Logs and Monitoring


Time: 4 hours 44 minutes
Difficulty: Beginner
CEU/CPE: 4
Video Transcription
00:01
Hello and welcome again to Check Point Jump Start training. This module will be examining how Check Point logging works, how you configure it and how you can access the log data.
00:17
So we'll start by discussing the point of setting up logging, then using the track action in your security policy to determine which rules that have traffic matching them should generate log data, and how verbose that log data should be.
00:44
We'll then take a look at the SmartLog component of SmartConsole, which allows you to intuitively search for and display the detailed log data that is being generated.
01:00
We'll also look at the functionality in both SmartConsole and external applications that permits you to get an at-a-glance update of the status of your Check Point deployment, as well as getting more detailed information about your Check Point deployment.
01:27
Also the SmartView Web application, which provides a platform-independent way of accessing log data. You don't have to have a Windows desktop machine with the Check Point SmartConsole software installed. You just need a standards-compliant Web browser.
01:53
I will also demonstrate this: how to set up logging, configure log actions in policy and then examine log data, examine the status of your Check Point deployment, and we'll take a look at the SmartView Web application.
02:13
So kind of a central theme in Check Point is the three-tier architecture, where we have security gateways that are examining network traffic, applying your security policy to that network traffic, determining which connections should be permitted, which connections should not be permitted, or perhaps which connections we're going to allow but we're going to watch, with a layer 7 awareness of what is acceptable for this protocol and what isn't.
02:52
So security gateways are doing that, and as they do that they're generating log data. The log data is sent securely using Secure Internal Communication (SIC, pronounced "sick") to a designated log server, and by default that's going to be your security management server.
03:15
But in a large deployment, you may want to move that load, that overhead, off of your security management server and have it handled by another appliance. And you can do that. You can set up a dedicated log server.
03:36
Similarly, we'll take a look at the SmartEvent component, which allows you to see event data that is, by default, processed on your security management server. That could be a lot of processing, a lot of overhead, so you can deploy another appliance and configure that appliance to be where SmartEvent processing is done.
04:09
And finally, there's the SmartConsole component, which again is a Windows application that connects to the management server or the log server or the SmartEvent server and displays the data that is available, with log files, for instance.
04:35
So in order to have logging work, you need at least one log server. Again, by default, that's your management server. The screenshot to the right shows a management server, and you can tell that it's a management server because it has the Network Policy Management blade enabled. And in fact, it's the primary management server, so there's no option to turn that off. It has to be the management server. And also selected as a feature, a component, a blade, is Logging and Status.
05:21
If you deploy a dedicated log server, one, you would configure it to be a dedicated log server using the Web user interface first-time wizard configuration. Then you would create a Check Point object to represent that dedicated log server, establish SIC with that appliance, and then in the Check Point object that you created for that log server you would select Logging and Status, and perhaps, if you also wanted it to handle SmartEvent processing, you can select the SmartEvent components.
06:08
I'm not going to get into details on that, but there are two: the SmartEvent Server, which is where the event database is kept, and a SmartEvent Correlation Unit, which is pulling log data from various sources, primarily Check Point log data, but it can also pull in from third parties, and analyzing it to see, do we have something here that looks like an event? That can all be done on your management server, but that's a lot of overhead, so you can offload it to a dedicated log server that also handles SmartEvent, or you can have a dedicated, just SmartEvent, server.
07:00
Yeah, I think I want to go back. Okay, so cut this part out and we'll go back and we'll start.
07:11
So, as I said, by default your management server is the designated log server. If you change that, if you deploy a dedicated log server, you have to make sure the dedicated log server has a Check Point object to represent it, SIC is established, and that object has the Logging and Status feature enabled. And you have to configure the security gateways to override their default setting of sending log data to the management server and instead configure them to send log data to the log server. That's a setting in each security gateway's Check Point object, and I'll demonstrate that.
08:01
So logging is automatically set up for you. You don't have to do any additional steps; your management server will handle logs. In a larger deployment, you may want to change that default behavior.
08:18
Now we need log data to be generated, and a primary source of log data is your security policy, where we have an access control policy with firewall rules, and each firewall rule has a track action. In a brand new rule, the track action is set to None, and traffic that matches that rule does not generate a log entry. Generally, that's not what you want. That's not best practice.
08:52
So what is best practice is to change the track action of every rule to be Log. Now, there are always exceptions. For instance, routine, frequent, chatty protocols such as perhaps DHCP or various router discovery protocols, that sort of thing. You may not want a lot of log data generated for those protocols. You may have a rule that either allows that or drops that, and its tracking action is None, because I'm not interested in log data about this particular protocol, and that's okay. But most of your rules should have at least Log as a tracking action.
09:50
And if you select Log under the More menu option when you are editing the tracking action of a rule, you have the option of also selecting Detailed Log and/or Extended Log, and both of those contribute log data just like a Log setting does. But they have, well, more information: information pulled from the layer 7-aware blades, such as Application Control, URL Filtering, Content Awareness, and that can be displayed in the SmartLog view, which I'll demonstrate.
10:35
There are some other options, such as alerts. If you select an alert option (the default is no alert), then when this rule with an alert action is matched, in addition to creating a log entry, we can also asynchronously alert somebody.
11:05
So the basic Alert option will simply give you a pop-up message. You have to be running the correct SmartConsole component to see that pop-up message. So what might be more useful is an SNMP (Simple Network Management Protocol) trap that is configured to alert whatever SNMP management solution you have that this asynchronous event has occurred.
11:37
We can also generate an email. Now, you want to be careful of that. I don't want to be inundated with tens of thousands of email messages, but that might be appropriate in certain circumstances.
11:52
And finally, user-defined alert, which actually just runs a script on the host that's generating the alert, and that script can do whatever you can imagine and implement in a script. Gaia uses the Linux operating system, a UNIX operating system, which provides, for instance, bash, the Bourne Again Shell, and that can be used for scripting and is extremely powerful. So we can use a user-defined alert to send, for instance, both an SNMP trap and an email message and something else, like start the coffee maker.
12:37
Now, to view log data, we start with SmartConsole, and over on the left, in that vertical menu, we select Logs and Monitor, and that is a tabbed interface. So if we don't already have a Logs tab, then we will click on the new tab and say I would like to see logs in this tab.
13:07
So this SmartConsole logs view is actually SmartLog, which is also a separate SmartConsole application, but it's also integrated here, and it has a lot of different features that make it easy to tune what it's showing you to precisely what it is you want to see.
13:31
So, for instance, at 1 you can have already-defined queries saved, those searches for log data that you routinely do. For instance, I want to see log data about IPS protections that have a severity of high or critical that were detected but not enforced. Or I want to see log data for Anti-Bot blade log entries that display information about, here is an internal host which is sending suspicious botnet-related traffic.
14:18
You can also quickly restrict the amount of logs by a time period. So at 2, you say I only want to see log data for the last hour or the last 24 hours or since midnight today, and you can be very granular: I want to see log data starting Tuesday at 2 a.m. through Wednesday at 1 p.m., and it will display only the log entries that are within that time period.
14:56
At 3, the query search bar allows you to further restrict the logs that are shown, and it's a natural-language search syntax. You can, for instance, say I want to see all TCP logs from this source IP address to this destination that are HTTP, and that will happen. And once you have a query that's displaying the data that you need to see, if that's something you're going to be doing on a frequent basis, you can save that as a favorite query.
15:45
Over on the right, at 4, you can see high-level event statistics, such as: what are the top sources of connections? What are the most frequently connected-to destinations? What services are we seeing the most? And so on and so forth. And then 5, well, that's the major part of this view. You can see the results.
16:18
If you double-click, or right-click and select, a log entry, it will bring up a log details window that is packed with information. Now, what information is displayed in this log details window depends on the policy that created, or the component that created, this log entry, the tracking level that was designated in that rule, and also what happened to the traffic. Traffic that is dropped, we drop with the initial connection, so we never see layer 7 data for dropped connections. Traffic that was accepted, we progressed to the layer 7 application exchange, and so there may be more log data.
17:15
So in this particular screenshot, note at the top left Origin. That's the security gateway that generated, contributed, this log entry. And then the time of day relative to that security gateway. The blades, the components, the features that contributed to this log entry: in this example, both the Firewall blade, which is basic packet filtering, stateful inspection, and the Application Control blade, which allows you to categorize, typically, HTTP and HTTPS connections based on what sort of website is that, whose website is that. And product families: was it the access control policy or was it the threat prevention policy that contributed this log entry?
18:14
Over on the right, you can see the source: host name if known, IP address, source port, which is typically not important, that's generally randomly selected, and the security zone of the source. Destination: host name if known, IP address, the destination security zone, and then the service, destination port and protocol; TCP 443 is HTTPS. Also the interface on which the traffic was accepted, the interface the traffic was received on.
18:57
And if we have layer 7 awareness that has contributed to the log data, in this example the Application Control feature, then we can see additional information, such as this destination, which has the inscrutable host name lga15s47 and so on, is actually part of Google Services. That's the application. And so if you have Application Control policy, you can make access control decisions: are you allowed to go to Google Services or not? And that's independent of the domain name. And that frees you, the security administrator, up from having to research and find out currently what every Google Services domain name is and then create policy to block or allow just those domains. Application Control knows that information.
20:00
Also, I'd like to note the matched category. This is URL Filtering. So this destination was categorized by URL Filtering as Computers/Internet, and an application risk level was determined to be Low.
20:22
Back to the right, you can see the policy information. The action for this connection was Accept. The policy package that processed this connection is the Alpha Standard. That policy was last updated today, and we matched rule number 6, the outgoing rule; that's from the Name column of the rule.
20:47
One final thing. You can't see much of it, but at the bottom left, this traffic was rewritten by the network address translation (NAT) policy. And so, while the source address of the original traffic was 10.1.1.201, NAT translated that source address to be the external IP address of, in this example, a cluster; it could also be just a single security gateway. So what the Google Services destination received was a packet from 203.0.113.1. So return traffic from the Google Services host will be addressed to 203.0.113.1, and NAT will translate it back to the original IP.
21:48
So I mentioned that it's a fairly flexible natural-language log entry search query system. So, for instance, you can query log entries that are Drop or Accept or something else, based on the action column of the rule that matched. You can restrict your searches to log entries that were contributed by a specific blade. Again, I want to only see Anti-Bot related logs; you can say blade: Anti-Bot. Source, destination, port, and if you, for instance, have identity-based policy where you are determining who's the user that is originating this traffic, you can search based on the identity. So show me traffic from user Tom that is the HTTPS protocol that was accepted.
22:56
So some more examples: searching by a particular user, Richard; searching for an IP address or a range of IP addresses, in this case a subnet. Show me anything in the 10.0.0 subnet. You can also say show me anything from 10.0.0.1 through 10.0.0.149. Search for IPv6 addresses, host names. Over on the right, searching for a range of ports. Note that we overflow here, so that's sort of a bug in the slide. It was just to see if you would notice, because the maximum port number is 65535.
23:49
Searching by destination or source, you would prefix with src: or dst: to say I only want to see traffic from this source or for this destination. You can also say I only want to see log entries where a specific field, such as network address translation or destination host name, is blank. So dst host: "" (quote, quote). The two quotes, or the empty square brackets, designate no data in that field.
24:37
Another nice feature that Smart Consul provides is, ah, high level overview of the health of your checkpoint deployment.
24:48
So
24:49
this will display the health of all checkpoint devices
24:55
that have sick established to your management server as well as the management server itself.
25:03
And here we can see that there are three devices that we have sick established what two devices that we have six established two plus the management server. But
25:12
those two devices are part of a cluster,
25:15
and we're not going to get into clustering in this training. But
25:18
just briefly, When you have a cluster, the individual components of the cluster are generally not
25:27
access, not configured individually. Instead, you
25:32
configure the cluster object that contains those individual security gateways.
25:37
But
25:38
in this context, it is important to know not only the overall cluster status but the status of the components of the cluster. So
25:48
not only is the cluster object displayed here, but the individual gateway objects that
25:55
are members of that cluster are also displayed.
25:57
And note
26:00
the status column on the left
26:02
green circle with a check mark. Inside of it means everything is good.
26:07
Ah, yellow
26:08
triangle
26:11
means that
26:11
at least one component 11 portion of this checkpoint host has a warning for you.
26:22
If that status symbol is not yellow, it's red. Instead,
26:27
that means that
26:29
at least one component of that checkpoint host has a critical issue that you need to address critical issues. Could be, I can't talk to it right now
26:40
because the network is down or that device is down.
26:42
It could mean that a license has expired
26:47
would mean that it is critically overloaded.
26:51
I also want to note under recommended updates.
26:55
There are no
26:57
currently recommended updates that have not been applied to the three checkpoint hosts, the management server and the two security gateways
27:07
up to date. And that's that
27:08
CP use component,
27:11
which is a guy a level component that on that guy a host will automatically reach out to checkpoint and determine. Are there any updates that are applicability to this version of Gaia
27:26
in this role security Gateway Management Server? What have you
27:30
and so right now? No,
27:33
you can also see
27:34
CPU usage. There's other things I'd like to know about network throughput on a security gateway Memory utilization.
27:42
Ah, and you can get that information by selecting one of the
27:48
lines
27:49
your ah, a W cluster or a SMS, or an individual security gateway. And then at the bottom
27:57
mawr, information is displayed more verbose information. So we've selected a gateway cluster, and at the bottom you get details of a gateway cluster, and you can further drill into the details by clicking on either the license status OK, which is a hyperlink, or
28:17
device and license information,
28:21
and that will bring up
28:22
even mawr information about licensing or the components of the device. For instance, on the security gateway if you have
28:32
the
28:33
i PS intrusion prevention blade enable,
28:34
uh, what's the
28:37
status of the I PS played? When was that last updated with signatures and protections?
28:48
Now, the SmartView Web application is new in R80. To access it, by default you go to https:// whatever your management server is. That could be a host name, could be an IP address, could be a fully qualified domain name, whatever. You would not literally type MGMT HOST in all caps; replace that with the IP address or host name of your management server, then /smartview, and perhaps click through a TLS warning about the certificate of this management host. Once you've clicked through, you'll be asked to authenticate as a Check Point administrator, and once successfully authenticated, you will see something sort of like the logs view of SmartConsole, only browser-based. And this is really handy for, for instance, auditors or a help desk or security analysts who need to be able to see what the current security posture of your Check Point deployment is, or look at log data.
30:15
So I'm going to demonstrate the various logs and status views in SmartConsole. We'll do some queries; we'll also take a look at SmartEvent. We'll look at the various log options as well as alert options and the SmartView Web application.
30:42
But first, I want to show you how to see status and logs in SmartConsole, and first, status. If you go to the Gateways and Servers view in the left-hand side menu, you get a quick, easy overview of the status of your Check Point deployment. So all Check Point devices, starting with the management server and then including every Check Point device that you have SIC established with, will be displayed here, and in the first column, the Status column, you get a green circle with a check mark if that device currently has no critical issues and no warnings. If it has at least one warning, no critical issues, there'll be a yellow indicator. If it has at least one critical issue, there'll be a red indicator.
31:34
And selecting one of the Check Point devices displayed will bring up more information down at the bottom in the Summary tab. So, for instance, we can see CPU and memory utilization, whereas in the top half we only see CPU. It'll tell us if it's a security gateway or management server or something else. In this example, it's a security gateway, and it has the Example Co policy installed; that was done at this date and time.
32:17
you can also see tasks that were performed on this checkpoint host,
32:23
and those tasks can be automated through the
32:28
application programming interface. But it could be something that an administrator kicked off manually by, for instance, right clicking on the device
32:37
and going toe actions or scripts.
32:40
So, for instance, do a back up
32:45
than any errors that have been recorded on that device. And right now there's no data
32:50
back in the status tab. If you click on device and license information, get a pop up window with additional details.
32:59
So on this particular security gateway, there are several features used to be called security blades enabled.
33:07
The firewall is basic. That's packet filtering state for inspections gotta be there. But we've also
33:13
enabled URL filtering, application control, intrusion prevention and and I bought
33:19
and
33:20
all but the firewall feature are going to require occasional updates. You are all filtering. For instance, as new websites are deployed on the Internet,
33:30
we need to know what the category of that website is.
33:35
And I bought as new command and control hosts are discovered. We didn't know their I p address
33:44
or new botnet
33:45
malware may have ah different
33:49
protocol used for command and control. We need to update our signatures to be aware that this is well botnet command and control traffic
33:58
and I ps intrusion prevention protections are updated. New ones are added as new threats are identified,
34:07
so we're gonna need those updates
34:09
now. The green check mark here means that
34:14
none of these blades are complaining. None of these features have had an issue, for instance, with fetching and update.
34:21
If
34:22
the last update did not succeed, then there may be a yellow warning. If it's been a long time since we had a successful update or we have a license issue or something like that, there may be a red critical marker.
34:37
Then we also have license status, and this is a virtual lab environment. It's using a evaluation licence, which automatically enables pretty much everything but has a time limit
34:52
and system counters and traffic really only useful on ah security gateway. This allows you to see, for instance,
35:00
system counters, CPU utilization, memory utilization, hard drive utilization
35:08
traffic allows you to see
35:10
really real time information on what kind of traffic is moving through the security gateway,
35:16
and you have other options. For instance, how large of packets are we seen
35:24
Then, moving away from monitoring to more logging and status, under Logs and Monitor, this new tab, which, if it's not displayed, you can click the plus sign here to get the new tab, offers you different views: what view do you want displayed in this new tab? And I've already selected the Logs view in a tab.
35:52
This is the log data that is being contributed, usually by a security gateway, and this Origin column here will tell you which Check Point host contributed the log entry. So most of these log entries are coming from my security gateway, A-GW, but there have been a couple from other Check Point hosts.
36:15
Typically, log data is generated when a rule matches in your security policy and that rule has a tracking action. There could be other reasons why your security gateway or some other type of Check Point device generated a log entry, including the device restarted, or we have a cluster and a cluster member has fallen out of the cluster or it's come back into the cluster; perhaps it restarted or something else happened.
36:49
But by default, the logs shown here are not updated without user interaction. I can click this refresh icon, and it will go out and fetch new log data. And I currently have the view limited to just log entries in the last hour. You could make it last Wednesday through last Thursday if you needed to.
37:15
I also have a query. I'm only interested in log data that came from a gateway. So not my event server, not my management server, only the specific host, A-GW, and where the service is HTTPS. Only show me log entries that match that in the last half hour. Or last hour, I mean.
37:44
And most of the log entries here are the result of HTTPS connections happening in the background from my Windows host going out to some website on the Internet, and I have HTTPS Inspection enabled on A-GW. So when an HTTPS connection is received on A-GW, it runs its HTTPS Inspection policy. It decides, should I decrypt this HTTPS connection or not? Most of the time, yes, decrypt. That shows up as an Inspect log entry.
38:22
So if you double-click on a log entry, it brings up a details window with additional information. For instance, this log entry was a connection out to, apparently, Google's gstatic.com, which is categorized by my URL Filtering feature as Computers/Internet. And again, this connection was decrypted. The HTTPS Inspection policy matched a rule whose action was Inspect, so we decrypted the connection.
39:04
Some of these other views, such as the General Overview view, which again you can get by creating a new tab and selecting General Overview: this is not so much log entry focused as issue focused, or event focused. So, for instance, over in kind of the right-hand top, we have a count of infected hosts, which would be contributed mostly by the Anti-Bot feature. The Anti-Bot feature detects this internal host is attempting to connect out to a known command and control server, or I see traffic that matches known botnet command and control signatures. Then that's a host you need to go look at. Or IPS or Anti-Virus might be populating the critical attack types. But again, this is a fairly quiescent lab environment. There's not a lot of data available showing attacks or even just regular traffic.
40:12
The Audit Logs view is for administrators. So, for instance, it shows changes to your security policy: a rule was created, a rule was moved to a different position, a rule was updated with this source object, and so on. And this is useful for figuring out who changed this rule. Now, there are other ways to do that in SmartConsole; this is one way to go back and review, well, how did this change that broke the Internet happen? Who did it? What did they change? But also you can see administrator logins, logouts and other actions.
41:00
And there are plenty of other views available, such as the Compliance view, if you have the Compliance feature enabled. You configure that Compliance feature with a list of frameworks or standards that you need to be compliant with. It could be, for instance, the Payment Card Industry Data Security Standard, or something specific to your country, or something international such as ISO 27002. And then the Compliance feature will give you a report here in this Compliance view of how compliant you are.
41:39
Down at the bottom left, under External Apps, we have a link to open a legacy SmartEvent application that allows you to configure event policy: what constitutes an event, what doesn't. Then Tunnels and User Monitoring; that opens another legacy application related to monitoring that allows you to see, for instance, with a site-to-site VPN between your headquarters and some branch office, which VPN tunnels are currently active. And you can designate VPN tunnels to be permanent, have them active even if they haven't had any traffic moving through them, so you can see which tunnels are marked as permanent, and are there any permanent tunnels that aren't currently established? If so, do we know why?
42:35
The user monitoring part of that is mostly for remote access VPNs, where I have an individual device that initiates an IPsec VPN connection to my security gateway, usually to get access to some internal Exchange server or something like that. You can see who authenticated over that VPN connection, where they're coming from, what VPN client they're using and more.
43:06
This SmartView is new.
43:08
It's nice, it's a
43:12
Web-based interface into your logs. So
43:17
the URL for this is https://, then the IP address or host
43:22
of your log server (in this case, it's the management server), then /smartview,
43:29
and I'm already logged in. Typically you would have to log in as a Check Point administrator, just like you do with SmartConsole.
43:37
And this is where the administrator permission profiles come in handy
43:43
because
43:44
in SmartConsole,
43:45
you can configure a Check Point administrator permission profile
43:52
that
43:53
has limited access, limited privileges, no write access to anything,
44:00
and instead we have
44:04
read-only access
44:06
to the SmartView Web-based
44:09
interface
44:10
for these types of logs, and that's it.
44:15
So
44:15
you can create
44:19
a permission profile. You could clone the existing read-only permission profile and start from there.
44:24
And once you have that permission profile locked down, only permitting what
44:30
a specific role, a specific employee, should be allowed to do and nothing else, you can create
44:36
a
44:37
Check Point administrator user,
44:42
assign it that restricted permission profile, and then give the administrator credentials to whoever.
44:49
And
44:50
when they attempt to authenticate as that Check Point administrator, they're only allowed to access the functionality that is permitted by the permission profile, which, for instance, may be only the SmartView Web
45:04
interface.
45:05
Nothing else, read-only access. That SmartView Web interface doesn't really have a lot of opportunity for writing,
45:13
and only these types of logs.
45:17
Now, one other thing I wanted to talk about, to show you, was
45:22
in the tracking column of your security policy.
45:27
So here, this security policy is very simple. It has two rules. Rule number one,
45:32
if it's matched, its action is not
45:36
Accept or Drop; it's to run
45:38
another policy layer inline. And so the name of that policy layer is Cont Aware,
45:45
content awareness.
45:49
So if we match rule number one, we start evaluating the content awareness policy layer, and that policy layer shows up as sub rules rule 1.1, rule 1.2
46:01
and
46:02
rule 1.1 has a tracking action
46:07
that
46:08
the default for a new rule would be
46:12
None, no tracking. Best practice says every rule should have at least a Log tracking action, unless there is a really good reason why you don't want this rule to generate log entries.
46:23
But if you select Log, then under More, you have the option to
46:30
get
46:30
Detailed and Extended log data, and this is
46:34
pretty much layer 7 data. So if a log entry is being generated by the firewall itself, that doesn't really do layer 7.
46:42
Now,
46:44
if you have that
46:45
Accept action in a rule with an Extended Log tracking action, you're not really going to get any layer 7 data.
46:52
On the other hand,
46:52
if the log entry includes contributions from, say, Content Awareness, Application Control, URL Filtering, Threat Prevention, those are layer 7 aware,
47:05
and so if you have a Detailed or Extended Log tracking action, you're going to get some layer 7 information.
47:16
I also wanted to talk a little bit about alerts,
47:22
which is another type of tracking action that's available,
47:25
and there are several different types of alerts. The default is Don't Alert,
47:30
but you can have an Alert, which creates a log entry as normal, but also causes
47:37
an alert
47:39
to appear in monitoring.
47:42
What's usually chosen here is SNMP, Simple Network Management Protocol.
47:49
With that as your alert, you can set up an SNMP trap to be sent asynchronously
47:57
from the security gateway that
48:00
processed the connection that matched the rule that had the SNMP alert action,
48:06
and that is sent to whatever SNMP manager you designate,
48:10
and the SNMP manager can then do whatever it does, for instance, use its own alerting functionality to tell administrators,
48:20
or contribute the alert to some sort of log consolidation product,
48:25
whatever, whatever you need the SNMP manager to do.
48:29
Another alert action is Mail, which
48:32
sends an email message, and you can designate who the email message goes to.
48:37
The subject and body can be built with information from the connection.
48:44
Now,
48:45
understand that if you choose a Mail alert action,
48:50
every time that rule is matched, you're going to get an email. That could be a denial of service attack in and of itself.
48:57
Then we have User Alert 1, 2 and 3.
49:00
When you select one of those
49:01
a user alert script
49:05
on the security gateway that has this alert action
49:09
will be run.
49:12
The default scripts provided by Check Point don't really do a whole lot. You can edit those; those are simply Bash, Bourne-again shell, scripts,
49:20
and add whatever you need them to do. Something I've seen some customers do is,
49:24
when
49:25
this user alert script is run, I want it to take information passed to it about the connection and generate something called a Suspicious Activity Monitoring rule, which is a temporary block. It's not policy; it doesn't show up here under security policies. It's somewhere else in the firewall kernel.
49:45
But it dynamically allows you to block a connection, and so we can have that done
49:50
via the
49:52
user alert script.
49:53
Or you could have that, um, start the coffee maker, whatever, whatever you need done
49:59
that you can do using Bash
50:01
shell programming and Linux utilities.
50:07
In this module, we looked at how logging and monitoring of status
50:13
are done in a Check Point deployment.
50:15
So how do you get logging deployed? And what are your options for having logs processed
50:23
then in policy,
50:27
the track column
50:30
and the possible settings there.
50:32
The default, None, which is usually not what you want;
50:37
Log,
50:37
some of the options with Log, and then alerts;
50:42
using the Logs view in SmartConsole to display
50:47
the specific log data
50:50
that
50:51
you need to see using search queries.
50:55
We also looked at monitoring gateway status,
51:00
both
51:00
in the SmartConsole application as well as via an external application. And we demonstrated that.
51:08
So
51:09
Thank you for attending this Jump Start training.