Exceptions
Exceptions allow an event to be independently configured for the sources, destination, service and other parameters, depending on the event type. An event is a record of a security or network incident that is based on one or more logs, and on a customizable set of rules that are defined in the Event Policy.
For example, if the event Scans > Port Scan from Internal Network is set to detect an event when 30 port scans occur within 60 seconds, you can also define that two port scans detected from host A within 10 seconds of each other is also an event.
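The thresholds from the port scan example above, worked through in Python as an added illustration. This is not Check Point code and does not model SmartEvent's actual correlation engine; it assumes scans are counted per source in a sliding window, and the host names, function names and sample data are hypothetical.

```python
from collections import defaultdict, deque

# Thresholds taken from the example in the text: (count, window_seconds).
DEFAULT_RULE = (30, 60)            # base event definition
EXCEPTIONS = {"host-A": (2, 10)}   # exception matched on Source (hypothetical object name)

def detect_events(scans):
    """scans: iterable of (timestamp_seconds, source), sorted by time.
    Assumption: scans are counted per source.
    Returns a list of (timestamp, source, rule_used) for each event raised."""
    windows = defaultdict(deque)   # per-source timestamps inside the window
    events = []
    for ts, src in scans:
        is_exception = src in EXCEPTIONS
        count, period = EXCEPTIONS[src] if is_exception else DEFAULT_RULE
        win = windows[src]
        win.append(ts)
        # Drop scans that fell out of the sliding window.
        while ts - win[0] > period:
            win.popleft()
        if len(win) >= count:
            events.append((ts, src, "exception" if is_exception else "default"))
            win.clear()            # start counting again after raising an event
    return events

def constructed_scans():
    """Constructed sample data, not real logs."""
    scans = [(0, "host-A"), (4, "host-A")]                 # 2 scans within 10 s
    scans += [(20, "host-A"), (45, "host-A")]              # 25 s apart: no event
    scans += [(100 + i, "host-B") for i in range(29)]      # 29 scans: below default
    scans += [(200 + 2 * i, "host-C") for i in range(30)]  # 30 scans in 58 s
    return sorted(scans)

if __name__ == "__main__":
    for event in detect_events(constructed_scans()):
        print(event)
```

Two scans from host-B in the same 4 seconds raise nothing, because the exception is matched on the source and every other host stays on the base threshold.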
To add an exception:
- In SmartConsole (the Check Point GUI application used to manage a Check Point environment: configure Security Policies, configure devices, monitor products and events, install updates, and so on), from the left navigation panel, click the Logs & Monitor view.
- At the top, click + to open a new tab.
- In the bottom section External Apps, click SmartEvent Settings & Policy.
- In the section Apply the following exceptions to the event definition, click Add (on the right side, move the scrollbar down to see this section).
- In the section Exception match:
  - In the Source field:
    - Select the checkbox.
    - On the right side, click [...].
    - Select the required object.
      Note - If you do not see the host object listed, you may need to create it in SmartEvent (see System Administration).
    - Click OK.
  - In the Destination field:
    - Select the checkbox.
    - On the right side, click [...].
    - Select the required object.
      Note - If you do not see the host object listed, you may need to create it in SmartEvent (see System Administration).
    - Click OK.
  - In the Connection occurred at least field, enter the relevant number of times.
  - In the times over a period of field, enter the relevant number of seconds.
- In the section Severity and Reactions:
  - In the Severity field, select the required level.
  - In the Reactions section, select the applicable option:
    - Default.
    - Specific > click [...] > select or add the relevant Automatic Reactions > click OK (see Automatic Reactions).
  - Optional: In the Comment field, enter meaningful text.
- Click OK.
- Click Menu > File > Save.
- Click Menu > Actions > Install Event Policy.