
Monitoring Traffic and Connections

In This Section:

SmartView Monitor Features

To Start the Monitoring Views

Immediate Actions

Deploying Monitoring

Monitoring and Handling Alerts

Monitoring Suspicious Activity Rules

How SmartView Monitor Works

Configuring SmartView Monitor

Monitoring Gateway Status

Monitoring Tunnels

Monitoring Traffic or System Counters

Monitoring Users

Cooperative Enforcement Solution

SmartView Monitor gives you a complete picture of network and security performance. Use it to respond quickly and efficiently to changes in gateways, tunnels, remote users and traffic flow patterns or security activities.

SmartView Monitor is a high-performance network and security analysis system. This system helps you to establish work habits based on learned system resource patterns. Based on Check Point Security Management Architecture, SmartView Monitor provides a single, central interface, to monitor network activity and performance of Check Point Software Blades.

SmartView Monitor Features

SmartView Monitor allows administrators to easily configure and monitor different aspects of network activities. You can see graphical views from an integrated, intuitive interface.

Defined views include the most frequently used traffic, counter, tunnel, gateway, and remote user information. For example, Check Point System Counters collect information on the status and activities of Check Point products (for example, VPN or NAT). With custom or defined views, administrators can drill down into the status of a specified gateway and/or a segment of traffic. That way, administrators can identify the top bandwidth hosts that influence network performance. If suspicious activity is detected, administrators can immediately apply a Firewall rule to the applicable Security Gateway to block that activity. These Firewall rules can be created dynamically through the graphical interface and set to expire after a specified time period.

You can generate Real-time and historical graphical reports of monitored events. This provides a comprehensive view of gateways, tunnels, remote users, network, security, and performance over time.

The monitoring views show real-time and historical graphical views of:

In SmartView Monitor you can create customized monitoring views.

SmartView Monitor scenarios

Examples of scenarios for which SmartView Monitor can help:

To Start the Monitoring Views

To open the monitoring views in SmartConsole:

  1. From the Gateways & Servers view, select a Gateway.
  2. Click Monitor.

To open SmartView Monitor:

  1. Open SmartConsole > Logs & Monitor.
  2. Open the catalog (new tab).
  3. Click Tunnel & User Monitoring.

Immediate Actions

If the status shows an issue, you can act on that network object.

For example:

Deploying Monitoring

To monitor a Gateway in the Logs & Monitor view of SmartConsole, or in SmartView Monitor:

No other deployment steps are necessary.

Monitoring and Handling Alerts

Alerts provide real-time information about possible security threats, and how to avoid, minimize, or recover from the damage. The administrator can define alerts to be sent for different gateways and for certain policies or properties.

The gateways send alerts to the Security Management Server. The Security Management Server forwards these alerts to SmartView Monitor. By default, an alert is sent as a pop-up message to the administrator desktop when a new alert arrives in SmartView Monitor.

You can set global alert parameters for all gateways in the system, or specify an action to send an alert for a particular gateway.

Alerts are sent when:

System Alerts are sent for predefined system events or for important situation updates. For example, if free disk space is less than 10%, or if a security policy is changed. System Alerts can also be defined for each product. For example, you can define System Alerts for Unified Package and other System Alerts for Check Point QoS.

Viewing Alerts

Alert commands are set in SmartConsole > Global Properties > Log and Alert > Alerts page. The Alerts in this window apply only to Security Gateways.

To see alerts:

  1. Click the Alerts icon in the toolbar.

    The Alerts window opens.

  2. Set alert attributes and delete shown alerts.

System Alert Monitoring Mechanism

The Check Point Security Management Server System Alert monitoring mechanism uses the defined System Alert thresholds. If a threshold is reached, it activates the defined action.

To activate System Alert monitoring:

Go to Tools > Start System Alert Daemon.

To stop the System Alert monitoring:

Go to Tools > Stop System Alert Daemon.

sam_alert

Description

This tool executes SAM (Suspicious Activity Monitoring) actions according to information received through standard input. It is intended for executing SAM actions from the user-defined alerts mechanism.

Syntax

sam_alert [-o] [-v] [-s <sam_server>] [-t <timeout>] [-f <fw_host1> <fw_host2>...]
[-C] [-n|-i|-I -src|-dst|-any|-srv]

Parameters:

  • -o - Prints the input of this tool to the standard output (for pipes).
  • -v - Turns on verbose mode of the fw sam command.
  • -s <sam_server> - The SAM server to be contacted. The default is localhost.
  • -t <timeout> - The time period, in seconds, for which the action is enforced. The default is forever.
  • -f <fw_host> - Identifies the firewalls on which to run the operation. The default is all firewalls.
  • -C - Cancels the specified operation.
  • -n - Notify every time a connection that matches the specified criteria passes the Firewall.
  • -i - Inhibit connections that match the specified criteria.
  • -I - Inhibit connections that match the specified criteria and close all existing connections that match the criteria.
  • -src - Match the source address of connections.
  • -dst - Match the destination address of connections.
  • -any - Match either the source or destination address of the connection.
  • -srv - Match specific source, destination, protocol and service.
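As an added example (not code from the Check Point documentation or product), a POSIX sh wrapper for the user-defined alert mechanism described above (the useralert action runs a script): it validates the source address in the alert and checks an exemption list before forwarding the alert text to sam_alert with -t, -i and -src, so an automated block cannot be turned against the management or monitoring hosts. It assumes the alert text reaches stdin with a "src: <ip>" field and that sam_alert parses the same text from its own stdin; the script name sam_wrapper.sh and the variables SAM_ALERT_CMD, SAM_TIMEOUT and EXEMPT_HOSTS are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the Check Point documentation or product: a wrapper
# for the user-defined alert mechanism (Global Properties > Log and Alert >
# Alert Commands). It reads the alert text from stdin, checks the reported
# source against an exemption list, and only then forwards the text to
# sam_alert for a time-limited inhibit.
# Assumptions (not stated on the page): the alert text carries a "src: <ip>"
# field, and sam_alert parses that same text from its own stdin.

SAM_ALERT_CMD="${SAM_ALERT_CMD:-sam_alert}"   # override for dry runs
SAM_TIMEOUT="${SAM_TIMEOUT:-3600}"            # enforce for one hour, then expire
# Addresses that must never be auto-inhibited, e.g. the management server and
# the monitoring host (constructed sample values).
EXEMPT_HOSTS="${EXEMPT_HOSTS:-10.0.0.1 10.0.0.2}"

# valid_ipv4: succeed only for a well-formed dotted quad, so a malformed or
# crafted alert cannot feed an arbitrary string into the block rule.
valid_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet; do
        [ ${#octet} -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# extract_src: print the source address named in an alert line, or fail.
extract_src() {
    src=$(printf '%s\n' "$1" | sed -n 's/.*src: *\([0-9.]*\).*/\1/p' | head -n 1)
    valid_ipv4 "$src" || return 1
    printf '%s\n' "$src"
}

# is_exempt: succeed when the address is on the exemption list.
is_exempt() {
    for host in $EXEMPT_HOSTS; do
        if [ "$host" = "$1" ]; then return 0; fi
    done
    return 1
}

# decide: map an alert line to "inhibit <ip>", "skip-exempt <ip>" or
# "skip-unparsed". Kept free of side effects so it can be tested directly.
decide() {
    src=$(extract_src "$1") || { printf 'skip-unparsed\n'; return 0; }
    if is_exempt "$src"; then
        printf 'skip-exempt %s\n' "$src"
    else
        printf 'inhibit %s\n' "$src"
    fi
}

# handle_alert: read one alert from stdin, act on it, and print the decision.
handle_alert() {
    alert=$(cat)
    action=$(decide "$alert")
    case "$action" in
        inhibit*)
            # -i inhibits connections whose source matches; -t bounds the
            # rule's lifetime, as the page recommends for SAM rules.
            printf '%s\n' "$alert" | "$SAM_ALERT_CMD" -t "$SAM_TIMEOUT" -i -src
            ;;
    esac
    printf '%s\n' "$action"
}

# Configure the Alert Command as: /path/to/sam_wrapper.sh run
case "${1:-}" in
    run) handle_alert ;;
esac
```

Running with SAM_ALERT_CMD=true gives a dry run that prints the decision without touching any gateway.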

Monitoring Suspicious Activity Rules

Suspicious Activity Monitoring (SAM) is a utility integrated in SmartView Monitor. It blocks activities that you see in the SmartView Monitor results and that appear to be suspicious. For example, you can block a user who tries several times to gain unauthorized access to a network or Internet resource.

A Security Gateway with SAM enabled has Firewall rules to block suspicious connections that are not restricted by the security policy. These rules are applied immediately (Install Policy not required).

The Need for Suspicious Activity Rules

Connections between enterprise and public networks are a security challenge as they leave the network and its applications open to attack. You must be able to inspect and identify all inbound and outbound network activity and decide if it is suspicious.

Creating a Suspicious Activity Rule

SAM rules use CPU resources. Therefore, set an expiration time so you can inspect traffic but not negatively affect performance.

If you confirm that an activity is risky, edit the Security Policy, educate users, or handle the risk.

You can block suspicious activity based on source, destination, or service.

To block an activity:

  1. In the SmartView Monitor, click Suspicious Activity Rules.

    The Enforced Suspicious Activity Rules window opens.

  2. Click Add.

    The Block Suspicious Activity window opens.

  3. In Source and in Destination, select IP or Network:
    • To block all sources or destinations that match the other parameters, enter Any.
    • To block one suspicious source or destination, enter an IP Address and Network Mask.
  4. In Service:
    • To block all connections that fit the other parameters, enter Any.
    • To block one suspicious service or protocol, click the button and select a service from the window that opens.
  5. In Expiration, set a time limit.
  6. Click Enforce.

To create an activity rule based on TCP or UDP:

  1. In the Block Suspicious Activity window, click Service.

    The Select Service window opens.

  2. Click Custom Service.
  3. Select TCP or UDP.
  4. Enter the port number.
  5. Click OK.

To define SmartView Monitor actions on rule match:

  1. In the Block Suspicious Activity window, click Advanced.

    The Advanced window opens.

  2. In Action, select the Firewall action for SmartView Monitor to do on rule match:
    • Notify - Send a message about the activity, but do not block it.
    • Drop - Drop packets, but do not send a response. The connection will time out.
    • Reject - Send an RST packet to the source and close the connection.
  3. In Track, select No Log, Log or Alert.
  4. If the action is Drop: To close the connection immediately on rule match, select Close connections.
  5. Click OK.

Creating a Suspicious Activity Rule from Results

If you monitor traffic and see a suspicious result, you can create a SAM rule immediately from the results.

Note - You can only create a Suspicious Activity rule for Traffic views with data about the Source or Destination (Top Sources, Top P2P Users, and so on).

To create a SAM rule:

  1. In SmartView Monitor open a Traffic view.

    The Select Gateway / Interface window opens.

  2. Select an object and click OK.
  3. In the Results, right-click the bar in the chart (or the row in the report), that represents the source, destination, or other traffic property to block.
  4. Select Block Source.

    The Block Suspicious Activity window opens.

  5. Create the rule.
  6. Click Enforce.

For example:

Your corporate policy does not allow peer-to-peer file sharing, and you see it in the Traffic > Top P2P Users results.

  1. Right-click the result bar and select Block Source.

    The SAM rule is set up automatically with the user IP address and the P2P_File_Sharing_Applications service.

  2. Click Enforce.
  3. For the next hour, while this traffic is dropped and logged, contact the user.

Managing Suspicious Activity Rules

The Enforced Suspicious Activity Rules window shows the currently enforced rules. If you add a rule that conflicts with another rule, the conflicting rule remains hidden. For example, if you define a rule to drop http traffic, and a rule exists to reject http traffic, only the drop rule shows.

How SmartView Monitor Works

Data for the status of all gateways in the system is collected by the Security Management Server and viewed in SmartView Monitor. The data shows status for:

Gateway Status is the SmartView Monitor view which shows all component status information. A Gateway Status view shows a snapshot of all Software Blades, such as VPN and ClusterXL, and third party products (for example, OPSEC-partner gateways).

Gateway Status is similar in operation to the SNMP daemon that provides a mechanism to get data about gateways in the system.

Figure: How SmartView Monitor Works

SIC is initialized between Security Gateways (3) (local and remote), and the Security Management Server (2). The Security Management Server then gets status data from the Software Blades with the AMON (Application Monitoring) protocol. SmartView Monitor (1) gets the data from the Security Management Server.

AMON

The Security Management Server acts as an AMON client. It collects data about installed Software Blades. Each Security Gateway, or any other OPSEC gateway that runs an AMON server, acts as the AMON server. The gateway requests status updates from other components, such as the Firewall kernel and network servers. Requests are fetched at a defined interval.

An alternate source for status collection can be any AMON client, such as an OPSEC partner, which uses the AMON protocol.

The AMON protocol is SIC-based. It can collect data only after SIC is initialized.

Defining Status Fetch Frequency

The Security Management Server collects status data from the Security Gateways on a defined interval. The default is 60 seconds.

To set the Status Fetching Interval:

  1. Open SmartConsole.
  2. Open Global Properties > Log and Alert > Time Settings.
  3. Enter the number of seconds in Status fetching interval.

Configuring SmartView Monitor

System Alerts and Thresholds

You can set thresholds for selected gateways. When a threshold is passed, a system alert is sent.

To set System Alert thresholds:

  1. Open Gateways Status view.
  2. Right-click a network object and select Configure Thresholds.

    The Threshold Settings window opens.

  3. Set the thresholds for the selected object:
    • Use global settings - All objects get the same thresholds for system alerts.
    • None - The selected gateway object does not have thresholds for system alerts.
    • Custom - Change the thresholds for the selected object to be different than the global settings.

To change Global Threshold settings:

  1. In the Threshold Settings window, click Edit Global Settings.

    The Global Threshold Settings window opens.

    Figure: Global Threshold Settings

  2. Select thresholds.
  3. In Action, select:
    • none - No alert.
    • log - Sends a log entry to the database.
    • alert - Opens a pop-up window to your desktop.
    • mail - Sends a mail alert to your Inbox.
    • snmptrap - Sends an SNMP alert.
    • useralert - Runs a script. Make sure a user-defined action is available. Go to SmartConsole > Global Properties > Log and Alert > Alert Commands.

To change custom threshold settings:

  1. In the Threshold Settings window, select Custom.

    The global threshold settings show.

  2. Select thresholds to enable for this gateway or cluster member.
  3. Set defining values.

Working with SNMP Monitoring Thresholds

You can configure a variety of different SNMP thresholds that generate SNMP traps, or alerts. You can use these thresholds to monitor many system components automatically without requesting information from each object or device. The categories of thresholds that you can configure include:

Some categories apply only to some machines or deployments.

Note - SNMP monitoring thresholds are supported from R75.20, R71.30, and higher.

In each category there are many individual thresholds that you can set. For example, the hardware category includes alerts for the state of the RAID disk, the state of the temperature sensor, the state of the fan speed sensor, and others. For each individual threshold, you can configure:

You can also configure some settings globally, such as how often alerts are sent and where they are sent to.

Types of Alerts

Configuring SNMP Monitoring

Configure the SNMP monitoring thresholds in the command line of the Security Management Server. When you install the policy on the gateways the SNMP monitoring thresholds are applied globally to all gateways.

Configuring in Multi-Domain Security Management

In a Multi-Domain Security Management environment, you can configure thresholds on the Multi-Domain Server and on each individual Domain Server. Thresholds that you configure on the Multi-Domain Server are for the Multi-Domain Server only. Thresholds that you configure for a Domain Server are for that Domain Server and its gateways. If a threshold applies to the Multi-Domain Server and the Domain Server gateways, set it on both the Multi-Domain Server and the Domain Server. But in this situation you can only get alerts from the Multi-Domain Server if the threshold is passed.

For example, because the Multi-Domain Server and Domain Server are on the same machine, if the CPU threshold is passed, it applies to both of them. But only the Multi-Domain Server generates alerts.

You can see the Multi-Domain Security Management level for each threshold with the threshold_config utility.

Configuring a Local Gateway Policy

You can configure SNMP thresholds locally on a gateway with the same procedure that you do on a Security Management Server. But each time you install a policy on the gateway, the local settings are erased and it reverts to the global SNMP threshold settings.

You can use the threshold_config utility to save the configuration file and load it again later.

On SecurePlatform and Linux, the configuration file that you can back up is: $FWDIR/conf/thresholds.conf

On Windows, the configuration file that you can back up is: %FWDIR%\conf\thresholds.conf

Configuration Procedures

There is one primary command to configure the thresholds in the command line, threshold_config. You must be in the Expert mode to run it. After you run threshold_config, follow the on-screen instructions to make selections and configure the global settings and each threshold.

When you run threshold_config, you get these options:

Configure Global Alert Settings

If you select Configure global alert settings, you can configure global settings for how frequently alerts are sent and how many alerts are sent. You can configure these settings for each threshold. If a threshold does not have its own alert settings, it uses the global settings by default.

You can configure these options:

Configure Alert Destinations

If you select Configure Alert Destinations, you can add and remove destinations for where the alerts are sent. You can see a list of the configured destinations. A destination is usually an NMS (Network Management System) or a Check Point Log Server.

After you enter the details for a destination, the CLI asks if the destination applies to all thresholds.

For each threshold, you can choose to which of the alert destinations its alerts are sent. If you do not define alert destination settings for a threshold, it sends alerts to all of the destinations that you applied to all thresholds.

For each alert destination enter:

Configure Thresholds

If you select Configure thresholds, you see a list of the categories of thresholds, including:

Some categories apply only to some machines or deployments. For example, Hardware applies only to Check Point appliances and High Availability applies only to clusters or High Availability deployments.

Select a category to see the thresholds in it. Each threshold can have these options:

Completing the Configuration

You can complete threshold configuration and activate the settings.

To complete configuration and activate the settings:

  1. On the Security Management Server, install the policy on all Security Gateways.
  2. For a local Security Gateway threshold policy or a Multi-Domain Security Management Multi-Domain Server environment, use the cpwd_admin utility to restart the CPD process:
    1. Run: cpwd_admin stop -name CPD -path "$CPDIR/bin/cpd_admin" -command "cpd_admin stop"
    2. Run: cpwd_admin start -name CPD -path "$CPDIR/bin/cpd" -command "cpd"

Monitoring SNMP Thresholds

You can see an overview of the SNMP thresholds that you configure in SmartView Monitor.

To see an overview of the SNMP thresholds:

  1. Open SmartView Monitor and select a Security Gateway.
  2. In the summary of the Security Gateway data that opens in the bottom pane, click System Information.
  3. In the new pane that opens, click Thresholds.

    In the pane that opens, you can see these details:

    • General Info - A summary of the total SNMP Threshold policy.
      • Policy name - The name that you set for the policy in the CLI.
      • State - If the policy is enabled or disabled.
      • Thresholds - How many thresholds are enabled.
      • Active events - How many thresholds are currently sending alerts.
      • Generated Events - How many not active thresholds became active since the policy was installed.
    • Active Events - Details for the thresholds that are currently sending alerts.
      • Name - The name of the alert (given in the CLI).
      • Category - The category of the alert (given in the CLI), for example, Hardware or Resources.
      • MIB object - The name of the object as recorded in the MIB file.
      • MIB object value - The value of the object when the threshold became active, as recorded in the MIB file.
      • State - The status of the object: active or clearing (passed the threshold but returns to usual value).
      • Severity - The severity of that threshold, as you configured for it in the CLI.
      • Activation time - When the alert was first sent.
    • Alert Destinations - A list of the destinations that alerts are sent to.
      • Name - The name of the location.
      • Type - The type of location. For example, a Log Server or NMS.
      • State - If logs are sent from the gateway or Security Management Server to the destination machine.
      • Alert Count - How many alerts were sent to the destination from when the policy started.
    • Errors - Shows thresholds that cannot be monitored. For example, the Security Gateway cannot monitor RAID sensors on a machine that does not have RAID sensors. Therefore it shows an error for the RAID Sensor Threshold.
      • Threshold Name - The name of the threshold with an error.
      • Error - A description of the error.
      • Time of Error - When the error first occurred.

Customizing Results

You can create Custom Views, to change the fields that show in the results.

Editing a Custom View

The changes you make to a view are not automatically saved. You can use this procedure to save a predefined view as a new Custom view.

To save a new view with changes:

  1. Right-click the results of the view and select Properties.

    Note - For some of the views, this option is View Properties or Query Properties.

  2. Add or remove fields and other options for the view.
  3. Click OK.
  4. For some of the views, select the gateway.
  5. In the Results toolbar, click the Save View to Tree button.
  6. In the window that opens, enter a name for the new view.
  7. Click Save.

Creating a Custom Gateway Status View

To create a custom Gateway status view:

  1. In the Tree, right-click Custom and select New Gateways View.

    The Gateway Properties window opens.

  2. In Select available fields from, select the source of the data.
  3. In Available fields, double-click the data to add to SmartView Monitor.
  4. Open the Filter Gateways tab to remove gateways from the results of this view.
  5. Click OK.
  6. Right-click the new Custom view and select Rename.
  7. Enter a name for the view.

Creating a Custom Traffic View

To create a custom traffic view:

  1. In the Tree, right-click Custom and select New Traffic View.

    The Query Properties window opens.

  2. Select History or Real Time.
  3. If you select Real Time, select what you want to see:
    • Interfaces
    • Services
    • IPs / Network Objects
    • QoS Rules
    • Security Rules
    • Connections
    • Tunnels
    • Virtual Links
    • Packet Size Distribution
  4. Select the Target gateway.
    • If you often need results for one gateway, select it in Specific Gateway.
    • If you have a small number of gateways, you can create a custom view for each one.
    • If not, select Prompt for Gateway before run.
  5. Open the next tabs.

    The tabs that show depend on the Query Type you selected.

    • If you select History, the next tab is Traffic History, where you select the Time Frame and type of report.
    • If you select Real Time, the next tabs let you set services or objects to monitor, gateways or specified IP addresses to monitor, update interval, result type, and chart settings.
  6. Click Save.
  7. Right-click the new Custom view and select Rename.
  8. Enter a name for the view.

Creating a Custom Counters View

To create a custom counters view:

  1. In the Tree, right-click Custom and select New Counters View.

    The Query Properties window opens.

  2. Select History or Real Time.
  3. Select the Target gateway.
    • If results for one gateway are frequently necessary, select it in Specific Gateway.
    • If you have a small number of gateways, you can create a custom view for each one.
    • If not, select Prompt for Gateway before run.
  4. Open the Counters tab.
  5. Select a category and the counters to add.

    You can add counters from different categories to one view.

  6. In the Query Type:
    • If the Query Type is History: Select the Time Frame and click Save.
    • If the Query Type is Real Time:
      1. Open the Settings tab.
      2. Set the update interval and chart type.
      3. Click Save.
  7. Right-click the new Custom view and select Rename.
  8. Enter a name for the view.

Creating a Custom Tunnel View

To create a custom tunnel view:

  1. In the SmartView Monitor client, select File > New > Tunnels View.

    The Query Properties window shows.

  2. Select Prompt on to generate a report about a specified Tunnel, Community or Gateway.

    Prompt on: When you run the view, you will be asked for the specified Tunnel, Community or Gateway on which to base your view.

    Important - Do not select Prompt on if your view is not about one of these three.

  3. Select Show one record per tunnel or Show two records per tunnel.

    Show two records per tunnel shows a more accurate status because the report provides the status for the tunnels in both directions.

  4. In the Show column, select the filter to be related to this view.
  5. In the Filter column, click the corresponding Any(*) link.
  6. Select the related objects to edit the selected filters.
  7. Click the Advanced button.
  8. Set a limit in the Records limitation window for the number of lines that show in the report.
  9. Enter a record limitation.
  10. Click OK.

    A Tunnels view shows in the Custom branch of the Tree View.

  11. Enter the name of the new Tunnel view.
  12. Press Enter.

Creating a Custom Users View

To create a custom users view:

  1. In SmartView Monitor, select File > New > Users View.

    The Query Properties window shows.

  2. Select Prompt on to generate a user report about a specified user or Gateway.

    Prompt on: When you decide to run the view, you will be asked for the specified User DN or Gateway on which to base your view.

    Important - Do not select Prompt on if your view is not about one of these two.

  3. In the Show column, select the filter to be related with this view.
  4. In the Filter column, click the corresponding Any(*) link.
  5. Select the related objects to edit the selected filters.
  6. Click the Advanced button to set a limit (in the Records limitation window) to the number of lines that show in the report.
  7. Enter a record limitation.
  8. Click OK.

    A Users view shows in the Custom branch of the Tree View.

  9. Enter a name for the new Users view.
  10. Press Enter.

Custom View Example

For example purposes, we create a real-time Traffic view for Services.

To create a real-time traffic view:

  1. Double-click the view to change and select the gateway for which you create the view.
  2. Select the View Properties button on the view toolbar.

    The Query Properties window shows.

  3. Select Real-Time.

    Real-Time provides information about currently monitored traffic or system counters.

  4. Select History for information that was logged before.
  5. Select the topic about which you want to create a Real-Time traffic view in the drop-down list provided. For this example, select Services.

Note - The remaining tabs in the Query Properties window change according to the type of view you create and the selection you made in the Real-Time drop-down list.

  1. Select the Target of this Custom Traffic view.

    Target is the gateway for which you monitor traffic.

  2. Click the Monitor by Services tab.
  3. Select Specific Services and the Services for which you want to create a custom Traffic view.
  4. Click the Filter tab.
  5. Make the necessary selections.
  6. Click the Settings tab.
  7. Make the necessary selections.
  8. Click OK when you are done with your selections.

    The Select Gateway / Interface window shows.

  9. Select the gateway or interface for which you want to create or run this new view.
  10. Click the Save to Tree button on the toolbar.
  11. Enter a name for the new view.
  12. Click OK.

    The new view is saved in the Custom branch.

Exporting a Custom View

You can back up a custom view before you install an upgrade. You can share a custom view with other SmartView Monitor GUI clients and other users.

To export a custom view:

  1. Right-click the view and select Export Properties.
  2. In the window that opens, enter a pathname for the export file.
  3. Click Save.

    A file with an svm_setting extension is created.

Setting Your Default View

You can set which view to see when SmartView Monitor starts.

In the Tree, right-click the view and select Run at Startup.

Refreshing Views

Results are automatically refreshed every 60 seconds.

To refresh the view earlier, right-click the view name in the Tree and select Run.

To refresh data about an object in the current view, right-click the object in the results and select Refresh.

Monitoring Gateway Status

Gateway Status

Status updates show for Security Gateways and Software Blades. The Overall status of a gateway is the most serious status of its Software Blades. For example, if all the Software Blades statuses are OK except for the SmartEvent blade, which has a Problem status, the Overall status is Problem.

Status Icon

Description

OK

The gateway and all its Software Blades work properly.

Attention

At least one Software Blade has a minor issue, but the gateway works.

Problem

At least one Software Blade reported a malfunction, or an enabled Software Blade is not installed.

Waiting

SmartView Monitor waits for the Security Management Server to send data from Security Gateways.

Disconnected

Cannot reach the Security Gateway.

Untrusted

Cannot make Secure Internal Communication between the Security Management Server and the gateway.

Displaying Gateway Data

Gateway Status data shows for each Check Point or OPSEC gateway.

To see data about a gateway, click the gateway in the Gateway Results view. Details about the gateway show in the Gateway Details pane.

System Data

To view the status of Check Point applications on the local server or another appliance, use the cpstat command.

Firewall

Virtual Private Networks

The Virtual Private Networks (VPN) is divided into these main statuses:

This includes:

QoS

ClusterXL

OPSEC

Check Point Security Management

SmartConsole Server

The number of users that are currently connected.

Log Server

Indicates the number of licensed users that are currently connected, and whether the Security Management Server is active. The Log Server status includes details about the named connected client, the name of the administrator managing the selected Log Server, the host of the Log Server, and the name of the database if it is locked. The Log Server status also indicates the type of application that the Log Server can track.

SmartEvent Correlation Unit and the SmartEvent Server

SmartView Monitor reads statuses from the SmartEvent Correlation Unit and SmartEvent Server.

SmartEvent Correlation Unit status examples:

SmartEvent Server status examples:

Connect the SmartEvent Correlation Unit to the Log Server to let it read logs. Connect it to the SmartEvent Server to send events to it. If problems occur in the SmartEvent Correlation Unit connection to other components (for example, SIC problems), the problems are reported in the SmartEvent Correlation Unit status.

For the same reasons, the SmartEvent Server contains statuses that provide information about connections to all SmartEvent Correlation Units.

Anti-Virus and URL Filtering

SmartView Monitor can now provide statuses and counters for gateways with Anti-Virus and URL Filtering.

The statuses are divided into these categories:

Anti-Virus statuses are associated with signature checks and URL Filtering statuses are associated with URLs and categories.

In addition, SmartView Monitor can now run Anti-Virus and URL Filtering counters.

For example:

Multi-Domain Security Management

SmartView Monitor can be used to monitor Multi-Domain Servers. This information can be viewed in the Gateway Status view. In this view you can see Multi-Domain Security Management counter information (for example, CPU or Overall Status).

Displaying Gateway Status Using the CLI (cpstat)

Description: Displays the status of Check Point applications, either on the local server or on another appliance or server, in various formats.

Syntax:

> cpstat [-h <host>][-p <port>][-s <SICname>][-f <flavor>][-o <polling>][-c <count>][-e <period>][-d] <application_flag>

Parameter

Description

-h <host>

A resolvable hostname, an IPv4 address, or a DAIP object name.

The default is localhost.

-p <port>

Port number of the AMON server.

The default is the standard AMON port 18192.

-s <SICname>

Secure Internal Communication (SIC) name of the AMON server.

-f <flavor>

The flavor of the output as it appears in the configuration file.

The default is the first flavor found in the configuration file.

-o <polling>

Polling interval in seconds, specifies the pace of the results.

The default is 0. The results are shown only once.

-c <count>

Specifies how many times the results are shown.

The default is 0. The results are repeatedly shown.

-e <period>

Specifies the interval in seconds over which 'statistical' OIDs are computed.

Ignored for regular OIDs.

-d

Debug Mode.

<application_flag>

One of the following:

  • os - OS Status
  • persistency - Historical status values
  • thresholds - For the thresholds configured with the threshold_config command
  • ci - For the Anti-Virus blade
  • https_inspection - For the HTTPS Inspection
  • cvpn - For the Mobile Access blade
  • fw - For the Firewall blade
  • vsx - For VSX
  • vpn - For the IPsec VPN blade
  • blades - Overall status of the software blades
  • identityServer - For the Identity Awareness blade
  • appi - For the Application Control blade
  • urlf - For the URL Filtering blade
  • dlp - For the Data Loss Prevention blade
  • ctnt - For the Content Awareness blade
  • antimalware - For the Threat Prevention
  • threat-emulation - For the Threat Emulation blade
  • scrub - For the Threat Extraction blade
  • gx - For the LTE / FireWall-1 GX
  • fg - For the QoS (formerly FloodGate-1)
  • ha - For the ClusterXL (High Availability)
  • polsrv - For the Policy Server for Remote Access VPN clients
  • ca - For the Certificate Authority
  • mg - For the Security Management Server
  • svr - For the SmartReporter blade
  • cpsemd - For SmartEvent blade
  • cpsead - For the SmartEvent Correlation Unit
  • ls - For the Log Server
  • uas - For the User Authority
  • PA - For the ProvisioningAgent

The following parameters (flavours) can be added to the application flags:

--------------------------------------------------------------
|Flag             |Flavours                                  |
--------------------------------------------------------------
|os               |default, ifconfig, routing, routing6,     |
|                 |memory, old_memory, cpu, disk, perf,      |
|                 |multi_cpu, multi_disk, raidInfo, sensors, |
|                 |power_supply, hw_info, all, average_cpu,  |
|                 |average_memory, statistics, updates,      |
|                 |licensing, connectivity, vsx              |
--------------------------------------------------------------
|persistency      |product, TableConfig, SourceConfig        |
--------------------------------------------------------------
|thresholds       |default, active_thresholds, destinations, |
|                 |error                                     |
--------------------------------------------------------------
|ci               |default                                   |
--------------------------------------------------------------
|https_inspection |default, all                              |
--------------------------------------------------------------
|cvpn             |cvpnd, sysinfo, products, overall         |
--------------------------------------------------------------
|fw               |default, interfaces, policy, perf, hmem,  |
|                 |kmem, inspect, cookies, chains,           |
|                 |fragments, totals, totals64, ufp, http,   |
|                 |ftp, telnet, rlogin, smtp, pop3, sync,    |
|                 |log_connection, all                       |
--------------------------------------------------------------
|vsx              |default, stat, traffic, conns, cpu, all,  |
|                 |memory, cpu_usage_per_core                |
--------------------------------------------------------------
|vpn              |default, product, IKE, ipsec, traffic,    |
|                 |compression, accelerator, nic,            |
|                 |statistics, watermarks, all               |
--------------------------------------------------------------
|blades           |fw, ips, av, urlf, vpn, cvpn, aspm, dlp,  |
|                 |appi, anti_bot, default,                  |
|                 |content_awareness, threat-emulation       |
--------------------------------------------------------------
|identityServer   |default, authentication, logins, ldap,    |
|                 |components, adquery                       |
--------------------------------------------------------------
|appi             |default, subscription_status,             |
|                 |update_status, RAD_status, top_last_hour, |
|                 |top_last_day, top_last_week,              |
|                 |top_last_month                            |
--------------------------------------------------------------
|urlf             |default, subscription_status,             |
|                 |update_status, RAD_status, top_last_hour, |
|                 |top_last_day, top_last_week,              |
|                 |top_last_month                            |
--------------------------------------------------------------
|dlp              |default, dlp, exchange_agents, fingerprint|
--------------------------------------------------------------
|ctnt             |default                                   |
--------------------------------------------------------------
|antimalware      |default, scanned_hosts, scanned_mails,    |
|                 |subscription_status, update_status,       |
|                 |ab_prm_contracts, av_prm_contracts        |
--------------------------------------------------------------
|threat-emulation |default, general_statuses, update_status, |
|                 |scanned_files, malware_detected,          |
|                 |scanned_on_cloud, malware_on_cloud,       |
|                 |average_process_time, emulated_file_size, |
|                 |queue_size, peak_size,                    |
|                 |file_type_stat_file_scanned,              |
|                 |file_type_stat_malware_detected,          |
|                 |file_type_stat_cloud_scanned,             |
|                 |file_type_stat_cloud_malware_scanned,     |
|                 |file_type_stat_filter_by_analysis,        |
|                 |file_type_stat_cache_hit_rate,            |
|                 |file_type_stat_error_count,               |
|                 |file_type_stat_no_resource_count,         |
|                 |contract, downloads_information_current,  |
|                 |downloading_file_information,             |
|                 |queue_table, history_te_incidents,        |
|                 |history_te_comp_hosts                     |
--------------------------------------------------------------
|scrub            |default, subscription_status,             |
|                 |threat_extraction_statistics              |
--------------------------------------------------------------
|gx               |default, contxt_create_info,              |
|                 |contxt_delete_info, contxt_update_info,   |
|                 |contxt_path_mng_info, GXSA_GPDU_info,     |
|                 |contxt_initiate_info, gtpv2_create_info,  |
|                 |gtpv2_delete_info, gtpv2_update_info,     |
|                 |gtpv2_path_mng_info, gtpv2_cmd_info, all  |
--------------------------------------------------------------
|fg               |all                                       |
--------------------------------------------------------------
|ha               |default, all                              |
--------------------------------------------------------------
|asm              |default, WS                               |
--------------------------------------------------------------
|polsrv           |default, all                              |
--------------------------------------------------------------
|ca               |default, all, cert, crl, user             |
--------------------------------------------------------------
|mg               |default                                   |
--------------------------------------------------------------
|svr              |default                                   |
--------------------------------------------------------------
|cpsemd           |default                                   |
--------------------------------------------------------------
|cpsead           |default                                   |
--------------------------------------------------------------
|ls               |default                                   |
--------------------------------------------------------------
|uas              |default                                   |
--------------------------------------------------------------
|PA               |default                                   |
--------------------------------------------------------------

Example:

[Expert@MyVSX_GW:0]# cpstat -f default fw

Policy name: MyVSX_GW_VSX
Install time: Wed May 23 18:14:32 2018

Interface table
---------------------------------------
|Name|Dir|Total |Accept|Deny |Log|
---------------------------------------
|eth0|in | 2393126| 32589| 2360537| 52|
|eth0|out| 33016| 33016| 0| 0|
|eth1|in | 2360350| 0| 2360350| 0|
|eth1|out| 0| 0| 0| 0|
|eth2|in | 2360350| 0| 2360350| 0|
|eth2|out| 0| 0| 0| 0|
|eth3|in | 2348704| 0| 2348704| 1|
|eth3|out| 0| 0| 0| 0|
|eth4|in | 2360350| 0| 2360350| 0|
|eth4|out| 0| 0| 0| 0|
---------------------------------------
| | |11855896| 65605|11790291| 53|
---------------------------------------

... ... [truncated for brevity] ... ...

[Expert@MyVSX_GW:0]#
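The Interface table above is meant to be read at the console, but the same output is easy to script for alerting. The following bash script is an added example, not code from the Check Point documentation or product: it embeds the first rows of the Interface table from the example above as constructed sample input (with the totals row recomputed for those rows), parses it with awk to report the per-interface deny percentage, flags interfaces at or above a threshold, and verifies that the totals row equals the sum of the parsed rows, so that a format change that silently drops rows is caught rather than turned into a false "all clear". The function names, the 90 percent threshold, and the `cpstat -h <gateway>` invocation in the comments are assumptions; the `-f default fw` form and the `-o`/`-c` polling options come from the syntax table above.

```shell
#!/bin/bash
# Added example (not Check Point code): parse the "Interface table" printed by
# `cpstat -f default fw` so it can feed an alert or a scheduled check.
#
# Constructed sample input, copied from the example output in this section
# and trimmed to four rows, with the totals row recomputed for those rows.
# On a live gateway you would pipe the real command instead, for example:
#   cpstat -h <gateway> -f default fw | flag_high_deny 90
# or sample it repeatedly with the polling options:
#   cpstat -o 60 -c 0 -f default fw
SAMPLE_CPSTAT_FW='Policy name: MyVSX_GW_VSX
Install time: Wed May 23 18:14:32 2018

Interface table
---------------------------------------
|Name|Dir|Total |Accept|Deny |Log|
---------------------------------------
|eth0|in | 2393126| 32589| 2360537| 52|
|eth0|out| 33016| 33016| 0| 0|
|eth1|in | 2360350| 0| 2360350| 0|
|eth1|out| 0| 0| 0| 0|
---------------------------------------
| | |4786492| 65605|4720887| 52|
---------------------------------------'

# Print "name dir total deny deny_pct" for every interface row that saw traffic.
# After splitting on "|": $2=Name $3=Dir $4=Total $5=Accept $6=Deny $7=Log
deny_ratios() {
  awk -F'|' '
    # A data row has an interface name in column 2 and a positive Total;
    # the header ("Name"), the separator lines and the totals row all fail this.
    $2 ~ /[A-Za-z]/ && $2 != "Name" && $4 + 0 > 0 {
      gsub(/ /, "", $2); gsub(/ /, "", $3)
      printf "%s %s %d %d %d\n", $2, $3, $4, $6, int(100 * $6 / $4)
    }'
}

# Print "name dir deny_pct" for interfaces whose deny share is at or above the
# given percentage. The default of 90 is an assumed example value, not a
# recommendation; pick it from your own baseline.
flag_high_deny() {
  threshold="${1:-90}"
  deny_ratios | awk -v t="$threshold" '$5 >= t { print $1, $2, $5 }'
}

# Exit 0 when the totals row equals the sum of the interface rows for the Total
# and Deny columns, 1 otherwise. A mismatch means a row was not parsed (for
# example after an output format change), so a report built on deny_ratios
# should not be trusted until the parser is fixed.
check_totals() {
  awk -F'|' '
    $2 ~ /[A-Za-z]/ && $2 != "Name" { sum_total += $4; sum_deny += $6 }
    $2 ~ /^ *$/ && $4 + 0 > 0      { tot = $4 + 0; den = $6 + 0 }
    END { if (sum_total == tot && sum_deny == den) exit 0; exit 1 }'
}

# Stand-alone run over the sample: consistency check first, then the flagged list.
printf '%s\n' "$SAMPLE_CPSTAT_FW" | check_totals || echo "totals mismatch: parser needs attention" >&2
printf '%s\n' "$SAMPLE_CPSTAT_FW" | flag_high_deny 90
```

Run against the sample, `flag_high_deny 90` reports `eth0 in 98` and `eth1 in 100`; whether such a deny share is normal depends on the interface's role, so the threshold and the set of interfaces worth alerting on should come from the gateway's own baseline rather than from this example.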

Starting and Stopping Cluster Members

To stop and start one member of a cluster from SmartView Monitor:

  1. Open a Gateway Status view.
  2. Right-click the cluster member and select Cluster Member > Start Member or Stop Member.

Monitoring Tunnels

Tunnels Solution

VPN Tunnels are secure links between Security Gateways. These Tunnels ensure secure connections between gateways of an organization and remote access clients.

When Tunnels are created and put to use, you can keep track of their normal function, so that possible malfunctions and connectivity problems can be identified and solved as soon as possible.

To ensure this security level, SmartView Monitor constantly monitors and analyzes the status of an organization's Tunnels to recognize malfunctions and connectivity problems. With the use of Tunnel views, you can generate fully detailed reports that include information about the Tunnels that fulfill the specific Tunnel view's conditions. With this information you can monitor Tunnel status, the Community with which a Tunnel is associated, the gateways to which the Tunnel is connected, and so on. These are the Tunnel types:

This table shows the possible Tunnel states and their significance to a Permanent or Regular Tunnel.

--------------------------------------------------------------------------------------------
|State                 |Permanent Tunnel                |Regular Tunnel                    |
--------------------------------------------------------------------------------------------
|Up                    |The tunnel works and the data   |IKE SA (Phase 1) and IPsec SA     |
|                      |can flow with no problems.      |(Phase 2) exist with a peer       |
|                      |                                |gateway.                          |
--------------------------------------------------------------------------------------------
|Destroyed             |The tunnel is destroyed.        |The tunnel is destroyed.          |
--------------------------------------------------------------------------------------------
|Up Phase1             |Irrelevant.                     |Tunnel initialization is in       |
|                      |                                |process and Phase 1 is complete   |
|                      |                                |(that is, an IKE SA exists with   |
|                      |                                |cookies), but there is no Phase 2.|
--------------------------------------------------------------------------------------------
|Down                  |There is a tunnel failure. You  |Irrelevant.                       |
|                      |cannot send and receive data to |                                  |
|                      |or from a remote peer.          |                                  |
--------------------------------------------------------------------------------------------
|Up Init               |The tunnel is initialized.      |Irrelevant.                       |
--------------------------------------------------------------------------------------------
|Gateway not Responding|The gateway is not responding.  |The gateway is not responding.    |
--------------------------------------------------------------------------------------------

Tunnel View Updates

If a Tunnel is deleted from SmartConsole, the Tunnel Results View shows the deleted Tunnel for an hour after it was deleted.

If a community is edited, the Results View shows removed tunnels for an hour after they were removed from the community.

Running Tunnel Views

When a Tunnel view runs, the results show in the SmartView Monitor client. A Tunnel view can run:

A Tunnels view can be created and run for:

Run a Down Tunnel View

Down Tunnel view results list all the Tunnels that are currently not active.

To run a down tunnel view:

  1. In the SmartView Monitor client, click the Tunnels branch in the Tree View.
  2. In the Tunnels branch (Custom or Predefined), double-click the Down Permanent Tunnel view.

    A list of all the Down Tunnels associated with the selected view properties shows.

Run a Permanent Tunnel View

Permanent Tunnel view results list all of the existing Permanent Tunnels and their current status.

A Permanent Tunnel is a Tunnel that is constantly kept active.

To run a permanent tunnel view:

  1. In the SmartView Monitor client, click the Tunnels branch in the Tree View.
  2. In the Tunnels branch, double-click the Custom Permanent Tunnel view that you want to run.

    A list of the Permanent Tunnels related to the selected view properties shows.

Run a Tunnels on Community View

Tunnels on Community view results list all the Tunnels related to a selected Community.

To run a tunnels on community view:

  1. In the SmartView Monitor client, click the Tunnels branch in the Tree View.
  2. In the Tunnels branch (Custom or Predefined), double-click the Tunnels on Community view.

    A list of all Communities shows.

  3. Select the Community whose Tunnels you want to monitor.
  4. Click OK.

    A list of all the Tunnels related to the selected Community shows.

Run Tunnels on Gateway View

Tunnels on Gateways view results list all of the Tunnels related to a selected Gateway.

To run tunnels on Gateway view:

  1. In the SmartView Monitor client, click the Tunnels branch in the Tree View.
  2. In the Tunnels branch (Custom or Predefined), double-click the Tunnels on Gateway view.

    A list of the gateways shows.

  3. Select the gateway whose Tunnels and their status you want to see.
  4. Click OK.

    A list of the Tunnels related to the selected gateway shows.

Monitoring Traffic or System Counters

Traffic or System Counters Solution

SmartView Monitor provides tools that show you the traffic related to specified network activities, servers, and so on, and the real-time status, hardware use, and software use of different Check Point products. With this knowledge you can:

SmartView Monitor delivers a comprehensive solution to monitor and analyze network traffic and network usage. You can generate fully detailed or summarized graphs and charts for all connections intercepted and logged when you monitor traffic, and for numerous rates and figures when you count usage throughout the network.

Traffic

Traffic Monitoring provides in-depth details on network traffic and activity. As a network administrator you can generate traffic information to:

A Traffic view can be created to monitor the Traffic types listed in the following table.

Traffic Type

Explanation

Services

Shows the current status view about Services used through the selected gateway.

IPs/Network Objects

Shows the current status view about active IPs/Network Objects through the selected gateway.

Security Rules

Shows the current status view about the most frequently used Firewall rules.

The Name column in the legend states the rule number as previously configured in SmartConsole.

Interfaces

Shows the current status view about the Interfaces associated with the selected gateway.

Connections

Shows the current status view about current connections initiated through the selected gateway.

Tunnels

Shows the current status view about the Tunnels associated with the selected gateway and their usage.

Virtual Link

Shows the current traffic status view between two gateways (for example, Bandwidth, Bandwidth Loss, and Round Trip Time).

Packet Size Distribution

Shows the current status view about packets according to the size of the packets.

QoS

Shows the current traffic level for each QoS rule.

Traffic Legend Output

The values that you see in the legend depend on the Traffic view that you run.

All units in the view results show in configurable Intervals.

System Counters

Monitoring System Counters provides in-depth details about Check Point Software Blade usage and activities. As a network administrator you can generate system status information about:

Select and Run a Traffic or System Counters View

When a Traffic or System Counters view runs, the results show in the SmartView Monitor client. A Traffic or System Counter view can run:

To run a Traffic or System Counters view:

  1. In the SmartView Monitor client, select the Traffic or System Counter branch in the Tree View.
  2. Double-click the Traffic or System Counter view that you want to run.

    A list of available gateways shows.

  3. Select the gateway for which you want to run the selected Traffic or System Counter view.
  4. Click OK.

    The results of the selected view show in the SmartView Monitor client.

Recording a Traffic or Counter View

You can save a record of the Traffic or System Counter view results.

To record a traffic or counter view:

  1. Run the Traffic or System Counters view.
  2. Select the Traffic menu.
  3. Select Recording > Record.

    A Save As window shows.

  4. Name the record.
  5. Save it in the related directory.
  6. Click Save.

    The word Recording shows below the Traffic or Counter toolbar. The appearance of this word signifies that the view currently running is recorded and saved.

  7. To stop recording, open the Traffic menu and select Recording > Stop.

    A record of the view results is saved in the directory you selected in step 3 above.

Play the Results of a Recorded Traffic or Counter View

After you record a view, you can play it back. Select Play, or Fast Play to see the results change faster.

To play the results:

  1. In the SmartView Monitor client, select Traffic > Recording > Play.

    The Select Recorded File window shows.

  2. Access the directory in which the recorded file is kept and select the related record.
  3. Click Open.

    The results of the selected recorded view start to run. The word Playing shows below the toolbar.

Pause or Stop the Results of a Recorded View that is Playing

Monitoring Users

Users Solution

The User Monitor is an administrative feature. This feature lets you keep track of Endpoint Security VPN users currently logged on to the specified Security Management Servers. The User Monitor provides a comprehensive set of filters that makes the view definition process user-friendly and highly efficient, and lets you easily navigate through the results.

With data on current open sessions, overlapping sessions, routed traffic, connection time, and more, the User Monitor gives detailed information about the connectivity experience of remote users. This SmartView Monitor feature lets you view real-time statistics about open remote access sessions.

If specific data are irrelevant for a given User, the column shows N/A for the User.

Run a Users View

When you run a Users view, the results show in the SmartView Monitor client:

A Users view can be created and run for:

Run a User View for a Specified User

To run a user view for a specified user:

  1. In SmartView Monitor > Tree View, click Users.
  2. Click Get User by Name.

    The User DN Filter window opens.

  3. Enter the specified User DN in the area provided.
  4. Click OK.

    The view results show in the Results View.

Run a User View for all Users or Mobile Access Users

To run a user view for all users or Mobile Access users:

  1. In SmartView Monitor > Tree View, click Users.
  2. Click All Users or Mobile Access Users.

    The view results show in the Results View.

Run a User View for a Specified Gateway

To run a user view for a specified Gateway:

  1. In SmartView Monitor > Tree View, click Users.
  2. Click Users by Gateway.

    The Select Gateway window shows.

  3. Select the gateway for which you want to run the view.
  4. Click OK.

    The view results show in the Results View.

Cooperative Enforcement Solution

Cooperative Enforcement works with Check Point Endpoint Security Management Servers. This feature uses the Endpoint Security Management Server compliance function to verify connections that come from different hosts across the internal network.

Endpoint Security Management Server is a centrally managed, multi-layered endpoint security solution that employs policy based security enforcement for internal and remote PCs. The Endpoint Security Management Server mitigates the risk of hackers, worms, spyware, and other security threats.

Features such as policy templates and application privilege controls enable administrators to easily develop, manage, and enforce Cooperative Enforcement.

With Cooperative Enforcement, a host that initiates a connection through a gateway is tested for compliance. This increases the integrity of the network because it prevents hosts with malicious software components from accessing the network.

Cooperative Enforcement acts as a middle-man between hosts managed by an Endpoint Security Management Server and the Endpoint Security Management Server itself. It relies on the Endpoint Security Management Server compliance feature, which determines whether a host is secure, and it can block connections from hosts that do not meet the defined prerequisites for software components.

[Figure: Cooperative Enforcement workflow. Legend: Non-Compliant Hosts, Unauthorized, Authorized]

  1. The Endpoint Security client (A) in the internal network (B) opens a connection to the Internet (C) through a Security Gateway (D).
  2. Cooperative Enforcement starts to work on the first server's reply to the client.
  3. The Security Gateway checks the client's compliance in its tables and queries the Endpoint Security server (E).
  4. When a reply is received, a connection from a compliant host to the Internet is allowed.

    If the client is non-compliant and Cooperative Enforcement is not in Monitor-only mode, the connection is closed.

NAT Environments

Cooperative Enforcement is not supported by all the NAT configurations.

For Cooperative Enforcement to work in a NAT environment, the gateway and the Endpoint Security Server must recognize the same IP address for a client. If NAT causes the IP address received by the gateway to be different from the IP address received by the Endpoint Security Server, Cooperative Enforcement will not work.

Configuring Cooperative Enforcement

To configure Cooperative Enforcement:

From the gateway Cooperative Enforcement page, click Authorize clients using Endpoint Security Server to enable Cooperative Enforcement.

Non-Compliant Hosts by Gateway View

The Non-Compliant Hosts by Gateway view lets you to see Host IPs by Endpoint Security Management Server compliance: