Download Complete PDF Send Feedback Print This Page

Previous

Synchronize Contents

Next

Using SmartView Tracker

Related Topics

Viewing Log Files

Maintaining Log Files with Log Switch

Managing Disk Space with Cyclic Logging

Exporting Logs

Saving Logs on Security Gateways

Maintaining a Secure Network

Running Custom Commands

Viewing Packet Capture

Viewing Log Files

Filters

SmartView Tracker's filtering mechanism allows you to conveniently focus on log data of interest and hide other data, by defining the appropriate criteria per-log field. Once you have applied the filtering criteria, only entries matching the selected criteria are displayed.

The filtering options available are a function of the log field in question. For example, while the Date field is filtered to show data that is after, before or in the range of the specified date, the Source, Destination and Origin fields are filtered to match (or differ from) the specified machines.

It is very useful to filter the Product field and focus on a specific Check Point product. SmartView Tracker features these filters as predefined queries.

Queries

SmartView Tracker gives you control over the Log file information displayed. You can either display all records in the Log file, or filter the display to focus on a limited set of records matching one or more conditions you are interested in. This filtering is achieved by running a query.

A query consists of the following components:

  • Condition(s) applied to one or more log fields (record columns) — for example, to investigate all HTTP requests arriving from a specific source, you can run a query specifying HTTP as the Service column's filter and the machine in question as the Source column's filter.
  • A selection of the columns you wish to show — for example, when investigating HTTP requests it is relevant to show the URL log field.

Each of the SmartDashboard modes (Log, Active and Audit) has its own Query Tree, with these folders:

  • Predefined: contains the default queries that cannot be directly modified or saved.

    The predefined queries available depend on the mode you are in. The default query of all three modes is All Records. In addition, the Log mode includes predefined per product or feature.

  • Custom: allows you to customize your own Query based on a predefined one, to better address your needs. Customized queries are the main querying tool, allowing you to pinpoint the data you are interested in. An existing query that is copied or saved under a new name is automatically added to the Custom folder.

The attributes of the selected query are displayed in the Query Properties pane.

Matching Rules

SmartView Tracker records the Firewall Rule Base rule to which a connection was matched. The matching rule is recorded in four columns in SmartView Tracker, as depicted in the figure below:

  • The Rule column, which records the number of the rule in the Rule Base at the time the log entry was recorded. Like other properties in SmartView Tracker, logs can be sorted and queried by rule number.
  • The Current Rule Number column, which is a dynamic field that reflects the current placement of the rule in the Rule Base and displays the current policy package name. As the Rule Base is typically subject to change, this column makes it possible to locate the rules that have changed their relative positions in the Rule Base since the log was recorded, and to create filters for log entries that match the rule, not just the rule number. By way of example, note the log entry in the figure. When this log was first recorded, it recorded the matching rule as Rule 1. Since then the rule's position in the Rule Base has changed, and so the Current Rule Number column reports its present position as 2 [Standard], where [Standard] is the name of the policy package in which this rule resides.
  • The Rule Name column, which records the short textual description of the rule in the Name column of the Rule Base, when in use.
  • The Rule UID column, which records the unique identifying number (UID) that is generated for each rule at the time that it is created. This number serves an internal tracking function, and as such the column is hidden by default. To display this column, click on View > Query Properties and enable the Rule UID property.

Filtering Log Entries by Matching Rule

In order to filter log entries based on a matching rule, right-click on a log entry and choose either Follow Rule or Follow Rule Number.

  • Follow Rule generates a filtered view of all logs that matched this rule, and is based on the UID number of the rule.
  • Follow Rule Number generates a filtered view of all log files that match the number recorded in the Rule column of the selected log.

These two operations are essentially short-cuts to creating a filter. You can achieve the same results by right-clicking anywhere in a given column and selecting Edit Filter, and then entering the filtering criteria you want to apply.

The Rule and Current Rule Number filters, which provide the same functionality as the Follow Rule and Follow Rule Number commands, can also create filtered views based on multiple matching rules. The figure below shows the Current Rule Number Filter.

Viewing the Matching Rule in Context

From SmartView Tracker, you can launch SmartDashboard to examine the rule within the context of the Firewall Rule Base. By right-clicking on the relevant log and selecting View rule in SmartDashboard, SmartDashboard will open with the rule highlighted in white.

If you are using version control, SmartDashboard opens with the revision that was saved when this record was created. If no revision is available, SmartDashboard uses the unique identifying number to display the relevant rule. If neither version control nor a UID number are available, the View rule in SmartDashboard option is not available.

Viewing the Logs of a Rule from SmartDashboard

From the firewall Rule Base in SmartDashboard, there are two methods by which you can launch SmartView Tracker to view all of the log entries that matched on a particular rule. By right-clicking on the rule, you can choose to either:

  • View rule logs in SmartView Tracker, which opens SmartView Tracker to a filtered view of all logs that matched on the rule.
  • Copy Rule ID, which copies the unique identifying number of the rule to the clipboard, allowing the user to paste the value into the Rule UID Filter in SmartView Tracker.

Maintaining Log Files with Log Switch

The active Log file's size is kept below the 2 GB default limit by closing the current file when it approaches this limit and starting a new file. This operation, known as a log switch, is performed either automatically, when the Log file reaches the specified size or according to a log switch schedule; or manually, from SmartView Tracker.

The file that is closed is written to the disk and named according to the current date and time. The new Log file automatically receives the default Log file name ($FWDIR/log/fw.log for log mode and $FWDIR/log/fw.adtlog for audit mode).

Managing Disk Space with Cyclic Logging

When there is a lack of sufficient free disk space, the system stops generating logs. To ensure the logging process continues even when there is not enough disk space, you can set a process known as Cyclic Logging. This process automatically starts deleting old log files when the specified free disk space limit is reached, so that the Security Gateway can continue logging new information. The Cyclic Logging process is controlled by:

  • Modifying the amount of required free disk space.
  • Setting the Security Gateway to refrain from deleting logs from a specific number of days back.

Exporting Logs

While SmartView Tracker is the standard log tracking solution, you may also wish to use your logs in other ways that are specific to your organization. For that purpose, Check Point products provide you with the option to export log files to the appropriate destination.

A log file can be exported in two different ways:

  • As a simple text file
  • In a database format, exported to an external Oracle database

SmartView Tracker supports a basic export operation, in which the display is copied as-is into a text file. More advanced export operations (for example, exporting the whole log file or exporting logs online) are performed using the command line (using the fwm logexport, log_export and fw log commands).

With the Export option (File > Export) you can create a comma delimited ASCII file that can be used as input for other applications.

Saving Logs on Security Gateways

By default, Security Gateways forward their log records online to the Security Management server. Alternatively, to improve the gateway's performance, you can free it from constantly sending logs by saving the information to local log files. These files can either be automatically forwarded to the Security Management server or Log Server, according to a specified schedule; or manually imported through SmartView Tracker, using the Remote File Management operation.

Logging Behavior during Downtime

During downtime, when the gateway cannot forward its logs, they are written to a local file. To view these local files, you must manually import them using the Remote File Management operation.

Logging Using Log Servers

To reduce the load on the Security Management server, administrators can install Log Servers and then configure the gateways to forward their logs to these Log Servers. In this case, the logs are viewed by logging with SmartView Tracker into the Log Server machine (instead of the Security Management server machine).

A Log Server behaves just like a Security Management server for all log management purposes: it executes the operation specified in the Policy for events matching certain rules (e.g., issuing an alert or an email); performs an Automatic Log Switch when fw.log reaches 2GB, allows you to export files, etc.

Setting Up Security Management Server for Log Server

Logs are not automatically forwarded to new log servers. You must manually setup each relevant gateway to send its logs to the new log server. The same plug-ins should be installed on all Security Management servers and log servers involved in order for the install policy procedure to be successful.

To instruct a Security Management server to send logs to a Log server:

  1. In SmartDashboard, double-click the gateway object to display its Check Point Gateway window.
  2. Select Logs and Masters > Additional Logging. Select Forward log files to Log Server.

    The Security Management server drop-down list is enabled.

  3. Select the new log server from the Security Managements drop-down list and click OK.
  4. Select Policy > Install, and then select the gateways and log servers on which the Policy should be installed.

Maintaining a Secure Network

Using Check Point Advisories

Check Point Advisory are detailed descriptions and step-by-step instructions on how to activate and configure relevant defenses provided by Check Point and IPS Updates.

The ability to view a Check Point Advisory in SmartView Tracker provides information about the IPS protection that is directly related to the selected IPS log. This information can help you analyze your configuration choices and better understand why the specific SmartView Tracker log appeared.

In addition, Check Point Advisory supplies all of your IPS configuration choices so that you can learn why the specific log appeared. To view Check Point Advisory for a specific IPS log, right-click the log and select Go to Advisory.

For more detailed information about the IPS log and associated protection, scroll down to the bottom of the Check Point Advisory window and select Read the Full ADVISORY and SOLUTION.

The Check Point Advisory feature will not appear for logs that do not contain an Attack Name and/or Attack Information.

Blocking Intruders

The Active mode of SmartView Tracker allows you to shut out intruders by selecting the connection you've identified as intrusive and blocking one of the following. Block Intruder uses SAM to perform the block action.

  • The connection - block the selected connection or any other connection with the same service, source or destination.
  • The source of the connection - block access to and from this source. Block all connections that are headed to or coming from the machine specified in the Source field.
  • The destination of the connection - block access to and from this destination. Block all connections that are headed to or coming from the machine specified in the Destination field.
  • Specify a time frame during which this connection is to be blocked.

Running Custom Commands

SmartView Tracker allows you to conveniently run commands from the SmartConsole, instead of working in the command line. The commands available by default are ping and whois. These commands, along with the ones you add manually, are available through the menu displayed by right-clicking a relevant cell in the Records pane.

Viewing Packet Capture

Certain Check Point products include the ability to capture network traffic. After this feature is activated, a packet capture file is sent with a log to the log server. The packet capture can be retrieved at a later time to allow the administrator greater insight into the exact traffic which generated the alert.

The packet capture file can be accessed from the log entry in SmartView Tracker. The file can be saved as a file to a file location, or can be opened in the internal viewer included in the SmartConsole or any packet capture viewer installed on the SmartConsole client.

  
Top of Page ©2013 Check Point Software Technologies Ltd. All rights reserved. Download Complete PDF Send Feedback Print