4 hours 44 minutes
hello and welcome again to check point jump start training, and this module will be examining how Checkpoint logging works, how you configure it and how you can access the log data.
So we'll start by
discussing the point, setting up blogging,
using the track action
in your security policy to determine
which rules that have traffic matching them should generate log data and,
however, boast that log data should be
well. Then take a look at the smart log component of
Smart Consul, which
allows you to intuitively search for and display
the detailed long data that is being generated.
We'll also look at
the functionality in both smart consul and external applications that permit you
to get on
at a glance
of the status of your checkpoint deployment as well as getting
MAWR. Detailed information about your checkpoint deployment.
Also the Smart View Web application, which provides
a platform independent
way of accessing log data.
You don't have to have a Windows desktop machine
Checkpoint Smart Consul software installed.
You just need
a standards compliant Web browser.
It will also demonstrate this how to set up logging, configure log actions in policy and then
examine log data,
examined the status of your checkpoint deployment, and we'll take a look at this smart field Web application.
So kind of a central theme in Checkpoint is the three tier architecture where we have
security gateways that are
examining network traffic, applying your security policy to that network traffic
determining which connection should be permitted, which connections
should not be permitted, or perhaps which connections were going to allow.
But we're gonna watch with.
It's a layer seven awareness of
what is acceptable for this protocol in and what isn't
so security gateways are doing that, and as they do that they're generating long data.
The long data is sent securely using secure internal communication S I C. Sick
to a designated log server,
and by default, that's going to be your security management server.
But in a large deployment,
you may want to move that load that overhead off of your security management server and have it handled by another appliance.
And you can do that.
You can set up a dedicated long server.
Similarly, we'll take a look at the smart event component, which allows you to see event data
processed on your security management server.
That could be a lot of processing a lot of overhead so you can deploy another appliance and configure that appliance to be
where smart event processing is done.
And finally, there's the smart consul component, which again is a Windows application
connects to the management server or the log server or the Smart Event server
and displays the data that
is available with log files, for instance.
in orderto have logging worked. You need at least one log server
again by default. That's your management server in the screen. Shot
to the right shows a management server,
and you can tell that it's a management server because it has the network policy management blade enabled.
And in fact, it's
primary management server, so there's no option to turn that off. It has to be the management server
and also selected as a feature. A component of blade
is the logging and status,
if you deploy a dedicated log Server
one, you would configure it to be a dedicated log server using the Web user interface,
first time wizard configuration,
then you would create a checkpoint object to represent that dedicated log server,
in the checkpoint object that you created for that locks ever you would select logging and status and perhaps also you wanted to handle smart event processing. You can select
the smart event components
not going to get into details on that. But there are two. The smart event server, which is where the
event databases kept,
and a smart event. Correlation Unit,
which is pulling log data from various sources, primarily checkpoint log data. But we can also pull in from third parties
and analyzing to see, Do we have something here that looks like an event
can all be done on your management server? But that's a lot of overhead,
so you can offload it to a dedicated log server that also handles smart event. Or you can have a dedicated, just smart event.
Yeah, I think I want to go back. Okay, so cut this part out and we'll go back
and we'll start.
So, as I said, by default, your management server is the designated log server. If you change that, if you deploy a dedicated long server,
you have to make sure the dedicated long server has a checkpoint object to represent it.
Sick is established. That object has the logging and status feature enabled.
And you have to configure the security gateways
to override their default setting of sending log data
to the management server
and instead configure them to send log data
to the log server.
That's a setting in each security gateways
and I'll demonstrate that
longing is automatically set up for you.
You don't have to do any additional steps your management server will handle logs.
Larger deployment. You may want to change that default behavior.
Now we need long data to be generated,
and a primary source of log data is your security policy, where we have
access control policy
with firewall rules,
and each firewall rule has a track action,
a brand new rule.
The track action is set to none,
and traffic that matches that rule does not generate a log entry.
Generally, that's not what you want. That's not best practice.
what is best practice is to change the track action of every rule to be logged
There are always exceptions. For instance,
such as perhaps de HCP or various router discovery protocols,
that sort of thing.
It may not want a lot of log data generated for those protocols.
You may have a rule that either allows that or
and it's tracking. Action is none
because I'm not interested in log data
about this particular protocol,
and that's okay. But
most of your rules should have at least log as a tracking action.
And if you select log
under the MAWR menu option when you are editing the tracking action of a rule, you have the option of also selecting detailed log
and or extended lock. And
both of those
contribute log data just like a log setting does. But they have, well mawr information
information pulled from the layer seven Aware blades, such as application control. You are l filtering content awareness,
that could be displayed in the smart log view, which will demonstrate
there are some other options,
such as alerts.
If you select an alert option, the default is no alert.
when this rule with an alert action is matched
aside, in addition to
creating a log entry,
we can also
a synchronously alert somebody.
the basic alert option
well, simply give you a pop up message.
You have to be running the correct smart consul component to see that pop up message.
So what might be more useful is A S and MP Simple network management Protocol trap that is
configured to alert
whatever s and MP management solution. You have
that this asynchronous event has occurred.
We can also generate an email.
Now you want to be careful of that. I don't want to be inundated with tens of thousands of email messages, but
that might be appropriate in certain circumstances.
And finally, user defined alert, which
actually just runs a script
on the host that's generating the alert and that script conduce whatever you can
imagine and implement in ah, script,
Dia uses the limits operating system UNIX operating system provides, for instance, bash the morning and shell
and that could be used for scripting
and is extremely powerful. So weaken use a user to find alert to send for instance, both S and M P trap
and an email message and
something else like start the coffee maker
Now to view log data.
We start with Smart Consul and over on the left
that that vertical menu we select logs and monitor, and
that is a tabbed interface.
So if we don't already have a logs tab, then we will click on the new tab
and say, I would like to see logs in this tab.
this smart consul logs view is actually
smart Log, which
is also ah, separate smart Consul application. But it's also integrated here,
and it has a lot of different features that make it easy to tune what it's showing you
precisely what it is you want to see.
So, for instance, at at one you can have
already defined queries saved
those searches for log data that you routinely do. For instance, I want to see log data
about I PS protections that have a severity of high
that were detected but not enforced.
Or I want to see
log data for
anti bought blade log entries
display information about here is an internal host, which is
sending suspicious baht net related traffic.
You can also quickly
restrict the amount of logs
by a time period. So in two, you say I only want to see log data for the last hour or the last 24 hours or since midnight
and you could be very granular. I want to see log data starting Tuesday at 2 a.m.
Through Wednesday at 1 p.m.
it will display
Onley, the log entries that are within that time period
at three. The Query search bar allows you to further restrict the logs that are shown,
You can, for instance, say I want to see him say, I want to see
all TCP logs
from this source i p address
to this destination that are, http,
that will happen.
And once you have a query that's displaying the data that
you need to see if that's something you're going to be doing on a frequent basis, you can save that as a favorite query
over on the right. At four, you can see high level event statistics such as
What's the top sources of traffic of of connections? What are the most
connected to destinations? What services are we seeing the most in and so on and so forth,
and then in five? Well, that's the major part of this view. You can see the results
if you double click
or right click and select
a long entry.
It will bring up a log details window
that is packed with information. Now, what information is displayed in this log? Details window depends on
the policy that
created or the component that created this log entry.
Ah, tracking level that was designated in that rule.
also what happened to the traffic
traffic that has dropped? We do that with the initial connection, so we never see layer seven data for dropped connections.
Traffic that was accepted. We progressed to the Layer seven application exchange and so there may be more log data.
So in this particular screenshot note, the at the top left origin. That's the security gateway that generated contributed this log entry
and then the time of day relative to that security gateway,
the blades, the components that features that contributed to this log entry. And so, in this example, both the firewall blade, which is basic packet filtering state full inspection,
and the application control blade,
which allows you to categorise typically http and https connections
based on what sort of website is that
Whose website is that?
And product families. So is just
It was at access control policy Or was it threat prevention policy that contributed this log entry
Over on the right, you can see the source
host name if known I p address
source port, which is typically not important. That's generally randomly selected.
The security zone of the source
host name If known,
I p address
the destination security zone and then the service Destination port and protocol TCP 443 is https Also the interface
in which the traffic waas
accepted The traffic was received on
if we have layer seven awareness that that has contributed to the log data
in this example the application control feature
and we can see additional information such as
which has thean screw sociable host name LG a 15 s, 47 etcetera etcetera
is actually part of Google services. That's the application. And so if you have application control policy, you can
make access control decisions are are you allowed to go to Google services or not?
And that's independent of the domain name.
And that frees you the security administrator up from having to research and find out currently what every Google service domain name is
and then create
policy to block or allow just those domains.
Application control knows that information.
Also, I'd like to note ah,
the matched category. This is U R L filtering.
destination was categorized by U R L filtering as computer slash Internet
and an application risk level was determined to be low
back to the right. You can see the policy information. The action for this connection was except
policy package that processed this connection is the Alfa Standard.
That policy was last updated today,
and we matched Rule number six, the outgoing rule. That's from the name calm of the rule.
One final thing. You can't see much of it, but the bottom left.
This traffic was
rewritten by the network Translation network address translation
And so while the source address of the original traffic was 10.1 dot one dot to a one that
translated that source address
the external I p address of in this example
Ah, plus, ter could also be just a single security gateway.
So what the Google Services
Destination received was a packet from 203.0 dot 113.1.
It's So return traffic from the Google Services host
will be addressed a 203.0 dot 113.1 and that will translate it back to the original I P.
So I mentioned that it's Ah fairly flexible natural language search,
So, for instance, you can query log entries that
our drop or accept or something else based on the action column of the rule that matched
you can restrict your searches to
log entries that were contributed by a specific blade. Again, I want to only see anti bought related logs. You can say Blade colon, antibody
source, destination port and if you, for instance, have
identity based policy where you are determining who's the user that is originating this traffic, you can search
based on the identity.
So show me traffic from user Tom.
That is the https protocol that was accepted.
So some more examples
searching by a particular user Richard searching for an I P address or a range of I P addresses in this case, a sub net.
Show me anything in the 10.0 dot zero sub knit. You can also say, Show me anything from 10.0 dot 0.1
through 10.0 dot zero dot
Search for I P V six addresses
post names over on the right, searching for a range of ports.
note that we overflow here, so that's sort of a bug in the slide. Ah,
it was just to see if you would notice
because the maximum port number 65535
destination or source would you would profess prefects with
SRC kolinahr, DST colon to say I only want to see traffic from this source
for this destination.
You can also say I only want to see log entries where this specific fields, such as
network address, translation or
destination host name
is blank. So
Colon quote, quote
the two quotes or the empty square brackets. Designate no, no data in that field.
Another nice feature that Smart Consul provides is, ah, high level overview of the health of your checkpoint deployment.
this will display the health of all checkpoint devices
that have sick established to your management server as well as the management server itself.
And here we can see that there are three devices that we have sick established what two devices that we have six established two plus the management server. But
those two devices are part of a cluster,
and we're not going to get into clustering in this training. But
just briefly, When you have a cluster, the individual components of the cluster are generally not
access, not configured individually. Instead, you
configure the cluster object that contains those individual security gateways.
in this context, it is important to know not only the overall cluster status but the status of the components of the cluster. So
not only is the cluster object displayed here, but the individual gateway objects that
are members of that cluster are also displayed.
the status column on the left
green circle with a check mark. Inside of it means everything is good.
at least one component 11 portion of this checkpoint host has a warning for you.
If that status symbol is not yellow, it's red. Instead,
that means that
at least one component of that checkpoint host has a critical issue that you need to address critical issues. Could be, I can't talk to it right now
because the network is down or that device is down.
It could mean that a license has expired
would mean that it is critically overloaded.
I also want to note under recommended updates.
There are no
currently recommended updates that have not been applied to the three checkpoint hosts, the management server and the two security gateways
up to date. And that's that
CP use component,
which is a guy a level component that on that guy a host will automatically reach out to checkpoint and determine. Are there any updates that are applicability to this version of Gaia
in this role security Gateway Management Server? What have you
and so right now? No,
you can also see
CPU usage. There's other things I'd like to know about network throughput on a security gateway Memory utilization.
Ah, and you can get that information by selecting one of the
your ah, a W cluster or a SMS, or an individual security gateway. And then at the bottom
mawr, information is displayed more verbose information. So we've selected a gateway cluster, and at the bottom you get details of a gateway cluster, and you can further drill into the details by clicking on either the license status OK, which is a hyperlink, or
device and license information,
and that will bring up
even mawr information about licensing or the components of the device. For instance, on the security gateway if you have
i PS intrusion prevention blade enable,
uh, what's the
status of the I PS played? When was that last updated with signatures and protections?
Now the smart few Web application is new in our 80
Teoh access it
by default. You goto https colon slash slash Whatever your management server is, that could be a host name. Could be an I. P. Address. Could be a fully qualified domain name
you would not literally type
in all caps. Mgmt
H o S t
replace with the I P address or host name of your management server slash smart few
perhaps click through TLS warning about the certificate of this management host. Once you've clicked through, you'll be asked to authenticate
as a checkpoint administrator
once successfully authenticated, you will see,
uh, something sort of like the logs view of Smart Consul,
only a browser based,
and this is really handy for friends, stints, auditors or, ah, help desk
or security analysts who need to be able to see,
uh, what the current security posture of your check the checkpoint deployment is or look at long data.
So I'm gonna demonstrate
various logs and status views in Smart Consul.
We'll do. Some queries will also take a look at smart event.
look at the various log options as well as alert options and the smart View Web application.
I want to show you how to see status and logs in Smart Consul and first status. If you
go to the gateway and servers view and left hand side menu,
you get a quick,
overview of the status of your checkpoint deployment. So all checkpoint devices,
starting with the management server and then including
every checkpoint device that you have sick established with
will be displayed here and the first call in the status column. You get
a green circle with a check mark. If that device
currently has no critical issues and no warnings
if it has
at least one warning no critical issues, there'll be a yellow indicator.
If it has at least one critical issue there'll be a red indicator
and selecting one of the checkpoint devices displayed.
We'll bring up more information down at the bottom in the summary tab.
So, for instance, we can see CPU and memory utilization, whereas the top half we only see CPU.
It'll tell us if it's a security gateway or management server or something else. In this example, it's a security gateway,
it has the example co policy installed
that was done at this date. In time,
you can also see tasks that were performed on this checkpoint host,
and those tasks can be automated through the
application programming interface. But it could be something that an administrator kicked off manually by, for instance, right clicking on the device
and going toe actions or scripts.
So, for instance, do a back up
than any errors that have been recorded on that device. And right now there's no data
back in the status tab. If you click on device and license information, get a pop up window with additional details.
So on this particular security gateway, there are several features used to be called security blades enabled.
The firewall is basic. That's packet filtering state for inspections gotta be there. But we've also
enabled URL filtering, application control, intrusion prevention and and I bought
all but the firewall feature are going to require occasional updates. You are all filtering. For instance, as new websites are deployed on the Internet,
we need to know what the category of that website is.
And I bought as new command and control hosts are discovered. We didn't know their I p address
or new botnet
malware may have ah different
protocol used for command and control. We need to update our signatures to be aware that this is well botnet command and control traffic
and I ps intrusion prevention protections are updated. New ones are added as new threats are identified,
so we're gonna need those updates
now. The green check mark here means that
none of these blades are complaining. None of these features have had an issue, for instance, with fetching and update.
the last update did not succeed, then there may be a yellow warning. If it's been a long time since we had a successful update or we have a license issue or something like that, there may be a red critical marker.
Then we also have license status, and this is a virtual lab environment. It's using a evaluation licence, which automatically enables pretty much everything but has a time limit
and system counters and traffic really only useful on ah security gateway. This allows you to see, for instance,
system counters, CPU utilization, memory utilization, hard drive utilization
traffic allows you to see
really real time information on what kind of traffic is moving through the security gateway,
and you have other options. For instance, how large of packets are we seen
moving away from monitoring to more logging and status
under logs and monitor
this new tab, which, if it's not displayed, you can click the plus sign here to get the new tab offers you different views. What've you do you want displayed in this new tab?
And I've already selected the logs view in a tab.
This is the log data that is being contributed, usually by a security gateway. And this origin column here will tell you
which Checkpoint host
contributed the log entry.
So most of these log entries air coming from my security gateway, a gateway. But there have been a couple from other checkpoint hosts
typically, long data is generated. When a rule matches in your security policy, that rule has a tracking action.
There could be other reasons why you're
security Gateway or some other type of checkpoint device generated. A long entry,
including the device restarted or we have Ah, cluster and cluster member has fallen out of the cluster
or it's come back into the cluster. Perhaps it restarted or something else happened.
But by default,
the logs shown here are not updated without user interaction. I can click this
and it will go out and fetch
new log data. And I currently have the view
limited to just long entries in the last hour.
You could make it last Wednesday through last Thursday if you needed to.
I also have
I'm only interested in log data
came from a gateway. So not
my event server, not my management server on Lee, the specific host, a gateway
and where the services https
only show me log entries that match that in the last half hour.
Our last hour, I mean,
and most of the long entries here are the result of https connections
happening in the background from from my Windows host going out to some
website on the Internet,
and I have https inspection enabled on a gateway. So
when an https connection is received on a gateway, it runs its https inspection policy.
It decides, Should I decrypt this https connection or not?
Most of the time, Yes, decrypt that shows up as an inspect log entry.
So if you double click on a long entry brings up a details window
with additional information. For instance,
this long entry was a connection out to
apparently Google g static dot com,
which is categorised by my girl
feature. You are all filtering feature as computer slash Internet.
this connection was decrypted. The https inspection policy matched a rule whose action was inspect, so we decrypted the connection.
Some of these other views,
such as theme general, overview
you, which again you can get by
great in a new tab and selecting the general overview.
This is not
so much long entry focused as issue focused. Our event focused
so, for instance, over and kind of the right hand top. We have account of infected host, which would be contributed
mostly by the anti baht feature
the anti bought feature detects this internal host is attempting to connect out to a known command and control server, or I see traffic that matches known .net command and control
Then that's a host you need to go look at
I PS or anti virus might be populating the critical attack
But again, this is a fairly quiet sent lab environments. There's not a lot of data available
showing attacks or even just regular traffic.
The audit logs view
is for administrators.
So, for instance, it shows changes to your security policy
rule was created. A rule was moved to a different position. A rule was updated with this source object
and so one,
and this is useful for figuring out who changed this rule. Now there are other ways to do that. In Smart Consul, this is
to go back and review. Well, how did this change that broke the Internet happened? Who did it?
What did they change?
But also you can see administrator
Loggins, log outs and other actions,
there are plenty of other views available, such as the compliance view. If you have the compliance feature enabled
you configure that compliance feature with list of frameworks or standards that you need toe be compliant with.
I could be, for instance, the payment card industry data security standard or
something specific to your country or something international such as I s 0 27 002
And then the compliance
feature will give you a report here
in this compliance view of
compliant you are
down at the bottom left under external APS,
we have a link to open a legacy smart event application that allows you to configure event policy what constitutes an event,
then tunnels and monitoring user monitoring That opens another legacy application
related to the monitoring
that allows you to see, for instance, with a site to site VPN between your headquarters and some branch office,
which VPN tunnels air currently active. And you can designate VPN tunnels to be permanent, have them active, even if they haven't had any traffic moving through them,
so you can see which tunnels remarked is permanent. And are there any permanent tunnels that aren't currently established?
If so, do we know why
the user monitoring part of that is mostly for remote access? VP ends where I have an individual device that initiates
an I P. Sec VPN connection
to my security gateway.
Usually to get access A to some internal
exchange server or something like that,
you can see
who authenticated over that VPN connection,
where they're coming from, what VPN client they're using and more.
This smart view is new.
It's nice, it's ah
and Web based interface into your logs. So
the URL for this is https colon slash slash i P. Address or host
of your log server. In this case, it's the management server slash Smart view,
and I'm already logged in typically would have to log in as a checkpoint administrator, just like you do with Smart Consul.
And this is where the administrator permission profiles come in handy
in smart console,
you can configure a checkpoint administrator permission profile
has limited access, limited privileges, no right access to anything,
and instead we have
read only access
to the smart view Web based
in her face
for these types of logs, and that's it.
you can create
a permission profiler. You could clone the existing read only permission profile and start from there.
And once you have that permission profile locked down on Lee permit what
a specific role a specific employees should be allowed to do and nothing else. And you can create
checkpoint administrator user
a sign it that restricted permission profile and then give the administrator credentials to whoever.
when they attempt to authenticate as that checkpoint administrator, they're only allowed to access the functionality that is permitted by the permission profile, which, for instance, may be on Lee the smart few Web
Nothing else read only access. Those smart few Web interface doesn't really have a lot of opportunity for writing
and only these types of logs.
No. One other thing I wanted to talk about to show you was
in a tracking column of your security policy.
So here this this security policy is very simple. It has two rules. Rule number one,
if it's matched, its action, is not
oh except or drop its run.
Another policy layer in line. And so the name of that policy layer is cont aware
So if we match rule number one, we start evaluating the content awareness policy layer, and that policy layer shows up as sub rules rule 1.1, rule 1.2
rule 1.1 has a tracking action
the default for a new rule would be
none. No tracking best practice says every rule should have at least a log tracking action. This is a really good reason why you don't want this rule to generate log entries.
But if you select log than under more, you have the option to
detailed and extended log data, and this is
pretty much layer seven data. So if a long entries being generated by the firewall itself, that doesn't really do layer seven.
If you have that
except action in a rule with an extended log tracking action, you're not really gonna get any layer seven data.
On the other hand,
if the log entry includes contributions from, say, content awareness application control, you are l filtering threat prevention, those air layer seven aware
and so if you have a detailed or extended log tracking action and you're going to get some layers. Seven. Information
also wanted to talk a little bit about alerts,
which is another type of tracking action that's available,
and there are several different types of alerts. The default is don't alert,
but you can have an alert which creates a log entry as normal, but also in cause
to appear in monitoring
What's usually chosen here is SNP Simple network management protocol.
With that, as you're alert, you can set up an S and M P trap to be sent a synchronously
from the security gateway. That
process the connection matched the rule that had the S and M P alert action
and that is sent to whatever s and MP manager. You designate
and the S and P manager can thin do whatever it does, for instance, use its own alerting functionality to tell administrators
or contribute the alert to some sort of log consolidation product,
whatever. Whatever you need the S and P Manager to do
Another alert action is male, which
sends an email message, and you can designate who the email message goes to
Subject and body can be built with information from the connection.
understand that if you choose a male alert action
every time that rule is matched, you're gonna get any mail that could be a denial of service attack in and of itself
then we have user alert 12 and three.
When you select one of those
a user alert script
on the security gateway that has this alert action
will be run.
The default scripts provided by Checkpoint don't really do a whole lot. You can edit those those air, simply bash born again shell script
and add whatever you needed to do. Something I've seen some customers do is
this user alert script is run. I want you to take information, passed to it about the connection and generate something called a suspicious activity monitoring rule, which is a temporary block. It's not. Policy doesn't show up here under security policies. It's somewhere else in the firewall, Colonel.
But it dynamically allows you to block a connection, and so we can have that done
user alert script.
Or you could have that, um, start the coffee maker, whatever. Whatever you need done
that you can do using Bash
Shell programming and Lennox utilities
in this module, we looked at how logging and monitoring of status
are done in a checkpoint deployment.
So how do you get logging deployed? And what are your options for having logs processed
then in policy,
the track column
and the possible settings there.
The default? None, which is usually not what you want.
some of the options with log and then alerts
using the log view and Smart Consul to display
the specific long data
you need to see using search queries.
We also looked at monitoring gateway status,
in the smart consul application as well as via an external application. And we demonstrated that.
thank you for attending this jump start training.