Using SmartReporter

In This Section:

Quick Start

SmartReporter Instructions

SmartReporter Policy

Quick Start

This section is a step-by-step guide that covers the basic SmartReporter operations.

Generating a Report

Note - Before you generate reports, you must start a consolidation session. Logs are available in the SmartReporter database 1 hour after you start the consolidation session.

To create a report based on a predefined template:

  1. In the Reports view, select Definitions.
  2. Select Firewall Blade - Security > Blocked Connections.
  3. Access the Period tab to determine the period over which the report will be generated and the information that should be used to generate the report.
    • Report Period - In this area select one of the following options:
      • Relative Time Frame includes the time period relative to the report generation. This time period defines a proportional interval (for example, Last Week or This Quarter).
      • Specific Dates includes the exact time period for which the report will be generated.
  4. Access the Input tab to determine the Security Gateways for which you would like to generate a report. If more than one Security Gateway is selected as your source, you can generate information per Security Gateway, or create a summary for all the selected Security Gateways.
    • Select Check Point Security Gateways - In this area select the Security Gateways that will participate in report generation:
      • Select all Security Gateways selects all the Security Gateways that are run by the Security Management Server.
      • Select specific Security Gateways enables you to select specific Security Gateways that are run by the Security Management Server, from the tree provided.
      • Add enables you to add a Security Gateway to the existing tree.
    • Show Result - In this area select one of the following options:
      • Per Security Gateway creates a report that details information for each of the selected Security Gateways.
      • Summary of all Security Gateways creates a report that summarizes the information associated with all of the selected Security Gateways.
      • Select Domains creates a report that summarizes the information associated with all of the selected Domains.
    • Generation Input - In this area select the database table that contains the information for the report you are generating. By default the CONNECTIONS table is the primary database table.
      • Sample Mode provides the information for a demo mode. This option is used when you want to see an example of the report you are creating.
      • Other Database Tables enables you to access the information on which you would like your report to be based.
  5. Click the Generate Report button to create the Blocked Connections report.
  6. Click Yes to display the results.

    A new window appears containing the results of the report generation. Scroll down this window to view the specific report output.

Scheduling a Report

To schedule report creation:

  1. In the Reports view, select Definitions.
  2. In the Standard tab, select Firewall Blade - Security > Blocked Connections.
  3. On the Schedule tab, click the Add button to create a new schedule or the Edit button to revise an existing schedule.
    • Frequency - In this area select how often you would like the report to be generated.
    • Generate On - With this option select the date on which SmartReporter should begin to generate the report.
    • Schedule time - With this option select the time at which SmartReporter should begin to generate the report.
    • Schedule activation period - This section is available once you decide the report should be generated more than once. In this area select the date on which SmartReporter should begin to generate the report and the date on which SmartReporter should stop generating the report (if at all).

Customizing a Report

When you generate a report, you can generate the selected component using its default properties, or adjust these properties to better address your current requirements. This section describes the most important properties you should examine before generating a report.

In this section you will learn how to customize a new report. For example purposes, you will learn how to create a Security report about Blocked Connections.

  1. In the Reports view, select Definitions.
  2. In the Standard tab select Firewall Blade - Security > Blocked Connections.
  3. Select the Content tab to see the sections (that is, sub-topics) associated with this report.
  4. Review the Blocked Connections sections by double-clicking a specific section. The window that appears contains information about the selected section.

    To remove a section from the Blocked Connections report, clear the check box next to the specific section name in the Content tab.

  5. Select Blocked Connections and configure the report using the tabs available.
  6. Access the Filter tab to isolate the report data by limiting the records in the database by specific filters. For each filter you select, you can specify the values, such as network objects and services, to be matched out of all values available for that filter.
  7. Click the Generate Report button to create the Blocked Connections report.

    This process may take several seconds to several hours, depending on the amount of data that is currently in the database.

  8. Click Yes to display the results.

    A new window appears containing the results of the report generation. Scroll down this window to view the specific report output.

Viewing Report Generation Status

In this section you will learn how to follow the progress of report generation using the Reports and Management views.

To View Report Generation Schedules

The Schedules view lists all the generation schedules of all the reports in your system, as defined in the Schedule tab of each report properties. In this view, you can see a list of all the delayed reports and periodic generation schedules. In addition, you can see the time, frequency and activation period of each scheduled report generation.

To improve performance, schedule report generation when there is less traffic and fewer logs are being generated, so the log consolidator is consuming fewer resources.

To View Reports and Status

In the Reports view, select Results.

The Results page lists reports that are either already generated, being generated, distributed or are pending. This view allows you to follow the report generation progress. In addition, once the generation is complete, it is recorded on the Activity Log page.

The Results list contains the following information:

To View Server Activities

In the Management view, select Activity Queue.

The Activity Queue page lists reports and general activities that are either being generated, distributed or are pending. This view allows you to follow the report generation progress. Once the generation is complete, it is recorded in the Activity Log page.

The Activity Queue list contains the following information:

To Stop a Specific Report Generation Process

  1. In the Management view, select Activity Queue.
  2. Select the report generation (that is, a specific line in the list) that you would like to stop.
  3. Select Actions > Cancel Action.

To View the Status of Previously Generated Reports

  1. In the Reports view, select Results.

    The Results View lists the status, start and end times of previously generated reports.

  2. Double click a record to display the report results.

To Obtain Additional Information about the Status of a Previously Generated Report

  1. In the Reports view, select Results.
  2. Select the generated report (that is, a specific line in the list) that you are interested in.
  3. Click the Info button in the toolbar.

    The Action More Information window appears. This window includes detailed information about the status in the Results view. For example, if the status of a generated report is Failed, this window will tell you why it failed.

The reporting server can store a limited amount of Report-Generation status records. In order to modify the amount of information stored, go to the Tools > Options window, and select the Activity Log page. Modify the amount in Activity Log size.

When the quantity of the status reports passes the limit, the oldest status record is deleted. You can decide whether you would like the associated generated Report to be deleted as well by changing the Report output delete method setting.

Starting and Stopping the Log Consolidator Engine

Starting the Log Consolidation Engine

If the Log Consolidation Engine is not running, you can start the Engine according to the SmartReporter Policy that was last installed.

  1. To start the Log Consolidation Engine, go to the Management section of the toolbar and select the Consolidation button.
  2. Select the Consolidation session and click Restart.

Stopping the Log Consolidation Engine

  1. To stop the Log Consolidation Engine, go to the Management section of the toolbar and select the Consolidation button.
  2. Select the Consolidation session and click Stop.

    The Stop Engine window is displayed.

  3. Choose one of the following:
    • Shutdown — This option stops the Log Consolidation Engine in an orderly way. All data that has been consolidated up to this point is stored in the Database. Shutdown may take several minutes to an hour.
    • Terminate — This option stops the Log Consolidation Engine immediately. Data that has been consolidated but not yet stored in the Database is not saved.

Configuring Consolidation Settings and Sessions

To Create a Consolidation Session

When creating a Consolidation session you are determining the Domain Log Server that should be used to extract information and the database table in which the consolidated information should be stored.

By default if there is a single Domain Log Server connected to your Security Management Server, a Consolidation session will already be created to read the latest logs that are added to the log sequence.

  1. In the Management view, select Consolidation.
  2. Select the Sessions tab.
  3. Click the Create New button to create a new session. The New Consolidation Session - Select Domain Log Server window opens.
  4. Select the Domain Log Server from which logs will be collected and will be used to generate reports. In Multi-Domain Security Management, you must select a Domain before choosing the Domain Log Server.
  5. Click Next. The New Consolidation Session - Select Log Files and database for consolidation session window appears.
  6. Choose whether to use the default source logs and default database tables, or select specific source logs and specific database tables for consolidation.

    If you select Select default log files and database, click Finish to complete the process. This option indicates that the source of the reports will be preselected logs and all the information will be stored in the default database table named CONNECTIONS. The preselected logs are the sequence of log files that are generated by Check Point Software Blades. The preselected logs session will begin at the beginning of the last file in the sequence or at the point the previous consolidation session was stopped.

    If you select Customize continue with the next step. This option indicates that you will select the source logs and their target table in the next window.

  7. Click Next. The New Consolidation Session - Log File window appears.
  8. Select the source logs and the database table in which the information should be stored.
    • From the Read Log Files list, select the source of the information on which your reports are founded.
      • From the beginning of the sequence - the Consolidation session begins from the beginning of the first file in the log sequence.
      • Newly created from the end of the sequence - the Consolidation session begins from the end of the last file in the log sequence.
      • Continuing the sequence from the last stopped position - the Consolidation session will begin from the point at which the previous Consolidation session stopped.
      • In the sequence starting from a specific log file - the Consolidation session begins from the beginning of a specific log file in the log sequence. Select the external log file from the list provided.

      Note - In the case of each of the above four options the Consolidation session will run continuously.

      • From a specific log file outside the sequence - the Consolidation session will consolidate external log files that are not in the log sequence. When the Consolidation session reaches the end of the external log file, it will be stopped.

      If the specific external log file was previously processed the following two options are activated. Select the external log file from the list provided and select one of the following two options:

      Beginning of file - the session will begin at the beginning of the selected log file.

      Last stop - the session will continue from the point at which the previous Consolidation session stopped.

      • In the Database Table area select the table in which log file information should be stored.
      • Click the Policy Rules button to select the SmartReporter Policy rule that is defined in the SmartDashboard Log Consolidator view.

      It is recommended that the Out of the Box policy be used. This option is for advanced users only, and by default the Policy Rules button should not be used.

  9. Click Finish.

    The new session is added to the Consolidation Sessions list in the Sessions tab. The session will begin automatically.

To View Detailed Information about a Specific Session

  1. In the Management view select Consolidation.
  2. Select the Sessions tab.
  3. In the Consolidation Sessions list select the session whose details you would like to review.
  4. Click the More Info... button.

    The Consolidated Session More Information window appears.

Configuring Consolidation Settings

When configuring the global session settings you are specifying the values according to the logs that are collected. Once the required log values are set, the Log Consolidator Engine collects them, scans them, filters out fields defined as irrelevant, merges records defined as similar and saves them to the SmartReporter database.

To configure consolidation settings:

  1. In the Management view select Consolidation.
  2. Select the Settings tab.
  3. Click the Set button.

    The Consolidation Parameters Settings window appears.

  4. In the Resolved names - Source drop down list select whether the IP addresses in the logs source field should be resolved to a name from the Security Management database only or from the Security Management database and from DNS.
  5. In the Resolved names - Destination drop down list select whether the IP addresses in the logs destination field should be resolved to a name from the Security Management database only or from the Security Management database and from DNS.
  6. In the Maximum requests handled concurrent field enter the number of threads that should handle DNS requests. Adding additional threads can improve DNS performance at the cost of additional memory overhead.
  7. In the Refresh cached items every field enter how long it should take for a resolved IP address to expire and be removed from the cache. If set too high it may result in wrong data because DHCP may change the addresses (recommended value 24 hours).
  8. In the Commit consolidated records every field specify when the consolidator should stop consolidating records and write the records out to the SmartReporter database. By default it writes the consolidated records into the database once an hour.
  9. In the Maximum consolidation memory pool field specify how much memory is allocated for consolidated records. When the memory is exceeded the consolidator writes the records to the SmartReporter database.

    Note - The Consolidation Memory Pool is only used by the consolidation engine per consolidation session. The database service requires additional memory and is largely dependent on installation configuration and the server generator.

  10. Click the NAT translation: Source check box to indicate that the consolidation data will include real IP addresses as set in Security Management objects, or translated IP addresses as set in the SmartDashboard NAT tab for those logs where NAT translation was used.
  11. Click the NAT translation: Destination check box to indicate that the consolidation data will include real IP addresses as set in Security Management objects, or translated IP addresses as set in the SmartDashboard NAT tab for those logs where NAT translation was used.
  12. Select Save full URL in database if you would like URL records to be stored in the SmartReporter Database.

    By default the SmartReporter does not store URL information in the database. As long as this check box is disabled, some sections in the "Web activity" will give empty results (and are disabled by default).

Using the command line you can control DNS implementation Time Out requests and the number of retries. These changes will only take effect after restarting the consolidation sessions.

Exporting and Importing Database Tables

Exporting a Database Table

  1. In the Management view select Database Maintenance.
  2. Select the Tables tab.
  3. Click the Export button.
  4. In the Table drop down list, select the table that you are exporting.
  5. In the Directory Location field enter the base directory to which the table is exported.

    When you export a table using c:/export, some files are stored in c:/export/<timestamp> and all the files will be given the table name (for example, <tablename>.tbl, <tablename>.con02, etc.).
    To back up the export results, save the entire content of the directory in c:/export/<timestamp>.

  6. Click the Send Request button to invoke the operation.

Importing a Database Table

  1. In the Management view select Database Maintenance.
  2. Select the Tables tab.
  3. Click the Import button.
  4. In the File Location field enter the full path of the exported .tbl file (for example, c:/export/<timestamp>/<tablename>.tbl). When this is done all the files in the same directory as the .tbl file are imported.
  5. Using the Target options select the destination table in which to import the data.
  6. Click the Send Request button to invoke the operation.

Exporting a Database Table to a Remote Machine

Exporting a table to a remote machine from a Windows platform requires the correct permissions to perform the action. In order to set the permissions, perform the following steps:

  1. Open the SmartReporter Server service by going to the Windows Start Menu > Settings > Control Panel and then select Administrative Tools > Services.
  2. Double click the SmartReporter Server entry.
  3. Select the Log On tab and set user permissions to an appropriate account that has access to the network drive.

Configuring Database Maintenance Properties

The Management view enables you to create, start and stop Consolidation sessions. In this view you can also view the Database Maintenance properties and modify them.

To Configure Automatic Maintenance

The Log Consolidator process continuously adds new records into the database as they are generated from the Security Gateway. Eventually, the space allocated for the database will fill up. Automatic Maintenance automatically archives or deletes older, less pertinent records from the database to provide space for the newest records.

Before configuring Automatic Maintenance you should decide whether Automatic Maintenance should only be triggered by disk space or by disk space and record age. In addition, you should determine the minimum and maximum disk space and age of records you want to store in the database. Since the operation is resource intensive, it should be performed during a period of low activity (for example, in the middle of the night).

Typically, 80% is the High Watermark, since SmartReporter requires the extra space to perform generation optimizations.

  1. In the Management view select Database Maintenance.
  2. Select the Tables tab.
  3. In the Database Tables list, select the table whose data should be automatically archived or deleted.
  4. Click the Maintenance button.

    The Table Participating in Automatic Maintenance window appears.

  5. Activate the Participating in Automatic Database Maintenance check box and click the Send Request button.
  6. Click OK until the process is complete.

To Modify the Database Maintenance Properties

  1. In the Management view select Database Maintenance.
  2. Select the Maintenance tab.
  3. Click the Set button to modify the Database Maintenance properties.

    The Database Automatic Maintenance Setting window appears.

  4. With the Automatic Maintenance Action options determine whether to archive or delete old records from the database, when the database capacity exceeds the high-watermark.
  5. In the Time of action field, set the time at which the Automatic Maintenance action will start. This should be performed when there is a low level of activity on the server.
  6. In the Database capacity (% of the total database physical size) fields, set the high- and low-watermark (that is, the high- and low-end values of database capacity).

    When the database capacity exceeds the high-watermark, Automatic Maintenance is performed and the oldest records in the database tables are removed so that the capacity is at the low-watermark.

  7. In the Days records stored in database fields, indicate the age of records in the database.

    When a record gets to be more than a specific number of days old (for example, the High-end number), that record is removed from the database.

  8. Click OK to set the new Automatic Maintenance properties.
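
The watermark and record-age rules configured above decide how much log history is still available for later reports and investigations. The following is an added example, not Check Point code: a simplified day-by-day model that assumes a constant daily log volume, one maintenance pass per day at the Time of action, and deletion of the oldest records in whole-day slices. The function name and the sizing figures are constructed for illustration.

```python
from collections import deque


def simulate_maintenance(capacity_gb, high_pct, low_pct, daily_gb, days,
                         max_age_days=None):
    """Day-by-day model of Automatic Maintenance on one table.

    Assumptions (not from the product): constant daily log volume, one
    maintenance pass per day at the Time of action, and deletion in
    whole-day slices, oldest first.
    """
    if not 0 < low_pct < high_pct <= 100:
        raise ValueError("need 0 < low watermark < high watermark <= 100")
    high = capacity_gb * high_pct / 100.0
    low = capacity_gb * low_pct / 100.0
    slices = deque()          # (day written, size in GB), oldest first
    used = 0.0
    watermark_runs = []       # days on which the high watermark was exceeded
    fewest_days_kept = None   # shortest history left right after such a run

    for day in range(1, days + 1):
        slices.append((day, daily_gb))
        used += daily_gb

        # Age rule: drop records that are more than max_age_days old.
        if max_age_days is not None:
            while slices and day - slices[0][0] > max_age_days:
                used -= slices.popleft()[1]

        # Capacity rule: above the high watermark, trim down to the low one.
        if used > high:
            while slices and used > low:
                used -= slices.popleft()[1]
            watermark_runs.append(day)
            kept = len(slices)
            if fewest_days_kept is None or kept < fewest_days_kept:
                fewest_days_kept = kept

    return {
        "watermark_runs": watermark_runs,
        "fewest_days_kept": fewest_days_kept,
        "days_kept_at_end": len(slices),
        "used_gb_at_end": used,
    }


if __name__ == "__main__":
    # Constructed sizing: 100 GB database, 80% / 60% watermarks, 2 GB of
    # consolidated records per day, observed for 60 days.
    by_capacity = simulate_maintenance(100, 80, 60, 2, days=60)
    by_age = simulate_maintenance(100, 80, 60, 2, days=60, max_age_days=20)
    print(by_capacity)
    print(by_age)
```

In the constructed 100 GB case the history left after each capacity-triggered run is 30 days, which is set by the low watermark rather than the high one; with a 20-day age limit the high watermark is never reached.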

To Manually Archive or Delete Older, Less Pertinent Records from the Database

  1. In the Management view select Database Maintenance.
  2. Select the Maintenance tab.
  3. Click the Activate Now button.

The Activate Now button begins the process of maintaining the database according to the settings in the Database Automatic Maintenance Setting window.

SmartReporter Instructions

This section provides information on advanced or specific configuration scenarios.

To use Express Reports.

Required Security Policy Configuration

For a Security Rule to generate logs for connections that match it, the Rule Track column should be set to any value other than None (for example, Log generates a standard log, while Account generates an accounting log).

Note that in order to obtain accounting information (the number of bytes transferred and the duration of the connection), the value of the Rule Track column must be Account.

To utilize direction information ("incoming", "outgoing", "internal" or "other"), the organization topology must be configured properly.

Express Reports Configuration

This procedure configures SmartView Monitor to collect system data to generate SmartReporter Express Reports. SmartView Monitor settings are enabled through the SmartDashboard. Proceed as follows:

  1. In the SmartDashboard network objects branch, select a Security Gateway of interest. Double click the Security Gateway to open the Check Point Gateway properties window.
  2. You will need to enable the SmartView Monitor to collect data for reporting purposes through SmartDashboard.

    If you do not see SmartView Monitor in the selection to the left, enable it through the General Properties tab. Click General Properties, then in the Check Point Products scroll-down list, select SmartView Monitor. It will appear on the left.

    Select SmartView Monitor, and on the SmartView Monitor tab, enable one or all of the following options to make sure that SmartView Monitor collects necessary data for reporting purposes:

    • Check Point System Counters
    • Traffic Connections
    • Traffic Throughput

    Note - Selecting Traffic Connections and Traffic Throughput in the SmartView Monitor tab may affect the performance of the Security Gateway.

  3. To finish this procedure, in SmartDashboard select Policy > Install.

Report Output Location

Report results are saved in subdirectories of the Results subdirectory of the SmartReporter server as follows:

<Result Location>/<Report Name>/<Generation Date & Time>

For each report, a directory with the report name (for example, <Report Name>) is created in <Result Location>, with a subdirectory named with the generation date and time <Generation Date & Time>. The report is generated into this <Generation Date & Time> subdirectory.

The result location can be modified by selecting Tools > Options and specifying the desired location in the Result Location field of the Options window Generation page.

In addition to saving the result to the SmartReporter server, you can send it to any of the following:

The Mail Information page of the Options window allows you to specify both the sender Email address and the mail server to be used. It also allows you to specify the degree of message severity (Information, Warning or Error) that is to be sent to the administrator.

The Mail Information page of the Tools > Options window allows you to specify that an administrator receive warnings about errors. To enable this option, fill in the Administrator email address, and choose the severity factor for which an error message will be sent, by checking one or more of the severity levels in the Specify the severity of the administrator email notification section.

Using Accounting Information in Reports

Data Calculation Scheme

By default, report calculations are based on the number of events logged. If you have logged accounting data (done by setting the Security Rule Track column to Account), you can base the report calculations on the number of bytes transferred.

Sort Parameter

You may sort the results by one of two parameters: the number of bytes transferred and the number of events logged. Note that an event takes on different meanings, depending on its context. In most cases, the number of events refers to the number of connections. Access this through the Tools > Options menu.

The number of bytes transferred can be calculated only if the Security Rules' Track column is set to Account. The number of events logged can be calculated as long as the Track column is set to Log or Account.

If both types of information are available, they will both be displayed in the sort order you have specified. For example, a table listing the most active sources in your system can first specify the number of events each source generated and then note the number of bytes related to its activity.

Format

In several scenarios the user name appears in long format (for example, LDAP names). The manner in which the report shows the user name can be changed through the Tools menu > Options > Generation tab. By default, the Show abbreviated user name check box is selected, so that generated reports display only the user name part of the full name. To see the name with the full path, clear this box.

Additional Settings for Report Generation

The Options window allows you to specify additional settings including the name and the location of the logo to be displayed in the report header, as well as where to email reports, and report-sorting settings.

By default, the logo file is saved in the $RTDIR/bin directory.

Generating Reports using the Command Line

For your convenience, it is possible to generate reports both through the SmartReporter client and through the command line.

Generating reports using the command line GeneratorApp has the following limitations:

To generate reports through the command line, go to the $RTDIR/bin directory on the SmartReporter server and run the following command:

Usage: GeneratorApp [Directory/""] {ReportID}

For example, to generate the Peer To Peer Activity report, whose ID is {60F6FCDA-0F66-43A6-B8E6-271247207F5B}, run the following command: GeneratorApp ./reports/test {60F6FCDA-0F66-43A6-B8E6-271247207F5B}

If the directory is empty (""), <Result location>/<Report Name>/<Generation Date & Time> would be used as the directory.

For a list of all Report IDs, see Predefined Reports.

Reports based on Log Files not part of the Log File Sequence

To generate a report based on log files that are not part of the log file sequence (fw.log), you must first create a consolidation session to explicitly consolidate these log files.

To create a consolidation session, refer to Configuring Consolidation Settings and Sessions. When creating the consolidation session you should select From a specific log file outside the sequence in step 8.

So that data from the consolidation session based on an external log is not mixed with data from an internal sequence log, we recommend that you use a new table for your external consolidation session.

When the consolidation session is complete, generate reports based on log files that are not part of the log file sequence. To do this, refer to Generating a Report and in step 3 select the table to which the external log file was consolidated.

Generating the Same Report using Different Settings

To schedule generations of the same report using different settings, modify the original report, save it under a different name (for example, Network_Activity_NYC, Network_Activity_Paris etc.) and specify the appropriate schedule for each modified report.

How to Recover the SmartReporter Database

To recover the SmartReporter database, proceed as follows:

  1. Stop the SmartReporter by running evstop -reporter.
  2. Replace the original SmartReporter database files with your backed up SmartReporter database files. The location of database files is defined by datadir and innodb_data_file_path entries in the mysql configuration file my.ini (Windows) or my.cnf (all other platforms).
  3. Replace the database log files ib_logfile[0-N] under the log directory as specified by the innodb_log_group_home_dir parameter in the my.ini file with the backed up database log files.
  4. Start the SmartReporter database service normally.
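
Steps 2 and 3 depend on reading three settings correctly out of my.ini / my.cnf. The following is an added example, not part of the SmartReporter tooling: it parses the configuration text, lists the data files and the log directory that the recovery replaces, and reports what a backup lacks before anything is overwritten. The sample configuration, its paths, the function names and the flat backup layout are assumptions made for illustration; innodb_data_home_dir is a standard MySQL option that this page does not mention.

```python
import configparser
import re

# Constructed sample configuration; the paths are placeholders, not the
# product's real install paths.
SAMPLE_CNF = """\
[mysqld]
datadir = /srv/example/reporter-db/data
innodb-data-file-path = ibdata1:10M;ibdata2:10M:autoextend
innodb_log_group_home_dir = "/srv/example/reporter-db/log"
skip-name-resolve
"""

_ABSOLUTE = re.compile(r"^(/|[A-Za-z]:[\\/])")
# Each entry is file_name:file_size[:autoextend[:max:max_file_size]]
_DATA_SPEC = re.compile(
    r"^(?P<name>.+?):\d+[KMG]?(:autoextend(:max:\d+[KMG]?)?)?$", re.IGNORECASE
)
_LOG_FILE = re.compile(r"^ib_logfile\d+$")


def _join(base, name):
    """Return name if it is absolute (Unix or Windows), else base/name."""
    if _ABSOLUTE.match(name):
        return name
    return base.rstrip("/\\") + "/" + name


def _basename(path):
    return path.replace("\\", "/").rsplit("/", 1)[-1]


def restore_plan(cnf_text):
    """Work out which files steps 2 and 3 replace, from my.ini / my.cnf text."""
    parser = configparser.ConfigParser(
        allow_no_value=True,   # bare flags such as skip-name-resolve
        strict=False,          # tolerate repeated options
        interpolation=None,    # '%' in a value is literal
        delimiters=("=",),     # ':' is part of innodb_data_file_path values
    )
    # MySQL treats '-' and '_' in option names as the same character.
    parser.optionxform = lambda key: key.lower().replace("-", "_")
    parser.read_string(cnf_text)
    if not parser.has_section("mysqld"):
        raise ValueError("no [mysqld] section found")
    opts = {k: (v or "").strip().strip("\"'") for k, v in parser.items("mysqld")}

    datadir = opts.get("datadir")
    if not datadir:
        raise ValueError("datadir is not set")
    # When innodb_data_home_dir is absent, data files are relative to datadir.
    data_home = opts.get("innodb_data_home_dir") or datadir

    data_files = []
    for spec in opts.get("innodb_data_file_path", "ibdata1:10M").split(";"):
        match = _DATA_SPEC.match(spec.strip())
        if not match:
            raise ValueError("cannot parse data file spec: %r" % spec)
        data_files.append(_join(data_home, match.group("name")))

    # Without innodb_log_group_home_dir the log files live in datadir.
    log_home = opts.get("innodb_log_group_home_dir")
    log_dir = _join(datadir, log_home) if log_home else datadir
    return {"data_files": data_files, "log_dir": log_dir}


def missing_from_backup(plan, backup_names):
    """List what a flat backup directory lacks before any file is replaced."""
    present = set(backup_names)
    missing = [
        _basename(path)
        for path in plan["data_files"]
        if _basename(path) not in present
    ]
    if not any(_LOG_FILE.match(name) for name in present):
        missing.append("ib_logfile<N>")
    return missing


if __name__ == "__main__":
    plan = restore_plan(SAMPLE_CNF)
    print("replace data files:", plan["data_files"])
    print("replace ib_logfile* under:", plan["log_dir"])
    print("backup is missing:", missing_from_backup(plan, ["ibdata1", "ib_logfile0"]))
```

Run the check while the SmartReporter is stopped and before step 2, so that an incomplete backup is found while the original files are still in place.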

How to Interpret Report Results whose Direction is "Other"

To interpret direction data, the network topology must be defined accurately. If the topology is not defined accurately, the traffic will be labeled with a direction of "Other."

How to View Report Results without the SmartReporter Client

You can make the report results available through an internet browser, by checking FTP Upload or Web Upload in the Output tab of the Report properties.

You can also locate the report results on the SmartReporter server. To do this select Management > Activity Log and select More Information for the relevant historical generation status to view the full path of the location.

You can email reports to specified recipients. Make sure that the outgoing mail server is correct in Tools > Options > Mail Information.

To configure the Output tab of a report to send the report by email:

  1. In File Format, select MHT.
  2. In Send Report To, select Email.
  3. In the To field, enter the recipients.

How to Upload Reports to a Web Server

In order to enable report uploads to a web server you must configure the report output properties, and configure the web server to allow uploads.

Configuring the Report Output tab

  1. Check the Web Upload check box.
  2. Fill the server properties in the fields to the right of the check box list, including the web server name or IP, the User Name and Password that SmartReporter uses to connect to the web server, and the Path of the directory in which the report results are saved.
  3. Select how the new uploaded report is saved (that is, whether in a new directory or overriding the previous report).

Configuring the Web Server

Define the Report Virtual Directory

  1. You must define a virtual directory named reports, in the web server root directory. All the Report files that are uploaded to the web server will be placed in this directory.
  2. Grant this directory PUT command permission (also known as Write permission). It is not recommended that permission for anonymous http login be granted.

Create a Directory for each Report

For Web Upload, SmartReporter uploads the Report result files to the target directory. The target directory must exist at the time of the upload. The upload uses the HTTP PUT operation, and on most web servers, permission for this operation needs to be explicitly granted for the target directory.

To make sure that target directories exist:

Manual directory creation:

On the web server, create a directory with the path <report directory root>/<optional path field>/<ReportName> before generating the report. This operation needs to be performed only once.

To avoid installing and configuring scripts, create the directory manually. If you use this option, you must select Override Previous Report in the Report Output tab.

If the Path field is left empty in the Report Output tab, create the folder <report directory root>/<ReportName> on the web server.

Automatic directory creation:

  1. Configure the svr_webupload.pl by running the svr_webupload_config utility:
    1. On the SmartReporter server, in the $RTDIR/bin directory, run the utility svr_webupload_config using the following command structure:

      svr_webupload_config [-i perl_int_loc] [-p rep_dir_root]

      Where -i specifies the Perl interpreter location and -p specifies the path for the reports virtual directory which you previously configured.

    2. Copy the svr_webupload.pl file from the $RTDIR/bin directory from the SmartReporter computer to the cgi-bin directory on the web server.

    Note - Both the cgi-bin directory and the script name can be changed in the SmartReporter Client via the Tools > Options > Web Information > CGI Script Location field.

  2. Grant the svr_webupload.pl script (on the web server only) execution permission. It is not recommended that permission be granted for anonymous http login.

Uploading Reports to an FTP Server

In order to enable report uploads to an FTP server you must configure the Report output properties.

Configuring the FTP Upload

  1. Enable the FTP Upload option.
  2. Fill the server properties in the fields to the right of the option list, including the FTP server name or IP, the User Name and Password that SmartReporter uses to connect to the FTP server, and the Path of the directory in which the report results are saved.
  3. Select how the new uploaded report is saved (that is, whether in a new directory or overriding the previous report).

The FTP upload does not require any configuration on the FTP server. The root directory for all report uploads is the FTP root directory of the user specified in the User Name field.

Distributing Reports with a Custom Report Distribution Script

  1. Place the script in the $RTDIR/DistributionScripts directory.
  2. Make sure the name of the script matches the name given in the Output tab of the report definition. The script parameters are:
    • A path to the Report Result directory.
    • A string containing the Report name.

With a Custom Distribution script, the responsibility for distribution is placed on the user. The input to the distribution process is the directory that contains the report output files. The script exit code should be 0 upon success and non-zero upon failure.

The Customized Distribution script will time-out after the number of seconds entered in the Distribution page of the Reporter options.
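
A distribution script that follows the contract described above (two parameters, exit code 0 on success, non-zero on failure), as an added example that is not Check Point code. The archive location DEST_ROOT, the function name distribute_report and the specific non-zero codes are assumptions made for illustration.

```shell
#!/bin/sh
# Custom distribution script sketch (added example, not Check Point code).
# SmartReporter passes: $1 = Report Result directory, $2 = Report name.
# Assumption: reports are archived under DEST_ROOT on a local or mounted path.
DEST_ROOT=${DEST_ROOT:-/var/tmp/report-archive}

# Copies the result directory to DEST_ROOT/<report name>/<timestamp> and
# prints the destination. Returns 0 on success, non-zero on any failure.
distribute_report() {
    result_dir=${1:-}
    report_name=${2:-}

    if [ -z "$result_dir" ] || [ -z "$report_name" ]; then
        echo "usage: <result directory> <report name>" >&2
        return 2
    fi
    if [ ! -d "$result_dir" ]; then
        echo "result directory not found: $result_dir" >&2
        return 3
    fi
    # The report name becomes a path component, so refuse anything that
    # could step outside DEST_ROOT. Spaces are fine because of the quoting.
    case $report_name in
        */* | . | ..)
            echo "unsafe report name: $report_name" >&2
            return 4
            ;;
    esac

    dest="$DEST_ROOT/$report_name/$(date +%Y%m%d-%H%M%S)"
    # Report results can contain firewall log detail: keep the copy private
    # to the account that runs the script (umask scoped to the subshell).
    (
        umask 077
        mkdir -p "$dest" && cp -R "$result_dir"/. "$dest"/
    ) || { echo "copy to $dest failed" >&2; return 5; }

    printf '%s\n' "$dest"
    return 0
}

# Entry point when SmartReporter invokes the script with its two parameters.
if [ "$#" -gt 0 ]; then
    distribute_report "$@"
    exit $?
fi
```

Keep the copy target local or on a fast mount so that the script finishes inside the configured time-out.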

To Set the Time-Out Value:

  1. Go to the Tools menu and select Options.
  2. Select the Distribution page.
  3. Enter the number of seconds after which the process times out.
  4. Click OK.

For more information, see the Report output (Email, FTP Upload, Web Upload and Custom).

Improving Performance

For the most updated performance tuning information, see the R77 Release Notes.

Performance Tips

To maximize the performance of your SmartReporter server, follow these guidelines.

Hardware Recommendations

Installation

Use a distributed Security Management configuration, dedicating one computer to Consolidation and Report generation only.

Log Consolidator

Improve the Log Consolidator Engine performance by configuring the following settings:

  1. Set the Consolidation Rules to ignore immaterial logs.
  2. Change the consolidator settings:
    1. In SmartReporter select Management > Consolidation > Settings.
    2. Click the Set button.
    3. To improve DNS resolution performance, modify the following:

      Maximum requests handled concurrently - Set to 50. This value controls the number of threads handling DNS requests.

      Refresh cached items every - Set to 48 hours. This value determines how long it takes for a resolved IP address to expire and be removed from the cache. If set too high, it may result in wrong data because DHCP may change the addresses.

    4. To turn off reverse DNS resolution, change Object Database + DNS to Object Database in the drop-down lists provided.
    5. To improve consolidation, modify the maximum consolidation memory pool to 256 MB according to the memory available on the SmartReporter server.

Note - The Consolidation Memory Pool is only used by the consolidation engine per consolidation session. The database service requires additional memory and is largely dependent on installation configuration and the server generator.

Report Section Generated

  1. Do not choose unnecessary reporting elements. Clear sections that are not relevant to your report.

    The Report Generator uses an internal cache for SQL query results; therefore, not every cleared section speeds up the report generation. In general, however, clearing sections results in a smaller report and reduces generation time.

  2. Table and Graph units that belong to the same section often use the same SQL; therefore, clearing only one of them may not decrease the generation time. It is recommended that you clear an entire section.
  3. If you clear report sections, you should also clear the matching category in the Summary section since it usually uses the same SQL query.
  4. Every report contains a link to a file that contains details about the SQL queries that the Report Generator runs, how many queries are cached, and how long each query takes.

    To view this, scroll to Appendix A in the report result, and click View generation information at the bottom of Appendix A.

Report Filters

If you define different filters for different reporting units that share the same cached SQL, the SQL caching will no longer be viable and the report generation time will significantly increase. It is recommended that you define filters at the report level only.

Report Time Frame

When setting a user-defined time frame for the report, specify a time frame in whole days. When setting a report period, note that the following settings will slow down the report generation speed:

Report Generation Scheduling

Schedule report generation when there is less traffic and fewer logs are being generated, so that the log consolidator will consume fewer resources. Schedule reports during the night and on the weekends.

Fine Tuning SmartReporter Database

Adjust the database cache size to match your server's available memory. Place the database data and log files on different hard drives (physical disks), if available. For additional information, refer to Modifying SmartReporter Database Configuration.

Dynamically Updating Reports

To dynamically update reports, an administrator must first obtain an update file that contains all the report changes. This file is provided by Check Point.

Once the file is received and saved, perform the following:

  1. Access the SmartReporter File menu and select Import Reports....

    The Offline Update window appears.

  2. Select Browse and choose the update file received from Check Point.
  3. Click the View update info button.

    The file is opened in a browser.

  4. Review all the changes and their descriptions.
  5. Click Update Now.

    At this point the administrator will be asked to save the previous version before the changes are installed.

  6. Click Save As and specify the location in which the previous version file should be saved (for example, My Reports > Old Blocked Connections).

    At this point the SmartReporter server is updated.

Once the process is complete, the administrator will receive a file from Check Point informing him that the Predefined Reports have been updated.

Creating a Report in a Single File

When configuring a report you can select one of the following output formats:

To create a report in one file:

  1. In SmartReporter select the Predefined report for which you would like to send a report in one file.
  2. Select the Output tab.
  3. In the File Format drop-down list select MHT.

    The file created has an .mht extension.

SmartReporter Policy

Overview

The default SmartReporter Policy is sufficient for many organizations. If your organization has requirements that are not included in this Policy, you can add, delete or change Consolidation Rules as necessary.

To work with the SmartReporter Policy:

  1. In SmartDashboard, go to the SmartDashboard Log Consolidator view (View > Products > SmartReporter Policy).
  2. Add, delete and change the Consolidation Rules as necessary. See Customizing Predefined Consolidation Rules for additional information.
  3. Save this changed Policy with a different name (File > Save As).
  4. In SmartReporter select Management > Consolidation > Sessions to create a new consolidation session.
  5. Select the Start New button.
  6. Select the relevant Domain Log Server in which logs will be collected and will be used to generate reports and click Next.
  7. Select Customize and click Next in order to select specific source logs and specific database tables for consolidation.
  8. The New Consolidation Session - Log File window appears.
  9. Select the source logs and the database table in which the information should be stored.
    • From the Log File list select the source of the information on which your reports are founded.
    • In the Database Table area select the table in which log file information should be stored.
    • Click the Policy Rules button to select the SmartReporter Policy rule that is defined in the SmartDashboard Log Consolidator view.
    • It is recommended that the Out of the Box policy be used.
  10. Click Finish.

    The new session is added to the Consolidation Sessions list in the Sessions tab.

Specifying the Consolidation Rule Store Options

To specify whether logs matching a Consolidation Rule should be skipped or copied to the SmartReporter database, right click the Rule Action column and choose Ignore or Store (respectively).

It is recommended to place Ignore Rules at the beginning of the Rule Base, especially for services that are logged frequently but are not of interest for reports. Ignore Rules do not require Consolidation processes and, therefore, enable the Log Consolidator Engine to move quickly through the logs. The Log Consolidator Engine does not have to consolidate and store an event that matches an Ignore Rule and can quickly move to the next entry in the Log file.

The Rule order is also based on how frequently services are used. Rules regarding the most common services are defined before those addressing less common services. In this way, the Log Consolidator Engine does not have to scan a lengthy Rule Base in order to process most of your log data.

If you choose to store the logs, double click the Action cell to specify their storage format in the Store Options window. Choose one of the following:

By default, the Log Consolidator Engine loads the consolidated records to the SmartReporter database once an hour.

Customizing Predefined Consolidation Rules

This section provides instructions on modifying specific Out of the Box Rules to better address your specific consolidation requirements. For a detailed description of the Out of the Box Rules, see Default Policy.

If you wish to filter out all broadcast messages (both allowed and disallowed), proceed as follows:

  1. In the Security Policy, define a group of objects with broadcast IP addresses.
  2. In the Default SmartReporter Policy, activate the broadcast Rule and add the broadcast group to its Destination column.