Searching the Logs

SmartConsole (the Check Point GUI application used to manage a Check Point environment: configure Security Policies, configure devices, monitor products and events, install updates, and so on) lets you quickly and easily search the logs with many predefined log queries or customized log queries. Queries can include one or more criteria. You can modify an existing predefined query or create a new one in the query search box.

To see the predefined queries:

  1. Open SmartConsole > Logs & Monitor view.

  2. Click Queries.

  3. Select the applicable pre-defined query.

To modify a predefined query:

Click inside the query box to add search filters.

To manually enter query text:

  1. In the query search bar, click Enter Search Query (Ctrl+F).

  2. Enter the search query in the search box.

  3. As you enter text, the query search box shows recently used query criteria or full queries. To use these search suggestions, select them from the drop-down list.

To manually refresh your query:

Click Refresh (F5).

To continuously refresh your query (Auto-Refresh):

Click Auto-Refresh (F6). The icon is highlighted when Auto-Refresh is enabled.

The query continues to update every five seconds while Auto-Refresh is enabled. If the number of logs exceeds 100 in a five-second period, the logs are aggregated, and the summary view shows.

Selecting Query Fields

You can enter query criteria directly from the query search bar.

To select field criteria:

  1. If you start a new query, click Clear to remove query definitions.

  2. Put the cursor in the query search bar.

  3. Click Add a search filter.

  4. Select a filter from the drop-down list.

  5. Enter the applicable criteria in the query search bar.

Using the Action Filter

One of the search filters is Action. When you select the Action filter, a list shows all the log actions available for searching. This table lists and explains these log actions.

Action | Description
--- | ---
Accept | The Security Gateway (a dedicated Check Point server that runs Check Point software to inspect traffic and enforce Security Policies for connected network resources) allowed traffic based on the Access Control Security Policy (a collection of rules that control network traffic and enforce organization guidelines for data protection and access to resources with packet inspection).
Ask User | The user was prompted to decide if the Security Gateway must block or allow specific traffic, based on Access Control or Custom Threat Prevention Security Policies. Or: a DLP incident was captured and put in quarantine, and the user was asked to decide what to do.
Bypass | Threat Emulation (a Check Point Software Blade on a Security Gateway that monitors the behavior of files in a sandbox to determine whether or not they are malicious; acronym: TE), Threat Extraction (a Software Blade on a Security Gateway that removes malicious content from files; acronym: TEX) or Anti-Virus (a Software Blade on a Security Gateway that uses real-time virus signatures and anomaly-based protections from ThreatCloud to detect and block malware at the Security Gateway before users are affected; acronym: AV) did not inspect a file.
Decrypt | The Security Gateway decrypted a VPN packet to reveal its content and allow further inspection.
Detect | A Threat Prevention blade detected malicious traffic but did not block it because it worked in Detect mode.
Do not send | The user decided to drop a transmission that was captured by DLP. An administrator with full permissions or with the View, Release or Discard DLP messages permission can also drop these transmissions. An email notification was sent to the user.
Drop | The Security Gateway blocked traffic based on the Access Control Security Policy and did not notify the source.
Encrypt | The Security Gateway encrypted a VPN packet to secure its contents and prevent unauthorized access.
Extract | Threat Extraction extracted potentially malicious content from a file before the file entered the network.
HTTPS Bypass | The Security Gateway allowed network traffic to bypass HTTPS Inspection (a feature on a Security Gateway that inspects traffic encrypted by the Secure Sockets Layer (SSL) protocol for malware or suspicious patterns; synonym: SSL Inspection; acronyms: HTTPSI, HTTPSi).
HTTPS Inspect | The Security Gateway inspected HTTPS traffic.
Inform User | The user was informed what the organization's policy was, based on the Access Control or Custom Threat Prevention Security Policies. Or: a DLP transmission was detected and allowed, and the user was notified.
Inline | Traffic was sent for emulation before it was allowed to enter the internal network.
Inspect | Threat Emulation or Anti-Virus inspected a file.
IP Changed | An association between a specific IP address and a user changed, because the IP address on the associated host changed (DHCP).
Key Install | The Security Gateway created encryption keys for VPN.
Open Shell | An administrator opened a command shell to a Gaia server (Gaia is the Check Point security operating system that combines the strengths of both the SecurePlatform and IPSO operating systems).
Packet Tagging | The Security Gateway shared a packet tagging key with an Identity Agent.
Prevent | The Security Gateway blocked traffic based on the DLP or Threat Prevention policy.
Run Script | An administrator executed a script on a Gaia server from SmartConsole.
Send | The user decided to continue a transmission after DLP capture. An administrator with full permissions or with the View/Release/Discard DLP messages permission can also decide to continue the transmission. An email notification is sent to the user.
Update | The Security Gateway downloaded and installed the latest version or Hotfix (a software package installed on top of the current software version to fix a wrong or undesired behavior, and to add a new behavior).
VPN Routing | The Security Gateway directed the VPN traffic through the appropriate specific VPN tunnel or Security Gateway.
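The Action values above are what a defender filters on when triaging: "Detect" and "Bypass" mean traffic was seen but not blocked or not inspected, and "Open Shell", "Run Script" and "Update" record administrator activity on the gateway. The script below is an added example, not Check Point code; it assumes exported log records as dicts with an "action" key holding one of the table's values (the record layout and the sample records are constructed, not the real export format).

```python
"""Triage helper over Check Point log records filtered by Action (added example)."""
from collections import Counter

# All Action values from the table above; anything else is reported as unknown.
ALL_ACTIONS = {
    "Accept", "Ask User", "Bypass", "Decrypt", "Detect", "Do not send", "Drop",
    "Encrypt", "Extract", "HTTPS Bypass", "HTTPS Inspect", "Inform User", "Inline",
    "Inspect", "IP Changed", "Key Install", "Open Shell", "Packet Tagging",
    "Prevent", "Run Script", "Send", "Update", "VPN Routing",
}
# Per the table: Detect = malicious but not blocked; Bypass = file not inspected.
NOT_BLOCKED = {"Detect", "Bypass"}
# Per the table: administrator activity on the gateway itself.
ADMIN = {"Open Shell", "Run Script", "Update"}

# Constructed sample records (assumed layout: "action" plus a few context fields).
SAMPLE_LOGS = [
    {"time": "10:00:01", "action": "Accept", "src": "10.0.0.5"},
    {"time": "10:00:02", "action": "Detect", "src": "10.0.0.7", "blade": "IPS"},
    {"time": "10:00:03", "action": "Drop", "src": "10.0.0.9"},
    {"time": "10:00:04", "action": "Bypass", "src": "10.0.0.7", "blade": "Threat Emulation"},
    {"time": "10:00:05", "action": "Open Shell", "src": "10.0.0.2", "user": "admin"},
    {"time": "10:00:06", "action": "Detect", "src": "10.0.0.7", "blade": "Anti-Virus"},
    {"time": "10:00:07", "action": "Bogus", "src": "10.0.0.1"},   # malformed record
]


def filter_by_action(records, actions):
    """Equivalent of the SmartConsole Action filter: keep records whose action is in `actions`."""
    return [r for r in records if r.get("action") in actions]


def summarize(records):
    """Count records per Action value; values not in the table are counted as 'unknown'."""
    return Counter(
        r.get("action") if r.get("action") in ALL_ACTIONS else "unknown" for r in records
    )


def triage(records):
    """Sources with threat events that were not blocked, plus every admin action on the gateway."""
    unblocked = Counter(r["src"] for r in filter_by_action(records, NOT_BLOCKED))
    admin = [(r["time"], r["action"], r.get("user")) for r in filter_by_action(records, ADMIN)]
    return {"unblocked_by_src": dict(unblocked), "admin_actions": admin}


if __name__ == "__main__":
    print(summarize(SAMPLE_LOGS))
    print(triage(SAMPLE_LOGS))
```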

Selecting Criteria from Table Columns

You can use the column headings to select query criteria.

To select query criteria from table columns:

  1. In the Results pane, right-click on a column heading.

  2. Select Add Filter.

  3. Select or enter the filter criteria.
    The criteria show in the query search box and the query runs automatically.

Saving a New Query

To save the new query in the Favorites list:

  1. Click Queries > Add to Favorites.

    The Add to Favorites window opens.

  2. Enter a name for the query.

  3. Select or create a new folder to store the query.

  4. Click Add.