SmartView Tracker Maintenance

Managing the Log Switch Settings

A log switch can be performed in one of the following ways:

  • Automatically, when the log file's size reaches 2 GB.

    You can modify this default size limit, as well as define a log switch schedule, through the SmartDashboard, by editing the properties of the object collecting the logs (the Security Management server, Log Server or the Security Gateway).

  • Manually, from SmartView Tracker.

Modifying the Automatic Log Switch Settings

  1. In the SmartDashboard, double-click the gateway in question.

    The gateway's properties window is displayed.

  2. In the Log switch section of the Logs and Masters page, specify when to perform the log switch:
    • To specify the file size that should trigger a log switch, check Log switch when file size is x MBytes and specify the appropriate size.
    • To set up a log switch schedule, check Schedule log switch to and choose the appropriate time object from the drop-down list.

    If you specify both options, the log switch is performed when the first criterion is met.

  3. Click OK.

Manual Log Switch

  1. In SmartView Tracker, choose File > Switch Active File from the menu.

    The Switch active Log File window is displayed.

  2. By default, the current log file is named based on the current date and time.

    To specify a different name, uncheck Default and enter the appropriate name under Log File Name.

Managing the Cyclic Logging Settings

To configure the Cyclic Logging process:

  1. In the SmartDashboard, double-click the gateway in question.

    The gateway's properties window is displayed.

  2. In the Disk Space Management section of the Logs and Masters page, specify the following:
    • Whether to Measure free disk space in MBytes or Percent.
    • Check Required Free Disk Space and enter the appropriate value.
    • To refrain from deleting the most recent log files among your old log files, check Do not delete log files from the last and specify the appropriate number of Days.

Purging a Log File

To delete all records in the active fw.log log file, display the Log or Audit mode and choose Purge Active File from the File menu.

Saving Log Files Locally

To save logs to a local file (instead of forwarding them to the Security Management server or to a Log Server):

  1. In the SmartDashboard, double-click the gateway in question to display its properties window.
  2. In the Log Servers page (under the Logs and Masters branch), check Define Log Servers and then check Save logs locally, on this machine (<machine hostname>).
  3. You can either set a schedule for forwarding the local file to the appropriate machine (the Security Management server or a Log Server), or manually import these files using SmartView Tracker.

    To specify a log file forwarding schedule:

    • Display the Additional Logging Configuration page (under the Logs and Masters branch).
    • In the Log forwarding settings section, set the following:

      - Check Forward log files to Security Management server and choose the Log Server from the drop-down list.

      - Set a Log forwarding schedule by choosing the appropriate time object from the drop-down list.

To view the local file using SmartView Tracker:

  1. Select Tools > Remote Files Management.

    The Remote Files Management window is displayed, listing all Security Gateways from which you can fetch Log files.

  2. Select the desired Security Gateway and click Get File List.

    The Files on <Gateway Name> window is displayed, listing all Log files found on the selected Security Gateway.

  3. Select one or more files to be fetched.

    Note - You cannot fetch an active Log File. If you want to fetch the current file, you must first perform a log switch.

  4. Click Fetch Files.

    The Files Fetch Progress window is displayed, showing the progress of the file transfer operation.

Working with Log Servers

To reduce the Security Management server's load via Log Servers:

  1. Install the Log Server software on the machine you wish to dedicate to logging purposes.

    Note - For proper Log Server operations, the Plug-ins that are installed on the Security Management server should also be installed on the Log Server.

  2. Launch the SmartDashboard and add the Log Server you have installed as a Check Point network object:
    • Choose Manage > Network Objects > New > Check Point > Host from the menu.

      The Check Point Host window is displayed.

    • In the General Properties page, define the standard network object properties, including:

      - Checking Log Server in the Check Point Products list.
      - Setting up Secure Internal Communication between this Log Server and the Security Management server.

    • Define additional properties as needed and click OK.
  3. Install the Check Point Objects Database on the Log Server object:
    • Choose Policy > Install Database from the menu.
      The Install Database window is displayed.
    • In the Install Database on list, check the Log Server object and click OK.
  4. To set up the gateway to forward its logs to this Log Server, double-click the gateway so that its properties window is displayed.
  5. You can either forward the log records online, one by one; or save the records locally, and then forward them in a file according to a specific schedule.

    To forward log records online:

    • Display the Log Servers page (under the Logs and Masters branch).
    • Check Define Log Servers.
    • Add this Log Server to the Always send logs to table (click Add to display the Add Logging Servers window, and move the Log Server from the Available Log Servers list to the Select Log Servers list).

    To specify a log file forwarding schedule:

    • Display the Additional Logging Configuration page (under the Logs and Masters branch).
    • In the Log forwarding settings section, set the following:

      - Check Forward log files to Log Server and choose the Log Server from the drop-down list.

      - Set a Log forwarding schedule by choosing the appropriate time object from the drop-down list.

  6. By default, when the selected Log Server is unreachable, the logs are written to a local file. Alternatively, you can select a backup Log Server as follows:
    • Display the Log Servers page (under the Logs and Masters branch).
    • Under When a Log Server is unreachable, send logs to section, click Add to display the Add Logging Servers window.
    • Move the Log Server from the Available Log Servers list to the Select Log Servers list and click OK.
  7. Repeat step 4 to step 6 on all relevant gateways.
  8. Launch SmartView Tracker and log in to this Log Server (instead of the Security Management server).

Using Custom Commands

To configure the commands you can run through SmartView Tracker:

  1. Choose Tools > Custom Commands from the menu.

    The Custom Commands window is displayed.

  2. Click Add.

    The Add New Command window is displayed.

  3. Specify the following command properties:
    • Menu Text, defining how this command is displayed in the right-click menu (e.g. Ping).
    • Command, specifying the name of the command (e.g. ping.exe).
    • Arguments, to be used by the command.
    • IP Columns only, allowing you to apply this command only to columns that have an IP address value (e.g. Origin, Source, Destination etc.).

      Note - It is recommended not to use a full path name in the Executable field, since the executable file may be found in different directories of different SmartView Tracker clients. The administrator must ensure that the command can be executed from the SmartView Tracker installation directory. Commands requiring a full path can be executed by a script, which all administrators save in the same directory, but each administrator edits according to his or her needs.

Example:

  1. Use the Add New Command window to add the Menu Content TELNET, which runs the command TELNET using <Cell Value> as its Parameter.
  2. In the Records pane, right-click a record whose IP address is 192.0.2.2 and select Telnet from the menu.

    The executed command is: telnet 192.0.2.2.
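
An added example, not part of the original guide and not Check Point code: a wrapper script of the kind the note above suggests, which accepts the <Cell Value> argument only if it is a literal IP address and launches the tool without a shell. The script name tracker_cmd.py, the ALLOWED_TOOLS table and the two-argument calling convention (tool name, then <Cell Value>) are assumptions made for illustration.

```python
"""Wrapper for a SmartView Tracker custom command (added example)."""
import ipaddress
import shutil
import subprocess
import sys

# Hypothetical allowlist: tool name -> executable name plus fixed arguments.
ALLOWED_TOOLS = {
    "ping": ["ping"],
    "telnet": ["telnet"],
}


def build_argv(tool: str, cell_value: str) -> list[str]:
    """Return the argument vector to execute, or raise ValueError."""
    if tool not in ALLOWED_TOOLS:
        raise ValueError(f"tool not allowed: {tool!r}")
    # Without "IP Columns only" a cell can hold any text taken from a log
    # record, so accept nothing but a literal IP address.
    value = cell_value.strip()
    try:
        if "%" in value:  # IPv6 zone IDs may carry arbitrary text
            raise ValueError
        addr = ipaddress.ip_address(value)
    except ValueError:
        raise ValueError(f"not a plain IP address: {cell_value!r}") from None
    # Pass the normalized form, so the tool never sees the raw cell text.
    return ALLOWED_TOOLS[tool] + [str(addr)]


def main(args: list[str]) -> int:
    if len(args) != 2:
        print("usage: tracker_cmd.py <tool> <cell value>", file=sys.stderr)
        return 2
    try:
        argv = build_argv(args[0], args[1])
    except ValueError as exc:
        print(f"refused: {exc}", file=sys.stderr)
        return 1
    exe = shutil.which(argv[0])  # resolved on each client; no fixed path
    if exe is None:
        print(f"{argv[0]} not found on PATH", file=sys.stderr)
        return 1
    # List form, shell=False (the default): the value is one argument only.
    return subprocess.run([exe] + argv[1:], check=False).returncode


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

With this wrapper, the custom command's Arguments would be the tool name followed by <Cell Value>, and a cell holding anything other than an address is refused before any program starts.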

Using Block Intruder

SmartView Tracker allows you to terminate an active connection and block further connections from and to specific IP addresses. The Block Intruder feature only works on UDP and TCP connections. Proceed as follows:

  1. Select the connection you wish to block by clicking it in the Active mode's Records pane.
  2. From the Tools menu, select Block Intruder.

    The Block Intruder window is displayed.

  3. In Blocking Scope, select the connections that you would like to block:
    • Block all connections with the same source, destination and service - block the selected connection or any other connection with the same service, source or destination.
    • Block access from this source - block all connections that are coming from the machine specified in the Source field.
    • Block access to this destination - block all connections that are headed to the machine specified in the Destination field.
  4. In Blocking Timeout, select one of the following:
    • Indefinite - blocks all further access.
    • For x minutes - blocks all further access attempts for the specified number of minutes.
  5. In Force this blocking, select one of the following:
    • Only on - blocks access attempts through the indicated Security Gateway.
    • On any Security Gateway - blocks access attempts through all Security Gateways defined as gateways or hosts on the Log Server.
  6. Click OK.

    To clear blocked connections from the display, choose Clear Blocking from the Tools menu.

Configuring Alert Commands

When you set a rule's Track column to Alert, SNMP Trap, Mail or UserDefined, a log of the event matching the rule is written to the active log file and the Security Management server executes the appropriate alert script.

Alert scripts are defined through the SmartDashboard, in the Global Properties window's Alert Commands page. You can use the default mail alert and SNMP trap alert scripts, by entering the appropriate IP addresses. Alternatively, define your own alert(s) in the three UserDefined fields.

Enabling Warning Dialogs

When working with SmartView Tracker, messages appear in a variety of situations. Some of these messages have the option "Don't show this dialog box again". The Tools > Enable Warning Dialogs menu option lets you view again all the dialog boxes for which you selected "Don't show this dialog box again".


©2013 Check Point Software Technologies Ltd. All rights reserved.