
Logs and Monitoring

In This Section:

Security Logs

System Logs

External Log Servers

Managing Active Devices

Infected Devices

VPN Tunnels

Connections

Viewing Monitoring Data

Viewing Reports

Using System Tools

SNMP

This section describes the security and system logs. It also describes various monitoring tools.

Security Logs

The Logs & Monitoring > Logs > Security Logs page shows the last 100 log records.

To load more records, continue scrolling down the page. The log table is automatically refreshed.

To search for a security log:

Enter your query in the Enter search query box. You can only search one field at a time (AND/OR operators are not supported).

Use this syntax:
<IP_address>
or
<column_name>:<value>

For example:

203.0.113.64
or
action:drop
or
source port:22

For more details, click Query Syntax in the table header.
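The one-field query syntax above can be reproduced offline to check how a query is interpreted before it is typed into the WebUI. The following is an added example, not Check Point code: it assumes each log record is a dictionary keyed by the lower-case column name as shown in the log table, the sample records are constructed, and it treats an IPv6 literal (which contains colons) as an address rather than as <column_name>:<value>.

```python
"""Filter security-log records with the one-field query syntax shown above.

Added example; this is not Check Point code. It assumes each record is a dict
keyed by the lower-case column name as shown in the WebUI; the records below
are constructed samples.
"""
import ipaddress

# Constructed sample records (not real appliance output).
SAMPLE_LOGS = [
    {"action": "drop", "source": "203.0.113.64", "destination": "192.0.2.10",
     "source port": "51234", "service": "22"},
    {"action": "accept", "source": "198.51.100.7", "destination": "192.0.2.10",
     "source port": "22", "service": "443"},
    {"action": "drop", "source": "198.51.100.7", "destination": "203.0.113.64",
     "source port": "40000", "service": "53"},
]


def parse_query(query):
    """Parse one query into ('ip', address) or ('field', column, value).

    Exactly one of the two forms is accepted:
      <IP_address>             matches the address in any column
      <column_name>:<value>    matches one named column
    AND/OR are not supported, so a query containing them is rejected.
    """
    q = query.strip()
    if not q:
        raise ValueError("empty query")
    words = q.upper().split()
    if "AND" in words or "OR" in words:
        raise ValueError("AND/OR operators are not supported; search one field at a time")
    # Try the address form first: an IPv6 literal contains ':' and must not be
    # mistaken for <column_name>:<value>.
    try:
        return ("ip", str(ipaddress.ip_address(q)))
    except ValueError:
        pass
    column, sep, value = q.partition(":")
    column, value = column.strip().lower(), value.strip()
    if not sep or not column or not value:
        raise ValueError("expected an IP address or <column_name>:<value>")
    return ("field", column, value)


def record_matches(record, parsed):
    """Return True when the record satisfies the parsed query."""
    if parsed[0] == "ip":
        # The address form looks at every column (source, destination, ...).
        return parsed[1] in record.values()
    _, column, value = parsed
    # Column values are compared case-insensitively (an assumption of this example).
    return str(record.get(column, "")).lower() == value.lower()


def search_logs(records, query):
    """Return the records matching a single query string."""
    parsed = parse_query(query)
    return [r for r in records if record_matches(r, parsed)]


if __name__ == "__main__":
    for q in ("203.0.113.64", "action:drop", "source port:22"):
        print(q, "->", len(search_logs(SAMPLE_LOGS, q)), "record(s)")
```

With the constructed records, "203.0.113.64" matches two entries (once as source, once as destination), "action:drop" matches two, and "source port:22" matches one; a query that combines fields with AND or OR is rejected, which mirrors the one-field limit of the WebUI search.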

To see the security log record:

  1. Select a log entry from the list.
  2. Click View Details or double-click the entry.

    The log record opens.

To refresh the security log data:

Click the refresh icon.

To stop local logging:

When necessary, you can stop local logging for better performance. This removes the overhead of creating and maintaining logs. No new logs are generated until you set the resume option.

  1. Select Options > Stop local logging.
  2. To resume, select Options > Resume local logging.

Storing Logs

Logs can be stored locally on the appliance's non-persistent memory or on an external SD card (persistent). Logs can also be sent to an externally managed log server (see Log Servers page).

When you insert an SD card, it mounts automatically and then local logs are saved to it. Before you eject an SD card, make sure to unmount it. Select Options > Eject SD card safely.

Note - From R77.20.85 and higher, SD cards are formatted with ext4. Older versions are formatted as FAT32. If you upgrade from a lower version to R77.20.85 or higher, the SD card will remain with FAT32 for backward compatibility.

To delete logs from local log storage:

  1. In Logs & Monitoring > Logs > Security Logs page, click Clear logs.

    A confirmation window opens.

  2. Click Yes to delete logs.

    The logs are deleted, and the logs grid reloads automatically.

    Note - Logs are deleted from the external SD card (if inserted) or from the local logs storage. Logs are not deleted from the remote logs server.

System Logs

The Logs & Monitoring > System Logs page shows up to 500 system logs (syslogs) generated from the appliance at all levels except for the debug level. These logs should be used mainly for troubleshooting purposes and can also give the administrator notifications for events which occurred on the appliance.

These are the syslog types:

To download the full log file:

  1. Click Download Full Log File.
  2. Click Open or Save.

To save a snapshot of the syslogs to the flash disk:

  1. Select Save a snapshot of system logs to flash.
  2. Enter a minute value for the interval. The default is 180 minutes (3 hours). The minimum value is 30 minutes.
  3. Click Apply.

This is an effort to keep syslogs persistent across reboots, but it is not 100% guaranteed.

To refresh the system logs list:

Click Refresh. The list is refreshed.

To clear the log list:

  1. Click Clear Logs.
  2. Click OK in the confirmation message.

External Log Servers

The Logs & Monitoring > Log Servers page lets you configure external log servers for security and system logs for additional logging storage.

Note - You cannot configure external log servers when Cloud Services is turned on.

External Check Point Log Server

You can use an external Check Point log server that is managed by a Security Management Server for storing additional logs.

Use cases for an external Check Point Log Server:

Do these steps before you configure an external Check Point log server from this page in the WebUI:

To configure an external Check Point log server:

  1. Under Check Point Log Server, click Configure.

    The External Check Point Log Server window opens.

  2. Enter the Management Server IP address. This IP address is used only to establish trusted communication between the Check Point Appliance and the Security Management Server.
  3. In SIC name, enter the SIC name of the log server object defined in SmartDashboard. To get this name:
    • Connect with GuiDBedit Tool (see sk13009) to the Security Management Server - From the Tables tab, expand Table > Network Objects. In the right pane, locate the Log Server object. In the bottom pane, locate sic_name.

      or

    • Run this CLI command on the Log Server (use SSH or console connection):

      $CPDIR/bin/cpprod_util CPPROD_GetValue SIC MySICname 0

    Copy the SIC name value and paste it into the SIC name field on this page.

  4. In Set SIC One-time Password, enter the same password that was entered for the Security Management Server and then enter it again in the Confirm SIC One-time Password field. You cannot use these characters when you enter a password or shared secret: { } [ ] ` ~ | ' " # + \
  5. If the log server is not located on the Security Management Server, select Log server uses different IP address and enter the IP address.
  6. Click Apply.

    Important - After successful configuration of the external log server, any changes you make in the WebUI configuration on this page require reinitialization of the SIC in SmartDashboard. If you do not reinitialize SIC in SmartDashboard, connectivity to the log server can fail.

To configure a new external Check Point Log Server when the gateway is connected to SMP (Cloud):

  1. In the WebUI, connect to Cloud Services.
  2. Go to Logs and Monitoring > External Log Server.
  3. Click New to add a new Log Server.
  4. In the Add External Log Server window, enter the IP address and the SIC name of the Log Server.
  5. Click Apply.
  6. To fetch the policy from the cloud, go to Home > Cloud Services and click Fetch now.

After you initiate traffic from resources behind the gateway, open the Check Point Log Server to verify that you see the logs. For more information, see sk145614.

External Syslog Server Configuration

You can configure a gateway to send logs to multiple external syslog servers.

To configure an external syslog server:

  1. Under Syslog Servers, click Configure.

    The External Syslog Server window opens.

  2. Enter a Name and IP address.
  3. Enter a Port.
  4. Select Enable log server.
  5. Optional - Select Show Obfuscated Fields. Obfuscated packets are shown as plain text.
  6. Select logs to forward:
    • System logs
    • Security logs
    • Both system and security logs
  7. Click Apply.

To configure additional syslog servers:

Click Add Syslog Server.

You can send security logs to syslog servers. The security logs show in the syslog format, not in the security logs format.

To edit the external syslog server:

  1. Click the Edit link next to the server's IP address.
  2. Edit the necessary information.
  3. Click Apply.

Note - When more than one server is defined, the syslog servers show in a table. Select the syslog server you want to edit and click Edit.

To delete the external syslog server:

  1. Select the syslog server.
  2. Click Delete.

    The server is deleted.
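Because forwarded security logs arrive in syslog format rather than the security-log format, it is useful to verify on the receiving side that the configured server actually gets datagrams and to see how the priority field decodes. The following is an added example, not Check Point code: it is a minimal UDP syslog receiver and parser for the classic BSD line layout (<PRI>TIMESTAMP HOST MESSAGE, RFC 3164). The sample line is constructed, and binding to an ephemeral loopback port is an assumption of the example; a real receiver listens on the Port entered in the External Syslog Server window.

```python
"""Minimal UDP syslog receiver and parser for checking forwarded gateway logs.

Added example, not Check Point code. Assumes the classic BSD syslog layout
"<PRI>Mmm dd hh:mm:ss HOST MESSAGE" (RFC 3164). The sample line below is
constructed, and the loopback round trip binds an ephemeral port; a real
receiver listens on the Port configured for the external syslog server.
"""
import socket

FACILITIES = {0: "kern", 1: "user", 2: "mail", 3: "daemon", 4: "auth", 5: "syslog",
              10: "authpriv", **{16 + i: f"local{i}" for i in range(8)}}
# Index 0 is the most severe level.
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# Constructed sample: PRI 134 = facility 16 (local0) * 8 + severity 6 (info).
SAMPLE_LINE = "<134>Jan 15 10:03:22 gw-1 fw: drop src=203.0.113.64 dst=192.0.2.10 service=22"


def parse_pri(line):
    """Split the <PRI> prefix into (facility, severity, remainder of the line)."""
    if not line.startswith("<"):
        raise ValueError("missing <PRI> prefix")
    end = line.find(">")
    if end < 2 or end > 4:  # PRI is 1 to 3 digits
        raise ValueError("malformed <PRI> prefix")
    pri = int(line[1:end])
    if pri > 191:  # 23 facilities * 8 severities - 1
        raise ValueError("PRI out of range")
    return pri // 8, pri % 8, line[end + 1:]


def parse_syslog_line(line):
    """Parse one BSD-format syslog line into a dict of named fields."""
    facility, severity, rest = parse_pri(line)
    # The BSD timestamp "Mmm dd hh:mm:ss" is 15 characters, followed by a space.
    timestamp, rest = rest[:15], rest[16:]
    host, _, message = rest.partition(" ")
    return {
        "facility": FACILITIES.get(facility, str(facility)),
        "severity": SEVERITIES[severity],
        "timestamp": timestamp,
        "host": host,
        "message": message,
    }


def severity_at_least(parsed, level):
    """True when the parsed record is at least as severe as `level`."""
    return SEVERITIES.index(parsed["severity"]) <= SEVERITIES.index(level)


def receive_one(sock, timeout=2.0):
    """Block for one datagram on an already-bound UDP socket and parse it."""
    sock.settimeout(timeout)
    data, _ = sock.recvfrom(4096)
    return parse_syslog_line(data.decode("utf-8", errors="replace"))


def loopback_roundtrip(line):
    """Bind a receiver on 127.0.0.1, send one datagram to it, return the parsed result."""
    receiver = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sender = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        receiver.bind(("127.0.0.1", 0))  # ephemeral port; stands in for the configured Port
        port = receiver.getsockname()[1]
        sender.sendto(line.encode("utf-8"), ("127.0.0.1", port))
        return receive_one(receiver)
    finally:
        sender.close()
        receiver.close()


if __name__ == "__main__":
    print(loopback_roundtrip(SAMPLE_LINE))
```

The same receive and parse path can be pointed at the real Port value (bind to the server address instead of the loopback) to confirm delivery after Enable log server is selected; the severity check is the kind of threshold a forwarding target applies when deciding which forwarded records to alert on.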

Managing Active Devices

See Managing Active Devices.

Infected Devices

In the Infected Devices page you can see information about infected devices and servers in the internal networks. You can also directly create an exception rule for a specified protection related to an infected or possibly infected device or server.

The Infected Devices table shows this information for each entry:

To filter the infected devices list:

  1. Click Filter.
  2. Select one of the filter options:
    • Servers only - Shows only machines that were identified as servers (and not any machine/device). Servers are defined as server objects in the system from the Access Policy > Servers page.
    • Possibly infected only - Shows only devices or servers classified as possibly infected.
    • Infected only - Shows only devices or servers classified as infected.
    • High and above severity only - Shows devices and servers that are infected or possibly infected with malware that has a severity classification of high or critical.

To add a malware exception rule for a specified protection:

  1. Select the list entry that contains the protection for which to create an exception.
  2. Click Add Protection Exception.
  3. Click the links in the rule summary or the table cells to select network objects or options that fill out the exception rule fields.
    • Scope - Select either Any or a specific scope from the list. If necessary, you can create a New network object, network object group, or local user.
      If it is necessary to negate a specified scope, select the scope and select the Any Scope except checkbox.
      For example, if the scope of the exception should include all scopes except for the DMZ network, select DMZ network and select the Any Scope except checkbox.
    • Action - Select the applicable action to enforce on the matching traffic: Ask, Prevent, Detect or Inactive. See the Threat Prevention > Threat Prevention Blade Control page for a description of the action types.
    • Log - Select the tracking option: None, Log, or Alert. Logs are shown on the Logs & Monitoring > Security Logs page. An alert is a flag on a log. You can use it to filter logs.
  4. Optional - Add a comment in the Write a comment field.
  5. Click Apply.

    The rule is added to Malware Exceptions on the Threat Prevention > Exceptions page.

To view the logs of a specified entry:

  1. Select the list entry for which to view logs.
  2. Click Logs.

    The Logs & Monitoring > Security Logs page opens and shows the logs applicable to the IP/MAC address.

    Note - This page is available from the Home and Logs & Monitoring tabs.

VPN Tunnels

In the VPN Tunnels page you can see current VPN tunnels opened between this gateway and remote sites. Some sites are configured so tunnels are established only when necessary and some are configured with permanent tunnels. When the appliance is managed by Cloud Services, this table also shows the tunnels for the gateways in the community.

This page is commonly used to see the permanent tunnels. The table shows each tunnel's details when there is an active VPN tunnel.

  • From - Host name or IP address of the tunnel's source gateway.
  • Site Name - Name of the VPN site.
  • Peer Address - Host name or IP address of the tunnel's destination gateway.
  • Community Name - If the gateways are part of a community configured by Cloud Services, this column shows the community name with which the tunnel is associated.
  • Status - VPN tunnel status indication.

To filter the list:

In the Type to filter box, enter the filter criteria.

The list is filtered.

To refresh the list:

Click Refresh to manually refresh this page with updated tunnel information.

Note - This page is available from the VPN and Logs & Monitoring tabs.

Connections

The Logs & Monitoring > Connections page shows a list of all active connections.

The list shows these fields:

To filter the list:

In the Type to filter box, enter the filter criteria.

The list is filtered.

To refresh the list:

Click the Refresh link.

Viewing Monitoring Data

See Viewing Monitoring Data.

Viewing Reports

See Viewing Reports.

Using System Tools

See Using System Tools.

SNMP

In the Logs & Monitoring > SNMP page you can configure SNMP settings for this gateway.

You can do these actions:

To turn SNMP on or off:

  1. Change the SNMP On/Off slider position to ON or OFF.
  2. Click Apply.

    SNMP must be set to on to configure all SNMP settings (users, traps, and trap receivers).

To configure SNMP settings:

Click Configure.

The Configure SNMP General Settings window opens. You can enable SNMP traps, configure system location and contact details, and enable SNMP versions in addition to v3.

SNMP v3 Users

SNMP Traps Receivers

You can add, delete, or edit the properties of SNMP trap receivers.

SNMP Traps

You can enable or disable specified traps from the list and for some traps set a threshold value. The enabled traps are sent to the receivers.

To edit an SNMP trap:

  1. Select the trap from the list and click Edit.
  2. Select the Enable trap option to enable the trap or clear it to disable the trap.
  3. If the trap contains a value, you can edit the threshold value when necessary.
  4. Click Apply.