
Configuring SmartView Tracker

Related Topics

Overview

Basic Tracking Configuration

Configuring SmartView Tracker Views

Configuring a Filter

Configuring the Current Rule Number Filter

Using Follow Commands

Viewing the Logs of a Rule from the Rule Base

Configuring Queries

Hiding and Showing the Query Tree Pane

Working with the Query Properties Pane

Copying Log Record Data

Viewing a Record's Details

Viewing a Rule

Finding an Interface

Overview

Choosing which Rules to Track

The extent to which you can benefit from the event log depends on how well its records represent the traffic patterns you are interested in. Therefore, make sure your Security Policy tracks all events you may later wish to study. On the other hand, keep in mind that tracking many events inflates the log file, which requires more disk space and more management operations.

To balance these conflicting needs, and determine which of your Policy's rules should be tracked, consider how useful this information is to you. For example, consider whether this information:

  • Improves your network's security
  • Enhances your understanding of your users' behavior
  • Is the kind of data you wish to see in reports
  • May be useful for future purposes

Choosing the Appropriate Tracking Option

For each rule you track, specify one of the following tracking options:

  • None - Does not record the event.
  • Log - Records the event's details in SmartView Tracker. This option is useful for obtaining general information on your network's traffic.
  • Account - Records the event in SmartView Tracker, including byte counts.
  • Alert - Logs the event and executes a command, such as displaying a popup window, sending an email alert or an SNMP trap, or running a user-defined script, as defined in Policy > Global Properties > Log and Alert > Alert Commands.
  • Mail - Sends an email to the administrator, or runs the mail alert script defined in Policy > Global Properties > Log and Alert > Alert Commands.
  • SNMP Trap - Sends an SNMP trap to the SNMP management station, or runs the script defined in Policy > Global Properties > Log and Alert > Alert Commands.
  • User Defined Alert - Sends one of three possible customized alerts. The alerts are defined by the scripts specified in Policy > Global Properties > Log and Alert > Alert Commands.
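
The Alert, Mail, SNMP Trap and User Defined Alert options all end in a command from the Alert Commands list, so the shape of such a command is worth showing. The following Python handler is an added example and not Check Point code. It assumes, which this page does not say, that the command runs on the Security Management server once per alerting record with the record text on standard input; SAMPLE_RECORD is a constructed record in the field: value; style, not a capture from a gateway.

```python
#!/usr/bin/env python3
"""Added example: a handler for the Alert Commands slot.

Assumptions (not stated on the page): the command runs on the Security
Management server once per alerting record, and the record's text arrives
on standard input. SAMPLE_RECORD is a constructed record, not a capture.
"""
import json
import re
import sys

SAMPLE_RECORD = (  # constructed sample in the "field: value;" style
    "12Mar2013 10:15:42 drop 192.0.2.10 >eth0 rule: 7; rule_uid: {1A2B3C}; "
    "src: 198.51.100.23; dst: 192.0.2.10; proto: tcp; service: 445; "
    "s_port: 51234; product: VPN-1 & FireWall-1;"
)

FIELD_RE = re.compile(r"(\w+): ([^;]*);")

# Assumed severity mapping for the header action token
SEVERITY = {"drop": "high", "reject": "high", "accept": "info"}


def parse_record(text):
    """Return the header, the action token and a dict of 'field: value;' pairs."""
    fields = {m.group(1): m.group(2).strip() for m in FIELD_RE.finditer(text)}
    first = FIELD_RE.search(text)
    header = text[: first.start()] if first else text
    tokens = header.split()
    # Assumed header layout: date time action origin interface
    action = tokens[2].lower() if len(tokens) > 2 else ""
    return {"header": header.strip(), "action": action, "fields": fields}


def build_alert(record):
    """Produce one JSON line for a SIEM or ticketing hook.

    Field values are emitted as data and never spliced into a shell command:
    user names, URLs and similar fields are attacker-influenced.
    """
    f = record["fields"]
    return json.dumps({
        "severity": SEVERITY.get(record["action"], "unknown"),
        "action": record["action"],
        "rule": f.get("rule"),
        "rule_uid": f.get("rule_uid"),
        "src": f.get("src"),
        "dst": f.get("dst"),
        "service": f.get("service"),
        "proto": f.get("proto"),
    }, sort_keys=True)


def main():
    # Fall back to the constructed sample when run interactively with no input
    text = sys.stdin.read() or SAMPLE_RECORD
    sys.stdout.write(build_alert(parse_record(text)) + "\n")


if __name__ == "__main__":
    main()
```

Two points a practitioner wants here. First, values taken from the record are attacker-influenced, so pass them on as data, as the JSON above does, and never build a shell command line from them. Second, if the management server starts one process per record, nothing in memory survives between calls, so any rate limiting or deduplication in such a script has to keep its state on disk.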

Forwarding Online or Forwarding on Schedule

By default, Security Gateways forward their log records online, one by one, to the selected destination (the Security Management server or a Log Server). In this case, SmartView Tracker allows you to see new records as they are forwarded to the machine you logged into.

To improve the gateway's performance, you can free it from constantly forwarding logs by configuring a Local Logging system in which the records are saved to a local log file. If you set a log forwarding schedule, you can open this file (instead of the active file) in SmartView Tracker. Otherwise, you can manually import this file from the gateway, using the Remote File Management operation.

Modifying the Log Forwarding Process

Log files can be forwarded without deleting them from the Security Management server, Security Gateway, or Log server that sends them. This is particularly useful in a Multi-Domain Security Management environment.

In a Multi-Domain Security Management environment logs are commonly saved on the customer's Log server, to which the customer connects using SmartView Tracker. However, for analysis and back-up purposes, these logs are soon forwarded to dedicated servers run by the customer's ISP, to which the customer has no access. This enhancement to the scheduled log forwarding process makes the logs available to both the customer and customer's ISP.

By default, this feature is disabled. To enable the feature, use GuiDBEdit to set the forward_log_without_delete property to TRUE.

Note - If cyclical logging has been enabled, the log files maintained on the sender after forwarding will eventually be overwritten.

Basic Tracking Configuration

To track connections in your network:

  1. For each of the Security Policy rules you wish to track, right-click in the Track column and choose Log from the menu.

    All events matching these rules are logged.

  2. Launch SmartView Tracker through the SmartDashboard's Window menu.

    The Log mode is displayed, showing the records of all events you have logged.

Configuring SmartView Tracker Views

The display of SmartView Tracker can be modified to better suit your auditing needs. The following table lists the operations you can perform to adjust the view.

Operation

Instruction

Toggling the display of the Query Tree and Query Properties panes

Choose View > Query Tree or Query Properties (respectively).

Resizing columns

Choose one of the following:

  • In the Query Properties pane — enter the desired width in the Width column, or
  • In the Records pane — drag the column's right border with the left mouse button held down. Release when the column has reached its desired width.

Rearranging columns

Choose one of the following:

  • In the Query Properties pane — drag the column up or down to the desired position, or
  • In the Records pane — drag the header of the column left or right to the desired position.

Collapsing/expanding the Query Tree

Click (-) to collapse or (+) to expand.

Display a record's details window

Double-click the record in question in the Records pane.

Query Pane

The Query pane is the area where the Log Files appear. SmartView Tracker has a new and improved interface that enables you to open multiple windows.

You can open more than one Log File simultaneously. You can also open more than one window of the same Log File. This may be helpful if you want to get different images of the same Log File. For example, you can open two windows of the same file and use different filtering criteria on each window. You can view both windows simultaneously and compare the different images. You can also resize each window so as to fit in as many windows as possible in the Query pane. The Query pane is divided into two sections:

  • Query Properties pane shows all the attributes of the fields contained in the Records pane.
  • Records pane displays the fields of each record in the Log File.

Resolving IP Addresses

Since the IP address resolution process consumes time and resources, SmartView Tracker allows you to choose whether or not to display source and destination host names in the Log file.

Click the Resolve IP toolbar button to toggle between:

  • Displaying the name of the host and the domain.
  • Displaying the addresses in conventional IP dot notation.

Resolving Services

With the Resolving Services option you can control the display of the source and destination port in the Log File. Each port number is mapped to the type of service it uses.

This option toggles between:

  • Displaying the destination port number.
  • Displaying the type of service the port uses.

If you click Resolving Services to see the type of service and the port is still shown as a number, no service is defined for that port. You can map a port number to a service in the Object Manager, or in the Services Configuration file (/etc/services).
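
Port-to-service resolution as the Resolving Services toggle performs it, written as an added Python example rather than Check Point code: a port with a mapping shows its service name, an unmapped port falls back to its number, which is the case the paragraph above describes. SERVICES_TEXT is a constructed excerpt in /etc/services syntax; load_services() reads the system file when it exists and uses the excerpt otherwise.

```python
"""Added example: the lookup behind the Resolving Services toggle."""
import os

SERVICES_TEXT = """\
# constructed excerpt in /etc/services syntax
ssh             22/tcp
ssh             22/udp
domain          53/tcp          # name-domain server
domain          53/udp
http            80/tcp   www    # WorldWideWeb HTTP
https           443/tcp
microsoft-ds    445/tcp
"""


def parse_services(text):
    """Map (port, protocol) -> service name.

    Comments are dropped, malformed lines are skipped, and the first entry
    for a (port, protocol) pair wins, which is how alias lines are treated.
    """
    table = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2 or "/" not in parts[1]:
            continue
        port, _, proto = parts[1].partition("/")
        if not port.isdigit():
            continue
        table.setdefault((int(port), proto.lower()), parts[0])
    return table


def load_services(path="/etc/services"):
    """Use the system services file if present, else the constructed excerpt."""
    if os.path.exists(path):
        with open(path, encoding="utf-8", errors="replace") as fh:
            return parse_services(fh.read())
    return parse_services(SERVICES_TEXT)


def resolve_port(table, port, proto, resolve=True):
    """With resolution off return the number; with it on return the service
    name, or the number again when no service is defined for that port."""
    if not resolve:
        return str(port)
    return table.get((int(port), proto.lower()), str(port))


def render(table, record, resolve=True):
    """Show a record's destination (service) and source ports as the
    Records pane would with the toggle in the given state."""
    return {
        "dst": resolve_port(table, record["service"], record["proto"], resolve),
        "src": resolve_port(table, record["s_port"], record["proto"], resolve),
    }
```

Note that a service name is only as trustworthy as the file behind it: a record whose destination port resolves to "http" says nothing about what protocol was actually spoken on that port, so keep the raw number available in the query when investigating.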

Showing Null Matches

This option controls the display of Null Matches, that is, log entries that are neither included nor excluded by the current filtering criteria.

For example, if you choose to display only log entries whose Action is either Reject or Drop, control logs are null matches because Action is not relevant to a control log. They are neither included nor excluded. If the Show Null Matches toolbar button is clicked, the null matches are displayed.

Configuring a Filter

Make sure the Apply Filter toolbar button is activated. Filter criteria are not applied if this button is not active.

To filter a log field and focus on data of interest:

  1. Click View > Query Properties.
  2. Right-click the log field in the Filter column, and select Edit Filter.

    Each field type opens its own Filter window. Configure the window according to the criteria you want.

  3. Click OK.

Configuring the Current Rule Number Filter

To launch the Current Rule Number Filter:

  1. Right-click anywhere in the column Curr. Rule No. and select Edit Filter.
  2. Select the appropriate policy package from the drop-down list.
  3. Select the current rule number(s) of the logs you want to display and click OK.

Using Follow Commands

With the Follow commands you can create a filter that matches a specific query to a specific Source, Destination or User.

Right-click the record with the value of interest in the Records pane and select one of the following Follow commands:

  • Follow Source enables a search for log records with a specific source.
  • Follow Destination enables a search for log records with a specific destination.
  • Follow User enables a search for log records with a specific user.
  • Follow Rule Number enables a search for log records by rule number.
  • Follow Rule enables a search for log records by rule name.

    Note - A new window opens, displaying the relevant column (Source, Destination or User) first.
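
The filter semantics of the preceding sections (Showing Null Matches, Configuring a Filter and the Follow commands) in one added Python example, not Check Point code. It assumes the following rule, which the null-match description implies but does not spell out: a record is included when every filtered column is present and matches, excluded as soon as one filtered column is present and does not match, and a null match when a filtered column is absent from the record. The records are constructed samples, and follow() models Follow Source, Destination and User as adding an equality filter on that column.

```python
"""Added example: column filters, null matches and Follow commands."""
INCLUDED, EXCLUDED, NULL = "included", "excluded", "null"

# Constructed sample records; the control record has no Action field
RECORDS = [
    {"type": "log", "action": "drop", "src": "198.51.100.23", "dst": "192.0.2.10", "rule": 7},
    {"type": "log", "action": "accept", "src": "192.0.2.5", "dst": "192.0.2.10", "rule": 3},
    {"type": "control", "src": "192.0.2.1", "info": "Policy installed"},
    {"type": "log", "action": "reject", "src": "198.51.100.23", "dst": "192.0.2.20", "rule": 9},
]


def classify(record, filters):
    """Return INCLUDED, EXCLUDED or NULL for one record.

    filters maps a column name to the set of accepted values. A column that
    is absent from the record makes the record a null match, unless another
    filtered column is present and fails, in which case it is excluded.
    """
    result = INCLUDED
    for column, accepted in filters.items():
        if column not in record:
            result = NULL
            continue
        if record[column] not in accepted:
            return EXCLUDED
    return result


def run_query(records, filters, show_null_matches=False, apply_filter=True):
    """Apply a query the way the Records pane does: with Apply Filter off
    everything is shown; with it on, null matches appear only when the
    Show Null Matches button is active."""
    if not apply_filter:
        return list(records)
    keep = {INCLUDED, NULL} if show_null_matches else {INCLUDED}
    return [r for r in records if classify(r, filters) in keep]


def follow(record, column, filters=None):
    """Follow Source / Destination / User: narrow the current filters to the
    value of that column in the chosen record."""
    narrowed = dict(filters or {})
    narrowed[column] = {record[column]}
    return narrowed


if __name__ == "__main__":
    only_blocked = {"action": {"drop", "reject"}}
    for r in run_query(RECORDS, only_blocked, show_null_matches=True):
        print(classify(r, only_blocked), r)
```

The control record never leaves the query through the Action filter; it is simply invisible until Show Null Matches is on. That matters when hunting: a filter on Action or Rule silently hides control and audit records, so a query built as "everything that is not an accept" is not the same as "everything whose Action is not accept".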

Viewing the Logs of a Rule from the Rule Base

From the Rule Base in SmartDashboard, it is possible to generate a filtered view of logs that match a specific rule. There are two ways of achieving this:

  • View rule logs in SmartView Tracker

    Right-click on a rule in the No. column in SmartDashboard and select View rule logs in SmartView Tracker.
    SmartView Tracker opens with a filter applied to the Curr. Rule No. column to display only those logs that match on the selected rule.

  • Copy rule ID
    1. Right-click on the rule in the No. column in SmartDashboard and select Copy rule ID.
    2. In SmartView Tracker, click View > Query Properties and enable the Rule UID column.
    3. Right-click on the Rule UID column heading and choose Edit Filter.
    4. Paste the UID in the Value field and click OK.

      A filter is applied to the Rule UID column to display only those logs that matched the rule with that UID.

Configuring Queries

New queries are created by customizing existing queries and saving them under new names. Proceed as follows:

  1. Select an existing query in the Query Tree (either a predefined query or a custom query) and choose Query > Copy from the menu.

    A copy of the query, named New, is added to the Custom folder.

  2. Rename the new query.
  3. In the Query Properties pane, modify the query as desired by specifying the following for each relevant log field (column):
    • Whether to Show the information available for that column.
    • The Width of the column displaying the information.
    • The Filter (conditions) applied to the column.
  4. Double-click the query in order to run it.

Opening an Existing Query

You can open an existing query in an active window by:

  • Using the Query menu:

    In the Query Tree pane, select the query you would like to open. Select Query > Open. The desired query appears in the Records pane.

  • Right-clicking an existing query.

    Right-click the query you would like to open. Select Open. The desired query appears in the Records pane.

  • Double-clicking an existing query.

    Double-click the query you would like to open. The desired query appears in the Records pane.

Creating a Customized Entry

Predefined queries contained in the Predefined folder cannot be modified but they can be saved under a different name.

To save a predefined query under a different name:

  1. Open a predefined query.
  2. Modify the query as desired.
  3. From the Query menu, select Save As.
  4. Type the desired query name.
  5. Click OK. The modified view is placed in the Custom folder.

Saving a Query under a New Name

You can modify a query and save it under a new name.

To change a predefined query and save it under a new name:

  1. Modify the predefined query as desired.
  2. Choose Save As from the Query menu, and specify a file name for the modified query.
  3. Click OK. The modified query is placed in the Custom folder.

To change a custom query:

  1. Modify the query as desired.
  2. Choose Save from the Query menu.

Renaming a Customized Query

  1. Select the query you want to rename.
    • From the Query menu, select Rename, or
    • Right-click the desired query and select Rename from the displayed menu.
  2. Enter the desired query name and press Enter.

Deleting a Customized Query

Select the query you want to delete:

  • From the Query menu, select Delete, or
  • Right-click the desired query and select Delete from the displayed menu.

    Note - You cannot delete an open or predefined query.

Hiding and Showing the Query Tree Pane

You can choose to hide or display the Query Tree pane. To toggle the display of the Query Tree pane click Query Tree from the View menu.

Working with the Query Properties Pane

The Query Properties pane shows the attributes for the corresponding columns in the Records pane. These attributes include whether the columns are displayed or hidden, the width of the column and the filtering arguments you used to display specific entries.

The Query Properties pane contains four columns.

Column

Description

Column

The name of the column.

Show

Select to display the corresponding column in the Records pane. Clear to hide the column.

Width

The specified width of the corresponding column in the Records pane in pixels.

Filter

The items in this column represent the filtering criteria used to display specific log data.

Showing/Hiding a Column

  • Using the Query Properties pane

    In the Query Properties pane, select the column's check box in the Show column to display the column or clear the check box to hide it. The corresponding column in the Records pane is displayed/hidden respectively.

  • Using the Records pane

    In the Records pane, right-click the column heading. Select Hide from the displayed menu. The column is hidden and at the same time, the check box in the Show column in the Query Properties pane is automatically cleared.

Changing a Column's Width

If you change the width of a column in one pane, it is automatically changed in the other. You can change the width of a column either in the:

  • Query Properties pane

    Double-click the Width field that you would like to edit in the Width column. The field becomes editable; specify a new width (in pixels) and press Enter. The corresponding column in the Records pane is widened or narrowed accordingly.

  • Records pane

    Place the cursor on the column's right border in the header; the cursor changes to the column resize cursor. Drag the border to the desired position with the left mouse button held down, then release the button. The column's Width field in the Query Properties pane is updated automatically.

Rearranging a Column's Position

You can rearrange a column's position in the Query Properties or the Records pane. If you change the position in one pane, it is automatically changed in the other.

  • In the Query Properties pane, drag the column up or down to the desired position.
  • In the Records pane, drag the header of the column left or right to the desired position.

Copying Log Record Data

You can copy a whole log record or only one of its cells to the clipboard:

  • Right-click the desired record.
  • Select Copy Cell from the displayed menu to copy only the cell on which the cursor is standing or select Copy Line to copy the entire record.

Viewing a Record's Details

The Record Details window is displayed by double-clicking the desired record in the Records pane.

This window lets you view the record's values for all fields included in your query. Fields that are hidden in the query are not displayed. The fields appear in the same order as in the Records pane, and each value appears in its entirety, as it does in the Records pane tool tip.

This window allows you to perform the following operations:

  • Display the details of the previous or next record by clicking the Previous or Next button, respectively. (These buttons correspond to the keyboard arrow keys.)
  • Copy the record details to the clipboard by clicking Copy.
  • End operations that take a long time by clicking Abort (this button is enabled only when the server is running).

    Note - The Abort option only becomes active when a certain action is being executed, for example, when the Log File is being updated or when a search is taking place.

Viewing a Rule

You can view the rule that created the log.

To view a rule:

  1. Open SmartDashboard and enable database versioning:
    1. Click the Database Revision Control toolbar button.
    2. Select the Create new version upon Install Policy operation check box.
    3. Click Close.
    4. Click Install Policy.
  2. Go to SmartView Tracker.
  3. Right-click the desired record.
  4. Select View Rule in SmartDashboard. SmartDashboard opens and the rule appears.

    Note - This process only works for logs that have a rule number and were created after the Create new version upon Install Policy operation check box was selected. In addition, this option is only available on a Management Station. It is not available on the Domain Log Server.

Finding an Interface

To find records by interface, add the Interface column to the query and filter on the interface of interest. You can search forward or backward through the records.

 
Top of Page ©2013 Check Point Software Technologies Ltd. All rights reserved. Download Complete PDF Send Feedback Print