

Monitoring Threat Prevention with SmartView Tracker

In This Section:

Log Sessions

Threat Prevention Logs

Viewing Logs

Viewing Packet Capture Data

Using Predefined Queries

Log Sessions

Gateway traffic generates a large amount of activity. To keep the number of logs manageable, logs are consolidated by session by default. A session is a period that starts when a user first accesses an application or site. During a session, the gateway records one log for each application or site that the user accesses. All activity that the user does within the session is included in that log.

To see the number of connections made during a session, see the Suppressed Logs field of the log in SmartView Tracker.

In SmartEvent the number of connections during the session is in the Total Connections field of the Event Details.

Session duration for all connections that are prevented or detected in the Rule Base is 10 hours by default. You can change this in SmartDashboard from the Threat Prevention tab > Advanced > Engine Settings > Session Timeout.
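The consolidation described above can be modelled in a few lines. The following is an added example, not Check Point code: it folds a chronological stream of connections into one log per user and application, counts the connections that the Suppressed Logs field would report, and starts a new log when a connection arrives after the session timeout. The timeout is assumed to be measured from the first connection of the session, the action recorded is assumed to be that of the first connection, and the sample connections are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Default Session Timeout named on the page (Engine Settings > Session Timeout).
SESSION_TIMEOUT = timedelta(hours=10)


@dataclass
class Connection:
    """One connection seen by the gateway (constructed input for the example)."""
    user: str
    app: str
    action: str          # "Prevent" or "Detect"
    time: datetime


@dataclass
class SessionLog:
    """One consolidated log: one per application or site a user accesses in a session."""
    user: str
    app: str
    action: str          # assumption: taken from the first connection of the session
    start: datetime
    last_seen: datetime
    connections: int     # what the Suppressed Logs field reports for the session


def consolidate(connections, timeout=SESSION_TIMEOUT):
    """Fold connections into session logs.

    A session is keyed by (user, app). A connection joins the open session for
    that key if it falls within `timeout` of the session start (assumption);
    otherwise it opens a new session and therefore a new log.
    """
    open_sessions = {}
    logs = []
    for c in sorted(connections, key=lambda c: c.time):
        key = (c.user, c.app)
        session = open_sessions.get(key)
        if session is not None and c.time - session.start < timeout:
            session.connections += 1
            session.last_seen = c.time
            continue
        session = SessionLog(c.user, c.app, c.action, c.time, c.time, connections=1)
        open_sessions[key] = session
        logs.append(session)
    return logs


def sample_connections():
    """Constructed traffic: repeated hits on one site, one other site, a late hit past timeout."""
    t0 = datetime(2015, 6, 1, 9, 0)
    return [
        Connection("alice", "bot-cc.example", "Prevent", t0),
        Connection("alice", "bot-cc.example", "Prevent", t0 + timedelta(minutes=5)),
        Connection("alice", "other.example", "Detect", t0 + timedelta(minutes=10)),
        Connection("bob", "bot-cc.example", "Prevent", t0 + timedelta(minutes=2)),
        # 11 hours after alice's first access: beyond the 10-hour default, new session
        Connection("alice", "bot-cc.example", "Prevent", t0 + timedelta(hours=11)),
    ]


def demo():
    """Return the consolidated logs for the sample traffic."""
    return consolidate(sample_connections())


if __name__ == "__main__":
    for log in demo():
        print(f"{log.start:%H:%M} {log.user:6} {log.app:16} {log.action:8} "
              f"connections={log.connections}")
```

Running the block prints four logs for five connections: alice's two early hits on the same site collapse into one log with two connections, while her hit eleven hours later opens a fresh session and its own log. When reading a consolidated log in SmartView Tracker, the Suppressed Logs count is what tells you whether a single entry represents one probe or sustained activity.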

Threat Prevention Logs

Logs from Anti-Bot, Threat Emulation and Anti-Virus are shown in SmartView Tracker. A log is generated if you set the Track option in a Rule Base rule to Log.

Viewing Logs

To open SmartView Tracker:

  • From the Threat Prevention tab > Navigation Tree > Track Logs link
  • From the SmartDashboard menu bar, select SmartConsole > SmartView Tracker

Updating the Anti-Bot and Anti-Virus Rule Base

In some cases, after evaluating a log, it may be necessary to update a rule or rule exception in the SmartDashboard Rule Base. You can do this directly from within SmartView Tracker.

To update a rule in the Anti-Bot and Anti-Virus Rule Base:

  1. Right-click the log entry.
  2. Select Go to Rule.

    SmartDashboard opens showing the related rule in the Anti-Bot and Anti-Virus Rule Base.

  3. Make the necessary changes.
  4. Click Install Policy to install the Anti-Bot, Threat Emulation, and Anti-Virus policy.

To update a rule exception in the Anti-Bot and Anti-Virus Rule Base:

  1. Right-click the log entry.
  2. Select Add Exception to the Rule.

    SmartDashboard opens and shows an Add Exception window in the Threat Prevention Rule Base. These details are shown:

    • Protection - The name of the protection. Details are taken from the ThreatCloud repository or, if there is no connectivity, from the log.
    • Scope - The scope is taken from the log. If there is no related host object, an object is created automatically after you click OK. Click the plus sign to add additional objects.
    • Install On - Shows All by default. You can use the plus sign to add gateways.
  3. Select an Exception Scope option:
    • Apply Exception to rule number X - If you want the exception to apply only to the related rule.
    • Apply Exception to all rules - If you want the exception to apply to all rules. The exception is added to the Exception Groups > Global Exceptions pane.
  4. Click OK.

    The exception is added to the Rule Base. The Action is set to Detect by default. Change it if necessary.

  5. Click Install Policy to install the Anti-Bot, Threat Emulation, and Anti-Virus policy.

Accessing the Threat Wiki

You can open the Threat Wiki from within SmartView Tracker to get more information about a specified protection.

To open the Threat Wiki:

  • Click the malware protection link in the Protection Name field of a log record.

Viewing Packet Capture Data

If you set a rule with the Packet Capture track option, you can see the captures in SmartView Tracker.

To see packet captures in SmartView Tracker:

  1. Locate the log entry with the packet capture.
  2. Right-click the entry and select View packet capture.
  3. Select Internal Viewer and click OK.

    The packet is shown in the Viewer Output window.

    You can also use a third-party capture application by selecting Choose Program and entering the application in the Program Name field.

Using Predefined Queries

There are multiple predefined queries in Network and Endpoint Queries > Predefined > Network Security Blades > Anti-Bot & Anti-Virus. You can filter the queries to focus on logs of interest.

  • All - Shows all Anti-Bot and Anti-Virus traffic, including all prevented and detected connections
  • Anti-Bot - Shows Anti-Bot traffic (prevented and detected connections)
  • Anti-Virus - Shows Anti-Virus traffic (prevented and detected connections)
  • Blocked Incidents - Shows all Anti-Bot and Anti-Virus blocked (prevented) traffic
  • Threat Emulation - Shows all traffic that is sent to ThreatCloud or an Emulation appliance for emulation
  • Malware Detected - Shows files that Threat Emulation identified as malware
  • System - Shows updates and installed policies for Threat Emulation
©2015 Check Point Software Technologies Ltd. All rights reserved.