Logging and Monitoring
This chapter includes information that is directly related to Multi-Domain Security Management, with some general background information and basic procedures. See the R81 Logging and Monitoring Administration Guide for the full set of conceptual information and procedures.
With R80, logging, event management, reporting, and monitoring are more tightly integrated than ever before. Security data and trends are easy to understand at a glance, with Widgets and chart templates that optimize the visual display. Logs are now tightly integrated with the Policy rules, so that you can access all logs associated with a specific rule by simply clicking on that rule. Free-text search also lets you enter specific search terms to retrieve results from millions of logs in seconds.
One-click exploration makes it easy to move from high-level overview to specific event details such as type of attack, timeline, application type and source. After you investigate an event, it is easy to act on it. Depending on the severity of the event, you can choose to ignore it, act on it later, or block it immediately. You can also easily toggle over to the rules associated with the event to refine your Policy. Send reports to your manager or auditors that show only the content that is relevant to each stakeholder.
In R80.x, SmartReporter and SmartEvent functionality is integrated into SmartConsole, the Check Point GUI application used to manage a Check Point environment (configure Security Policies, configure devices, monitor products and events, install updates, and so on).
Using rich and customizable views and reports, R80 introduces a new experience for log and event monitoring.
The new views are available from two locations:
- SmartConsole > Logs & Monitor
- SmartView Web Application. Browse to: https://<Server IP Address>/smartview/

Where Server IP Address is the IP address of the Multi-Domain Server (MDS: the dedicated Check Point server that hosts virtual Security Management Servers called Domain Management Servers; synonym: Multi-Domain Security Management Server) or the Multi-Domain Log Server (MDLS: the dedicated Check Point server that stores and processes logs in a Multi-Domain Security Management environment; it consists of Domain Log Servers that store and process logs from the Security Gateways managed by the corresponding Domain Management Servers).

Note - Include the final slash: /
Note - When opening a Global SmartEvent object from a Domain in SmartConsole or SmartView Monitor, this error message appears: " This is only a cosmetic issue that does not affect functionality. Domains do not have SIC (Secure Internal Communication: the Check Point proprietary mechanism with which computers that run Check Point software authenticate each other over SSL for secure communication, based on the certificates issued by the ICA on a Check Point Management Server) connectivity with the Global SmartEvent Server. Therefore, Domains cannot report the real SIC status of the Global SmartEvent Server. To see the real SIC status, open the Global SmartEvent Server object in SmartConsole connected to the Multi-Domain Server context.