SMART View Tracker (SVT) :
In our next section, we are going to discuss SMART view tracker, a tool in Checkpoint used not only for logging (Traffic logs) but actually much more. We have already used this tool a couple of times in our previous series. But here we are going to look much deeper into this.
To find out what actually happened at particular time and for a particular traffic type with Source and Destination IP addresses, SMART View Tracker is a great tool.
SVT actually has three major categories : Log, Active and Audit(Management)
Logs : Actually traffic logs happened on the gateway.
Active : Currently active connections to traffic close to real time
Audit : Tells us who did what like who made the changes and at what time
To search anything we can have some predefined queries which can show us direct results or we can create some custom filters/queries as per our need.
As we know there are log entries in this tool then we have to make sure how big should be a log file before we switch to another log file.
Another thing to keep in mind : if a user is pinging a particular destination like 1000 times then how many entries you want in the system because we want the information also and don’t want to burden our system. So this also we can customize like after how much time we need another log entry so that we can have the info and we are not over burdening the system.
Log files are stored at this location : $FWDIR/log/ (On management server these log files are stored at this location : var/log/opt/CPsuite-R76/fw1) R76 because i am running my lab on Gaia version R76.
By default gateway doesn’t store logs , it send the logs to MGMT server and in above directory these files are stored. Also if we want then we can send these log files to external syslog server as well which we’ll discuss later.
Manual Block : Also we can put manual block means if a intruder is making some attack on any of the applications then from active connections we can apply a manual block and that also for a particular time if we want.
Here i have point out the Active, Management(Audit), Network and Endpoint tabs to see logs along with predefined queries and file destination is fw.log
These are the help buttons which we can use to see logs and filters
Just go over the icons and they’ll show what these can do. Eg : To automatically refresh the log file, to go up, go down, to search anything and etc.
Apply filters :
Here you can see the long red selected portions in above image. so on all these parameters we can apply the filter.
To apply a filter : Here for an example I am applying a filter on source filter. Right click on source and click on edit filter and then select the source out of given objects or if you don’t know the object then simply type IP or any other related parameter in search box and after finding it click on Add, once we’ll click on Add object will go on right side as per below snapshots and search will now show as per our applied filter.
Now here I have applied filter on service (SSH) and Source (Admin_PC).
Also don’t miss the green colour filter on the objected where we applied filter.
And on the main filter-set you can see the little red cross means at least 1 filter is applied.
Now, to remove all filters just click on little red cross sign filter given in above snapshot.
Also to check the connectivity from the MGMT server to any of the Source/destination , just right click on IP/object and click on action and ping/whois/nslookup.
Now, to check which rule is actually allowing a particular traffic :
Go to any log , right click and click on view rule in Smart dashboard (see the first snap where we click on action, this option is after that) and it will then open a new copy of the dashboard and show us the exact rule which is allowing/denying a particular traffic along with hit count on that rule.
Another way to filter anything and save the query. Again right click on any rule and follow based on particular source or destination. It will open a new window and that we can save.
Once the new window is opened , clicked on save icon and save this query, let’s say as Admin_PC and it will be shown under custom queries.
And in the left bottom, we can see the custom query. In future, if we want to see Admin_PC logs just double click on the custom query.
Similarly we can create other custom queries as per our need.
To save the current log file and create a new :
In SVT , click on Launch Menu–file–switch active file and click on Ok (Choose default log file name). A new log file will be initiated and the existing log file will be saved.
SVT can only search from a particular file we have opened (within single log file at a moment) but if we want to search from all database then Smart Log is the tool which can search all saved files.
fw.log is our current log file. Click on downside arrow to go to latest log details.
To see any detailed log entry , just double click on that and below screen will appear which will show us all details about any particular traffic.
Now. move to 2nd tab : Active means active connections :
if we have many firewalls in production then it is not a good practice to see all the active connections, SVT also shows a warning for this. But in test environment we can do this.
* Don’t miss the Active log file name: fw.vlog (given in below snapshot)
See the below snapshot and double click on any connection and it will show us all the details.
Now if we want to block any intruder, then we can do it from here (though it’s not a good practice to do it from here). We can do the same from SM(Smart monitor). We’ll see that later.
Anyway, to block from SVT : First click on any live connection which is going on (it will fetch the connection ID) then go to Launch menu–Tools–Block Intruder and as per below screen options you can block the intruder as per connection ID.
To Manually clear blocking — got to Tools and click on clear blocking.
Now, Our 3rd tab is management tab , as i already said it is used for editing and that’s why it’s log file name is fw.adtlog. See the below snap to see who did what and what time.
Also we can apply filters here like we did in Network and Endpoint tab.
Important point : If we switch the active log file then the hit count also starts from zero in Smart dashboard.
To export any log file : go to Launch Menu–File–export
To see any rule logs : Means you have defined something in dashboard policy and wants to see logs related to that rule then just right click on the rule and click on view rule logs , it will open a new window of SVT and will see the logs related to that particular rule.
Now what to log : we can defined in our rules to log the traffic or to generate alert , mail, snmptrap or not to do anything.
Now go to global setting–log and alert — and configure what you want to log as per below snap :
Go to time settings and configure below :
Excessive log grace period tells the time a second log entry will generate. eg : if user has initiated ping for 10000 packets then after 62 seconds another log entry will see. (We do this just to limit our resources). Yes we can change these values as well.
And to configure snmp server and email address, where to send the logs go to alerts under logs and alerts.
Now, see the actual manager object :
Go to logs and it will show what all gateways are configured for logs and we can enable Smart Logs here who can search across all files.
Now, we can configure when to switch the log file and generate alerts as per storage : See below snap :
To send log files to another destination : Choose below :
In Log server, choose the syslog server IP address.
and on gateway object below setting should be there : It should send it’s logs to MGMT server.
To add syslog server in GAIA 77.30 please use following link : Checkpoint has explained in a lucid manner to add a syslog server in GAIA 77.30.
As we are using GAIA R76 , so in R76 it is different than R77. So please use above link.
SMART View Monitor (SVM):
To enable SVM : enable the feature on security gateway :
What it is used for :
- How all components on the firewall are going like : Memory, CPU, Who is currently connected, What traffic is flowing through the firewall, What are my highest Source/Destination/Services are being used. And all of this information we can get through this tool : SVM
- We can set threshold and see alerts; like if my disk space is getting full on the MGMT server and we can move our log files to some other server and take other counter measures to avoid any catastrophic failure.
- We can create and View suspicious activity rules and we can impose block on any live malicious traffic.
- In SVM , we can apply suspicious activity rules on a single firewall or on a cluster and these rules are not part of the active policy rules defined in SMART Dashboard. Also we can apply these blocks on a time basis (Like allow the source IP/any service after certain time).
- Now Launch the SVM either from SMART Dashboard drop-down or press ctrl-shift-M
Now below screen will appear :
By default it shows all gateway, you can click on any of these and click on system information (Disk, Memory, CPU Utilization) and Network Activity (to see number of packets passed through firewall-Accepted/denied/rejected/logged per interface real time, Routing tables of a particular gateway) and the License info.
Also we can set up threshold here but we’ll see it later.
In lower section of the above snapshot it tells us the policy package (name and time) installed on the gateway.
Now, to see the traffic we have a long section of top services and their chart on any firewall interface and in either direction.
Just click on top services, choose the firewall name and interface and traffic direction :
and it will show the live traffic on the interface with all services which are being accessed at that time.
Also if we want to see top destinations, Top Qos rule and so on : we can go via either way :
And the output will show us : All the IP’s where the traffic is going on via any particular interface and in lower section, all traffic statistics.
In system counter, we can see all system (All given gateway’s) related info (CPU, memory or disk). Either go to system or firewall.
And if you want to see the historical values , just right click on any properties like CPU or memory and click on historic and give the time you want to see the stats.
Go to counters and select from below options :
To change the view type : select from given available options : eg : Line view
if we want to see all TABS horizontally/Vertically/cascading with different view type then do this :
We can close any chart we don’t want to see.
We can create our custom views as well by just clicking on “save view in tree” after making custom adjustments and of course we can freeze and export in any view our traffic stats.
In the left side, there is tunnel and user ID section which we’ll see later.
To Apply Threshold :
And we can customize our alerts as per given in below snapshot or we can even edit the global settings.
Make sure you have the alert daemon started in Launch Menu–Tools–Start system alert Daemon
–To see the alerts section and check all alerts and take action do this :
All alerts will be reflected here and we can take action accordingly.
To block any suspicious attacker IP or service :
To block any live traffic as I said we should not block it via SVT active connections. We can apply the blocking here :
Go to : Launch Meenu — Tools — Suspicious activy rules or click the icon on the main page given in the snapshot :
And it will show all the rules applied on any/all security gateways.
As we are pinging 184.108.40.206 from our Admin_pc and let’s say we want to block it.
go to top services/top destination and we have ICMP connection less traffic is going on :
Just right click and select Block service and below icon will be shown :
Now here based on source IP, destination IP, service type we can block any active connection.
once enforced, we saw the below result :
and to remove the rule applied : again go to suspicious activity rule and remove it.
and ping traffic will again pass through the gateway.
These rules are not related to dashboard policy rules and we apply on a temporary basis (we can define time).
To make permanent blockage , create a rule and apply policy in SMART Dashboard.
So, the right place to apply dynamic rules are through SMART Monitor and not SMART View Tracker.
And this blockage is short term remediation of any bad thing happening in the network (Probably resolving any incident 😀 )
- Checkpoint – Checkpoint Fundamentals and first time configuration Wizard – Part I
- Checkpoint – Pushing Policy, NAT , Policy Packages and database Versions – Part II
- Checkpoint – SMART View Tracker and SMART View monitor – Part III
- Checkpoint – LDAP, identity Awareness, HTTPS inspection, App control and URL Filtering – Part IV
- Checkpoint – Command line Interface and IPSEC VPN – Part V