sam_alert

Description

For SAM v1, this utility executes Suspicious Activity Monitoring (SAM) actions according to the information received from the standard input.

For SAM v2, this utility executes Suspicious Activity Monitoring (SAM) actions with User Defined Alerts mechanism.

Notes:

• VSX Gateway does not support Suspicious Activity Monitoring (SAM) Rules. See sk79700.
• You must run this command from the Expert mode.
• See fw sam and fw sam_policy.

Syntax for SAM v1

[Expert@MGMT:0]# sam_alert [-v] [-o] [-s <SAM Server>] [-t <Time>] [-f <Security Gateway>] [-C] {-n|-i|-I} {-src|-dst|-any|-srv}

Parameters for SAM v1

Parameter	Description
-v	Enables the verbose mode for the fw sam command.
-o	Specifies to print the input of this tool to the standard output (to use with pipes in a CLI syntax).
-s <SAM Server>	Specifies the SAM Server to be contacted. Default is localhost.
-t <Time>	Specifies the time (in seconds), during which to enforce the action. The default is forever.
-f <Security Gateway>	Specifies the Security Gateway, on which to run the operation. Important - If you do not specify the target Security Gateway explicitly, this command applies to all managed Security Gateways.
-C	Cancels the specified operation.
-n	Specifies to notify every time a connection, which matches the specified criteria, passes through the Security Gateway.
-i	Inhibits (drops or rejects) connections that match the specified criteria.
-I	Inhibits (drops or rejects) connections that match the specified criteria and closes all existing connections that match the specified criteria.
-src	Matches the source address of connections.
-dst	Matches the destination address of connections.
-any	Matches either the source or destination address of connections.
-srv	Matches specific source, destination, protocol and port.

Syntax for SAM v2

[Expert@MGMT:0]# sam_alert -v2 [-v] [-O] [-S <SAM Server>] [-t <Time>] [-f <Security Gateway>] [-n <Name>] [-c "<Comment">] [-o <Originator>] [-l {r | a}] -a {d | r| n | b | q | i} [-C] {-ip |-eth} {-src|-dst|-any|-srv}

Parameters for SAM v2

Parameter	Description
-v2	Specifies to use SAM v2.
-v	Enables the verbose mode for the fw sam command.
-O	Specifies to print the input of this tool to the standard output (to use with pipes in a CLI syntax).
-S <SAM Server>	the SAM server to be contacted. Default is localhost
-t <Time>	Specifies the time (in seconds), during which to enforce the action. The default is forever.
-f <Security Gateway>	Specifies the Security Gateway, on which to run the operation. Important - If you do not specify the target Security Gateway explicitly, this command applies to all managed Security Gateways.
-n <Name>	Specifies the name for the SAM rule. Default is empty.
-c "<Comment>"	Specifies the comment for the SAM rule. Default is empty. You must enclose the text in the double quotes or single quotes.
-o <Originator>	Specifies the originator for the SAM rule. Default is sam_alert.
-l {r | a}	Specifies the log type for connections that match the specified criteria: r - Regular a - Alert Default is None.
-a {d | r| n | b | q | i}	Specifies the action to apply on connections that match the specified criteria: d - Drop r - Reject n - Notify b - Bypass q - Quarantine i - Inspect
-C	Specifies to close all existing connections that match the criteria.
-ip	Specifies to use IP addresses as criteria parameters.
-eth	Specifies to use MAC addresses as criteria parameters.
-src	Matches the source address of connections.
-dst	Matches the destination address of connections.
-any	Matches either the source or destination address of connections.
-srv	Matches specific source, destination, protocol and port.

Example

See sk110873: How to configure Security Gateway to detect and prevent port scan.

Monitoring Suspicious Activity Rules

Suspicious Activity Monitoring (SAM) is a utility integrated in SmartView Monitor. It blocks activities that you see in the SmartView Monitor results and that appear to be suspicious. For example, you can block a user who tries several times to gain unauthorized access to a network or Internet resource.

A Security Gateway with SAM enabled has Firewall rules to block suspicious connections that are not restricted by the security policy. These rules are applied immediately (Install Policy not required).

The Need for Suspicious Activity Rules

Connections between enterprise and public networks are a security challenge as they leave the network and its applications open to attack. You must be able to inspect and identify all inbound and outbound network activity and decide if it is suspicious.

Creating a Suspicious Activity Rule

SAM rules use CPU resources. Therefore, set an expiration time so you can inspect traffic but not negatively affect performance.

If you confirm that an activity is risky, edit the Security Policy, educate users, or handle the risk.

You can block suspicious activity based on source, destination, or service.

To block an activity:

1. In the SmartView Monitor, click Suspicious Activity Rules.

   The Enforced Suspicious Activity Rules window opens.

2. Click Add.

   The Block Suspicious Activity window opens.

3. In Source and in Destination, select IP or Network:
   • To block all sources or destinations that match the other parameters, enter Any.
   • To block one suspicious source or destination, enter an IP Address and Network Mask.
4. In Service:
   • To block all connections that fit the other parameters, enter Any.
   • To block one suspicious service or protocol, click the button and select a service from the window that opens.
5. In Expiration, set a time limit.
6. Click Enforce.

To create an activity rule based on TCP or UDP use:

1. In the Block Suspicious Activity window , click Service.

   The Select Service window opens.

2. Click Custom Service.
3. Select TCP or UDP.
4. Enter the port number.
5. Click OK.

To define SmartView Monitor actions on rule match:

1. In the Block Suspicious Activity window, click Advanced.

   The Advanced window opens.

2. In Action, select the Firewall action for SmartView Monitor to do on rule match:
   • Notify - Send a message about the activity, but do not block it.
   • Drop - Drop packets, but do not send a response. The connection will time out.
   • Reject - Send an RST packet to the source and close the connection.
3. In Track, select No Log, Log or Alert.
4. If the action is Drop: To close the connection immediately on rule match, select Close connections.
5. Click OK.

Creating a Suspicious Activity Rule from Results

If you monitor traffic, and see a suspicious result, you can create an SAM rule immediately from the results.

Note - You can only create a Suspicious Activity rule for Traffic views with data about the Source or Destination (Top Sources, Top P2P Users, and so on).

To create an SAM rule:

1. In SmartView Monitor open a Traffic view.

   The Select Gateway / Interface window opens.

2. Select an object and click OK.
3. In the Results, right-click the bar in the chart (or the row in the report), that represents the source, destination, or other traffic property to block.
4. Select Block Source.

   The Block Suspicious Activity window opens.

5. Create the rule.
6. Click Enforce.

For example:

Your corporate policy does not allow to share peer2peer file, and you see it in the Traffic > Top P2P Users results.

1. Right-click the result bar and select Block Source.

   The SAM rule is set up automatically with the user IP address and the P2P_File_Sharing_Applications service.

2. Click Enforce.
3. For the next hour, while this traffic is dropped and logged, contact the user.

Managing Suspicious Activity Rules

The Enforced Suspicious Activity Rules window shows the currently enforced rules. If you add a rule that conflicts with another rule, the conflicting rule remains hidden. For example, if you define a rule to drop http traffic, and a rule exists to reject http traffic, only the drop rule shows.

How SmartView Monitor Works

Data for the status of all gateways in the system is collected by the Security Management Server and viewed in SmartView Monitor. The data shows status for:

• Check Point Security Gateways
• OPSEC gateways
• Check Point Software Blades

Gateway Status is the SmartView Monitor view which shows all component status information. A Gateway Status view shows a snapshot of all Software Blades, such as VPN and ClusterXL, and third party products (for example, OPSEC-partner gateways).

Gateway Status is similar in operation to the SNMP daemon that provides a mechanism to get data about gateways in the system.

SIC is initialized between Security Gateways (3) (local and remote), and the Security Management Server (2). The Security Management Server then gets status data from the Software Blades with the AMON (Application Monitoring) protocol. SmartView Monitor (1) gets the data from the Security Management Server.

AMON

The Security Management Server acts as an AMON client. It collects data about installed Software Blades. Each Security Gateway, or any other OPSEC gateway which runs an AMON server, acts as the AMON server itself. The gateway requests status updates from other components, such as the Firewall kernel and network servers. Requests are fetched at a defined interval.

An alternate source for status collection can be any AMON client, such as an OPSEC partner, which uses the AMON protocol.

The AMON protocol is SIC- based. It can collect data only after SIC is initialized.

Defining Status Fetch Frequency

The Security Management Server collects status data from the Security Gateways on a defined interval. The default is 60 seconds.

To set the Status Fetching Interval:

1. Open SmartConsole.
2. Open Global Properties > Log and Alert > Time Settings.
3. Enter the number of seconds in Status fetching interval.

Configuring SmartView Monitor

System Alerts and Thresholds

You can set thresholds for selected gateways. When a threshold is passed, a system alert is sent.

To set System Alert thresholds:

1. Open Gateways Status view.
2. Right-click a network object and select Configure Thresholds.

   The Threshold Settings window opens.

3. Set the thresholds for the selected object:
   • Use global settings - All objects get the same thresholds for system alerts.
   • None - The selected gateway object does not have thresholds for system alerts.
   • Custom - Change the thresholds for the selected object to be different than the global settings.

To change Global Threshold settings:

1. In the Threshold Settings window, click Edit Global Settings.

   The Global Threshold Settings window opens.

   

2. Select thresholds.
3. In Action, select:
   • none - No alert.
   • log - Sends a log entry to the database.
   • alert - Opens a pop-up window to your desktop.
   • mail - Sends a mail alert to your Inbox.
   • snmptrap - Sends an SNMP alert.
   • useralert - Runs a script. Make sure a user-defined action is available. Go to SmartConsole > Global Properties > Log and Alert > Alert Commands.

To change custom threshold settings:

1. In the Threshold Settings window, select Custom.

   The global threshold settings show.

2. Select thresholds to enable for this gateway or cluster member.
3. Set defining values.

Working with SNMP Monitoring Thresholds

You can configure a variety of different SNMP thresholds that generate SNMP traps, or alerts. You can use these thresholds to monitor many system components automatically without requesting information from each object or device. The categories of thresholds that you can configure include:

• Hardware
• High Availability
• Networking
• Resources
• Log Server Connectivity

Some categories apply only to some machines or deployments.

Note - SNMP monitoring thresholds are supported from R75.20, R71.30, and higher.

In each category there are many individual thresholds that you can set. For example, the hardware category includes alerts for the state of the RAID disk, the state of the temperature sensor, the state of the fan speed sensor, and others. For each individual threshold, you can configure:

• If it is enabled or disabled
• How frequently alerts are sent
• The severity of the alert
• The threshold point (if necessary)
• Where the alerts are sent to

You can also configure some settings globally, such as how often alerts are send and where they are sent to.

Types of Alerts

• Active alerts are sent when a threshold point is passed or the status of a monitored component is problematic.
• Clear alerts are sent when the problem is resolved and the component has returned to its normal value. Clear alerts look like active alerts but the severity is set to 0.

Configuring SNMP Monitoring

Configure the SNMP monitoring thresholds in the command line of the Security Management Server. When you install the policy on the gateways the SNMP monitoring thresholds are applied globally to all gateways.

Configuring in Multi-Domain Security Management

In a Multi-Domain Security Management environment, you can configure thresholds on the Multi-Domain Server and on each individual Domain Management Server. Thresholds that you configure on the Multi-Domain Server are for the Multi-Domain Server only. Thresholds that you configure for a Domain Management Server are for that Domain Management Server and its gateways. If a threshold applies to the Multi-Domain Server and the Domain Management Server gateways, set it on the Multi-Domain Server and Domain Management Server. But in this situation you can only get alerts from the Multi-Domain Server if the threshold passed.

For example, because the Multi-Domain Server and Domain Management Server are on the same machine, if the CPU threshold is passed, it applies to both of them. But only the Multi-Domain Server generates alerts.

You can see the Multi-Domain Security Management level for each threshold with the threshold_config utility.

• If the Multi-Domain Security Management level for a threshold is Multi-Domain Server: Alerts are generated for the Multi-Domain Server when the threshold point is passed.
• If the Multi-Domain Security Management level for a threshold is Multi-Domain Server and Domain Management Server: Alerts are generated for the Multi-Domain Server and Domain Management Servers separately when the threshold point is passed.

Configuring a Local Gateway Policy

You can configure SNMP thresholds locally on a gateway with the same procedure that you do on a Security Management Server. But each time you install a policy on the gateway, the local settings are erased and it reverts to the global SNMP threshold settings.

You can use the threshold_config utility to save the configuration file and load it again later.

On SecurePlatform and Linux, the configuration file that you can back up is: $FWDIR/conf/thresholds.conf

On Windows, the configuration file that you can back up is: %FWDIR%\conf\thresholds.conf

Configuration Procedures

There is one primary command to configure the thresholds in the command line, threshold_config. You must be in the Expert mode to run it. After you run threshold_config, follow the on-screen instructions to make selections and configure the global settings and each threshold.

When you run threshold_config, you get these options:

• Show policy name - Shows you the name configured for the threshold policy.
• Set policy name - Lets you set a name for the threshold policy.
• Save policy- Lets you save the policy.
• Save policy to file - Lets you export the policy to a file.
• Load policy from file - Lets you import a threshold policy from a file.
• Configure global alert settings - Lets you configure global settings for how frequently alerts are sent and how many alerts are sent.
• Configure alert destinations - Lets you configure a location or locations where the SNMP alerts are sent.
• View thresholds overview - Shows a list of all thresholds that you can set including: the category of the threshold, if it is active or disabled, the threshold point (if relevant), and a short description of what it monitors.
• Configure thresholds - Opens the list of threshold categories to let you select thresholds to configure.

Configure Global Alert Settings

If you select Configure global alert settings, you can configure global settings for how frequently alerts are sent and how many alerts are sent. You can configure these settings for each threshold. If a threshold does not have its own alert settings, it uses the global settings by default.

You can configure these options:

• Enter Alert Repetitions - How many alerts are sent when an active alert is triggered. If you enter 0, alerts are sent until the problem is fixed.
• Enter Alert Repetitions Delay - How long the system waits between it sends active alerts.
• Enter Clear Alert Repetitions - How many clear alerts are sent after a threshold returns to a regular value.
• Enter Clear Alert Repetitions Delay - How long the system waits between it sends clear alerts.

Configure Alert Destinations

If you select Configure Alert Destinations, you can add and remove destinations for where the alerts are sent. You can see a list of the configured destinations. A destination is usually an NMS (Network Management System) or a Check Point Log Server.

After you enter the details for a destination, the CLI asks if the destination applies to all thresholds.

• If you enter yes, alerts for all thresholds are sent to that destination, unless you remove the destination from an individual threshold.
• If you enter no, no alerts are sent to that destination by default. But for each individual threshold, you can configure the destinations and you can add destinations that were not applied to all thresholds.

For each threshold, you can choose to which of the alert destinations its alerts are sent. If you do not define alert destination settings for a threshold, it sends alerts to all of the destinations that you applied to all thresholds.

For each alert destination enter:

• Name - An identifying name.
• IP - The IP address of the destination.
• Port - Through which port it is accessed
• Ver - The version on SNMP that it uses
• Other data- Some versions of SNMP require more data. Enter the data that is supplied for that SNMP version.

Configure Thresholds

If you select Configure thresholds, you see a list of the categories of thresholds, including:

• Hardware
• High Availability
• Networking
• Resources
• Log Server Connectivity

Some categories apply only to some machines or deployments. For example, Hardware applies only to Check Point appliances and High Availability applies only to clusters or High Availability deployments.

Select a category to see the thresholds in it. Each threshold can have these options:

• Enable/Disable Threshold - If the threshold is enabled, the system sends alerts when there is a problem. If it is disabled it does not generate alerts.
• Set Severity - You can give each threshold a severity setting. The options are: Low, Medium, High, and Critical. The severity level shows in the alerts and in SmartView Monitor. It lets you know quickly how important the alert is.
• Set Repetitions - Set how frequently and how many alerts will be sent when the threshold is passed. If you do not configure this, it uses the global alert settings.
• Set Threshold Point - Enter the value that will cause active alerts when it is passed. Enter the number only, without a unit of measurement.
• Configure Alert Destinations - See all of the configured alert destinations. By default, active alerts and clear alerts are sent to the destinations. You can change this for each destination. When you select the destination you see these options:
  • Remove from destinations - If you select this, alerts for this threshold are not sent to the selected destination.
  • Add a destination - If you configured a destination in the global alert destinations but did not apply it to all thresholds, you can add it to the threshold.
  • Disable clear alerts - Cleared alerts for this threshold are not sent to the selected destination. Active alerts are sent.

Completing the Configuration

You can complete threshold configuration and activate the settings.

To complete configuration and activate the settings:

1. On the Security Management Server, install the policy on all Security Gateways.
2. For a local Security Gateway threshold policy or a Multi-Domain Security Management Multi-Domain Server environment, use the cpwd_admin utility to restart the CPD process:
   1. Run: cpwd_admin stop -name CPD -path "$CPDIR/bin/cpd_admin" -command "cpd_admin stop"
   2. Run: cpwd_admin start -name CPD -path "$CPDIR/bin/cpd" -command "cpd"

Monitoring SNMP Thresholds

You can see an overview of the SNMP thresholds that you configure in SmartView Monitor.

To see an overview of the SNMP thresholds:

1. Open SmartView Monitor and select a Security Gateway.
2. In the summary of the Security Gateway data that open in the bottom pane, click System Information.
3. In the new pane that opens, click Thresholds.

   In the pane that opens, you can see these details:

   • General Info - A summary of the total SNMP Threshold policy.
     • Policy name- The name that you set for the policy in the CLI.
     • State - If the policy is enabled or disabled.
     • Thresholds - How many thresholds are enabled.
     • Active events - How many thresholds are currently sending alerts.
     • Generated Events - How many not active thresholds became active since the policy was installed.
   • Active Events- Details for the thresholds that are currently sending alerts.
     • Name - The name of the alert (given in the CLI).
     • Category - The category of the alert (given in the CLI), for example, Hardware or Resources.
     • MIB object - The name of the object as recorded in the MIB file.
     • MIB object value - The value of the object when the threshold became active, as recorded in the MIB file.
     • State - The status of the object: active or clearing (passed the threshold but returns to usual value).
     • Severity - The severity of that threshold, as you configured for it in the CLI.
     • Activation time - When was the alert first sent.
   • Alert Destinations - A list of the destinations that alerts are sent to.
     • Name - The name of the location.
     • Type - The type of location. For example, a Log Server or NMS.
     • State - If logs are sent from the gateway or Security Management Server to the destination machine.
     • Alert Count - How many alerts were sent to the destination from when the policy started.
   • Errors - Shows thresholds that cannot be monitored. For example, the Security Gateway cannot monitor RAID sensors on a machine that does not have RAID sensors. Therefore it shows an error for the RAID Sensor Threshold.
     • Threshold Name - The name of the threshold with an error.
     • Error - A description of the error.
     • Time of Error - When the error first occurred.

Customizing Results

You can create Custom Views, to change the fields that show in the results.

Editing a Custom View

The changes you make to a view are not automatically saved. You can use this procedure to save a predefined view as a new Custom view.

To save a new view with changes:

1. Right-click the results of the view and select Properties.

   Note - For some of the views, this option is View Properties or Query Properties.

2. Add or remove fields and other options for the view.
3. Click OK.
4. For some of the views, select the gateway.
5. In the Results toolbar, click the Save View to Tree button.
6. In the window that opens, enter a name for the new view.
7. Click Save.

Creating a Custom Gateway Status View

To create a custom Gateway status view:

1. In the Tree, right-click Custom and select New Gateways View.

   The Gateway Properties window opens.

2. In Select available fields from, select the source of the data.
3. In Available fields, double-click the data to add to SmartView Monitor.
4. Open the Filter Gateways tab to remove gateways from the results of this view.
5. Click OK.
6. Right-click the new Custom view and select Rename.
7. Enter a name for the view.

Creating a Custom Traffic View

To creating a custom traffic view:

1. In the Tree, right-click Custom and select New Traffic View.

   The Query Properties window opens.

2. Select History or Real Time.
3. If you select Real Time, select what you want to see:
   • Interfaces
   • Services
   • IPs / Network Objects
   • QoS Rules
   • Security Rules
   • Connections
   • Tunnels
   • Virtual Links
   • Packet Size Distribution
4. Select the Target gateway.
   • If you often need results for on gateway, select it in Specific Gateway.
   • If you have a small number of gateways, you can create a custom view for each one.
   • If not, select Prompt for Gateway before run.
5. Open the next tabs.

   The tabs that show depend on the Query Type you selected.

   • If you select History, the next tab is Traffic History, where you select the Time Frame and type of report.
   • If you select Real Time, the next tabs let you set services or objects to monitor, gateways or specified IP addresses to monitor, update interval, result type, and chart settings.
6. Click Save.
7. Right-click the new Custom view and select Rename.
8. Enter a name for the view.

Creating a Custom Counters View

To create a custom counters view:

1. In the Tree, right-click Custom and select New Counters View.

   The Query Properties window opens.

2. Select History or Real Time.
3. Select the Target gateway.
   • If results for one gateway are frequently necessary, select it in Specific Gateway.
   • If you have a small number of gateways, you can create a custom view for each one.
   • If not, select Prompt for Gateway before run.
4. Open the Counters tab.
5. Select a category and the counters to add.

   You can add counters from different categories to one view.

6. In the Query Type:
   • If the Query Type is History: Select the Time Frame and click Save.
   • If the Query Type is Real Time:
     1. Open the Settings tab.
     2. Set the update interval and chart type.
     3. Click Save.
7. Right-click the new Custom view and select Rename.
8. Enter a name for the view.

Creating a Custom Tunnel View

To create a custom tunnel view:

1. In the SmartView Monitor client, select File > New > Tunnels View.

   The Query Properties window shows.

2. Select Prompt on to generate a report about a specified Tunnel, Community or Gateway.

   Prompt on: When you run the view, you will be asked for the specified Tunnel, Community or Gateway on which to base your view.

   Important - Do not select Prompt on if your view is not about one of these three.

3. Select Show one record per tunnel or Show two records per tunnel.

   Show two records per tunnel shows a more accurate status because the report provides the status for the tunnels in both directions.

4. In the Show column, select the filter to be related to this view
5. In the Filter column, click the corresponding Any(*) link.
6. Select the related objects to edit the selected filters.
7. Click the Advanced button.
8. Set a limit in the Records limitation window for the number of lines that show in the report.
9. Enter a record limitation.
10. Click OK.

    A Tunnels view shows in the Custom branch of the Tree View.

11. Enter the name of the new Tunnel view.
12. Click Enter.

Creating a Custom Users View

To create a custom users view:

1. In SmartView Monitor, select File > New > Users View.

   The Query Properties window shows.

2. Select Prompt on to generate a user report about a specified user or Gateway.

   Prompt on: When you decide to run the view, you will be asked for the specified User DN or Gateway on which to base your view.

   Important - Do not select Prompt on if your view is not about one of these two.

3. In the Show column, select the filter to be related with this view.
4. In the Filter column, click the corresponding Any(*) link.
5. Select the related objects to edit the selected filters.
6. Click the Advanced button to set a limit (in the Records limitation window) to the number of lines that show in the report.
7. Enter a record limitation.
8. Click OK.

   A Users view shows in the Custom branch of the Tree View.

9. Enter a name for the new Users view.
10. Click Enter.

Custom View Example

For example purposes, we create a real-time Traffic view for Services.

To create a real-time traffic view:

1. Double-click the view to change and select the gateway for which you create the view.
2. Select the View Properties button on the view toolbar.

   The Query Properties window shows.

3. Select Real-Time.

   Real-Time provides information about currently monitored traffic or system counters.

4. Select History for information that was logged before.
5. Select the topic about which you want to create a Real-Time traffic view in the drop-down list provided. For example, for purposes select Services.

Note - The remaining tabs in the Query Properties window change according to the type of view you create and the selection you made in the Real-Time drop-down list.

1. Select the Target of this Custom Traffic view.

   Target is the gateway for which you monitor traffic.

2. Click the Monitor by Services tab.
3. Select Specific Services and the Services for which you want to create a custom Traffic view.
4. Click the Filter tab.
5. Make the necessary selections.
6. Click the Settings tab.
7. Make the necessary selections.
8. Click OK when you are done with your selections.

   The Select Gateway / Interface window shows.

9. Select the gateway or interface for which you want to create or run this new view.
10. Click the Save to Tree button on the toolbar.
11. Enter a name for the new view.
12. Click OK.

    The new view is saved in the Custom branch.

Exporting a Custom View

You can back up a custom view before you install an upgrade. You can share a custom view with other SmartView Monitor GUI clients and other users.

To export a custom view:

1. Right-click the view and select Export Properties.
2. In the window that opens, enter a pathname for the export file.
3. Click Save.

   A file with an svm_setting extension is created.

Setting Your Default View

You can set which view to see when SmartView Monitor starts.

In the Tree, right-click the view and select Run at Startup.

Refreshing Views

Results are automatically refreshed every 60 seconds.

To refresh the view earlier, right-click the view name in the Tree and select Run.

To refresh data about an object in the current view, right-click the object in the results and select Refresh.

Monitoring Gateway Status

Gateway Status

Status updates show for Security Gateways and Software Blades. The Overall status of a gateway is the most serious status of its Software Blades. For example, if all the Software Blades statuses are OK except for the SmartEvent blade, which has a Problem status, the Overall status is Problem.

Status Icon	Description
OK	The gateway and all its Software Blades work properly.
Attention	At least one Software Blade has a minor issue, but the gateway works.
Problem	At least one Software Blade reported a malfunction, or an enabled Software Blade is not installed.
Waiting	SmartView Monitor waits for the Security Management Server to send data from Security Gateways.
Disconnected	Cannot reach the Security Gateway.
Untrusted	Cannot make Secure Internal Communication between the Security Management Server and the gateway.

Displaying Gateway Data

Gateway Status data shows for each Check Point or OPSEC gateway.

To see data about a gateway, click the gateway in the Gateway Results view. Details about the gateway show in the Gateway Details pane.

System Data

• Unified Package - The version number.
• OS Information - The name, the version name/number, the build number, the service pack, and any additional information about the Operating System in use.
• CPU - The specific CPU parameters (for example, Idle, User, Kernel, and Total) for each CPU.
  Note - In the Gateways Results view the Average CPU indicates the average total CPU usage of all existing CPOS.
• Memory - The total amount of virtual memory, what percentage of this total is used. The total amount of real memory, what percentage of this total is used, and the amount of real memory available for use.
• Disk - Shows all the disk partitions and their specific details (for example, capacity, used, and free).
  Note - In the Gateways Results view the percentage/total of free space in the hard disk on which the Firewall is installed. For example, if there are two hard drives C and D and the Firewall is on C, the Disk Free percentage represents the free space in C and not D.

To view the status of Check Point applications on the local server or another appliance, the cpstat command.

Firewall

• Policy information - The name of the Security Policy installed on the gateway, and the date and time that this policy was installed.
• Packets - The number of packets accepted, dropped and logged by the gateway.
• UFP Cache performance - The hit ratio percentage and the total number of hits handled by the cache, the number of connections inspected by the UFP Server.
• Hash Kernel Memory (the memory status) and System Kernel Memory (the OS memory) - The total amount of memory allocated and used. The total amount of memory blocks used. The number of memory allocations, and those allocation operations which failed. The number of times that the memory allocation freed up, or failed to free up. The NAT Cache, including the total amount of hits and misses.

Virtual Private Networks

The Virtual Private Networks (VPN) is divided into these main statuses:

• Current represents the current number of active output.
• High Watermark represents the maximum number of current output
• Accumulative data represents the total number of the output.

This includes:

• Active Tunnels - All types of active VPN peers to which there is currently an open IPsec tunnel. This is useful to track the activity level of the VPN gateway. High Watermark includes the maximum number of VPN peers for which there was an open IPsec tunnel since the gateway was restarted.
• Remote Access - All types of Remote Access VPN users with which there is currently an open IPsec tunnel. This is useful to track the activity level and load patterns of VPN gateways that serve as a remote access server. High Watermark includes the maximum number of Remote Access VPN users with which there was an open IPsec tunnel since the gateway was restarted.
• Tunnels Establishment Negotiation - The current rate of successful Phase I IKE Negotiations (measured in Negotiations per second). This is useful to track the activity level and load patterns of a VPN gateway that serve as a remote access server. High Watermark includes the highest rate of successful Phase I IKE Negotiations since the Policy was installed (measured in Negotiations per second). Accumulative data includes the total number of successful Phase I IKE negotiations since the Policy was installed.
• Failed - The current failure rate of Phase I IKE Negotiations can be used to troubleshoot (for instance, denial of service) or for a heavy load of VPN remote access connections. High Watermark includes the highest rate of failed Phase I IKE negotiations since the Policy was installed. Accumulative is the total number of failed Phase I IKE negotiations since the Policy was installed.
• Concurrent - The current number of concurrent IKE negotiations. This is useful to track the behavior of VPN connection initiation, especially in large deployments of remote access VPN scenarios. High Watermark includes the maximum number of concurrent IKE negotiations since the Policy was installed.
• Encrypted and Decrypted throughput - The current rate of encrypted or decrypted traffic (measured in Mbps). Encrypted or decrypted throughput is useful (in conjunction with encrypted or decrypted packet rate) to track VPN usage and VPN performance of the gateway. High Watermark includes the maximum rate of encrypted or decrypted traffic (measured in Mbps) since the gateway was restarted. Accumulative includes the total encrypted or decrypted traffic since the gateway was restarted (measured in Mbps).
• Encrypted and Decrypted packets - The current rate of encrypted or decrypted packets (measured in packets per second). Encrypted or decrypted packet rate is useful (in conjunction with encrypted/decrypted throughput) to track VPN usage and VPN performance of the gateway. High Watermark includes the maximum rate of encrypted or decrypted packets since the gateway was restarted, and Accumulative, the total number of encrypted packets since the gateway was restarted.
• Encryption and Decryption errors - The current rate at which errors are encountered by the gateway (measured in errors per second). This is useful to troubleshoot VPN connectivity issues. High Watermark includes the maximum rate at which errors are encountered by the gateway (measured in errors per second) since the gateway was restarted, and the total number of errors encountered by the gateway since the gateway was restarted.
• Hardware - The name of the VPN Accelerator Vendor, and the status of the Accelerator. General errors such as the current rate at which VPN Accelerator general errors are encountered by the gateway (measured in errors per second). The High Watermark includes the maximum rate at which VPN Accelerator general errors are encountered by the gateway (measured in errors per second) since the gateway was restarted. The total number of VPN Accelerator general errors encountered by the gateway since it was restarted.
• IP Compression - Compressed/Decompressed packets statistics and errors.

QoS

• Policy information - The name of the QoS Policy and the date and time that it was installed.
• Number of interfaces - The number of interfaces on the Check Point QoS gateway. Information about the interfaces applies to both inbound and outbound traffic. This includes the maximum and average amount of bytes that pass per second, and the total number of conversations, where conversations are active connections and connections that are anticipated as a result of prior inspection. Examples are data connections in FTP, and the "second half" of UDP connections.
• Packet and Byte information - The number of packets and bytes in Check Point QoS queues.

ClusterXL

• gateway working mode - The gateway working mode as a cluster member, active or not, and its place in the priority sequence. Working modes are: ClusterXL, Load Sharing, Sync only. Running modes: active, standby, ready and down.
• Interfaces - Interfaces recognized by the gateway. The interface data includes the IP Address and status of the specified interface, if the connection that passes through the interface is verified, trusted or shared.
• Problem Notes - Descriptions of the problem notification device such as its status, priority and when the status was last verified.

OPSEC

• The version name or number, and build number of the Check Point OPSEC SDK and OPSEC product. The time it takes (in seconds) since the OPSEC gateway is up and running.
• The OPSEC vendor can add fields to their OPSEC Application gateway details.

Check Point Security Management

• The synchronization status indicates the status of the peer Security Management Servers in relation to that of the selected Security Management Server. View this status in the Management High Availability Servers window, if you are connected to the Active or Standby Security Management Server. The possible synchronization statuses are:
  • Never been synchronized - Immediately after the Secondary Security Management Server was installed, it did not undergo with the first manual synchronization. This synchronization brings it up to date with the Primary Management.
  • Synchronized - The peer is synchronized correctly and has the same database information and installed Security Policy.
  • Collision - The active Security Management Server and its peer have different installed policies and databases. The administrator must do manual synchronization and decide which of the Security Management Servers to overwrite.
• Clients - The number of connected clients on the Security Management Server, the name of the SmartConsole, the administrator that manages the SmartConsole, the name of the SmartConsole host, the name of the locked database, and the type of SmartConsole application.

SmartConsole Server

The number of users that are currently connected.

Log Server

Indicates the number of licensed users that are currently connected, and if the Security Management Server is active or not. The Log Server includes elaborate details about the named connected client, the name of the administrator, managing the selected Log Server, the host of the Log Server, and the name of the database if it is locked. The Log Server indicates the type of application that the Log Server can track.

SmartEvent Correlation Unit and the SmartEvent Server

SmartView Monitor reads statuses from the SmartEvent Correlation Unit and SmartEvent Server.

SmartEvent Correlation Unit status examples:

• Is the SmartEvent Correlation Unit active or inactive
• Is the SmartEvent Correlation Unit connected to the SmartEvent Server
• Is the SmartEvent Correlation Unit connected to the Log Server
• SmartEvent Correlation Unit and Log Server connection status
• Offline job status
• Lack of disk space status

SmartEvent Server status examples:

• Last handle event time
• Is the SmartEvent Server active or inactive
• A list of SmartEvent Correlation Unit the SmartEvent Server is connected to
• How many events arrived in a specified time period

Connect the SmartEvent Correlation Unit to the Log Server or the Log Server to let it read logs. Connect it to the SmartEvent Server to send events to it. If problems occur in the SmartEvent Correlation Unit connection to other components (for example, SIC problems) the problems are reported in the SmartEvent Correlation Unit status.

For the same reasons, the SmartEvent Server contains statuses that provide information about connections to all SmartEvent Correlation Units.

Anti-Virus and URL Filtering

SmartView Monitor can now provide statuses and counters for gateways with Anti-Virus and URL Filtering.

The statuses are divided into these categories:

• Current Status
• Update Status (for example, when was the signature update last checked)

Anti-Virus statuses are associated with signature checks and URL Filtering statuses are associated with URLs and categories.

In addition, SmartView Monitor can now run Anti-Virus and URL Filtering counters.

For example:

• Top five attacks in the last hour
• Top 10 attacks since last reset
• Top 10 http attacks in the last hour
• HTTP attacks general info

Multi-Domain Security Management

SmartView Monitor can be used to monitor Multi-Domain Servers. This information can be viewed in the Gateway Status view. In this view you can see Multi-Domain Security Management counter information (for example, CPU or Overall Status).