This section is a step-by-step guide that covers the basic SmartReporter operations.
To create a report based on a predefined template:
A new window appears containing the results of the report generation. Scroll down this window to view the specific report output.
To schedule report creation:
When you generate a report, you generate the selected component using its default properties, or adjust these properties to better address your current requirements. This section describes the most important properties you should examine before generating a report.
In this section you will learn how to customize a new report. For example purposes, you will learn how to create a Security report about Blocked Connections.
To remove a section from the Blocked Connections report, clear the check box next to the specific section name in the Content tab.
This process may take several seconds to several hours, depending on the amount of data that is currently in the database.
A new window appears containing the results of the report generation. Scroll down this window to view the specific report output.
In this section you will learn how to follow the progress of report generation using the Reports and Management views.
The Schedules view lists all the generation schedules of all the reports in your system, as defined in the Schedule tab of each report properties. In this view, you can see a list of all the delayed reports and periodic generation schedules. In addition, you can see the time, frequency and activation period of each scheduled report generation.
To improve performance, schedule report generation when there is less traffic and fewer logs are being generated, so the log consolidator is consuming fewer resources.
In the Reports view, select Results.
The Results page lists reports that are either already generated, being generated, distributed or are pending. This view allows you to follow the report generation progress. In addition, once the generation is complete, it is recorded on the Activity Log page.
The Results list contains the following information:
In the Management view, select Activity Queue.
The Activity Queue page lists reports and general activities that are either being generated, distributed or are pending. This view allows you to follow the report generation progress. Once the generation is complete, it is recorded in the Activity Log page.
The Activity Queue list contains the following information:
The Results View lists the status, start and end times of previously generated reports.
The Action More Information window appears. This window includes detailed information about the status in the Results view. For example, if the status of a generated report is Failed, this window will tell you why it failed.
The reporting server can store a limited amount of Report-Generation status records. In order to modify the amount of information stored, go to the Tools > Options window, and select the Activity Log page. Modify the amount in Activity Log size.
When the quantity of the status reports passes the limit, the oldest status record is deleted. You can decide whether you would like the associated generated Report to be deleted as well by changing the Report output delete method setting.
If the Log Consolidation Engine is not running, you can start the Engine according to the SmartReporter Policy that was last installed.
The Stop Engine window is displayed.
When creating a Consolidation session you are determining the Domain Log Server that should be used to extract information and the database table in which the consolidated information should be stored.
By default if there is a single Domain Log Server connected to your Security Management Server, a Consolidation session will already be created to read the latest logs that are added to the log sequence.
If you select Select default log files and database, click Finish to complete the process. This option indicates that the source of the reports will be preselected logs and all the information will be stored in the default database table named CONNECTIONS. The preselected logs are the sequence of log files that are generated by Check Point Software Blades. The preselected logs session will begin at the beginning of the last file in the sequence or at the point the previous consolidation session was stopped.
If you select Customize, continue with the next step. This option indicates that you will select the source logs and their target table in the next window.
Note - In the case of each of the above four options the Consolidation session will run continuously.
If the specific external log file was previously processed, the following two options are activated. Select the external log file from the list provided and select one of the following two options:
Beginning of file - the session will begin at the beginning of the selected log file.
Last stop - the session will continue from the point at which the previous Consolidation session stopped.
It is recommended that the Out of the Box policy be used. This option is for advanced users only, and by default the Policy Rules button should not be used.
The new session is added to the Consolidation Sessions list in the Sessions tab. The session will begin automatically.
The Consolidated Session More Information window appears.
When configuring the global session settings you are specifying the values according to the logs that are collected. Once the required log values are set, the Log Consolidator Engine collects them, scans them, filters out fields defined as irrelevant, merges records defined as similar and saves them to the SmartReporter database.
To configure consolidation settings:
The Consolidation Parameters Settings window appears.
Note - The Consolidation Memory Pool is only used by the consolidation engine per consolidation session. The database service requires additional memory and is largely dependent on installation configuration and the server generator.
By default the SmartReporter does not store URL information in the database. As long as this check box is disabled, some sections in the "Web activity" will give empty results (and are disabled by default).
Using the command line, you can control the DNS request timeout and the number of retries. These changes only take effect after the consolidation sessions are restarted.
Timeout in milliseconds for one request (default is 5 seconds):
cpprod_util CPPROD_SetValue "Reporting Module" DNSRequestTimeoutMSec 4 <Parameter> 1
The following is an example for 5 seconds (5000 milliseconds):
cpprod_util CPPROD_SetValue "Reporting Module" DNSRequestTimeoutMSec 4 5000 1
Number of retries (default is 2 retries):
cpprod_util CPPROD_SetValue "Reporting Module" DNSRequestRetries 4 <Parameter> 1
The following is an example for 2 retries:
cpprod_util CPPROD_SetValue "Reporting Module" DNSRequestRetries 4 2 1
When you export a table using c:/export, some files are stored in c:/export/<timestamp> and all the files will be given the table name (for example, <tablename>.tbl, <tablename>.con02, etc.).
To back up the export results, save the entire content of the directory in c:/export/<timestamp>.
.tbl file (for example, c:/export/<timestamp>/<tablename>.tbl). When this is done, all the files in the same directory as the .tbl file are imported.
Exporting a table to a remote machine from a Windows platform requires the correct permissions to perform the action. In order to set the permissions, perform the following steps:
The Management view enables you to create, start and stop Consolidation sessions. In this view you can also view the Database Maintenance properties and modify them.
The Log Consolidator process continuously adds new records into the database as they are generated from the Security Gateway. Eventually, the space allocated for the database will fill up. Automatic Maintenance automatically archives or deletes older, less pertinent records from the database to provide space for the newest records.
Before configuring Automatic Maintenance, you should decide whether Automatic Maintenance should be triggered only by disk space or by disk space and record age. In addition, you should determine the minimum and maximum disk space and age of records that you want to store in the database. Since the operation is resource intensive, it should be performed during a period of low activity (for example, in the middle of the night).
Typically, 80% is the High Watermark, since SmartReporter requires the extra space to perform generation optimizations.
The Table Participating in Automatic Maintenance window appears.
The Database Automatic Maintenance Setting window appears.
When the database capacity exceeds the high-watermark, Automatic Maintenance is performed and the oldest records in the database tables are removed so that the capacity is at the low-watermark.
When a record gets to be more than a specific number of days old (for example, the High-end number), that record is removed from the database.
The Activate Now button begins the process of maintaining the database according to the settings in the Database Automatic Maintenance Setting window.
This section provides information on advanced or specific configuration scenarios.
To use Express Reports:
For a Security Rule to generate logs for connections that match it, the Rule Track column should be set to any value other than None (for example, Log generates a standard log, while Account generates an accounting log).
Note that in order to obtain accounting information (the number of bytes transferred and the duration of the connection), the value of the Rule Track column must be Account.
To utilize direction information ("incoming", "outgoing", "internal" or "other"), the organization topology must be configured properly.
This procedure configures SmartView Monitor to collect system data to generate SmartReporter Express Reports. SmartView Monitor settings are enabled through the SmartDashboard. Proceed as follows:
If you do not see SmartView Monitor in the selection to the left, enable it through the General Properties tab. Click General Properties, then in the Check Point Products scroll-down list, select SmartView Monitor. It will appear on the left.
Select SmartView Monitor, and on the SmartView Monitor tab, enable one or all of the following options to make sure that SmartView Monitor collects necessary data for reporting purposes:
Note - Selecting Traffic Connections and Traffic Throughput in the SmartView Monitor tab may affect the performance of the Security Gateway.
Report results are saved in subdirectories of the Results subdirectory of the SmartReporter server as follows:
<Result Location>/<Report Name>/<Generation Date & Time>
For each report, a directory with the report name (for example, <Report Name>) is created in <Result Location>, with a subdirectory named with the generation date and time <Generation Date & Time>. The report is generated into this <Generation Date & Time> subdirectory.
The result location can be modified by selecting Tools > Options and specifying the desired location in the Result Location field of the Options window Generation page.
In addition to saving the result to the SmartReporter server, you can send it to any of the following:
The Mail Information page of the Options window allows you to specify both the sender Email address and the mail server to be used. It also allows you to specify the degree of message severity (Information, Warning or Error) that is to be sent to the administrator.
The Mail Information page of the Tools > Options window allows you to specify that an administrator receive warnings about errors. To enable this option, fill in the Administrator email address, and choose the severity factor for which an error message will be sent, by checking one or more of the severity levels in the Specify the severity of the administrator email notification section.
By default, report calculations are based on the number of events logged. If you have logged accounting data (done by setting the Security Rule Track column to Account), you can base the report calculations on the number of bytes transferred.
You may sort the results by one of two parameters: the number of bytes transferred and the number of events logged. Note that an event takes on different meanings, depending on its context. In most cases, the number of events refers to the number of connections. Access this through the Tools > Options menu.
The number of bytes transferred can be calculated only if the Security Rules' Track column is set to Account. The number of events logged can be calculated as long as the Track column is set to Log or Account.
If both types of information are available, they will both be displayed in the sort order you have specified. For example, a table listing the most active sources in your system can first specify the number of events each source generated and then note the number of bytes related to its activity.
In several scenarios the user name appears in long format (for example, LDAP names). The manner in which the report shows the user name can be changed through the Tools menu > Options > Generation tab. By default, the Show abbreviated user name check box is selected, so that generated reports display only the user name part of the full name. To see the name with the full path, clear this box.
The Options window allows you to specify additional settings including the name and the location of the logo to be displayed in the report header, as well as where to email reports, and report-sorting settings.
By default, the logo file is saved in the $RTDIR/bin directory.
For your convenience, it is possible to generate reports both through the SmartReporter client and through the command line.
Generating reports using the command line GeneratorApp has the following limitations:
To generate reports through the command line, go to the $RTDIR/bin directory on the SmartReporter server and run the following command:
Usage: GeneratorApp [Directory/""] {ReportID}
For example, to generate the Peer To Peer Activity report, whose ID is {60F6FCDA-0F66-43A6-B8E6-271247207F5B}, run the following command:
GeneratorApp ./reports/test {60F6FCDA-0F66-43A6-B8E6-271247207F5B}
If the directory is empty (""), <Result location>/<Report Name>/<Generation Date & Time> would be used as the directory.
For a list of all Report IDs, see Predefined Reports.
To generate a report based on log files that are not part of the log file sequence (fw.log), you must first create a consolidation session to explicitly consolidate these log files.
To create a consolidation session, refer to Configuring Consolidation Settings and Sessions. When creating the consolidation session you should select From a specific log file outside the sequence in step 8.
So that data from the consolidation session based on an external log is not mixed with data from an internal sequence log, we recommend that you use a new table for your external consolidation session.
When the consolidation session is complete, generate reports based on log files that are not part of the log file sequence. To do this, refer to Generating a Report and in step 3 select the table to which the external log file was consolidated.
To schedule generations of the same report using different settings, modify the original report, save it under a different name (for example, Network_Activity_NYC, Network_Activity_Paris etc.) and specify the appropriate schedule for each modified report.
To recover the SmartReporter database, proceed as follows:
evstop -reporter
datadir and innodb_data_file_path entries in the mysql configuration file my.ini (Windows) or my.cnf (all other platforms).
ib_logfile[0-N] under the log directory as specified by the innodb_log_group_home_dir parameter in the my.ini file with the backed up database log files.
To interpret direction data, the network topology must be defined accurately. If the topology is not defined accurately, the traffic will be labeled with a direction of "Other."
You can make the report results available through an internet browser, by checking FTP Upload or Web Upload in the Output tab of the Report properties.
You can also locate the report results on the SmartReporter server. To do this select Management > Activity Log and select More Information for the relevant historical generation status to view the full path of the location.
You can email reports to specified recipients. Make sure that the outgoing mail server is correct in Tools > Options > Mail Information.
To configure the Output tab of a report to send the report by email:
In order to enable report uploads to a web server you must configure the report output properties, and configure the web server to allow uploads.
reports, in the web server root directory. All the Report files that are uploaded to the web server will be placed in this directory.
PUT command permission (also known as Write permission). It is not recommended that permission for anonymous http login be granted.
For the Web upload, the SmartReporter uploads Report result files to the target directory. A target directory must exist at the time of the upload. The upload uses the http:put operation, and on most web servers, permission for this operation needs to be explicitly granted for the target directory.
To make sure that target directories exist:
Manual directory creation:
On the web server, create a directory with the path <report directory root>/<optional path field>/<ReportName> before generating the report. This operation needs to be performed only once.
To avoid installing and configuring scripts, create the directory manually. If you use this option, you must ensure that you select Override Previous Report in the Report Output tab.
If the Path field is left empty in the Report Output tab, create the folder <report directory root>/<ReportName> on the web server.
Automatic directory creation:
svr_webupload.pl by running the svr_webupload_config utility:
$RTDIR/bin directory, run the utility svr_webupload_config using the following command structure:
svr_webupload_config [-i perl_int_loc] [-p rep_dir_root]
Where -i specifies the Perl interpreter location and -p specifies the path for the reports virtual directory which you previously configured.
svr_webupload.pl file from the $RTDIR/bin directory from the SmartReporter computer to the cgi-bin directory on the web server.
Note - Both the cgi-bin directory and the script name can be changed in the SmartReporter Client via the Tools > Options > Web Information > CGI Script Location field.
svr_webupload.pl script (on the web server only) execution permission. It is not recommended that permission be granted for anonymous http login.
In order to enable report uploads to an FTP server, you must configure the Report output properties.
The FTP upload does not require any configuration on the FTP server. The root directory for all report uploads is the FTP root directory of the user specified in the User Name field.
$RTDIR/DistributionScripts directory.
In the Customer Distribution script the responsibility for distribution is placed on the user. The Distribution Process input is the directory that contains the report output files. The script exit code should be 0 upon success and non-zero upon failure.
The Customized Distribution script will time out after the number of seconds entered in the Distribution page of the Reporter options.
For more information, see the Report output (Email, FTP Upload, Web Upload and Custom).
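A custom distribution script that follows the contract described above (report directory in, exit code 0 or non-zero out), as an added example that is not Check Point's code. It assumes the report output directory arrives as the first argument, which the page does not specify; REPORT_ARCHIVE and the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not Check Point code: a custom distribution script.
# Assumption: the report output directory is passed as the first argument and
# has the layout <Result Location>/<Report Name>/<Generation Date & Time>.
# Assumption: REPORT_ARCHIVE is a hypothetical destination root.

# Copy one generated report into the archive. The exit status is the
# contract with the caller: 0 on success, non-zero on any failure.
distribute_report() (
    src=${1%/}
    root=${REPORT_ARCHIVE:-/var/archive/smartreporter}

    # Fail loudly on a missing or empty input directory.
    if [ -z "$src" ] || [ ! -d "$src" ]; then
        echo "distribute: not a directory: '$src'" >&2
        exit 2
    fi
    if [ -z "$(find "$src" -type f | head -n 1)" ]; then
        echo "distribute: no report files in '$src'" >&2
        exit 3
    fi

    # Rebuild <Report Name>/<Generation Date & Time> under the archive root.
    report=$(basename "$(dirname "$src")")
    stamp=$(basename "$src")
    dest="$root/$report/$stamp"

    # Reports list internal hosts and user names: create copies owner-only.
    umask 077
    mkdir -p "$dest" || exit 4
    cp -R "$src"/. "$dest"/ || exit 5

    # Hash the source files, then check the copy against those hashes, so a
    # truncated or partial copy is reported as a failure.
    ( cd "$src" && find . -type f ! -name MANIFEST.sha256 \
          -exec sha256sum {} + ) > "$dest/MANIFEST.sha256" || exit 6
    ( cd "$dest" && sha256sum -c MANIFEST.sha256 >/dev/null 2>&1 ) || exit 7
    exit 0
)

# Re-check an archived report later; non-zero means a file was changed or is
# missing. Keep a copy of the manifest somewhere the archive user cannot write.
verify_archive() (
    cd "$1" 2>/dev/null || exit 1
    sha256sum -c MANIFEST.sha256 >/dev/null 2>&1
)

# Entry point when the script is run with the directory argument.
# With no argument the file only defines the functions.
if [ "$#" -gt 0 ]; then
    distribute_report "$1"
    exit $?
fi
```

Keep the copy well inside the time-out set on the Distribution page: a run that is cut off during the copy leaves no valid manifest, which verify_archive reports as a failure.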
For the most updated performance tuning information, see the R77 Release Notes.
To maximize the performance of your SmartReporter server, follow these guidelines.
Use a distributed Security Management configuration, dedicating one computer to Consolidation and Report generation only.
Improve the Log Consolidator Engine performance by configuring the following settings:
Maximum requests handled concurrently - Set to 50. This value controls the number of threads handling DNS requests.
Refresh cached items every - Set to 48 hours. This value determines how long it takes for a resolved IP address to expire and be removed from the cache setting. If set too high it may result in wrong data because DHCP may change the addresses.
Note - The Consolidation Memory Pool is only used by the consolidation engine per consolidation session. The database service requires additional memory and is largely dependent on installation configuration and the server generator.
The Reporter Generator uses an internal cache for SQL query results; therefore, not every deselected section speeds up the report generation. In general, this will result in a smaller report and reduce generation time.
To view this, scroll to Appendix A in the report result, and click View generation information at the bottom of Appendix A.
If you define different filters for different reporting units that share the same cached SQL, the SQL caching will no longer be viable and the report generation time will significantly increase. It is recommended that you define filters at the report level only.
When setting a user-defined time frame for the report, specify a time frame in whole days. When setting a report period, note that the following settings will slow down the report generation speed:
Schedule report generation when there is less traffic and fewer logs are being generated, so that the log consolidator will consume fewer resources. Schedule reports during the night and on the weekends.
Adjust the database cache size to match your server's available memory. Place the database data and log files on different hard drives (physical disks), if available. For additional information, refer to Modifying SmartReporter Database Configuration.
To dynamically update reports, an administrator must first obtain an update file that contains all the report changes. This file is provided by Check Point.
Once the file is received and saved, perform the following:
The Offline Update window appears.
The file is opened in a browser.
At this point the administrator will be asked to save the previous version before the changes are installed.
At this point the SmartReporter server is updated.
Once the process is complete, the administrator will receive a file from Check Point informing him that the Predefined Reports have been updated.
When configuring a report you can select one of the following output formats:
To create a report in one file:
The file created has an .mht extension.
The default SmartReporter Policy is sufficient for many organizations. If your organization has requirements that are not included in this Policy, you can add, delete or change Consolidation Rules as necessary.
To work with the SmartReporter Policy:
The new session is added to the Consolidation Sessions list in the Sessions tab.
To specify whether logs matching a Consolidation Rule should be skipped or copied to the SmartReporter database, right click the Rule Action column and choose Ignore or Store (respectively).
It is recommended to place Ignore Rules at the beginning of the Rule Base, especially for services that are logged frequently but are not of interest for reports. Ignore Rules do not require Consolidation processes and, therefore, enable the Log Consolidator Engine to move quickly through the logs. The Log Consolidator Engine does not have to consolidate and store an event that matches an Ignore Rule and can quickly move to the next entry in the Log file.
The Rule order is also based on how frequently services are used. Rules regarding the most common services are defined before those addressing less common services. In this way, the Log Consolidator Engine does not have to scan a lengthy Rule Base in order to process most of your log data.
If you choose to store the logs, double click the Action cell to specify their storage format in the Store Options window. Choose one of the following:
By default, the Log Consolidator Engine loads the consolidated records to the SmartReporter database once an hour.
This section provides instructions on modifying specific Out of the Box Rules to better address your specific consolidation requirements. For a detailed description of the Out of the Box Rules, see Default Policy.
If you wish to filter out all broadcast messages (both allowed and disallowed), proceed as follows: