Monitoring Logs and Events for Application and URL Filtering

In This Section:

Using Logs with Application and URL Filtering

Viewing Rule Logs

To see logs generated by a specified rule:

In R80 SmartConsole, go to the Security Policies view.
In the Access Control Policy or Threat Prevention Policy, select a rule.
In the bottom pane, click one of these tabs to see:
- Summary - Rule name, rule action, rule creation information, and the hit count. Add custom information about the rule.
- Details - Details per column. Select columns as necessary.
- Logs - Log entries according to specific filter criteria - Source, Destination, Blade, Action, Service, Port, Source Port, Rule (Current rule is the default), Origin, User, or Other Fields.
- History - List of rule operations in chronological order, including the information about the rule type and the administrator that made the change.

Log Sessions

Application traffic generates a very large amount of activity. To make sure that the amount of logs is manageable, by default, logs are consolidated by session. A session is a period that starts when a user first accesses an application or site. During a session, the Security Gateway records one log for each application or site that a user accesses. All activity that the user does within the session is included in the log.

To see the number of connections made during a session:

In the Logs tab of the Logs & Monitor view, see the Suppressed Logs field of the log.

To configure the session duration:

For applications or sites that are allowed in the Rule Base, the default session is three hours. You can change this in R80 SmartConsole from the Manage & Settings view, in Blades > Application and URL Filtering > Advanced Settings > General > Connection unification.
For applications or sites that are blocked in the Rule Base, a session is 30 seconds.

Application Control and URL Filtering Logs

To see logs from Application Control and URL Filtering:

Go to the Logs tab of the Logs & Monitor view, click the Favorites (star) icon, and select Predefined > Access > By Blade > Application Control or URL Filtering. The logs that you see depend on the Tracking Options that you configure in each Application Control and URL Filtering rule in the Access Control Policy Rule Base.

To see logs related to Application and URL Filtering Database updates on the Security Gateway:

Go to the Logs tab of the Logs & Monitor view, click the Favorites (star) icon, and select Predefined > Access > > System.

This also shows logs related to other system related issues, such as problems that the application detection service encounters.

To learn more about logging, see the R80 Logging and Monitoring Administration Guide.

Application Control and URL Filtering in the SmartEvent GUI

Event Analysis in the SmartEvent GUI

SmartEvent has advanced analysis tools with filtering, charts, reporting, and statistics for all events.

The administrator must have HTTPS Inspection permissions to see data in HTTPS inspected traffic.

You can filter the Application Control and URL Filtering information for fast monitoring and useful reporting on application traffic.

Real-time and historical graphs and reports of application and site traffic.
Graphical incident timelines for fast data retrieval.
Easily configured custom views to quickly view specified queries.
Incident management workflow.
Reports to data owners on a scheduled basis.

We recommend that you use SmartEvent only for these purposes:

To schedule reports
To edit the event policy settings

Use R80 SmartConsole for real-time event and log viewing.

To use SmartEvent, you must enable it on the Security Management Server or on a dedicated computer. See the R80 Logging and Monitoring Administration Guide.

Viewing Information in the SmartEvent GUI

To view Application and URL Filtering events in SmartEvent GUI:

In R80 SmartConsole, go to the Logs & Monitor view.
Click to open a New Tab, and in the External Apps section, click SmartEvent Settings & Policy.
In the window that opens, select a Security Management Server.
Click OK.
The R80 SmartEvent opens.
In SmartEvent, open the Application and URL Filtering tab view.
The default view shows these panels:
- Top High Risk Application/Site by Risk
- Timeline View - Shows High Risk Applications & Sites based on the number of events, and All Applications & Sites based on the traffic load in Megabytes
- Top Sources by Event Count
- All Events - Shows the last 200 events

You can customize the view and modify the filters as necessary. For more information, see the R80 Logging and Monitoring Administration Guide.

Administrator Permission Profiles

You can give an administrator permissions for:

Monitoring and Logging
Events and Reports

To define an administrator with these permissions:

Define an administrator or an administrator group.
Define a Permission Profile with the required permissions in R80 SmartConsole (Manage & Settings > Permission Profiles).
Assign that profile to the administrator or to the administrator group.

Creating, Changing, or removing an Administrator

Create an administrator for R80 SmartConsole or one of the R80 SmartConsole clients.

If you create an administrator account through the Check Point Configuration Tool or the First Time Configuration Wizard, the authentication credentials are a username and a password. If you create it through the R80 SmartConsole, you can choose one of these authentication methods:

Check Point Password - For each user defined on the Security Management Server, a password is stored on the Security Gateway
OS Password - User's credentials for logging in to the operating system of the gateway
SecurID - A challenge response method that uses a token device or a software token
RADIUS - Remote Authentication Dial-In User Service - External server stores user credentials and manages authentication of users to network devices
TACACS - Terminal Access Controller Access Control System - External server stores user credentials and manages authentication of users to network devices

To create an administrator account using R80 SmartConsole:

Click Manage & Settings > Permissions and Administrators.
The Administrators pane shows by default.
Click New Administrator.
The New Administrators window opens.
Enter a unique name for the administrator account.
Note - This parameter is case-sensitive.
Set the Authentication Method, or create a certificate, or the two of them.
Note - If you do not do this, the administrator will not be able to log in to R80 SmartConsole or other R80 SmartConsole clients, such as SmartEvent.

To define an Authentication Method:

Select one of the methods and follow the instructions in Configuring Authentication Methods for Administrators.
- Check Point Password
- OS Password
- SecurID
- RADIUS
- TACACS
To create a Certificate:

In the Certificate Information section, click Create, enter a password, and save the certificate to a secure location.
Select a Permissions profile for this administrator, or create a new one.
Set the account Expiration date:
- For a permanent administrator - select Never
- For a temporary administrator - select an Expire At date from the calendar
The default expiration date shows, as defined in the Default Expiration Settings. After the expiration date, the account is no longer authorized to access network resources and applications.
Optional: Configure Additional Info - Contact Details, Email and Phone Number of the administrator.
Click OK.

To change an existing administrator account:

Click Manage & Settings > Permissions and Administrators.
Double-click an administrator account.
The Administrators properties window opens.

Creating and Changing Permission Profiles

Administrators with Super User permissions can create, edit, or delete permission profiles.

To create a new permission profile:

In R80 SmartConsole, go to Manage & Settings > Permissions and Administrators > Permission Profiles.
Click New Profile.
The New Profile window opens.
Enter a unique name for the profile.
Select a profile type:
- Read/Write All - Administrators can change the configuration
- Auditor (Read Only All) - Administrators can see the configuration, but cannot change it
- Customized - Configure custom settings
Click OK.

To change a permission profile:

In R80 SmartConsole, go to Manage & Settings > Permissions and Administrators > Permission Profiles.
Double-click the profile to change.
In the Profile configuration window that opens, change the settings as needed.
Click Close.

To delete a permission profile:

In R80 SmartConsole, go to Manage & Settings > Permissions and Administrators > Permission Profiles.
Select a profile and click Delete.
You cannot delete a profile that is assigned to an administrator. To see which administrators use a profile, in the error message, click Where Used.

If the profile is not assigned to administrators, a confirmation window opens.
Click Yes to confirm.

Permissions for Monitoring, Logging, Events, and Reports

In the Profile object, select the features and the Read or Write administrator permissions for them.

Monitoring and Logging Features

These are some of the available features:

Monitoring
Management Logs
Track Logs
Application and URL Filtering Logs

Events and Reports Features

These are the permissions for the SmartEvent GUI:

SmartEvent
- Events - The Events tab
- Policy - Events correlation on the Policy tab
- Reports - Reports tab
SmartEvent Application and URL Filtering reports only

Assigning Permission Profiles to Administrators

To assign a permission profile to an administrator:

Click Manage & Settings > Permissions and Administrators.
Double-click an administrator account.
The Administrators properties window opens.
In the Permissions section, from the drop-down menu, select a Permission Profile.
Click OK.