Monitoring Threat Prevention

Log Sessions

Gateway traffic generates a large amount of activity. To make sure that the amount of logs is manageable, by default, logs are consolidated by session. A session is a period that starts when a user first accesses an application or site. During a session, the gateway records one log for each application or site that a user accesses. All activity that the user does within the session is included in the log.

To see the number of connections made during a session, see the Suppressed Logs field of the log in the Logs & Monitor view.

Session duration for all connections that are prevented or detected in the Rule Base is, by default, 10 hours. You can change this in SmartConsole, in the Manage & Settings view > Blades > Threat Prevention > Advanced Settings > General > Connection Unification.
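The consolidation rule described above (one log per user and application per session, with the folded-in connections counted as Suppressed Logs, and a session that expires after a configurable duration, 10 hours by default) can be modelled in a few lines. The code below is an added illustration, not Check Point's implementation; the record layout, the field names and the sample connections are constructed for the example.

```python
"""Session-based log consolidation over constructed connection records.

Added illustration of the behaviour described on the page: one log per
(user, application) session, a count of the connections folded into it
(the "Suppressed Logs" figure), and a session duration that defaults to
10 hours. Field names and sample data are assumptions for the example.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

DEFAULT_SESSION_HOURS = 10  # default Connection Unification setting


@dataclass
class Connection:
    user: str
    application: str
    time: datetime
    action: str  # "Prevent" or "Detect"


@dataclass
class SessionLog:
    user: str
    application: str
    start: datetime
    end: datetime
    action: str          # action of the first connection in the session
    suppressed_logs: int = 0  # connections folded into this log after the first


def consolidate(connections, session_hours=DEFAULT_SESSION_HOURS):
    """Fold individual connections into session logs.

    A session starts at the first connection for a (user, application)
    pair and lasts session_hours; a connection at or after that point
    starts a new session (and a new log). Logs are returned in order of
    session start.
    """
    session_duration = timedelta(hours=session_hours)
    open_sessions = {}  # (user, application) -> current SessionLog
    logs = []
    for conn in sorted(connections, key=lambda c: c.time):
        key = (conn.user, conn.application)
        current = open_sessions.get(key)
        if current is None or conn.time >= current.start + session_duration:
            current = SessionLog(conn.user, conn.application,
                                 conn.time, conn.time, conn.action)
            open_sessions[key] = current
            logs.append(current)
        else:
            # Same session: no new log, just count the connection.
            current.suppressed_logs += 1
            current.end = conn.time
    return logs


# Constructed sample connections (not real gateway data).
T0 = datetime(2024, 1, 1, 8, 0)
SAMPLE_CONNECTIONS = [
    Connection("alice", "example-site", T0, "Prevent"),
    Connection("alice", "example-site", T0 + timedelta(minutes=5), "Prevent"),
    Connection("alice", "example-site", T0 + timedelta(minutes=30), "Prevent"),
    Connection("alice", "other-app", T0 + timedelta(minutes=10), "Detect"),
    Connection("bob", "example-site", T0 + timedelta(hours=1), "Prevent"),
    # 11 hours after alice's first visit: outside the 10-hour session.
    Connection("alice", "example-site", T0 + timedelta(hours=11), "Prevent"),
]

if __name__ == "__main__":
    for log in consolidate(SAMPLE_CONNECTIONS):
        print(f"{log.start:%H:%M} {log.user:6} {log.application:13} "
              f"{log.action:8} suppressed={log.suppressed_logs}")
```

With the default 10-hour session, the six connections become four logs; shortening the session to half an hour (as an administrator might in Connection Unification) splits alice's first three visits into two sessions and produces five logs.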

Using the Log View

Viewing Threat Prevention Rule Logs

Predefined Queries

The Logs & Monitor Logs tab provides a set of predefined queries, which are appropriate for many scenarios.

Queries are organized by combinations of event properties.

Creating Custom Queries

Queries can include one or more criteria. You can modify an existing predefined query or create a new one in the query box.

To modify a predefined query:

Click inside the query box to add search filters.

Selecting Criteria from Grid Columns

You can use the column headings in the Grid view to select query criteria. This option is not available in the Table view.

To add more criteria, repeat this procedure or use one of the other procedures in this section.

Manually Entering Query Criteria

You can enter query criteria directly in the Query search bar. You can manually create a new query or make changes to an existing query that shows in the Query search bar.

As you enter text, the Search shows recently used query criteria or full queries. To use these search suggestions, select them from the drop-down list.

Selecting Query Fields

You can enter query criteria directly from the Query search bar.
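Queries built from several criteria combine `field:value` terms with boolean operators. The example below is an added illustration of how such a query is parsed and applied to log records; the grammar it accepts (`field:value` and quoted terms, free-text terms, `AND`, `OR`, `NOT`, parentheses, and juxtaposed terms treated as AND) is an assumption chosen for the example and is not a specification of the SmartConsole query language, and the log records are constructed.

```python
"""Evaluate simplified field:value queries over constructed log records.

Added illustration; the grammar (field:value terms, quoted values,
free-text terms, AND / OR / NOT with the usual precedence, parentheses)
is an assumption for the example, not SmartConsole's query syntax.
"""
import re

# Constructed sample log records, not real Check Point log output.
SAMPLE_LOGS = [
    {"blade": "Anti-Virus", "action": "Prevent", "severity": "High",
     "src": "10.0.0.5", "user": "alice"},
    {"blade": "IPS", "action": "Detect", "severity": "Medium",
     "src": "10.0.0.7", "user": "bob"},
    {"blade": "Anti-Bot", "action": "Prevent", "severity": "Critical",
     "src": "10.0.0.5", "user": "alice"},
    {"blade": "Threat Emulation", "action": "Prevent", "severity": "High",
     "src": "10.0.1.9", "user": "carol"},
]

# Parentheses, field:"quoted value", field:value, "quoted text", bare word.
TOKEN_RE = re.compile(
    r'\(|\)|[A-Za-z_]+:"[^"]*"|[A-Za-z_]+:[^\s()"]+|"[^"]*"|[^\s()"]+')


def tokenize(query):
    return TOKEN_RE.findall(query)


class _Parser:
    """Recursive-descent parser producing a small tuple-based tree."""

    def __init__(self, tokens):
        self.tokens, self.pos = tokens, 0

    def peek(self):
        return self.tokens[self.pos] if self.pos < len(self.tokens) else None

    def take(self):
        tok = self.peek()
        self.pos += 1
        return tok

    def parse(self):
        node = self.parse_or()
        if self.peek() is not None:
            raise ValueError(f"unexpected token {self.peek()!r}")
        return node

    def parse_or(self):  # lowest precedence
        left = self.parse_and()
        while self.peek() and self.peek().upper() == "OR":
            self.take()
            left = ("or", left, self.parse_and())
        return left

    def parse_and(self):
        left = self.parse_not()
        # Terms written side by side without an operator are ANDed.
        while self.peek() and self.peek() != ")" and self.peek().upper() != "OR":
            if self.peek().upper() == "AND":
                self.take()
            left = ("and", left, self.parse_not())
        return left

    def parse_not(self):
        if self.peek() and self.peek().upper() == "NOT":
            self.take()
            return ("not", self.parse_not())
        return self.parse_atom()

    def parse_atom(self):
        tok = self.take()
        if tok is None:
            raise ValueError("unexpected end of query")
        if tok == "(":
            node = self.parse_or()
            if self.take() != ")":
                raise ValueError("missing closing parenthesis")
            return node
        if ":" in tok and not tok.startswith('"'):
            field, value = tok.split(":", 1)
            return ("field", field.lower(), value.strip('"'))
        return ("text", tok.strip('"'))  # free text: matches any field


def matches(node, log):
    kind = node[0]
    if kind == "field":
        return str(log.get(node[1], "")).lower() == node[2].lower()
    if kind == "text":
        needle = node[1].lower()
        return any(needle in str(v).lower() for v in log.values())
    if kind == "not":
        return not matches(node[1], log)
    if kind == "and":
        return matches(node[1], log) and matches(node[2], log)
    return matches(node[1], log) or matches(node[2], log)


def search(logs, query):
    """Return the records matching the query string."""
    node = _Parser(tokenize(query)).parse()
    return [log for log in logs if matches(node, log)]


if __name__ == "__main__":
    for q in ['action:Prevent AND severity:High', 'blade:"Threat Emulation"',
              'src:10.0.0.5 NOT blade:Anti-Bot', '(blade:IPS OR blade:Anti-Bot) alice']:
        print(q, "->", [log["user"] for log in search(SAMPLE_LOGS, q)])
```

`NOT` binds tightest, then `AND`, then `OR`, so `a OR b AND c` reads as `a OR (b AND c)`; parentheses override this, as in the last query above.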

Packet Capture

You can capture network traffic. The content of the packet capture provides greater insight into the traffic that generated the log. With this feature activated, the Security Gateway sends a packet capture file with the log to the Log Server. You can open the file, or save it to a file location to retrieve the information at a later time.

For some blades, the packet capture option is activated by default in Threat Prevention Policy.

Advanced Forensics Details

From R80.30, some logs contain additional fields which can be found in the Advanced Forensics Details section in the log. These protocols are supported: DNS, FTP, SMTP, HTTP, and HTTPS. The additional information is used by the Check Point researchers to analyze attacks. The advanced forensics details also show in the gateway statistics files which are sent to the Check Point cloud.

The Advanced Forensics Details do not show if the connection closes before this information is saved. This depends on the traffic and configuration of the Software Blades.

Threat Analysis in the Logs & Monitor View

The Logs & Monitor view supplies advanced analysis tools with filtering, charts, reporting, statistics, and more, of all events that travel through enabled Security Gateways.

You can filter the Threat Prevention Software Blade information for fast monitoring and useful reporting on connection incidents related to these blades.

Views

A View window tells administrators and other stakeholders about security and network events. A View is an interactive dashboard made up of widgets. Each widget is the output of a query. A widget pane can show information in different formats, for example, a chart or a table.

SmartConsole comes with several predefined views. You can create new views that match your needs, or you can customize an existing view. Views are accurate to the time they were generated or refreshed.

In the Logs & Monitor view, clicking the (+) tab opens a catalog of all views and reports, predefined and customized. To open a view, double-click the view or select the applicable view and click Open from the action bar.

For more information on using and customizing reports, see the R81.10 Logging and Monitoring Administration Guide.

Reports

A report consists of multiple views and a cover page. There are several predefined reports, and you can create new reports. A report gives more details than a view. Reports can be customized, filtered, generated and scheduled. You cannot drill down into a report.

Click the (+) tab to open a catalog of all views and reports, predefined and customized. To open a report, double-click the report or select the applicable report and click Open.

For more information on using and customizing reports, see the R81.10 Logging and Monitoring Administration Guide.