
Monitoring and Handling Alerts

Related Topics

Alert Window

Viewing Alerts

System Alert Monitoring Mechanism

Monitoring Suspicious Activity Rules

Alert Window

Alerts provide real-time information about threats to your computing systems and about how to eliminate them.

Check Point alerts users to potential threats to the security of their systems and provides information about how to avoid, minimize, or recover from the damage.

Alerts are sent by the gateways to the Security Management Server. The Security Management Server then forwards these alerts to SmartView Monitor, which is actively connected to the Security Management Server.

Alerts draw the administrator's attention to problematic gateways and are displayed in SmartView Monitor. An alert is sent:

  • When a passing connection matches a rule or attribute whose Track option is set to Alert,
  • When a system event (a System Alert) is configured to trigger an alert and one of its predefined thresholds is surpassed.

The administrator can define alerts per gateway, for example for specific policies or for specific properties. By default, a new alert that arrives at SmartView Monitor is shown as a pop-up message on the administrator's desktop.

Alerts can also be sent for predefined system events. When a predefined condition is met, you receive an alert about a critical situation; these are called System Alerts. Examples are free disk space dropping below 10%, or a security policy being changed. System Alerts are characterized as follows:

  • Defined per product: For instance, you may define certain System Alerts for Unified Package and other System Alerts for Check Point QoS.
  • Global or per gateway: This means that you can set global alert parameters for all gateways in the system, or you can specify a particular action to be taken on alert on the level of every Check Point gateway.
  • Displayed and viewed via the same user-friendly window.

Viewing Alerts

Alert commands are set in SmartDashboard > Global Properties > Log and Alert > Alerts page. The Alerts in this window apply only to Security Gateways.

To see alerts:

Click the Alerts icon in the toolbar. (Or in the main toolbar button sub-menu, select Tools > Alerts.)

The Alerts window opens. You can set alert attributes and delete displayed alerts.

System Alert Monitoring Mechanism

Check Point Security Management Server has a System Alert monitoring mechanism. It uses the System Alert thresholds you defined. If reached, it activates the defined action.

  • To activate this mechanism: select Tools > Start System Alert Daemon.
  • To stop the System Alert monitoring mechanism: select Tools > Stop System Alert Daemon.

Monitoring Suspicious Activity Rules

The Need for Suspicious Activity Rules

The connection of enterprise and public networks is a great information security challenge, since connections that provide access to employees and customers can also act as an open doorway for those who want to attack the network and its applications.

Modern business needs require that information be easily accessed while at the same time it remains secure and private.

The fast-changing network environment demands the ability to react immediately to a security problem without changing the entire Firewall Rule Base (for example, to block a specific user instantly). All inbound and outbound network activity should be inspected and flagged as suspicious when necessary (for instance, when network or system activity indicates that someone is attempting to break in).

Suspicious Activity Rules

Suspicious Activity Monitoring (SAM) is a utility integrated in SmartView Monitor. It blocks activity that appears suspicious in the SmartView Monitor results. For example, you can block a user who makes several attempts to gain unauthorized access to a network or Internet resource.

A Security Gateway with SAM enabled enforces SAM rules that block suspicious connections even when the Security Policy does not restrict them. SAM rules are applied immediately; Install Policy is not required.

Creating a Suspicious Activity Rule

SAM rules take some CPU resources, so set an expiration that gives you time to investigate but does not affect performance. A SAM rule is a temporary measure, not a replacement for a Security Policy rule, so keep only the SAM rules that you need. If you confirm that an activity is risky, edit the Security Policy, educate users, or otherwise handle the risk.

To block suspicious activity based on source, destination, or service:

  1. Click the Suspicious Activity Rules button in the SmartView Monitor toolbar.

    The Enforced Suspicious Activity Rules window opens.

  2. Click Add.

    The Block Suspicious Activity window opens.

  3. In Source and in Destination, select IP or Network:
    • To block all sources or destinations that fit the other parameters, enter Any.
    • To block one suspicious source or destination, enter an IP Address and Network Mask.
  4. In Service:
    • To block all connections that fit the other parameters, enter Any.
    • To block one suspicious service or protocol, click the button and select a service from the window that opens.
  5. In Expiration, set your investigation time limit.
  6. Click Enforce.

To create a Suspicious Activity rule based on TCP or UDP usage:

  1. In the Block Suspicious Activity window > Service, click the button.

    The Select Service window opens.

  2. Click Custom Service.
  3. Select TCP or UDP.
  4. Enter the port number.
  5. Click OK.

To define SmartView Monitor actions on rule match:

  1. In the Block Suspicious Activity window, click Advanced.

    The Advanced window opens.

  2. In Action, select the Firewall action for SmartView Monitor to do on rule match:
    • Notify - Send a message about the activity, but do not block it.
    • Drop - Drop packets without sending a response. The connection will eventually time out.
    • Reject - Send an RST packet to the source and close the connection.
  3. In Track, select No Log, Log or Alert.
  4. If the action is Drop, and you want the connection to be closed immediately on rule match, select Close connections.
  5. Click OK.

Creating a Suspicious Activity Rule from Results

If you are monitoring traffic, and see a suspicious result, you can create a SAM rule immediately from the results.

Note: You can only create a Suspicious Activity rule for Traffic views with data about the Source or Destination (Top Sources, Top P2P Users, and so on).

  1. In SmartView Monitor open a Traffic view.

    The Select Gateway/Interface window opens.

  2. Select an object and click OK.
  3. In the Results, right-click the bar in the chart, or the row in the report, that represents the source, destination, service, or other traffic property that you want to block.
  4. Select Block Source.

    The Block Suspicious Activity window opens.

  5. Create the rule.
  6. Click Enforce.

For example:

Your corporate policy does not allow peer-to-peer file sharing, and you see it in the Traffic > Top P2P Users results. You right-click the result bar and select Block Source. The SAM rule is set up automatically with the user's IP address and the P2P_File_Sharing_Applications service. Click Enforce. For the next hour, while this traffic is dropped and logged, contact the user.
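As an added example (not code from this page or from a Check Point tool), the Python helper below does two things that the procedures above describe in GUI terms: it translates the Block Suspicious Activity parameters (Source, Destination, Service, Expiration, Action, Close connections, Track) into an equivalent fw sam command line, and it picks repeat offenders out of log lines so that a rule can be generated from observed activity, as in the P2P example. The mapping of the window's options to fw sam flags and criteria keywords (-n/-i/-I/-j/-J, -l, -t, -f, subsrc, subdst, subsrv, subdstsrv, subsrvs), the "tcp/22" service notation and the log line format are assumptions made for this example; the sample log lines are constructed, and the command is only printed unless run() is called with dry_run=False on a Check Point host.

```python
import ipaddress
import re
import shlex
import subprocess
from collections import Counter

# Assumed mapping of the window's Action and "Close connections" options
# to fw sam flags (not taken from this page).
ACTION_FLAGS = {
    ("Notify", False): "-n",
    ("Drop", False): "-i",    # inhibit: drop silently, the connection times out
    ("Drop", True): "-I",     # inhibit and close existing matching connections
    ("Reject", False): "-j",
    ("Reject", True): "-J",
}
# Assumed mapping of the Track option to fw sam "-l" values.
TRACK_FLAGS = {"No Log": "nolog", "Log": "long_noalert", "Alert": "long_alert"}
PROTO_NUMBERS = {"tcp": 6, "udp": 17}   # criteria take IP protocol numbers


def _net(value):
    """'Any' -> None; a host or CIDR -> (network address, netmask) strings."""
    if value is None or str(value).lower() == "any":
        return None
    net = ipaddress.ip_network(value, strict=False)  # a bare host becomes /32
    return str(net.network_address), str(net.netmask)


def _service(value):
    """'Any' -> None; constructed 'tcp/22' or 'udp/53' -> (port, proto number)."""
    if value is None or str(value).lower() == "any":
        return None
    proto, port = str(value).lower().split("/")
    port = int(port)
    if not 0 < port < 65536:
        raise ValueError("port out of range: %r" % value)
    return port, PROTO_NUMBERS[proto]


def sam_command(source="Any", destination="Any", service="Any", action="Drop",
                close_connections=False, track="Log", expiration_seconds=3600,
                gateways="All"):
    """Build the fw sam argument list equivalent to one SAM rule."""
    if not 0 < expiration_seconds <= 24 * 3600:
        # SAM rules cost CPU and are a stopgap: insist on a bounded expiration.
        raise ValueError("expiration must be between 1 second and 24 hours")
    src, dst, svc = _net(source), _net(destination), _service(service)
    if src and dst and svc:
        criteria = ["subsrv", *src, *dst, str(svc[0]), str(svc[1])]
    elif dst and svc:
        criteria = ["subdstsrv", *dst, str(svc[0]), str(svc[1])]
    elif src and svc:
        criteria = ["subsrvs", *src, str(svc[0]), str(svc[1])]
    elif src and not dst:
        criteria = ["subsrc", *src]
    elif dst and not src:
        criteria = ["subdst", *dst]
    else:
        # Any/Any/Any would block everything, and source+destination without a
        # service has no single criterion in this helper: refuse rather than guess.
        raise ValueError("unsupported source/destination/service combination")
    return ["fw", "sam", "-f", gateways, "-t", str(expiration_seconds),
            "-l", TRACK_FLAGS[track], ACTION_FLAGS[(action, close_connections)],
            *criteria]


# Constructed log lines for this example (not a Check Point log format):
# one host is dropped six times on SSH, another only twice, plus one accept.
SAMPLE_LOG = [
    "2013-05-12 10:00:01 action=drop src=192.0.2.10 dst=203.0.113.5 service=tcp/22 rule=7",
    "2013-05-12 10:00:03 action=drop src=192.0.2.10 dst=203.0.113.5 service=tcp/22 rule=7",
    "2013-05-12 10:00:04 action=drop src=198.51.100.7 dst=203.0.113.5 service=tcp/22 rule=7",
    "2013-05-12 10:00:06 action=drop src=192.0.2.10 dst=203.0.113.6 service=tcp/22 rule=7",
    "2013-05-12 10:00:09 action=accept src=192.0.2.10 dst=203.0.113.9 service=tcp/80 rule=2",
    "2013-05-12 10:00:10 action=drop src=192.0.2.10 dst=203.0.113.7 service=tcp/22 rule=7",
    "2013-05-12 10:00:12 action=drop src=198.51.100.7 dst=203.0.113.5 service=tcp/22 rule=7",
    "2013-05-12 10:00:15 action=drop src=192.0.2.10 dst=203.0.113.8 service=tcp/22 rule=7",
    "2013-05-12 10:00:18 action=drop src=192.0.2.10 dst=203.0.113.5 service=tcp/22 rule=7",
]
LOG_RE = re.compile(r"action=(?P<action>\w+) src=(?P<src>[\d.]+) "
                    r"dst=(?P<dst>[\d.]+) service=(?P<svc>\w+/\d+)")


def repeat_offenders(log_lines, threshold=5):
    """Return {(src, service): drop count} for sources dropped >= threshold times."""
    counts = Counter()
    for line in log_lines:
        m = LOG_RE.search(line)
        if m and m.group("action") == "drop":
            counts[(m.group("src"), m.group("svc"))] += 1
    return {key: n for key, n in counts.items() if n >= threshold}


def rules_for_offenders(log_lines, threshold=5, expiration_seconds=3600):
    """One Drop+Log SAM command per offender, one hour by default as in the P2P example."""
    return [sam_command(source=src, service=svc, action="Drop", track="Log",
                        expiration_seconds=expiration_seconds)
            for (src, svc) in sorted(repeat_offenders(log_lines, threshold))]


def run(cmd, dry_run=True):
    """Print the command (default) or execute it on a Check Point host."""
    print(shlex.join(cmd))
    if not dry_run:
        subprocess.run(cmd, check=True)
    return cmd


if __name__ == "__main__":
    for cmd in rules_for_offenders(SAMPLE_LOG):
        run(cmd)
```

The helper refuses an open-ended expiration and an Any/Any/Any rule for the same reason the page gives: a SAM rule is a stopgap that consumes CPU, and a rule broad enough to match everything is a policy change that belongs in the Rule Base, not in SAM.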

Managing Suspicious Activity Rules

The Enforced Suspicious Activity Rules window shows the currently enforced rules. If you add a rule that conflicts with an existing rule, only one of the two is shown and the other remains hidden. For example, if a rule exists to reject HTTP traffic and you define a rule to drop HTTP traffic, only the drop rule is shown.

©2013 Check Point Software Technologies Ltd. All rights reserved.