Management Server architecture. It communicates with
Log Servers to read and analyze logs. You can enable SmartEvent on the Security Management Server or
deploy it as a dedicated server.
Only a Security Management Server can also work as a SmartEvent Server. In a Multi-Domain environment,
you must install SmartEvent on a dedicated server.
You must execute the Install Database function on the remote SmartEvent Server when you:
   n   Enable or disable a SmartEvent Server blade, including Log Indexing in a server object.
   n   Add a new SmartEvent Server to the system.
   n   Change a SmartEvent Server log settings or make any other SmartEvent Server object change.
   n   Change anything in the Global Properties that might affect the SmartEvent Server.
SmartEvent Licensing
You can deploy SmartEvent in these ways:
   n   As part of the SmartEvent - A renewable one-year license is included with the SmartEvent package.
   n   As a dedicated server - You can purchase a perpetual license for a SmartEvent Server.
Enabling SmartEvent on the Security Management Server
  1. Open SmartConsole.
  2. From the left navigation panel, click Gateways & Servers.
  3. Open the Security Management Server object.
  4. On the Management tab, enable these Software Blades:
          n   Logging & Status
          n   SmartEvent Server
          n   SmartEvent Correlation Unit
  5. Click OK.
  6. Publish the SmartConsole session.
Note - For Security Gateways R77.30 and lower, you must activate the Firewall session for the network
activity report. See "Exporting Views and Reports" on page 65.
System Requirements
For versions earlier than R81, the SmartEvent Server from one version can be managed by multiple
management versions.
Management Server support for SmartEvent Server
                                         Management Server version
 SmartEvent Server version     R77.30     R80     R80.10     R80.20     R80.30     R80.40
 R77.30
 R80
 R80.10
 R80.20.M1
 R80.30
 R80.40
Starting from R81, a SmartEvent Server can only be managed by a Security Management Server of the same
version. Managing SmartEvent by a lower version of the Security Management Server is no longer
supported.
To use SmartEvent, see the requirements in the R81.10 Release Notes.
Installing a Dedicated SmartEvent Server
For information on how to install a SmartEvent Server, see the R81.10 Installation and Upgrade Guide.
  1. Download the installation ISO file.
  2. Install the ISO on a Smart-1 appliance or an open server.
       Allocate partition size:
           n   Root partition: at least 20 GB
           n   Logs partition: more than allocated for Root and backup (set maximum possible) to let the
               server keep a long history.
  3. When prompted, reboot.
  4. Run the Gaia First Time Configuration Wizard.
Configuring the SmartEvent Components in the First Time Configuration Wizard
Configure the components of the dedicated server for SmartEvent on a Smart-1 appliance, or on an open
server.
For information on how to install a SmartEvent Server, see the R81.10 Installation and Upgrade Guide.
Connecting R81.10 SmartEvent to R81.10 Security Management Server
This procedure explains how to configure a dedicated server for these components:
   n   SmartEvent Server and SmartEvent Correlation Unit
Note - For information on how to install a dedicated SmartEvent Server, see the R81.10 Installation and
Upgrade Guide.
To connect R81.10 SmartEvent Server and SmartEvent Correlation Unit to R81.10 Security Management Server:
   1. In SmartConsole, create a new Check Point Host object for the dedicated SmartEvent Server.
   2. In the Version field, select R81.10.
   3. Create a SIC trust with the dedicated SmartEvent Server.
   4. On the Management tab, enable these Software Blades:
          n   Logging & Status
          n   SmartEvent Server
          n   SmartEvent Correlation Unit
   5. On a dedicated SmartEvent Server that is not a Log Server (recommended):
       In the Logs page, make sure that Enable Log Indexing is not selected.
       This ensures that Firewall connections (which are not relevant for views and reports) are not indexed.
   6. Click OK.
   7. Publish the SmartConsole session.
   8. Click Menu > Install Database > select all objects > click Install.
Note - For R77.30 Security Gateways and lower: activate the Firewall session for the network activity report.
See "Exporting Views and Reports" on page 65.
Advanced Configuration for a dedicated SmartEvent Server that is also a Correlation Unit
   1. Open the SmartEvent GUI:
          a. In SmartConsole > Logs & Monitor, click + to open a catalog (new tab).
          b. Click SmartEvent Settings & Policy.
   2. In Policy tab > Correlation Units, define a Correlation Unit object.
   3. Select the production Log Servers and local Log Server on the SmartEvent Server to read logs from.
   4. In Policy tab > Internal Network, define the internal Network.
   5. Click Save.
   6. Install the Event Policy on the Correlation Unit:
       SmartEvent menu > Actions > Install Event Policy.
Connecting R81.10 SmartEvent to R81.10 Multi-Domain Server
You can configure a dedicated R81.10 server for SmartEvent components, and connect them to one or
more Domains in an R81.10 Multi-Domain Security Management environment.
This procedure explains how to configure a dedicated server for these SmartEvent components:
   n   SmartEvent Server and SmartEvent Correlation Unit
Notes:
   n   From R81, you can configure the SmartEvent Server and SmartEvent Correlation Unit at the level of
       the Global Domain and at the level of a specific Domain.
   n   Configure SmartEvent to read logs from one Domain or a number of Domains.
Connecting an R81.10 SmartEvent Server and SmartEvent Correlation Unit to a Global Domain on an R81.10 Multi-Domain Server
       1. Connect with SmartConsole to the Global Domain:
             a. Connect to the Multi-Domain Server.
             b. From the list of Domains, select Global.
       2. Create a Check Point Host object for the Dedicated SmartEvent Server R81.10.
       3. In the Check Point Host object > General Properties page > Management tab, select these
          Software Blades:
              n   Logging & Status
              n   SmartEvent Server
              n   SmartEvent Correlation Unit
       4. Initialize SIC with the dedicated SmartEvent Server R81.10 Server.
       5. Click OK.
       6. Publish the SmartConsole session.
       7. Reassign the Global Policy for the Domains that use SmartEvent.
          For new Domains, create a new global assignment.
       8. For each Domain Management Server that uses SmartEvent:
             a. Open SmartConsole.
             b. Click Menu > Policy > Install Database > select all objects > click Install.
             c. Wait until the Domain Management Server synchronizes and loads the SmartEvent process.
Connecting an R81.10 SmartEvent Server and SmartEvent Correlation Unit to a specific Domain on an R81.10 Multi-Domain Server
      1. Connect with SmartConsole to the specific Domain:
             a. Connect to the Multi-Domain Server.
             b. From the list of Domains, select the applicable specific Domain.
      2. Create a Check Point Host object for the Dedicated SmartEvent Server R81.10.
      3. In the Check Point Host object > General Properties page > Management tab, select these
         Software Blades:
              n   Logging & Status
              n   SmartEvent Server
              n   SmartEvent Correlation Unit
      4. Initialize SIC with the dedicated SmartEvent Server R81.10 Server.
      5. Click OK.
      6. Publish the SmartConsole session.
      7. Click Menu > Policy > Install Database > select all objects > click Install.
      8. Wait until the Domain Management Server synchronizes and loads the SmartEvent process.
See also Advanced Configuration for a dedicated SmartEvent Server that is also a Correlation Unit in
"Connecting an R81.10 SmartEvent to an R81.10 Security Management Server" on page 53.
Note - For Security Gateways R77.30 and lower: activate the Firewall session for the network activity report
in "Exporting Views and Reports" on page 65.
Configuring SmartEvent to use a Non-Standard LEA Port
You can get logs from and send logs to a third-party Log Server. The Check Point Log Server and the third
party Log Server use the LEA (Log Export API) protocol to read logs. By default, the Check Point Log Server
uses port 18184 for this connection. If you configure the Log Server to use a different LEA port, you must
manually configure the new port on the SmartEvent Server and on the SmartEvent Correlation Unit.
Note - This procedure is not relevant if you use "Log Exporter" on page 194.
To change the default LEA port:
   1. Open $INDEXERDIR/log_indexer_custom_settings.conf in a text editor.
   2. Add this line to the file:
      :lea_port (<new_port_number>)
   3. Save the changes in the file and exit the editor.
   4. In the SmartEvent client, configure the new port on the Correlation Unit.
   5. In Policy tab > Correlation Units, configure the Correlation Unit to read logs from the local Log Server
      (on the SmartEvent Server).
   6. Configure the new port on the SmartEvent Server:
            a. In Policy tab > Network Objects, double-click the SmartEvent Server object.
            b. Change the LEA port No parameter to <new_port_number>.
  7. Install the Event Policy on the Correlation Unit: Actions > Install Event Policy.
  8. On the SmartEvent Server:
            a. Run: cpstop
            b. Open $FWDIR/conf/fwopsec.conf in a text editor.
            c. Change these parameters:
               lea_server auth_port <new_port_number>
               lea_server port 0
            d. Save the changes in the file and exit the editor.
            e. Run: cpstart
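The procedure above edits the LEA port in two files that must agree. As an added example (not Check Point code), this Python check parses constructed copies of the lines the procedure shows and reports any mismatch; it assumes only those lines matter and ignores the many other settings the real files carry. The port 18185 in the sample is a placeholder for <new_port_number>.

```python
"""Consistency check for the LEA port settings the procedure above edits.

Added example, not Check Point code. Assumption: only the ':lea_port (N)' line in
$INDEXERDIR/log_indexer_custom_settings.conf and the 'lea_server auth_port N' /
'lea_server port N' lines in $FWDIR/conf/fwopsec.conf are inspected.
"""
import re

DEFAULT_LEA_PORT = 18184   # default LEA port named in the text

# Constructed sample file contents; 18185 stands in for <new_port_number>.
INDEXER_SETTINGS = ":lea_port (18185)\n"
FWOPSEC_CONF = "lea_server auth_port 18185\nlea_server port 0\n"


def indexer_lea_port(text: str) -> int:
    """Port from log_indexer_custom_settings.conf, or the default when no
    ':lea_port (...)' line is present."""
    m = re.search(r"^\s*:lea_port\s*\(\s*(\d+)\s*\)", text, re.MULTILINE)
    return int(m.group(1)) if m else DEFAULT_LEA_PORT


def fwopsec_lea_settings(text: str) -> dict:
    """{'auth_port': N, 'port': M} from 'lea_server <key> <value>' lines in fwopsec.conf."""
    pairs = re.findall(r"^\s*lea_server\s+(auth_port|port)\s+(\d+)", text, re.MULTILINE)
    return {key: int(value) for key, value in pairs}


def lea_port_problems(indexer_text: str, fwopsec_text: str) -> list:
    """Returns an empty list when both files match the end state of the procedure:
    the same non-default auth_port in both, and lea_server port set to 0."""
    problems = []
    indexer_port = indexer_lea_port(indexer_text)
    fw = fwopsec_lea_settings(fwopsec_text)
    if fw.get("auth_port") != indexer_port:
        problems.append(f"fwopsec.conf lea_server auth_port is {fw.get('auth_port')}, "
                        f"but log_indexer_custom_settings.conf uses {indexer_port}")
    if fw.get("port") != 0:
        problems.append(f"fwopsec.conf lea_server port is {fw.get('port')}; "
                        f"the procedure sets it to 0")
    return problems


if __name__ == "__main__":
    issues = lea_port_problems(INDEXER_SETTINGS, FWOPSEC_CONF)
    print("consistent" if not issues else "\n".join(issues))
```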
Configuring SmartEvent to read External Logs
To configure SmartEvent to read logs from an externally-managed Log Server or an external Security
Management Server, see sk35288.
An externally managed Log Server is managed by a different Security Management Server than the one that
manages the SmartEvent Server. An external Security Management Server is not the one that manages the
SmartEvent Server.
Deploying a Domain Dedicated Log Server
Introduction
In a Multi-Domain Security Management environment, the Security Gateways send logs to the Domain
Management Server and dedicated Domain Log Servers.
The Multi-Domain Server unifies logs, and they can be stored on the Multi-Domain Server or on a dedicated
Multi-Domain Log Server.
Starting in R81, Multi-Domain Server supports a dedicated Log Server (installed on a separate computer)
for a Domain.
You can configure a Domain Dedicated Log Server to receive logs only from a specified Domain, and no
other Domains can access these logs.
This allows you to locate the dedicated Log Server in a separate network from the Multi-Domain Security
Management environment to comply with special regulatory requirements.
Logs reported to the Domain Dedicated Log Server can be viewed from any SmartConsole that has
permissions for this Domain.
The Domain Dedicated Log Server communicates directly only with the associated Domain Server. No other
Domain can access its log data.
Procedure for an R81.10 Multi-Domain Environment
  1. Install an R81.10 Multi-Domain Server.
      See the R81.10 Installation and Upgrade Guide > Chapter "Installing a Multi-Domain Server".
  2. Install a regular dedicated R81.10 Log Server.
      See the R81.10 Installation and Upgrade Guide > Chapter "Installing a Dedicated Log Server or
      SmartEvent Server".
  3. Connect with SmartConsole to the specific Domain.
      See the R81.10 Multi-Domain Security Management Administration Guide.
  4. Add a regular Log Server object for the dedicated R81.10 Log Server you installed in Step 2.
Requirement after upgrade to R81.10:
For any environment that uses a SmartEvent Server or a Domain Dedicated Log Server, this step is required
after the upgrade to R81.10 from any source version:
After you upgrade the SmartEvent Server or Domain Dedicated Log Server, run this command in the Expert
mode on each Multi-Domain Security Management Server:
 $MDS_FWDIR/scripts/cpm.sh -tm -op reset -d all -sd
Procedure for an R77.x Multi-Domain Environment
Upgrade with CPUSE
    1. Upgrade all servers from R77.x to R80.20 (or R80.30 or R80.40).
       This applies to all Multi-Domain Servers, Multi-Domain Log Servers, Domain Dedicated Log
       Servers, and SmartEvent Servers.
          a. Follow the instructions in the R80.40 Installation and Upgrade Guide.
             Important - Stop after the CPUSE Verifier shows the upgrade / installation is allowed.
                 n   For Multi-Domain Servers:
                     See the chapter "Upgrade of Multi-Domain Servers and Multi-Domain Log Servers" >
                     select the applicable section to upgrade "from R80.10 and lower" > select the
                     applicable section to upgrade "with CPUSE".
                 n   For Log Servers:
                     See the chapter "Upgrade of Security Management Servers and Log Servers" >
                     section "Upgrading a Dedicated Log Server from R80.10 and lower" > select the
                     applicable section to upgrade "with CPUSE".
                 n   For SmartEvent Servers:
                     See the chapter "Upgrade of Security Management Servers and Log Servers" >
                     section "Upgrading a Dedicated SmartEvent Server from R80.10 and lower" > select
                     the applicable section to upgrade "with CPUSE".
          b. Fix all the errors, except the one specified for Log Servers on a Domain Management
             Server:
               Log Servers on the Domain Management Server level are not yet
               supported in R80.x
          c. On each Multi-Domain Security Management Server, modify the Pre-Upgrade Verifier to
             treat the upgrade errors as warnings:
                 i. Connect to the command line on the Multi-Domain Server.
                ii. Log in to the Expert mode.
                 iii. Enter these commands as they appear below (after each command, press the Enter
                      key; the here-document runs until the closing EOF line):
                       cp -v $CPDIR/tmp/.CPprofile.sh{,_BKP}
                       cat >> $CPDIR/tmp/.CPprofile.sh << EOF
                       export PUV_ERRORS_AS_WARNINGS=1
                       EOF
          d. Restart the CPUSE daemon:
               DAClient stop ; DAClient start
          e. Follow the instructions in the R80.40 Installation and Upgrade Guide to upgrade all the
             servers "with CPUSE".
    2. Upgrade all Multi-Domain Servers to R81.10.
       See the R81.10 Installation and Upgrade Guide > chapter "Upgrade of Multi-Domain Servers and
       Multi-Domain Log Servers" > select the applicable section to upgrade "from R80.20 and higher" >
       select the applicable section to upgrade "with CPUSE".
    3. On each Multi-Domain Security Management Server, run this script in the Expert mode:
         $MDS_FWDIR/scripts/configureCrlDp.sh
    4. Reboot each Multi-Domain Security Management Server:
         reboot
    5. Upgrade all Log Servers and SmartEvent Servers to R81.10.
       See the R81.10 Installation and Upgrade Guide > chapter "Upgrade of Security Management
        Servers and Log Servers" > section "Upgrading a Security Management Server or Log Server
       from R80.20 and higher" > section "Upgrading a Security Management Server or Log Server from
       R80.20 and higher with CPUSE".
                 Note - To install an R81.10 Log Server or an R81.10 SmartEvent Server, see
                 the chapter "Installing a Dedicated Log Server or SmartEvent Server".
    6. On each Multi-Domain Security Management Server, run this script in the Expert mode:
         $MDS_FWDIR/scripts/cpm.sh -tm -op reset -d all -sd
    7. Reboot all the Domain Dedicated Log Servers and the SmartEvent Servers:
         reboot
Advanced Upgrade
    1. Upgrade all servers from R77.x to R80.20 (or R80.30 or R80.40).
       This applies to all Multi-Domain Servers, Multi-Domain Log Servers, Domain Dedicated Log
       Servers, and SmartEvent Servers.
      a. Run the Pre-Upgrade Verifier, as detailed in the R80.40 Installation and Upgrade Guide.
              n   For Multi-Domain Servers:
                  See the chapter "Upgrade of Multi-Domain Servers and Multi-Domain Log Servers" >
                  select the applicable section to upgrade "from R80.10 and lower" > select the
                  applicable section to upgrade "with Advanced Upgrade".
              n   For Log Servers:
                  See the chapter "Upgrade of Security Management Servers and Log Servers" >
                  section "Upgrading a Dedicated Log Server from R80.10 and lower" > select the
                  applicable section to upgrade "with Advanced Upgrade".
              n   For SmartEvent Servers:
                  See the chapter "Upgrade of Security Management Servers and Log Servers" >
                  section "Upgrading a Dedicated SmartEvent Server from R80.10 and lower" > select
                  the applicable section to upgrade "with Advanced Upgrade".
      b. Fix all the errors, except the one specified for Log Servers on a Domain Management
         Server:
           Log Servers on Domain Management Server level are not yet
           supported in R80.x
      c. In your active shell window, run this command in the Expert mode:
           export PUV_ERRORS_AS_WARNINGS=1
      d. Follow the instructions in the R80.40 Installation and Upgrade Guide to upgrade all the
         servers "with Advanced Upgrade".
2. Upgrade all Multi-Domain Servers to R81.10.
   See the R81.10 Installation and Upgrade Guide > chapter "Upgrade of Multi-Domain Servers and
   Multi-Domain Log Servers" > select the applicable section to upgrade "from R80.10 and lower" >
   select the applicable section to upgrade "with Advanced Upgrade".
3. On each Multi-Domain Security Management Server, run this script in the Expert mode:
     $MDS_FWDIR/scripts/configureCrlDp.sh
4. Reboot each Multi-Domain Security Management Server:
     reboot
5. Upgrade all Log Servers and SmartEvent Servers to R81.10.
   See the R81.10 Installation and Upgrade Guide > chapter "Upgrade of Security Management
   Servers and Log Servers" > section "Upgrading a Security Management Server or Log Server
   from R80.20 and higher" > section "Upgrading a Security Management Server or Log Server from
   R80.20 and higher with Advanced Upgrade".
             Note - To install an R81.10 Log Server or an R81.10 SmartEvent Server, see
             the chapter "Installing a Dedicated Log Server or SmartEvent Server".
6. On each Multi-Domain Security Management Server, run this script in the Expert mode:
     $MDS_FWDIR/scripts/cpm.sh -tm -op reset -d all -sd
7. Reboot all the Domain Dedicated Log Servers and SmartEvent Servers:
     reboot
Administrator Permission Profiles
You can give an administrator permissions for:
   n   Monitoring and Logging
   n   Events and Reports
To define an administrator with these permissions:
   1. Define an administrator or an administrator group.
   2. Define a Permission Profile with the required permissions in SmartConsole (Manage & Settings >
      Permission Profiles).
   3. Assign that profile to the administrator or to the administrator group.
Configuring Permissions for Monitoring, Logging, Events, and Reports
In the Profile object, select the features and the Read or Write administrator permissions for them.
Monitoring and Logging Features
These are some of the available features:
   n   Monitoring
   n   Management Logs
   n   Track Logs
   n   Application and URL Filtering Logs
Events and Reports Features
These are the permissions for SmartEvent:
   n   SmartEvent
          l   Events - views in SmartConsole > Logs & Monitor
          l   Policy - SmartEvent Policy and Settings in the SmartEvent GUI.
          l   Reports - in SmartConsole > Logs & Monitor
   n   SmartEvent Application & URL Filtering reports only
Multi-Domain Security Management
In Multi-Domain Security Management, each event and report is related to a Domain. Administrators can
see events only for the Domains that their permissions allow.
A Multi-Domain Security Management Policy administrator can be:
   n   Locally defined administrator on the SmartEvent Server.
   n   Multi-Domain Server Super User defined on the Multi-Domain Server.
   n   An administrator with permissions on all Domains. Select the Domains in SmartEvent, in Policy >
       General Settings > Objects > Domains. This type of administrator can install a Policy, and can see
       events from multiple Domains.
SmartEvent Reports-Only Permission Profile
You can define a special permission profile for administrators that only see and generate SmartEvent
reports. With this permission profile, Administrators can open SmartConsole, but in the Logs & Monitor view
can see only Reports. They cannot access other security information in SmartEvent. You can configure this
permissions profile to apply to the Application & URL Filtering blade only, or apply to all blades.
To create a SmartEvent report-only permissions profile:
  1. In SmartConsole, click Manage & Settings > Permissions Profiles.
  2. In the Permission Profiles page, select a permission profile, or click the New button and create a
     permission profile.
  3. Select Customized.
  4. On the Events and Reports page, select SmartEvent Reports.
  5. Clear all other options.
  6. On the Access Control, Threat Prevention, and Others pages, clear all options.
  7. On the Monitoring and Logging page, select all features, with Write permissions.
  8. Click OK.
       The profile shows in the Permission Profiles page.
  9. Assign the SmartEvent Reports Only permissions profile to administrators.
 10. Publish the SmartConsole session.
 11. Install the policy.
Importing Offline Log Files
The administrator can examine logs from a previously generated log file. This makes it possible to review
security threats and pattern anomalies that occurred in the past, before SmartEvent was installed. You can
investigate threats such as unauthorized scans targeting vulnerable hosts, unauthorized logins, denial of
service attacks, network anomalies, and other host-based activity.
The administrator can review logs from a specific timeframe in the past and focus on deploying resources on
threats that have been active but may have been missed (for example, new events which may have been
dynamically updated can now be processed over the previous period).
Importing Log Files from SmartEvent Servers
By default, you can import offline logs from the last 1 day. To import more days of logs, change the log
indexing settings.
To change log indexing settings:
Note - Do this to make it possible to import logs from more than 1 day (the default) before the SmartEvent
Server was installed.
   1. Run: # evstop
   2. Run: $INDEXERDIR/log_indexer -days_to_index <days>
      <days> is the last number of days of logs to be indexed by the SmartEvent Server. For example, to
      import and index logs from the last 30 days of logs, give a value of 30.
      Note - To decrease the performance effect while you index the offline logs, import only the necessary
      number of days of logs.
   3. In the Logs > Storage page of the SmartEvent Server, make sure that Keep indexed logs for... is not
      selected, or is selected with a number of days equal to or larger than the configured days_to_index.
   4. Run: # evstart
To allow the SmartEvent Server to index offline log files:
   1. Copy the log files and related pointer files <log file name>.log* to $FWDIR/log. Copy the files
      to the Log Server that sends logs to the SmartEvent Server.
   2. Optional: Do an Offline Work for Correlated Events procedure for each log file. This procedure is done
      to run the log files through the Correlation Unit for correlation analysis according to the Event Policy
      (defined in SmartEvent GUI client).
      To run SmartEvent offline jobs for multiple log files, see: sk98894.
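The indexing and copy steps above have two places where an administrator can go wrong: a days_to_index value larger than the Keep indexed logs for retention (the indexed logs are purged again), and a log file staged without its pointer files. The following POSIX shell helpers are an added example written for this guide, not Check Point code: reindex_plan checks the retention rule and prints the evstop / log_indexer / evstart sequence as a dry run (it never executes them, so it can be tried on any host), and stage_offline_logs copies <log file name>.log* into $FWDIR/log and reports how many files came along. The variables $FWDIR and $INDEXERDIR and the command names are those the guide uses; the log file names in self_check are constructed, and the pointer file suffixes there are assumptions for the example.

```shell
#!/bin/sh
# Added example (not part of the Check Point guide): a dry-run planner for the
# log_indexer re-index step and a helper that stages offline log files.
# Assumes the Check Point variables $FWDIR and $INDEXERDIR and the commands
# evstop, log_indexer and evstart named in the guide; none of them is run here.

is_uint() {
    # True when $1 is a non-empty string of digits.
    case $1 in
        ''|*[!0-9]*) return 1 ;;
        *) return 0 ;;
    esac
}

# reindex_plan DAYS RETENTION
#   DAYS      - value to pass to "log_indexer -days_to_index"
#   RETENTION - the "Keep indexed logs for" value from Logs > Storage,
#               or "" when that option is not selected
# Prints the Expert-mode command sequence. Returns 1 when RETENTION is smaller
# than DAYS, because the freshly indexed logs would be deleted again as soon as
# retention is enforced.
reindex_plan() {
    days=$1
    retention=$2
    if ! is_uint "$days" || [ "$days" -eq 0 ]; then
        echo "days_to_index must be a positive integer" >&2
        return 1
    fi
    if [ -n "$retention" ]; then
        if ! is_uint "$retention" || [ "$retention" -lt "$days" ]; then
            echo "Keep indexed logs for ($retention) must be >= days_to_index ($days)" >&2
            return 1
        fi
    fi
    printf '%s\n' \
        'evstop' \
        "\$INDEXERDIR/log_indexer -days_to_index $days" \
        'evstart'
}

# stage_offline_logs SRC_DIR NAME [DEST_DIR]
#   Copies NAME.log and every file sharing its prefix (NAME.log*, i.e. the
#   pointer files) from SRC_DIR into DEST_DIR, which defaults to $FWDIR/log on
#   the Log Server that feeds the SmartEvent Server. Prints the number of
#   files copied. Fails if NAME.log is missing; warns if no pointer files
#   came with it, since the guide says to copy them together.
stage_offline_logs() {
    src=$1
    name=$2
    dest=${3:-$FWDIR/log}
    [ -f "$src/$name.log" ] || { echo "missing $src/$name.log" >&2; return 1; }
    [ -d "$dest" ] || { echo "destination $dest does not exist" >&2; return 1; }
    count=0
    for f in "$src/$name.log"*; do
        [ -f "$f" ] || continue
        cp -p "$f" "$dest/" || return 1
        count=$((count + 1))
    done
    if [ "$count" -lt 2 ]; then
        echo "warning: $name.log came without pointer files" >&2
    fi
    echo "$count"
}

# self_check
#   Builds a constructed log set (empty files named like a rotated Check Point
#   log; the pointer suffixes are assumptions for this example) in a temporary
#   directory and stages it, so the helper can be exercised without a Log
#   Server. Prints the number of files copied.
self_check() {
    tmp=$(mktemp -d) || return 1
    mkdir "$tmp/src" "$tmp/dest"
    for suffix in log logptr loginitial_ptr; do
        : > "$tmp/src/2021-12-01_000000.$suffix"
    done
    stage_offline_logs "$tmp/src" 2021-12-01_000000 "$tmp/dest"
    rc=$?
    rm -rf "$tmp"
    return $rc
}
```

Typical use on a real system is `reindex_plan 30 ""` (or `reindex_plan 30 60` when retention is set to 60 days) to print the commands to run, followed by `stage_offline_logs /var/tmp/old_logs 2021-12-01_000000` on the Log Server. Keep the days value as small as the investigation needs, as the note above says, because every extra day is indexed at the same time.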
Offline Work For Correlated Events
To detect suspicious logging activity (suspicious according to the Event Policy on the SmartEvent GUI >
Policy tab), run the offline log file through the Correlation Unit.
The settings for Offline Jobs are in: SmartEvent GUI client > Policy tab > General Settings >
Initial Settings > Offline Jobs, connected to the Security Management Server or Multi-Domain Server.
The settings are:
n   Add - Configure an Offline Log File procedure.
        l   Name - Lets you recognize the specified Offline log file for future processing.
        l   Comment - A description of the Offline Job.
        l   Offline Job Parameters:
            SmartEvent Correlation Unit: The machine that reads and processes the Offline Logs.
            Log Server: The machine that contains the Offline Log files. SmartEvent makes a query to this
            Log Server to find out which log files are available.
            Log File - A list of available log files found on the selected Log Server. These log files are
            processed by the SmartEvent Correlation Unit. In this window, select the log file from which to
            retrieve historical information.
n   Edit - Change the parameters of an Offline Log File procedure.
n   Remove - Delete an Offline Log File procedure. After you start an Offline Log File procedure you
    cannot remove it.
n   Start - Run the Offline Log File procedure.
n   Stop - Stop the Offline Log File procedure. It does not delete the procedure, but stops it at the
    specified point.
Importing Syslog Messages
Many third-party devices use the syslog format for logging. The Log Server reformats the raw data to the
Check Point log format to process third-party syslog messages.
The Log Server uses a syslog parser to convert syslog messages to the Check Point log format.
To import syslog messages, define your own syslog parser and install it on the Log Server.
SmartEvent can take the reformatted logs and convert them into security events.
Generating a Syslog Parser and Importing syslog Messages
To import syslog messages from products and vendors that are not supported out-of-the-box, see sk55020.
This shows you how to:
   1. Import some sample syslog messages to the Log Parsing Editor.
   2. Define the mapping between syslog fields and the Check Point log fields.
   3. Install the syslog parser on the Log Server.
After you imported the syslog messages to the Log Server, you can see them in SmartConsole, in the Logs
& Monitor > Logs tab.
Note - Make sure that Access Control rules allow ELA traffic between the Syslog computer and the Log
Server.
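The mapping that the Log Parsing Editor builds is, in essence, a split of each syslog line into named fields that the Log Server can store and SmartEvent can query. As an added example (written for this guide, not Check Point code and not the parser format of sk55020), the POSIX shell function below performs that split on a BSD-style (RFC 3164) syslog line and emits key=value pairs, rejecting lines without the <PRI> prefix instead of guessing. The output field names (time, origin, product, syslog_facility, syslog_severity, message) are assumptions chosen for the example; the product value is what you would later filter on in the Product Name query described in "Configuring SmartEvent to Read Imported Syslog Messages". The sample lines in sample_syslog are constructed.

```shell
#!/bin/sh
# Added example (not part of the Check Point guide or of sk55020): the field
# split a syslog parser performs, done in POSIX shell on RFC 3164 lines.
# Output field names are assumptions for this example, not a product schema.

# parse_syslog LINE
#   Prints one key=value record for LINE, or returns 1 when LINE carries no
#   <PRI> prefix (a parser should reject such lines rather than guess).
parse_syslog() {
    line=$1
    pri=$(printf '%s\n' "$line" | sed -nE 's/^<([0-9]{1,3})>.*/\1/p')
    [ -n "$pri" ] || { echo "no PRI field: $line" >&2; return 1; }
    facility=$((pri / 8))     # PRI = facility * 8 + severity
    severity=$((pri % 8))
    rest=$(printf '%s\n' "$line" | sed -E 's/^<[0-9]{1,3}>//')
    # The BSD timestamp "Mmm dd hh:mm:ss" is always 15 characters, then a space.
    ts=$(printf '%s\n' "$rest" | cut -c1-15)
    rest=$(printf '%s\n' "$rest" | cut -c17-)
    host=${rest%% *}          # hostname up to the first space
    rest=${rest#* }
    tag=${rest%%:*}           # "app[pid]" or "app", up to the first colon
    msg=${rest#*: }
    app=${tag%%\[*}           # drop the "[pid]" part if present
    printf 'time="%s" origin=%s product=%s syslog_facility=%s syslog_severity=%s message="%s"\n' \
        "$ts" "$host" "$app" "$facility" "$severity" "$msg"
}

# parse_syslog_stream
#   Reads syslog lines from stdin, prints a record per line, reports the number
#   of rejected lines on stderr and fails if any line was rejected. Use it to
#   check a mapping against a sample before installing it on the Log Server.
parse_syslog_stream() {
    bad=0
    while IFS= read -r l; do
        parse_syslog "$l" || bad=$((bad + 1))
    done
    echo "rejected=$bad" >&2
    [ "$bad" -eq 0 ]
}

# sample_syslog
#   Constructed sample lines (not real device output) for a quick self-check.
sample_syslog() {
    printf '%s\n' \
        '<34>Dec  1 10:15:32 fw-edge sshd[2201]: Failed password for invalid user admin from 203.0.113.7 port 50221 ssh2' \
        '<6>Dec  1 10:16:00 fw-edge kernel: link up'
}
```

Run `sample_syslog | parse_syslog_stream` to see the two records; a non-zero rejected count is the signal that the sample contains a message shape the mapping does not yet cover, which is exactly what you want to find before the parser is installed rather than after events start arriving in SmartEvent.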
Configuring SmartEvent to Read Imported Syslog Messages
After you imported the syslog messages to the Log Server, you can forward them to SmartEvent Server
(and other OPSEC LEA clients), as other Check Point logs. SmartEvent converts the syslog messages into
security events.
To configure the SmartEvent Server to read logs from this Log Server:
   1. Configure SmartEvent to read logs from the Log Server.
   2. In SmartEvent or in the SmartConsole event views, make a query to filter by the Product Name field.
      This field uniquely identifies the events that are created from the syslog messages.
Connecting an R81.10 SmartEvent to an
R81.10 Security Management Server
This procedure explains how to configure a dedicated server for these components:
   n   SmartEvent Server and SmartEvent Correlation Unit
Note - For information on how to install a dedicated SmartEvent Server, see the R81.10 Installation and
Upgrade Guide.
To connect R81.10 SmartEvent Server and SmartEvent Correlation Unit to R81.10 Security
Management Server:
   1. In SmartConsole, create a new Check Point Host object for the dedicated SmartEvent Server.
   2. In the Version field, select R81.10.
   3. Create a SIC trust with the dedicated SmartEvent Server.
   4. On the Management tab, enable these Software Blades:
          n   Logging & Status
          n   SmartEvent Server
          n   SmartEvent Correlation Unit
   5. On a dedicated SmartEvent Server that is not a Log Server (recommended):
       In the Logs page, make sure that Enable Log Indexing is not selected.
       This ensures that Firewall connections (which are not relevant for views and reports) are not indexed.
   6. Click OK.
   7. Publish the SmartConsole session.
   8. Click Menu > Install Database > select all objects > click Install.
Note - For Security Gateways R77.30 and lower: activate the Firewall session for the network activity report.
See "Exporting Views and Reports" on page 65.
Advanced Configuration for a dedicated SmartEvent Server that is also a Correlation Unit
   1. Open the SmartEvent GUI:
          a. In SmartConsole > Logs & Monitor, click + to open a catalog (new tab).
          b. Click SmartEvent Settings & Policy.
   2. In Policy tab > Correlation Units, define a Correlation Unit object.
   3. Select the production Log Servers and local Log Server on the SmartEvent Server to read logs from.
   4. In Policy tab > Internal Network, define the internal Network.
   5. Click Save.
6. Install the Event Policy on the Correlation Unit:
   SmartEvent menu > Actions > Install Event Policy.
Views and Reports
You can create rich and customizable views and reports for log and event monitoring.
The views present queries in a graphical way which can be used for analytical and presentation purposes.
Use these:
   n   SmartConsole - from the left navigation panel, click Logs & Monitor.
   n   SmartView Web Application - for generating and editing views in a browser:
        https://<Server IP Address>/smartview/
       Where <Server IP Address> is the IP address of the Security Management Server or
       SmartEvent Server.
Enabling Views and Reports
To enable SmartEvent views and reports, you must install and configure a SmartEvent Server. See
"Deploying SmartEvent" on page 37.
Catalog of Views and Reports
In the Logs & Monitor view, click the (+) tab to open a catalog of all views and reports, predefined and
customized. Click a view or report to open it. You can create a new view or report, or export them to PDF. To
see other actions, open the Actions menu.
 Item       Description
 1          Open Log View - See and search through the logs from all Log Servers. In SmartConsole
            only, you can also search the logs from a specific Log Server.
            Open Audit Logs View - See and search records of actions done by SmartConsole
            administrators.
            These views come from the Log Servers. All other Views/Reports (except the Compliance
            View) come from the SmartEvent Server.
 2          Views - The list of predefined and customized views. A view is an interactive dashboard made
            up of widgets. The view tells administrators and other stakeholders about security and network
            events. Each widget is the output of a query. Widgets can show the information as a chart,
            table, or some other format. To find out more about the events, double-click a widget to drill
            down to a more specific view or raw log files.
            Compliance View - Optimize your security settings and ensure compliance with regulatory
            requirements.
 3          Reports - The list of predefined and customized reports. A report consists of multiple views.
            There are several predefined reports, and you can create new reports. A report gives more
            details because it consists of multiple views. Reports can be customized, filtered, generated
            and scheduled. You cannot drill down into a report.
 4          Favorites - Use this view to collect the views and reports you use the most.
            Recent - Shows the most recently opened report or view.
5      Switch to Table View or Thumbnails View - The Table view is the default for Views and
       Reports. The Thumbnails view is the default for Favorites, Recent, and Logs.
6      Scheduled Tasks - See and edit scheduled tasks.
7      Archive - Download the exported views and reports.
8      Catalog (New Tab) - Open a Catalog (new tab) and select Log View, Audit View, Views, or
       Reports. In the Logs & Monitor view, click the (+) tab to open a catalog of all views and reports,
       predefined and customized. To open a view, double-click the view or select the applicable
       view and click Open from the action bar.
Views
A view shows an interactive dashboard made up of widgets. Each widget is the output of a query. A widget
pane can show information in different formats, for example, a chart or a table.
SmartView and SmartEvent come with several predefined views. You can create new views that match your
needs, or you can customize an existing view.
 Item      Description
 1         Widget - The output of a query. A Widget can show information in different formats, for
           example, a chart or a table. To find out more about the events, you can double-click most
           widgets to drill down to a more specific view or raw log files.
 2         Options - Customize the view, restore defaults, Hide Identities, copy the view, export the view.
 3         Query search bar - Define custom queries using the GUI tools, or manually entering query
           criteria. Shows the query definition for the most recent query. Click Query Syntax to open the
           online Help for more information.
 4         Time Period - Specify the time periods for the view.
Reports
A report consists of multiple views and a cover page. There are several predefined reports, and you can
create new reports. A report gives more details than a view. Reports can be customized, filtered, generated
and scheduled. You cannot drill down into a report.
Note - For Security Gateways R77.30 and lower, the ability to generate reports on Firewall and VPN activity
is integrated into SmartConsole. To enable this functionality, activate the Firewall session event on the
SmartEvent Policy tab. Select and enable Consolidated Sessions > Firewall Session. For more
information, see "Connecting an R81.10 SmartEvent to an R81.10 Security Management Server" on
page 53.
Automatic View and Report Updates
SmartEvent automatically downloads new predefined views and reports, and downloads updates to existing
predefined ones. To allow this, make sure the management server has internet connectivity to the Check
Point Support Center.
Opening a View or Report
Use the predefined graphical views and reports for the most frequently seen security issues. You can also
customize the views and reports.
To open a view or report:
  1. In SmartConsole, open the Logs & Monitor view.
  2. Click the + icon to open a new catalog.
  3. Click Views or Reports.
  4. Select a view or a report, and click Open. You can also double click to open it.
  5. Define the required timeframe, and filter in the search bar.
  6. Click Enter.
MITRE ATT&CK in SmartView
MITRE ATT&CK is a new methodology to investigate security incidents. To use this feature, you must enable
SmartEvent and one of these blades: Threat Emulation, IPS or Anti-Bot.
In SmartView, you can use the MITRE ATT&CK view to:
   n   Quickly locate the tactics (malicious files) and techniques the attackers use against your network.
   n   Use a heat map to locate the top techniques, drill down to understand where damage occurred from
       malicious files, and follow the MITRE ATT&CK mitigation recommendations.
   n   Extract immediate action items based on the mitigation flow
To access the MITRE ATT&CK view:
  1. Open a new catalog in Views and select the MITRE ATT&CK view.
       A heat map table opens. The darker the color, the higher the number of attack attempts.
  2. Double click on a technique that is the darkest shade of red. You can now drill down further.
  3. Review the different malicious emails/file downloads and click one of the logs.
4. Inside the log, you can review the entire list of MITRE ATT&CK tactics and techniques used by the
   attacker for the specific attack.
5. When you locate the technique (for example, Service Execution under Execution), go to
   https://attack.mitre.org/
Exporting Views and Reports
The Export to PDF and Export to CSV options save the current view or report as a PDF or CSV file, based
on the defined filters and time frame.
Note - When you export a view or report to CSV, only tables are exported. You can download a zip folder
which contains a separate CSV file for each table.
To export a view or report to PDF or CSV:
   1. In SmartConsole, open the Logs & Monitor view.
   2. Click the + tab to open a new tab.
   3. Click Views or Reports.
   4. Select a view or report.
   5. Click Export to PDF. Optionally:
          n   Configure the Period and filter.
          n   To automatically send by email to specified recipients each time the view or report runs,
               configure the Send by email settings. See "Configuring Email Settings for Views and Reports"
               on page 72.
      Alternatively, click Open and from inside the view or report click Options > Export to PDF or Export
      to CSV.
To see your exported views and reports:
   1. Add a new tab. Click +.
   2. Go to Tasks > Archive.
Generating a Network Activity Report
The Network Activity report shows important Firewall connections. For example, top sources, destinations,
and services. To create this report, SmartEvent must first index the Firewall logs. Indexing is on by default in
R80 and higher, in all environments except for Standalone.
To enable the Network Activity Report for Security Gateways R80.10 and higher:
In SmartConsole, in the Access Control Policy rule, add per Session to the Track settings. See "Tracking
Options" on page 103.
To enable the Network Activity Report for Security Gateways R77.30 and lower:
   1. In SmartConsole, open the Logs & Monitor view.
   2. Click the (+) to open a new tab.
   3. In the External Apps section, click SmartEvent Settings & Policy link.
   4. In the SmartEvent GUI client > Policy tab, select and expand Consolidated Sessions.
   5. Select Firewall Session.
      Note - This configuration increases the number of events per day by about five times. To avoid a
      performance impact, make sure the hardware can handle the load.
Sharing Reports
You can share a report you created with your team, without export or import. If a regular admin shares a
view or report, it is shared with all the admins on the domain. A super admin for the Multi-Domain Server can
share with all users under all domains.
To share a report:
   1. In SmartConsole, open Logs & Monitor and click + to open a new tab.
   2. Click Reports and select a report.
   3. Click Actions and select Share.
   4. Click Yes to approve sharing the report.
      The report is now marked as shared.
The report owner can undo the action and unshare the report.
To unshare the report:
Click Actions and select Unshare.
Note - A Super User can take ownership of reports or views created by other administrators via the take
ownership feature.
Permissions when an owner shares a view/report:
                Visible on Catalog    Can Edit     Can clone      Can Delete
 Owner                   +                +             +               +
 Super User              +                -             +               -
Exporting and Importing Templates
You can export the view or report layout and widget definitions to a file. This is called a template. You can
import the template from another server or from another administrator.
To export the view or report layout and widget definitions to a file, use the Export Template option.
To download exported templates, click the link in the notification message. To view historical reports, views,
and templates, go to Tasks > Archive.
To import the file from another server or from another administrator, use the Import Template option in the
Catalog (new tab).
Scheduling a View or Report
To schedule a view or report, you need to define and edit it in SmartConsole.
To schedule a report:
   1. In SmartConsole, open the Logs & Monitor view.
   2. Click the + tab to open a new tab.
   3. Click Views or Reports.
   4. Select a view or a report.
   5. Select Actions > Schedule PDF or Schedule CSV.
      The Schedule page of the Export settings window opens.
   6. Define the recurrence pattern.
   7. Define the Period and Filter.
   8. Optional: Configure email settings to get the scheduled view or report automatically. Click Send by
      email.
To edit your scheduled views and reports:
   1. In SmartConsole, open the Logs & Monitor view.
   2. Click the + tab to open a new tab.
   3. Select Tasks > Scheduled.
Customizing a View or Report
To customize a view or report:
  1. Select a view or a report and click Open.
  2. Click Options > Edit.
  3. In a report, you can edit the report or the current view in the report.
           n   To add or remove widgets, click the relevant icon in the edit toolbar (available in edit
               mode).
           n   To add a widget or arrange the widgets in the view, use drag and drop or expand. See
               "Widgets" on page 74.
           n   Define filters (see "Widgets" on page 74).
Note - If you change the timeframe, the data changes according to the start and stop times. The timeframe
and search bar are not saved with the view or report definition. Define them as needed when generating the
view or report. See "Opening a View or Report" on page 62.
View Settings
Views can be configured according to these options:
  1. Enter a title.
  2. To show more results, select No page limit. This option allows a table to spread across multiple
      pages when saved to PDF, and shows all the results for the selected table query across as many
      pages as required.
  3. Select what you want to display when this control has no data:
          n   Remove the page
          n   Show a default or custom message.
  4. Select to use the view as a template and add filter and sort criteria.
      Use the view as a basis for generating duplicate views with more granularity.
Use Case:
The Active Users predefined view shows all active users. You want to see a more granular view per user:
  1. Open the Active Users view and click Options > View settings.
      The View Settings window opens.
  2. Select Use View as template.
  3. For Filter each view by, select User.
  4. Select Number of values. For example, 5.
  5. Click OK.
  6. Go to Options > Export > Export to PDF.
  7. The view is exported. Wait until a message shows the view was successfully exported.
   8. Click Download.
      The report shows all widgets in the view filtered according to each user.
Report Settings
Reports can be configured according to these options:
Configuring Email Settings for Views and Reports
You can automatically send views and reports by email to specified recipients each time the view or report
runs.
Configuring Email Server Settings
Mail server settings in SmartConsole and SmartView are shared for all email interactions. For each
SmartConsole administrator, configure them one time.
To configure email server settings:
   1. Select a view or a report in the catalog.
   2. Click Export to PDF, or Actions > Schedule PDF or Actions > Schedule CSV.
   3. Click Send by email.
   4. In the Email Server section, click Edit.
      Note - In SmartView, you can edit the mail server on the user preferences menu.
   5. Configure the email server options:
           -   Sender email address. This shows on all report emails.
           -   Outgoing mail server (SMTP)
           -   Port - The default port is 25.
           -   Use authentication (Optional) - If required by the email server, configure a Username and
               Password.
           -   Connection encryption (Optional) - If required by the email server, choose SSL or TLS.
   6. Click OK.
Configuring Email Recipients
Define the email recipients every time you run the view or report, or one time for scheduled reports.
To configure email recipients:
   1. Select a view or a report from the catalog.
   2. Click Export to PDF, or Actions > Schedule PDF or Actions > Schedule CSV.
   3. Click Send by email.
   4. In the Email recipients section, click + to enter an email address. You can add multiple addresses.
   5. Click OK.
Adding a Logo to Reports
You can configure reports to show your company logo on report cover pages instead of the Check Point
logo.
To add a logo to your reports:
   1. Save your logo image as a PNG file with the name: cover-company-logo.png
   2. Copy the image to the $RTDIR/smartview/conf/ directory on the SmartEvent Server.
      Note - This applies when there is local SmartEvent on the Management Server. Otherwise, you must add the
      logo image to every machine the users connect to, or the logo only displays when connected to the
      SmartEvent IP.
Note - The best image dimensions are 152 pixels wide by 94 pixels high.
Widgets
You can customize the widgets to optimize the visual display. To customize widgets, switch to edit mode.
Click Options > Edit. You can copy a widget and use it in another view.
   -   To save changes, click Done.
   -   To cancel changes, click Discard.
   -   To restore the predefined view to the default values, click Options > Restore Defaults.
       Note - The Restore Defaults option is only available after you modify a predefined view.
Adding and Customizing Widgets
To add a Widget:
  1. Double-click a view or report to open it.
  2. Click Options > Edit.
  3. Click Add Widget and select the widget type.
        Chart Settings:
           a. Enter a title.
           b. Select a chart type: vertical bar, horizontal bar, pie, area or line.
           c. Select a data category for the X axis.
           d. Define how the Top Values are calculated (by number of logs, or by traffic).
           e. Set a limit for how many top values to show.
           f. Optional: click Series - Split the results into colored groups with different values for the series.
           g. Optional: click Customize and define axis titles and legend position.
        Timeline Settings:
           a. Enter a title.
           b. Select a timeline graphical presentation: vertical bar, doughnut, area or line.
           c. Select the data to count.
           d. Advanced - split the results into colored groups, with different values for the Series.
           e. Define the time-granularity. Enter the number of bars or doughnuts to show.
              Note - In R81 GA the last field is called Samples and accepts integer values.
              In R81 + R81 JHA (from sk170114) the field is called Resolution and is a drop-down list with
              predefined values.
        Table Settings:
           a. Enter a title.
           b. Manage columns: add, edit, remove, and change the order.
           c. Select a column on the left and define its settings:
                -   Enter the number of top values to show.
                -   Select how values are sorted.
           d. Select this option to group results with the same value in one row.
        Map Settings:
           a. Enter a title.
           b. Enter the number of Top Countries to mark.
           c. Select to mark Top Source Countries, Top Destination Countries, or both.
           d. Define how to find the Top Countries (for example, by number of logs or by traffic).
The infographic widget shows large meaningful values. For example:
        Infographic Settings:
           a. Enter a title.
           b. Select a field to count. Selecting None means all the logs that match the filter criteria are
              counted.
           c. Define filter criteria.
              These criteria are in addition to the inherited filters for the report and view layers.
              For more, see Filters in "Widgets" on page 74.
           d. Optional: Enter an icon name in the field.
              Select a name from the list below. Pay attention to upper and lower case letters and the use of
              hyphens.
        Icon                Used for
        apps
        attacks
        hosts
        gateway
        traffic
        usercheck
        users
        new                 Audit Logs
        add                 Audit Logs
        remove              Audit logs
        modify              Audit logs
        install-policy
        publish
        ips
        anti-bot
        anti-virus
        threat-emulation
           e. Enter primary text that describes the value counted.
           f. Optional: For secondary text, enter a more detailed description.
Use a container to unify multiple widgets into one frame. Add a container, then add, edit, or remove
the widgets inside it.
Note - The container widget cannot be added to a container.
        Container Settings:
           a. Enter a title.
           b. Optional: filter at the container level. The filter applies to all internal widgets.
           c. Select the widget order inside the container: Horizontal, Vertical, Grid or Tabs.
        After the container is added to the view, you can configure it further:
           a. Remove the widget from the container.
           b. Add a new widget.
           c. Edit the settings for the container, or edit one of the widgets in the list.
        Use this window to add textual explanations to the View text box.
  4. Click OK.
  5. Select filters for the widget in addition to the inherited filters from the report and view layers. See
     Filters in "Widgets" on page 74.
  6. Configure settings for the widget.
To customize a widget:
  1. In the view where the widget is located, click Options > Edit.
  2. Go to the required widget and click the wheel icon to edit the image properties.
  3. Edit the required properties.
  4. Click Done.
Copying Widgets and Views to other Locations
You can copy a widget used in one view or report and paste it in another view or report.
To copy a widget to another location:
   1. Right-click the required widget.
   2. The copy option shows with the name of the widget:
   3. Select Copy: [widget name].
   4. Go to the view or report in which you want to paste the widget.
   5. Go to Options and select Edit:
  6. Right-click an empty space in the view or report.
      From the Paste drop-down menu, select the widget you want to paste:
  7. Click Done.
         Note - When you copy a widget to another view or report, the copied widget does not
         include the filter of the original view or report, only the filter defined for the copied
         widget.
To copy a view to another report:
  1. Right-click the required view.
  2. The copy option shows with the name of the view:
  3. Select Copy: [view name].
  4. Go to the report in which you want to paste the view.
  5. Go to Options and select Edit:
  6. Right-click an empty space in the report.
  7. From the Paste drop-down menu, select the view you want to paste:
   8. Click Done.
           Note - When you copy a view to another report, the copied view does not include the
           filter of the original report, only the filter of the copied view.
Filters
The search bar is used to apply on-demand filters, but you can also save filters with the view / report
definition.
There are different layers of filters:
   1. Filters to apply to the full report.
   2. Filters to apply to a view (specified page in a report) and all widgets that this page includes.
   3. Filters to apply to the selected widget.
To edit the view filter:
   1. Click the + (plus) button to add a filter.
      To delete a filter, click the X button.
   2. Select a field.
      To enable free text search, select Custom Filter.
   3. Select a comparison method.
   4. Select or enter the value.
      You can define multiple values.
Filtering for Active Directory User Groups
You can filter logs, reports, and views for one or more Active Directory groups.
   1. In your Access Control Policy, create an Access Role that includes all the Active Directory groups you
      want to have in the query.
   2. Install the Access Control Policy on the Security Gateways.
   3. Look at the Identity Awareness login logs, and copy the names of the relevant groups. They usually
      have the prefix "ad_".
   4. Add a filter for the field User Group and type or paste the name of the group that you want to include
      in the filter. For multiple groups, use a comma-separated list.
Logging
SmartConsole lets you transform log data into security intelligence. Search results are fast and immediately
show the log records you need. The Security Gateways send logs to the Log Servers on the Security
Management Server or on a dedicated server. Logs show on the SmartConsole Logs & Monitor Logs tab.
You can:
   -   Quickly search through logs with simple Google-like searches.
   -   Select from many predefined search queries to find the applicable logs.
   -   Create your own queries using a powerful query language.
   -   Monitor logs from administrator activity and connections in real-time.
Sample Log Analysis
This is a sample procedure that shows how to do an analysis of a log of a dropped connection.
To show a log of a dropped connection:
  1. Log into SmartConsole.
  2. Connect to the IP address of the Security Management Server, not to a Log Server.
  3. In the Security Policies > Access Control > Policy view, select a rule with the Drop action.
  4. In the bottom pane, click Logs.
      This shows the logs for connections that were dropped by the specific rule.
  5. Double-click a log.
      The Log Details window opens.
The Logs View
Item      Description
1         Queries - Predefined and favorite search queries.
2         Time Period - Search with predefined custom time periods.
3         Query search bar - Define custom queries in this field. You can use the GUI tools or manually
          enter query criteria. Shows the query definition for the most recent query.
4         Log statistics pane - Shows top results of the most recent query.
5         Results pane - Shows log entries for the most recent query.
Note - On a Security Management Server with the "Enable Log Indexing" option not selected, and a
dedicated Log Server with "Enable Log Indexing" option selected: When you connect with SmartConsole
to the Security Management Server, the Logs view shows the logs of individual log files. It is not possible
to get a unified view of all the logs.
Working with Logs
Choosing Rules to Track
Logs are useful if they show the traffic patterns you are interested in. Make sure your Security Policy tracks
all necessary rules. When you track multiple rules, the log file is large and requires more disk space and
management operations.
To balance these requirements, track rules that can help you improve your cyber security, help you
understand user behavior, and are useful in reports.
Configuring Tracking in a Policy Rule
To configure tracking in a rule:
   1. Right-click in the Track column.
   2. Select a tracking option.
   3. Install the policy.
Tracking Options
Select these options in the Track column of a rule:
   -   None - Do not generate a log.
   -   Log - This is the default Track option. It shows all the information that the Security Gateway used to
       match the connection. At a minimum, this is the Source, Destination, Source Port, and Destination
       Port. If there is a match on a rule that specifies an application, a session log shows the application
       name (for example, Dropbox). If there is a match on a rule that specifies a Data Type, the session log
       shows information about the files, and the contents of the files.
   -   Accounting - Select this to update the log at 10-minute intervals, to show how much data has passed
       in the connection: Upload bytes, Download bytes, and browse time.
Note - When upgrading from R77.X or from R80 versions to R81.10, there are changes to the behavior of
the options in the Track column. To learn more see sk116580.
Advanced Track options
Detailed Log and Extended Log are only available if one or more of these Blades are enabled on the Layer:
Application & URL Filtering, Content Awareness, or Mobile Access.
   -   Detailed Log - Equivalent to the Log option, but also shows the application that matched the
       connections, even if the rule does not specify an application. Best Practice - Use for a cleanup rule
       (Any/internet/Accept) of an Applications and URL Filtering Policy Layer that was upgraded from an
       R77 Application Control Rule Base.
   -   Extended Log - Equivalent to the Detailed option, but also shows a full list of URLs and files in the
       connection or the session. The URLs and files show in the lower pane of the Logs view.
Log Generation
   -   per Connection - Select this to show a different log for each connection in the session. This is the
       default for rules in a Layer with only Firewall enabled. These are basic Firewall logs.
   -   per Session - Select this to generate one log for all the connections in the same session (see "Log
       Sessions" on page 102). This is the default for rules in a Layer with Application & URL Filtering or
       Content Awareness enabled. These are basic Application Control logs.
Alert:
For each alert option, you can define a script in Menu > Global properties > Log and Alert > Alerts.
   -   None - Do not generate an alert.
   -   Alert - Generate a log of type Alert and run a command, such as: Show a popup window, send an
       email alert or an SNMP trap alert, or run a user-defined script as defined in the Global Properties.
   -   SNMP - Generate a log of type Alert and send an SNMP alert to the SNMP GUI, as defined in the
       Global Properties.
   -   Mail - Generate a log of type Alert and send an email to the administrator, as defined in the Global
       Properties.
   -   User Defined Alert - Generate a log of type Alert and send one of three possible customized alerts.
       The alerts are defined by the scripts specified in the Global Properties.
Log Sessions
A session is a user's activity at a specified site or with a specified application. The session starts when a
user connects to an application or to a site. The Security Gateway includes all the activity that the user does
in the session in one session log (in contrast to the Security Gateway log, which shows top sources,
destinations, and services).
To search for log sessions:
In the Logs tab of the Logs & Monitor view, enter:
type:Session
To see details of the log session:
In the Logs tab of the Logs & Monitor view, select a session log.
In the bottom pane of the Logs tab, click the tabs to see details of the session log:
   -   Connections - Shows all the connections in the session. These show if Per connection is selected in
       the Track option of the rule.
   -   URLs - Shows all the URLs in the session. These show if Extended Log is selected in the Track
       option of the rule.
   -   Files - Shows all the files uploaded or downloaded in the session. These show if Extended Log is
       selected in the Track option of the rule, or if a Data Type was matched on the connection.
To see the session log for a connection that is part of a session:
   1. In the Logs tab of the Logs & Monitor view, double-click on the log record of a connection that is part
      of a session.
   2. In the Log Details, click the session icon (in the top-right corner) to search for the session log in a
      new tab.
To configure the session timeout:
By default, after a session continues for three hours, the Security Gateway starts a new session log. You
can change this in SmartConsole from the Manage & Settings view, in Blades > Application & URL
Filtering > Advanced Settings > General > Connection unification.
Viewing Rule Logs
You can search for the logs that are generated by a specific rule, from the Security Policy or from the Logs &
Monitor > Logs tab.
To see logs generated by a rule (from the Security Policy):
   1. In SmartConsole, go to the Security Policies view.
   2. In the Access Control Policy or Threat Prevention Policy, select a rule.
   3. In the bottom pane, click one of these tabs to see:
           -   Logs - By default, shows the logs for the Current Rule. You can filter them by Source,
               Destination, Blade, Action, Service, Port, Source Port, Rule (Current rule is the default),
               Origin, User, or Other Fields.
           -   History (Access Control Policy only) - List of rule operations (Audit logs) related to the rule in
               chronological order, with the information about the rule type and the administrator that made
               the change.
To see logs generated by a rule (by Searching the Logs):
   1. In SmartConsole, go to the Security Policies view.
   2. In the Access Control Policy or Threat Prevention Policy, select a rule.
   3. Right-click the rule number and select Copy Rule UID.
   4. In the Logs & Monitor > Logs tab, search for the logs in one of these ways:
           -   Paste the Rule UID into the query search bar and click Enter.
           -   For faster results, use this syntax in the query search bar:
               layer_uuid_rule_uuid:*_<UID>
               For example, paste this into the query search bar and click Enter:
               layer_uuid_rule_uuid:*_46f0ee3b-026d-45b0-b7f0-5d71f6d8eb10
Packet Capture
You can capture network traffic. The content of the packet capture provides a greater insight into the traffic
which generated the log. With this feature activated, the Security Gateway sends a packet capture file with
the log to the Log Server. You can open the file, or save it to a file location to retrieve the information at a
later time.
For some blades, the packet capture option is activated by default in Threat Policy.
To deactivate packet capture (in Threat Policy only):
   1. In SmartConsole, go to the Security Policies view.
   2. In the Track column of the rule, right-click and clear Packet Capture.
To see a packet capture:
   1. In SmartConsole, go to the Logs & Monitor view.
   2. Open the log.
   3. Click the link in the Packet Capture field.
       The Packet Capture opens in a program associated with the file type.
   4. Optional: Click Save to save the packet capture data on your computer.
Searching the Logs
SmartConsole lets you quickly and easily search the logs with many predefined log queries.
To see the predefined queries:
   1. Open SmartConsole > Logs & Monitor view.
   2. Click Queries.
To create your own queries, see "Creating Custom Queries" on page 97.
Running Queries
To create and run a query:
   1. In the query search bar, click Enter Search Query (Ctrl+F).
   2. Enter or select query criteria.
To manually refresh your query:
         Click Refresh (F5).
To continuously refresh your query (Auto-Refresh):
          Click Auto-Refresh (F6). The icon is highlighted when Auto-Refresh is enabled.
The query continues to update every five seconds while Auto-Refresh is enabled. If the number of logs
exceeds 100 in a five-second period, the logs are aggregated, and the summary view shows.
Showing Query Results
Query results can include tens of thousands of log records. To prevent performance degradation,
SmartConsole only shows the first set of results in the Results pane. Typically, this is a set of 50 results.
Scroll down to show more results. As you scroll down, SmartConsole extracts more records from the log
index on the Security Management Server or Log Server, and adds them to the results set. See the number
of results above the Results pane.
For example, on the first run of a query, you can see the first 50 results out of over 150,000 results. When
you scroll down, you can see the first 100 results out of over 150,000.
The Tops pane, on the right side of the Results pane, shows the top statistics such as top sources, top
actions, etc.
Note - Top statistics are estimated according to the partial log results already shown on the screen. They
are not calculated for the entire query timeframe.
Customizing the Results Pane
By default, SmartConsole shows a predefined set of columns and information based on the selected blade
in your query. This is known as the Column Profile. For example:
   -   The DLP column profile includes columns for: Blade, Type, DLP Incident UID, and Severity.
   -   The Threat Prevention column profile includes columns for: Origin, Action, Severity, and Source
       User.
A column profile is assigned based on the blade that occurs most frequently in the query results. This is
called Automatic Profile Selection, and is enabled by default.
The Column Profile defines which columns show in the Results Pane and in which sequence. You can
change the Column Profile as necessary for your environment.
To use the default Column Profile assignments:
   -   Right-click a column heading and select Columns Profile > Automatic Profile Selection.
To manually assign Column Profile assignments by default:
   -   Right-click a column heading and select Columns Profile > Manual Profile Selection.
To manually assign a different Column Profile:
   1. Right-click a column heading and select Columns Profile.
   2. Select a Column Profile from the options menu.
To change a Column Profile:
   1. Right-click a column heading and select Columns Profile > Edit Profile.
   2. In the Show Fields window, select a Column Profile to change.
   3. Select fields to add from the Available Fields column.
   4. Click Add.
   5. Select fields to remove from the Selected Fields column.
   6. Click Remove.
   7. Select a field in the Selected Fields.
   8. Click Move Up or Move Down to change its position in the Results Pane.
   9. Double-click the Width column to change the default column width for the selected field.
To change the column width:
   1. Drag the right column border in the Results Pane.
   2. Right-click and select Save Profile.
       Changes made to the column are saved for future sessions.
Creating Custom Queries
Queries can include one or more criteria. You can modify an existing predefined query or create a new one
in the query box.
To modify a predefined query:
Click inside the query box to add search filters.
To save the new query in the Favorites list:
   1. Click Queries > Add to Favorites.
       The Add to Favorites window opens.
   2. Enter a name for the query.
   3. Select or create a new folder to store the query.
   4. Click Add.
Selecting Query Fields
You can enter query criteria directly from the Query search bar.
To select field criteria:
   1. If you start a new query, click Clear to remove query definitions.
   2. Put the cursor in the Query search bar.
   3. Select a criterion from the drop-down list or enter the criteria in the Query search bar.
Selecting Criteria from Grid Columns
You can use the column headings in the Grid view to select query criteria. This option is not available in the
Table view.
To select query criteria from grid columns:
   1. In the Results pane, right-click on a column heading.
   2. Select Add Filter.
   3. Select or enter the filter criteria.
      The criteria show in the Query search bar and the query runs automatically.
Manually Entering Query Criteria
You can enter query criteria directly in the Query search bar. You can manually create a new query or make
changes to an existing query that shows in the Query search bar.
As you enter text, the Search shows recently used query criteria or full queries. To use these search
suggestions, select them from the drop-down list.
Query Language Overview
A powerful query language lets you show only selected records from the log files, according to your criteria.
To create complex queries, use Boolean operators, wildcards, fields, and ranges. This section refers in
detail to the query language.
When you use SmartConsole to create a query, the applicable criteria show in the Query search bar.
The basic query syntax is [<Field>:] <Filter Criterion>.
To put together many criteria in one query, use Boolean operators:
[<Field>:] <Filter Criterion> {AND|OR|NOT} [<Field>:] <Filter Criterion> ...
Most query keywords and filter criteria are not case sensitive, but there are some exceptions. For example,
"source:<X>" is case sensitive ("Source:<X>" does not match). If your query results do not show the
expected results, change the case of your query criteria, or try upper and lower case.
When you use queries with more than one criteria value, an AND is implied automatically, so there is no
need to add it. Enter OR or other boolean operators if needed.
Criteria Values
Criteria values are written as one or more text strings. You can enter one text string, such as a word, IP
address, or URL, without delimiters. Phrases or text strings that contain more than one word must be
surrounded by quotation marks.
One word string examples:
   -   John
   -   inbound
   -   192.168.2.1
   -   mahler.ts.example.com
   -   dns_udp
Phrase examples:
   -   "John Doe"
   -   "Log Out"
   -   "VPN-1 Embedded Connector"
IP Addresses
IPv4 and IPv6 addresses used in log queries are counted as one word. Enter IPv4 address with dotted
decimal notation and IPv6 addresses with colons.
Example:
   n   192.0.2.1
   n   2001:db8::f00:d
You can also use the wildcard '*' character and the standard network suffix to search for logs that match IP
addresses within a range.
Examples:
   n   src:192.168.0.0/16 (shows all records for the source IP 192.168.0.0 to 192.168.255.255 inclusive)
   n   src:192.168.1.0/24 (shows all records for the source IP 192.168.1.0 to 192.168.1.255 inclusive)
   n   src:192.168.2.* shows all records for the source IP 192.168.2.0 to 192.168.2.255 inclusive
   n   192.168.* shows all records for 192.168.0.0 to 192.168.255.255 inclusive
NOT Values
You can use NOT <field> values with Field Keywords in log queries to find logs for which the value of the
field is not the value in the query.
Syntax
NOT <field>: <value>
Example
NOT src:10.0.4.10
Wildcards
You can use the standard wildcard characters (* and ?) in queries to match variable characters or strings in
log records. You can use more than one wildcard character in a criterion.
Wildcard syntax:
   n   The ? (question mark) matches one character.
   n   The * (asterisk) matches a character string.
Examples:
   n   Jo? shows Joe and Jon, but not Joseph.
   n   Jo* shows Jon, Joseph, and John Paul.
If your criteria value contains more than one word, you can use the wildcard in each word. For example, 'Jo*
N*' shows Joe North, John Natt, Joshua Named, and so on.
Note - Using a single '*' creates a search for a non-empty value string. For example: assetname:*
Field Keywords
You can use predefined field names as keywords in filter criteria. The query result only shows log records
that match the criteria in the specified field. If you do not use field names, the query result shows records
that match the criteria in all fields.
This table shows the predefined field keywords. Some fields also support keyword aliases that you can type
as alternatives to the primary keyword.
 Keyword            Keyword Alias   Description
 severity                           Severity of the event
 app_risk                           Potential risk from the application, of the event
 protection                         Name of the protection
 protection_type                    Type of protection
 confidence_level                   Level of confidence that an event is malicious
 action                             Action taken by a security rule
 blade              product         Software Blade
 destination        dst             Traffic destination IP address, DNS name or Check Point network object name
 origin             orig            Name of originating Security Gateway
 service                            Service that generated the log entry
 source             src             Traffic source IP address, DNS name or Check Point network object name
 user                               User name
Syntax for a field name query:
<field name>:<values>
   n   <field name> - One of the predefined field names
   n   <values> - One or more filters
To search for rule number, use the Rule field name. For example:
rule:7.1
If you use the rule number as a filter, rules in all the Layers with that number are matched.
To search for a rule name, you must not use the Rule field. Use free text. For example:
"Block Credit Cards"
Best Practice - Do a free text search for the rule name. Make sure rule names are unique and not reused in
different Layers.
Examples:
   n   source:192.168.2.1
   n   action:(Reject OR Block)
       You can use the OR Boolean operator in parentheses to include multiple criteria values.
Important - When you use fields with multiple values, you must:
   n   Write the Boolean operator, for example AND.
   n   Use parentheses.
Boolean Operators
You can use the Boolean operators AND , OR , and NOT to create filters with many different criteria. You
can put multiple Boolean expressions in parentheses.
If you enter more than one criteria without a Boolean operator, the AND operator is implied. When you use
multiple criteria without parentheses, the OR operator is applied before the AND operator.
Examples:
   n   blade:"application control" AND action:block
       Shows log records from the Application & URL Filtering Software Blade where traffic was blocked.
   n   192.168.2.133 10.19.136.101
       Shows log entries that match the two IP addresses. The AND operator is presumed.
   n   192.168.2.133 OR 10.19.136.101
       Shows log entries that match one of the IP addresses.
   n   (blade: Firewall OR blade: IPS OR blade:VPN) AND NOT action:drop
       Shows all log entries from the Firewall, IPS or VPN blades that are not dropped. The criteria in the
       parentheses are applied before the AND NOT criterion.
   n   source:(192.168.2.1 OR 192.168.2.2) AND destination:17.168.8.2
       Shows log entries from the two source IP addresses if the destination IP address is 17.168.8.2.
       This example also shows how you can use Boolean operators with field criteria.
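As an added illustration of the query syntax described in this section (example code written for this page, not part of the guide or of any Check Point tool), the Python below implements a small evaluator for the language over constructed sample records: field keywords and the aliases from the table above, quoted phrases, the * and ? wildcards, CIDR ranges on IP fields, NOT, parentheses, field:(a OR b) groups, the implied AND between criteria, and the stated precedence of OR before AND. The record field names and sample values are constructed, and matching is case-insensitive throughout, which is a simplification of SmartConsole's stricter handling of keyword case.

```python
import ipaddress
import re

# Keyword aliases from the field keyword table above (alias -> primary keyword).
ALIASES = {"src": "source", "dst": "destination", "product": "blade", "orig": "origin"}
# A token is an optional 'field:' prefix plus a quoted phrase, a parenthesis, or a bare word.
TOKEN_RE = re.compile(r'(?:[A-Za-z_]+:)?"[^"]*"|\(|\)|[^\s()]+')
FIELD_RE = re.compile(r"^([A-Za-z_]+):(.*)$", re.S)

def split_field(tok):
    """'field:value' -> (field, value); quoted phrases and IPv6 literals stay whole."""
    m = None if tok.startswith('"') else FIELD_RE.match(tok)
    return (m.group(1), m.group(2)) if m else (None, tok)

class QueryParser:
    def __init__(self, query):
        toks = TOKEN_RE.findall(query)
        self.toks = [t.upper() if t.upper() in ("AND", "OR", "NOT") else t for t in toks]
        self.pos = 0

    def peek(self):
        return self.toks[self.pos] if self.pos < len(self.toks) else None

    def advance(self):
        tok = self.peek()
        self.pos += 1
        return tok

    def parse_and(self, field):
        node = self.parse_or(field)
        while self.peek() not in (None, ")"):
            if self.peek() == "AND":
                self.advance()  # explicit AND; an omitted one is implied
            node = ("and", node, self.parse_or(field))
        return node

    def parse_or(self, field):  # OR binds tighter than AND, as the section states
        node = self.parse_unary(field)
        while self.peek() == "OR":
            self.advance()
            node = ("or", node, self.parse_unary(field))
        return node

    def parse_unary(self, field):
        tok = self.advance()
        if tok == "NOT":
            return ("not", self.parse_unary(field))
        if tok is not None and tok != "(":
            own_field, tok = split_field(tok)
            if own_field is not None:
                field = ALIASES.get(own_field.lower(), own_field.lower())
                tok = tok or self.advance()  # 'field: value' or 'field: (group)'
            if tok != "(":
                return ("term", field, (tok or "").strip('"'))
        if tok != "(":
            raise ValueError("query ended unexpectedly")
        node = self.parse_and(field)  # parenthesised group, inherits the field if any
        if self.advance() != ")":
            raise ValueError("unbalanced parentheses in query")
        return node

def value_matches(value, pattern):
    """CIDR range, '*'/'?' wildcards, or exact text, against the whole value or any word in it."""
    text = str(value)
    if "/" in pattern:  # network suffix such as 192.168.0.0/16
        try:
            return ipaddress.ip_address(text) in ipaddress.ip_network(pattern, strict=False)
        except ValueError:
            return False
    regex = ".*".join(".".join(map(re.escape, part.split("?"))) for part in pattern.split("*"))
    return bool(text) and any(re.fullmatch(regex, c, re.I) for c in [text, *text.split()])

def evaluate(node, record):
    kind = node[0]
    if kind == "and":
        return evaluate(node[1], record) and evaluate(node[2], record)
    if kind == "or":
        return evaluate(node[1], record) or evaluate(node[2], record)
    if kind == "not":
        return not evaluate(node[1], record)
    _, field, pattern = node  # no field: free-text search across every field
    candidates = record.values() if field is None else [record[field]] if field in record else []
    return any(value_matches(v, pattern) for v in candidates)

def search(query, records):
    """Return the indexes of the records that satisfy the query."""
    parser = QueryParser(query)
    tree = parser.parse_and(None)
    if parser.peek() is not None:
        raise ValueError("unexpected token %r" % parser.peek())
    return [i for i, rec in enumerate(records) if evaluate(tree, rec)]

# Constructed sample records (not real Check Point log output).
FIELDS = ("source", "destination", "action", "blade", "user")
LOGS = [dict(zip(FIELDS, row)) for row in [
    ("192.168.2.1", "17.168.8.2", "Accept", "Firewall", "John Doe"),
    ("192.168.2.133", "10.19.136.101", "Block", "Application Control", "Jon Natt"),
    ("10.0.4.10", "192.168.2.2", "Drop", "IPS", "Joseph"),
    ("2001:db8::f00:d", "192.168.1.20", "Reject", "VPN", "Joe North"),
]]
```

search(query, LOGS) returns the indexes of the matching records. The precedence rule is visible with a query such as action:Accept OR action:Drop AND blade:IPS, which matches only the IPS record because the OR group is applied before the AND, exactly as the section describes; the same query read with AND first would also match the Firewall record.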
Log Sessions
A session is a user's activity at a specified site or with a specified application. The session starts when a
user connects to an application or to a site. The Security Gateway includes all the activity that the user does
in the session in one session log (in contrast to the Security Gateway log, which shows top sources,
destinations, and services).
To search for log sessions:
In the Logs tab of the Logs & Monitor view, enter:
type:Session
To see details of the log session:
In the Logs tab of the Logs & Monitor view, select a session log.
In the bottom pane of the Logs tab, click the tabs to see details of the session log:
   n   Connections - Shows all the connections in the session. These show if Per connection is selected in
       the Track option of the rule.
   n   URLs - Shows all the URLs in the session. These show if Extended Log is selected in the Track
       option of the rule.
   n   Files - Shows all the files uploaded or downloaded in the session. These show if Extended Log is
       selected in the Track option of the rule, or if a Data Type was matched on the connection.
To see the session log for a connection that is part of a session:
   1. In the Logs tab of the Logs & Monitor view, double-click on the log record of a connection that is part
      of a session.
   2. In the Log Details, click the session icon      (in the top-right corner) to search for the session log in a
      new tab.
To configure the session timeout:
By default, after a session continues for three hours, the Security Gateway starts a new session log. You
can change this in SmartConsole from the Manage & Settings view, in Blades > Application & URL
Filtering > Advanced Settings > General > Connection unification.
Tracking Options
Select these options in the Track column of a rule:
   n     None - Do not generate a log.
   n     Log - This is the default Track option. It shows all the information that the Security Gateway used to
         match the connection. At a minimum, this is the Source, Destination, Source Port, and Destination
         Port. If there is a match on a rule that specifies an application, a session log shows the application
         name (for example, Dropbox). If there is a match on a rule that specifies a Data Type, the session log
         shows information about the files, and the contents of the files.
   n     Accounting - Select this to update the log at 10-minute intervals, to show how much data has passed
         in the connection: Upload bytes, Download bytes, and browse time.
Note - When upgrading from R77.X or from R80 versions to R81.10, there are changes to the behavior of
the options in the Track column. To learn more see sk116580.
Advanced Track options
Detailed Log and Extended Log are only available if one or more of these Blades are enabled on the Layer:
Application & URL Filtering, Content Awareness, or Mobile Access.
   n     Detailed Log - Equivalent to the Log option, but also shows the application that matched the
         connections, even if the rule does not specify an application. Best Practice - Use for a cleanup rule
         (Any/internet/Accept) of an Applications and URL Filtering Policy Layer that was upgraded from an
         R77 Application Control Rule Base.
   n     Extended Log - Equivalent to the Detailed option, but also shows a full list of URLs and files in the
         connection or the session. The URLs and files show in the lower pane of the Logs view.
Log Generation
   n     per Connection - Select this to show a different log for each connection in the session. This is the
         default for rules in a Layer with only Firewall enabled. These are basic Firewall logs.
   n     per Session - Select this to generate one log for all the connections in the same session (see "Log
         Sessions" on page 102). This is the default for rules in a Layer with Application & URL Filtering or
         Content Awareness enabled. These are basic Application Control logs.
Alert:
For each alert option, you can define a script in Menu > Global properties > Log and Alert > Alerts.
   n     None - Do not generate an alert.
   n     Alert - Generate a log of type Alert and run a command, such as: Show a popup window, send an
         email alert or an SNMP trap alert, or run a user-defined script as defined in the Global Properties.
   n     SNMP - Generate a log of type Alert and send an SNMP alert to the SNMP GUI, as defined in the
         Global Properties.
   n     Mail - Generate a log of type Alert and send an email to the administrator, as defined in the Global
         Properties.
   n     User Defined Alert - Generate a log of type Alert and send one of three possible customized alerts.
         The alerts are defined by the scripts specified in the Global Properties.
SmartView Web Application
Use Case - You are the system administrator at a small company and are concerned that some employees
spend too much time looking at Facebook. You want a way to monitor the employee application use.
The SmartView Web Application is one of the SmartEvent clients that you can use to analyze events that
occur in your environment. Use the SmartView Web Application to see an overview of the security
information for your environment. It has the same real-time event monitoring and analysis views as
SmartConsole. The convenience is that you do not have to install a client.
 Note - SmartView graphics do not display properly in Internet Explorer. Accessing SmartEvent Server
 from the web (SmartView) is supported only from Google Chrome and Mozilla Firefox.
To log in to SmartEvent using SmartView Web Application:
Browse to:
 https://<IP Address of Management Server>/smartview/
or
 https://<Host Name of Management Server>/smartview/
            Notes:
                n   The /smartview/ part of the URL is case sensitive.
                n   When you open the SmartView Web Application on a Standalone server (a server
                    which runs both a Security Management Server and a Security Gateway), these
                    web portals stop working:
                        l The Gaia Portal (https://<Server IP Address> and
                          https://<Server IP Address>:4434)
                        l The API documentation portal (https://<Server IP
                          Address>/api_docs)
                        l Web SmartConsole (https://<Server IP
                          Address>/smartconsole)
SmartView advantages:
     n   Available for non-admin users
     n   Export up to 1,000,000 logs
     n   Integrated top statistics and docked card
     n   Support for High Contrast theme
In SmartView:
SmartView opens by default in the General Overview tab. This shows the statistics, Software Blades,
timelines, and more. Any open tabs from the previous session are retained.
            Note - SmartView Web Application is available even without SmartEvent Software
            Blade, but the default page is different.
To open a new tab, click +.
The Audit Logs tab shows audit logs, which record the changes administrators make in the management environment.
The Logs > Logs View tab shows blade activities.
In SmartView, you first filter for the application and then by user.
   1. Click the + icon to open a new tab.
   2. Click Views > Access Control.
   3. Right-click the User column and drill down to see the user activity or create a filter for this user in your
      current view.
You can schedule for all activities for a user, but cannot set the system to trigger an alert at a certain
threshold.
To select which columns are shown:
   1. Right-click on a column heading and select Profile editor.
      The Profile editor window opens.
   2. Select fields to add to or remove from the selected profile.
   3. Click OK.
To set user display preferences:
   1. Click the drop-down arrow next to your user name and select User Preferences.
   2. For Locale, select the display language.
   3. For First day of the week, select the day of the week for the weekly logs to start.
   4. For Theme, select Default or High Contrast.
      In High Contrast, the view display is white text on a black background.
   5. In Default time frame, set the default timeframe for all the SmartView Web Application functionalities.
      The default value is Last 24 hours.
                  Note - The default time frames on the SmartView Web Application and
                  SmartConsole are not synchronized.
   6. For Email server settings, select Edit to enter the email server details.
   7. Click OK.
Exporting Logs
Apply a filter to select the logs you want to export. Currently, you can only export logs to CSV.
To export logs:
   1. In the Logs tab, click Options and select Export > Export to CSV.
      The CSV Export window opens.
   2. Select the Logs Amount.
   3. Select the Exported Columns - All columns or Visible columns.
   4. Click OK.
   5. A popup window appears when the export process starts.
      When you see a message that the export completed successfully, click Download.
      All exported logs also appear in the archive tab.
Log Server High Availability
In SmartConsole, you can configure a Security Gateway so that, when it fails to send its logs to one Log
Server, it sends them to a secondary Log Server. To support this configuration, you can add both Log Servers
to a single SmartEvent Correlation Unit. In this way, the SmartEvent Correlation Unit gets an uninterrupted
stream of logs from both servers and continues to correlate all logs.
Working with Syslog Servers
Introduction
Syslog (System Logging Protocol) is a standard protocol used to send system log or event messages to a
specific server, the syslog server.
The syslog protocol is enabled on most network devices, such as routers and switches.
Syslog is used by many log analysis tools. If you want to use these tools, make sure Check Point logs are
sent from the Security Gateway to the syslog server in syslog format.
Check Point supports these syslog protocols: RFC 3164 (old) and RFC 5424 (new).
These features are not supported: IPv6 logs and Software Blade logs.
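The two protocol versions named above (BSD Protocol, RFC 3164, and Syslog Protocol, RFC 5424, as they appear in the Syslog Server object later in this chapter) frame a message differently, and a collector that expects one will misparse the other. The Python below is an added example, not part of the guide or of any Check Point component: it recognises both framings, decodes the shared PRI field into facility and severity, and counts messages per format so a collector-side check can confirm which version the gateways actually send. The sample messages are constructed for the example; their text is not real Check Point log output, and the structured-data match is deliberately loose (it does not handle escaped brackets).

```python
import re

SEVERITY_NAMES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# RFC 3164 ("BSD Protocol"): <PRI>TIMESTAMP HOSTNAME MSG, with a "Mmm dd hh:mm:ss" timestamp.
RFC3164_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (?P<host>\S+) (?P<msg>.*)$",
    re.S,
)
# RFC 5424 ("Syslog Protocol"): <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID SD [MSG].
# Structured data is matched loosely ('-' or one or more [...] blocks); escaped ']' is not handled.
RFC5424_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ver>[1-9]\d{0,2}) (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) "
    r"(?P<procid>\S+) (?P<msgid>\S+) (?P<sd>-|(?:\[[^\]]*\])+)(?: (?P<msg>.*))?$",
    re.S,
)


def decode_pri(pri):
    """PRI = facility * 8 + severity; both RFCs encode it the same way."""
    if not 0 <= pri <= 191:
        raise ValueError("PRI %d out of range" % pri)
    return pri // 8, pri % 8


def parse_syslog(line):
    """Parse one message in either framing; raise ValueError if it is neither."""
    m, fmt = RFC5424_RE.match(line), "RFC 5424"
    if m is None:
        m, fmt = RFC3164_RE.match(line), "RFC 3164"
    if m is None:
        raise ValueError("not a recognised syslog message: %r" % line)
    facility, severity = decode_pri(int(m.group("pri")))
    d = m.groupdict()
    return {
        "format": fmt,
        "facility": facility,
        "severity": severity,
        "severity_name": SEVERITY_NAMES[severity],
        "timestamp": d["ts"],
        "host": d["host"],
        "app": d.get("app"),             # RFC 5424 only
        "structured_data": d.get("sd"),  # RFC 5424 only
        "message": d.get("msg") or "",
    }


def summarize_formats(lines):
    """Count messages per framing; a quick check that the collector gets the version it expects."""
    counts = {}
    for line in lines:
        fmt = parse_syslog(line)["format"]
        counts[fmt] = counts.get(fmt, 0) + 1
    return counts


# Constructed sample messages (illustrative text, not real Check Point log output).
CONSTRUCTED_MESSAGES = [
    "<134>Jan 13 12:34:56 gw-1 fw: constructed BSD-style message",
    "<134>1 2022-01-13T12:34:56Z gw-1 fw - - - constructed IETF-style message",
    '<132>1 2022-01-13T12:35:00Z gw-1 fw - - [example@32473 src="192.0.2.1"] '
    "constructed message with structured data",
]
```

Because syslog carries these messages in clear text (as the Important note in the next section says), the parsed host and facility are only as trustworthy as the network path between gateway and collector; the parser above validates framing, not origin.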
Configuring Security Gateways
By default, Security Gateway logs are sent to the Security Management Server.
You can configure Security Gateways to send logs directly to syslog servers.
Important - Syslog is not an encrypted protocol. Make sure the Security Gateway and the Log Proxy are
located close to each other and that they communicate over a secure network.
Procedure
   1. Define syslog server objects in SmartConsole.
      Instructions
            a. Connect with SmartConsole to the Management Server.
            b. From the left navigation panel, click Gateways & Servers.
            c. Create the Host object that represents the Syslog server host.
                     i. In the Object Explorer, click New > Host.
                   ii. Configure these fields:
                           n   Name - Enter a unique name.
                           n   IPv4 address - Enter the correct IPv4 address of the syslog server.
                           n   IPv6 address - Optional: Enter the correct IPv6 address of the syslog server.
                               This requires the IPv6 Support be enabled on the Security Gateway / each
                               Cluster Member.
                  iii. Click OK.
           d. Create the Syslog Server object that represents the Syslog server:
                  i. In the Object Explorer, click New > Server > More > Syslog.
                  ii. Configure these fields:
                          n     Name - Enter a unique name.
                          n     Host - Select an existing host or click New to define a new computer or
                                appliance.
                          n     Port - Enter the correct port number on the syslog server (default = 514).
                          n     Version - Select BSD Protocol or Syslog Protocol.
                 iii. Click OK.
           e. Close the Object Explorer.
2. Select the configured syslog server objects in the Security Gateway / Cluster object.
   Instructions
           a. Double-click the Security Gateway object.
           b. From the left tree, click Logs.
           c. In the Send logs and alerts to these log servers table, click the green (+) button to select
              the Syslog Server object(s) you configured earlier.
              Notes:
                  n   You can configure a Security Gateway / Cluster Member to send logs to multiple
                      syslog servers.
                      All syslog servers selected in the Security Gateway / Cluster object must use the
                      same protocol version: BSD Protocol or Syslog Protocol.
                  n   You cannot configure a Syslog server as a backup server.
           d. Click OK.
           e. Install policy.
3. Configure the logging properties of the Security Gateways / each Cluster Member.
   Note - In Cluster, you must configure each Cluster Member in the same way.
   The fwsyslog_enable kernel parameter enables or disables the Syslog in Kernel feature on Security
   Gateways:
       n   Value 0 = Disabled (default)
       n   Value 1 = Enabled
   You can enable or disable the Syslog in Kernel feature temporarily (until the Security Gateway
   reboots), or permanently (survives reboot).
   To see the current state of the Syslog in Kernel feature
           a. Connect to the command line on the Security Gateway / each Cluster Member.
           b. Log in to the Expert mode.
     c. Run:
          fw ctl get int fwsyslog_enable
        Output:
            n   "fwsyslog_enable = 0" means the feature is disabled (default)
            n   "fwsyslog_enable = 1" means the feature is enabled
To enable the Syslog in Kernel feature temporarily (does not survive reboot)
     a. Connect to the command line on the Security Gateway / each Cluster Member.
     b. Log in to the Expert mode.
     c. Run:
          fw ctl set int fwsyslog_enable 1
     d. In SmartConsole, install policy on this Security Gateway / Cluster object.
To enable the Syslog in Kernel feature permanently (survives reboot)
     a. Connect to the command line on the Security Gateway / each Cluster Member.
     b. Log in to the Expert mode.
     c. Edit the $FWDIR/boot/modules/fwkern.conf file:
          vi $FWDIR/boot/modules/fwkern.conf
     d. Add this line:
        fwsyslog_enable=1
     e. Save the changes in the file and exit the editor.
     f. Reboot the Security Gateway / each Cluster Member.
To disable the Syslog in Kernel feature temporarily (does not survive reboot)
     a. Connect to the command line on the Security Gateway / each Cluster Member.
     b. Log in to the Expert mode.
     c. Run:
          fw ctl set int fwsyslog_enable 0
To disable the Syslog in Kernel feature permanently (survives reboot)
     a. Connect to the command line on the Security Gateway / each Cluster Member.
     b. Log in to the Expert mode.
     c. Edit the $FWDIR/boot/modules/fwkern.conf file:
          vi $FWDIR/boot/modules/fwkern.conf
            d. Do one of these actions:
                    n   Set the value of the kernel parameter to 0:
                        fwsyslog_enable=0
                    n   Delete the entire line:
                        fwsyslog_enable=1
            e. Save the changes in the file and exit the editor.
            f. Reboot the Security Gateway / each Cluster Member.
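The permanent enable and disable procedures above both come down to editing one line in $FWDIR/boot/modules/fwkern.conf, and the point a practitioner wants handled is idempotence: appending fwsyslog_enable=1 to a file that already carries the line leaves two definitions, and a later "set it to 0" edit must catch every copy. The Python below is an added example (not Check Point code; the function names are hypothetical) that works on the file's text so it can be tested offline: set_kernel_param replaces an existing definition or appends one, remove_kernel_param deletes the line (the second disable option above), and get_kernel_param reads the effective value. The sample content is constructed.

```python
import re


def _param_re(name):
    # One 'name=value' line; surrounding whitespace tolerated, comments are not parsed.
    return re.compile(r"^\s*%s\s*=\s*(\S*)\s*$" % re.escape(name))


def get_kernel_param(conf_text, name):
    """Value of 'name' in the fwkern.conf text, or None when no such line exists."""
    value = None
    for line in conf_text.splitlines():
        m = _param_re(name).match(line)
        if m:
            value = m.group(1)  # the last definition wins
    return value


def set_kernel_param(conf_text, name, value):
    """Return the text with exactly one 'name=value' line: existing lines are replaced, not duplicated."""
    out, done = [], False
    for line in conf_text.splitlines():
        if _param_re(name).match(line):
            if not done:
                out.append("%s=%s" % (name, value))
                done = True
            continue  # drop any further duplicate definitions
        out.append(line)
    if not done:
        out.append("%s=%s" % (name, value))
    return "\n".join(out) + "\n"


def remove_kernel_param(conf_text, name):
    """Return the text with every 'name=...' line deleted."""
    out = [line for line in conf_text.splitlines() if not _param_re(name).match(line)]
    return "\n".join(out) + "\n" if out else ""


# Constructed sample content with a duplicated definition; real files may carry other parameters.
SAMPLE_CONF = "# constructed sample\nfwsyslog_enable=1\nfwsyslog_enable=1\n"
```

Whatever edits the file, the page's steps still apply afterwards: the change takes effect only after the Security Gateway (or each Cluster Member) reboots, and the temporary fw ctl set int command is the way to change the running value without a reboot.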
Log Count for CoreXL Firewall Instances
You can see the current number of syslog logs sent by CoreXL Firewall Instances on the Security Gateway /
each Cluster Member.
To see log count for a CoreXL Firewall instance
     1. Connect to the command line on the Security Gateway / each Cluster Member.
     2. Log in to the Expert mode.
     3. Run:
           fw -i <CoreXL Firewall Instance Number> ctl get fwsyslog_nlogs_counter
         Sample output:
           fwsyslog_nlogs_counter = 21
To see log count for all CoreXL Firewall instances
     1. Make two command line connections to the Security Gateway / each Cluster Member.
     2. In each command line connection, log in to the Expert mode.
     3. In the first shell, run:
           fw ctl zdebug | grep logs
     4. In the second shell, run:
           fw ctl set int fwsyslog_print_counter 1
     5. In the first shell, see the counter for each CoreXL Firewall instance and the sum of all CoreXL
        Firewall instances.
         Sample output:
           ;[cpu_2];[fw4_0];Number of logs sent from instance 0 is 43;
           ;[cpu_2];[fw4_0];Number of logs sent from instance 1 is 39;
           ;[cpu_2];[fw4_0];Number of logs sent from instance 2 is 50;
           ;[cpu_2];[fw4_0];Total logs sent from kernel (all instances) = 132;
     6. In the first shell, press CTRL+C to stop the debug.
For more on syslog, see: "Appendix: Manual Syslog Parsing" on page 233.
Event Analysis
Event Analysis with SmartEvent
The SmartEvent Software Blade is a unified security event management and analysis solution that delivers
real-time, graphical threat management information. SmartConsole, SmartView Web Application, and the
SmartEvent GUI client consolidate billions of logs and show them as prioritized security events so you can
immediately respond to security incidents, and do the necessary actions to prevent more attacks. You can
customize the views to monitor the events that are most important to you. You can move from a high level
view to detailed forensic analysis in a few clicks. With the free-text search and suggestions, you can quickly
run data analysis and identify critical security events.
What is an Event?
An event is a record of a security incident. It is based on one or more logs, and on rules that are defined in
the Event Policy.
An example of an event that is based on one log: A High Severity Anti-Bot event. One Anti-Bot log with a
Severity of High causes the event to be recorded.
An example of an event that is based on more than one log: A Certificate Sharing event. Two login logs with
the same certificate and a different user cause the event to be recorded.
How Are Logs Converted to Events?
SmartEvent automatically defines logs that are not Firewall, VPN, or HTTPS Inspection logs, as events.
Events that are based on a suspicious pattern of one or more logs, are created by the SmartEvent
Correlation Unit. These correlated events are defined in the SmartEvent client GUI, in the Policy tab.
Most logs are Firewall, VPN and HTTPS inspection logs. Therefore, SmartEvent does not define them as
events by default to avoid a performance impact on the SmartEvent Server.
For logs from Security Gateways R77.X and lower: To create events for Firewall, in the SmartEvent Policy
tab, enable Consolidated Sessions > Firewall Session.
The SmartEvent Architecture
SmartEvent has some components that work together to help track down security threats and make your
network more secure.
This is how they work together. The numbers refer to the diagram:
   n   SmartEvent Correlation Unit (3) analyzes log entries on Log Servers (2) and stores the event in the
       same way the log server stores logs.
   n   SmartEvent Server (4) contains the Events Database (5).
   n   The SmartEvent and SmartConsole clients (6) manage the SmartEvent Server.
 (Diagram legend: Log data flow; Event data flow.)
 Item   Description                    Purpose
 1      Check Point Security Gateway   Sends logs to the Log Server.
 2      Log Server                     Stores logs.
 3      SmartEvent Correlation Unit    Identifies events: Analyzes each log entry from a Log Server, and
                                       looks for patterns according to the installed Event Policy. The logs
                                       contain data from Check Point products and certain third-party
                                       devices. When a threat pattern is identified, the SmartEvent
                                       Correlation Unit forwards the event to the SmartEvent Server.
 4      SmartEvent Server              The SmartEvent Server:
                                          n   Indexes logs for SmartView
                                          n   Defines the event policy
                                          n   Manages correlation units
 5      Events database                Stores events. Located on the SmartEvent Server.
 6      SmartEvent client              Shows the received events. Uses the clients to manage events (for
                                       example: to filter and close events), fine-tunes, and installs the
                                       Event Policy. The clients are:
                                          n   SmartConsole
                                          n   SmartView Web Application
The SmartEvent components can be installed on one computer (that is, a standalone deployment) or
multiple computers and sites (a distributed deployment). To handle higher volumes of logging activity, we
recommend a distributed deployment. Each SmartEvent Correlation Unit can analyze logs from more than
one Log Server or Domain Log Server.
SmartEvent Correlation Unit
The SmartEvent Correlation Unit analyzes the log entries and identifies events from them. During analysis,
the SmartEvent Correlation Unit:
     n   Marks log entries that are not stand-alone events, but can be part of a larger pattern to be identified
         later.
     n   Takes a log entry that meets one of the criteria set in the Events Policy, and generates an event.
     n   Takes a new log entry that is part of a group of items. Together, all these items make up a security
         event. The SmartEvent Correlation Unit adds it to an ongoing event.
     n   Discards log entries that do not meet event criteria.
SmartEvent Correlation Unit High Availability
Multiple correlation units can read logs from the same Log Servers. That way, the units provide redundancy
if one of them fails. The events that the Correlation Units detect are duplicated in the SmartEvent database.
But these events can be disambiguated if you filter them with the Detected By field in the Event Query
definition. The Detected By field specifies which SmartEvent Correlation Unit detected the event.
The SmartView Web Application
The SmartView Web Application is one of the SmartEvent clients that you can use to analyze events that
occur in your environment. Use the SmartView Web Application to see an overview of the security
information for your environment. It has the same event monitoring and analysis views as SmartConsole.
The convenience is that you do not have to install a client.
To log in to SmartEvent using SmartView Web Application:
Browse to:
https://<IP Address of Security Management Server>/smartview/
or
https://<Host Name of Security Management Server>/smartview/
Note - The URL is case sensitive.
Configuring SmartEvent Policy and Settings
Opening the SmartEvent GUI Client
Use the Policy tab of the SmartEvent GUI client to configure and customize the events that define the
SmartEvent Policy.
To open the SmartEvent GUI client:
   1. Open SmartConsole > Logs & Monitor.
   2. Click (+) to open a Catalog (new tab).
   3. Click SmartEvent Settings & Policy.
Policy Tab
Define the Event Policy in the Event Policy tab. Most configuration steps occur in the Policy tab. You define
system components, such as SmartEvent Correlation Unit, lists of blocked IP addresses and other general
settings.
The types of events that SmartEvent can detect are listed here, and sorted into a number of categories. To
change each event, change the default thresholds and set Automated Responses. You can also disable
events.
The Policy tab has these sections:
   -   Selector Tree - The navigation pane.
   -   Detail pane - The settings of each item in the Selector Tree.
   -   Description pane - A description of the selected item.
You can edit the event policy in one of these ways:
   -   Fine-tune the Event Policy.
   -   Change an existing Event Definition to see the events that interest you (see "Modifying Event
       Definitions" on page 130).
   -   Create new Event Definitions to see the events that are not included in the existing definitions.
Save Event Policy
Modifications to the Event Policy do not take effect until saved on the SmartEvent Server and installed to the
SmartEvent Correlation Unit.
To enable changes made to the Event Policy:
   1. Click File > Save.
   2. Click Actions > Install Event Policy.
Revert Changes
You can undo changes to the Event Policy, if they were not saved.
To undo changes: click File > Revert Changes.
Event Definitions and General Settings
The Selector tree is divided into two branches: Event Policy and General Settings. The events detectable
by SmartEvent are organized by category in the Event Policy branch. Select an event definition to show its
configurable properties in the Detail pane, and a description of the event in the Description pane. Clear the
property to remove this event type from the Event Policy the next time the Event Policy is installed.
The General Settings branch contains the Initial Settings, which are typically used for the initial
configuration (for example, to define the SmartEvent Correlation Unit). Click a General Settings item to
show its configurable properties in the Detail pane.
For details on specified attacks or events, refer to the Event Definition Detail pane.
Event Definition Parameters
When an event definition is selected, its configurable elements appear in the Detail pane, and a description
of the event is displayed in the Description pane. These are the usual types of configurable elements:
   -   Thresholds, such as Detect the event when more than x connections were detected over y
       seconds
   -   Severity, such as Critical, Medium, Informational, etc.
   -   "Automatic Reactions" on page 119, such as Block Source or External Script
   -   "Exceptions" on page 125
   -   Time Object, such as to issue an event if the activity occurs outside the defined Working Hours
Not all of these elements appear for every Event Definition. After you install and run SmartEvent for a short
time, you will discover which of these elements need to be fine-tuned per Event Definition.
For configuration information regarding most objects in General Settings, see "System Administration" on
page 147.
Modifying Event Definitions
SmartEvent constantly takes data from your Log Servers, and searches for patterns in all the network
chatter that enters your system.
Depending on the levels set in each Event Definition, the number of events detected can be high. But only a
portion of those events can be meaningful. You can change the thresholds and other criteria of an event, to
reduce the number of false alarms.
Event Threshold
The Event Threshold allows you to modify the limits that, when exceeded, indicate that an event occurred.
Limits include the number of logs, and the timeframe in which they occurred:
Detect the event when more than X logs were detected over a period of Y seconds.
To decrease the number of false alarms based on a particular event, increase the number of logs and/or the
timeframe for them to occur.
Severity
To modify the severity of an event, select a severity level from the drop-down list.
If the event is based on Threat Prevention logs, the event gets the severity from the protection type, not from
the severity configured here.
To overwrite the severity:
   1. Go to SmartEvent > Policy.
   2. Right-click an event and select Properties.
      The Edit Event Definition window opens.
   3. In the Event Format tab, select Determine event's display name and severity from event logs.
Automatic Reactions
When detected, an event can activate an Automatic Reaction. The SmartEvent administrator can create and
configure one Automatic Reaction, or many, according to the needs of the system.
For example: A Mail Reaction can be defined to notify the administrator of the events to which it is applied.
Multiple Automatic Mail Reactions can be created to notify a different responsible party for each type of event.
To create an automatic reaction:
   1. Create an automatic reaction object in the Event definition, or from General Settings > Objects >
      Automatic Reactions.
   2. Assign the Automatic Reaction to an event (or to an exception to the event).
   3. To save the Event Policy, click File > Save.
   4. To install the Event Policy on the SmartEvent Correlation Unit, click Actions > Install Event Policy.
These are the types of Automatic Reactions:
   -   Mail - Tell an administrator by email that the event occurred. See "Creating a Mail Reaction" on
       page 135.
   -   Block Source - Instruct the Security Gateway to block the source IP address from which this event
       was detected for a configurable timeframe. Select a timeframe from one minute to more than three
       weeks. See "Creating a Block Source Reaction" on page 136.
   -   Block Event activity - Instruct the Security Gateway to block a distributed attack that emanates from
       multiple sources, or attacks multiple destinations, for a configurable timeframe. Select a timeframe
       from one minute to more than three weeks. See "Creating a Block Event Activity Reaction" on
       page 137.
   -   External Script - Run a script that you provide. See "Creating an External Script Automatic Reaction"
       on page 149 to write a script that can use SmartEvent data.
   -   SNMP Trap - Generate an SNMP Trap. See "Creating an SNMP Trap Reaction" on page 138.
       You can send event fields in the SNMP Trap message.
       The format for such an event field is [seam_event_table_field].
       This list represents the possible seam_event table fields:
       AdditionalInfo varchar(1024)
       AutoReactionStatus varchar(1024)
       Category varchar(1024)
       DetectedBy integer
       DetectionTime integer
       Direction integer
       DueDate integer
       EndTime integer
       EventNumber integer
       FollowUp integer
       IsLast integer
       LastUpdateTime integer
       MaxNumOfConnections integer
       Name varchar(1024)
       NumOfAcceptedConnections integer
       NumOfRejectedConnections integer
       NumOfUpdates integer
       ProductCategory varchar(1024)
       ProductName varchar(1024)
       Remarks varchar(1024)
       RuleID varchar(48)
       Severity integer
       StartTime integer
       State integer
       TimeInterval integer
       TotalNumOfConnections varchar(20)
       User varchar(1024)
       Uuid varchar(48)
       aba_customer varchar(1024)
       jobID varchar(48)
       policyRuleID varchar(48)
Creating a Mail Reaction
 1. Select Add > Mail.
 2. Give the automatic reaction a significant name.
 3. Fill out the Mail Parameters of From, To and cc.
 4. To add multiple recipients, separate each email address with a semi-colon.
    Note - The Subject field has the default variables of [EventNumber] - [Severity] - [Name]. These
    variables automatically add to the mail subject the event number, severity and name of the event
    that triggered this reaction. These variables can be removed at your discretion.
 5. Optional: Include your own standard text for each mail reaction.
 6. Enter the domain name of the SMTP server.
 7. Select Save.
Creating an SNMP Trap Reaction
 1. Select Add > SNMP Trap.
 2. Give the automatic reaction a significant name.
  3. Fill out the SNMP Trap parameters of Host, Message, OID and Community name.
      The command send_snmp uses values that are found in the file chkpnnt.mib, in the directory
      $CPDIR/lib/snmp/. An OID value used in the SNMP Trap parameters window must be defined in
      chkpnnt.mib, or in a file that it refers to. If the OID field is left blank, the value is determined from
      iso.org.dod.internet.private.enterprises.checkpoint.products.fw.fwEvent =
      1.3.6.1.4.1.2620.1.1.11.
      When the automatic reaction occurs, the SNMP Trap is sent as a 256 byte DisplayString text.
      But, if the OID type is not text, the message is not sent.
  4. Select Save.
Creating a Block Source Reaction
  1. Select Add > Block Source.
  2. Give the automatic reaction a significant name.
  3. From the drop-down list, select the number of minutes to block this source.
  4. Select Save.
Creating a Block Event Activity Reaction
  1. Select Add > Block Event Activity.
  2. Give the automatic reaction a significant name.
  3. From the drop-down list, select the number of minutes to block this source.
  4. Select Save.
Creating an External Script Automatic Reaction
To add an External Script:
  1. Create the script.
  2. Put the script on the SmartEvent Server.
         a. In $RTDIR/bin, create the folder ext_commands:
            mkdir $RTDIR/bin/ext_commands
         b. Put the script in $RTDIR/bin/ext_commands/ or in a folder under that location.
            The path and script name must not contain any spaces.
         c. Give the script executable permissions:
            chmod +x <script_filename>
  3. In the SmartEvent GUI client Policy tab, in Automatic Reactions, Select Add > External Script.
  4. In the Add Automatic Reaction window
          a. Give the automatic reaction object a significant Name.
          b. In Command line, enter the name of the script to run. Specify the name of the script that is in
             $RTDIR/bin/ext_commands/ directory. Use the relative path if needed. Do not specify the
             full path of $RTDIR/bin/ext_commands/.
          c. Select Save.
Guidelines for creating the script
   -   Run the script manually and make sure it works as expected.
   -   Make sure the script runs for no longer than 10 minutes, otherwise it will be terminated by the
       SmartEvent Server.
   -   Use the event fields in the script:
       To refer to the event in the script, define this environment variable:
       EVENT=$(cat)
       and use $EVENT
       Use line editor commands like awk or sed to parse the event and refer to specific fields. You can print
       the $EVENT one time to see its format.
       The format of the event content is a name-value set - a structured set of fields that have the form:
       (name: value ;* );
       where name is a string and value is either free text until a semicolon, or a nested name-value set.
       This is a sample event:
         (Name: Check Point administrator credential guessing; RuleID:
         {F182D6BC-A0AA-444a-9F31-C0C22ACA2114}; Uuid:
         <42135c9c,00000000,2e1510ac,131c07b6>; NumOfUpdates: 0; IsLast: 0;
         StartTime: 16Feb2015 16:45:45; EndTime: Not Completed; DetectionTime:
         16Feb2015 16:45:48; LastUpdateTime: 0; TimeInterval: 600;
         MaxNumOfConnections: 3; TotalNumOfConnections: 3; DetectedBy:
         2886735150;
         Origin: (IP: 192.0.2.4; repetitions: 3; countryname: United States;
         hostname: theHost) ; ProductName: SmartDashboard; User: XYZ; Source:
         (hostname: theHost; repetitions: 3; IP: 192.0.2.4; countryname: United
         States) ; Severity: Critical; EventNumber: EN00000184; State: 0;
         NumOfRejectedConnections: 0; NumOfAcceptedConnections: 0) ;
If you need to add more fields to the event:
   1. In the SmartEvent GUI client, in the Policy tab, right-click the event, and select Properties > Event
      Format tab
   2. In the Display column, select the Event fields to have in the Event.
   3. Install the Event Policy on the SmartEvent Correlation Unit.
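The guideline above (read the event with EVENT=$(cat), then pick fields out with sed or awk) as an added example; this is not code from the guide or from Check Point. It assumes the script is deployed under $RTDIR/bin/ext_commands/ as described, that the Command line field can pass the "--run" argument, and that logger is available on the server; the sample event is constructed from the guide's example, and the summary line format and severity mapping are my own.

```shell
#!/bin/bash
# Added example (not Check Point's code): External Script skeleton for a SmartEvent
# Automatic Reaction. SmartEvent hands the event to the script on stdin in the
# name-value format shown in the guide; the functions below extract fields from it
# with sed so the script can act on them. Remember the 10-minute run limit.

# Constructed sample event for offline testing (mirrors the guide's example).
SAMPLE_EVENT='(Name: Check Point administrator credential guessing; RuleID:
{F182D6BC-A0AA-444a-9F31-C0C22ACA2114}; Uuid:
<42135c9c,00000000,2e1510ac,131c07b6>; NumOfUpdates: 0; IsLast: 0;
StartTime: 16Feb2015 16:45:45; EndTime: Not Completed; DetectionTime:
16Feb2015 16:45:48; LastUpdateTime: 0; TimeInterval: 600;
MaxNumOfConnections: 3; TotalNumOfConnections: 3; DetectedBy:
2886735150;
Origin: (IP: 192.0.2.4; repetitions: 3; countryname: United States;
hostname: theHost) ; ProductName: SmartDashboard; User: XYZ; Source:
(hostname: theHost; repetitions: 3; IP: 192.0.2.4; countryname: United
States) ; Severity: Critical; EventNumber: EN00000184; State: 0;
NumOfRejectedConnections: 0; NumOfAcceptedConnections: 0) ;'

# Join the multi-line event into one line so sed sees every "name: value;" pair whole.
flatten_event() {
    printf '%s' "$1" | tr '\n' ' '
}

# event_field EVENT NAME -> value of a top-level scalar field (empty if absent or nested).
# The name must directly follow ';' or '(' so that "Name:" does not match "ProductName:".
event_field() {
    flatten_event "$1" \
      | sed -n "s/.*[;(][[:space:]]*$2:[[:space:]]*\([^;()]*\)[;)].*/\1/p" \
      | sed 's/[[:space:]]*$//'
}

# event_nested EVENT NAME -> body of a nested name-value set such as Source or Origin.
event_nested() {
    flatten_event "$1" \
      | sed -n "s/.*[;(][[:space:]]*$2:[[:space:]]*(\([^()]*\)).*/\1/p"
}

# event_subfield EVENT SET NAME -> a field inside a nested set, e.g. the Source IP.
# Returns 1 when the nested set is not present in the event.
event_subfield() {
    body=$(event_nested "$1" "$2")
    [ -n "$body" ] || return 1
    event_field "($body;)" "$3"
}

# Map SmartEvent severity names to syslog levels (my own mapping, for logger -p).
severity_to_priority() {
    case "$1" in
        Critical) echo crit ;;
        High)     echo err ;;
        Medium)   echo warning ;;
        Low)      echo notice ;;
        *)        echo info ;;      # Informational or anything unexpected
    esac
}

# event_summary EVENT -> one key=value line suitable for forwarding to a SIEM.
event_summary() {
    name=$(event_field "$1" Name)
    sev=$(event_field "$1" Severity)
    num=$(event_field "$1" EventNumber)
    src=$(event_subfield "$1" Source IP) || src=unknown
    printf 'event=%s severity=%s src=%s name="%s"\n' "$num" "$sev" "$src" "$name"
}

# Reaction mode: SmartEvent writes the event on stdin; forward a summary to syslog.
run_reaction() {
    event=$(cat)
    sev=$(event_field "$event" Severity)
    event_summary "$event" | logger -t smartevent-reaction -p "user.$(severity_to_priority "$sev")"
}

# Command line field in the reaction object: <script> --run ; "--demo" runs the
# parser on the constructed sample for a manual check before deployment.
case "${1:-}" in
    --demo) event_summary "$SAMPLE_EVENT" ;;
    --run)  run_reaction ;;
esac
```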
Assigning an Automatic Reaction to an Event
You can add an Automatic Reaction for SmartEvent to run when this type of event is detected.
1. Select the icon [...].
2. Select an Automatic Reaction that you created from the list, or select Add new.... For details on how to
   create each type of Automatic Reaction, see the sections above.
3. Configure the Automatic Reaction.
4. Select Save.
5. Click OK.
Working Hours
Working Hours are used to detect unauthorized attempts to access protected systems and other forbidden
operations after-hours. To set the Regular Working Hours for an event, select a Time Object that you have
configured from the drop-down list.
To create a Time Object:
  1. From the Policy tab, select General Settings > Objects > Time Objects.
  2. Click Add.
  3. Enter a Name and Description.
  4. Select the days and times that are considered Regular Working Hours.
  5. Click OK.
To assign a Time Object to an event:
  1. From the Policy tab, select an event that requires a Time Object (for example, User Login at
     irregular hours in the Unauthorized Entry event category).
  2. Select the Time Object you created from the drop-down list.
  3. Select File > Save.
Exceptions
Exceptions allow an event to be configured independently for the sources, destination, service and other
parameters, depending on the event type. For example, if the event Port Scan from Internal Network is set
to detect an event when 30 port scans occur within 60 seconds, you can also define that two port scans
detected from host A within 10 seconds of each other are also an event.
To add an exception:
   1. Under Apply the following exceptions, click Add.
   2. Select the Source and/or Destination of the object to apply different criteria for this event.
Note - If you do not see the host object listed, you may need to create it in SmartEvent (see "System
Administration" on page 147).
High Level Overview of Event Identification
Events are detected by the SmartEvent Correlation Unit. The SmartEvent Correlation Unit scans logs for
criteria that match an Event Definition.
SmartEvent uses these procedures to identify these events:
Matching a Log Against Global Exclusions
When the SmartEvent Correlation Unit reads a log, it first checks the log against all defined Global
Exclusions. Global Exclusions (defined on the Policy tab > Event Policy > Global Exclusions) direct
SmartEvent to ignore logs that are not expected to contribute to an event.
If the log matches a Global Exclusion, it is discarded by the system. If not, the SmartEvent Correlation Unit
starts to match it against each Event Definition.
Matching a Log Against Each Event Definition
Each Event Definition contains a filter which is comprised of a number of criteria that must be found in all
matching logs. The criteria are divided by product: The Event Definition can include a number of different
products, but each product has its own criterion.
To match the Event Definition "A", a log from Endpoint Security must match the Action, Event Type, Port,
and Protocol values listed in the Endpoint Security column. A log from a Security Gateway must match the
values listed in its column.
SmartEvent divides this procedure into two steps. The SmartEvent Correlation Unit first checks if the
Product value in the log matches one of the permitted Product values of an Event Definition.
If Log 1 did not contain a permitted Product value, the SmartEvent Correlation Unit compares the log
against Event Definition "B", and so on. If the log fails to match against an Event Definition, it is discarded.
The SmartEvent Correlation Unit checks if the log contains the Product-specific criteria to match the Event
Definition. For example: The product Endpoint Security generates logs that involve the Firewall, Spyware,
Malicious Code Protection, and others. The log contains this information in the field Event Type. If an event
is defined to match on Endpoint Security logs with the event type Firewall, an Endpoint Security log with
Event Type "Spyware" fails against the Event Definition filter. Other criteria can be specified to the Product.
In our example, Log 1 matched Event Definition "A" with a permitted product value. The SmartEvent
Correlation Unit examines if the log contains the necessary criteria for an Endpoint Security log to match.
If the criteria do not match, the SmartEvent Correlation Unit continues to compare the log criteria to other
event definitions.
Creating an Event Candidate
When a log matches the criteria, it is added to an Event Candidate. Event candidates let SmartEvent track
logs until an event threshold is crossed, at which point an event is generated.
The logs can come from different log servers and be correlated in the same event.
The Event Candidate tracks logs until the criteria are met (the criteria are the number of logs in a declared
number of seconds).
Each Event Definition can have multiple event candidates, each of which keeps track of logs grouped by
equivalent properties. In the figure above the logs that create the event candidate have a common source
value. They are dropped, blocked or rejected by a Security Gateway. They are grouped together because
the Event Definition is designed to detect this type of activity that originates from one source. Depending on
the event declaration, if there is a grouping declaration on the source field, it will create a new event
candidate.
When a log matches the event definition, but has properties different than those of the existing event
candidates, a new event candidate is created. This event candidate is added to what can be thought of as
the Event Candidate Pool.
By default, SmartEvent creates a new event candidate for a log with a different source.
To customize the default behavior:
   1. Go to SmartEvent > Policy.
   2. Right-click an event and select Properties.
      The Edit Event Definition window opens.
   3. In the Count logs tab, click the options under Select the fields by which distinct Event Candidates
      will be created.
   4. In the Event Definition Wizard window, select the log fields and click OK.
As a further illustration, consider an event defined to detect a high rate of blocked connections. SmartEvent
tracks the number of blocked connections for each Security Gateway, and the logs of the blocked traffic at
each Security Gateway form an event candidate. When the threshold of blocked connection logs from a
Security Gateway is surpassed, that Security Gateway's event candidate becomes an event. While this
Event Definition creates one event candidate for each Security Gateway monitored, other Event Definitions
can create many more.
The Event Candidate Pool is a dynamic environment, with new logs added and older logs discarded when
they have exceeded an Event Definition time threshold.
Matching a Log Against Event Exclusion
Before SmartEvent generates an event for a specific event candidate, it checks whether the candidate's
attributes are listed in the exclusions table. Event Exclusions are defined on the Policy tab > Event Policy >
Event Exclusions according to the attributes selected.
If an attribute matches an Event Exclusion, it is discarded by the system (an event is not generated). If not,
the SmartEvent Correlation Unit starts to match it against each Event Definition.
Event Generation
When a candidate becomes an event, the SmartEvent Correlation Unit forwards the event to the Event
Database. Detecting an event does not mean that SmartEvent stops tracking logs related to it: the
SmartEvent Correlation Unit adds matching logs to the event as long as they continue to arrive during the
event threshold. Keeping the event open condenses what could appear as many instances of the same
event into one, and provides accurate, up-to-date information on the start and end time of the event.
Creating a User-Defined Event
To create New Event Definitions, right-click an existing Event Definition, or use the Actions menu:
 Right Click   Actions Menu       Description
 New           New Custom Event   Launches the Event Definition Wizard, which allows you to select how to base
                                  the event: on an existing Event Definition, or from scratch.
 Save As       Save Event As      Creates an Event Definition based on the properties of the highlighted Event
                                  Definition. When you select Save As, the system prompts you to save the
                                  selected Event Definition with a new name for later editing. Save As can also
                                  be accessed from the Properties window.
All User Defined Events are saved at Policy tab > Event Policy > User Defined Events. When an Event
Definition exists it can be modified through the Properties window, available by right-click and from the
Actions menu.
Creating a New Event Definition
You can edit all events, not only user-defined events. If you change a predefined event, the result is saved as
a new user-defined event.
To create a new event definition:
   1. From the Actions menu, select New Custom Event.
       The Event Definition Wizard opens.
   2. For Create an event
              a. Select that is based on an existing event.
              b. Select an event that has equivalent properties to the event you want to create.
              c. Click Next.
   3. Name the Event Definition.
   4. Enter a Description.
   5. Select a Severity level.
   6. Click Next.
   7. Set which of these options generates the event:
          -   A single log - Frequently depicts an event, such as a log from a virus scanner that reports that
              a virus has been found.
          -   Multiple logs - Required if the event can only be identified as a result of a combination of
              multiple logs, such as a High Connection Rate.
       Click Next.
   8. Examine the products that can cause this event.
  9. Select Next.
 10. Optional: Edit the product filters:
         -   If you added a product, you can edit the filters for each product (Edit all product filters), or
             those of the new products you added (Edit only newly selected product filters).
         -   If you did not add other products, edit the filters of existing products (Yes) or skip this step (No,
             Leave the original files).
      Click Next.
 11. Edit or add product filters for each log necessary in the Event Definition filter:
             a. Select the Log field from the available Log Field list.
             b. Click Add to edit the filter.
             c. Make sure that the filter matches on All Conditions or Any Conditions.
             d. Double-click the Log field and select the values to use in the filter.
      Click Next.
 12. When you have defined the filters for each product, select values for these options to define how
      to process logs:
             -   Detect the event when at least __ logs occurred over a period of __ seconds contains the
                 event thresholds that define the event. You can modify the event thresholds by altering the
                 number of logs and/or the period of time that define the event.
             -   Each event definition may have multiple Event Candidates existing simultaneously
                 allows you to set whether SmartEvent creates distinct Event Candidates based on a field (or
                 set of fields) that you select below.
                 Select the field(s) by which distinct Event Candidates will be created allows you to set
                 the field (or set of fields) that are used to differentiate between Event Candidates.
             -   Use unique values of the __ field when counting logs directs SmartEvent to count unique
                 values of the specified field when determining whether the Event Threshold has been
                 surpassed. When this property is not selected, SmartEvent counts the total number of logs
                 received.
 13. Click Finish.
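To make the Count logs options in step 12 concrete, and the Event Candidate Pool behaviour described in "High Level Overview of Event Identification", here is an added example that is not part of the guide or of the product: a small awk correlator over constructed connection logs that groups logs into candidates by a field, applies an "at least N logs in W seconds" threshold, optionally counts only unique values of a field, and ages logs out of the window. The log format, thresholds and column numbers are my own assumptions.

```shell
#!/bin/bash
# Added example (not Check Point's code): a toy correlator that mimics how SmartEvent
# builds Event Candidates. Constructed log lines, space separated:
#   <time-seconds> <source-ip> <destination-ip> <destination-port> <action>
# correlate N W GROUP_COL [UNIQUE_COL] reads logs in time order on stdin and prints
# one EVENT line the first time a candidate crosses the threshold.

SAMPLE_LOGS='1000 192.0.2.4 10.0.0.5 22 drop
1001 198.51.100.7 10.0.0.5 445 drop
1002 192.0.2.4 10.0.0.5 23 drop
1003 198.51.100.7 10.0.0.5 445 drop
1004 192.0.2.4 10.0.0.5 80 drop
1005 198.51.100.7 10.0.0.5 445 drop
1030 203.0.113.9 10.0.0.5 443 drop
1031 203.0.113.9 10.0.0.5 443 drop
1050 203.0.113.9 10.0.0.5 443 drop'

correlate() {
    awk -v N="$1" -v W="$2" -v G="$3" -v U="${4:-0}" '
    {
        now = $1 + 0
        key = $G                  # one Event Candidate per distinct value of the group field
        cnt[key]++                # append this log to that candidate
        t[key, cnt[key]] = now
        v[key, cnt[key]] = (U > 0) ? $U : ""

        # Discard logs that fell out of the W-second window (candidate pool ageing).
        while (head[key] + 1 <= cnt[key] && t[key, head[key] + 1] < now - W)
            head[key]++

        # Count the live logs, or only the distinct values of the unique field.
        split("", seen); n = 0
        for (i = head[key] + 1; i <= cnt[key]; i++) {
            if (U > 0) {
                if (!(v[key, i] in seen)) { seen[v[key, i]] = 1; n++ }
            } else {
                n++
            }
        }

        # Threshold crossed: the candidate becomes an event. It stays open for later
        # logs, so it is reported once per candidate rather than once per extra log.
        if (n >= N && !(key in fired)) {
            fired[key] = 1
            printf "EVENT key=%s logs=%d start=%s end=%s\n", key, n, t[key, head[key] + 1], now
        }
    }'
}

# Port-scan style definition: at least 3 logs in 10 s from one source (column 2),
# counting only unique destination ports (column 4). Only 192.0.2.4 qualifies;
# 198.51.100.7 hits the same port three times and is not counted as a scan.
port_scan_events() {
    printf '%s\n' "$SAMPLE_LOGS" | correlate 3 10 2 4
}

# Same threshold without the unique-value option: repeated hits on one port count,
# so 198.51.100.7 also becomes an event; 203.0.113.9 never has 3 logs within 10 s.
blocked_burst_events() {
    printf '%s\n' "$SAMPLE_LOGS" | correlate 3 10 2
}

if [ "${1:-}" = "--demo" ]; then
    port_scan_events
    blocked_burst_events
fi
```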
Customizing a User-Defined Event
Customizing a user-defined event:
  1. From the Policy tab > Event Policy > User Defined Events, right-click a User-Defined Event and
     select Properties.
  2. In the tabs provided, make the necessary changes:
             -   Name - Name the Event Definition, enter a Description and select a Severity level. The
                 text you enter in the Description field shows in the Event Description area (below the event
                 configurable properties).
             -   Filter - To edit a product filter:
                      a. Select the product.
                      b. Select the Log field from the available Log Fields list.
                      c. If the necessary field does not show, select Show more fields... to add a field to the
                         Log Fields list.
                      d. Click Add to edit the filter.
                      e. Select if the filter matches on All Conditions or Any Conditions.
             -   Count logs
                 This screen defines how SmartEvent counts logs related to this event.
                       -   A Single log - Frequently depicts an event, such as a log from a virus scanner that
                           reports that a virus is found.
                       -   With this option you can set the fields that are used to group events into Event
                           Candidates. Logs with matching values for these fields are added to the same
                           event. For example: Multiple logs that report a virus detected on the same source
                           with the same virus name are combined into the same event.
                       -   Multiple logs - Required for events that identify an activity level, such as a High
                           Connection Rate.
                       -   When the event is triggered by multiple logs, set the behavior of Event Candidates:
                       -   Detect the event when at least... - Set the Event Threshold that, when exceeded,
                           indicates that an event has occurred.
                       -   Select the field(s) by which distinct event candidates will be created - An event
                           is generated by logs with the same values in the fields specified here. To define
                           how logs are grouped into Event Candidates, select the related fields here.
                       -   Use unique values of the ... - Only logs with unique values for the fields specified
                           here are counted in the event candidate. For example: A port scan event counts
                           logs that include unique ports scanned. Logs that contain ports already
                           encountered in the event candidate do not increment the log count.
                       -   Advanced - Define the keep-alive time for the event, and how often the
                           SmartEvent Correlation Unit updates the SmartEvent Server with new logs for the
                           created event.
             -   Event Format
                 When an event is generated, information about the event is presented in the Event Detail
                 pane.
                 This screen lets you specify whether the information is added to the Event Detail pane and
                 from which Log Field the information is taken. If you clear a field in the Display column, that
                 Event Field is not populated.
             -   GUI representation
                 All events can be configured. This screen lets you select the configuration
                 parameters that show.
                       -   The Threshold section shows the number of logs that must match to create the
                           event. This is usually not shown for one-log events and shown for multiple-log
                           events.
                       -   The Exclude section lets you specify the log fields that show when you add an
                           event exclusion.
                       -   The Exception section lets you specify the log fields that show when you add an
                           event exception.
3. Click OK to save your changes.
Creating a Mail Reaction
 1. Select Add > Mail.
 2. Give the automatic reaction a meaningful name.
 3. Fill out the Mail Parameters of From, To and Cc.
 4. To add multiple recipients, separate the email addresses with semicolons.
    Note - The Subject field has the default variables [EventNumber] - [Severity] - [Name]. These
    variables automatically add the event number, severity and name of the event that triggered
    this reaction to the mail subject. You can remove these variables at your discretion.
 5. Optional: Include your own standard text for each mail reaction.
 6. Enter the domain name of the SMTP server.
 7. Select Save.
Creating a Block Source Reaction
 1. Select Add > Block Source.
 2. Give the automatic reaction a meaningful name.
 3. From the drop-down list, select the number of minutes to block this source.
 4. Select Save.
Creating a Block Event Activity Reaction
 1. Select Add > Block Event Activity.
 2. Give the automatic reaction a meaningful name.
 3. From the drop-down list, select the number of minutes to block the activity of this event.
 4. Select Save.
Creating an SNMP Trap Reaction
 1. Select Add > SNMP Trap.
 2. Give the automatic reaction a meaningful name.
 3. Fill out the SNMP Trap parameters: Host, Message, OID and Community name.
    The send_snmp command uses values from the file chkpnt.mib in the directory
    $CPDIR/lib/snmp/. An OID used in the SNMP Trap parameters window must be defined in
    chkpnt.mib or in a file that it references. If the OID field is left blank, the value is taken from
    iso.org.dod.internet.private.enterprises.checkpoint.products.fw.fwEvent =
    1.3.6.1.4.1.2620.1.1.11.
    When the automatic reaction runs, the SNMP Trap is sent as a 256 byte DisplayString text.
    If the type of the OID is not a text type, the message is not sent.
 4. Select Save.
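The following is an added example, not Check Point's send_snmp code: it builds the SNMPv2c trap an SNMP Trap reaction sends, applying the rules above. The OID must be declared in the MIB with a text (DisplayString) syntax or nothing is sent, and a blank OID falls back to fwEvent (1.3.6.1.4.1.2620.1.1.11). MIB_TYPES is a constructed stand-in for the MIB file under $CPDIR/lib/snmp/; using the event OID itself as the snmpTrapOID.0 value, the 255 byte cap (the SMIv2 DisplayString size limit) and the hypothetical send_trap helper are assumptions of this example, not documented behavior.

```python
"""Added example (not Check Point code): SNMPv2c trap builder for an SNMP Trap reaction.
MIB_TYPES is a constructed stand-in for the MIB file; the snmpTrapOID.0 choice is assumed."""
import socket
from typing import Optional

FW_EVENT_OID = "1.3.6.1.4.1.2620.1.1.11"    # default from the guide (...checkpoint.products.fw.fwEvent)
SYS_UPTIME_0 = "1.3.6.1.2.1.1.3.0"          # mandatory first varbind of an SNMPv2 trap
SNMP_TRAP_OID_0 = "1.3.6.1.6.3.1.1.4.1.0"   # mandatory second varbind
MAX_DISPLAYSTRING = 255                      # SMIv2 DisplayString is SIZE (0..255) (assumed cap)

# Constructed stand-in for the syntax a MIB declares per OID (sysUpTime really is TimeTicks)
MIB_TYPES = {FW_EVENT_OID: "DisplayString", "1.3.6.1.2.1.1.3": "TimeTicks"}


def _length(n: int) -> bytes:
    """BER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + _length(len(content)) + content


def _int(value: int, tag: int = 0x02) -> bytes:
    """Non-negative INTEGER (or TimeTicks with tag 0x43) in minimal two's-complement form."""
    return _tlv(tag, value.to_bytes((value.bit_length() + 8) // 8, "big"))


def _oid(dotted: str) -> bytes:
    """OBJECT IDENTIFIER: first two arcs merged, the rest in base-128 with continuation bits."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        body.extend(chunk)
    return _tlv(0x06, bytes(body))


def build_trap(community: str, message: str, oid: str = "",
               uptime_ticks: int = 0, request_id: int = 1) -> Optional[bytes]:
    """Return the encoded trap, or None when the OID's MIB syntax is not a text type."""
    oid = oid or FW_EVENT_OID                       # blank OID field: use fwEvent
    if MIB_TYPES.get(oid) != "DisplayString":
        return None                                 # non-text OID: message is not sent
    text = message.encode("utf-8")[:MAX_DISPLAYSTRING]
    varbinds = _tlv(0x30, (
        _tlv(0x30, _oid(SYS_UPTIME_0) + _int(uptime_ticks, 0x43))
        + _tlv(0x30, _oid(SNMP_TRAP_OID_0) + _oid(oid))     # assumption: event OID as trap OID
        + _tlv(0x30, _oid(oid) + _tlv(0x04, text))))       # the message as an OCTET STRING
    pdu = _tlv(0xA7, _int(request_id) + _int(0) + _int(0) + varbinds)   # [7] SNMPv2-Trap-PDU
    return _tlv(0x30, _int(1) + _tlv(0x04, community.encode("utf-8")) + pdu)  # version 1 = v2c


def send_trap(host: str, packet: bytes, port: int = 162) -> None:
    """Hypothetical helper: deliver a built trap by UDP (not exercised offline)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.sendto(packet, (host, port))


if __name__ == "__main__":
    trap = build_trap("public", "[1234] - High - Port scan from internal network")
    print(trap.hex())
```

Decoding the output with any SNMP tool (for example `snmptrapd` with a matching community) shows the three varbinds; passing a non-text OID such as sysUpTime returns None, which is the behavior the guide describes for the reaction.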
Eliminating False Positives
Services that Generate Events
Some services generate a high volume of traffic that can be misidentified as events. These are
examples of services and protocols that can generate false positive events:
   n   Software that does a routine scan of the network to make sure that everything runs correctly.
       Configure SmartEvent to exclude this source from the scan events to remove this source of
       false positives.
   n   A high connection rate on a busy web server. Configure SmartEvent to allow a higher
       connection rate per minute for that server, or exclude the server from the relevant event.
Common Events by Service
The table below lists server types for which high activity is normal, and the events this activity
commonly triggers. To reduce false positives, adjust the thresholds of these events in the Event
Policy and add Exclusions for the listed servers and services.
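The following is an added example, not Check Point's Correlation Unit code. It models the Event Candidate settings described under "Creating a User-Defined Event" (threshold, distinct-by fields, unique-value field, keep-alive) together with the two false-positive controls this section recommends: an Exclusion for an authorized network scanner and a raised threshold for a busy server. The log records, field names, addresses, the per-key `threshold_overrides` setting and the event definitions are constructed for this example.

```python
"""Added example (not Check Point code): a minimal Correlation Unit that turns matching
logs into Event Candidates and events. Logs, fields and addresses are constructed."""
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple


@dataclass
class EventDefinition:
    name: str
    match: Callable[[dict], bool]            # which logs feed this event
    threshold: int                           # "Detect the event when at least ..." logs
    keep_alive: int                          # seconds a candidate stays open after its last log
    distinct_by: Tuple[str, ...]             # fields that split logs into separate candidates
    unique_field: Optional[str] = None       # "Use unique values of the ..." field
    exclusions: Tuple[Tuple[str, str], ...] = ()   # (field, value): such logs are never counted
    threshold_overrides: Dict[tuple, int] = field(default_factory=dict)  # assumed per-key tuning


@dataclass
class Candidate:
    first_seen: int
    last_seen: int
    count: int = 0
    seen: set = field(default_factory=set)   # unique_field values already counted
    fired: bool = False


class CorrelationUnit:
    def __init__(self, definitions: List[EventDefinition]):
        self.definitions = definitions
        self.candidates: Dict[str, Dict[tuple, Candidate]] = defaultdict(dict)
        self.events: List[dict] = []

    def feed(self, log: dict) -> List[dict]:
        """Correlate one log; return the events it caused (usually none)."""
        fired = []
        now = log["time"]
        for d in self.definitions:
            if not d.match(log) or any(log.get(f) == v for f, v in d.exclusions):
                continue
            key = tuple(log.get(f) for f in d.distinct_by)
            cand = self.candidates[d.name].get(key)
            if cand is None or now - cand.last_seen > d.keep_alive:
                cand = Candidate(first_seen=now, last_seen=now)   # new, or keep-alive expired
                self.candidates[d.name][key] = cand
            cand.last_seen = now
            if d.unique_field is not None:
                value = log.get(d.unique_field)
                if value in cand.seen:
                    continue                                      # repeat value: not counted
                cand.seen.add(value)
            cand.count += 1
            if cand.count >= d.threshold_overrides.get(key, d.threshold) and not cand.fired:
                cand.fired = True                                 # fire once per candidate
                event = {"name": d.name, "key": dict(zip(d.distinct_by, key)),
                         "count": cand.count, "first_seen": cand.first_seen, "last_seen": now}
                self.events.append(event)
                fired.append(event)
        return fired


PORT_SCAN = EventDefinition(
    name="Port scan from internal network",
    match=lambda log: log["action"] == "drop",
    threshold=5, keep_alive=60,
    distinct_by=("src",), unique_field="dport",
    exclusions=(("src", "10.0.0.9"),),                # assumed: the authorized vulnerability scanner
)

HIGH_RATE = EventDefinition(
    name="High connection rate on internal host on service",
    match=lambda log: log["action"] == "accept",
    threshold=4, keep_alive=60,
    distinct_by=("dst", "service"),
    threshold_overrides={("10.0.0.53", "DNS"): 50},   # assumed: busy DNS server, raised threshold
)


def sample_logs() -> List[dict]:
    """Constructed firewall logs: one real scan, one excluded scanner, two busy servers."""
    logs, t = [], 1000

    def add(src, dst, dport, service, action):
        nonlocal t
        logs.append({"time": t, "src": src, "dst": dst, "dport": dport,
                     "service": service, "action": action})
        t += 1

    for dport in (22, 22, 22, 80, 443, 8080, 3389):   # port 22 repeats: counted once
        add("10.0.0.5", "10.0.0.20", dport, "tcp", "drop")
    for dport in range(1, 11):                        # excluded source: never counted
        add("10.0.0.9", "10.0.0.21", dport, "tcp", "drop")
    for i in range(6):                                # 6 connections < raised threshold of 50
        add(f"10.0.1.{i}", "10.0.0.53", 53, "DNS", "accept")
    for i in range(4):                                # reaches the default threshold of 4
        add(f"10.0.2.{i}", "10.0.0.80", 80, "HTTP", "accept")
    return logs


def run() -> List[dict]:
    cu = CorrelationUnit([PORT_SCAN, HIGH_RATE])
    for log in sample_logs():
        cu.feed(log)
    return cu.events


if __name__ == "__main__":
    for ev in run():
        print(ev)
```

Running it yields exactly two events: the port scan from 10.0.0.5 (five unique ports out of seven logs) and the high connection rate on 10.0.0.80. The excluded scanner 10.0.0.9 produces nothing even though it touched ten ports, and the DNS server stays quiet under its raised threshold; that is the effect the Exclusions and threshold changes in this section are meant to have.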
Common events by service
Server Type | Category | Event Name | Source | Dest | Service | Reason
SNMP | Scans | IP sweep from internal network | Any | Any | SNMP-read | Hosts that query other hosts
DNS Servers | Scans | IP sweep from internal network | DNS servers | - | DNS | Inter-DNS server updates
DNS Servers | Denial of Service (DoS) | High connection rate on internal host on service | Any | DNS servers | DNS | DNS requests and inter-DNS server updates
DNS Servers | Anomalies | High connection rate from internal network | Any | Any | DNS | DNS requests and inter-DNS server updates
DNS Servers | Anomalies | High connection rate from internal network on service | Any | Any | DNS | DNS requests and inter-DNS server updates
DNS Servers | Anomalies | Abnormal activity on service | Any | Any | DNS | DNS requests and inter-DNS server updates
NIS Servers | Scans | Port scan from internal network | NIS servers | Any | - | Multiple NIS queries
NIS Servers | Denial of Service (DoS) | High connection rate on internal host on service | Any | NIS servers | NIS | NIS queries
NIS Servers | Anomalies | High connection rate from internal network | Any | Any | NIS | NIS queries
NIS Servers | Anomalies | High connection rate from internal network on service | Any | Any | NIS | NIS queries
NIS Servers | Anomalies | Abnormal activity on service | Any | Any | NIS | NIS queries
LDAP Servers | Denial of Service (DoS) | High connection rate on internal host on service | Any | LDAP servers | LDAP | LDAP requests
LDAP Servers | Anomalies | High connection rate from internal network | Any | LDAP servers | LDAP | LDAP requests
LDAP Servers | Anomalies | High connection rate from internal network on service | Any | LDAP servers | LDAP | LDAP requests
LDAP Servers | Anomalies | Abnormal activity on service | Any | LDAP servers | LDAP | LDAP requests
HTTP Proxy Servers - Hosts to Proxy Server | Denial of Service (DoS) | High connection rate on internal host on service | Any | Proxy servers | HTTP:8080 | Host connections to Proxy servers
HTTP Proxy Servers - Hosts to Proxy Server | Anomalies | High connection rate from internal network | Any | Proxy servers | HTTP:8080 | Host connections to Proxy servers
HTTP Proxy Servers - Hosts to Proxy Server | Anomalies | High connection rate from internal hosts on service | Any | Proxy servers | HTTP:8080 | Host connections to Proxy servers
HTTP Proxy Servers - Hosts to Proxy Server | Anomalies | Abnormal activity on service | Any | Proxy servers | HTTP:8080 | Host connections to Proxy servers
HTTP Proxy Servers - Out to the Web | Scans | IP sweep from internal network | Proxy servers | Any | HTTP/HTTPS | Proxy server connections out to various sites
HTTP Proxy Servers - Out to the Web | Denial of Service (DoS) | High connection rate on internal host on service | Proxy servers | Any | HTTP/HTTPS | Proxy server connections out to various sites
HTTP Proxy Servers - Out to the Web | Anomalies | High connection rate from internal network | Proxy servers | Any | HTTP/HTTPS | Proxy server connections out to various sites
HTTP Proxy Servers - Out to the Web | Anomalies | High connection rate from internal hosts on service | Proxy servers | Any | HTTP/HTTPS | Proxy server connections out to various sites
HTTP Proxy Servers - Out to the Web | Anomalies | Abnormal activity on service | Proxy servers | Any | HTTP/HTTPS | Proxy server connections out to various sites
UFP Servers | Denial of Service (DoS) | High connection rate on internal host on service | Any | UFP servers | Any/UFP by vendor | Firewall connections to UFP servers
UFP Servers | Anomalies | High connection rate from internal network | Any | UFP servers | Any/UFP by vendor | Firewall connections to UFP servers
UFP Servers | Anomalies | High connection rate from internal hosts on service | Any | UFP servers | Any/UFP by vendor | Firewall connections to UFP servers
UFP Servers | Anomalies | Abnormal activity on service | Any | UFP servers | Any/UFP by vendor | Firewall connections to UFP servers
CVP Servers - Request | Denial of Service (DoS) | High connection rate on internal host on service | Any | CVP servers | Any/CVP by vendor | Firewall connections to CVP servers
CVP Servers - Request | Anomalies | High connection rate from internal network | Any | CVP servers | Any/CVP by vendor | Firewall connections to CVP servers
CVP Servers - Request | Anomalies | High connection rate from internal hosts on service | Any | CVP servers | Any/CVP by vendor | Firewall connections to CVP servers
CVP Servers - Request | Anomalies | Abnormal activity on service | Any | CVP servers | Any/CVP by vendor | Firewall connections to CVP servers
CVP Servers - Replies | Scans | Port scans from internal network | CVP servers | Any | - | Multiple CVP replies to the same Gateway
CVP Servers - Replies | Scans | IP sweep from internal network | CVP servers | - | CVP | CVP replies to multiple Gateways
CVP Servers - Replies | Denial of Service (DoS) | High connection rate on internal host on service | CVP servers | Any | Any/CVP by vendor | CVP replies
CVP Servers - Replies | Anomalies | High connection rate from internal network | CVP servers | Any | Any/CVP by vendor | CVP replies
CVP Servers - Replies | Anomalies | High connection rate from internal hosts on service | CVP servers | Any | Any/CVP by vendor | CVP replies
CVP Servers - Replies | Anomalies | Abnormal activity on service | CVP servers | Any | Any/CVP by vendor | CVP replies
UA Servers - Request | Denial of Service (DoS) | High connection rate on internal host on service | Any | UA servers | uas-port (TCP:19191, TCP:19194) | Connections to UA servers
UA Servers - Request | Anomalies | High connection rate from internal network | Any | UA servers | uas-port (TCP:19191, TCP:19194) | Connections to UA servers
UA Servers - Request | Anomalies | High connection rate from internal hosts on service | Any | UA servers | uas-port (TCP:19191, TCP:19194) | Connections to UA servers
UA Servers - Request | Anomalies | Abnormal activity on service | Any | UA servers | uas-port (TCP:19191, TCP:19194) | Connections to UA servers
UA Servers - Replies | Scans | Port scans from internal network | UA servers | Any | - | Multiple UA replies to the same computer
UA Servers - Replies | Scans | IP sweep from internal network | UA servers | Any | uas-port (TCP:19191, TCP:19194) | Multiple UA replies to multiple computers
UA Servers - Replies | Denial of Service (DoS) | High connection rate on internal host on service | UA servers | Any | uas-port (TCP:19191, TCP:19194) | UA replies
UA Servers - Replies | Anomalies | High connection rate from internal network | UA servers | Any | uas-port (TCP:19191, TCP:19194) | UA replies
UA Servers - Replies | Anomalies | High connection rate from internal hosts on service | UA servers | Any | uas-port (TCP:19191, TCP:19194) | UA replies
UA Servers - Replies | Anomalies | Abnormal activity on service | UA servers | Any | uas-port (TCP:19191, TCP:19194) | UA replies
SMTP Servers | Scans | IP sweep from internal network | SMTP servers | - | SMTP | SMTP server connections out to various SMTP servers
SMTP Servers | Denial of Service (DoS) | High connection rate on internal host on service | SMTP servers | Any | SMTP | SMTP server connections out to various SMTP servers
SMTP Servers | Anomalies | High connection rate from internal network | SMTP servers | Any | SMTP | SMTP server connections out to various SMTP servers
SMTP Servers | Anomalies | High connection rate from internal hosts on service | SMTP servers | Any | SMTP | SMTP server connections out to various SMTP servers
SMTP Servers | Anomalies | Abnormal activity on service | SMTP servers | Any | SMTP | SMTP server connections out to various SMTP servers
Anti-Virus Definition Servers | Scans | IP sweep from internal network | AV_Defs servers | - | Any/AV by vendor | Anti-Virus definition updates deployment
Anti-Virus Definition Servers | Denial of Service (DoS) | High connection rate on internal host on service | AV_Defs servers | - | Any/AV by vendor | Anti-Virus definition updates deployment
Anti-Virus Definition Servers | Anomalies | High connection rate from internal network | AV_Defs servers | - | Any/AV by vendor | Anti-Virus definition updates deployment
Anti-Virus Definition Servers | Anomalies | High connection rate from internal hosts on service | AV_Defs servers | - | Any/AV by vendor | Anti-Virus definition updates deployment
Anti-Virus Definition Servers | Anomalies | Abnormal activity on service | AV_Defs servers | - | Any/AV by vendor | Anti-Virus definition updates deployment
System Administration
To maintain your SmartEvent system, you can do these tasks from the General Settings section of the
Policy tab:
   n   Add a SmartEvent Correlation Unit and Log Servers
   n   Create offline jobs that analyze historical log files (see "Importing Offline Log Files" on page 50).
   n   Add objects to the Internal Network
   n   Create scripts to run as Automatic Reactions for certain events (see "Creating an External Script
       Automatic Reaction" on page 149)
   n   Create objects for use in filters
Adding Network and Host Objects
Network Objects are the objects synchronized from the Management Server object database, plus any
additional objects you define in SmartEvent. The objects from the Management Server are added to
SmartEvent during the initial sync and updated at set intervals.
As a best practice, use SmartConsole to add new network or host objects to the Management Server.
You cannot define the Internal Network until the initial sync is complete.
To add a host or network object to SmartEvent:
   1. From the Policy tab, select General Settings > Objects > Network Objects > Add > Host or
      Add > Network.
   2. Give the object a meaningful name.
   3. For a host, enter the IP Address or select Get Address.
   4. For a network object, enter the Network Address and Net Mask.
   5. Select OK.
Defining the Internal Network
To help SmartEvent determine whether events originated internally or externally, you must define the Internal
Network. These are the options for calculating the traffic direction:
   n   Incoming - All the sources are external to the network and all destinations are internal.
   n   Outgoing - All sources are in the network and all destinations are external.
   n   Internal - Sources and destinations are all in the network.
   n   Other - A mixture of internal and external values makes the result indeterminate.
To define the Internal Network:
   1. From the Policy tab, select General Settings > Initial Settings > Internal Network.
   2. Add internal objects.
       We recommend you add all internal Network objects, and not Host objects.
Some network objects are copied from the Management server to the SmartEvent Server during the
initial sync and updated afterwards.
Note - You cannot define the Internal Network until the initial sync is complete.
Creating an External Script Automatic Reaction
To add an External Script:
   1. Create the script.
   2. Put the script on the SmartEvent Server:
          a. In $RTDIR/bin, create the folder ext_commands:
              mkdir $RTDIR/bin/ext_commands
          b. Put the script in $RTDIR/bin/ext_commands/ or in a folder under that location.
              The path and script name must not contain any spaces.
          c. Give the script executable permissions:
              chmod +x $RTDIR/bin/ext_commands/<script_filename>
   3. In the SmartEvent GUI client Policy tab, in Automatic Reactions, select Add > External Script.
   4. In the Add Automatic Reaction window:
          a. Give the automatic reaction object a significant name.
          b. In Command line, enter the name of the script to run.
              Specify the name of the script that is in $RTDIR/bin/ext_commands/ directory.
              Use the relative path if needed.
              Do not specify the full path of $RTDIR/bin/ext_commands/.
          c. Select Save.
Guidelines for creating the script
   n   Run the script manually and make sure it works as expected.
   n   Make sure the script runs for no longer than 10 minutes, otherwise it will be terminated by the
       SmartEvent Server.
   n   Use the event fields in the script:
       To refer to the event in the script, read it from standard input into this environment variable:
       EVENT=$(cat)
       and then use $EVENT.
       Use text-processing commands such as awk or sed to parse the event and refer to specific fields. You can print
       $EVENT one time to see its format.
       The format of the event content is a name-value set, a structured set of fields that have the form:
       (name: value ;* );
       where name is a string and value is either free text up to a semicolon, or a nested name-value set.
       This is a sample event:
        (Name: Check Point administrator credential guessing; RuleID:
        {F182D6BC-A0AA-444a-9F31-C0C22ACA2114}; Uuid:
        <42135c9c,00000000,2e1510ac,131c07b6>; NumOfUpdates: 0; IsLast: 0;
        StartTime: 16Feb2015 16:45:45; EndTime: Not Completed; DetectionTime:
        16Feb2015 16:45:48; LastUpdateTime: 0; TimeInterval: 600;
        MaxNumOfConnections: 3; TotalNumOfConnections: 3; DetectedBy:
        2886735150;
        Origin: (IP: 192.0.2.4; repetitions: 3; countryname: United States;
        hostname: theHost) ; ProductName: SmartDashboard; User: XYZ; Source:
        (hostname: theHost; repetitions: 3; IP: 192.0.2.4; countryname: United
        States) ; Severity: Critical; EventNumber: EN00000184; State: 0;
        NumOfRejectedConnections: 0; NumOfAcceptedConnections: 0) ;
If you need to add more fields to the event:
  1. In the SmartEvent GUI client, in the Policy tab, right-click the event, and select Properties > Event
     Format tab.
  2. In the Display column, select the Event fields to have in the Event.
  3. Install the Event Policy on the SmartEvent Correlation Unit.
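As an added example, not from the guide, here is a complete ext_commands script that follows the guidelines above: it reads the event from standard input, flattens the wrapped text, extracts top-level and nested fields with sed, and forwards a one-line summary to the local syslog with logger. The script filename, the syslog tag and facility, and the severity-to-priority mapping are assumptions; the embedded sample is the guide's own sample event, kept so the script can be run manually as the guidelines recommend.

```shell
#!/bin/sh
# Example External Script Automatic Reaction for the SmartEvent Server.
# Deploy (assumed filename) as: $RTDIR/bin/ext_commands/ext_syslog_reaction.sh
# SmartEvent pipes the event text to the script on standard input; the script
# parses the name-value set with sed and forwards a one-line summary to syslog.

# field_value TEXT NAME
# Prints the value of the scalar field NAME from a flattened (single-line)
# name-value set. A scalar value runs until the next ';' or the closing ')'.
# For a field whose value is a nested set (Source, Origin), use set_body first.
field_value() {
    printf ';%s;' "$1" | sed -n "s/.*[(;] *$2: *\([^;)]*\)[;)].*/\1/p" | sed 's/ *$//'
}

# set_body TEXT NAME
# Prints the inner text of the nested set NAME, i.e. the part between its
# parentheses. Handles one level of nesting, which is what the event format uses.
set_body() {
    printf ';%s' "$1" | sed -n "s/.*[(;] *$2: *(\([^)]*\)).*/\1/p"
}

# flatten EVENT: join the wrapped event text into one line so sed sees every field.
flatten() {
    printf '%s' "$1" | tr '\n' ' ' | tr -s ' '
}

# summarize EVENT
# Prints: EventNumber|Severity|Name|SourceIP|SourceHost|Repetitions
summarize() {
    flat=$(flatten "$1")
    src=$(set_body "$flat" Source)
    printf '%s|%s|%s|%s|%s|%s\n' \
        "$(field_value "$flat" EventNumber)" \
        "$(field_value "$flat" Severity)" \
        "$(field_value "$flat" Name)" \
        "$(field_value "$src" IP)" \
        "$(field_value "$src" hostname)" \
        "$(field_value "$src" repetitions)"
}

# severity_priority SEVERITY
# Maps the event Severity to a syslog priority level (the mapping is an
# assumption for this example; unknown values fall back to "notice").
severity_priority() {
    case "$1" in
        Critical) echo crit ;;
        High)     echo err ;;
        Medium)   echo warning ;;
        Low)      echo info ;;
        *)        echo notice ;;
    esac
}

# The guide's own sample event, embedded for the manual test the guidelines ask for.
SAMPLE_EVENT='(Name: Check Point administrator credential guessing; RuleID:
{F182D6BC-A0AA-444a-9F31-C0C22ACA2114}; Uuid:
<42135c9c,00000000,2e1510ac,131c07b6>; NumOfUpdates: 0; IsLast: 0;
StartTime: 16Feb2015 16:45:45; EndTime: Not Completed; DetectionTime:
16Feb2015 16:45:48; LastUpdateTime: 0; TimeInterval: 600;
MaxNumOfConnections: 3; TotalNumOfConnections: 3; DetectedBy: 2886735150;
Origin: (IP: 192.0.2.4; repetitions: 3; countryname: United States;
hostname: theHost) ; ProductName: SmartDashboard; User: XYZ; Source:
(hostname: theHost; repetitions: 3; IP: 192.0.2.4; countryname: United
States) ; Severity: Critical; EventNumber: EN00000184; State: 0;
NumOfRejectedConnections: 0; NumOfAcceptedConnections: 0) ;'

main() {
    EVENT=$(cat)                        # the event arrives on standard input
    summary=$(summarize "$EVENT")
    prio=$(severity_priority "$(printf '%s' "$summary" | cut -d'|' -f2)")
    # Tag and facility are assumptions; adjust them to the local syslog policy.
    logger -t smartevent_reaction -p "local0.$prio" -- "$summary"
}

# Run main only when executed under the deployed filename, so the functions can
# also be sourced for testing (e.g. printf '%s' "$SAMPLE_EVENT" | ./ext_syslog_reaction.sh).
case "$0" in
    */ext_syslog_reaction.sh|ext_syslog_reaction.sh) main ;;
esac
```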
Monitoring Traffic and Connections
SmartView Monitor gives you a complete picture of network and security performance. Use it to respond
quickly and efficiently to changes in Security Gateways, tunnels, remote users and traffic flow patterns or
security activities.
SmartView Monitor is a high-performance network and security analysis system. This system helps you to
establish work habits based on learned system resource patterns. Based on Check Point Security
Management Architecture, SmartView Monitor provides a single, central interface, to monitor network
activity and performance of Check Point Software Blades.
How SmartView Monitor Works
Data for the status of all Security Gateways in the system is collected by the Security Management Server
and viewed in SmartView Monitor.
The data shows status for:
   n   Check Point Security Gateways
   n   OPSEC Gateways
   n   Check Point Software Blades
Gateway Status is the SmartView Monitor view that shows all component status information.
A Gateway Status view shows a snapshot of all Software Blades, such as VPN and ClusterXL, and third
party products (for example, OPSEC Gateways).
Gateway Status is similar in operation to the SNMP daemon that provides a mechanism to get data about
Gateways in the system.
SIC is initialized between the Security Gateways (3) (local and remote) and the Security Management Server
(2). The Security Management Server then gets status data from the Software Blades with the AMON
(Application Monitoring) protocol. SmartView Monitor (1) gets the data from the Security Management
Server.
AMON Protocol Support
The Security Management Server acts as an AMON client. It collects data about installed Software Blades.
Each Security Gateway, or any other OPSEC Gateway that runs an AMON server, acts as the AMON server.
The Gateway requests status updates from other components, such as the Firewall kernel and network
servers. Status is fetched at a defined interval.
An alternate source for status collection can be any AMON client, such as an OPSEC partner, which uses
the AMON protocol.
The AMON protocol is SIC-based. It can collect data only after SIC is initialized.
Defining Status Fetch Frequency
The Security Management Server collects status data from the Security Gateways on a defined interval. The
default is 60 seconds.
To set the Status Fetching Interval:
   1. Open SmartConsole.
   2. Open Global Properties > Log and Alert > Time Settings.
   3. Enter the number of seconds in Status fetching interval.
To Start Monitoring
To open the monitoring views in SmartConsole:
  1. From the Gateways & Servers view, select a Security Gateway.
  2. Click Monitor.
     The Device and License information window opens and shows:
         n   Device Status
         n   License Status
         n   System Counters
         n   Traffic
To open SmartView Monitor:
  1. Open SmartConsole > Logs & Monitor.
  2. Open the catalog (new tab).
  3. Click Tunnel & User Monitoring.
SmartView Monitor Features
SmartView Monitor allows administrators to easily configure and monitor different aspects of network
activities. You can see graphical views from an integrated, intuitive interface.
Defined views include the most frequently used traffic, counter, tunnel, Security Gateway, and remote user
information. For example, Check Point System Counters collect information on the status and activities of
Check Point products (for example, VPN or NAT). With custom or defined views, administrators can drill
down into the status of a specified Security Gateway and/or a segment of traffic. That way, administrators
identify top bandwidth hosts that can influence network performance. If suspicious activity is detected,
administrators can immediately apply a Firewall rule to the applicable Security Gateway to block that
activity. These Firewall rules can be created dynamically through the graphical interface and be set to expire
after a specified time period.
You can generate Real-time and historical graphical reports of monitored events. This provides a
comprehensive view of Security Gateways, tunnels, remote users, network, security, and performance over
time.
The monitoring views show real-time and historical graphical views of:
   n   Gateway status
   n   Remote users (SmartView Monitor only)
   n   System Counters
   n   VPN tunnel monitoring (SmartView Monitor only)
   n   Cooperative Enforcement, for Endpoint Security Servers
   n   Traffic
In SmartView Monitor, you can create customized monitoring views.
SmartView Monitor Use Cases
Use SmartView Monitor to:
   n   Create a Traffic view and report to identify the reasons for slow internet access. The view can be
       based on an inspection of specific Services, Firewall rules, or Network Objects that are known to
       impede the flow of internet traffic. If the SmartView Monitor Traffic view indicates that users
       aggressively use such Services or Network Objects (for example, Peer to Peer applications or HTTP),
       the cause of the slow internet access is determined. If aggressive use is not the cause, the network
       administrator has to look at other avenues. For instance, performance degradation can be the result
       of memory overload.
   n   Create a report to determine why employees who work away from the office cannot connect to the
       network. The view can be based on CPU Use %, to collect information about the status, activities, and
       hardware and software use of Check Point products in real time. The SmartView Monitor Counter
       view can indicate that there are more failures than successes. Perhaps the company cannot
       accommodate the number of employees that try to log on at the same time?
Immediate Actions
If the status shows an issue, you can act on that network object.
For example:
   n   Disconnect client - Disconnect one or more of the connected SmartConsole clients.
   n   Start/Stop cluster member - You can see all Cluster Members of a Cluster in SmartView Monitor.
       You can start or stop a selected Cluster Member.
   n   Suspicious Action Rules - You can block suspicious network activity while you investigate the real
       risk, or quickly block an obvious intruder.
Monitoring and Handling Alerts
Alerts provide real-time information about possible security threats, and how to avoid, minimize, or recover
from the damage. The administrator can define alerts to be sent for different Security Gateways and for
certain policies or properties.
The Security Gateways send alerts to the Security Management Server. The Security Management Server
forwards these alerts to SmartView Monitor. By default, an alert is sent as a pop-up message to the
administrator desktop when a new alert arrives at SmartView Monitor.
You can set global alert parameters for all Security Gateways in the system, or specify an action to send an
alert for a particular Security Gateway.
Alerts are sent when:
   n   Rules or attributes which are set to be tracked as alerts are matched by a passing connection.
   n   System events (also called System Alerts) are configured to cause an alert when different predefined
       thresholds are surpassed.
System Alerts are sent for predefined system events or for important situation updates, for example, if free
disk space is less than 10% or if a security policy is changed. System Alerts can also be defined for each
product. For example, you can define other System Alerts for Check Point QoS.
Viewing Alerts
Alert commands are set in SmartConsole > Global Properties > Log and Alert > Alerts page. The Alerts in
this window apply only to Security Gateways.
To see alerts:
   1. Open SmartConsole > Logs & Monitor view > External Apps.
   2. Click Tunnel & User Monitoring.
       SmartView Monitor opens.
   3. Click the Alerts icon in the toolbar.
       The Alerts window opens. Use this window to monitor or delete alerts.
System Alert Monitoring Mechanism
The Check Point Security Management Server System Alert monitoring mechanism uses the defined
System Alert thresholds. If a threshold is reached, it activates the defined action.
To activate System Alert monitoring:
Go to Tools > Start System Alert Daemon.
To stop the System Alert monitoring:
Go to Tools > Stop System Alert Daemon.
Monitoring Suspicious Activity Rules
Suspicious Activity Monitoring (SAM) is a utility integrated in SmartView Monitor. It blocks activities that you
see in the SmartView Monitor results and that appear to be suspicious. For example, you can block a user
who tries several times to gain unauthorized access to a network or internet resource.
A Security Gateway with SAM enabled has Firewall rules to block suspicious connections that are not
restricted by the security policy. These rules are applied immediately (policy installation is not required).
The Need for Suspicious Activity Rules
Connections between enterprise and public networks are a security challenge as they leave the network and
its applications open to attack. You must be able to inspect and identify all inbound and outbound network
activity and decide if it is suspicious.
Creating a Suspicious Activity Rule
SAM rules use CPU resources. Therefore, set an expiration time so you can inspect traffic but not negatively
affect performance.
If you confirm that an activity is risky, edit the Security Policy, educate users, or handle the risk.
You can block suspicious activity based on source, destination, or service.
To block an activity:
   1. In the SmartView Monitor, click the Suspicious Activity Rules icon in the toolbar.
       The Enforced Suspicious Activity Rules window opens.
   2. Click Add.
       The Block Suspicious Activity window opens.
   3. In Source and in Destination, select IP or Network:
           n   To block all sources or destinations that match the other parameters, enter Any.
           n   To block one suspicious source or destination, enter an IP Address and Network Mask.
   4. In Service:
           n   To block all connections that fit the other parameters, enter Any.
           n   To block one suspicious service or protocol, click the button and select a service from the
               window that opens.
   5. In Expiration, set a time limit.
   6. Click Enforce.
To create an activity rule based on TCP or UDP use:
   1. In the Block Suspicious Activity window, click Service.
       The Select Service window opens.
   2. Click Custom Service.
   3. Select TCP or UDP.
   4. Enter the port number.
   5. Click OK.
To define SmartView Monitor actions on rule match:
   1. In the Block Suspicious Activity window, click Advanced.
      The Advanced window opens.
   2. In Action, select the Firewall action for SmartView Monitor to do on rule match:
          n   Notify - Send a message about the activity, but do not block it.
          n   Drop - Drop packets, but do not send a response. The connection will time out.
          n   Reject - Send an RST packet to the source and close the connection.
   3. In Track, select No Log, Log or Alert.
   4. If the action is Drop: To close the connection immediately on rule match, select Close connections.
   5. Click OK.
Creating a Suspicious Activity Rule from Results
If you monitor traffic and see a suspicious result, you can create a SAM rule immediately from the results.
Note - You can only create a Suspicious Activity rule for Traffic views with data about the Source or
Destination (Top Sources, Top P2P Users, and so on).
To create a SAM rule:
   1. In SmartView Monitor open a Traffic view.
      The Select Gateway / Interface window opens.
   2. Select an object.
   3. Click OK.
   4. In the Results, right-click the bar in the chart (or the row in the report), that represents the source,
      destination, or other traffic property to block.
   5. Select Block Source.
      The Block Suspicious Activity window opens.
   6. Create the rule.
   7. Click Enforce.
For example:
Your corporate policy does not allow peer-to-peer file sharing, and you see it in the Traffic > Top P2P Users
results.
   1. Right-click the result bar and select Block Source.
      The SAM rule is set up automatically with the user IP address and the P2P_File_Sharing_
      Applications service.
   2. Click Enforce.
   3. For the next hour, while this traffic is dropped and logged, contact the user.
Managing Suspicious Activity Rules
The Enforced Suspicious Activity Rules window shows the currently enforced rules. If you add a rule that
conflicts with another rule, the conflicting rule remains hidden. For example, if you define a rule to drop http
traffic, and a rule exists to reject http traffic, only the drop rule shows.
sam_alert
Description
For SAM v1, this utility executes Suspicious Activity Monitoring (SAM) actions according to the information
received from the standard input.
For SAM v2, this utility executes Suspicious Activity Monitoring (SAM) actions with User Defined Alerts
mechanism.
For more information, see the R81.10 CLI Reference Guide - Chapter Security Management Server
Commands - Section sam_alert.
Configuring Alerts and Thresholds in SmartView Monitor
System Alerts and Thresholds
You can set thresholds for selected Security Gateways. When a threshold is passed, a system alert is sent.
To set System Alert thresholds:
  1. Open Gateways Status view.
  2. Right-click a network object and select Configure Thresholds.
      The Threshold Settings window opens.
  3. Set the thresholds for the selected object:
          n   Use global settings - All objects get the same thresholds for system alerts.
          n   None - The selected Security Gateway object does not have thresholds for system alerts.
          n   Custom - Change the thresholds for the selected object to be different than the global settings.
To change Global Threshold settings:
  1. In the Threshold Settings window, click Edit Global Settings.
      The Global Threshold Settings window opens.
  2. Select thresholds.
   3. In Action, select:
           n   none - No alert.
           n   log - Sends a log entry to the database.
           n   alert - Opens a pop-up window to your desktop.
           n   mail - Sends a mail alert to your Inbox.
           n   snmptrap - Sends an SNMP alert.
           n   useralert - Runs a script. Make sure a user-defined action is available (in SmartConsole, click
               Menu > Global properties > Log and Alert > Alert Commands).
To change custom threshold settings:
   1. In the Threshold Settings window, select Custom.
       The global threshold settings show.
   2. Select thresholds to enable for this Security Gateway or Cluster Member.
   3. Set defining values.
Working with SNMP Monitoring Thresholds
You can configure a variety of different SNMP thresholds that generate SNMP traps, or alerts. You can use
these thresholds to monitor many system components automatically without requesting information from
each object or device. The categories of thresholds that you can configure include:
   n   Hardware
   n   High Availability
   n   Networking
   n   Resources
   n   Log Server Connectivity
Some categories apply only to some machines or deployments.
In each category there are many individual thresholds that you can set. For example, the hardware category
includes alerts for the state of the RAID disk, the state of the temperature sensor, the state of the fan speed
sensor, and others. For each individual threshold, you can configure:
   n   If it is enabled or disabled
   n   How frequently alerts are sent
   n   The severity of the alert
   n   The threshold point (if necessary)
   n   Where the alerts are sent to
You can also configure some settings globally, such as how often alerts are sent and where they are sent
to.
Types of Alerts
   n   Active alerts are sent when a threshold point is passed or the status of a monitored component is
       problematic.
   n   Clear alerts are sent when the problem is resolved and the component has returned to its normal
       value. Clear alerts look like active alerts but the severity is set to 0.
Configuring SNMP Monitoring Thresholds
Configure the SNMP monitoring thresholds in the command line of the Security Management Server. When
you install the policy on the Security Gateways, the SNMP monitoring thresholds are applied globally to
these Security Gateways.
Configuring SNMP thresholds on a Multi-Domain Server
In a Multi-Domain Security Management environment, you can configure thresholds on the Multi-Domain
Server and on each individual Domain Management Server.
Thresholds that you configure on the Multi-Domain Server level are for the Multi-Domain Server only.
Thresholds that you configure for a Domain Management Server are for that Domain Management Server
and its managed Security Gateways. If a threshold applies to the Multi-Domain Server and the Security
Gateways managed by the Domain Management Server, set it on the Multi-Domain Server and Domain
Management Server. But in this situation you can only get alerts from the Multi-Domain Server if the
threshold is passed.
For example, because the Multi-Domain Server and Domain Management Server are on the same machine,
if the CPU threshold is passed, it applies to both of them. But only the Multi-Domain Server generates alerts.
You can see the Multi-Domain Security Management level for each threshold with the "threshold_config"
command.
   n   If the Multi-Domain Security Management level for a threshold is Multi-Domain Server:
       Alerts are generated for the Multi-Domain Server when the threshold point is passed.
   n   If the Multi-Domain Security Management level for a threshold is Multi-Domain Server and Domain
       Management Server:
       Alerts are generated for the Multi-Domain Server and Domain Management Servers separately when
       the threshold point is passed.
Configuring SNMP thresholds on Security Gateways
You can configure SNMP thresholds locally on a Security Gateway with the same procedure that you do on
a Security Management Server. But each time you install a policy on the Security Gateway, the local
settings are erased and it reverts to the global SNMP threshold settings.
You can use the "threshold_config" command to save the configuration file and load it again later.
The configuration file that you can back up is: $FWDIR/conf/thresholds.conf
For more information about the "threshold_config" command, see the R81.10 CLI Reference Guide.
Configuration Procedures
There is one primary command to configure the thresholds in the command line - threshold_config.
You must be in the Expert mode to run it. After you run the threshold_config command, follow the
on-screen instructions to make selections and configure the global settings and each threshold.
When you run threshold_config, you get these options:
   n   Show policy name - Shows you the name configured for the threshold policy.
   n   Set policy name - Lets you set a name for the threshold policy.
   n   Save policy - Lets you save the policy.
   n   Save policy to file - Lets you export the policy to a file.
   n   Load policy from file - Lets you import a threshold policy from a file.
   n   Configure global alert settings - Lets you configure global settings for how frequently alerts are sent
       and how many alerts are sent.
   n   Configure alert destinations - Lets you configure a location or locations where the SNMP alerts are
       sent.
   n   View thresholds overview - Shows a list of all thresholds that you can set including: the category of
       the threshold, if it is active or disabled, the threshold point (if relevant), and a short description of what
       it monitors.
   n   Configure thresholds - Opens the list of threshold categories to let you select thresholds to configure.
Configure Global Alert Settings
If you select Configure global alert settings, you can configure global settings for how frequently alerts are
sent and how many alerts are sent. You can configure these settings for each threshold. If a threshold does
not have its own alert settings, it uses the global settings by default.
You can configure these options:
   n   Enter Alert Repetitions - How many alerts are sent when an active alert is triggered. If you enter 0,
       alerts are sent until the problem is fixed.
   n   Enter Alert Repetitions Delay - How long the system waits between sending active alerts.
   n   Enter Clear Alert Repetitions - How many clear alerts are sent after a threshold returns to a regular
       value.
   n   Enter Clear Alert Repetitions Delay - How long the system waits between sending clear alerts.
Configure Alert Destinations
If you select Configure Alert Destinations, you can add and remove destinations for where the alerts are
sent. You can see a list of the configured destinations. A destination is usually an NMS (Network
Management System) or a Check Point Log Server.
After you enter the details for a destination, the CLI asks if the destination applies to all thresholds.
   n   If you enter yes, alerts for all thresholds are sent to that destination, unless you remove the
       destination from an individual threshold.
   n   If you enter no, no alerts are sent to that destination by default. But for each individual threshold, you
       can configure the destinations and you can add destinations that were not applied to all thresholds.
For each threshold, you can choose to which of the alert destinations its alerts are sent. If you do not define
alert destination settings for a threshold, it sends alerts to all of the destinations that you applied to all
thresholds.
For each alert destination enter:
   n   Name - An identifying name.
   n   IP - The IP address of the destination.
   n   Port - The port through which it is accessed.
   n   Ver - The version of SNMP that it uses.
   n   Other data - Some versions of SNMP require more data. Enter the data that is supplied for that
       SNMP version.
Configure Thresholds
If you select Configure thresholds, you see a list of the categories of thresholds, including:
   n   Hardware
   n   High Availability
   n   Networking
   n   Resources
   n   Log Server Connectivity
Some categories apply only to some machines or deployments. For example, Hardware applies only to
Check Point appliances and High Availability applies only to clusters or High Availability deployments.
Select a category to see the thresholds in it. Each threshold can have these options:
   n   Enable/Disable Threshold - If the threshold is enabled, the system sends alerts when there is a
       problem. If it is disabled it does not generate alerts.
   n   Set Severity - You can give each threshold a severity setting. The options are: Low, Medium, High,
       and Critical. The severity level shows in the alerts and in SmartView Monitor. It lets you know quickly
       how important the alert is.
   n   Set Repetitions - Set how frequently and how many alerts will be sent when the threshold is passed.
       If you do not configure this, it uses the global alert settings.
   n   Set Threshold Point - Enter the value that will cause active alerts when it is passed. Enter the
       number only, without a unit of measurement.
   n   Configure Alert Destinations - See all of the configured alert destinations. By default,
       active alerts and clear alerts are sent to the destinations. You can change this for each
       destination. When you select the destination, you see these options:
              l   Remove from destinations - If you select this, alerts for this threshold are not sent to the
                  selected destination.
              l   Add a destination - If you configured a destination in the global alert destinations but did not
                  apply it to all thresholds, you can add it to the threshold.
              l   Disable clear alerts - Clear alerts for this threshold are not sent to the selected
                  destination. Active alerts are sent.
                                                  Logging and Monitoring R81.10 Administration Guide      |      164
                                                              Configuring Alerts and Thresholds in SmartView Monitor
Completing the Configuration
  1. On the Security Management Server, install the policy on all Security Gateways.
  2. For a local Security Gateway threshold policy or a Multi-Domain Server environment, use
     the cpwd_admin utility to restart the CPD process:
         a. Run: cpwd_admin stop -name CPD -path "$CPDIR/bin/cpd_admin" -command "cpd_admin stop"
         b. Run: cpwd_admin start -name CPD -path "$CPDIR/bin/cpd" -command "cpd"
Monitoring SNMP Thresholds
You can see an overview of the SNMP thresholds that you configure in SmartView Monitor.
To see an overview of the SNMP thresholds:
  1. Open SmartView Monitor and select a Security Gateway.
  2. In the summary of the Security Gateway data that opens in the bottom pane, click System Information.
  3. In the new pane that opens, click Thresholds.
      In the pane that opens, you can see these details:
         - General Info - A summary of the SNMP Threshold policy.
             - Policy name - The name that you set for the policy in the CLI.
             - State - Whether the policy is enabled or disabled.
             - Thresholds - How many thresholds are enabled.
             - Active events - How many thresholds are currently sending alerts.
             - Generated Events - How many inactive thresholds became active since the policy
               was installed.
         - Active Events - Details for the thresholds that are currently sending alerts.
             - Name - The name of the alert (given in the CLI).
             - Category - The category of the alert (given in the CLI), for example, Hardware or
               Resources.
             - MIB object - The name of the object as recorded in the MIB file.
             - MIB object value - The value of the object when the threshold became active, as
               recorded in the MIB file.
             - State - The status of the object: active or clearing (it passed the threshold but is
               returning to its usual value).
             - Severity - The severity of that threshold, as you configured it in the CLI.
             - Activation time - When the alert was first sent.
         - Alert Destinations - A list of the destinations to which alerts are sent.
             - Name - The name of the location.
             - Type - The type of location. For example, a Log Server or NMS.
             - State - Whether logs are sent from the Security Gateway or Security Management Server to
               the destination machine.
             - Alert Count - How many alerts were sent to the destination since the policy
               started.
         - Errors - Shows thresholds that cannot be monitored.
           For example, the Security Gateway cannot monitor RAID sensors on a machine that does
           not have RAID sensors. Therefore, it shows an error for the RAID Sensor Threshold.
             - Threshold Name - The name of the threshold with an error.
             - Error - A description of the error.
             - Time of Error - When the error first occurred.
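The threshold options above (enable/disable, severity, threshold point, repetitions, per-destination delivery with "Disable clear alerts") and the General Info counters in the Thresholds pane (Active events, Generated Events) describe one alerting state machine. The Python model below is an added example, not Check Point code and not the threshold_config CLI; it shows how active and clear alerts are produced as samples cross a threshold point, and how the two counters are derived from that state. The destination names, the sample values, the "value > point" comparison and the reading of Repetitions as a count of active alerts per crossing are constructed assumptions for illustration.

```python
from dataclasses import dataclass
from typing import List, Tuple

# "Remove from destinations" is modelled by leaving a destination out of the
# threshold's list; "Disable clear alerts" by send_clear=False.
@dataclass
class Destination:
    name: str                 # constructed name, e.g. a Log Server or an NMS
    send_clear: bool = True   # False == "Disable clear alerts" for this threshold

@dataclass
class Threshold:
    name: str
    category: str             # Hardware, High Availability, Networking, Resources, ...
    severity: str             # Low, Medium, High or Critical
    point: float              # threshold point, number only (no unit)
    destinations: List[Destination]
    enabled: bool = True
    repetitions: int = 1      # assumption: active alerts sent per crossing
    active: bool = False      # runtime state, not configuration
    sent: int = 0             # active alerts sent since the threshold became active

@dataclass
class ThresholdPolicy:
    name: str
    thresholds: List[Threshold]
    generated_events: int = 0   # inactive -> active transitions since install

    def active_events(self) -> int:
        """'Active events' in General Info: thresholds currently alerting."""
        return sum(1 for t in self.thresholds if t.enabled and t.active)

    def sample(self, name: str, value: float) -> List[Tuple[str, str, str, str]]:
        """Feed one measured value to the named threshold and return the alerts
        that would be delivered as (destination, type, threshold, severity).
        Assumption: a threshold is passed when value > point; a free-space style
        threshold would reverse the comparison."""
        th = next(t for t in self.thresholds if t.name == name)
        alerts: List[Tuple[str, str, str, str]] = []
        if not th.enabled:                       # disabled: never generates alerts
            return alerts
        if value > th.point:
            if not th.active:                    # became active on this sample
                th.active, th.sent = True, 0
                self.generated_events += 1
            if th.sent < th.repetitions:         # repeat active alerts up to the limit
                th.sent += 1
                alerts += [(d.name, "active", th.name, th.severity) for d in th.destinations]
        elif th.active:                          # back under the point: clear alert
            th.active, th.sent = False, 0
            alerts += [(d.name, "clear", th.name, th.severity)
                       for d in th.destinations if d.send_clear]
        return alerts

def demo() -> Tuple[List[Tuple[str, str, str, str]], int, int]:
    """Constructed run: CPU usage samples against an 80 (%) Resources threshold."""
    log_server = Destination("LogServer")
    nms = Destination("NMS", send_clear=False)   # clear alerts disabled for the NMS
    policy = ThresholdPolicy("demo-policy", [
        Threshold("cpu_usage", "Resources", "High", 80, [log_server, nms], repetitions=2),
        Threshold("disabled_check", "Networking", "Low", 10, [log_server], enabled=False),
    ])
    alerts: List[Tuple[str, str, str, str]] = []
    for v in [50, 85, 90, 95, 40]:               # constructed CPU % samples
        alerts += policy.sample("cpu_usage", v)
    alerts += policy.sample("disabled_check", 99)  # disabled threshold stays silent
    return alerts, policy.active_events(), policy.generated_events
```

In the constructed run the threshold is passed at 85, two active alerts go to both destinations (repetitions=2), the third high sample is suppressed, and the clear alert at 40 reaches only the Log Server because the NMS has clear alerts disabled. Generated Events ends at 1 and Active events at 0, which is what the Thresholds pane would show after the value returned to normal.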
Customizing Results
You can create Custom Views, to change the fields that show in the results.
Editing a Custom View
The changes you make to a view are not automatically saved. You can use this procedure to save a
predefined view as a new Custom view.
To save a new view with changes:
  1. Right-click the results of the view and select Properties.
      Note - For some of the views, this option is View Properties or Query Properties.
  2. Add or remove fields and other options for the view.
  3. Click OK.
  4. For some of the views, select the Security Gateway.
  5. In the Results toolbar, click the Save View to Tree button.
  6. In the window that opens, enter a name for the new view.
  7. Click Save.
Creating a Custom Gateway Status View
To create a custom Gateway status view:
  1. In the Tree, right-click Custom and select New Gateways View.
      The Gateway Properties window opens.
  2. In Select available fields from, select the source of the data.
  3. In Available fields, double-click the data to add to SmartView Monitor.
  4. Open the Filter Gateways tab to remove Security Gateways from the results of this view.
  5. Click OK.
  6. Right-click the new Custom view and select Rename.
  7. Enter a name for the view.
Creating a Custom Traffic View
To create a custom traffic view:
  1. In the Tree, right-click Custom and select New Traffic View.
      The Query Properties window opens.
  2. Select History or Real Time.
  3. If you select Real Time, select what you want to see:
           - Interfaces
           - Services
           - IPs / Network Objects
           - QoS Rules
           - Security Rules
           - Connections
           - Tunnels
           - Virtual Links
           - Packet Size Distribution
  4. Select the Target Security Gateway.
         - If you often need results for one Security Gateway, select it in Specific Gateway.
         - If you have a small number of Security Gateways, you can create a custom view for each one.
         - If not, select Prompt for Gateway before run.
  5. Open the next tabs.
      The tabs that show depend on the Query Type you selected.
         - If you select History, the next tab is Traffic History, where you select the Time Frame and type
           of report.
         - If you select Real Time, the next tabs let you set services or objects to monitor, Security
           Gateways or specified IP addresses to monitor, update interval, result type, and chart settings.
  6. Click Save.
  7. Right-click the new Custom view and select Rename.
  8. Enter a name for the view.
Creating a Custom Counters View
To create a custom counters view:
  1. In the Tree, right-click Custom and select New Counters View.
      The Query Properties window opens.
  2. Select History or Real Time.
  3. Select the Target Security Gateway.
         - If results for one Security Gateway are frequently necessary, select it in Specific Gateway.
         - If you have a small number of Security Gateways, you can create a custom view for each one.
         - If not, select Prompt for Gateway before run.
  4. Open the Counters tab.
  5. Select a category and the counters to add.
      You can add counters from different categories to one view.
  6. In the Query Type:
         - If the Query Type is History: Select the Time Frame and click Save.
         - If the Query Type is Real Time:
                  a. Open the Settings tab.
                  b. Set the update interval and chart type.
                  c. Click Save.
  7. Right-click the new Custom view and select Rename.
  8. Enter a name for the view.
Creating a Custom Tunnel View
To create a custom tunnel view:
  1. In the SmartView Monitor client, select File > New > Tunnels View.
      The Query Properties window shows.
  2. Select Prompt on to generate a report about a specified Tunnel, Community or Gateway.
      Prompt on: When you run the view, you will be asked for the specified Tunnel, Community or Security
      Gateway, on which to base your view.
      Important - Do not select Prompt on if your view is not about one of these three.
  3. Select Show one record per tunnel or Show two records per tunnel.
      Show two records per tunnel shows a more accurate status because the report provides the status
      for the tunnels in both directions.
  4. In the Show column, select the filter to be related to this view.
  5. In the Filter column, click the corresponding Any(*) link.
   6. Select the related objects to edit the selected filters.
   7. Click the Advanced button.
   8. Set a limit in the Records limitation window for the number of lines that show in the report.
   9. Enter a record limitation.
 10. Click OK.
      A Tunnels view shows in the Custom branch of the Tree View.
 11. Enter the name of the new Tunnel view.
 12. Click Enter.
Creating a Custom Users View
To create a custom users view:
   1. In SmartView Monitor, select File > New > Users View.
      The Query Properties window shows.
   2. Select Prompt on to generate a user report about a specified user or Gateway.
      Prompt on: When you decide to run the view, you will be asked for the specified User DN or Security
      Gateway, on which to base your view.
      Important - Do not select Prompt on if your view is not about one of these two.
   3. In the Show column, select the filter to be related with this view.
   4. In the Filter column, click the corresponding Any(*) link.
   5. Select the related objects to edit the selected filters.
   6. Click the Advanced button to set a limit (in the Records limitation window) to the number of lines that
      show in the report.
   7. Enter a record limitation.
   8. Click OK.
      A Users view shows in the Custom branch of the Tree View.
   9. Enter a name for the new Users view.
 10. Click Enter.
Custom View Example
For example purposes, we create a real-time Traffic view for Services.
To create a real-time traffic view:
   1. Double-click the view to change and select the Security Gateway, for which you create the view.
   2. Select the View Properties button on the view toolbar.
      The Query Properties window shows.
   3. Select Real-Time.
      Real-Time provides information about currently monitored traffic or system counters.
   4. Select History for information that was logged before.
   5. Select the topic about which you want to create a Real-Time traffic view in the drop-down list
      provided. For this example, select Services.
      Note - The remaining tabs in the Query Properties window change according to the type of view you
      create and the selection you made in the Real-Time drop-down list.
   6. Select the Target of this Custom Traffic view.
      Target is the Security Gateway, for which you monitor traffic.
   7. Click the Monitor by Services tab.
   8. Select Specific Services and the Services for which you want to create a custom Traffic view.
   9. Click the Filter tab.
 10. Make the necessary selections.
 11. Click the Settings tab.
 12. Make the necessary selections.
 13. Click OK when you are done with your selections.
      The Select Gateway / Interface window shows.
 14. Select the Security Gateway or interface, for which you want to create or run this new view.
 15. Click the Save to Tree button on the toolbar.
 16. Enter a name for the new view.
 17. Click OK.
      The new view is saved in the Custom branch.
Exporting a Custom View
You can back up a custom view before you install an upgrade. You can share a custom view with other
SmartView Monitor GUI clients and other users.
To export a custom view:
   1. Right-click the view and select Export Properties.
   2. In the window that opens, enter a pathname for the export file.
   3. Click Save.
      A file with an svm_setting extension is created.
Setting Your Default View
You can set which view to see when SmartView Monitor starts.
In the Tree, right-click the view and select Run at Startup.
Refreshing Views
Results are automatically refreshed every 60 seconds.
To refresh the view earlier, right-click the view name in the Tree and select Run.
To refresh data about an object in the current view, right-click the object in the results and select Refresh.
Monitoring Security Gateway Status
This section describes how to monitor your Security Gateway status.
Gateway Status
Status updates show for Security Gateways and Software Blades. The Overall status of a Security Gateway
is the most important status of its Software Blades.
For example, if statuses of all the Software Blades are OK, except for the SmartEvent blade, which has a
Problem status, the Overall status is Problem.
 Status Icon      Description
 OK               The Security Gateway and all its Software Blades work properly.
 Attention        At least one Software Blade has a minor issue, but the Security Gateway works.
 Problem          At least one Software Blade reported a malfunction, or an enabled Software Blade is not installed.
 Waiting          SmartView Monitor waits for the Security Management Server to send data from Security Gateways.
 Disconnected     Cannot reach the Security Gateway.
 Untrusted        Cannot make Secure Internal Communication between the Security Management Server and the Security Gateway.
Displaying Gateway Data
Gateway Status data shows for each Check Point or OPSEC Gateway.
To see data about a gateway:
  1. Open Gateways Status and click All Gateways.
  2. Right-click the gateway name and select Gateway Details.
       The gateway status window opens and shows the IP address, version, and OS information.
  3. Click System Information to view the system data.
System Data
   - OS Information - The name, the version name/number, the build number, the service pack, and any
     additional information about the Operating System in use.
   - CPU - The specific CPU parameters (for example, Idle, User, Kernel, and Total) for each CPU.
     Note - In the Gateways Results view, the Average CPU indicates the average total CPU usage of all
     existing CPUs.
   - Memory - The total amount of virtual memory and what percentage of it is used; the total amount
     of real memory, what percentage of it is used, and the amount of real memory available for
     use.
   - Disk - Shows all the disk partitions and their specific details (for example, capacity, used, and free).
     Note - In the Gateways Results view, Disk Free shows the percentage/total of free space on the hard
     disk on which the Firewall is installed. For example, if there are two hard drives C and D and the
     Firewall is on C, the Disk Free percentage represents the free space on C and not D.
To view the status of Check Point applications on the local server or another appliance, use the cpstat
command. For more information, see the R81.10 CLI Reference Guide - Chapter Security Gateway
Commands - Section cpstat.
Firewall
   - Policy information - The name of the Security Policy installed on the Security Gateway, and the date
     and time that this policy was installed.
   - Packets - The number of packets accepted, dropped and logged by the Security Gateway.
   - UFP Cache performance - The hit ratio percentage and the total number of hits handled by the
     cache, the number of connections inspected by the UFP Server.
   - Hash Kernel Memory (the memory status) and System Kernel Memory (the OS memory) - The total
     amount of memory allocated and used. The total amount of memory blocks used. The number of
     memory allocations, and those allocation operations which failed. The number of times that the
     memory allocation freed up, or failed to free up. The NAT Cache, including the total amount of hits
     and misses.
Virtual Private Networks
The Virtual Private Networks (VPN) status is divided into these main values:
   - Current - the current value of the output (for example, the number of tunnels active now).
   - High Watermark - the maximum value that Current has reached.
   - Accumulative data - the total of the output over time.
This includes:
   - Active Tunnels - All types of active VPN peers to which there is currently an open IPsec tunnel. This
     is useful to track the activity level of the VPN Security Gateway. High Watermark includes the
     maximum number of VPN peers for which there was an open IPsec tunnel since the Security
     Gateway was restarted.
   - Remote Access - All types of Remote Access VPN users with which there is currently an open IPsec
     tunnel. This is useful to track the activity level and load patterns of VPN Security Gateways that serve
     as a remote access server. High Watermark includes the maximum number of Remote Access VPN
     users with which there was an open IPsec tunnel since the Security Gateway was restarted.
   - Tunnels Establishment Negotiation - The current rate of successful Phase I IKE Negotiations
     (measured in Negotiations per second). This is useful to track the activity level and load patterns of a
     VPN Gateway that serves as a remote access server. High Watermark includes the highest rate of
     successful Phase I IKE Negotiations since the Policy was installed (measured in Negotiations per
     second). Accumulative data includes the total number of successful Phase I IKE negotiations since
     the Policy was installed.
   - Failed - The current failure rate of Phase I IKE Negotiations. It can be used to troubleshoot problems
     (for instance, a denial of service) or a heavy load of VPN remote access connections. High Watermark
     includes the highest rate of failed Phase I IKE negotiations since the Policy was installed.
     Accumulative is the total number of failed Phase I IKE negotiations since the Policy was installed.
   - Concurrent - The current number of concurrent IKE negotiations. This is useful to track the behavior
     of VPN connection initiation, especially in large deployments of remote access VPN scenarios. High
     Watermark includes the maximum number of concurrent IKE negotiations since the Policy was
     installed.
   - Encrypted and Decrypted throughput - The current rate of encrypted or decrypted traffic (measured
     in Mbps). Encrypted or decrypted throughput is useful (in conjunction with encrypted or decrypted
     packet rate) to track VPN usage and VPN performance of the Security Gateway. High Watermark
     includes the maximum rate of encrypted or decrypted traffic (measured in Mbps) since the Security
     Gateway was restarted. Accumulative includes the total encrypted or decrypted traffic since the
     Security Gateway was restarted (measured in Mbps).
   - Encrypted and Decrypted packets - The current rate of encrypted or decrypted packets (measured
     in packets per second). Encrypted or decrypted packet rate is useful (in conjunction with
     encrypted/decrypted throughput) to track VPN usage and VPN performance of the Security Gateway.
     High Watermark includes the maximum rate of encrypted or decrypted packets since the Security
     Gateway was restarted, and Accumulative the total number of encrypted packets since the Security
     Gateway was restarted.
   - Encryption and Decryption errors - The current rate at which errors are encountered by the Security
     Gateway (measured in errors per second). This is useful to troubleshoot VPN connectivity issues.
     High Watermark includes the maximum rate at which errors are encountered by the Security Gateway
     (measured in errors per second) since the Security Gateway was restarted, and Accumulative the total
     number of errors encountered by the Security Gateway since the Security Gateway was restarted.
   - Hardware - The name of the VPN Accelerator Vendor, and the status of the Accelerator. General
     errors: the current rate at which VPN Accelerator general errors are encountered by the
     Security Gateway (measured in errors per second). High Watermark includes the maximum rate
     at which VPN Accelerator general errors are encountered by the Security Gateway (measured in
     errors per second) since the Security Gateway was restarted. Accumulative is the total number of
     VPN Accelerator general errors encountered by the Security Gateway since it was restarted.
   - IP Compression - Compressed/Decompressed packets statistics and errors.
QoS
   - Policy information - The name of the QoS Policy and the date and time that it was installed.
   - Number of interfaces - The number of interfaces on the Check Point QoS Security Gateway.
     Information about the interfaces applies to both inbound and outbound traffic. This includes the
     maximum and average amount of bytes that pass per second, and the total number of conversations,
     where conversations are active connections and connections that are anticipated as a result of prior
     inspection. Examples are data connections in FTP, and the "second half" of UDP connections.
   - Packet and Byte information - The number of packets and bytes in Check Point QoS queues.
ClusterXL
   - Gateway working mode - The working mode of the Security Gateway as a Cluster Member (Active or not),
     and its place in the priority sequence. Working modes are: ClusterXL, Load Sharing, Sync only.
     Running modes: Active, Standby, Ready, and Down.
   - Interfaces - Interfaces recognized by the Security Gateway. The interface data includes the IP
     Address and status of the specified interface, and whether the connection that passes through the
     interface is verified, trusted or shared.
   - Problem Notes - Descriptions of the problem notification device, such as its status, priority and when
     the status was last verified.
OPSEC
   - The version name or number, and build number of the Check Point OPSEC SDK and OPSEC
     product. The time (in seconds) since the OPSEC Gateway came up.
   - The OPSEC vendor can add fields to their OPSEC Application Gateway details.
Check Point Security Management
   - The synchronization status indicates the status of the peer Security Management Servers in relation
     to that of the selected Security Management Server. View this status in the Management High
     Availability Servers window, if you are connected to the Active or Standby Security Management
     Server. The possible synchronization statuses are:
       - Never been synchronized - Immediately after the Secondary Security Management Server
         was installed, it has not yet undergone the first manual synchronization. This synchronization
         brings it up to date with the Primary Management.
       - Synchronized - The peer is synchronized correctly and has the same database information
         and installed Security Policy.
       - Collision - The active Security Management Server and its peer have different installed
         policies and databases. The administrator must do manual synchronization and decide which
         of the Security Management Servers to overwrite.
   - Clients - The number of connected clients on the Security Management Server, the name of the
     SmartConsole, the administrator that manages the SmartConsole, the name of the SmartConsole
     host, the name of the locked database, and the type of SmartConsole application.
SmartEvent Correlation Unit and the SmartEvent Server
SmartView Monitor reads statuses from the SmartEvent Correlation Unit and SmartEvent Server.
SmartEvent Correlation Unit status examples:
   - Is the SmartEvent Correlation Unit active or inactive
   - Is the SmartEvent Correlation Unit connected to the SmartEvent Server
   - Is the SmartEvent Correlation Unit connected to the Log Server
   - SmartEvent Correlation Unit and Log Server connection status
   - Offline job status
   - Lack of disk space status
SmartEvent Server status examples:
   - Last handled event time
   - Is the SmartEvent Server active or inactive
   - A list of the SmartEvent Correlation Units the SmartEvent Server is connected to
   - How many events arrived in a specified time period
Connect the SmartEvent Correlation Unit to the Log Server to read logs. Connect it to the SmartEvent
Server to send events. If problems occur in the SmartEvent Correlation Unit connection to other
components (for example, SIC problems), the problems are reported in the SmartEvent Correlation Unit
status.
For the same reasons, the SmartEvent Server contains statuses that provide information about connections
to all SmartEvent Correlation Units.
Anti-Virus and URL Filtering
SmartView Monitor can now provide statuses and counters for Security Gateways with enabled Anti-Virus
and URL Filtering.
The statuses are divided into these categories:
   - Current Status
   - Update Status (for example, when the signature update was last checked)
Anti-Virus statuses are associated with signature checks and URL Filtering statuses are associated with
URLs and categories.
In addition, SmartView Monitor can now run Anti-Virus and URL Filtering counters.
For example:
   - Top five attacks in the last hour
   - Top 10 attacks since last reset
   - Top 10 HTTP attacks in the last hour
   - HTTP attacks general info
Multi-Domain Security Management
SmartView Monitor can be used to monitor Multi-Domain Servers. This information can be viewed in the
Gateway Status view. In this view you can see Multi-Domain Security Management counter information (for
example, CPU or Overall Status).
The 'cpstat' Command
Description
Displays the status and statistics information of Check Point applications.
Syntax
  cpstat [-d] [-h <Host>] [-p <Port>] [-s <SICname>] [-f <Flavor>] [-o <Polling Interval> [-c <Count>] [-e <Period>]] <Application Flag>
Note - You can write the parameters in the syntax in any order.
For more information, see the R81.10 CLI Reference Guide - Chapter Security Gateway Commands -
Section cpstat.
Starting and Stopping Cluster Members
To stop and start one member of a cluster from SmartView Monitor:
  1. Open a Gateway Status view.
  2. Right-click the cluster member and select Cluster Member > Start Member or Stop Member.
Monitoring VPN Tunnels
This section describes how to monitor VPN tunnels.
VPN Tunnels Solution
VPN Tunnels are secure links between gateways. These Tunnels ensure secure connections between
gateways of an organization and remote access clients.
When Tunnels are created and put to use, you can keep track of their normal function, so that possible
malfunctions and connectivity problems can be assessed and solved as soon as possible.
To ensure this security level, SmartView Monitor constantly monitors and analyzes the status of an
organization's Tunnels to recognize malfunctions and connectivity problems. With the use of Tunnel views,
you can generate fully detailed reports that include information about the Tunnels that fulfill the specific
Tunnel views conditions. With this information you can monitor Tunnel status, the Community with which a
Tunnel is associated, the gateways, to which the Tunnel is connected, and so on.
These are the Tunnel types:
   - A Regular tunnel refers to the ability to send encrypted data between two peers. The Regular tunnel
     is considered up if both peers have Phase 1 and Phase 2 keys.
   - Permanent tunnels are constantly kept active. As a result, it is easier to recognize malfunctions and
     connectivity problems. With Permanent tunnels administrators can monitor the two sides of a VPN
     tunnel and identify problems without delay.
     Permanent tunnels are constantly monitored. Therefore, each VPN tunnel in the community can be
     set as a Permanent tunnel. A log, alert or user defined action can be issued when the VPN tunnel is
     down.
     The configuration of Permanent tunnels takes place on the community level and:
       - Can be specified for an entire community. This option sets every VPN tunnel in the community
         as permanent.
       - Can be specified for a specific Security Gateway. Use this option to configure specific Security
         Gateways to have Permanent tunnels.
       - Can be specified for a single VPN tunnel. This feature allows you to configure specific tunnels
         between specific Security Gateways as permanent.
This table shows the possible Tunnel states and their significance to a Permanent or Regular Tunnel.
 State                    Permanent Tunnel                                                                Regular Tunnel
 Up                       The tunnel works and the data can flow with no problems.                        IKE SA (Phase 1) and IPsec SA (Phase 2) exist with a peer gateway.
 Destroyed                The tunnel is destroyed.                                                        The tunnel is destroyed.
 Up Phase1                Irrelevant.                                                                     Tunnel initialization is in process and Phase 1 is complete (that is, IKE SA exists with cookies), but there is no Phase 2.
 Down                     There is a tunnel failure. You cannot send and receive data to or from a remote peer.   Irrelevant.
 Up Init                  The tunnel is initialized.                                                      Irrelevant.
 Gateway not Responding   The Security Gateway is not responding.                                         The Security Gateway is not responding.
VPN Tunnel View Updates
If a Tunnel is deleted from SmartConsole, the Tunnel Results View shows the deleted Tunnel for an hour
after it was deleted.
If a community is edited, the Results View shows removed tunnels for an hour after they were removed from
the community.
Running VPN Tunnel Views
When a Tunnel view runs, the results show in the SmartView Monitor client.
A Tunnel view can run:
   -   From an existing view
   -   When you create a new view
   -   When you change an existing view
A Tunnels view can be created and run for:
   -   Down Permanent Tunnels
   -   Permanent Tunnels
   -   Tunnels on Community
   -   Tunnels on a Security Gateway
Run a Down Tunnel View
Down Tunnel view results list all the Tunnels that are currently not active.
To run a down tunnel view:
   1. In the SmartView Monitor, click the Tunnels branch in the Tree View.
   2. In the Tunnels branch (Custom or Predefined), double-click the Down Permanent Tunnel view.
       A list of all the Down Tunnels associated with the selected view properties shows.
Run a Permanent Tunnel View
Permanent Tunnel view results list all of the existing Permanent Tunnels and their current status.
A Permanent Tunnel is a Tunnel that is constantly kept active.
                                                 Logging and Monitoring R81.10 Administration Guide      |      179
                                                                                          Monitoring VPN Tunnels
To run a permanent tunnel view:
  1. In the SmartView Monitor client, click the Tunnels branch in the Tree View.
  2. In the Tunnels branch, double-click the Custom Permanent Tunnel view that you want to run.
      A list of the Permanent Tunnels related to the selected view properties shows.
Run a Tunnels on Community View
Tunnels on Community view results list all the Tunnels related to a selected Community.
To run a tunnels on community view:
  1. In the SmartView Monitor client, click the Tunnels branch in the Tree View.
  2. In the Tunnels branch (Custom or Predefined), double-click the Tunnels on Community view.
      A list of all Communities shows.
  3. Select the Community whose Tunnels you want to monitor.
  4. Click OK.
      A list of all the Tunnels related to the selected Community shows.
Run a Tunnels on Gateway View
Tunnels on Gateway view results list all of the Tunnels related to a selected Security Gateway.
To run a tunnels on Gateway view:
  1. In the SmartView Monitor client, click the Tunnels branch in the Tree View.
  2. In the Tunnels branch (Custom or Predefined), double-click the Tunnels on Gateway view.
      A list of the Security Gateways shows.
  3. Select the Security Gateway whose Tunnels and their status you want to see.
  4. Click OK.
      A list of the Tunnels related to the selected Security Gateway shows.
Monitoring Traffic or System Counters
This section describes how to monitor traffic or system counters.
Traffic or System Counters Solution
SmartView Monitor provides tools that enable you to monitor traffic related to specified network activities
and servers, as well as the status of activities and the hardware and software use of different Check Point
products in real time. With this knowledge you can:
   -   Block specified traffic.
   -   Control traffic flow on a Security Gateway.
   -   See how many tunnels are currently open, or the rate of new connections that pass through the VPN
       Gateway.
SmartView Monitor delivers a comprehensive solution to monitor and analyze network traffic and network
usage. You can generate fully detailed or summarized graphs and charts for all connections intercepted and
logged when you monitor traffic, and for numerous rates and figures when you count usage throughout the
network.
Traffic
Traffic Monitoring provides in-depth details on network traffic and activity. As a network administrator you
can generate traffic information to:
   -   Analyze network traffic patterns
       Network traffic patterns help administrators determine which services demand the most network
       resources.
   -   Audit and estimate costs of network use
       Monitoring traffic can provide information on how the use of network resources is divided among
       corporate users and departments. Reports that summarize customer use of services, bandwidth and
       time can provide a basis to estimate costs for each user or department.
   -   Identify the departments and users that generate the most traffic and the times of peak activity.
   -   Detect and monitor suspicious activity. Network administrators can produce graphs and charts that
       document blocked traffic, alerts, rejected connections, or failed authentication attempts to identify
       possible intrusion attempts.
A Traffic view can be created to monitor the Traffic types listed in the following table.
 Traffic Type         Explanation
 Services             Shows the current status view about Services used through the selected Security
                      Gateway.
 IPs/Network          Shows the current status view about active IPs/Network Objects through the selected
 Objects              Security Gateway.
 Security Rules       Shows the current status view about the most frequently used Access Control rules.
                      The Name column in the legend states the rule number as previously configured in
                      SmartConsole.
 Interfaces           Shows the current status view about the Interfaces associated with the selected
                      Security Gateway.
 Connections          Shows the current status view about current connections initiated through the
                      selected Security Gateway.
 Tunnels              Shows the current status view about the Tunnels associated with the selected
                      Security Gateway and their usage.
 Virtual Link         Shows the current traffic status view between two Security Gateways (for example,
                      Bandwidth, Bandwidth Loss, and Round Trip Time).
 Packet Size          Shows the current status view about packets according to the size of the packets.
 Distribution
 QoS                  Shows the current traffic level for each QoS rule.
                      Note - "Top QoS Rules" view in SmartView Monitor shows that almost all traffic
                      matches the "No Match" rule when SecureXL is enabled on the Security Gateway.
                      Refer to sk118720.
Traffic Legend Output
The values that you see in the legend depend on the Traffic view that you run.
All units in the view results show in configurable Intervals.
System Counters
Monitoring System Counters provides in-depth details about Check Point Software Blade usage and
activities. As a network administrator, you can generate system status information about:
   -   Resource usage for the variety of components associated with the Security Gateway. For example,
       the average use of real physical memory, the average percent of CPU time used by user applications,
       free disk space, and so on.
   -   Security Gateway performance statistics for a variety of Firewall components. For example, the
       average number of concurrent CVP sessions handled by the HTTP security server, the number of
       concurrent IKE negotiations, the number of new sessions handled by the SMTP security server, and
       so on.
   -   Detection and monitoring of suspicious activity. Network administrators can produce graphs and charts
       that document the number of alerts, rejected connections, or failed authentication attempts to identify
       possible intrusion attempts.
Select and Run a Traffic or System Counters View
When a Traffic or System Counters view runs, the results show in the SmartView Monitor client. A Traffic or
System Counter view can run:
   -   From an existing view
   -   When you create a new view
   -   When you change an existing view
To run a Traffic or System Counters view:
   1. In the SmartView Monitor client, select the Traffic or System Counter branch in the Tree View.
   2. Double-click the Traffic or System Counter view that you want to run.
       A list of available Security Gateways shows.
   3. Select the Security Gateway for which you want to run the selected Traffic or System Counter view.
   4. Click OK.
       The results of the selected view show in the SmartView Monitor client.
Recording a Traffic or Counter View
You can save a record of the Traffic or System Counter view results.
To record a traffic or counter view:
   1. Run the Traffic or System Counters view.
   2. Select the Traffic menu.
   3. Select Recording > Record.
       A Save As window shows.
   4. Name the record.
   5. Save it in the related directory.
   6. Click Save.
       The word Recording shows below the Traffic or Counter toolbar. The appearance of this word
       signifies that the view currently running is recorded and saved.
   7. To stop recording, open the Traffic menu and select Recording > Stop.
       A record of the view results is saved in the directory you selected in step 3 above.
Play the Results of a Recorded Traffic or Counter View
After you record a view, you can play it back. You can select Play, or Fast Play to see the results change faster.
To play the results:
   1. In the SmartView Monitor client, select Traffic > Recording > Play.
       The Select Recorded File window shows.
   2. Access the directory in which the recorded file is kept and select the related record.
   3. Click Open.
       The results of the selected recorded view start to run. The word Playing shows below the toolbar.
Pause or Stop the Results of a Recorded View that is Playing
   -   To pause the record, select Traffic > Recording > Pause.
   -   To resume playing the recorded Traffic or Counter view results, select Traffic > Recording > Play.
   -   To stop the record, select Traffic > Recording > Stop.
Monitoring Users
This section describes how to monitor users.
Users Solution
The User Monitor is an administrative feature. This feature lets you keep track of Endpoint Security VPN
users currently logged on to the specific Security Management Servers. The User Monitor provides you with
a comprehensive set of filters, which makes the view definition process user-friendly and highly efficient. It
lets you easily navigate through the obtained results.
With data on current open sessions, overlapping sessions, route traffic, connection time, and more, the User
Monitor gives detailed information about the connectivity experience of remote users. This SmartView Monitor
feature lets you view real-time statistics about open remote access sessions.
If specific data are irrelevant for a given User, the column shows N/A for the User.
Run a Users View
When a Users view runs, the results show in the SmartView Monitor client. A Users view can run:
   -   From an existing view
   -   When you create a new view
   -   When you change an existing view
A Users view can be created and run for:
   -   One user
   -   All users
   -   A specific Security Gateway
   -   Mobile Access users
Run a User View for a Specified User
To run a user view for a specified user:
   1. In SmartView Monitor > Tree View, click Users.
   2. Click Get User by Name.
       The User DN Filter window opens.
   3. Enter the specified User DN in the area provided.
   4. Click OK.
       The view results show in the Results View.
Run a User View for all Users or Mobile Access Users
To run a user view for all users or Mobile Access users:
  1. In SmartView Monitor > Tree View, click Users.
  2. Click All Users or Mobile Access Users.
      The view results show in the Results View.
Run a User View for a Specified Security Gateway
To run a user view for a specified Security Gateway:
  1. In SmartView Monitor > Tree View, click Users.
  2. Click Users by Gateway.
      The Select Gateway window shows.
  3. Select the Security Gateway for which you want to run the view.
  4. Click OK.
      The view results show in the Results View.
Cooperative Enforcement Solution
Cooperative Enforcement works with Check Point Endpoint Security Management Servers. This
feature uses the Endpoint Security Management Server compliance function to check the connections
that come from different hosts across the internal network.
Endpoint Security Management Server is a centrally managed, multi-layered endpoint security solution that
employs policy-based security enforcement for internal and remote PCs. The Endpoint Security
Management Server mitigates the risk of hackers, worms, spyware, and other security threats.
Features such as policy templates and application privilege controls enable administrators to easily
develop, manage, and enforce Cooperative Enforcement.
With Cooperative Enforcement, a host that initiates a connection through a Security Gateway is tested for
compliance. This increases the integrity of the network because it prevents hosts with malicious software
components from accessing the network.
Cooperative Enforcement acts as a middle-man between hosts managed by an Endpoint Security
Management Server and the Endpoint Security Management Server itself. It relies on the Endpoint Security
Management Server compliance feature. It determines whether a host is secure and can block connections
that do not meet the defined prerequisites of software components.
       [Figure: Cooperative Enforcement flow, showing Unauthorized and Authorized connections between the client (A), internal network (B), internet (C), Security Gateway (D) and Endpoint Security Management Server (E).]
   1. The Endpoint Security client (A) in the internal network (B) opens a connection to the internet (C)
      through a Security Gateway (D).
   2. Cooperative Enforcement starts to work on the first server's reply to the client.
   3. The Security Gateway sees the client's compliance in its tables and queries the Endpoint Security
      Management Server (E).
   4. When a reply is received, a connection from a compliant host to the internet is allowed.
      If the client is non-compliant and Cooperative Enforcement is not in Monitor-only mode, the
      connection is closed.
NAT Environments
Cooperative Enforcement is not supported in all NAT configurations.
For Cooperative Enforcement to work in a NAT environment, the Security Gateway and the Endpoint
Security Management Server must see the same IP address for a client. If NAT causes the IP address
received by the Security Gateway to be different from the IP address received by the Endpoint Security
Management Server, Cooperative Enforcement does not work.
Configuring Cooperative Enforcement
To configure Cooperative Enforcement:
From the Security Gateway's Cooperative Enforcement page, click Authorize clients using Endpoint
Security Server to enable Cooperative Enforcement.
   -   Monitor Only - The Security Gateway requests authorization from the Endpoint Security Management
       Server, but connections are not dropped. Hosts can connect while the Security Gateway grants
       authorization. The Security Gateway generates logs for unauthorized hosts. You can add
       unauthorized hosts to the host's exception list or make those hosts compliant in other ways.
       If Monitor Only is not selected, Cooperative Enforcement works in Enforcement mode. The Endpoint
       Security Firewall blocks non-compliant host connections. For HTTP connections, the client is notified
       that its host is non-compliant. The user can change the computer to make it compliant. For example,
       the user can upgrade the version of the Endpoint Security client.
   -   Track unauthorized client status - Set a log or alert option for the hosts that would be dropped if not
       in Monitor Only mode.
   -   In the Endpoint Security Server Selection section, select which Endpoint Security Management
       Server is used:
           -   To use this machine, select Use Endpoint Security Server installed on this machine.
           -   To use another machine, select a server from Select Endpoint Security Server. Click New to
               create a new server.
   -   In the Client Authorization section, define exceptions for client authorization.
           -   Check authorization of all clients - Get authorization from all clients.
           -   Bypass authorization of the following clients - Allow clients in the selected groups to always
               connect, without authorization inspection. All other clients are inspected.
           -   Check authorization only of the following clients - Inspect authorization of clients from the
               selected groups. All other clients bypass authorization.
Non-Compliant Hosts by Gateway View
The Non-Compliant Hosts by Gateway view lets you see Host IP addresses by Endpoint Security
Management Server compliance:
   -   Authorized - Enables access to the internet. If a Security Gateway has Authorized status, it does not
       show in the Non-Compliant Hosts by Gateway view.
   -   Unauthorized - The Endpoint Security client is not compliant and the host is not authorized.
           -   Monitor Only mode - The Endpoint Security client has access to the internet, authorized or not.
           -   Blocked mode - Blocks access to the internet.
   -   No Endpoint Security client - The Security Gateway is not related to an Endpoint Security client.
Third-Party Log Formats
You can import these third-party log formats to a Check Point Log Server:
   -   Syslog messages.
   -   Windows Events.
   -   SNMP Traps.
The Log Server converts the third-party log messages to a Check Point log. The log is then available for
further analysis by SmartEvent.
Importing Syslog Messages
Many third-party devices use the syslog format for logging. The Log Server reformats the raw data to the
Check Point log format to process third-party syslog messages.
The Log Server uses a syslog parser to convert syslog messages to the Check Point log format.
To import syslog messages, define your own syslog parser and install it on the Log Server.
SmartEvent can take the reformatted logs and convert them into security events.
Generating a Syslog Parser and Importing syslog Messages
To import syslog messages from products and vendors that are not supported out-of-the-box, see sk55020.
This shows you how to:
   1. Import some sample syslog messages to the Log Parsing Editor.
   2. Define the mapping between syslog fields and the Check Point log fields.
   3. Install the syslog parser on the Log Server.
After you imported the syslog messages to the Log Server, you can see them in SmartConsole, in the Logs
& Monitor > Logs tab.
Note - Make sure that Access Control rules allow ELA traffic between the Syslog computer and the Log
Server.
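The two steps that sk55020 walks through in the Log Parsing Editor, splitting a syslog message into fields and mapping those fields onto Check Point log fields, shown as an added Python illustration. This is not Check Point's parser or its definition format; the device name, its key=value message layout, the field mapping and the sample lines are all constructed for the example, and the Product Name value is chosen by the parser author.

```python
import re
from datetime import datetime

# Added illustration only: this is not the Check Point Log Parsing Editor format
# described in sk55020. It shows the two parsing steps in plain Python: split an
# RFC 3164 syslog line into its header and key=value fields, then map those
# fields onto Check Point-style log field names.

SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"                                   # PRI = facility*8 + severity
    r"(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "    # e.g. "Jan 13 10:15:42"
    r"(?P<host>\S+) "                                        # sending host
    r"(?P<tag>[^:\[ ]+)(?:\[(?P<pid>\d+)\])?: "              # "tag[pid]: "
    r"(?P<msg>.*)$"
)
# Message body of the hypothetical device is key=value pairs (quoted values allowed).
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

SEVERITY_NAMES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# Hypothetical device field name -> Check Point log field name (assumed mapping).
FIELD_MAP = {"srcip": "src", "dstip": "dst", "dport": "service", "act": "action", "proto": "proto"}
# Normalise the device's action vocabulary to Check Point's accept/drop.
ACTION_MAP = {"allow": "accept", "permit": "accept", "deny": "drop", "block": "drop"}


def parse_syslog(line: str, year: int = 2022) -> dict:
    """Split one RFC 3164 syslog line; the year is not in the message, so it is a parameter."""
    m = SYSLOG_RE.match(line)
    if not m:
        raise ValueError(f"not an RFC 3164 syslog line: {line!r}")
    pri = int(m.group("pri"))
    return {
        "facility": pri >> 3,
        "severity": SEVERITY_NAMES[pri & 7],
        "time": datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S"),
        "host": m.group("host"),
        "tag": m.group("tag"),
        "kv": {k: v.strip('"') for k, v in KV_RE.findall(m.group("msg"))},
    }


def to_checkpoint_log(line: str, product_name: str) -> dict:
    """Map a parsed syslog line onto a flat Check Point-style record.

    product_name becomes the Product Name field that, as the guide notes,
    uniquely identifies the events created from these syslog messages.
    """
    rec = parse_syslog(line)
    cp = {
        "product": product_name,
        "origin": rec["host"],
        "time": rec["time"].isoformat(),
        "syslog_facility": rec["facility"],
        "syslog_severity": rec["severity"],
    }
    for key, value in rec["kv"].items():
        cp[FIELD_MAP.get(key, key)] = value      # unmapped keys keep their own name
    if "action" in cp:
        cp["action"] = ACTION_MAP.get(cp["action"].lower(), cp["action"])
    return cp


# Constructed sample lines, not output of any real product.
SAMPLE_LINES = [
    "<134>Jan 13 10:15:42 edge-fw01 fwd[2231]: act=deny srcip=203.0.113.7 dstip=10.0.0.5 dport=22 proto=tcp",
    "<132>Jan 13 10:15:43 edge-fw01 fwd[2231]: act=allow srcip=10.0.0.5 dstip=198.51.100.9 dport=443 proto=tcp",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(to_checkpoint_log(line, "ExampleVendor Firewall"))
```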
Configuring SmartEvent to Read Imported Syslog Messages
After you imported the syslog messages to the Log Server, you can forward them to SmartEvent Server
(and other OPSEC LEA clients), as other Check Point logs. SmartEvent converts the syslog messages into
security events.
To configure the SmartEvent Server to read logs from this Log Server:
   1. Configure SmartEvent to read logs from the Log Server.
   2. In SmartEvent or in the SmartConsole event views, make a query to filter by the Product Name field.
      This field uniquely identifies the events that are created from the syslog messages.
Importing Windows Events
Check Point Windows Event Service is a Windows service application. It reads events from the Windows
server and other configured Windows computers, converts them to Check Point logs, and places the data in
the Check Point Log Server. The Log Server processes this data. The process can only be installed on a
Windows computer, but it does not have to be the computer that runs Log Server. Therefore, Windows
events can be processed even if the Log Server is installed on a different platform.
How Windows Event Service Works
To convert Windows events into Check Point logs:
  1. Download the Windows Event Service agent WinEventToCPLog from the Check Point Support
     Center.
  2. Install the service agent on a Windows server.
       An administrator user name and password are necessary. The administrator name is one of these:
          -   A domain administrator responsible for the endpoint computer
          -   A local administrator on the endpoint computer
  3. Create SIC between the Windows server and the management.
  4. Configure the Windows server to collect Windows events from required computers.
Administrator Support for WinEventToCPLog
WinEventToCPLog uses Microsoft APIs to read events from Windows operating system event files. To see
these files, use the Windows Event Viewer.
WinEventToCPLog can read event files on the local machine, and can read log files from remote machines
with the right privileges. This is useful when you make a central WinEventToCPLog server that forwards
events from multiple Windows hosts to a Check Point Log Server.
To set the privileges, run "WinEventToCPLog -s" to specify an administrator login and password.
These are the ways to access the files on a remote machine:
   -   Define a local administrator on the remote machine whose name matches the name registered
       with WinEventToCPLog.
   -   Define the administrator registered with WinEventToCPLog as an administrator in the domain.
       This administrator can access all of the machines in the domain.
Sending Windows Events to the Log Server
This section describes how to send Windows events to the Log Server. For advanced Windows event
configuration, see sk98861.
Creating an OPSEC Object for Windows Event Service
In SmartConsole, create an OPSEC object for Windows Event Service.
To create an OPSEC object for Windows Event Service:
  1. From the Object Explorer, click New > Server > OPSEC Application > Application.
      The OPSEC Applications Properties window shows.
  2. Enter the name of the application that sends log files to the Log Server.
  3. Click New to create a Host.
  4. Enter an object name and the IP address of the machine that runs WinEventToCPLog.
  5. Click OK.
  6. Below Client Entities, select ELA.
  7. Select Communication.
  8. Enter an Activation Key, enter it again in the confirmation line, and keep a record of it for later use.
  9. Click Initialize.
      The system must report the trust status as Initialized but trust not established.
 10. Click Close.
 11. Click OK.
 12. Publish the SmartConsole session.
Note - Make sure that Access Control rules allow ELA traffic between the Windows computer and the Log
Server.
Configuring the Windows service
On the Windows host, configure the Windows service to send logs to the Log Server.
To configure the Windows service:
  1. Install the WinEventToCPLog package from the Check Point Support Center.
  2. When the installation completes, restart the computer.
  3. Open a command prompt window and go to this location:
         -   On Windows 32-bit:
             C:\Program Files\CheckPoint\WinEventToCPLog\R65\bin\
         -   On Windows 64-bit:
             C:\Program Files (x86)\CheckPoint\WinEventToCPLog\R65\bin\
  4. Pull the certificate.
              a. Run:
                 windowEventToCPLog -pull_cert
              b. Enter the IP address of the management server.
              c. Enter the name of the corresponding OPSEC Application object that you created in
                 SmartConsole for the Windows events.
              d. Enter the Activation Key of the OPSEC object.
   5. Restart the Check Point Windows Event Service.
Establishing Trust
Establish trust between the Security Management Server and the Windows host.
To establish trust:
   1. Edit the OPSEC Application that you created in SmartConsole for the Windows events.
   2. Select Communication.
   3. Make sure that the trust status is Trust Established.
   4. Publish the SmartConsole session.
Configuring the Windows Audit Policy
On each machine that sends Windows Events, configure the Windows Audit Policy.
To configure the Windows Audit Policy:
   1. From the Start menu, click Settings > Control Panel.
   2. Click Administrative Tools > Local Security Policy > Local Policies > Audit Policy.
   3. Make sure that the Security Setting for the Policy Audit Logon Events is set to Failure. If not, double-
      click it and select Failure.
   4. Open a command prompt window and go to this path:
          -   On Windows 32-bit:
              C:\Program Files\CheckPoint\WinEventToCPLog\R65\bin\
          -   On Windows 64-bit:
              C:\Program Files (x86)\CheckPoint\WinEventToCPLog\R65\bin\
   5. Run these commands:
      windowEventToCPLog -l <ipaddr>, where <ipaddr> is the IP address of the Log Server that
      receives the Windows Events.
      windowEventToCPLog -a <ipaddr>, where <ipaddr> is the IP address of each machine that sends
      Windows Events.
      windowEventToCPLog -s, where you are prompted for the administrator name and password that
      are to be registered with the windowEventToCPLog service.
      The administrator that runs the windowEventToCPLog service must have permissions to access and
      read logs from the IP addresses defined in this procedure. These are the IP addresses of the
      computers that send Windows events.
  6. When you configure windowEventToCPLog to read Windows events from a remote machine, log in
     as the administrator. This makes sure that the administrator can access remote computer events.
  7. Use the Microsoft Event Viewer to read the events from the remote machine.
Working with SNMP
SNMP (Simple Network Management Protocol) is an internet standard protocol. SNMP is used to send
management data, as protocol data units (PDUs), to and from network devices. SNMP-compliant devices,
called agents, keep data about themselves in Management Information Bases (MIBs) and return this data to
the SNMP requesters.
For more information, see R81.10 Gaia Administration Guide > Chapter System Management
> Section SNMP.
Log Exporter
Overview
Check Point Log Exporter is an easy and secure method to export Check Point logs over the syslog protocol
from a Management Server / Log Server.
You can configure the Log Exporter settings in SmartConsole or with CLI commands.
You can configure advanced settings in various configuration files.
Log Exporter supports:
   -   Multiple SIEM applications that can run a Syslog agent.
   -   Syslog over TCP or UDP.
   -   Multiple formats (Syslog, CEF, LEEF, JSON, and so on).
   -   Mutual authentication based on TLS 1.2.
   -   Export of Security logs, Audit logs, or both.
   -   Export of links to the relevant log card in SmartView and the log attachment (such as Forensics /
       Threat Emulation report).
   -   Filtering of logs.
Log Exporter is constantly updated. For the most up-to-date information about the supported versions and
applications, see:
   -   sk122323 - Log Exporter - Check Point Log Export
   -   sk144192 - Log Fields Description
          Note - The Check Point App for Splunk uses the Log Exporter to seamlessly send logs
          from your Check Point Log Server to your Splunk server. This enables you to collect and
          analyze millions of logs from all Check Point technologies and platforms. For more
          information, see the App for Splunk User Guide.
How Log Exporter Works
Log Exporter is a multi-threaded daemon service which runs on a log server. The Log Exporter daemon
reads each log, transforms it into the desired format and mapping, and sends it to the configured target.
On Multi-Domain Server / Multi-Domain Log Server, if Log Exporter is deployed on several Domains, each
Domain Server has its own Log Exporter daemon service. If you export the logs to several targets, each
target has its own Log Exporter daemon.
Log Exporter is implemented as the "E-T-L" procedure:
   -   Extract - Reads the incoming Security Gateway logs from the Log Server / SmartEvent Server on
       which it runs (that is, from itself).
   -   Transform - Changes the logs according to the configuration.
   -   Export - Sends the logs to the configured target server.
Log Exporter stops exporting when it is disconnected from the 3rd party server and remembers the last
position exported. After the connection is established again, Log Exporter automatically resumes exporting
logs from the last known position. Log Exporter exports online logs and offline logs (if any) in parallel. If the
3rd party server is slow, Log Exporter reduces the offline exporting rate to prioritize the online logs over the
offline logs.
Configuring Log Exporter in SmartConsole
Starting in R81, you can configure a Log Exporter directly from SmartConsole and link it to the relevant Log
Servers.
Procedure:
   1. Create a new Log Exporter/SIEM object in SmartConsole.
             a. Click Objects > More object types > Server > Log Exporter/SIEM.
             b. Configure all relevant settings:
                    i. Enter the Object Name. This is the name of the new Log Exporter.
                    ii. In the General section, enter the Target Server, Target Port, and Protocol.
                   iii. In the Data Manipulation section (optional):
                            n    Select the format for the exported logs.
                            n    Update logs contain only the data that changed compared to the last log for
                                 the same event. To export all logs with the full data, select Aggregate log
                                 updates before export.
                   iv. Attachment (optional): Log Exporter does not include attachments by default.
                       Select one or more options to configure the log attachments:
                            n    Add link to Log Attachment in SmartView.
                            n    Add Log Attachment ID.
             c. Click OK.
   2. Configure the Management Server or Dedicated Log Server object.
             a. From the left navigation panel, go to the Gateways & Servers view.
             b. Open the Management Server or Dedicated Log Server object.
             c. From the left tree, click Logs > Export.
             d. Click [+] and select the Log Exporter / SIEM object you configured earlier.
             e. Click OK.
   3. Install the database.
             a. Click Menu > Install database.
             b. Select all objects.
             c. Click Install.
                    Important in a Multi-Domain Server environment - If you configured Log
                    Exporter object(s) in the Global Domain and assigned Global Policy, you must
                    install the database in SmartConsole connected to the applicable Domain
                    Management Server.
After you upgrade to a new version, you must:
  1. Connect to the command line on the Log Server configured with Log Exporter and run this command:
       cp_log_export reconf
  2. In SmartConsole, click Menu > Install database > select all objects > click Install.
Notes:
   n   An existing Log Exporter configured in a previous version retains its configuration, but does not show
       in SmartConsole unless it is reconfigured.
   n   If you configure a Log Exporter object in SmartConsole with the same name as an existing Log
       Exporter configured in a previous version, the new Log Exporter overrides the existing exporter
       configuration (other than filtering and TLS configurations).
Configuring Log Exporter in CLI
This section describes the Expert mode CLI commands to configure the Log Exporter settings.
Log Exporter Basic Configuration in CLI
Common method for creating and modifying Log Exporter targets.
To configure a new target for the exported logs:
  1. Connect to the command line on the Management Server / Log Server.
  2. Log in to the Expert mode.
  3. Configure the Log Exporter settings:
        cp_log_export add name <Name of Log Exporter Configuration>
            [domain-server <Name or IP address of Domain Server>]
            target-server <HostName or IP address of Target Server>
            target-port <Port on Target Server> protocol {udp | tcp}
            format {syslog | splunk | cef | leef | generic | json | logrhythm | rsa}
            [--apply-now] [<Other Optional Arguments>]
      Parameters:
       name <Name of Log Exporter Configuration>
           Configures the name of the Log Exporter configuration directory in $EXPORTERDIR/targets/
       domain-server <Name or IP address of Domain Server>
           On a Multi-Domain Server / Multi-Domain Log Server, specifies the Domain Management Server /
           Domain Log Server. This parameter is mandatory.
              n   Use mds as the value to export Audit logs from the MDS level.
              n   Use all as the value to configure the Log Exporter instance on every Domain.
       target-server <HostName or IP address of Target Server>
           Configures the target server, to which Log Exporter sends the exported logs.
           You can enter an IP address or an FQDN.
       target-port <Port on Target Server>
           Configures the listening port on the target server, to which Log Exporter sends the exported logs.
       protocol {udp | tcp}
           Configures the Layer 4 protocol for Syslog traffic - TCP or UDP.
       format {...}
           Configures the format of exported logs:
              n   syslog - Syslog
              n   splunk - Splunk
              n   cef - CEF (default)
              n   leef - LEEF
              n   generic - Generic
              n   json - JSON
              n   logrhythm - LogRhythm
              n   rsa - RSA
       --apply-now
           Optional. Automatically starts the new Log Exporter instance with the new settings.
           If you do not use this parameter, you must start the new Log Exporter instance manually with
           this command:
             cp_log_export restart
       <Other Optional Arguments>
           Optional. See sk122323.
 Important - By default, Log Exporter sends the exported logs in clear text. To send the
 exported logs over an encrypted connection, see "Log Exporter TLS Configuration" on
 page 207.
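The wrapper below is an added example and not a Check Point tool. It assembles the "cp_log_export add" command line documented above and validates the arguments first, so that a wrong port, an unsupported protocol or format, or a missing certificate file when encryption is requested fails on the spot instead of leaving a half-configured exporter; the only argument values it knows are the ones listed in this section. The "lx_" names and the LX_DOMAIN variable are this example's own.

```shell
#!/bin/sh
# Added example; not part of the Check Point guide or product. Builds the
# "cp_log_export add" command and checks its arguments before you run it.
# Function/variable names prefixed "lx_" / "LX_" are constructed for this example.

# lx_build_add_cmd NAME TARGET_SERVER TARGET_PORT PROTOCOL FORMAT [CA_PEM CLIENT_P12 CLIENT_SECRET]
# Prints the command to run on success. Returns 1 with a message on stderr on
# the first invalid argument. Set LX_DOMAIN to add "domain-server <value>" on a
# Multi-Domain Server / Multi-Domain Log Server, where that argument is mandatory.
lx_build_add_cmd() {
    name=$1 target=$2 port=$3 proto=$4 fmt=$5
    ca=${6:-} p12=${7:-} secret=${8:-}

    # The name becomes a directory under $EXPORTERDIR/targets/, so this script
    # (its own restriction) only accepts characters that are safe in a path.
    case $name in
        ''|*[!A-Za-z0-9_.-]*) echo "lx: invalid exporter name '$name'" >&2; return 1 ;;
    esac
    case $port in
        ''|*[!0-9]*) echo "lx: target-port must be numeric, got '$port'" >&2; return 1 ;;
    esac
    if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
        echo "lx: target-port out of range: $port" >&2; return 1
    fi
    case $proto in
        udp|tcp) ;;
        *) echo "lx: protocol must be udp or tcp, got '$proto'" >&2; return 1 ;;
    esac
    case $fmt in
        syslog|splunk|cef|leef|generic|json|logrhythm|rsa) ;;
        *) echo "lx: unsupported format '$fmt'" >&2; return 1 ;;
    esac

    cmd="cp_log_export add name $name"
    if [ -n "${LX_DOMAIN:-}" ]; then
        cmd="$cmd domain-server $LX_DOMAIN"
    fi
    cmd="$cmd target-server $target target-port $port protocol $proto format $fmt"

    if [ -n "$ca$p12$secret" ]; then
        # Encryption requested: all three values are needed, and both certificate
        # files must exist and be readable (the "chmod +r" step of the TLS section).
        for f in "$ca" "$p12"; do
            [ -n "$f" ] && [ -r "$f" ] || {
                echo "lx: certificate file missing or unreadable: '$f'" >&2; return 1; }
        done
        [ -n "$secret" ] || { echo "lx: client-secret (P12 challenge phrase) is required" >&2; return 1; }
        cmd="$cmd encrypted true ca-cert $ca client-cert $p12 client-secret $secret"
    else
        # Default behaviour of Log Exporter: the logs leave the server unencrypted.
        echo "lx: warning: no certificates given, logs will be exported in clear text" >&2
    fi
    printf '%s\n' "$cmd"
}
```

The printed command still needs --apply-now or a following "cp_log_export restart" for the instance to start, exactly as the parameter table says. Note that a client-secret passed on the command line ends up in the shell history; the TLS section's procedure of placing the challenge phrase in targetConfiguration.xml avoids that.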
Log Exporter Advanced Configuration in CLI
Advanced method for creating and modifying Log Exporter targets.
Syntax:
 cp_log_export <Command-Name> [<Command-Arguments>]
To see a built-in help for a specific command:
 cp_log_export <Command-Name> help
Commands
 Name             Description
 add              Deploy a new Check Point Log Exporter.
 delete           Remove an existing Log Exporter.
 reexport         Reset the current position and export all logs again based on the configuration.
 restart          Restart a Log Exporter process.
 set              Update an existing Log Exporter configuration.
 show             Print the current Log Exporter configuration.
 start            Start an existing Log Exporter process.
 status           Show a Log Exporter overview status.
 stop             Stop an existing Log Exporter process.
Command Arguments
For each argument, the list below states whether it is Mandatory, Optional or N/A (not applicable) for
the "add" command, the "set" command, the "delete" command, the "show", "status", "start", "stop" and
"restart" commands, and the "reexport" command.
 --apply-now
     Applies immediately any change that was made.
     add: Optional | set: Optional | delete: Mandatory | show/status/start/stop/restart: N/A | reexport: Mandatory
 ca-cert
     Full path to the CA certificate file *.pem.
     Applicable only when the value of the "encrypted" argument is "true".
     add: Optional | set: Optional | delete: N/A | show/status/start/stop/restart: N/A | reexport: N/A
 client-cert
     Full path to the client certificate *.p12.
     Applicable only when the value of the "encrypted" argument is "true".
     add: Optional | set: Optional | delete: N/A | show/status/start/stop/restart: N/A | reexport: N/A
 client-secret
     The challenge phrase used to create the client certificate *.p12.
     Applicable only when the value of the "encrypted" argument is "true".
     add: Optional | set: Optional | delete: N/A | show/status/start/stop/restart: N/A | reexport: N/A
 domain-server
     The name or IP address of the applicable Domain Management Server or Domain Log Server.
     add: Mandatory | set: Mandatory | delete: Mandatory | show/status/start/stop/restart: Optional (by default,
     applies to all) | reexport: Mandatory
 enabled
     Allow the Log Exporter to start when you run the "cpstart" or "mdsstart" command.
     add: Optional | set: Optional | delete: N/A | show/status/start/stop/restart: N/A | reexport: N/A
 encrypted
     Use TLS (SSL) encryption to send the logs.
     add: Optional | set: Optional | delete: N/A | show/status/start/stop/restart: N/A | reexport: N/A
 export-attachment-ids
     Add a field to the exported log that represents the ID of the log's attachment (if it exists).
     add: Optional | set: Optional | delete: N/A | show/status/start/stop/restart: N/A | reexport: N/A
 export-attachment-link
     Add a field to the exported log that represents a link to SmartView that shows the log card and
     automatically opens the attachment.
     add: Optional | set: Optional | delete: N/A | show/status/start/stop/restart: N/A | reexport: N/A
 export-link
     Add a field to the exported log that represents a link to SmartView that shows the log card.
     add: Optional | set: Optional | delete: N/A | show/status/start/stop/restart: N/A | reexport: N/A
 export-link-ip
     Make the links to SmartView use a custom IP address (for example, for a Log Server behind NAT).
     add: Optional | set: Optional | delete: N/A | show/status/start/stop/restart: N/A | reexport: N/A
 filter-action-in
     Export all logs with a specific action. The value must be surrounded by double quotes ("").
     Multiple values are supported and must be separated by a comma.
     Important - This parameter replaces any other filter configuration that was declared earlier on this
     field directly in the filtering XML file. Other field filters are not overwritten.
     add: Optional | set: Optional | delete: N/A | show/status/start/stop/restart: N/A | reexport: N/A
 filter-blade-in
     Export all logs that belong to a specific Software Blade. The value must be surrounded by double
     quotes (""). Multiple values are supported and must be separated by a comma. Predefined blade
     families can be selected (Access, TP, Endpoint, Mobile).
     Important - This parameter replaces any other filter configuration that was declared earlier on this
     field directly in the filtering XML file. Other field filters are not overwritten.
     add: Optional | set: Optional | delete: N/A | show/status/start/stop/restart: N/A | reexport: N/A
 filter-origin-in
     Export all logs from a specific origin. The value must be surrounded by double quotes ("").
     Multiple values are supported and must be separated by a comma.
     Important - This parameter replaces any other filter configuration that was declared earlier on this
     field directly in the filtering XML file. Other field filters are not overwritten.
     add: Optional | set: Optional | delete: N/A | show/status/start/stop/restart: N/A | reexport: N/A
 format
     The format, in which the logs are exported.
     add: Optional | set: Optional | delete: N/A | show/status/start/stop/restart: N/A | reexport: N/A
 name
     Unique name of the exporter configuration.
     add: Mandatory | set: Mandatory | delete: Mandatory | show/status/start/stop/restart: Optional (by default,
     applies to all) | reexport: Mandatory
 protocol
     Layer 4 Transport protocol to use (TCP or UDP).
     add: Mandatory | set: Optional | delete: N/A | show/status/start/stop/restart: N/A | reexport: N/A
 read-mode
     Configure the mode, in which the log files are read and exported.
     add: Optional | set: Optional | delete: N/A | show/status/start/stop/restart: N/A | reexport: N/A
 reconnect-interval
     Schedule a reconnection to the target server after the connection is lost.
     add: Optional | set: Optional | delete: N/A | show/status/start/stop/restart: N/A | reexport: N/A
 target-port
     The listening port on the target server, to which you export the logs.
     add: Mandatory | set: Optional | delete: N/A | show/status/start/stop/restart: N/A | reexport: N/A
 target-server
     The IP address or FQDN of the target server, to which you export the logs.
     add: Mandatory | set: Optional | delete: N/A | show/status/start/stop/restart: N/A | reexport: N/A
Log Exporter TLS Configuration
Log Exporter can export logs over an encrypted connection using the TLS protocol.
Only mutual authentication is allowed.
For mutual authentication, Log Exporter requires these certificates:
   n   A Certificate Authority (CA) certificate file in the PEM format (this is the CA that signed both the client
       (Log Exporter side) and target server certificates)
   n   A client certificate in the P12 format on the Management Server / Log Server with Log Exporter
           Notes:
               n   The Management Server / Log Server with Log Exporter must be able to connect
                   to the Certificate Authority.
               n   In addition to these two certificates, a third certificate should be installed on the
                   target server (based on the server requirement).
               n   It is possible to use self-signed certificates.
If you do not already have the required certificates, the procedure below is an example of how to create the
required certificates.
The procedure below uses the openssl commands on a Linux server (non-Check Point).
To create a self-signed Certificate Authority (CA)
   Run this if you do not already have a trusted CA certificate in the PEM format:
       1. Generate the root CA key and do not give it to anyone:
            openssl genrsa -out RootCA.key 2048
       2. Generate the root CA certificate in the PEM format:
            openssl req -x509 -new -nodes -key RootCA.key -days 2048 -out RootCA.pem
       3. Enter the Distinguished Name (DN) information for the certificate.
              n    Common Name (CN) is the exact Fully Qualified Domain Name (FQDN) of the host on
                   which you use the certificate.
              n    All other fields are optional. If you purchase an SSL certificate from a Certificate Authority,
                   these additional fields may be required.
To create a client certificate file in the P12 format (for Log Exporter)
       1. Generate the client key and do not give it to anyone:
            openssl genrsa -out log_exporter.key 2048
       2. Generate the client certificate sign request:
            openssl req -new -key log_exporter.key -out log_exporter.csr
       3. Use the CA files to sign the certificate:
            openssl x509 -req -in log_exporter.csr -CA RootCA.pem -CAkey RootCA.key -CAcreateserial -out log_exporter.crt -days 2048 -sha256
       4. Convert the certificate file to the P12 format:
            openssl pkcs12 -inkey log_exporter.key -in log_exporter.crt -export -out log_exporter.p12
                     Note - The challenge phrase used in this conversion is required in the
                     "log_exporter" TLS configuration.
After you create the required certificates, you must update the security parameters on the Check Point
Management Server / Log Server.
To update the security parameters
      1. Connect to the command line on the Management Server / Log Server.
      2. Log in to the Expert mode.
      3. On a Multi-Domain Server / Multi-Domain Log Server, switch to the required Domain:
           mdsenv <IP Address or Name of Domain Management Server / Domain Log Server>
      4. Go to the directory with the applicable Log Exporter Configuration:
           cd $EXPORTERDIR/targets/<Name of Log Exporter Configuration>
      5. Create a new directory for the certificates:
           mkdir -v certificates
           cd certificates
      6. Transfer these certificate files to the new directory "certificates":
             n   RootCA.pem
             n   log_exporter.p12
      7. Give the certificate files the read permission:
           chmod -v +r RootCA.pem
           chmod -v +r log_exporter.p12
      8. Go to the directory with the applicable Log Exporter Configuration:
           cd $EXPORTERDIR/targets/<Name of Log Exporter Configuration>
      9. Update the targetConfiguration.xml file:
           a. Edit the file:
                 vi targetConfiguration.xml
           b. Configure the full path to the new certificate files and the challenge phrase used to create
              the P12 certificate.
           c. Save the changes in the file and exit the editor.
To create a target server certificate
     1. Generate the server key and do not give it to anyone:
          openssl genrsa -out syslogServer.key 2048
     2. Generate the server certificate sign request:
          openssl req -new -key syslogServer.key -out syslogServer.csr
     3. Use the CA files to sign the certificate:
          openssl x509 -req -in syslogServer.csr -CA RootCA.pem -CAkey RootCA.key -CAcreateserial -out syslogServer.crt -days 2048 -sha256
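The script below is an added example, not a script from this guide. It runs the three openssl procedures of this section end to end, with the file names the guide uses (RootCA.pem, log_exporter.p12, syslogServer.crt), in non-interactive form (-subj instead of DN prompts, -passout for the P12 challenge phrase), and then adds a verification step the guide does not spell out: both leaf certificates must chain to RootCA.pem, and the P12 must open with the passphrase that will be entered as the client secret. The hostnames and the passphrase are constructed placeholders; the openssl CLI must be installed.

```shell
#!/bin/sh
# Added example; not part of the Check Point guide. Generates the root CA, the
# Log Exporter client certificate (P12) and the target-server certificate as
# described in the TLS section, then verifies them before they are copied to
# $EXPORTERDIR/targets/<Name>/certificates. Hostnames and the passphrase used
# here are constructed placeholders.
set -e

# make_log_exporter_certs DIR LOG_SERVER_FQDN SYSLOG_SERVER_FQDN P12_PASSPHRASE
make_log_exporter_certs() {
    dir=$1 client_cn=$2 server_cn=$3 p12_pass=$4
    mkdir -p "$dir"

    # 1. Root CA. The key stays on the host that runs this script.
    openssl genrsa -out "$dir/RootCA.key" 2048 2>/dev/null
    openssl req -x509 -new -nodes -key "$dir/RootCA.key" -days 2048 -sha256 \
        -subj "/CN=Log Exporter example CA" -out "$dir/RootCA.pem"

    # 2. Client certificate for Log Exporter. CN is the FQDN of the Log Server.
    openssl genrsa -out "$dir/log_exporter.key" 2048 2>/dev/null
    openssl req -new -key "$dir/log_exporter.key" -subj "/CN=$client_cn" \
        -out "$dir/log_exporter.csr"
    openssl x509 -req -in "$dir/log_exporter.csr" -CA "$dir/RootCA.pem" \
        -CAkey "$dir/RootCA.key" -CAcreateserial -days 2048 -sha256 \
        -out "$dir/log_exporter.crt" 2>/dev/null
    # The export passphrase is the challenge phrase that targetConfiguration.xml
    # (or the client-secret CLI argument) must contain later.
    openssl pkcs12 -export -inkey "$dir/log_exporter.key" -in "$dir/log_exporter.crt" \
        -passout "pass:$p12_pass" -out "$dir/log_exporter.p12"

    # 3. Target-server certificate, signed by the same CA.
    openssl genrsa -out "$dir/syslogServer.key" 2048 2>/dev/null
    openssl req -new -key "$dir/syslogServer.key" -subj "/CN=$server_cn" \
        -out "$dir/syslogServer.csr"
    openssl x509 -req -in "$dir/syslogServer.csr" -CA "$dir/RootCA.pem" \
        -CAkey "$dir/RootCA.key" -CAcreateserial -days 2048 -sha256 \
        -out "$dir/syslogServer.crt" 2>/dev/null

    # Only RootCA.pem and log_exporter.p12 go to the Log Server, readable as in the
    # guide's "chmod +r" step; the private keys stay owner-only on this host.
    chmod 0644 "$dir/RootCA.pem" "$dir/log_exporter.p12"
    chmod 0600 "$dir/RootCA.key" "$dir/log_exporter.key" "$dir/syslogServer.key"
}

# verify_log_exporter_certs DIR P12_PASSPHRASE
# Returns 0 only if both leaf certificates validate against RootCA.pem and the
# P12 opens with the given passphrase, so a wrong client secret is caught here
# rather than after a restart of the exporter.
verify_log_exporter_certs() {
    dir=$1 p12_pass=$2
    openssl verify -CAfile "$dir/RootCA.pem" "$dir/log_exporter.crt" >/dev/null 2>&1 &&
    openssl verify -CAfile "$dir/RootCA.pem" "$dir/syslogServer.crt" >/dev/null 2>&1 &&
    openssl pkcs12 -in "$dir/log_exporter.p12" -passin "pass:$p12_pass" \
        -nokeys -noout >/dev/null 2>&1
}

# Stand-alone use:
#   sh make_certs.sh /tmp/lx-certs logserver.example.test syslog.example.test 'constructed-passphrase'
if [ $# -eq 4 ]; then
    make_log_exporter_certs "$1" "$2" "$3" "$4"
    verify_log_exporter_certs "$1" "$4" && echo "certificate chain OK in $1"
fi
```

The CN values are the FQDNs the guide asks for; the CA certificate is self-signed, which the Notes above allow. syslogServer.key and syslogServer.crt are the pair to install on the target server; the remaining private keys never need to leave the machine where they were generated.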
Log Exporter Advanced Configuration Parameters
After deploying a new instance of Log Exporter, all configuration files for that deployment are located in this
directory:
  $EXPORTERDIR/targets/<Name of Log Exporter Configuration>/
          Note - On a Multi-Domain Server / Multi-Domain Log Server, the value of the
          environment variable EXPORTERDIR changes automatically when you switch between
          Domain server contexts with the mdsenv command.
          Important:
              n   You must restart the Log Exporter instance for the new settings to take effect.
                  Run the "cp_log_export restart" command.
              n   For information on how to back up and restore your Log Exporter configuration,
                  see sk127653.
You can configure specific parameters to control how Log Exporter exports the logs.
Target Server Configuration
   The Log Exporter configuration for the target server is saved in this file:
     $EXPORTERDIR/targets/<Name of Log Exporter Configuration>/targetConfiguration.xml
   These are some of the configuration options:
                                                                                                Valid / Default
    Parameter                         Description
                                                                                                Values
    <version></version>               Current Log Exporter version - used for upgrades.
    <is_enabled></is_                 Determines if the Log Exporter process is                 true
    enabled>                          monitored by the watch dog.                               false
Destination Parameters
   type
      Description: Reserved for future use.
   <ip></ip>
      Description: The IP address of the target server that receives the logs.
      Valid / Default Values: Any IPv4 address or FQDN
   <port></port>
      Description: The port on the target.
      Valid / Default Values: Any valid port number
   <protocol></protocol>
      Description: The protocol used in the connection.
      Valid / Default Values: TCP or UDP
   <reconnect_interval></reconnect_interval>
      Description: Determines how frequently to start the connection to the target server after it is lost.
      Valid / Default Values: Number of minutes
Security Parameters
  These are discussed in more detail in "Log Exporter TLS Configuration" on page 207.
   <security></security>
      Description: Determines if the connection is sent in clear text or encrypted.
      Valid / Default Values:
         - clear - clear text (this is the default)
         - tls - encrypted
   <pem_ca_file></pem_ca_file>
      Description: The location of the root Certificate Authority certificate file in the PEM format.
   <p12_certificate_file></p12_certificate_file>
      Description: The location of the client key pair in the P12 format.
   <client_certificate_challenge_phrase></client_certificate_challenge_phrase>
      Description: The challenge phrase that was used to create the P12 certificate.
         The value is hashed when the Log Exporter is started or restarted.
Source Parameters
   <folder></folder>
      Description: The path where the log files are located.
      Valid / Default Values: Default location is $FWDIR/log/
   <log_files></log_files>
      Description: Determines which log records to export or how far back to read the log records from the $FWDIR/log/fw.log file.
      Valid / Default Values:
         - <Number> - reads logs from the specific number (default=1) of days back (recommended)
         - <Specific File Name> - reads logs from the specified file
         - on-line
         - If no value is specified, uses 'on-line'
   <log_types></log_types>
      Description: Determines which logs to export.
      Valid / Default Values:
         - all - Security and Audit (default)
         - log - Security only
         - audit - Audit only
   <read_mode></read_mode>
      Description: Determines whether to export complete logs or only their delta.
      Valid / Default Values:
         - semi-unified (default)
         - raw
Resolver Parameters
   <mappingConfiguration></mappingConfiguration>
      Description: Configures the XML file that contains the log field mapping scheme.
         If left empty, uses the default settings.
      Valid / Default Values: Default values are based on the format
   <exportAllFields>true</exportAllFields>
      Description: When this field is set to 'true', all log fields are sent regardless of whether they
         appear in the mapping scheme, except for specifically black-listed fields in the relevant log
         format mapping file (<exported>false</exported>).
         When this field is set to 'false', only those fields which appear in the relevant log format
         mapping file are sent (with exported flag set to 'true': <exported>true</exported>).
      Valid / Default Values: true, false
Format Parameters
   <formatHeaderFile></formatHeaderFile>
      Description: Configures the XML file that contains the log header format scheme.
         If left empty, uses the default settings.
      Valid / Default Values: Default values are based on the format
SmartView Link Parameters
   export_log_link
      Description: Adds a field to the exported log that represents a link to SmartView that shows the log card.
      Valid / Default Values: true, false (default)
   export_attachment_link
      Description: Adds a field to the exported log that represents a link to SmartView that shows the log card
         and automatically opens the attachment.
      Valid / Default Values: true, false (default)
   export_link_ip
      Description: Makes the above two links use a customized IP address (for example, for a NATed Log Server).
      Valid / Default Values: IPv4 address, empty (default)
Filter Parameters
  This configuration allows the Log Exporter instance to filter out the Security Gateway traffic logs for several
  Software Blades (VPN-1 & Firewall-1, HTTPS Inspection, and Security Gateway/Management).
            Note:
                - Security Gateway session logs are still exported (generated by tracking a
                  Security Gateway rule per session).
                - HTTPS Inspection logs, Security Gateway logs generated not from rules, and
                  a few NAT update logs are still exported.
   <filter filter_out_by_connection="false">
      Description: Determines whether to filter out the Access logs.
         When set to true, VPN-1 & Firewall-1 logs are filtered out (HTTPS Inspection logs are still exported).
         Note - These are the only Software Blade filters currently supported.
      Valid / Default Values: true, false
Format Configuration
  The Log Exporter format configuration is saved in these files:
    $EXPORTERDIR/targets/<Name of Log Exporter Configuration>/conf/*FormatDefinition.xml
            Important - Do not edit the original *FormatDefinition.xml files. Doing so
            causes a data loss after an upgrade. Instead, create a copy of the file and modify
            the copied file, while leaving the original intact. After modifying the copied file, refer to
            it (using a full path) in the <formatHeaderFile> element in the applicable
            targetConfiguration.xml file.
  Body
   Each body parameter is listed with its description and its default value per format (Syslog, Splunk, CEF,
   LEEF, Generic, LogRhythm, RSA). A format that is not listed under a parameter has no value for it.

   <start_message_body></start_message_body>
      Description: The character that precedes the log data payload.
      Syslog: [

   <end_message_body></end_message_body>
      Description: The character that follows the log data payload.
      Syslog: ]

   <message_separator></message_separator>
      Description: The delimiter that separates logs.
      All formats (Syslog, Splunk, CEF, LEEF, Generic, LogRhythm, RSA): &#10; ('\n')

   <fields_separatator></fields_separatator>
      Description: The delimiter that separates log fields.
      Syslog: '; ' (semicolon, space)
      Splunk: | (pipe)
      CEF: ' ' (space)
      LEEF: &#9; (<TAB>)
      Generic: ' ' (space)
      LogRhythm: | (pipe)
      RSA: ' ' (space)

   <field_value_separatator></field_value_separatator>
      Description: The assignment operator.
      Syslog: :
      Splunk, CEF, LEEF, Generic, LogRhythm, RSA: =

   <value_encapsulation_start>"</value_encapsulation_start>
      Description: The value encapsulation operator (start).
      Syslog: "
      LEEF: "
      Generic: "

   <value_encapsulation_end>"</value_encapsulation_end>
      Description: The value encapsulation operator (end).
      Syslog: "
      LEEF: "
      Generic: "

   <escape_chars>
     <char>
       <orig></orig>
       <escaped></escaped>
     </char>
   </escape_chars>
      Description: To escape unwanted characters. The escape functionality replaces the string that is
         encapsulated by the orig tags with the string encapsulated by the escaped tags.
      Syslog:
         \ --> \\
         " --> \"
         ] --> \]
         &#10; --> ' '
      Splunk:
         | --> ;
         = --> \=
         &#10; --> ' '
      CEF:
         \ --> \\
         = --> \=
         &#10; --> ' '
         | --> \|
      LEEF:
         = --> \=
         &#10; --> ' '
      Generic:
         \ --> \\
         " --> '
         &#10; --> ' '
      LogRhythm:
         | --> ;
         = --> \=
         &#10; --> ' '
      RSA:
         = --> \=
         &#10; --> ' '
Header
   <header_format></header_format>
      Description: The delimiter between the header values and the number of values. Every {} is replaced
         with one value.
      Default value for Syslog: ' ' (space)
      Default value for CEF: |
            Notes:
                - To add a constant string to the header, add the string to the <header_format> tag value.
                - To add a new field to the header, add a new header format replacement string
                  (for example: {}) to the <header_format> tag and add the applicable
                  information in the <headers> tag.
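The following added example (not Check Point's code) renders one log record the way the Body and Header parameters describe it, so that the effect of the separators, the encapsulation operators and the escape_chars order can be seen on a real value. The Syslog and CEF separator and escape values are the defaults from the Body table; the dict representation, the header_format placeholder strings, the order in which the escape rules run and the sample record are assumptions made for this illustration.

```python
"""Added example, not Check Point's code: render a record from body/header
parameters in the style of a *FormatDefinition.xml file."""

SYSLOG_FORMAT = {
    "start_message_body": "[",
    "end_message_body": "]",
    "fields_separatator": "; ",
    "field_value_separatator": ":",
    "value_encapsulation_start": '"',
    "value_encapsulation_end": '"',
    # <escape_chars>: (<orig>, <escaped>) pairs, applied in this order.
    "escape_chars": [("\\", "\\\\"), ('"', '\\"'), ("]", "\\]"), ("\n", " ")],
    # Assumed: three header values delimited by a space (the Syslog default).
    "header_format": "{} {} {} ",
}

CEF_FORMAT = {
    "start_message_body": "",
    "end_message_body": "",
    "fields_separatator": " ",
    "field_value_separatator": "=",
    "value_encapsulation_start": "",
    "value_encapsulation_end": "",
    "escape_chars": [("\\", "\\\\"), ("=", "\\="), ("\n", " "), ("|", "\\|")],
    # Assumed: the six CEF header fields after the version, delimited by '|'.
    "header_format": "CEF:0|{}|{}|{}|{}|{}|{}|",
}


def escape_value(value, escape_chars):
    """Apply the <escape_chars> replacements in list order.

    The backslash rule has to run first: if it ran after the quote rule,
    the backslash that the quote rule introduced would itself be doubled."""
    for orig, escaped in escape_chars:
        value = value.replace(orig, escaped)
    return value


def render_header(values, fmt):
    """Replace every {} in header_format with one header value, in order.
    Header values are inserted as given; only body values are escaped."""
    parts = fmt["header_format"].split("{}")
    if len(parts) - 1 != len(values):
        raise ValueError("header_format expects %d values, got %d"
                         % (len(parts) - 1, len(values)))
    out = parts[0]
    for value, tail in zip(values, parts[1:]):
        out += value + tail
    return out


def render_body(fields, fmt):
    """Join name/value pairs with the body separators and encapsulation."""
    pairs = []
    for name, value in fields:
        pairs.append(name + fmt["field_value_separatator"]
                     + fmt["value_encapsulation_start"]
                     + escape_value(value, fmt["escape_chars"])
                     + fmt["value_encapsulation_end"])
    return (fmt["start_message_body"]
            + fmt["fields_separatator"].join(pairs)
            + fmt["end_message_body"])


def render_record(header_values, fields, fmt):
    return render_header(header_values, fmt) + render_body(fields, fmt)


# Constructed sample record. The user_agent value carries a ']', quotes and
# a newline: left unescaped, they would close the Syslog body early or split
# one record into two lines on the receiving server.
SAMPLE_FIELDS = [
    ("action", "Accept"),
    ("src", "10.0.0.5"),
    ("user_agent", 'Mozilla/5.0 (X11] "x"\nnext'),
]

if __name__ == "__main__":
    print(render_record(["2022-01-13T10:00:00Z", "gw1", "CheckPoint"],
                        SAMPLE_FIELDS, SYSLOG_FORMAT))
    print(render_record(["Check Point", "Log Update", "Check Point",
                         "Log", "Log", "0"], SAMPLE_FIELDS, CEF_FORMAT))
```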
Field Mapping Configuration
  Every format has its own predefined fields configuration file that allows you to change the name / value of the
  exported field, filter out irrelevant fields, and so on.
  The Log Exporter format configuration is saved in these files:
    $EXPORTERDIR/targets/<Name of Log Exporter Configuration>/conf/*FieldsMapping.xml
            Important - Do not edit the original *FieldsMapping.xml files. Doing so causes a
            data loss after an upgrade. Instead, create a copy of the file and modify the copied
            file, while leaving the original intact. After modifying the copied file, refer to it (using a
            full path) in the <formatHeaderFile> element in the applicable
            targetConfiguration.xml file.
   <table>
      Description: Some fields appear in the tables based on the log format.
         This information can be found in the .elg log file - one entry for every new field.
         A field can appear in multiple tables. Each distinct instance is considered a new field.
   <exported></exported>
      Description: Optional.
         You can use the exported true/false tag in the mapping configuration file to filter out specific fields.
         Alternatively, if the exportAllFields tag in the targetConfiguration.xml file is set to false, only
         those fields which are listed in the mapping file are exported.
      Valid / Default Values: true, false
   <origName></origName>
      Description: The name of the field that is mapped to <dstName>.
   <dstName></dstName>
      Description: The new mapping scheme name for the applicable field.
   <required></required>
      Description: Optional.
         When set to true, only logs that contain this field are exported.
      Valid / Default Values: true, false
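The added example below (not Check Point's code) resolves one log against a mapping file the way the <exported>, <required>, <origName>, <dstName> and exportAllFields parameters are described above. The element names come from the tables on this page; the <fields>/<field> wrappers, the table name attribute, the treatment of a missing <exported> tag as true, and the sample mapping and log are assumptions.

```python
"""Added example, not Check Point's code: apply a *FieldsMapping.xml style
mapping plus the exportAllFields switch to one log record."""
import xml.etree.ElementTree as ET

# Constructed sample. <table>, <origName>, <dstName>, <exported> and
# <required> are the documented elements; <fields>/<field> and the
# name attribute are assumed wrappers.
SAMPLE_MAPPING = """
<mapping>
  <table name="generic">
    <fields>
      <field><origName>src</origName><dstName>src_ip</dstName>
             <exported>true</exported><required>true</required></field>
      <field><origName>dst</origName><dstName>dst_ip</dstName>
             <exported>true</exported></field>
      <field><origName>user_agent</origName><dstName>ua</dstName>
             <exported>false</exported></field>
      <field><origName>action</origName><dstName>act</dstName></field>
    </fields>
  </table>
</mapping>
"""

# Constructed log record; "loguid" is deliberately absent from the mapping.
SAMPLE_LOG = {"src": "10.0.0.5", "dst": "198.51.100.7", "user_agent": "x",
              "action": "Accept", "loguid": "abc"}


def _flag(field, tag, default):
    """Read an optional true/false child element."""
    text = field.findtext(tag)
    if text is None:
        return default
    return text.strip().lower() == "true"


def load_mapping(xml_text):
    """Return {origName: {"dst", "exported", "required"}} for every <field>,
    whatever <table> it sits in. A listed field without an <exported> tag
    is assumed to be exported."""
    rules = {}
    for field in ET.fromstring(xml_text.strip()).iter("field"):
        orig = field.findtext("origName")
        if not orig:
            continue
        rules[orig.strip()] = {
            "dst": (field.findtext("dstName") or orig).strip(),
            "exported": _flag(field, "exported", True),
            "required": _flag(field, "required", False),
        }
    return rules


def apply_mapping(log, rules, export_all_fields):
    """Return the exported record, or None when a <required> field is
    missing (the log is then not exported at all)."""
    for orig, rule in rules.items():
        if rule["required"] and orig not in log:
            return None
    out = {}
    for name, value in log.items():
        rule = rules.get(name)
        if rule is None:
            # Not in the mapping file: sent only when exportAllFields=true.
            if export_all_fields:
                out[name] = value
            continue
        if not rule["exported"]:
            continue  # black-listed with <exported>false</exported>
        out[rule["dst"]] = value
    return out


if __name__ == "__main__":
    rules = load_mapping(SAMPLE_MAPPING)
    print(apply_mapping(SAMPLE_LOG, rules, export_all_fields=True))
    print(apply_mapping(SAMPLE_LOG, rules, export_all_fields=False))
```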
Log Exporter Instructions for Specific SIEM
This section shows how to configure SIEM applications to receive logs optimally.
          Notes:
              - When using Client Authentication, you must provide the absolute path to the client
                certificate.
              - Make sure the "Common Name" is unique in every certificate.
Rsyslog
Procedure
   By default, Rsyslog is not configured to use the RFC 5424 timestamp format. Therefore, you should
   manually change the setting on the Rsyslog server for it to be compliant with the Log Exporter output
   format.
      1. Edit the /etc/rsyslog.conf file:
            vi /etc/rsyslog.conf
      2. Comment out this line (add the # character in the beginning), if it is not commented out already:
            #$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
      3. Add this line in the file:
            $ActionFileDefaultTemplate RSYSLOG_SyslogProtocol23Format
      4. Save the changes in the file and exit the editor.
      5. Restart the Rsyslog service:
            service rsyslog restart
ArcSight
Procedure
   ArcSight recommends naming the server certificate file "syslog-ng".
   To name the certificate:
   Convert the key to the P12 format:
     openssl pkcs12 -inkey syslogServer.key -in syslogServer.crt -export -out syslog-ng.p12 -name "syslogng-alias" -password pass:changeit
  Make sure the value of the environment variable ARCSIGHT_HOME is the connector install
  directory, then import the CA certificate into the keystore:
    1. Run the certificates manager on the Linux KDE console:
          $ARCSIGHT_HOME/current/bin/arcsight agent keytoolgui
    2. From the File menu, open the keystore:
          $ARCSIGHT_HOME/current/jre/lib/security/cacerts
        The password is "changeit".
    3. From the menu, select Import Trusted Certificate.
    4. From the file dialog, select Ca.pem and save it.
    5. Save the changes and close the certificate manager.
  To edit the "agent.properties" file to enable mutual authentication:
    1. Edit the file:
          vi $ARCSIGHT_HOME/current/user/agent/agent.properties
    2. Change this value to true:
          syslogng.mutual.auth.enabled=true
    3. Add these lines to the end:
          syslogng.tls.keystore.file=user/agent/syslog-ng.p12
          syslogng.tls.keystore.alias=syslogng-alias
    4. Restart the connector service:
          /etc/init.d/arc_connector_name restart
Splunk
Procedure
    1. Generate the server certificate file in the PEM format:
          cat syslogServer.crt syslogServer.key RootCA.pem > splunk.pem
    2. Update the inputs.conf file on the Splunk server:
            a. Edit the file:
                  vi /opt/splunk/etc/apps/<Name of the app, where the configuration is saved>/local/inputs.conf
            b. Configure these settings to use TLS:
                  [SSL]
                  serverCert = <Full path to CA PEM file>
                  sslPassword = <Challenge Password>
                  requireClientCert = true
                  [tcp-ssl://<Port>]
                  index = <Index>
            c. Save the changes in the file and exit the editor.
    3. Update the server.conf file on the Splunk server:
            a. Edit the file:
                  vi /opt/splunk/etc/system/local/server.conf
            b. Configure these settings:
                  [sslConfig]
                  sslRootCAPath = <Full path to CA PEM file>
                  [SSL]
                  cipherSuite = TLSv1+HIGH:TLSv1.2+HIGH:@STRENGTH
            c. Save the changes in the file and exit the editor.
    4. Restart the Splunk service:
         /opt/splunk/bin/splunk restart
QRadar
Procedure
    1. In the Authentication Mode field, select TLS And Client Authentication.
       When you use Client Authentication, you must provide the absolute path to the client certificate.
    2. Upload the Check Point certificate and private key to QRadar to the same directory.
    3. Enter the absolute path to the uploaded files in the Provide Certificate option.
Transition from LEA to Log Exporter
To move from the existing LEA connector to the new Log Exporter:
  1. In SmartConsole, delete the OPSEC application object if it is the only use for the OPSEC application.
     If not, remove the LEA client entity.
  2. If this is the only OPSEC LEA client, configure the $FWDIR/conf/fwopsec.conf file to not allow
     LEA:
        a. Connect to the command line on the Management Server / Log Server with Log Exporter.
        b. Log in to the Expert mode.
        c. Back up the current file:
              cp -v $FWDIR/conf/fwopsec.conf{,_BKP}
        d. Edit the current file:
              vi $FWDIR/conf/fwopsec.conf
        e. Comment out these lines (add the # character in the beginning):
              From                                     To
               lea_server auth_port 18184              # lea_server auth_port 18184
               lea_server port 0                       # lea_server port 0
         f. Save the changes in the file and exit the editor.
  3. Configure the Log Exporter settings in one of these ways:
         - In SmartConsole - see "Configuring Log Exporter in SmartConsole" on page 196
         - In CLI - see "Configuring Log Exporter in CLI" on page 198
 Note - Reading logs through LEA, which were configured manually in the SmartLog custom settings file, is
 not available in R80.x.
Transition from CPLogToSyslog to Log Exporter
To move from the existing CPLogToSyslog to the new Log Exporter:
  1. Use CPUSE to uninstall the CPLogToSyslog package. See section 4-C in sk92449.
  2. Configure the Log Exporter settings in one of these ways:
         - In SmartConsole - see "Configuring Log Exporter in SmartConsole" on page 196
         - In CLI - see "Configuring Log Exporter in CLI" on page 198
Log Exporter - Appendix
Special Log Fields
 Field         Description
 loguid        Log Unification ID.
               Some Check Point logs are updated over time.
               Updated logs have the same Log UID value.
               Check Point SmartLog client correlates those updates into a single unified log.
               When the update logs are sent to 3rd party servers, they arrive as distinct logs.
               Administrators can use the "loguid" field to correlate updated logs and get the full event
               chain.
               Note - Log Exporter's new semi-unified mode correlates all previous logs into one, so the
               latest log always shows the complete data.
               Examples of updated logs:
                  - The total amount of bytes sent and received over time.
                  - The severity field, which is updated over time as more information becomes available.
 hll_key       High Level Log Key.
               This concept was introduced in R80.10.
               Multiple connection logs can comprise one session with one shared HLL Key.
               For example, when you browse to a webpage, the Security Gateway may generate multiple
               connection logs which are related to the same session.
               Connection logs which are part of the same session share the same "hll_key" value.
Syslog-NG Listener Configuration
We recommend you use the syslog-protocol flag when you configure a source on a Syslog NG server.
For example:
 source s_network { network(transport("tcp") port(514) flags(syslog-protocol) ); };
Splunk Listener Configuration
We recommend that you add these time settings to your "sourcetype":
   - TIME_FORMAT = %s
   - TIME_PREFIX = time=
   - MAX_TIMESTAMP_LOOKAHEAD = 15
ArcSight Listener Configuration
The Log Exporter solution does not work with the OPSEC LEA connector. Instead, you must install the
ArcSight Syslog-NG connector.
ArcSight Common Event Format (CEF) Mapping
CEF is an extensible, text-based format that supports multiple device types by offering the most relevant
information. Message syntax is reduced to work with ESM normalization. Specifically, CEF defines a syntax
for log records comprised of a standard header and a variable extension, formatted as key-value pairs. The
CEF format can be used with on-premises devices by implementing the ArcSight Syslog SmartConnector.
CEF can also be used by cloud-based service providers by implementing the SmartConnector for ArcSight
Common Event Format REST.
CEF Header Format
  Item                   Default Value   Values
  Version                CEF:0           -
  Device Vendor          Check Point     -
  Device Product         Log Update      Product Name (Blade)
  Device Version         Check Point     -
  Device Event Class ID  Log             - Attack Name
                                         - Protection Type
                                         - Verdict
                                         - Matched Category
                                         - DLP Data Type
                                         - Application Category
                                         - Application Properties
  Name                   Log             - Protection Name
                                         - Application Name
                                         - Message Info
                                         - Service ID
                                         - Service
  Severity               0               - Application Risk
                                         - Risk
                                         - Severity
QRadar Log Event Extended Format (LEEF) Mapping
The LEEF is a customized event format for IBM Security QRadar.
LEEF Header Format
 Item           Default           Values
 LEEF Version   LEEF:2.0          -
 Vendor         Check Point       -
 Product        Log Update        Product Name (Blade)
 Version        1.0               -
 EventID        Check Point Log   - Protection Name
                                  - Application Name
                                  - Action
Note - The time format is not compliant with the official LEEF format.
As there is currently no Epoch time format, Log Exporter with LEEF format is only partially supported.
Logs in Milliseconds
Many users export logs to third parties. In some cases, the volume of logs is so large that several logs arrive
all at the same second. To construct a chain of events from the logs’ arrival, you must know the specific
order the logs arrive. Now you can send the time of arrival in a format that includes milliseconds.
Logs in milliseconds is intended for customers who:
   - Use Log Exporter.
   - Have environments with high logging rates.
This feature is disabled by default.
To turn on logs in milliseconds on the gateway side:
Note – This procedure starts the FWD process.
   1. Connect to the gateway via SSH.
   2. Go to: $FWDIR/scripts/
   3. Run the script: enable_disable_time_in_milli.sh <param>
      - To enable the feature, run the script with param '1'.
      - To disable the feature, run the script with param '0'.
You must run this procedure for every VSX/Cluster member.
To turn on the feature on the Log Server side:
   1. Connect to your Log Server via SSH.
   2. To create a new exporter that exports logs with the milliseconds format, run these commands:
      - cp_log_export add name <exporter_name> target-server <target_ip> target-port <port_number> protocol <tcp/udp> time-in-milli true
      - cp_log_export restart name <exporter_name>
   3. To modify an existing exporter to export logs with the milliseconds format, run these commands:
      - cp_log_export set name <exporter_name> time-in-milli true
      - cp_log_export restart name <exporter_name>
After Log Exporter is configured to export logs in milliseconds, the additional field is added to the time field.
Logs from gateways without the feature enabled are exported with the value 000 for the additional time field.
API for Logs
Overview
API for Logs lets you use a single management API command to query for logs or top statistics. The API
uses the same filter parameters as entered in the SmartConsole Logs tab search bar (see Configuration
below).
Run the API on the Management Server to get the logs from the environment.
With API for Logs, you can:
   - Fetch logs from any Log Server in the environment with a single management API command.
     Input: Optional query parameters include:
        - Logs type: Traffic / Audit
        - Time-frame
        - Filter criteria – Equivalent to the query line in SmartConsole.
        - Query from specific Log Servers.
        - Limit results count
     Output: Matching logs with all fields in JSON format.
   - Paging – Logs are fetched in small chunks (default and max limit is 100) so queries do not overload
     the Log Server. The first "page" of results shows a limited number of logs. To get the next set of
     results from a previously run query, enter the query-id from the API command.
   - Top statistics – Query for the top statistics for multiple fields, including top sources and top
     destinations.
   - Fetch log attachments:
        - Each log in a query response indicates whether it contains an attachment. An attachment can
          be a packet capture or Threat Emulation report.
        - Another API command ("Log Attachments API" on page 231) fetches the attachment by log ID,
          and returns all the attachments in a single JSON response.
   - Automatic command generation – In SmartConsole, click the button to generate an API command
     according to the currently presented query in the Logs tab. This includes:
        - Time-frame.
        - Selected log servers.
        - Filter criteria – Query line.
        - Limit of 50 results by default.
The mechanism for API for logs is the same as for SmartConsole log queries.
Permissions are enforced according to the logged in user profile.
Use Case
This feature is for customers who do not have access to SmartConsole and are familiar with using
management APIs. The API for Logs can be used inside a customer's automation script to get logs and run
statistics on the logs without the need to access SmartConsole.
Configuration
For a new logs query:
mgmt_cli show-logs new-query.filter product:<product name> new-query.time-frame <time-frame> new-query.max-logs-per-request <limit>
 Parameter              Description
 filter                 The filter as entered in SmartConsole/SmartView.
                        Type: String
 time-frame             Specify the time frame to query logs.
                        Valid values:
                           - last-7-days
                           - last-hour
                           - today
                           - last-24-hours
                           - yesterday
                           - this-week
                           - this-month
                           - last-30-days
                           - all-time
                           - custom
                        Default: last-7-days
                        Type: String
 custom-start           Type: String
                        Must be in ISO 8601 format.
 custom-end             Type: String
                        Must be in ISO 8601 format.
 max-logs-per-request   Valid values: 1-100
                        Default: 10
                        Type: String
 type                   Type of logs to return
                        Valid values: logs, audit
                        Default: logs
                        Type: String
 log-servers            List of IPs of log servers to query
                        Default: all
                        Type: String
To get results for custom time frames:
mgmt_cli show-logs new-query.time-frame "custom" new-query.custom-start YYYY-MM-DD new-query.custom-end YYYY-MM-DD
To get results for top statistics:
mgmt_cli show-logs new-query.filter product:<product name> new-query.top.field blades new-query.top.count <number> --format json -r true
 Parameter   Description
 count       Valid values: 1-50
             Type: String
 field       Valid values:
                - sources
                - destinations
                - services
                - actions
                - blades
                - origins
                - users
                - applications
             Type: String
To get more results for an existing query:
mgmt_cli show-logs query-id <query-id> --session-id <session-id>
 Parameter         Description
 query-id          Get the next page of the last run query with a specified limit.
                   Type: String
 ignore-warnings   Ignore warnings if they exist.
                   Type: Boolean
Limitations:
   - The parameter "time-frame" in the API command does not accept the format
     "yyyymmddThhmmssZ" as input.
   - The command does not support non-index mode log queries.
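The paging loop described in the Overview, carried out in code as an added Python example that is not part of this guide or of Check Point's tooling: the first call passes the new-query parameters, and each later call passes back the returned query-id until a page comes back short. The response keys "logs" and "query-id", the FakeRunner stand-in and its constructed log records are assumptions; mgmt_cli_runner shows the real call shape but needs a Management Server and an API session.

```python
"""Page through show-logs results by following query-id.

Added example (not Check Point code). Assumed: the JSON response holds the
matching logs under "logs" and the query handle under "query-id"; the runner
is any callable that executes mgmt_cli with an argument list and returns
the parsed JSON. FakeRunner and its log records are constructed for the demo.
"""
import json
import subprocess

PAGE_SIZE = 100   # "default and max limit is 100" per the Overview
MAX_PAGES = 1000  # hard stop so a misbehaving server cannot keep us looping


def mgmt_cli_runner(args):
    """Real runner: needs a Management Server and an API session.
    The arguments go to mgmt_cli as a list, never through a shell, so a
    filter string is never reinterpreted as shell syntax."""
    out = subprocess.run(["mgmt_cli", *args, "--format", "json", "-r", "true"],
                         capture_output=True, text=True, check=True).stdout
    return json.loads(out)


def fetch_all_logs(runner, filter_text, time_frame="last-7-days",
                   log_type="logs", page_size=PAGE_SIZE):
    """Return every matching log; stops when a page comes back short."""
    page_size = max(1, min(page_size, PAGE_SIZE))   # valid values: 1-100
    resp = runner(["show-logs",
                   "new-query.filter", filter_text,
                   "new-query.time-frame", time_frame,
                   "new-query.type", log_type,
                   "new-query.max-logs-per-request", str(page_size)])
    logs = list(resp.get("logs", []))
    query_id = resp.get("query-id")
    pages = 1
    while query_id and len(resp.get("logs", [])) == page_size and pages < MAX_PAGES:
        resp = runner(["show-logs", "query-id", query_id])   # next page
        logs.extend(resp.get("logs", []))
        query_id = resp.get("query-id", query_id)
        pages += 1
    return logs


class FakeRunner:
    """Constructed stand-in for mgmt_cli: hands out `total` records in pages."""

    def __init__(self, total=250):
        self.records = [{"id": f"log-{i}", "src": f"10.0.0.{i % 254 + 1}"}
                        for i in range(total)]
        self.page_size = PAGE_SIZE
        self.cursor = 0
        self.calls = []

    def __call__(self, args):
        self.calls.append(args)
        if args[1] == "new-query.filter":          # a new query resets paging
            self.cursor = 0
            self.page_size = int(args[args.index("new-query.max-logs-per-request") + 1])
        page = self.records[self.cursor:self.cursor + self.page_size]
        self.cursor += len(page)
        return {"logs": page, "query-id": "constructed-query-id"}
```

Against a real server, call fetch_all_logs(mgmt_cli_runner, "product:Firewall") inside an established mgmt_cli session; the page-size clamp and the MAX_PAGES cap keep one script from pulling more than the Log Server is meant to serve per request.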
Log Attachments API
Log Attachments API provides an automated way to fetch log attachments. Each blade has its own type of
attachments. For example, IPS logs contain packet captures, and Threat Emulation logs contain a summary
report. Logs are not usually exported with all their attachments to save traffic load.
Use Cases:
This feature is intended for users who:
   - Use Log Exporter to get log attachments in an external syslog system and use specific scripts in their
     automation process.
   - Use Log Exporter and do not have (or want to provide) SmartConsole access to end users.
   - Use API for Logs.
Log Attachments API supports all gateway versions.
There are two different modes to fetch log attachments:
   - Log Exporter – Provides the attachment ID.
   - API for Logs – The log ID is provided in the results.
Log Exporter
Log Exporter exports logs to a third-party SIEM and adds an identifier called log-attachment-id, which
holds all attachment IDs of the log, separated by spaces. Log Exporter has a new parameter that lets you
export the attachment IDs.
You use the identifier to get a JSON response with the desired attachment. The JSON response contains the
attachment as base64-encoded data, which must be decoded and put in a specified destination folder before
it can be used.
To get a log attachment using Log Exporter, run these commands:
   1. cp_log_export set name <name> [domain-server <domain-server>] export-attachment-ids true
   2. cp_log_export restart name <name> [domain-server <domain-server>]
   3. mgmt_cli get-attachment attachment-id "<id from the exported log>"
To disable Log Exporter from exporting attachment IDs, run these commands:
   1. cp_log_export set name <name> [domain-server <domain-server>] export-attachment-ids false
   2. cp_log_export restart name <name> [domain-server <domain-server>]
API for Logs
Run a query for logs on the Management Server. In the JSON response, there is a field "id" for each log in the
response. After you have the log ID, run the log attachments API to get all the attachments for that log.
To get an attachment for one of the log results:
  1. Use the management API to fetch logs:
      Run: mgmt_cli show-logs
  2. Run: mgmt_cli get-attachment id "<log id from the previous response>"
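Decoding the attachment response on the client side, as an added Python example that is not part of this guide or of Check Point's tooling: it splits a Log Exporter log-attachment-id into its space-separated IDs, base64-decodes each attachment and writes it into the destination folder, and keeps attachment names that arrive inside the JSON from escaping that folder. The response keys ("attachments", "id", "name", "data") and the sample response are assumptions, constructed for the example.

```python
"""Decode log attachments returned by get-attachment.

Added example (not Check Point code). The guide says the JSON response
carries the attachment as base64 that must be decoded into a destination
folder; the key names used below ("attachments", "id", "name", "data") are
assumptions, not the documented schema. SAMPLE_RESPONSE is constructed.
"""
import base64
import json
import os
import re
import tempfile

SAFE_NAME = re.compile(r"[^A-Za-z0-9._-]")


def split_attachment_ids(log_attachment_id):
    """Log Exporter joins all attachment IDs of a log with spaces."""
    return [a for a in log_attachment_id.split(" ") if a]


def safe_filename(att_id, name):
    """Build a file name that cannot leave the destination folder.
    Names arrive inside log data, so they are treated as untrusted input."""
    base = os.path.basename(name or "")
    base = SAFE_NAME.sub("_", base).strip("._") or "attachment"
    return f"{SAFE_NAME.sub('_', att_id)}__{base}"


def decode_attachments(response_json):
    """Return [(file_name, bytes)] for every attachment in the response."""
    resp = json.loads(response_json) if isinstance(response_json, str) else response_json
    out = []
    for att in resp.get("attachments", []):
        raw = base64.b64decode(att["data"], validate=True)   # reject junk, not just ignore it
        out.append((safe_filename(att["id"], att.get("name")), raw))
    return out


def save_attachments(response_json, dest_dir):
    """Write decoded attachments under dest_dir; return the paths written."""
    dest = os.path.realpath(dest_dir)
    os.makedirs(dest, exist_ok=True)
    written = []
    for name, raw in decode_attachments(response_json):
        path = os.path.realpath(os.path.join(dest, name))
        if os.path.commonpath([dest, path]) != dest:   # defence in depth
            raise ValueError(f"refusing to write outside {dest}: {path}")
        with open(path, "wb") as fh:
            fh.write(raw)
        written.append(path)
    return written


# Constructed sample response: a tiny fake packet capture and a fake report
# whose name tries to climb out of the destination folder.
SAMPLE_RESPONSE = {
    "attachments": [
        {"id": "att-0001", "name": "capture.pcap",
         "data": base64.b64encode(b"\xd4\xc3\xb2\xa1constructed").decode()},
        {"id": "att-0002", "name": "../../etc/report.html",
         "data": base64.b64encode(b"<html>constructed report</html>").decode()},
    ]
}


def demo():
    """Decode SAMPLE_RESPONSE into a fresh temporary folder; return (folder, paths)."""
    folder = os.path.realpath(tempfile.mkdtemp(prefix="cp_attachments_"))
    return folder, save_attachments(SAMPLE_RESPONSE, folder)
```

In practice the response passed to save_attachments is the output of mgmt_cli get-attachment for each ID returned by split_attachment_ids; the realpath/commonpath check is kept even though safe_filename already strips directory components.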
Appendix: Manual Syslog Parsing
Many third-party devices use the syslog format to log. The Log Server reformats the raw data to the Check
Point log format to process third-party syslog messages. SmartEvent can take the reformatted logs and
convert them into security events.
You can use the Log Parsing Editor to make a parsing file (see "Importing Syslog Messages" on page 52).
As an alternative you can manually create a parsing file. This section shows you how to do that.
         Warning - Manual modifications to out-of-the-box parsing files cannot be preserved
         automatically during an upgrade. Mark your modifications with comments so you can
         remember what changed.
Planning and Considerations
   1. Learn the accurate structure of the logs the device generates from these sources:
      a. The vendor logging guide, or other documentation that specifies the logs the device can
         generate and their structure. Documentation is important to make sure that you found all
         possible logs. Usually it is sufficient to write the parsing file.
      b. Log samples, as many as possible. Use logs generated from the actual devices to be used
         with SmartEvent. Samples are important to examine the parsing file and to tune it
         accordingly.
   2. Learn "The Free Text Parsing Language" on page 237 and the necessary parsing files and
      their location on the Log Server (see "The Parsing Procedure" on page 247).
   3. Compare existing parsing files of an equivalent product.
   4. Select the fields to extract from the log. The fields to extract are different from one device to another,
      but devices of the same category usually have equivalent log fields. For example:
        Device Type                                  Typical Log Fields
        Firewall, router and other devices that      source IP address, destination IP address, source port,
        send connection based logs                   destination port, protocol, accept/reject indication
        IDS / IPS, application Firewall and other    attack name/ID
        devices that send attack logs
The Parsing Procedure
The procedure occurs on the Log Server and starts with the syslog daemon. The syslog daemon that runs
on the Log Server receives the syslogs and calls for their parsing. The parsing involves many parsing files,
which contain the different parsing definitions and specifications, and can be found in the
$FWDIR/conf/syslog/ directory. In these files there are the device-specific parsing files, which define the
actual parsing and extraction of fields, according to each device specific syslog format.
The parsing starts with the syslog_free_text_parser.C file. This file defines the different "Dictionary" on
page 246 terms and parses the syslog. The file extracts fields, which are common to all syslog messages
(such as PRI, date and time), and the machine and application that generated the syslog.
The syslog_free_text_parser.C file uses the allDevices.C file (which refers to two files:
UserDefined/UserDefinedSyslogDevices.C and CPdefined/CPdefinedSyslogDevices.C).
   - The first file (UserDefined/UserDefinedSyslogDevices.C) contains the names of the device
     parsing files that the user defines.
   - The second file (CPdefined/CPdefinedSyslogDevices.C) contains the device parsing files that Check
     Point defines.
The allDevices.C file goes over the device parsing files, and tries to match the incoming syslog with the
syslog format parsed in that file.
After a parsing file succeeds in the preliminary parsing of the syslog (that is, it matches the syslog format
and therefore identifies the syslog origin), the remainder of the syslog is parsed in that file. If a match is not
found, allDevices.C continues to go over the Check Point device parsing files until it finds a match.
Manual Syslog Parsing
To parse a syslog file:
   1. Create a new parsing file called <device product name>.C.
   2. Put this file in the directory $FWDIR/conf/syslog/UserDefined on the Log Server.
   3. On the Log Server, edit the file $FWDIR/conf/syslog/UserDefined/UserDefinedSyslogDevices.C to
      add a line that includes the new parsing file. For example:
          : (
               :command (
                    :cmd_name (include)
                    :file_name ("snortPolicy.C")
               )
          )
   4. Optional: If required.
         a. Create a new dictionary file called <device product name>_dict.ini. See "Dictionary" on
            page 246.
         b. Put it in the directory $FWDIR/conf/syslog/UserDefined on the Log Server.
             A dictionary translates values with the same meaning from logs from different devices into a
             common value. This common value is used in the Event Definitions.
         c. Edit the file $FWDIR/conf/syslog/UserDefined/UserDefinedSyslogDictionaries.C on the Log
            Server.
         d. Add a line to include the dictionary file. For example:
               :filename ("snort_dict.ini")
   5. To examine the parsing, send syslog samples to a Check Point Log Server.
To send syslog samples:
   1. To configure the Log Server to accept syslogs, connect to the Security Management Server with
      SmartConsole.
   2. In Logs and Masters > Additional Logging Configuration, enable the property Accept Syslog
      messages.
   3. Edit the Log Server network object.
   4. Run the commands cpstop & cpstart, or fw kill fwd & fwd -n.
      The fwd procedure on the Log Server restarts.
   5. Send syslogs from the device itself, or from a syslog generator.
      For example: Kiwi Syslog Message Generator, available at
      http://www.kiwisyslog.com/software_downloads.htm#sysloggen.
Troubleshooting:
If SmartConsole does not show the logs as expected, there can be problems with the parsing files:
   - If there is a syntax error in the parsing files, an error message shows. To read a specified error
     message, set the TDERROR_ALL_FTPARSER value to 5 before you run the procedure fwd -n.
   - If the syslogs show in SmartConsole with 'Product syslog', the log was not parsed properly, but as a
     general syslog.
   - If the Product field contains another product (not the one you have just added), there is a
     problem with the other product's parsing file. Report this to the Check Point SmartEvent team.
   - If the product reports correctly in the log, look for all the fields you extracted. Some of them are in the
     Information section. Some fields can be seen only when you select More Columns.
The Free Text Parsing Language
The free text parsing language lets you parse an input string, extract information, and define log fields.
These log fields show as part of the Check Point log in the Log Server and are used in the definition of
events. Each parsing file contains a tree of commands. Each command examines or parses part of the
input string (sometimes adding fields to the log as a result), and decides whether to continue parsing the
string (according to the success or failure of its execution).
The Commands
Each command consists of these parts:
     - cmd_name - the name of the command.
     - command arguments - arguments that define the behavior of the command.
     - on_success (optional) - the next command executed if the current command execution succeeds.
     - on_fail (optional) - the next command executed if the current command execution fails.
Sample
 :command (
     :cmd_name (try)
     :try_arguments
          .
          .
     :on_success (
         :command()
     )
     :on_fail (
         :command()
     )
 )
Try
The try command matches a regular expression against the input string.
'Try' Command Parameters
 Argument     Description
 parse_from   start_position - run the regular expression from the start of the input string.
              last_position - run the regular expression from the last position of the previous
              successful command.
 regexp       The regular expression to match.
 add_field    One or more fields to add to the result (only if the regular expression is successful).
'Try' Command - Sample
    :command (
         :cmd_name (try)
         :parse_from (start_position)
         :regexp ("([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)")
         :add_field (
           :type (index)
           :field_name (Src)
           :field_type (ipaddr)
           :field_index (1)
         )
    )
   In the above example, we try to match the regular expression "([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)"
   against the entire log (parse_from (start_position) - parse from the start of the log).
   If the regular expression is matched, we add a source field.
Group_try
The command group_try executes one or more commands in one of these modes:
   - "try_all" tries all commands in the group, and ignores the return code of the commands.
   - "try_all_successively" tries all the commands in the group, and ignores the return code of the
     commands. Each command tries to execute from the last position of the earlier successful command.
   - "try_until_success" tries all the commands until one succeeds.
   - "try_until_fail" tries all the commands until one fails.
The command "group_try" is commonly used when it parses a "free-text" piece of a log, which contains a
number of fields we want to extract.
For example:
%PIX-6-605004: Login denied from 194.29.40.24/4813 to outside:192.168.35.15/ssh for user 'root'
To parse this section of the log, you can use this structure:
'Group_try' Command - Sample 1
    :command (
       :cmd_name (group_try)
       :mode (try_all_successively)
       :(
          # A "try" command for the source.
          :command ()
       )
       :(
          # A "try" command for the destination.
          :command ()
       )
       :(
          # A "try" command for the user.
          :command ()
       )
       .
       .
       .
    )
   In this example, the first try command in the "group_try" block (for the source) is executed.
   If the source, destination and user are not in a specified sequence in the syslog, use the "try_all"
   mode instead of "try_all_successively".
'Group_try' Command - Sample 2
   In this example, the regular expressions in the different commands each try to match a different, more specific log.
   At most, one command in the group_try block will be successful.
   When it is found, it is not necessary to examine the others:
    :command (
       :cmd_name (group_try)
       :mode (try_until_success)
       :(
          :command (
          .
          .
          .
            :regexp ("(\(|)(login|su)(\)|).* session (opened|closed) for user ([a-z,A-Z,0-9]*)")
          )
       )
       :(
          :command (
          .
          .
          .
            :regexp ("(\(|)su(\)|).* authentication failure; logname=([a-zA-Z0-9]*).* user=([a-zA-Z0-9]*)")
          )
       )
       .
       .
       .
    )
   Note - When you add a new device, the first "try" command in the parsing file must use the "try_
   until_success" parameter:
    :cmd_name (group_try)
    :mode (try_until_success)
    : (
    ?
    )
Switch
This command compares the value of a specified field against a list of predefined constant values.
'Switch' Command Parameters
 Parameter     Description
 field_name    The field name whose value is checked.
 case          One or more case attributes followed by the value with which to compare.
 default       Executed only if no relevant case is available. The default value is optional.
'Switch' Command - Sample
    :command (
       :cmd_name (switch)
       :field_name (msgID)
       :(
          :case (302005)
          :command ()
       )
       :(
          :case (302001)
          :case (302002)
          :command ()
       )
       :default (
          :command()
       )
    )
Unconditional_try
This command is an "empty" command that allows you to add fields to the result without any conditions.
'Unconditional_try' Command - Sample 1
    :command (
       :cmd_name (unconditional_try)
       :add_field (
          :type (const)
          :field_name (product)
          :field_type (string)
          :field_value ("Antivirus")
       )
    )
   A common usage of unconditional_try is with the switch command.
'Unconditional_try' Command - Sample 2
   In this example, each message ID is attached with its corresponding "message" field which denotes its
   meaning.
    :command (
       :cmd_name (switch)
       :field_name (msgID)
       :(
          :case (106017)
          :command (
             :cmd_name (unconditional_try)
             :add_field (
                :type (const)
                :field_name (message)
                :field_type (string_id)
                :field_value ("LAND Attack")
             )
          )
       )
       :(
          :case (106020)
          :command (
             :cmd_name (unconditional_try)
             :add_field (
                :type (const)
                :field_name (message)
                :field_type (string_id)
                :field_value ("Teardrop Attack")
             )
          )
       )
       .
       .
       .
    )
Include
This command includes another parsing file.
 Parameter     Description
 file_name     The full path plus the file name of the file to be included.
'Include' Command - Sample
    :command (
       :cmd_name (include)
       :file_name ("c:\freeTextParser\device\antivirusPolicy.C")
    )
Add_field
Each "add_field" has some parameters:
- Type - The type of the "add_field" command. This parameter has these possible values:
     - Index - Part of the regular expression is extracted as the field. The "field_index" value
       denotes which part is extracted (see the "field_index" bullet).
     - Const - Add a constant field whose value does not depend on information extracted from the
       regular expression. See the "field_value" bullet.
- field_name - the name of the new field.
  Some fields have corresponding columns in SmartConsole > Logs & Monitor > Logs.
  This table shows the names to give these fields so they show in their Logs & Monitor > Logs column (and
  not in the Information field, where other added fields appear):
   Field Name to be Given    Column in Logs & Monitor > Logs
   Src                       Source
   Dst                       Destination
   proto                     Protocol
   s_port                    Source Port
   product                   Product
   service                   Service (when resolved, includes the port and protocol)
   Action                    Action
   ifname                    Interface
   User                      User
  When you name the above fields accordingly, they are placed in their correct column in Logs &
  Monitor > Logs.
  This enables them to participate in all filtering done on these columns. These fields automatically take
  part in existing event definitions with these field names.
n   field_type - the type of the field in the log.
    This table shows the possible field types.
     Field Type         Comment
     int
     uint
     string
     ipaddr             For IP addresses used with the Src and Dst fields.
                                                 Logging and Monitoring R81.10 Administration Guide      |      241
                                                                                 The Free Text Parsing Language
     Field Type        Comment
     pri               Includes the facility and severity of a syslog.
     timestmp          Includes the date and time of the syslog. Supports the format 'Oct 10 2019
                       15:05:00'.
     time              Supports the format '15:05:00'.
     string_id         For a more efficient usage of strings. Used when there is a finite number of
                       possible values for this field.
     action            Supports these actions: drop, reject, accept, encrypt, decrypt, vpnroute, keyinst,
                       authorize, deauthorize, authcrypt, and default.
     ifdir             0 - inbound
                       1 - outbound
     ifname            For an interface name (used with the "ifname" field).
     protocol          The field name should be "proto".
     port              For "service", "s_port" or "port" fields.
    The field names in this table must be given the field type shown:
     Field Name       Field Type
     Src              ipaddr
     Dst              ipaddr
     proto            protocol
     s_port           port
     service          port
     Action           action
     ifname           ifname
n   field_index or field_value - Which parameter is used depends on the value of the "type" field:
        l   If the "type" field is index, "field_index" is used.
        l   If the "type" field is const, "field_value" is used.
    The "field_index" denotes which part of the regular expression is extracted, according to the
    grouping of the patterns.
    To create a group, enclose an expression in brackets.
    The number in the "field_index" is the number of the bracket pair whose pattern is extracted,
    counted from the left.
'Add_field' Command - Sample 1
   :command ( 
      :cmd_name (try)
      :parse_from (last_position)
      :regexp ("Failed password for ([a-zA-Z0-9]+) from ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) port ([0-9]+)")
      :add_field ( 
         :type (index)
         :field_name (User)
         :field_type (string)
         :field_index (1)
      )
      :add_field ( 
         :type (index)
         :field_name (Src)
         :field_type (ipaddr)
         :field_index (2)
      )
      :add_field ( 
         :type (index)
         :field_name (port)
         :field_type (port)
         :field_index (3)
      )
   )
  The pattern for the User, "[a-zA-Z0-9]+", is located in the first pair of brackets. Therefore, the
  "field_index" is one.
  The pattern for the Source address, "[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+", is located in the
  second pair of brackets. Therefore, the index is two.
  The pattern for the port is in the third pair of brackets, so its index is three.
  Each regular expression can contain at most nine pairs of brackets.
  To extract more than nine elements from a syslog, split the regular expression into two pieces:
  the first regular expression contains the first nine pairs of brackets, and the remainder of the
  expression is matched by a command in the "on_success" block, as in this sample:
         :command ( 
            :cmd_name (try)
            :parse_from (start_position)
            :regexp ("access-list (.*) (permitted|denied|est-allowed) ([a-zA-Z0-9_]+) ([a-zA-Z0-9_]+)/([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\(([0-9]*)\) -> ")
            :add_field ( 
               :type (index)
               :field_name (listID)
               :field_type (string)
               :field_index (1)
            )
            :add_field ( 
               :type (index)
               :field_name (action)
               :field_type (action)
               :field_index (2)
            )
            :add_field ( 
               :type (index)
               :field_name (proto)
               :field_type (protocol)
               :field_index (3)
            )
            :add_field ( 
               :type (index)
               :field_name (ifname)
               :field_type (ifname)
               :field_index (4)
            )
            :add_field ( 
               :type (index)
               :field_name (Src)
               :field_type (ipaddr)
               :field_index (5)
            )
            :on_success ( 
               :command ( 
                  :cmd_name (try)
                  :parse_from (last_position)
                  :regexp ("([a-zA-Z0-9_]+)/([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\(([0-9]*)\) hit-cnt ([0-9]+) ")
                  :add_field ( 
                     :type (index)
                     :field_name (destination_interface)
                     :field_type (string)
                     :field_index (1)
                  )
               )
            )
         )
'Add_field' Command - Sample 2
   The "field_value" is the constant value to be added.
         :command ( 
            :cmd_name (try)
            :parse_from (last_position)
            :regexp ("%PIX-([0-9])-([0-9]*)")
            :add_field ( 
                :type (const)
                :field_name (product)
                :field_type (string_id)
                :field_value ("CISCO PIX")
            )
         )
n   dict_name - the name of the dictionary used to convert the extracted value. If the value is not
    found in the dictionary, the unconverted value is the result.
    The free text parser lets you use dictionaries to convert values from the log. These conversions
    translate values that have the same meaning in logs from different devices into one common
    value, which is then used in the event definitions.
    Each dictionary file is an .ini file.
    In the .ini file, the section name is the dictionary name and the entries are the dictionary
    values (each dictionary file can include one or more sections):
     [dictionary_name]
     Name1 = val1
     Name2 = val2

     [cisco_action]
     permitted = accept
     denied = reject

     [3com_action]
     Permit = accept
     Deny = reject
'Add_field' Command - Sample 3
   :command (
      :cmd_name (try)
      :parse_from (start_position)
      :regexp ("list (.*) (permitted|denied) (icmp) ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) -> ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+).* packet")
      :add_field (
         :type (index)
         :field_name (action)
         :field_type (action)
         :field_index (2)
         :dict_name (cisco_action)
      )
   )
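The add_field behaviour described in the preceding bullets (a "field_index" selecting a bracket pair, the nine-pair limit worked around with an "on_success" command, a "const" field, and a "dict_name" lookup that falls back to the raw value) as an added Python model. This is example code written for this section, not Check Point's parser and not its configuration syntax: the command tree, the dictionary file, the access-list syslog line and the product value "CISCO PIX" are constructed here, the on_success regexp is shortened to what the model needs, and it assumes a regexp is searched for from the current position.

```python
"""Toy model of the guide's add_field semantics (added example, not Check
Point's parser). Assumes a regexp is searched for from the current position;
the command tree, dictionary file and syslog line below are constructed."""
import configparser
import ipaddress
import re

MAX_GROUPS = 9  # the guide's limit on bracket pairs per regular expression

# Constructed dictionary file, in the .ini layout the guide shows.
DICTIONARY_INI = """
[cisco_action]
permitted = accept
denied = reject
[3com_action]
Permit = accept
Deny = reject
"""

# Constructed command tree modelled on Sample 1: the first regexp stops at "-> "
# and the on_success command continues from last_position. Field names follow
# the guide's table so they would land in their Logs & Monitor columns.
ACL_COMMAND = {
    "parse_from": "start_position",
    "regexp": r"access-list (.*) (permitted|denied|est-allowed) ([a-zA-Z0-9_]+) "
              r"([a-zA-Z0-9_]+)/([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\(([0-9]*)\) -> ",
    "add_field": [
        {"type": "index", "field_name": "listID", "field_type": "string", "field_index": 1},
        {"type": "index", "field_name": "Action", "field_type": "action", "field_index": 2,
         "dict_name": "cisco_action"},
        {"type": "index", "field_name": "proto", "field_type": "protocol", "field_index": 3},
        {"type": "index", "field_name": "ifname", "field_type": "ifname", "field_index": 4},
        {"type": "index", "field_name": "Src", "field_type": "ipaddr", "field_index": 5},
        {"type": "index", "field_name": "s_port", "field_type": "port", "field_index": 6},
        {"type": "const", "field_name": "product", "field_type": "string_id",
         "field_value": "CISCO PIX"},
    ],
    "on_success": [{
        "parse_from": "last_position",
        "regexp": r"([a-zA-Z0-9_]+)/([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\(([0-9]*)\) hit-cnt ",
        "add_field": [
            {"type": "index", "field_name": "destination_interface", "field_type": "string",
             "field_index": 1},
            {"type": "index", "field_name": "Dst", "field_type": "ipaddr", "field_index": 2},
            {"type": "index", "field_name": "service", "field_type": "port", "field_index": 3},
        ],
    }],
}


def load_dictionaries(ini_text):
    """Section name -> {raw value: common value}, from the .ini layout."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep key case: "Permit" is not "permit"
    cp.read_string(ini_text)
    return {name: dict(cp.items(name)) for name in cp.sections()}


def exceeds_group_limit(regexp):
    """True when the regexp has more bracket pairs than one command allows."""
    return re.compile(regexp).groups > MAX_GROUPS


def coerce(raw, field_type):
    """Apply the declared field_type to the captured text."""
    if field_type in ("int", "uint", "port"):
        return int(raw)
    if field_type == "ipaddr":
        return ipaddress.ip_address(raw)
    return raw  # string, string_id, action, protocol, ifname stay text


def run_try(command, text, position, dictionaries, fields):
    """One 'try' command: match, add its fields, run on_success children from
    the match end. Returns that end position, or None when nothing matched."""
    if exceeds_group_limit(command["regexp"]):
        raise ValueError("over %d bracket pairs; split with on_success" % MAX_GROUPS)
    start = 0 if command["parse_from"] == "start_position" else position
    match = re.compile(command["regexp"]).search(text, start)
    if match is None:
        return None
    for spec in command["add_field"]:
        if spec["type"] == "const":
            value = spec["field_value"]
        else:
            value = coerce(match.group(spec["field_index"]), spec["field_type"])
        if "dict_name" in spec:  # unknown raw values pass through unchanged
            value = dictionaries[spec["dict_name"]].get(value, value)
        fields[spec["field_name"]] = value
    end = match.end()
    for child in command.get("on_success", []):
        child_end = run_try(child, text, end, dictionaries, fields)
        if child_end is not None:
            end = child_end
    return end


def parse_syslog(text, command=ACL_COMMAND, ini_text=DICTIONARY_INI):
    """Return the fields extracted from one syslog body, or {} on no match."""
    fields = {}
    if run_try(command, text, 0, load_dictionaries(ini_text), fields) is None:
        return {}
    return fields


if __name__ == "__main__":
    # Constructed syslog body in the access-list format the guide's samples parse.
    for name, value in parse_syslog("access-list acl_out denied tcp outside/203.0.113.5(51234)"
                                    " -> inside/192.0.2.10(443) hit-cnt 1 first hit").items():
        print("%-22s %s" % (name, value))
```

Running the block prints each extracted field: "denied" arrives as "reject" because the cisco_action section maps it, while an action such as "est-allowed", which the dictionary does not list, is kept as the raw string, exactly the fallback the dict_name bullet describes. The group-limit check raises before matching, which is the signal to move the extra bracket pairs into an on_success command as the samples do.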
Dictionary
The free text parser enables us to use dictionaries to convert values from the log. These conversions are
used to translate values from logs from different devices, with the same meaning, into a common value,
which is used in the event definitions.
Each dictionary file is defined as an .ini file. In the .ini file the section name is the dictionary name and
the values are the dictionary values (each dictionary can include one or more sections).
  [dictionary_name]
  Name1 = val1
  Name2 = val2

  [cisco_action]
  permitted = accept
  denied = reject

  [3com_action]
  Permit = accept
  Deny = reject
Example
This is how a parsing file refers to a dictionary:
  :command (
        :cmd_name (try)
        :parse_from (start_position)
        :regexp ("list (.*) (permitted|denied) (icmp) ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) -> ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+).* packet")
        :add_field (
              :type (index)
              :field_name (action)
              :field_type (action)
              :field_index (2)
              :dict_name (cisco_action)
        )
  )
The Parsing Procedure
The parsing procedure runs on the Log Server and starts with the syslog daemon. The syslog daemon that
runs on the Log Server receives the syslogs and calls for their parsing. The parsing involves many parsing
files, which contain the different parsing definitions and specifications and are found in the
$FWDIR/conf/syslog/ directory. Among these files are the device-specific parsing files, which define the
actual parsing and extraction of fields according to each device's specific syslog format.
The parsing starts with the syslog_free_text_parser.C file. This file defines the different dictionary
terms (see "Dictionary" on page 246) and parses the syslog. It extracts the fields that are common to all
syslog messages (such as PRI, date and time), and the machine and application that generated the syslog.
The syslog_free_text_parser.C file uses the allDevices.C file (which refers to two files:
UserDefined/UserDefinedSyslogDevices.C and CPdefined/CPdefinedSyslogDevices.C).
   n   The first file (UserDefined/UserDefinedSyslogDevices.C) contains the names of the devices
       parsing files that the user defines.
   n   The second file (CPdefined/CPdefinedSyslogDevices.C) contains devices parsing files that Check
       Point defines.
The allDevices.C file goes over the device parsing files and tries to match the incoming syslog against the
syslog format that each file parses.
When a parsing file succeeds in the preliminary parsing of the syslog (that is, it matches the syslog format
and therefore identifies the syslog origin), the remainder of the syslog is parsed in that file. If no match is
found, the file continues to go over the Check Point device parsing files until it finds a match.