Friday, March 18, 2016

Check Point SmartView Tracker

SmartView Tracker is used for managing and tracking logs and alerts. It provides real-time, historical and visual tracking, monitoring and accounting information for all logged connections. Additionally, it logs administrator actions, such as changes to object definitions or rules, which can dramatically reduce the time needed to troubleshoot configuration errors. Security administrators can filter or search log records to quickly locate and track events of interest. In the case of an attack or otherwise suspicious network activity, security administrators can use SmartView Tracker to temporarily or permanently terminate connections from specific IP addresses.

1. Network and Endpoint tab - Network and Endpoint mode is the default view for SmartView Tracker. Network and Endpoint mode displays entries for security-related events for different Check Point products as well as Check Point's OPSEC partners.

2. Active tab - In the Active mode you can view connections that are currently open through the Security Gateways that are logging to the active log file.

3. Management tab - In the Management mode you can view audit entries (administrator actions) in SmartView Tracker. The Management All Records query is displayed.

There are two ways to launch SmartView Tracker:

From the Windows Start menu: Start > All Programs > under SmartConsole.

From SmartDashboard > SmartView Tracker.

To go to the latest log, click Go to Bottom (the down-arrow icon). In this case, log 14395 is the latest entry. To automatically retrieve or refresh logs, click Automatically refresh your view with new logs (the down arrow inside a square icon). I tried to ping Google DNS IP 8.8.8.8 from the SmartConsole PC 10.1.1.50.

To search for and display a certain type of Service, right-click on Service > Edit Filter > under Specific, type the service > click Add and click OK.

To get the actual number of HTTP logs, click Get Number of Filtered Records (the calculator icon). In this case 2519 HTTP logs were found out of the 14462 total logs.

You can perform basic troubleshooting on the selected log by right-clicking > Actions and choosing an action such as Ping, Whois or Nslookup (provided the firewall rule allows that traffic).

To view the rule for the selected log, highlight the log entry, right-click and select View rule in SmartDashboard. In this case policy rule #5 is allowing the said traffic.

To follow logs for a certain source or destination IP or network object, right-click the log entry > Follow and choose Follow Source, Destination, Rule or Policy Package. In this case I chose Follow Source: Windows7-PC.

To save this query for future use, click the Save Query As icon (beside the Help icon) and give it a name; it will be saved under the Custom tree (at the bottom).

To view the rule that's dropping the packet, highlight the drop log, right-click and choose View rule in SmartDashboard. In this case log #14462, Telnet (TCP port 23), is dropped by policy rule #2, which is the Stealth Rule. Only SSH and HTTPS are allowed to the Security Gateway from the specified source by policy rule #1.

To start a brand new fw.log file, go to Launch Menu > Switch Active File and optionally name the new log file by unchecking Default.

I generated some HTTP and ICMP traffic from 10.1.1.50 to bring up new logs.
To open the original log file, go to Launch Menu > File > Open and choose the fw.log file.

Under the Active tab you'll see all the current active connections in real time. When opened, it will prompt that this can have a performance impact (if there are quite a number of Security Gateways) and should be used with caution on a production network.

You can also perform blocking from the Active tab by highlighting the log number > Launch Menu > Tools > Block Intruder. This is a very useful tool for blocking an attacker in real time without creating a policy rule, which could take some time. Best practice is to use Suspicious Activity Rules in SmartView Monitor.

For this case we block Facebook access from 10.1.1.50 for 5 minutes.

To release the block without waiting for the 5 minutes to expire, go to Launch Menu > Tools > Clear Blocking.

The last tab on SmartView Tracker is Management.
You can filter the log search by right-clicking on the Operation column (or any column of interest) > Edit Filter > select the field (or multiple fields by holding Ctrl) > click Add and click OK.

In this case, I want to see the Log In, Log Out and Install Policy logs.
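
The filters used throughout this post (the Service filter and the Get Number of Filtered Records count, Follow Source, finding which rule is dropping a packet, and the Operation filter on audit records just above) can also be reproduced offline over an exported log file, which is handy when you want to script a recurring check rather than click through the GUI. The following is an added example written for this post; it is not part of the original post and not a Check Point tool. It assumes a semicolon-delimited export with a header row, in the style `fwm logexport` produces; the two sample exports embedded below are constructed, shortened to only the columns the example uses, and their column order is an assumption.

```python
"""Offline equivalents of SmartView Tracker filters over an exported log.

Added example, not from the original post. Assumes a semicolon-delimited
export with a header line (fwm logexport style); the sample records below
are constructed and limited to the columns this example needs.
"""
from collections import Counter

# Constructed sample of a traffic log export (not real data); the column
# order is an assumption, not the exact fwm logexport header.
TRAFFIC_EXPORT = """\
num;date;time;orig;type;action;src;dst;service;proto;rule
14390;17Mar2016;10:01:02;10.1.1.1;log;accept;10.1.1.50;8.8.8.8;echo-request;icmp;5
14391;17Mar2016;10:01:05;10.1.1.1;log;accept;10.1.1.50;93.184.216.34;http;tcp;5
14392;17Mar2016;10:01:06;10.1.1.1;log;accept;10.1.1.50;93.184.216.34;http;tcp;5
14393;17Mar2016;10:01:09;10.1.1.1;log;accept;10.1.1.60;93.184.216.34;http;tcp;5
14394;17Mar2016;10:01:12;10.1.1.1;log;accept;10.1.1.50;10.1.1.1;ssh;tcp;1
14395;17Mar2016;10:01:15;10.1.1.1;log;drop;10.1.1.50;10.1.1.1;telnet;tcp;2
"""

# Constructed sample of a Management (audit) log export, same assumptions.
AUDIT_EXPORT = """\
num;date;time;administrator;operation;object
1;17Mar2016;09:55:00;admin;Log In;
2;17Mar2016;09:58:30;admin;Modify Object;Windows7-PC
3;17Mar2016;09:59:10;admin;Install Policy;Standard
4;17Mar2016;10:05:00;admin;Log Out;
"""


def parse_export(text):
    """Turn a delimited export into a list of dict records keyed by header name."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    header = lines[0].split(";")
    records = []
    for ln in lines[1:]:
        fields = ln.split(";")
        if len(fields) != len(header):
            # A row whose field count does not match the header would
            # misalign every column after it; skip it instead of guessing.
            continue
        records.append(dict(zip(header, fields)))
    return records


def filter_records(records, **criteria):
    """Edit Filter equivalent: keep records whose fields match every criterion.

    A criterion value is either one string or a collection of accepted
    strings (the GUI's multi-select with Ctrl).
    """
    def match(rec):
        for field, wanted in criteria.items():
            accepted = wanted if isinstance(wanted, (set, frozenset, list, tuple)) else {wanted}
            if rec.get(field) not in accepted:
                return False
        return True
    return [r for r in records if match(r)]


def count_filtered(records, **criteria):
    """'Get Number of Filtered Records' (the calculator icon), as a number."""
    return len(filter_records(records, **criteria))


def follow(records, field, value):
    """'Follow Source/Destination/Rule': records sharing one field value, in log order."""
    return sorted(filter_records(records, **{field: value}), key=lambda r: int(r["num"]))


def drops_by_rule(records):
    """Which rules are dropping traffic and how often (Counter of rule -> drop count)."""
    return Counter(r["rule"] for r in records if r["action"] == "drop")


if __name__ == "__main__":
    traffic = parse_export(TRAFFIC_EXPORT)
    print("HTTP records:", count_filtered(traffic, service="http"), "of", len(traffic))
    for rec in follow(traffic, "src", "10.1.1.50"):
        print(rec["num"], rec["action"], rec["service"], "rule", rec["rule"])
    print("drops by rule:", dict(drops_by_rule(traffic)))
    audit = parse_export(AUDIT_EXPORT)
    for rec in filter_records(audit, operation={"Log In", "Log Out", "Install Policy"}):
        print(rec["num"], rec["administrator"], rec["operation"])
```

On the constructed data this reports 3 HTTP records out of 6, lists the five records from source 10.1.1.50 (including the Telnet drop on rule 2, the Stealth Rule case from earlier), and lists audit records 1, 3 and 4 for the Log In, Install Policy and Log Out operations. Ragged rows are skipped rather than misaligned, which is the edge case to watch when a field (such as an object name) contains the delimiter.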
You can also save the customized query and return to it later by clicking the Save Query As icon; it will show under the Custom folder. To go back, click All Records under Predefined or click the funnel with a cross mark icon.

You could also view the Rule Logs from SmartDashboard under Policy > right-click on the rule > View Rule Logs.
It opens SmartView Tracker with a customized rule log window: Follow Rule 3.

To customize Log and Alert settings, click the Edit Global Properties icon.

You can further customize logging under Network Objects > double-click the Security Management Server (SMS). You can specify the size in bytes of fw.log and specify an external syslog server IP address.

By default the Security Gateway is sending logs to the Security Management Server.
You can also simulate and practice using SmartDashboard in Demo mode.
