Logs and Monitoring

In This Section:

Security Logs

System Logs

External Log Servers

Managing Active Devices

Viewing Infected Hosts

VPN Tunnels

Connections

Viewing Monitoring Data

Viewing Reports

Using System Tools

SNMP

This section describes the security and system logs. It also describes various monitoring tools.

Security Logs

The Logs & Monitoring > Logs > Security Logs page shows the last 100 log records.

To load more records, continue scrolling down the page. The log table is automatically refreshed.

To search for a security log:

Enter your query in the Enter search query box. You can only search one field at a time (AND/OR operators are not supported).

Use this syntax:
<IP_address>
or
<column_name>:<value>

For example:

203.0.113.64
or
action:drop
or
source port:22

For more details, click Query Syntax in the table header.
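The two query forms above (a bare IP address, or a single column:value pair with no AND/OR) can be modelled as a small filter. This is an added example, not code from the appliance or the guide; the record field names other than "action" and "source port" and the rule that a bare IP matches either the source or the destination address are assumptions.

```python
import ipaddress
from typing import Dict, List, Tuple

# Constructed sample records shaped like the Security Logs grid.
# Only "action" and "source port" are column names taken from the page;
# "source" and "destination" are assumed names for the address columns.
SAMPLE_LOGS: List[Dict[str, str]] = [
    {"source": "203.0.113.64", "destination": "198.51.100.7", "source port": "22", "action": "drop"},
    {"source": "192.0.2.10", "destination": "203.0.113.64", "source port": "443", "action": "accept"},
    {"source": "192.0.2.11", "destination": "198.51.100.9", "source port": "22", "action": "accept"},
]


def parse_query(query: str) -> Tuple:
    """Return ("ip", addr) or ("field", name, value); raise ValueError otherwise.

    Only one field may be searched at a time and AND/OR operators are not
    supported, so a query containing either operator is rejected up front.
    """
    q = query.strip()
    if not q:
        raise ValueError("empty query")
    if any(f" {op} " in f" {q.upper()} " for op in ("AND", "OR")):
        raise ValueError("AND/OR operators are not supported; search one field at a time")
    if ":" not in q:
        # Form 1: a bare value must be a valid IP address.
        return ("ip", str(ipaddress.ip_address(q)))
    # Form 2: <column_name>:<value>. Split on the first colon only, because
    # column names such as "source port" contain spaces and a value may contain colons.
    name, value = q.split(":", 1)
    name, value = name.strip().lower(), value.strip()
    if not name or not value:
        raise ValueError("use <column_name>:<value>")
    return ("field", name, value)


def search_logs(query: str, logs: List[Dict[str, str]] = SAMPLE_LOGS) -> List[Dict[str, str]]:
    """Apply one parsed query to the records and return the matching ones."""
    parsed = parse_query(query)
    if parsed[0] == "ip":
        # Assumption: a bare IP matches a record whose source or destination equals it.
        addr = parsed[1]
        return [r for r in logs if addr in (r.get("source"), r.get("destination"))]
    _, name, value = parsed
    return [r for r in logs if r.get(name, "").lower() == value.lower()]
```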

To see the security log record:

  1. Select a log entry from the list.
  2. Click View Details or double-click the entry.

    The log record opens.

To refresh the security log data:

Click the refresh icon.

To stop local logging:

When necessary, you can stop local logging for better performance. This removes the overhead of creating and maintaining logs. No new logs are generated until you set the resume option.

  1. Select Options > Stop local logging.
  2. To resume, select Options > Resume local logging.

Storing Logs

Logs can be stored locally on the appliance's non-persistent memory or on an external SD card (persistent). Logs can also be sent to an externally managed log server (see Log Servers page).

When you insert an SD card, it mounts automatically and then local logs are saved to it. Before you eject an SD card, make sure to unmount it. Select Options > Eject SD card safely.

To delete logs from local log storage:

  1. In Logs & Monitoring > Logs > Security Logs page, click Clear logs.

    A confirmation window opens.

  2. Click Yes to delete logs.

    The logs are deleted, and the logs grid reloads automatically.

    Note - Logs are deleted from the external SD card (if inserted) or from the local logs storage. Logs are not deleted from the remote logs server.

System Logs

The Logs & Monitoring > System Logs page shows up to 500 system logs (syslogs) generated by the appliance at all levels except the debug level. These logs are intended mainly for troubleshooting and can also notify the administrator of events that occurred on the appliance.

These are the syslog types:

To download the full log file:

  1. Click Download Full Log File.
  2. Click Open or Save.

To save a snapshot of the syslogs to the flash disk:

  1. Select Save a snapshot of system logs to flash.
  2. Enter a minute value for the interval. The default is 180 minutes (3 hours). The minimum value is 30 minutes.
  3. Click Apply.

The snapshot is a best-effort way to keep syslogs persistent across a reboot; it is not 100% guaranteed.

To refresh the system logs list:

Click Refresh. The list is refreshed.

To clear the log list:

  1. Click Clear Logs.
  2. Click OK in the confirmation message.

External Log Servers

The Logs & Monitoring > Log Servers page lets you configure external log servers for security and system logs for additional logging storage.

Note - You cannot configure external log servers when Cloud Services is turned on.

External Check Point Log Server

You can use an external Check Point log server that is managed by a Security Management Server for storing additional logs.

Do these steps before you configure an external Check Point log server from this page in the WebUI:

To configure an external Check Point log server:

  1. Under Check Point Log Server, click Configure.

    The External Check Point Log Server window opens.

  2. Enter the Management Server IP address. This IP address is used only to establish trusted communication between the Check Point Appliance and the Security Management Server.
  3. In SIC name, enter the SIC name of the log server object defined in SmartDashboard. To get this name:
    • Connect with GuiDBedit Tool (see sk13009) to the Security Management Server - From the Tables tab, expand Table > Network Objects. In the right pane, locate the Log Server object. In the bottom pane, locate sic_name.

      or

    • Run this CLI command on the Log Server (use SSH or console connection):

      $CPDIR/bin/cpprod_util CPPROD_GetValue SIC MySICname 0

    Copy the SIC name value and paste it into the SIC name field on this page.

  4. In Set SIC One-time Password, enter the same password that was entered for the Security Management Server and then enter it again in the Confirm SIC One-time Password field. You cannot use these characters when you enter a password or shared secret: { } [ ] ` ~ | ' " # + \
  5. If the log server is not located on the Security Management Server, select Log server uses different IP address and enter the IP address.
  6. Click Apply.

    Important - After successful configuration of the external log server, any changes you make in the WebUI configuration on this page require reinitialization of the SIC in SmartDashboard. If you do not reinitialize SIC in SmartDashboard, connectivity to the log server can fail.

External Syslog Server Configuration

You can configure a gateway to send logs to multiple external syslog servers.

To configure an external syslog server:

  1. Under Syslog Servers, click Configure.

    The External Syslog Server window opens.

  2. Enter a Name and IP address.
  3. Enter a Port.
  4. Select Enable log server.
  5. Select logs to forward:
    • System logs
    • Security logs
    • Both system and security logs
  6. Click Apply.

To configure additional syslog servers:

Click Add Syslog Server.

You can send security logs to syslog servers. The security logs show in the syslog format, not in the security logs format. Note - The security logs are sent in plaintext and are not secure.

To edit the external syslog server:

  1. Click the Edit link next to the server's IP address.
  2. Edit the necessary information.
  3. Click Apply.

Note - When more than one server is defined, the syslog servers show in a table. Select the syslog server you want to edit and click Edit.

To delete the external syslog server:

  1. Select the syslog server.
  2. Click Delete.

    The server is deleted.

Managing Active Devices

See Managing Active Devices.

Viewing Infected Hosts

See Viewing Infected Hosts.

VPN Tunnels

In the VPN Tunnels page you can see current VPN tunnels opened between this gateway and remote sites. Some sites are configured so tunnels are established only when necessary and some are configured with permanent tunnels. When the appliance is managed by Cloud Services, this table also shows the tunnels for the gateways in the community.

This page is commonly used to see the permanent tunnels. The table shows each tunnel's details when there is an active VPN tunnel.

Field: Description

From: Host name or IP address of the tunnel's source gateway.

Site Name: Name of the VPN site.

Peer Address: Host name or IP address of the tunnel's destination gateway.

Community Name: If the gateways are part of a community configured by Cloud Services, this column shows the name of the community with which the tunnel is associated.

Status: VPN tunnel status indication.

To filter the list:

In the Type to filter box, enter the filter criteria.

The list is filtered.

To refresh the list:

Click Refresh to manually refresh this page with updated tunnel information.

Note - This page is available from the VPN and Logs & Monitoring tabs.

Connections

The Logs & Monitoring > Connections page shows a list of all active connections.

The list shows these fields:

To filter the list:

In the Type to filter box, enter the filter criteria.

The list is filtered.

To refresh the list:

Click the Refresh link.

Viewing Monitoring Data

See Viewing Monitoring Data.

Viewing Reports

See Viewing Reports.

Using System Tools

See Using System Tools.

SNMP

In the Logs & Monitoring > SNMP page you can configure SNMP settings for this gateway.

You can do these actions:

To turn SNMP on or off:

  1. Change the SNMP On/Off slider position to ON or OFF.
  2. Click Apply.

    SNMP must be set to on to configure all SNMP settings (users, traps, and trap receivers).

To configure SNMP settings:

Click Configure.

The Configure SNMP General Settings window opens. You can enable SNMP traps, configure system location and contact details, and enable SNMP versions in addition to v3.

SNMP v3 Users

SNMP Traps Receivers

You can add, delete, or edit the properties of SNMP trap receivers.

SNMP Traps

You can enable or disable specified traps from the list and for some traps set a threshold value. The enabled traps are sent to the receivers.

To edit an SNMP trap:

  1. Select the trap from the list and click Edit.
  2. Select the Enable trap option to enable the trap or clear it to disable the trap.
  3. If the trap contains a value, you can edit the threshold value when necessary.
  4. Click Apply.