Logs and Monitoring

In This Section: Security Logs System Logs Log Servers Managing Active Computers Infected Hosts VPN Tunnels Connections Viewing Monitoring Data Viewing Reports Using System Tools SNMP

This section describes the security and system logs. It also describes various monitoring tools.

Security Logs

The Logs & Monitoring > Security Logs page lets you browse the last 100 log records.

These logs are sent to SmartView tracker, but are also available on this page. Note that the number of logs shown is not configurable, and is not related to the SmartDashboard setting "GW properties > Logs and alert > Max log size…" (This setting only applies to logs that are saved by the gateway when the Security Management Server cannot be reached).

To search for a security log:

Enter your query in the Enter search query box.

Use this syntax:
<IP_address>
or
<column_name>:<value>

For example:

203.0.113.64
or
action:drop
or
source port:22

For more details, click Query Syntax in the table header.

To see the security log record:

1. Select a log entry from the list.
2. Click View Details or double-click the entry.

   The log record opens.

To refresh the security log data:

Click the refresh icon .

To stop local logging:

You can stop local logging to remove the overhead to create and maintain logs to improve performance. No new logs are generated until you set the resume option.

1. Select Options > Stop local logging.
2. To resume, select Options > Resume local logging.

Logs can be stored centrally or locally. Logs can be stored locally on the appliance's non-persistent memory or on an external SD card (persistent). When you insert an SD card, it mounts automatically and then local logs are saved to it. Before you eject an SD card, make sure to unmount it. Select Options > Eject SD card safely.

To delete logs from local log storage:

1. In Logs & Monitoring > Logs > Security Logs page, click Clear logs.

   A confirmation window opens.

2. Click Yes to delete logs.

   The logs are deleted, and the logs grid reloads automatically.

   Note - Logs are deleted from the external SD card (if inserted) or from the local logs storage. Logs are not deleted from the remote logs server.

System Logs

The Logs & Monitoring > System Logs page shows up to 500 systems logs (syslogs) generated from the appliance at all levels except for the debug level. These logs should be used mainly for troubleshooting purposes and can also give the administrator notifications for events which occurred on the appliance.

These are the syslog types:

• Info - Informative logs such as policy change information, administrator login details, and DHCP requests.
• Notice - Notification logs such as changes made by administrators, date, and time changes.
• Warning - Logs that show a connectivity or possible configuration failure. The problem is not critical but requires your attention.
• Error - System errors that alert you to the fact that a specific feature is not working. This can be due to misconfiguration or connectivity loss which requires the attention of your Internet Service Provider.

To download the full log file:

1. Click Download Full Log File.
2. Click Open or Save.

To save a snapshot of the syslogs to the flash disk:

1. Select Save a snapshot of system logs to flash.
2. Enter a minute value for the interval. The default is 180 minutes (3 hours). The minimum value is 30 minutes.
3. Click Apply.

This is an effort to keep syslogs persistent across boot, but not 100% guaranteed.

To refresh the system logs list:

Click Refresh. The list is refreshed.

To clear the log list:

1. Click Clear Logs.
2. Click OK in the confirmation message.

Log Servers

The Logs & Monitoring > Log Servers page lets you configure external log servers for system logs when necessary for additional logging storage.

You can configure a gateway to send logs to multiple external syslog servers.

To configure an external syslog server:

1. Under Syslog Servers, click Configure.

   The External Syslog Server window opens.

2. Enter Name.
3. Enter the IP address.
4. Enter the Port.
5. Click Enable log server.
6. Click Apply.

Managing Active Computers

See Managing Active Computers.

Infected Hosts

In the Infected Hosts page you can see information about infected hosts and servers in the internal networks. You can also directly create an exception rule for a specified protection related to an infected or possibly infected host or server.

The Infected Hosts table shows this information for each entry:

• Icon - Shows icons for the different classifications of infected hosts and servers:

  Description	Host Icon	Server Icon
  Infected host or server - When the Anti-Bot blade detects suspicious communication between the host or server and an external Command & Control center due to a specified triggered protection.
  Possibly infected host or server - When the Anti-Virus blade detects an activity that may result in host or server infection. For example: When you browse to an infected or a potentially unsafe Internet site, there is a possibility that malware was installed. When you download an infected file, there is a possibility that the file was opened or triggered and infected the host or server.

• Object name - Shows the object name if the host or server was configured as a network object.
• IP/MAC address
• Device/User Name - Shows a device or user name if the information is available to the Check Point Appliance through DHCP or User Awareness.
• Incident type - Shows the detected incident type:
  • Found bot activity
  • Downloaded a malware
  • Accessed a site known to contain malware
• Severity - Shows the severity of the malware:
  • Low
  • Medium
  • High
  • Critical
• Protection name - Shows the Anti-Bot or Anti-Virus protection name.
• Last incident - The date of the last incident.
• Incidents - Shows the total number of incidents on the host or server in the last month. If there is a large amount of records, the time frame may be shorter.

To filter the infected hosts list:

1. Click Filter.
2. Select one of the filter options:
   • Servers only - Shows only machines that were identified as servers (and not any machine/device). Servers are defined as server objects in the system from the Access Policy > Servers page.
   • Possibly infected only - Shows only hosts or servers classified as possibly infected.
   • Infected only - Shows only hosts or servers classified as infected.
   • High and above severity only - Shows hosts and servers that are infected or possibly infected with malwares that have a severity classification of high or critical.

To add a malware exception rule for a specified protection:

1. Select the list entry that contains the protection for which to create an exception.
2. Click Add Protection Exception.
3. Click the links in the rule summary or the table cells to select network objects or options that fill out the exception rule fields.
   • Scope - Select either Any or a specific scope from the list. If necessary, you can create a New network object, network object group, or local user.
     If it is necessary to negate a specified scope, select the scope and select the Any Scope except checkbox.
     For example, if the scope of the exception should include all scopes except for the DMZ network, select DMZ network and select the Any Scope except checkbox.
   • Action - Select the applicable action to enforce on the matching traffic: Ask, Prevent, Detect or Inactive. See the Threat Prevention > Threat Prevention Blade Control page for a description of the action types.
   • Log - Select the tracking option: None, Log, or Alert. Logs are shown on the Logs & Monitoring > Security Logs page. An alert is a flag on a log. You can use it to filter logs.
4. Optional - Add a comment in the Write a comment field.
5. Click Apply.

   The rule is added to Malware Exceptions on the Threat Prevention > Exceptions page.

To view the logs of a specified entry:

1. Select the list entry for which to view logs.
2. Click Logs.

   The Logs & Monitoring > Security Logs page opens and shows the logs applicable to the IP/MAC address.

   Note - This page is available from the Home and Logs & Monitoring tabs.

VPN Tunnels

In the VPN Tunnels page you can see current VPN tunnels opened between this gateway and remote sites. Some sites are configured so tunnels are established only when necessary and some are configured with permanent tunnels. When the appliance is managed by Cloud Services, this table also shows the tunnels for the gateways in the community.

This page is commonly used to see the permanent tunnels. The table shows each tunnel's details when there is an active VPN tunnel.

Field	Description
From	Host name or IP address of the tunnel’s source gateway.
Site Name	Name of the VPN site name.
Peer Address	Host name or IP address of the tunnel’s destination gateway.
Community Name	If the gateways are part of a community configured by Cloud Services, this column shows the community name with which the tunnel is associated.
Status	VPN tunnel status indication.

To filter the list:

In the Type to filter box, enter the filter criteria.

The list is filtered.

To refresh the list:

Click Refresh to manually refresh this page with updated tunnel information.

Note - This page is available from the VPN and Logs & Monitoring tabs.

Connections

The Logs & Monitoring > Connections page shows a list of all active connections.

The list shows these fields:

• Protocol
• Source Address
• Source Port
• Destination Address
• Destination Port

To filter the list:

In the Type to filter box, enter the filter criteria.

The list is filtered.

To refresh the list:

Click the Refresh link.

Viewing Monitoring Data

See Viewing Monitoring Data.

Viewing Reports

See Viewing Reports.

Using System Tools

See Using System Tools.

SNMP

In the Logs & Monitoring > SNMP page you can configure SNMP settings for this gateway.

You can do these actions:

• Turn the SNMP agent on or off
• Configure SNMP settings (system location, system contact, and community string for SNMP v1 and v2 authentication)
• Add SNMP v3 users
• Configure the settings for SNMP Trap receivers
• Enable or disable SNMP traps that are sent to the trap receivers

To turn SNMP on or off:

1. Change the SNMP On/Off slider position to ON or OFF.
2. Click Apply.

   SNMP must be set to on to configure all SNMP settings (users, traps, and trap receivers).

To configure SNMP settings:

Click Configure.

The Configure SNMP General Settings window opens. You can enable SNMP traps, configure system location and contact details, and enable SNMP versions in addition to v3.

SNMP v3 Users

• To add a new SNMP v3 user, click New.
• To edit an existing SNMP v3 user, select the user from the list and click Edit.
• To delete an SNMP v3 user, select the user from the list and click Delete.

SNMP Traps Receivers

You can add, delete, or edit the properties of SNMP trap receivers.

• To add an SNMP trap receiver, click New.

  Note - To add a new SNMP v3 trap receiver, there must be an SNMP v3 user defined for it.

• To edit an existing SNMP trap receiver, select the trap receiver from the list and click Edit.
• To delete an SNMP trap receiver, select the trap receiver from the list and click Delete.

SNMP Traps

You can enable or disable specified traps from the list and for some traps set a threshold value. The enabled traps are sent to the receivers.

To edit an SNMP trap:

1. Select the trap from the list and click Edit.
2. Select the Enable trap option to enable the trap or clear it to disable the trap.
3. If the trap contains a value, you can edit the threshold value when necessary.
4. Click Apply.