Monitoring

Overview

The SmartDomain Manager supports monitoring and maintenance activities. It has a variety of SmartDomain Manager views that can be used by administrators to confirm that the system is running smoothly and that management activities are being successfully performed.

By default, management activities receive system confirmation within five minutes. Once confirmation has been received, Administrators can use status indicators to determine if management activities were performed successfully. The following status checks can be executed:

If a status check reveals that management activities were not successful, you can use the SmartDomain Manager views such as the Critical Notification window to yield further information for troubleshooting purposes.

It is also possible to use the SmartView Console clients (such as SmartView Tracker and SmartView Monitor) for monitoring, tracking and troubleshooting purposes.

Monitoring Components in the Multi-Domain Security Management System

The SmartDomain Manager General View provides a Domain Contents mode which lets you see at a glance all the components of the system, including Domains, Domain Management Servers and their Security Gateways.

The Domain Contents mode is divided into 2 sections or panes. The far right pane gives a statistical breakdown, or summary of the components in the system depending on what you have selected in the left pane.

For example, if you select the Multi-Domain Security Management root, a summary of Multi-Domain Security Management root Domain-related statistics is displayed: the number of Domains, Domain Management Servers, Security Gateways, Administrators and GUI Clients in the system. Another example, if you select a Domain in the left pane, Domain Properties are displayed, including: user-defined free field information (e.g. Contact Person), entered in the Properties tab of the Domain Configuration window.

The left pane provides a view of all the Domains in the system, their Domain Management Servers and Security Gateways. Information displayed in this pane includes:

• The Multi-Domain Server which contains the Domain Management Server and Domain Log Server.
• The IP addresses of all the components in the system
• Whether the component is Active or Standby (for High Availability).
• Whether the component has been enabled for global use, in this case the global name is displayed.

Exporting the List Pane's Information to an External File

You can save List Pane information to an external file (such as an Excel sheet) for future examination by selecting Manage > Export to File.

Working with the List Pane

You can change the way that the Network Objects mode List Pane looks in order to focus on specific components or networks in the system.

Filtering

To focus on a specific group of objects that share a certain common denominator (such as their IP address range, Domain name or the Multi-Domain Server they are installed on), filter any of the List pane's columns by right-clicking the column heading and selecting Column Filter... from the displayed menu. Additionally:

• To view existing filters, select View > Filter Details.
• To clear all filters, select View > Clear All.

Showing and Hiding Selected List Pane Columns

You can set the List pane to display only the columns you are interested in and hide all others. To hide a specific column, right-click its header and choose Hide Column from the menu. To hide or show more than one column at a time, select View > Show/Hide Columns.

Verifying Component Status

Make sure that all system components (Security Gateways, UTM-1 Edge appliances, Log Servers, Domain Management Servers and Multi-Domain Servers) are in the Started status. Use the SmartDomain Manager General > Network Objects view to examine how system components are working.

The Network Objects mode shows general and status information for all components in the system. This information is displayed in the upper part of the window, or the List pane.

In the Network Objects mode List Pane you can right-click or double-click on a component and execute a command. For example, you can start, stop, configure or update a selected component. Additionally you can launch any of the SmartView Console clients and take advantage of their facilities. For example, if a Domain Security Gateway is behaving sluggishly, launch SmartView Monitor and/or SmartView Tracker from the said Security Gateway to check what activities are taking place at the Security Gateway so as to determine the root of the sluggishness.

Status symbols in the List pane include:

Viewing Status Details

To get more details about a network component, select it in and choose Get Status Details... from the Manage menu. The Status Details window provides hardware, policy and/or run status details according to the selected object. Status details include:

Locating Components with Problems

The Critical Notifications Pane; which is the lower pane in the Network Objects mode, focuses on components which need critical attention. If a component stops or disconnects, this is displayed in the Critical Notifications pane.

The following types of statuses appear in the Critical Notifications Pane:

For each object, the name, status and time of status update is displayed.

Monitoring Issues for Different Components and Features

In this section you will find specific information about different Multi-Domain Security Management elements and the status issues that are raised for each one individually.

Multi-Domain Server

Multi-Domain Servers are managed using their own special view, SmartDomain Manager General View - Multi-Domain Server Contents mode, for administrator convenience. Only Multi-Domain Security Management Superuser administrator can use the Multi-Domain Server Contents mode. Other administrators can use the General > Network Objects view.

For a granular view of Multi-Domain Server activity, the Multi-Domain Security Management Superuser administrator can launch in Audit mode. In SmartView Tracker you can see:

• the management activity logs generated by the administrator
• the time the log was generated
• the GUI Client source
• the administrator performing the actions, and changes to network objects.

The Multi-Domain Security Management Superuser administrator can also start, stop, add or delete a Multi-Domain Server.

Global Policies

Domain network systems operate according to the behavior specified in their Security and Global Policy rules. To see how Global Policies have been applied to Domains in the Multi-Domain Security Management system, use the Global Policies View - Security Policies mode. This mode displays:

• the Global Policies in the system,
• the Domains and Domain Management Servers that are assigned to these policies,
• the time when the assignment took place,
• the last time that the global policy was modified,
• the status of the assignment operation (whether or not it was successful).

Domain Policies

Checking a Domain Management Server Policy

A Domain Management Server policy may or may not contain global rules, depending on whether a global policy was assigned to the Domain. Use the Global Policies View - Security Policies mode to check:

• if a Domain Management Server has been assigned a global policy,
• which Global Policy was assigned,
• the time of the assignment,
• the time that the Global Policy was last changed,
• whether the assignment operation was successful.

You can also use the SmartDomain Manager General View - Network Objects mode to see which Domain policy is assigned to a Domain Management Server.

Security Gateway Policies

Checking a Security Gateway Current Policy

To see which policy is installed on a specific Security Gateway, you can use the General View - Network Objects mode. For each Security Gateway the following information is displayed:

• the Policy Name,
• the Gateway Local Installation Time,
• the local date and time when the policy was installed.

If there are problems with the Security Gateway, they will be displayed in the Critical Notifications Pane, which focuses on components that need attention.

High Availability

Multi-Domain Security Management implements High Availability on the following levels:

• The Security Gateway level.
• The Domain Management Server level - multiple Domain Management Servers are supported, as well as an optional backup Security Management Server.
• The Multi-Domain Server level.

Domain Management Server and Multi-Domain Server High Availability are managed through the SmartDomain Manager High Availability View. The administrator can do all management activities relating to Multi-Domain Server High Availability through this view, and examine the status of these actions.

In the High Availability - Multi-Domain Server Contents mode, the following information is displayed:

• Multi-Domain Servers Active/Standby (login) status,
• Sync Status. This status displays synchronization statuses for Multi-Domain Servers and Domain Management Servers. Synchronization can take time to update the status. These are the status indicators:
  • Unknown, no information has been received about this Domain Management Server synchronization status.
  • Never synced, this Domain Management Server has never been synchronized with the other Domain Management Server.
  • Synchronized, this Domain Management Server is synchronized with the other Domain Management Server.
  • Lagging, the data of this Domain Management Server is less updated than the data of the other Domain Management Server.
  • Advanced, the data of this Domain Management Server is more updated than the data of the other Domain Management Server.
  • Collision, the data of this Domain Management Server conflicts with the data of the other Domain Management Server.

Global VPN Communities

The Global Policies - VPN Communities mode is dedicated to Global VPN Communities. This view shows which Global VPN Communities exist in the system.

After the Global VPN Communities are defined in the Global SmartDashboard, the Global Policies View - VPN Communities mode displays the configuration update status for each community, and the Domains and Security Gateways that participate in the community.

GUI Clients

To see which GUI Clients have been assigned for use, and to which Multi-Domain Servers or Domain environments they are connected, use the GUI Clients View. In this view information is displayed by default in a Domain per GUI Client hierarchy, in other words where you can see the GUI Clients and the Domains assigned to each. You can manage these entities by right-clicking on the GUI Client and selecting to assign Domains to it. This view can be toggled so that the hierarchy is reversed, in other words where you can see GUI Clients per Domain. Similarly, by right-clicking on a Domain you can select to assign GUI Clients to it.

Using SmartConsole

Log Tracking

The Multi-Domain Security Management system uses either Domain Management Servers or Log Servers to gather information about Domain Security Gateway activities. Domain Management Servers and Log Servers can gather detailed log information from Security Gateways, UTM-1 Edge appliances, and many OPSEC-certified security applications. This information can then be accessed using the SmartConsole Clients.

Tracking Logs using SmartView Tracker

All administrator activity using SmartConsole Client applications, such as SmartDashboard, is logged in audit logs. These logs can be monitored using SmartView Tracker, which can dramatically reduce the time needed to troubleshoot configuration errors.

The graphical SmartView Tracker uses the logging data on the server to provide real-time visual tracking, monitoring, and accounting information for all connections including VPN remote user sessions. Administrators can run searches or filter log records to quickly locate and track events of interest.

To use SmartView Tracker:

In the SmartDomain Manager, right-click a Domain Management Server and select Launch Application > SmartView Tracker.

If there is an attack or other suspicious network activity, administrators can use SmartView Tracker to temporarily or permanently terminate connections from specific IP addresses. To learn more about using SmartView Tracker, see the R77 SmartView Tracker Administration Guide.

Real-Time Network Monitoring with SmartView Monitor

SmartView Monitor is an easy-to-use monitoring tool that allows you to inspect network traffic and connectivity. In addition, it provides real-time information about the performance and security state of both Security Gateway and VPN operations.

Monitoring the Status of a Domain Management Server

To use SmartView Monitor, select a Domain Management Server from any view, then right click and choose Launch Application > SmartView Monitor.

If your network experiences problems such as sluggishness, loss of data or security related problems, it is important to immediately identify these phenomena. SmartView Monitor provides a real-time monitoring tool designed to help administrators find the cause of these problems, when and why they occur, and how to fix them. Use SmartView Monitor to examine traffic, requested services, and network load in the Domain network. See the R77 SmartView Monitor Administration Guide.

Check Point System Counters

SmartView Tracker uses Check Point System Counters to collect information about the status, activities, hardware and software usage of different Check Point products in real time. System Counters are used to plot graphs and to view reports of current or archived data collected by Counter Logs.

Traffic Flow and Virtual Link Monitoring

Traffic flow can be monitored per service or network object. SmartView Monitor also enables monitoring based on a variety of parameters, for example the QoS Policy rules installed on an interface, etc. Compliance to a Service Level Agreement (SLA) can be monitored, and alerts can be generated. Traffic can be monitored between two Check Point Security Gateways or two QoS Security Gateways for real time analysis of bandwidth and latency.

Blocking Suspicious Connections

Suspicious Activity rules are security rules that enable the administrator to instantly block suspicious connections not restricted by the currently enforced Security Policy.

Using Thresholds

SmartView Monitor can be used to configure predefined actions that are triggered when certain changes in status occur. For instance, a rule can be defined to send an email to a certain address if the load on a Security Gateway CPU surpasses a threshold that you set.

By default the engine responsible for triggering the events is disabled for Domain Management Servers, but it can be enabled per Domain Management Server by running the following commands from the root shell of the Multi-Domain Server machine:

1. Change to the Domain Management Server environment with the command mdsenv <Domain Management Server Name>
2. cpstat_monitor &

After running this command, thresholds are monitored until the Domain Management Server is stopped.

To permanently enable this functionality for a specific Domain Management Server, you must modify the value of the registry key that sets whether the cpstat_monitor process auto-starts whenever the Domain Management Server is started. You can do so by running the following command from the Domain Management Server environment:

cpprod_util CPPROD_SetValue mds RunCpstatMonitor 1 1 1

SmartReporter Reports

The SmartReporter delivers a user-friendly solution for auditing traffic and generating detailed or summarized reports in the format of your choice (list, vertical bar, pie chart etc.) for events logged by Domain Management Server-managed Security Gateways that are running SmartView Monitor. SmartReporter produces reports for these Security Gateways.

See the R77 SmartReporter Administration Guide.