This section describes the security and system logs. It also describes various monitoring tools.
The Logs & Monitoring > Logs > Security Logs page shows the last 100 log records.
To load more records, continue scrolling down the page. The log table is automatically refreshed.
To search for a security log:
Enter your query in the Enter search query box. You can search only one field at a time (AND/OR operators are not supported).
Use this syntax:
<IP_address>
or
<column_name>:<value>
For example:
203.0.113.64
or
action:drop
or
source port:22
For more details, click Query Syntax in the table header.
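The two query forms above, implemented as a small filter over constructed sample records. This is an added example, not Check Point code: the column names in the sample records (source, destination, source port, action, blade) and the rule that a bare IP address matches either the source or the destination column are assumptions made for the example. It also shows what "one field at a time" means in practice: a query containing AND or OR is rejected rather than silently misread.

```python
"""Security-log search in the style of the WebUI query box (added example)."""
import ipaddress

# Constructed sample records. Column names are an assumption for this example.
SAMPLE_LOGS = [
    {"time": "10:00:01", "source": "203.0.113.64", "destination": "192.0.2.10",
     "source port": "51234", "service": "22", "action": "drop", "blade": "Firewall"},
    {"time": "10:00:05", "source": "198.51.100.7", "destination": "203.0.113.64",
     "source port": "22", "service": "443", "action": "accept", "blade": "Firewall"},
    {"time": "10:01:12", "source": "192.0.2.33", "destination": "198.51.100.9",
     "source port": "40000", "service": "80", "action": "drop", "blade": "Anti-Bot"},
]


def parse_query(query):
    """Return ("ip", address) or ("field", column, value).

    Raises ValueError for anything outside the documented syntax, including
    the AND / OR operators, which the search box does not support.
    """
    q = query.strip()
    if not q:
        raise ValueError("empty query")
    for op in (" AND ", " OR "):
        if op in q.upper():
            raise ValueError("only one field per query; AND/OR are not supported")
    if ":" not in q:
        # A bare value must be an IP address (ip_address raises ValueError otherwise).
        return ("ip", str(ipaddress.ip_address(q)))
    column, value = q.split(":", 1)
    column, value = column.strip().lower(), value.strip()
    if not column or not value:
        raise ValueError("expected <column_name>:<value>")
    return ("field", column, value)


def is_supported_query(query):
    """True if the query fits the documented syntax, False otherwise."""
    try:
        parse_query(query)
        return True
    except ValueError:
        return False


def search_logs(records, query):
    """Filter records with one query in the WebUI syntax."""
    parsed = parse_query(query)
    if parsed[0] == "ip":
        ip = parsed[1]
        # Assumption: a bare IP matches the source or the destination column.
        return [r for r in records if ip in (r.get("source"), r.get("destination"))]
    _, column, value = parsed
    return [r for r in records if str(r.get(column, "")).lower() == value.lower()]


if __name__ == "__main__":
    for q in ("203.0.113.64", "action:drop", "source port:22", "action:drop AND source:192.0.2.33"):
        if is_supported_query(q):
            print(q, "->", [r["time"] for r in search_logs(SAMPLE_LOGS, q)])
        else:
            print(q, "-> unsupported query syntax")
```

Column names are matched case-insensitively, and the bare-IP form is validated with the standard library, so a typo such as `203.0.113` is reported instead of quietly returning no rows.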
To see the security log record:
The log record opens.
To refresh the security log data:
Click the refresh icon.
To stop local logging:
When necessary, you can stop local logging for better performance. This removes the overhead of creating and maintaining logs. No new local logs are generated until you set the resume option, so events that occur in the meantime leave no local record; if you need those records, configure an external log server (see Log Servers) before you stop local logging.
Storing Logs
Logs can be stored locally in the appliance's non-persistent memory (these logs are lost when the appliance restarts) or on an external SD card (persistent). Logs can also be sent to an externally managed log server (see Log Servers page).
When you insert an SD card, it mounts automatically and then local logs are saved to it. Before you eject an SD card, make sure to unmount it. Select Options > Eject SD card safely.
Note - From R77.20.85 and higher, SD cards are formatted with ext4. Older versions are formatted as FAT32. If you upgrade from a lower version to R77.20.85 or higher, the SD card will remain with FAT32 for backward compatibility.
To delete logs from local log storage:
A confirmation window opens.
The logs are deleted, and the logs grid reloads automatically.
Note - Logs are deleted from the external SD card (if inserted) or from the local logs storage. Logs are not deleted from the remote logs server.
The Logs & Monitoring > System Logs page shows up to 500 system logs (syslogs) generated by the appliance at all levels except the debug level. These logs are intended mainly for troubleshooting and can also notify the administrator of events that occurred on the appliance.
These are the syslog types:
To download the full log file:
To save a snapshot of the syslogs to the flash disk:
This is a best-effort way to keep syslogs persistent across a reboot; it is not guaranteed.
To refresh the system logs list:
Click Refresh. The list is refreshed.
To clear the log list:
The Logs & Monitoring > Log Servers page lets you configure external log servers for security and system logs for additional logging storage.
Note - You cannot configure external log servers when Cloud Services is turned on.
External Check Point Log Server
You can use an external Check Point log server that is managed by a Security Management Server for storing additional logs.
Use cases for an external Check Point Log Server:
Do these steps before you configure an external Check Point log server from this page in the WebUI:
To configure an external Check Point log server:
The External Check Point Log Server window opens.
or
$CPDIR/bin/cpprod_util CPPROD_GetValue SIC MySICname 0
Copy the SIC name value and paste it into the SIC name field on this page.
Important - After the external log server is configured successfully, any change you make on this page in the WebUI requires reinitialization of SIC in SmartDashboard. If you do not reinitialize SIC in SmartDashboard, connectivity to the log server can fail.
To configure a new external Check Point Log Server when the gateway is connected to SMP (Cloud):
After you initiate traffic from resources behind the gateway, open the Check Point Log Server to verify that you see the logs. For more information, see sk145614.
External Syslog Server Configuration
You can configure a gateway to send logs to multiple external syslog servers.
To configure an external syslog server:
The External Syslog Server window opens.
To configure additional syslog servers:
Click Add Syslog Server.
You can also send security logs to syslog servers. They are sent in syslog format, not in the security log format shown on the Security Logs page.
To edit the external syslog server:
Note - When more than one server is defined, the syslog servers show in a table. Select the syslog server you want to edit and click Edit.
To delete the external syslog server:
The server is deleted.
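Because security logs reach a syslog server in syslog format rather than the Security Logs format, a collector has to decode the syslog priority header and then pull the event details out of the message text. The following added example (not Check Point code) does that for a few constructed RFC 3164 style lines. The `<PRI>` header and timestamp/host layout are standard syslog; the key=value layout of the message body, the field names, the gateway host name and the protection name are assumptions made for the example and do not describe the appliance's real output.

```python
"""Decode security logs received in syslog format (added example)."""
import re
from collections import Counter

# RFC 3164 framing: <PRI>TIMESTAMP HOST MSG, with PRI = facility * 8 + severity.
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) "
    r"(?P<msg>.*)$"
)
# key=value pairs; quoted values may contain spaces (assumed message layout).
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

SEVERITY = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
FACILITY = {0: "kern", 1: "user", 3: "daemon", 4: "auth", 5: "syslog", 10: "authpriv"}
FACILITY.update({16 + i: f"local{i}" for i in range(8)})

# Constructed sample input; host name, field names and protection name are made up.
SAMPLE_LINES = [
    '<134>May  1 10:00:01 gw-branch1 action=drop src=203.0.113.64 dst=192.0.2.10 proto=tcp service=22 rule=7',
    '<132>May  1 10:00:05 gw-branch1 action=accept src=198.51.100.7 dst=203.0.113.64 proto=tcp service=443 rule=3',
    '<129>May  1 10:01:12 gw-branch1 blade="Anti-Bot" action=prevent src=192.0.2.33 dst=198.51.100.9 protection="Example Protection"',
    'garbage line without a priority header',
]


def parse_syslog_line(line):
    """Return a dict of syslog metadata plus the key=value fields of the message."""
    m = SYSLOG_RE.match(line)
    if not m:
        raise ValueError(f"not a syslog line: {line!r}")
    pri = int(m.group("pri"))
    if pri > 191:  # 23 facilities * 8 + 7 is the largest legal value
        raise ValueError(f"PRI out of range: {pri}")
    facility, severity = divmod(pri, 8)
    record = {k: v.strip('"') for k, v in KV_RE.findall(m.group("msg"))}
    # Prefix the syslog metadata so it can never collide with event fields.
    record["syslog_facility"] = FACILITY.get(facility, str(facility))
    record["syslog_severity"] = SEVERITY[severity]
    record["syslog_host"] = m.group("host")
    record["syslog_time"] = m.group("ts")
    return record


def ingest(lines):
    """Parse all lines; return (records, number_of_rejected_lines)."""
    records, rejected = [], 0
    for line in lines:
        try:
            records.append(parse_syslog_line(line))
        except ValueError:
            rejected += 1  # count rather than crash on malformed input
    return records, rejected


def count_by(records, field):
    """Count records per value of one field, e.g. actions or source addresses."""
    return Counter(r.get(field, "<missing>") for r in records)


if __name__ == "__main__":
    recs, bad = ingest(SAMPLE_LINES)
    print(f"parsed {len(recs)} records, rejected {bad} lines")
    print(dict(count_by(recs, "action")))
```

Malformed lines are counted, not dropped silently, so a collector can alert when the number of rejected lines rises, which is the usual first sign that the message layout changed after an upgrade.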
In the Infected Devices page you can see information about infected devices and servers in the internal networks. You can also directly create an exception rule for a specified protection related to an infected or possibly infected device or server.
The Infected Devices table shows this information for each entry:
Description | Host Icon | Server Icon
---|---|---
Infected device or server - When the Anti-Bot blade detects suspicious communication between the host or server and an external Command & Control center due to a specified triggered protection. | (icon) | (icon)
Possibly infected device or server - When the Anti-Virus blade detects an activity that may result in host or server infection. For example: | (icon) | (icon)
To filter the infected devices list:
To add a malware exception rule for a specified protection:
The rule is added to Malware Exceptions on the Threat Prevention > Exceptions page.
To view the logs of a specified entry:
The Logs & Monitoring > Security Logs page opens and shows the logs applicable to the IP/MAC address.
Note - This page is available from the Home and Logs & Monitoring tabs.
In the VPN Tunnels page you can see current VPN tunnels opened between this gateway and remote sites. Some sites are configured so tunnels are established only when necessary and some are configured with permanent tunnels. When the appliance is managed by Cloud Services, this table also shows the tunnels for the gateways in the community.
This page is commonly used to see the permanent tunnels. The table shows each tunnel's details when there is an active VPN tunnel.
Field | Description
---|---
From | Host name or IP address of the tunnel's source gateway.
Site Name | Name of the VPN site.
Peer Address | Host name or IP address of the tunnel's destination gateway.
Community Name | If the gateways are part of a community configured by Cloud Services, this column shows the community name with which the tunnel is associated.
Status | VPN tunnel status indication.
To filter the list:
In the Type to filter box, enter the filter criteria.
The list is filtered.
To refresh the list:
Click Refresh to manually refresh this page with updated tunnel information.
Note - This page is available from the VPN and Logs & Monitoring tabs.
The Logs & Monitoring > Connections page shows a list of all active connections.
The list shows these fields:
To filter the list:
In the Type to filter box, enter the filter criteria.
The list is filtered.
To refresh the list:
Click the Refresh link.
See Viewing Reports.
See Using System Tools.
In the Logs & Monitoring > SNMP page you can configure SNMP settings for this gateway.
You can do these actions:
To turn SNMP on or off:
SNMP must be set to on to configure all SNMP settings (users, traps, and trap receivers).
To configure SNMP settings:
Click Configure.
The Configure SNMP General Settings window opens. You can enable SNMP traps, configure system location and contact details, and enable SNMP versions in addition to v3. Note that SNMP v1 and v2c authenticate only with a plaintext community string and do not encrypt traffic, so enable them only if a monitoring system requires them and prefer v3 users with authentication and privacy.
SNMP v3 Users
SNMP Traps Receivers
You can add, delete, or edit the properties of SNMP trap receivers.
Note - To add a new SNMP v3 trap receiver, there must be an SNMP v3 user defined for it.
SNMP Traps
You can enable or disable specified traps from the list and for some traps set a threshold value. The enabled traps are sent to the receivers.
To edit an SNMP trap: