Logs and Monitoring

In This Section: Security Logs System Logs External Log Servers Managing Active Devices Infected Devices VPN Tunnels Connections Viewing Monitoring Data Viewing Reports Using System Tools SNMP

This section describes the security and system logs. It also describes various monitoring tools.

Security Logs

The Logs & Monitoring > Logs > Security Logs page shows the last 100 log records.

To load more records, continue scrolling down the page. The log table is automatically refreshed.

To search for a security log:

Enter your query in the Enter search query box. You can only search one field at a time (AND/OR operators are not supported).

Use this syntax:
<IP_address>
or
<column_name>:<value>

For example:

203.0.113.64
or
action:drop
or
source port:22

For more details, click Query Syntax in the table header.

To see the security log record:

1. Select a log entry from the list.
2. Click View Details or double-click the entry.

   The log record opens.

To refresh the security log data:

Click the refresh icon .

To stop local logging:

When necessary, you can stop local logging for better performance. This removes the overhead of creating and maintaining logs. No new logs are generated until you set the resume option.

1. Select Options > Stop local logging.
2. To resume, select Options > Resume local logging.

Storing Logs

Logs can be stored locally on the appliance's non-persistent memory or on an external SD card (persistent). Logs can also be sent to an externally managed log server (see Log Servers page).

When you insert an SD card, it mounts automatically and then local logs are saved to it. Before you eject an SD card, make sure to unmount it. Select Options > Eject SD card safely.

Note - From R77.20.85 and higher, SD cards are formatted with ext4. Older versions are formatted as FAT32. If you upgrade from a lower version to R77.20.85 or higher, the SD card will remain with FAT32 for backward compatibility.

To delete logs from local log storage:

1. In Logs & Monitoring > Logs > Security Logs page, click Clear logs.

   A confirmation window opens.

2. Click Yes to delete logs.

   The logs are deleted, and the logs grid reloads automatically.

   Note - Logs are deleted from the external SD card (if inserted) or from the local logs storage. Logs are not deleted from the remote logs server.

System Logs

The Logs & Monitoring > System Logs page shows up to 500 systems logs (syslogs) generated from the appliance at all levels except for the debug level. These logs should be used mainly for troubleshooting purposes and can also give the administrator notifications for events which occurred on the appliance.

These are the syslog types:

• Info - Informative logs such as policy change information, administrator login details, and DHCP requests.
• Notice - Notification logs such as changes made by administrators, date, and time changes.
• Warning - Logs that show a connectivity or possible configuration failure. The problem is not critical but requires your attention.
• Error - System errors that alert you to the fact that a specific feature is not working. This can be due to misconfiguration or connectivity loss which requires the attention of your Internet Service Provider.

To download the full log file:

1. Click Download Full Log File.
2. Click Open or Save.

To save a snapshot of the syslogs to the flash disk:

1. Select Save a snapshot of system logs to flash.
2. Enter a minute value for the interval. The default is 180 minutes (3 hours). The minimum value is 30 minutes.
3. Click Apply.

This is an effort to keep syslogs persistent across boot, but not 100% guaranteed.

To refresh the system logs list:

Click Refresh. The list is refreshed.

To clear the log list:

1. Click Clear Logs.
2. Click OK in the confirmation message.

External Log Servers

The Logs & Monitoring > Log Servers page lets you configure external log servers for security and system logs for additional logging storage.

Note - You cannot configure external log servers when Cloud Services is turned on.

External Check Point Log Server

You can use an external Check Point log server that is managed by a Security Management Server for storing additional logs.

Use cases for an external Check Point Log Server:-

• Extend the log retention time. For example, currently, when your gateway is managed by SMP, you can retain logs for 3 months. If you configure an external Log Server, you can retain the logs for a year.
• Export the logs format to a 3rd party mechanism for data mining.

Do these steps before you configure an external Check Point log server from this page in the WebUI:

• Identify the Log Server you want to send logs to.
• Identify the Security Management Server that manages the Log Server.
• Open SmartDashboard on this Security Management Server.
• Run the Security Gateway wizard to define and create a Security Gateway object that represents this Check Point Appliance with the these details:
  • In the General Properties window, select:
    • Gateway platform - Select your appliance
    • Gateway IP address - Dynamic IP address
  • In the Trusted Communication window, from Gateway Identifier select MAC address or First to connect.
• Install the database on the Security Management Server and other related objects.

To configure an external Check Point log server:

1. Under Check Point Log Server, click Configure.

   The External Check Point Log Server window opens.

2. Enter the Management Server IP address. This IP address is used only to establish trusted communication between the Check Point Appliance and the Security Management Server.
3. In SIC name, enter the SIC name of the log server object defined in SmartDashboard. To get this name:
   • Connect with GuiDBedit Tool (see sk13009) to the Security Management Server - From the Tables tab, expand Table > Network Objects. In the right pane, locate the Log Server object. In the bottom pane, locate sic_name.

     or

   • Run this CLI command on the Log Server (use SSH or console connection):

     $CPDIR/bin/cpprod_util CPPROD_GetValue SIC MySICname 0

   Copy the SIC name value and paste it into the SIC name field on this page.

4. In Set SIC One-time Password, enter the same password that was entered for the Security Management Server and then enter it again in the Confirm SIC One-time Password field. You cannot use these characters when you enter a password or shared secret: { } [ ] ` ~ | ‘ " # + \
5. If the log server is not located on the Security Management Server, select Log server uses different IP address and enter the IP address.
6. Click Apply.

   Important - After successful configuration of the external log server, any changes you make in the WebUI configuration on this page requires reinitialization of the SIC in SmartDashboard. If you do not reinitialize SIC in SmartDashboard, connectivity to the log server can fail.

To configure a new external Check Point Log Server when the gateway is connected to SMP (Cloud):

1. In the WebUI, connect to Cloud Services.
2. Go to Logs and Monitoring > External Log Server.
3. Click New to add a new Log Server.
4. In the Add External Log Server window, enter the IP address and the SIC name of the Log Server.
5. Click Apply.
6. To fetch the policy from the cloud, go to Home > Cloud Services and click Fetch now.

After you initiate traffic from resources behind the gateway, open the Check Point Log Server to verify that you see the logs. For more information, see sk145614.

External Syslog Server Configuration

You can configure a gateway to send logs to multiple external syslog servers.

To configure an external syslog server:

1. Under Syslog Servers, click Configure.

   The External Syslog Server window opens.

2. Enter a Name and IP address.
3. Enter a Port.
4. Select Enable log server.
5. Optional - Select Show Obfuscated Fields. Obfuscated packets are shown as plain text.
6. Select logs to forward:
   • System logs
   • Security logs
   • Both system and security logs
7. Click Apply.

To configure additional syslog servers:

Click Add Syslog Server.

You can send security logs to syslog servers. The security logs show in the syslog format, not in the security logs format.

To edit the external syslog server:

1. Click the Edit link next to the server's IP address.
2. Edit the necessary information.
3. Click Apply.

Note - When more than one server is defined, the syslog servers show in a table. Select the syslog server you want to edit and click Edit.

To delete the external syslog server:

1. Select the syslog server.
2. Click Delete.

   The server is deleted.

Managing Active Devices

See Managing Active Devices.

Infected Devices

In the Infected Devices page you can see information about infected devices and servers in the internal networks. You can also directly create an exception rule for a specified protection related to an infected or possibly infected device or server.

The Infected Devices table shows this information for each entry:

• Icon - Shows icons for the different classifications of infected devices and servers:

  Description	Host Icon	Server Icon
  Infected device or server - When the Anti-Bot blade detects suspicious communication between the host or server and an external Command & Control center due to a specified triggered protection.
  Possibly infected device or server - When the Anti-Virus blade detects an activity that may result in host or server infection. For example: When you browse to an infected or a potentially unsafe Internet site, there is a possibility that malware was installed. When you download an infected file, there is a possibility that the file was opened or triggered and infected the host or server.

• Object name - Shows the object name if the host or server was configured as a network object.
• IP/MAC address
• Device/User Name - Shows a device or user name if the information is available to the Check Point Appliance through DHCP or User Awareness.
• Incident type - Shows the detected incident type:
  • Found bot activity
  • Downloaded a malware
  • Accessed a site known to contain malware
• Severity - Shows the severity of the malware:
  • Low
  • Medium
  • High
  • Critical
• Protection name - Shows the Anti-Bot or Anti-Virus protection name.
• Last incident - The date of the last incident.
• Incidents - Shows the total number of incidents on the device or server in the last month. If there is a large amount of records, the time frame may be shorter.

To filter the infected devices list:

1. Click Filter.
2. Select one of the filter options:
   • Servers only - Shows only machines that were identified as servers (and not any machine/device). Servers are defined as server objects in the system from the Access Policy > Servers page.
   • Possibly infected only - Shows only devices or servers classified as possibly infected.
   • Infected only - Shows only devices or servers classified as infected.
   • High and above severity only - Shows devices and servers that are infected or possibly infected with malwares that have a severity classification of high or critical.

To add a malware exception rule for a specified protection:

1. Select the list entry that contains the protection for which to create an exception.
2. Click Add Protection Exception.
3. Click the links in the rule summary or the table cells to select network objects or options that fill out the exception rule fields.
   • Scope - Select either Any or a specific scope from the list. If necessary, you can create a New network object, network object group, or local user.
     If it is necessary to negate a specified scope, select the scope and select the Any Scope except checkbox.
     For example, if the scope of the exception should include all scopes except for the DMZ network, select DMZ network and select the Any Scope except checkbox.
   • Action - Select the applicable action to enforce on the matching traffic: Ask, Prevent, Detect or Inactive. See the Threat Prevention > Threat Prevention Blade Control page for a description of the action types.
   • Log - Select the tracking option: None, Log, or Alert. Logs are shown on the Logs & Monitoring > Security Logs page. An alert is a flag on a log. You can use it to filter logs.
4. Optional - Add a comment in the Write a comment field.
5. Click Apply.

   The rule is added to Malware Exceptions on the Threat Prevention > Exceptions page.

To view the logs of a specified entry:

1. Select the list entry for which to view logs.
2. Click Logs.

   The Logs & Monitoring > Security Logs page opens and shows the logs applicable to the IP/MAC address.

   Note - This page is available from the Home and Logs & Monitoring tabs.

VPN Tunnels

In the VPN Tunnels page you can see current VPN tunnels opened between this gateway and remote sites. Some sites are configured so tunnels are established only when necessary and some are configured with permanent tunnels. When the appliance is managed by Cloud Services, this table also shows the tunnels for the gateways in the community.

This page is commonly used to see the permanent tunnels. The table shows each tunnel's details when there is an active VPN tunnel.

Field	Description
From	Host name or IP address of the tunnel’s source gateway.
Site Name	Name of the VPN site name.
Peer Address	Host name or IP address of the tunnel’s destination gateway.
Community Name	If the gateways are part of a community configured by Cloud Services, this column shows the community name with which the tunnel is associated.
Status	VPN tunnel status indication.

To filter the list:

In the Type to filter box, enter the filter criteria.

The list is filtered.

To refresh the list:

Click Refresh to manually refresh this page with updated tunnel information.

Note - This page is available from the VPN and Logs & Monitoring tabs.

Connections

The Logs & Monitoring > Connections page shows a list of all active connections.

The list shows these fields:

• Protocol
• Source Address
• Source Port
• Destination Address
• Destination Port

To filter the list:

In the Type to filter box, enter the filter criteria.

The list is filtered.

To refresh the list:

Click the Refresh link.

Viewing Monitoring Data

See Viewing Monitoring Data.

Viewing Reports

See Viewing Reports.

Using System Tools

See Using System Tools.

SNMP

In the Logs & Monitoring > SNMP page you can configure SNMP settings for this gateway.

You can do these actions:

• Turn the SNMP agent on or off
• Configure SNMP settings (system location, system contact, and community string for SNMP v1 and v2 authentication)
• Add SNMP v3 users
• Configure the settings for SNMP Trap receivers
• Enable or disable SNMP traps that are sent to the trap receivers

To turn SNMP on or off:

1. Change the SNMP On/Off slider position to ON or OFF.
2. Click Apply.

   SNMP must be set to on to configure all SNMP settings (users, traps, and trap receivers).

To configure SNMP settings:

Click Configure.

The Configure SNMP General Settings window opens. You can enable SNMP traps, configure system location and contact details, and enable SNMP versions in addition to v3.

SNMP v3 Users

• To add a new SNMP v3 user, click New.
• To edit an existing SNMP v3 user, select the user from the list and click Edit.
• To delete an SNMP v3 user, select the user from the list and click Delete.

SNMP Traps Receivers

You can add, delete, or edit the properties of SNMP trap receivers.

• To add an SNMP trap receiver, click New.

  Note - To add a new SNMP v3 trap receiver, there must be an SNMP v3 user defined for it.

• To edit an existing SNMP trap receiver, select the trap receiver from the list and click Edit.
• To delete an SNMP trap receiver, select the trap receiver from the list and click Delete.

SNMP Traps

You can enable or disable specified traps from the list and for some traps set a threshold value. The enabled traps are sent to the receivers.

To edit an SNMP trap:

1. Select the trap from the list and click Edit.
2. Select the Enable trap option to enable the trap or clear it to disable the trap.
3. If the trap contains a value, you can edit the threshold value when necessary.
4. Click Apply.