Page 1

SmartView Reporter

NG with Application Intelligence (R55)

For additional technical information about Check Point products, consult Check Point’s SecureKnowledge at

http://support.checkpoint.com/kb/

See the latest version of this document in the User Center at:

http://www.checkpoint.com/support/technical/documents/docs_r55.html

Part No.: 700727, October 2003

Page 2

© 2002-2004 Check Point Software Technologies Ltd. All rights reserved. This product and related documentation are protected by copyright and distributed under licensing restricting their use, copying, distribution, and decompilation. No part of this product or related documentation may be reproduced in any form or by any means without prior written authorization of Check Point. While every precaution has been taken in the preparation of this book, Check Point assumes no responsibility for errors or omissions. This publication and features described herein are subject to change without notice.

RESTRICTED RIGHTS LEGEND: Use, duplication, or disclosure by the government is subject to restrictions as set forth in subparagraph (c)(1)(ii) of the Rights in Technical Data and Computer Software clause at DFARS 252.227-7013 and FAR 52.227-19.

TRADEMARKS: Check Point, the Check Point logo, ClusterXL, ConnectControl, FireWall-1, FireWall-1 GX, FireWall-1 SecureServer, FireWall-1 SmallOffice, FireWall-1 VSX, FireWall-1 XL, FloodGate-1, INSPECT, INSPECT XL, IQ Engine, MultiGate, Open Security Extension, OPSEC, Provider-1, SecureKnowledge, SecurePlatform, SecureXL, SiteManager-1, SmartCenter, SmartCenter Pro, SmartDashboard, SmartDefense, SmartLSM, SmartMap, SmartUpdate, SmartView, SmartView Monitor, SmartView Reporter, SmartView Status, SmartView Tracker, SmartConsole, TurboCard, Application Intelligence, SVN, UAM, User-to-Address Mapping, UserAuthority, VPN-1, VPN-1 Accelerator Card, VPN-1 Net, VPN-1 Pro, VPN-1 SecureClient, VPN-1 SecuRemote, VPN-1 SecureServer, VPN-1 SmallOffice and VPN-1 VSX are trademarks or registered trademarks of Check Point Software Technologies Ltd. or its affiliates. All other product names mentioned herein are trademarks or registered trademarks of their respective owners. The products described in this document are protected by U.S. Patent No. 6,496,935, 5,606,668, 5,699,431 and 5,835,726 and may be protected by other U.S. Patents, foreign patents, or pending applications.

THIRD PARTIES:Entrust is a registered trademark of Entrust Technologies, Inc. in the United States and other countries. Entrust’s logos and Entrust product and service names are also trademarks of Entrust Technologies, Inc. Entrust Technologies Limited is a wholly owned subsidiary of Entrust Technologies, Inc. FireWall-1 and SecuRemote incorporate certificate management technology from Entrust.

Verisign is a trademark of Verisign Inc.

The following statements refer to those portions of the software copyrighted by University of Michigan. Portions of the software copyright © 1992-1996 Regents of the University of Michigan. All rights reserved. Redistribution and use in source and binary forms are permitted provided that this notice is preserved and that due credit is given to the University of Michigan at Ann Arbor. The name of the University may not be used to endorse or promote products derived from this software without specific prior written permission. This software is provided “as is” without express or implied warranty. Copyright © Sax Software (terminal emulation only).

The following statements refer to those portions of the software copyrighted by Carnegie Mellon University. Copyright 1997 by Carnegie Mellon University. All Rights Reserved. Permission to use, copy, modify, and distribute this software and its documentation for any purpose and without fee is hereby granted, provided that the above copyright notice appear in all copies and that both that copyright notice and this permission notice appear in supporting documentation, and that the name of CMU not be used in advertising or publicity pertaining to distribution of the software without specific, written prior permission. CMU DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE, INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS, IN NO EVENT SHALL CMU BE LIABLE FOR ANY SPECIAL, INDIRECT OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.

The following statements refer to those portions of the software copyrighted by The Open Group. Copyright © 1998 The Open Group. THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE OPEN GROUP BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

The following statements refer to those portions of the software copyrighted by The OpenSSL Project. This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.openssl.org/). THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

The following statements refer to those portions of the software copyrighted by Eric Young. THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

The following statements refer to those portions of the software copyrighted by Jean-loup Gailly and Mark Adler. Copyright (C) 1995-2002 Jean-loup Gailly and Mark Adler. This software is provided 'as-is', without any express or implied warranty. In no event will the authors be held liable for any damages arising from the use of this software. Permission is granted to anyone to use this software for any purpose, including commercial applications, and to alter it and redistribute it freely, subject to the following restrictions:

1. The origin of this software must not be misrepresented; you must not claim that you wrote the original software. If you use this software in a product, an acknowledgment in the product documentation would be appreciated but is not required.

2. Altered source versions must be plainly marked as such, and must not be misrepresented as being the original software.

3. This notice may not be removed or altered from any source distribution.

The following statements refer to those portions of the software licensed under the GNU General Public License. This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received a copy of the GNU General Public License along with this program; if not, write to the Free Software Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.

The following statements refer to those portions of the software copyrighted by Thai Open Source Software Center Ltd and Clark Cooper Copyright (c) 2001, 2002 Expat maintainers. Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions: The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software. THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

Check Point Software Technologies Ltd.

U.S. Headquarters: 800 Bridge Parkway, Redwood City, CA 94065, Tel: (650) 628-2000 Fax: (650) 654-4233

International Headquarters: 3A Jabotinsky Street, Ramat Gan, 52520, Israel, Tel: 972-3-753 4555 Fax: 972-3-575 9256, http://www.checkpoint.com

Page 3

Table Of Contents

Chapter 1 Getting Started
Installing SmartView Reporter 5
  Overview 5
  Standalone Installation 6
  Distributed Installation 9
Starting SmartView Reporter 21

Chapter 2 SmartView Reporter
The Need for Reports 27
SmartView Reporter Solution 28
  SmartView Reporter — Overview 28
  Log Consolidation Process 30
  SmartView Reporter Standard Reports 32
  SmartView Reporter Express Reports 33
  Predefined Reports 33
SmartView Reporter Considerations 35
  Standalone vs. Distributed Deployment 35
  Log Availability vs. Log Storage and Processing 36
  Log Consolidation Phase Considerations 36
  Report Generation Phase Considerations 37
SmartView Reporter Configuration 38
  Basic Configuration Scenario 38
  Required Security Policy Configuration 39
  Express Reports Configuration 40
  Report Generation Configuration 40
  Consolidation Policy Configuration 45
  SmartView Reporter Database Management 49

Chapter 3 How To
SmartView Reporter Instructions 55
  How to re-consolidate logs according to a different Consolidation Policy 55
  How to generate reports based on data unavailable in the Database 56
  How to include URL information in web activity reports 56
  How to retain log fields not listed in the Store Properties window 57
  How to adapt reports to your specific needs 57
  How to schedule generations of the same report using different settings (a different output or style) 58
  How to recover the SmartView Reporter Database 58
  How to interpret report results whose direction is “other” 58
  How to view report results without the SmartView Reporter Client 58
  How to upload reports to a web server 59

Page 4

  How to upload reports to an FTP server 60
  How to improve performance 61

Appendix A Out_of_the_box Consolidation Policy
  Overview 65
  Out_of_the_box Consolidation Rules 66

Appendix B Predefined Reports
  Executive Reports 69
  Network Activity Reports 71
  Security Reports 74
  VPN-1 Reports 74
  User Activity Reports 75
  System Information Reports 76
  My Reports 76

Index 77

Page 5

CHAPTER 1

Getting Started

In This Chapter

Installing SmartView Reporter page 5
Starting SmartView Reporter page 21

Installing SmartView Reporter

In This Section

Overview page 5
Standalone Installation page 6
Distributed Installation page 9

Overview

SmartView Reporter can be installed in either a “Standalone” installation or a “Distributed” installation:

• Standalone installation — SmartView Reporter is installed on the SmartCenter Server machine.

• Distributed installation — SmartView Reporter is installed on a machine dedicated to reporting. In addition, the SmartView Reporter Add-on is installed on the SmartCenter Server machine. The add-on contains both data files (with report definitions) and a component that allows SmartDashboard to connect to the SmartView Reporter Server. A distributed installation requires establishing Secure Internal Communication (SIC) between the two machines. The distributed installation is recommended, since it provides better performance.

Page 6

Performance Tips

To maximize the performance of your SmartView Reporter Server, follow these guidelines:

Hardware Recommendations

• Use a computer that at least meets the minimum hardware requirements, as specified in the Release Notes at: http://www.checkpoint.com/techsupport/installation/ng/release_notes.html

• Configure the network connection between the SmartView Reporter Server machine and the SmartCenter Server (or the Log Server) for the best available speed.

• Use the fastest disk available with the highest RPM (Revolutions per Minute).

• Increase computer memory. It significantly improves performance.

Installation

Choose a distributed configuration, dedicating a computer to Consolidation and Report generation operations only.

Supported Platforms

Windows and Solaris platforms support both standalone and distributed installations.

Linux and Nokia platforms support only the SmartView Reporter Add-on (installed on the SmartCenter Server) in a distributed configuration. They do not support a Standalone Installation, nor can they host the SmartView Reporter Server of a distributed configuration.

Standalone Installation

In This Section

Windows Platform page 6
Solaris Platform page 9

Windows Platform

1 To begin the installation, log in as an Administrator and launch the Wrapper by double-clicking the setup executable.

2 Select the products that you would like to install. The following components are the minimum requirements for a standalone SmartView Reporter installation:

Page 7

• SmartCenter

• SmartConsole

• SmartView Reporter

FIGURE 1-1 Standalone Deployment - for Windows

Depending on the components that you have chosen to install, you may need to take additional steps before reaching step 3.

3 Verify the default directory, or browse to a new location in which SmartView Reporter will be installed.

4 Select Local SmartView Reporter Installation to install SmartView Reporter on the local machine.

5 Verify the default directory, or browse to a new location in which SmartView Reporter’s output files will be generated.

Click Next and reboot the machine to complete the installation of SmartView Reporter and continue with the next phase of the installation.

6 Launch SmartDashboard.

7 Edit the host properties for the SmartView Reporter machine.

Page 8

FIGURE 1-2 Edit the Host properties

8 Clear the SmartView Reporter checkbox and then select it again. Unless this checkbox is explicitly selected, SmartView Reporter will not function. Finally, click OK.

FIGURE 1-3 Select SmartView Reporter in the listbox

Page 9

9 After activating the SmartView Reporter host, install the Security Policy (Policy > Install) or install the database (Policy > Install Database) to make SmartView Reporter fully functional.

Solaris Platform

1 To begin the installation, mount the CD at the relevant directory and launch the wrapper as follows:

2 In the mounted directory, run the script UnixInstallScript.

3 Read the End-User License Agreement (EULA) and, if you accept it, click Yes.

4 Select whether you would like to perform an upgrade or create a new installation.

5 Continue from step 2 on page 6 to complete the process.

FIGURE 1-4 Standalone Deployment - for Solaris

Distributed Installation

In a distributed installation, SmartView Reporter is installed on a different machine to that of the SmartCenter server.

Page 10

In This Section

Windows Platform page 10
Solaris Platform page 14
Linux page 16
Nokia IPSO page 17

Windows Platform

This installation process consists of three phases:

• Install SmartView Reporter

• Install SmartCenter and the SmartView Reporter Add-On

• Prepare SmartView Reporter in SmartCenter

Phase 1 - Installing the SmartView Reporter

1 Select SmartView Reporter and SmartConsole (optionally) for installation.

FIGURE 1-5 Distributed deployment - for Windows

Note - Although SmartConsole does not have to be installed on this machine, if it is, you have direct UI access to the SmartCenter Server from this machine, thereby simplifying the final installation steps.

Page 11

Depending on the components that you have chosen to install, you may need to take additional steps (such as installing other components and/or license management) before reaching step 2.

2 Verify the default directory, or browse to a new location in which SmartView Reporter will be installed.

3 Select a folder in which SmartView Reporter’s output files will be generated.

Depending on the components that you have chosen to install, you may need to take additional steps before reaching step 4.

4 Enter the Activation Key in the specified fields. This one-time key is what establishes SIC between the SmartView Reporter machine and the SmartCenter Server. Remember the key; you will need to enter it again in step 11, when you initialize SIC for the SmartView Reporter host in SmartDashboard.

Click Finish to complete the installation of SmartView Reporter.

FIGURE 1-6 SIC activation

Phase 2 – Installing SmartCenter and the SmartView Reporter Add-On

SmartCenter installation is described in the Getting Started guide. Only the portion that is related to SmartView Reporter is discussed in this section.

Page 12

5 Install the SmartCenter Server on a separate machine by selecting SmartCenter, and also select SmartView Reporter, so that the SmartView Reporter Add-on is installed as part of the SmartCenter installation.

FIGURE 1-7 Installing SmartCenter and the SmartView Reporter Add-On on a Windows Platform

6 During the SmartCenter installation a window is displayed in which you are prompted to select the SmartView Reporter Setup Type. Select SmartView Reporter SmartCenter Add-on so that SmartCenter can connect to the distributed SmartView Reporter.

7 Reboot the machine in order to complete the installation.

Phase 3 – Preparing SmartView Reporter in SmartCenter

8 Launch SmartDashboard. (SmartDashboard is installed during the SmartConsole installation).

9 Create a new host for the SmartView Reporter machine.

Page 13

FIGURE 1-8 Create New SmartView Reporter Host

10 In the General Properties window, select SmartView Reporter. Then click the Communication button.

FIGURE 1-9 Initialize SIC

11 Enter the Activation Key that was created in step 4 during the SmartView Reporter installation.

12 After activating the SmartView Reporter host, install the Security Policy (Policy > Install) or install the database (Policy > Install Database) to make SmartView Reporter fully functional.

Page 14

FIGURE 1-10 Enter the Activation Key

Solaris Platform

This installation process consists of three phases:

• Install the SmartView Reporter

• Install SmartCenter and the SmartView Reporter Add-On

• Prepare SmartView Reporter in SmartCenter

Phase 1 – Installing the SmartView Reporter

1 Select SmartView Reporter and SmartConsole (optionally) for installation.

FIGURE 1-11 Standalone Deployment - for Solaris

Page 15

Depending on the components that you have chosen to install, you may need to take additional steps before reaching step 2.

2 Select a folder in which SmartView Reporter’s output files will be generated.

FIGURE 1-12 Solaris - default directory

Depending on the components that you have chosen to install, you may need to take additional steps before reaching step 3.

3 Enter the Activation Key in the specified fields. Remember the key; you will need to enter it again when you initialize SIC for the SmartView Reporter host in SmartDashboard.

Click Finish to complete the installation of SmartView Reporter.

Page 16

FIGURE 1-13 Solaris Activation Key

4 In order to complete the installation, continue from “Phase 2 – Installing SmartCenter and the SmartView Reporter Add-On” on page 11.

Linux

On Linux, only the SmartCenter side of the deployment (the SmartView Reporter Add-on) is installed; the SmartView Reporter machine itself must be installed on either Solaris or Windows. For details on installing the SmartView Reporter machine, refer to “Phase 1 - Installing the SmartView Reporter” on page 10.

Installing the SmartCenter Machine and the SmartView Reporter Add-On

SmartCenter installation is described in its own document. Only the portion that is related to SmartView Reporter is discussed here.

1 When installing SmartCenter, select SmartView Reporter, so that the SmartView Reporter Add-on is installed as part of the SmartCenter installation.

Note - Although the interface is different, the installation process performed on a Windows platform is the same as the installation process performed on a Solaris platform.

Page 17

FIGURE 1-14 Install SmartView Reporter on Linux

2 The SmartView Reporter installation type is automatically set to SmartView Reporter SmartCenter Add-on, so that SmartCenter can connect to the distributed SmartView Reporter.

3 In order to complete the installation, continue from “Phase 3 – Preparing SmartView Reporter in SmartCenter” on page 12.

Nokia IPSO

On Nokia IPSO, only the SmartCenter side of the deployment (the SmartView Reporter Add-on) is installed; the SmartView Reporter machine itself must be installed on either Solaris or Windows. For details on installing the SmartView Reporter machine, refer to “Phase 1 - Installing the SmartView Reporter” on page 10.

Installing the SmartCenter Machine and the SmartView Reporter Add-On

SmartCenter installation is described in its own document. Only the portion that is related to SmartView Reporter is discussed here.

1 After installing Check Point IPSO packages, reboot the machine and run cpconfig.

Page 18

FIGURE 1-15 Installing Check Point IPSO Packages

2 Log in to IPSO Voyager from a web browser.

FIGURE 1-16 Login to Voyager

3 Select Config to enter the Voyager Configuration screen.

Page 19

FIGURE 1-17 Click Config to enter the Configuration screen.

4 In the Configuration screen, select Manage Installed Packages.

Page 20

FIGURE 1-18 Select Manage Installed Packages

5 Make sure that SmartView Reporter NG with Application Intelligence R55 (and any other relevant packages) are set to On and click Apply.

Page 21

FIGURE 1-19 Activate SmartView Reporter and other relevant packages

6 After clicking Apply, click Save.

7 From a command-line terminal on the IPSO machine:

• Log out and then log in to the system again.

• Run rmdstart.

8 Reboot the machine.

9 In order to complete the installation, continue from “Phase 3 – Preparing SmartView Reporter in SmartCenter” on page 12.

Starting SmartView Reporter

To start using SmartView Reporter, proceed as follows:

1 Launch the SmartView Reporter Client (FIGURE 1-20).

Page 22

FIGURE 1-20 SmartView Reporter Client — Main window

2 Display the Management Selection Bar view and verify that logs are indeed being consolidated and saved to the SmartView Reporter Database.

Page 23

FIGURE 1-21 SmartView Reporter Client — Management Selection Bar view

3 Go back to the Reports Selection Bar view (FIGURE 1-20 on page 22) and ensure that you select the database tables for which to generate the report, as well as a report time frame. Then generate the Standard Network Activity report by selecting it in the Report Tree pane and clicking in the toolbar.

4 To follow the progress of the report generation, display the Report Generation Selection Bar view (FIGURE 1-22).

Page 24

FIGURE 1-22 SmartView Reporter Client — Report Generation Selection Bar view

After a brief delay, the Standard Network Activity report result is displayed through your browser (FIGURE 1-23 on page 25).

Page 25

FIGURE 1-23 Example Standard Network Activity Report Result

5 Click a section title to view the results in question. The section’s results are displayed in either a graph unit, a table unit or both types of units.

FIGURE 1-24 on page 26 shows example results of section 2, Network Activity by Date, in both a graph unit and a table unit.

[FIGURE 1-23 callouts: Report Title; Report Description; Report Time Frame, Log Sources & Generation Time; Sections (Hyperlinks)]

Page 26

FIGURE 1-24 Example Standard Network Activity by Date Section — Graph and Table Formats

[FIGURE 1-24 callouts: Section Title; Section Description; Unit Title; Unit Description; Unit Terminology; Unit Results: Graph Format; Unit Title; Unit Description; Unit Legend; Unit Results: Table Format]

Page 27

CHAPTER 2

SmartView Reporter

In This Chapter

The Need for Reports page 27
SmartView Reporter Solution page 28
SmartView Reporter Configuration page 38

The Need for Reports

To manage your network effectively and to make informed decisions, you need to gather information on the network’s traffic patterns. There is a wide range of issues you may need to address, depending on your organization’s specific needs:

• As a Check Point customer, you may wish to check whether your expectations of the products are indeed met.

• From a security point of view, you may be looking for suspicious activities, illegal services, blocked connections or events that generated alerts.

• As a system administrator, you may wish to sort the Security Policy based on how often each Rule is matched, and delete obsolete Rules that are never matched.

• You may be looking for general network activity information, for purposes such as capacity planning.

• From the corporate identity and values perspective, you may want to ensure that your employees’ web surfing complies with your company’s policy (for example, in terms of the web sites they access).

• From a sales and marketing point of view, you may wish to identify the most and the least visited pages on your website, or your most and least active customers.

To address these issues, you need an efficient tool for gathering the relevant information and displaying it in a clear, accurate format.

Page 28

SmartView Reporter Solution

In This Section

SmartView Reporter — Overview page 28
Log Consolidation Process page 30
SmartView Reporter Standard Reports page 32
Predefined Reports page 33

SmartView Reporter — Overview

Check Point SmartView Reporter delivers a user-friendly solution for monitoring and auditing traffic. You can generate detailed or summarized reports in the format of your choice (list, vertical bar, pie chart, etc.) for all events logged by Check Point VPN-1 Pro, SecureClient and SmartDefense.

SmartView Reporter implements a Consolidation Policy that goes over your original, “raw” log file, identifies events of interest and copies their relevant details into a special, report-specific database (the SmartView Reporter Database). This compact database enables quick and efficient generation of a wide range of reports. The SmartView Reporter solution aims for the optimal balance between keeping the report database as small as possible and retaining the most vital information.

A Consolidation Policy is similar to a Security Policy in terms of its structure and management. For example, both Rule Bases are defined through SmartDashboard’s Rules menu and use the same network objects. In addition, just as Security Rules determine whether to allow or deny the connections that match them, Consolidation Rules determine whether to store or ignore the logs that match them. The key difference is that a Consolidation Policy operates on logs, as opposed to connections, and has no effect on security enforcement.

FIGURE 2-1 illustrates the Consolidation process, defined by the Consolidation Policy. After the VPN-1 Pro Modules send their logs to the SmartCenter Server, the Log Consolidator Engine collects them, scans them, filters out fields defined as irrelevant, merges records defined as similar and saves them to the SmartView Reporter Database.

Page 29

FIGURE 2-1 Log Consolidation Process

The SmartView Reporter Server can then extract the consolidated records matching a specific report definition from the SmartView Reporter Database and present them in a report layout (FIGURE 2-2):

FIGURE 2-2 Report Generation Process

Two types of reports can be created: Standard Reports and Express Reports. The Standard Reports are generated from information in log files through the Consolidation process to yield relevant analysis of activity. Express Reports are generated from SmartView Monitor history files and are produced much more quickly. Express Reports also support Provider-1 setups.

SmartView Reporter Standard Reports are supported by two Clients:

• SmartDashboard Log Consolidator — manages the Log Consolidator Engine and the SmartView Reporter Database via the SmartCenter Server. This Client is displayed by launching SmartDashboard and selecting View > Products > Log Consolidator.

• SmartView Reporter Client — generates and manages reports.

FIGURE 2-3 illustrates the SmartView Reporter architecture for Standard Reports:

Page 30

FIGURE 2-3 SmartView Reporter Standard Report Architecture

The interaction between the SmartView Reporter Client and Server components applies both to a distributed installation (as shown in FIGURE 2-3), where the SmartCenter Server and SmartView Reporter’s server components are installed on two different machines, and to a standalone installation, in which these products are installed on the same machine.

Log Consolidation Process

It is recommended to use the SmartView Log Consolidator’s predefined Consolidation Policy, the out_of_the_box Policy, designed to filter out irrelevant logs (such as control messages) and store the most commonly requested ones (such as blocked connection, alert or web activity logs). The Log Consolidator Engine scans the Consolidation Rules sequentially and processes each log according to the first Rule it matches.

FIGURE 2-4 illustrates how the Consolidation Policy processes logs: when a log matches a Consolidation Rule, it is either ignored or stored. If it is ignored, no record of this log is saved in the SmartView Reporter system, so its data is not available for report generation. If it is stored, it is either saved as is (so all log fields can later be represented in reports), or consolidated to the level specified by the Rule.


FIGURE 2-4 Log Process Chart

The Consolidation is performed on two levels: the interval at which the log was created and the log fields whose original values should be retained. When several logs matching a specific Rule are recorded within a predefined interval, the values of their relevant fields are saved “as is”, while the values of their irrelevant fields are merged (i.e. “consolidated”) together.

TABLE 2-1 provides a Consolidation example, where three logs of approved NTP connections match the same Consolidation Rule (NTP is a time protocol that provides access over the Internet to systems with precise clocks).

The Rule’s store options specify that logs generated within a one hour interval should be consolidated into a single record, as long as they share the same values for four fields of interest: destination, interface, Rule name and QoS class. The values of all other fields are either integrated into their shared value (e.g. the shared Rule Number value, 1), or replaced with the term “consolidated” (e.g. the different Source values). The consolidated record includes a connection number column, noting how many logs it represents (in this case, 3).
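The first-match Rule scan and the interval consolidation described above, modelled in Python as an added example. This is not Check Point code and not the Log Consolidator Engine; it also models the Ignore and Store actions discussed later in this chapter under “Specifying the Consolidation Rule’s Store Options”. The Rule dictionary format, the field names, the sample logs and the assumption that a log matching no Rule is dropped are all constructed for illustration.

```python
"""Toy model of the Log Consolidator's first-match Rule scan and interval
consolidation (added example, not Check Point code). Rule format, field
names and sample logs are constructed; a log matching no Rule is dropped,
which is an assumption of this model, not a documented behaviour."""

CONSOLIDATED = "Consolidated"   # value the page shows for fields merged away


def minutes(hhmm_text):
    """'10:25' -> 625 (minutes past midnight)."""
    hours, mins = hhmm_text.split(":")
    return int(hours) * 60 + int(mins)


def hhmm(total_minutes):
    """625 -> '10:25'."""
    return "%02d:%02d" % divmod(total_minutes, 60)


def matches(rule, log):
    """A Rule matches when every field in its match clause equals the log's value."""
    return all(log.get(field) == value for field, value in rule["match"].items())


def first_matching_rule(rules, log):
    """Rules are scanned sequentially; the first match decides what happens."""
    for index, rule in enumerate(rules):
        if matches(rule, log):
            return index, rule
    return None, None


def consolidate(logs, rules):
    """Return (records saved to the Database, number of logs ignored)."""
    stored = []      # records saved "as is", one per log
    buckets = {}     # (rule index, interval start, fields of interest) -> merged record
    ignored = 0
    for log in logs:
        index, rule = first_matching_rule(rules, log)
        if rule is None or rule["action"] == "Ignore":
            ignored += 1             # nothing reaches the Database; no report can see it
            continue
        keep = rule.get("keep")      # fields whose original values are retained
        if keep is None:             # Store "as is": every field stays available
            stored.append(dict(log, conn_no=1))
            continue
        interval = rule["interval_minutes"]
        start = minutes(log["time"]) // interval * interval
        key = (index, start, tuple(log[field] for field in keep))
        record = buckets.get(key)
        if record is None:
            record = dict(log, time=hhmm(start), conn_no=0)
            buckets[key] = record
        record["conn_no"] += 1       # how many logs this record represents
        for field, value in log.items():
            if field == "time" or field in keep:
                continue
            if record[field] != value:   # differing values are merged away
                record[field] = CONSOLIDATED
    return stored + list(buckets.values()), ignored


# Constructed Consolidation Rules, in the order the Engine scans them.
RULES = [
    # "Ignore" Rules first: frequent, uninteresting logs are skipped without any work.
    {"match": {"service": "control"}, "action": "Ignore"},
    # Blocked connections are stored "as is" so every field can appear in reports.
    {"match": {"action": "drop"}, "action": "Store", "keep": None},
    # Approved NTP, as in TABLE 2-1: one record per hour for each
    # (destination, interface, Rule name, QoS class) combination.
    {"match": {"service": "ntp", "action": "accept"}, "action": "Store",
     "keep": ("dst", "iface", "rule_name", "class"), "interval_minutes": 60},
]

# Constructed logs; the three NTP logs copy the values of TABLE 2-1.
SAMPLE_LOGS = [
    {"time": "09:58", "src": "10.1.1.1", "dst": "10.1.1.2", "iface": "hme0",
     "rule_name": "-", "rule_no": 0, "class": "-", "service": "control", "action": "accept"},
    {"time": "10:00", "src": "10.1.3.29", "dst": "172.0.0.1", "iface": "hme0",
     "rule_name": "NYC", "rule_no": 1, "class": "Gold", "service": "ntp", "action": "accept"},
    {"time": "10:25", "src": "10.15.2.52", "dst": "172.0.0.1", "iface": "hme0",
     "rule_name": "NYC", "rule_no": 1, "class": "Gold", "service": "ntp", "action": "accept"},
    {"time": "10:59", "src": "10.56.60.4", "dst": "172.0.0.1", "iface": "hme0",
     "rule_name": "NYC", "rule_no": 1, "class": "Gold", "service": "ntp", "action": "accept"},
    {"time": "10:30", "src": "192.0.2.7", "dst": "172.0.0.1", "iface": "hme0",
     "rule_name": "cleanup", "rule_no": 9, "class": "-", "service": "telnet", "action": "drop"},
]


def run_sample():
    return consolidate(SAMPLE_LOGS, RULES)


if __name__ == "__main__":
    records, skipped = run_sample()
    print("ignored:", skipped)
    for record in records:
        print(record)
```

Running the sample yields one ignored control log, one dropped-connection record stored as is, and a single NTP record with Conn No. 3 whose Source reads “Consolidated” while the destination, interface, Rule name, Rule number and class keep their shared values, which is exactly what TABLE 2-1 shows.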

TABLE 2-1 Consolidation Example

Record        Time   Source        Dest.      I-face  Rule Name  Rule No.  Class  Conn No.
Log 1         10:00  10.1.3.29     172.0.0.1  hme0    NYC        1         Gold
Log 2         10:25  10.15.2.52    172.0.0.1  hme0    NYC        1         Gold
Log 3         10:59  10.56.60.4    172.0.0.1  hme0    NYC        1         Gold
Cons. Record  10:00  Consolidated  172.0.0.1  hme0    NYC        1         Gold   3

How to interpret User names in DHCP enabled networks

If DHCP address mapping is used, assuming the DNS knows how to resolve dynamic addresses, the information you see in the report reflects the correct resolving results for the time at which the reported log events were processed by the SmartDashboard Log Consolidator and inserted into the database.

Because of the dynamic nature of DHCP address distribution, there is no guarantee that consolidation of old log files will produce correct address name resolving.

When DHCP is in use, consolidating log files close to the time of their creation will improve address-resolving accuracy.

SmartView Reporter Standard Reports

The Log Consolidation process results in a database of the most useful, relevant records, known as the SmartView Reporter Database. The information is consolidated to an optimal level, balancing the need for data availability with the need for fast and efficient report generation.

Reports are generated based on a single database table, specified in the Reports Selection Bar view > Standard Reports > Report tab. By default, all consolidated records are saved to the CONNECTIONS table and all reports use it as their data source. However, each time you install and start the Consolidation Policy, you have the option of storing records in a different table. You can further organize these tables by moving records between them as needed and deleting outdated records.

Dividing the consolidated records between different tables allows you to set the SmartView Reporter Client to use the table most relevant to your query, thereby improving the SmartView Reporter Server’s performance. In addition, dividing records between tables facilitates managing the SmartView Reporter Database: you can delete outdated tables, export tables you are not currently using to a location outside of the SmartView Reporter Database and import them back when you need them.


SmartView Reporter Express Reports

Express Reports are based on data collected by Check Point system counters and SmartView Monitor history files. Standard Reports, in contrast, are based on Log Consolidator logs. Because Express Reports present historical data, they can be generated more quickly.

SmartView Reporter Express Reports are supported by one Client, the SmartView Reporter. To configure your system to generate Express Reports, see “Express Reports Configuration” on page 40.

FIGURE 2-5 illustrates the SmartView Reporter architecture for Express Network Reports:

FIGURE 2-5 SmartView Reporter Express Report Architecture

Predefined Reports

The SmartView Reporter Client offers a wide selection of predefined reports for both Standard and Express reporting, designed to cover the most common network queries from a variety of perspectives.

Report Subjects

The reports are grouped by the following subjects, allowing you to easily locate the one you need:

• Network Activity (Standard, Express) — this subject includes reports that enable you to analyze the most popular activities in your network. You can examine your network activity as a whole or focus on a specific direction (incoming, outgoing or internal) or activity type (web, ftp or Email). For example, to study network traffic inside your organization, you can investigate how your web servers, mail servers and firewalled gateways handle the network load; see which services use most of the available bandwidth; and find out which web sites are the most popular. You can detect illegal network traffic, such as connections to banned web sites or use of prohibited services. To examine the network usage by external sources, you can explore which sources access the corporate web site, how often and for how long.

A report dedicated to FireWall-1 activity allows you to identify its top services, sources and destinations. The records are organized both by their direction and by the action taken by the firewall. In addition, you can follow the firewall activity’s distribution over various time frames (your working hours, week days and the selected date range).

• Security (Standard, Express) — this subject includes reports that allow you to focus on all security-related traffic in your network. For example, you can inspect connections whose origin or destination is the FireWall-1 machine, monitor security attacks detected by SmartDefense, or analyze blocked connections and FireWall-1 alerts.

In addition, you can detect Policy Installations and analyze the Rule Base order on a specific gateway. Identifying the top matched rules versus the least matched rules allows you to sort the Security Policy in the most efficient way.

• User Activity (Standard) — this subject includes reports that provide you with information on how users inside your organization, as well as remote, SecureClient users, utilize your network resources. You can identify peak activity patterns, in terms of the most active users, the most commonly used services, the most active working hours or week days etc.

• VPN-1 (Standard, Express) — this subject includes reports that allow you to analyze various aspects of your encrypted traffic, such as its distribution over time, the top services or sources etc. You can examine your VPN-1 activity as a whole, or focus on a specific VPN Tunnel or VPN Community.

• Executive (Standard, Express) — offers a selection of reports from various subjects that are of special interest to executives, such as the Network Activity or User Activity reports.

• System Info (Express) — this subject includes reports that allow you to analyze various aspects of system load and operational activity, including CPU usage, kernel usage, and memory usage.

• My Reports (Standard, Express) — select predefined reports and customize them to your needs.

For descriptions of each predefined report available, see Appendix B, “Predefined Reports”.


Report Structure

Each report consists of a collection of sub-topics known as sections, which cover various aspects of the report. For example, the User Activity report consists of sections such as User Activity by Date, Top Users, Top User Activity Services etc.

Each section consists of units, which display the same results in different formats, for your convenience. For example, the User Activity by Date section displays the same data in two units: a graph and a table.

Customizing Predefined Reports

In case you have a specific query that is not directly addressed by the predefined reports, you can easily customize the report that is closest to your needs (by changing its date range, filters etc.) to provide the desired information. You can save the customized report under a different name in the report subject dedicated to user-defined reports, My Reports.

SmartView Reporter Considerations

In This Section

Standalone vs. Distributed Deployment page 35

Log Availability vs. Log Storage and Processing page 36

Log Consolidation Phase Considerations page 36

Report Generation Phase Considerations page 37

SmartView Reporter’s default options have been designed to address the most common reporting needs. However, to maximize the product’s benefits, it is recommended that you adapt it to your specific profile. This section describes the considerations you should take into account before starting to use SmartView Reporter.

Standalone vs. Distributed Deployment

In a standalone deployment, all SmartView Reporter server components (the Log Consolidator Engine, the SmartView Reporter Database and the SmartView Reporter Server) are installed on the Check Point SmartCenter Server machine. In a distributed deployment, the SmartView Reporter server components and the SmartCenter Server are installed on two different machines and communicate through a special Log Consolidator Add-on installed on the SmartCenter Server.

The standalone deployment saves you from dedicating a machine to SmartView Reporter, but the distributed deployment significantly improves your system’s performance.

Log Availability vs. Log Storage and Processing

Since all SmartView Reporter operations are performed on the logs you have saved, the extent to which you can benefit from this product depends on the quality of the available logs. Therefore, you must ensure your Security Policy is indeed tracking (logging) all events you may later wish to see in your reports.

In addition, you should consider how accurately your logs represent your network activity. If only some of your Rules are tracking events that match them, the events’ proportion in your reports will be distorted. For example, if only the blocked connections Rule is generating logs, the reports will give you the false impression that 100% of the activity in your network consisted of blocked connections.

On the other hand, tracking multiple connections results in an inflated log file, which not only requires more storage space and additional management operations, but significantly slows down the Consolidation process.

Log Consolidation Phase Considerations

Record Availability vs. Database Size

Reports are a direct reflection of the records stored in the SmartView Reporter Database. To generate detailed, wide-ranging and accurate reports, the corresponding data must be available in the Database.

However, effective database management requires keeping the database size under 20 GB. As the consolidated records accumulate in the Database, the tables where they are saved may become quite large. The data gradually approaches the disk space limit, using more and more memory and slowing down the SmartView Reporter processes (especially the data retrieval for report generation).

Carefully consider which logs you wish to store, and to what extent you wish to consolidate them.

Saving Consolidated Records to One vs. Multiple Database Tables

A report is generated based on a single table. If you save all consolidated records to the same table, all the data is readily accessible and you are saved the trouble of moving records between tables and selecting the appropriate source table for each report you wish to generate.


Dividing the records between different tables reduces the report generation time and allows you to maintain a useful Database size by exporting tables you are not currently using to an external location.

Report Generation Phase Considerations

Adapting the Report’s Detail Level to your Needs

When a report is very detailed, it may become difficult to sort out the most significant results and understand the network’s status. To achieve the optimal balance between getting all the information you need and excluding excessive records, closely examine the report’s date range, filters (source, destination, service etc.) and filter values, and adjust them to pinpoint the details you need.

Generating only selected sections and units

By default, all report sections and their units are included in the report generation. However, to get results faster and improve your machine’s performance, you can generate only selected sections and units (by unchecking all others in the Report Tree pane).

Scheduling reports

The Schedule feature allows you to set both delayed and periodic report generations.

If you wish to produce a detailed and lengthy report, you should consider postponing its generation and scheduling it so that it does not interfere with your employees’ working hours or with times of peak network activity, since such a report generation might slow down your system.

In addition, it is useful to identify the reports you require on a regular basis (e.g. a daily alerts report or a monthly user activity report) and schedule their periodic generations.

Report output (display, Email, file, printer etc.)

All predefined report results are displayed on your screen and saved to the SmartView Reporter Server.


By default, the report is saved as HTML in an index.htm file and as CSV (Comma Separated Values) in a tables.csv file. The HTML file includes descriptions and graphs, but the CSV file contains only the report table units, without a table of contents, descriptions or graphs. The tables.csv file is provided to enable convenient table import into applications like Excel.

Before generating a report, determine whether you want it to be saved or sent to additional or different targets. For example, when you generate a user activity-related report, you may wish to make it available to all managers in your organization by sending them the output via Email or by placing it on your intranet.

SmartView Reporter Configuration

In This Section

Basic Configuration Scenario

The following procedure allows you to create the most basic SmartView Reporter configuration. Proceed as follows:

1 In the SmartDashboard, set the relevant Security Policy Rules to track connections of interest (set each Rule’s Track column to either Log or Account).

TABLE 2-2 Report Files and Formats

File Format  File Name   Includes
HTML         index.htm   Table of contents, tables, descriptions, graphs.
CSV          tables.csv  Data only. Cell values separated by commas. Rows and tables separated by lines.

Basic Configuration Scenario page 38

Required Security Policy Configuration page 39

Express Reports Configuration page 40

Report Generation Configuration page 40

Consolidation Policy Configuration page 45

SmartView Reporter Database Management page 49


2 Launch the SmartView Reporter Client and display the selection bar’s Management view, to verify that consolidated records have been loaded to the SmartView Reporter Database.

3 Display the Reports view, select the database tables to be examined and the time frame for the report, choose the report type, then generate the report.

This general procedure can be used to provide you with any report you are interested in. For example, to generate a report on illegal attempts to connect to your network, proceed as follows:

1 In the SmartDashboard, add the following Rule (TABLE 2-3) at the bottom of your Rule Base:

TABLE 2-3 Security Rule Tracking Illegal Attempts to Connect to the Local Network

Source  Destination      VPN  Service  Action  Track  Install On      Time  Comment
Any     Company_network  Any  Any      Drop    Log    Policy Targets  Any   A rule tracking illegal attempts to connect to the local network

2 Launch the SmartView Reporter Client and display the selection bar’s Management view, to verify that consolidated records have been loaded to the SmartView Reporter Database.

3 Display the Reports view and generate the Blocked Connections by Date report.

Required Security Policy Configuration

For a Security Rule to generate logs for connections that match it, the Rule’s Track column should be set to any value other than None (for example, Log generates a standard log, while Account generates an accounting log).

Note that in order to obtain accounting information (the number of bytes transferred and the duration of the connection), the value of the Rule’s Track column must be Account.

To utilize direction information (“incoming”, “outgoing”, “internal” or “other”), the organization’s topology must be configured properly. If this is the case, “other” can be used as a security tool, indicating there were connections whose destination was the firewall itself.
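The direction information discussed above depends on the topology, and the following added Python example shows both why and what goes wrong when the topology is incomplete. It is not Check Point code: the order in which the four directions are decided is an assumption built from the page’s description (the page only states that “other” covers connections whose destination was the firewall itself), and the internal networks, gateway addresses and sample connections are constructed.

```python
"""Direction classification of logged connections from the configured topology
(added example, not Check Point code). The classification order is an
assumption built from the page's description of the four directions; the
networks, gateway addresses and sample connections are constructed."""
import ipaddress

# Constructed topology: internal networks and the gateway's own addresses.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.1.0/24")]
GATEWAY_ADDRESSES = {ipaddress.ip_address("198.51.100.1"),
                     ipaddress.ip_address("10.0.0.1")}


def is_internal(address, nets):
    ip = ipaddress.ip_address(address)
    return any(ip in net for net in nets)


def direction(src, dst, nets=INTERNAL_NETS, gateway=GATEWAY_ADDRESSES):
    """Return 'incoming', 'outgoing', 'internal' or 'other'."""
    if ipaddress.ip_address(dst) in gateway:
        return "other"           # destination is the firewall itself
    src_internal = is_internal(src, nets)
    dst_internal = is_internal(dst, nets)
    if src_internal and dst_internal:
        return "internal"
    if src_internal:
        return "outgoing"
    if dst_internal:
        return "incoming"
    return "other"               # neither side is known internal (assumption)


def summarize(connections, nets=INTERNAL_NETS):
    """Count connections per direction, as a direction filter would split a report."""
    counts = {"incoming": 0, "outgoing": 0, "internal": 0, "other": 0}
    for src, dst in connections:
        counts[direction(src, dst, nets)] += 1
    return counts


# Constructed (source, destination) pairs taken from connection logs.
SAMPLE_CONNECTIONS = [
    ("10.1.3.29", "10.2.0.5"),          # internal
    ("10.1.3.29", "198.51.100.80"),     # outgoing
    ("203.0.113.9", "192.168.1.10"),    # incoming
    ("203.0.113.9", "198.51.100.1"),    # other: aimed at the gateway's external address
    ("203.0.113.9", "10.0.0.1"),        # other: aimed at the gateway's internal address
    ("10.5.5.5", "10.0.0.1"),           # other: internal host talking to the gateway
]


def sample_counts(nets=INTERNAL_NETS):
    return summarize(SAMPLE_CONNECTIONS, nets)


def counts_with_incomplete_topology():
    """Same logs with 192.168.1.0/24 missing from the topology: the incoming
    connection to 192.168.1.10 is misreported as 'other'."""
    return sample_counts(nets=[ipaddress.ip_network("10.0.0.0/8")])


if __name__ == "__main__":
    print("complete topology:  ", sample_counts())
    print("incomplete topology:", counts_with_incomplete_topology())
```

With the complete topology the six sample connections split into one incoming, one outgoing, one internal and three “other”; drop one internal network from the topology and a genuine incoming connection is counted as “other”, which is why the page insists the topology be correct before “other” is read as a security indicator.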


Express Reports Configuration

The following procedure sets the SmartView Monitor to collect complete system data in order to produce SmartView Reporter Express Reports. SmartView Monitor settings are enabled through the SmartDashboard. Proceed as follows:

1 In the SmartDashboard network objects tab of the object tree, select a gateway of interest. Double click the gateway to open the Check Point Gateway properties window.

2 You will need to enable the SmartView Monitor to collect data for reporting purposes through the SmartDashboard.

[If you do not see SmartView Monitor in the selection to the left, enable it through the General Properties tab. Click General Properties, then in the scroll-down window of Check Point Products, click Smart View Monitor. It will appear at left.]

Select Smart View Monitor, and in the Smart View Monitor tab, click all the checkboxes to ensure that SmartView Monitor is collecting every type of data for reporting purposes.

3 To finish this procedure, in SmartDashboard select Policy > Install Database.

Report Generation Configuration

In This Section

Adapting the Report Properties to your Needs — Overview page 41

SmartView Reporter Database Table page 41

Report Period page 41

Report Filters page 41

Result Calculation and Resolution page 42

Input location page 43

Output location page 43

Scheduling page 44

Preview page 44

Monitoring the Report Status page 44

Displaying Generated Reports page 45

Additional Settings page 45

Report Generation Command Line page 45


Adapting the Report Properties to your Needs — Overview

When you generate a report, you can either use the report as a whole or run a specific section or a unit.

You can generate the selected component using its default properties, or adjust these properties to better address your current requirements. This section describes the most important properties you should examine before generating a report.

SmartView Reporter Database Table

By default, consolidated records are retrieved from the SmartView Reporter Database’s CONNECTIONS table. If you have divided your records between several tables, choose the table containing the records you require, e.g. a special table dedicated to records originating from a specific log server, or a table covering the time frame you are interested in. To see which table contains the relevant records, display the Management Selection Bar view.

Select the relevant tables through the Standard Reports view’s Reports tab, by selecting the tables in the Other Database Tables drop-down list.

Report Period

All predefined reports are set to cover a default time range of a week to a month. You must change this period to reflect the data’s actual dates and times, and the time period that you wish to examine.

Tuning Report Time Frame

To improve SmartView Reporter Server performance, when setting a user-defined time frame for the report, specify a time frame in whole days. When setting a report period, note that the following settings will slow down the report generation speed:

• Relative Time Frame: Today, Yesterday, Last X hours, This week.

• Specific dates: Limit by hour checkbox.

• Reports for short time periods are generated faster than reports for long time periods. A weekly report will be generated much faster than a monthly report.

Report Filters

Reports are based on records of the most commonly required filters (e.g. Source, Destination etc.). Specifying the appropriate filter settings is the key to extracting the information you are looking for.


For each filter you choose, specify the values (e.g. network objects, services etc.) to be matched out of all values available for that filter. The available values are taken from the SmartCenter Server and are refreshed on a regular basis. If you cannot see a value you have added through SmartDashboard in the available values list, refresh the list by selecting a different filter and then return to the previous one.

The SmartView Reporter Client also allows you to include additional objects, by manually adding them to the matched values list.

Filters and their values can be specified both on the report level and on its unit level. The report level settings are enforced on the unit level as well (for example, if you choose to include specific sources in the report, these sources will also be included in its units). If you set a specific unit-level filter and then choose a different report-level filter, the latter overrides the former.

Tuning Report Filters

If you define different filters for different units that share the same cached SQL, the SQL caching will no longer be viable and the report generation time will significantly increase. It is recommended that you define filters at the report level only.

Result Calculation and Resolution

Data Calculation Scheme

By default, report calculations are based on the number of events logged. If you have logged accounting data (done by setting the Security Rule’s Track column to Account), you can base the report calculations on the number of bytes transferred.

Sort Parameter

You may sort the results by one of two parameters: the number of bytes transferred and the number of events logged. Note that an event takes on different meanings, depending on its context. In most cases, the number of events refers to the number of connections. Access this through the Tools > Options menu.

The number of bytes transferred can be calculated only if the Security Rules’ Track column is set to Account. The number of events logged can be calculated as long as the Track column is set to Log or Account.

If both types of information are available, they will both be displayed in the sort order you have specified. For example, a table listing the most active sources in your system can first specify the number of events each source generated and then note the number of bytes related to its activity.

In addition, the unit’s Unit tab allows you to select the resolution type (byte or time) and its level.
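The two sort parameters above, applied to the tables.csv file described under “Report output” earlier in this chapter, as an added Python example (not Check Point code). The page says only that the CSV file holds the report table units with cells separated by commas and rows and tables separated by lines, so the example’s layout assumptions (a header row per table, a blank line between tables, an empty Bytes cell where the matching Rule tracked with Log rather than Account) and the sample file content are constructed.

```python
"""Post-processing of a report's tables.csv output (added example, not Check
Point code). Assumptions: each table is a header row followed by data rows,
a blank line separates tables, and the Bytes cell is empty for connections
whose Rule tracked with Log rather than Account. The file content is constructed."""
import csv
import io

# Constructed tables.csv content: two report table units.
SAMPLE_TABLES_CSV = """\
Source,Events,Bytes
10.1.3.29,120,4096000
10.15.2.52,75,9800000
10.56.60.4,40,
192.0.2.7,200,

Service,Events,Bytes
http,150,12000000
ntp,85,1996000
"""


def parse_tables(text):
    """Split tables.csv into tables: [{'header': [...], 'rows': [[...], ...]}, ...]."""
    tables, current = [], []
    for row in csv.reader(io.StringIO(text)):
        if not row or all(cell.strip() == "" for cell in row):
            if current:                  # blank line closes the current table
                tables.append(current)
                current = []
            continue
        current.append(row)
    if current:
        tables.append(current)
    return [{"header": table[0], "rows": table[1:]} for table in tables]


def as_count(cell):
    """Numeric cell; an empty Bytes cell means no accounting data was logged."""
    cell = cell.strip()
    return int(cell) if cell else 0


def top_n(table, by, n=3):
    """Rows sorted by the chosen parameter ('Events' or 'Bytes'), highest first.
    Sorting by Bytes ranks every Log-only Rule's connections at the bottom."""
    column = table["header"].index(by)
    return sorted(table["rows"], key=lambda row: as_count(row[column]), reverse=True)[:n]


def load_sample():
    return parse_tables(SAMPLE_TABLES_CSV)


if __name__ == "__main__":
    sources = load_sample()[0]
    print("by events:", [row[0] for row in top_n(sources, "Events")])
    print("by bytes: ", [row[0] for row in top_n(sources, "Bytes")])
```

Sorting the same table by Events puts the most frequently logged source first, whereas sorting by Bytes puts the heaviest accounted transfer first and pushes every source whose Rule only used Log to the bottom; that is the practical effect of the Track setting on the choice of sort parameter.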


Format

If user names are stored in an LDAP server, the names will include the full LDAP path in the FireWall-1 log files. The way the report shows the user name can be changed through the Tools menu > Options > General tab. By default, the Show abbreviated LDAP user name check box is selected, so that generated reports display only the user name part of the full LDAP name. To see the name with full LDAP path, uncheck this box.

Input location

The modules from which you collect data can be modified using the report’s Input tab, which lets you select the following:

• the module or modules of origin

• whether to collect data per module or as a group, if you have selected more than one module

Output location

Report results are saved in subdirectories of the Results subdirectory of the SmartView Reporter Server as follows:

Result\NG_AI\bin\<Report Name>\<Generation Date & Time>

For each report, a directory with the report’s name “\<Report Name>” is created in \bin, with a subdirectory named with the generation date and time “\<Generation Date & Time>.” The report is generated into this “\<Generation Date & Time>” subdirectory.

The Result location can be modified by selecting Tools > Options from the menu and specifying the desired location in the Result Location field of the Options window’s Generation page.

In addition to saving the result to the SmartView Reporter Server, you can send it to any of the following:

• The Client’s display (the default setting).

• Email recipients.

• An ftp or a web server. See “How to upload reports to an FTP server” on page 60.

The Mail Information page of the Options window allows you to specify both the sender’s Email address and the mail server to be used. It also allows you to specify the degree of message severity (Information, Warning or Error) that is to be sent to the administrator.


The Mail Information page of the Tools > Options window allows you to specify that an administrator receive warnings about errors. To enable this option, fill in the Administrator email address, and choose the severity factor for which an error message will be sent, by checking one or more of the severity levels in the Specify the severity of the administrator email notification section.

Scheduling

Schedules are managed through the Report’s Schedule tab. All schedules of all reports defined in the system can be viewed through the Schedules option of the Selection Bar’s Management view.

To improve performance, schedule report generation when there is less traffic and fewer logs are being generated, so the log consolidator is consuming fewer resources. For example, schedule reports on nights and weekends.

History

The reporting server can store a limited amount of Report-generation status records. In order to modify the amount of information stored, go to the Tools > Options window, and select the History page. Modify the amount in Report history size.

When the quantity of the status reports passes the limit, the oldest status record is deleted. You can decide whether you would like the associated generated Report to be deleted as well by changing the Report output delete method setting.

In addition, you can also specify the maximum number of Consolidation Status records that are displayed in the Management view, by modifying the Consolidation history size.

Preview

If the report you wish to generate covers a wide time frame (e.g. a quarterly network activity report), its generation may be time consuming. To verify you choose the appropriate settings, you can test the output by generating a partial preview of the report (select Actions > Preview Report from the menu).

The Preview option (set by selecting Tools > Options... from the menu) specifies the percentage (1 to 20) of the report time frame to be included in the preview. For example, if the report period covers 30 days and you set the preview to 10%, it will only show records logged during the first three days of that time frame.

Monitoring the Report Status

The Selection Bar’s Report Generation view’s Currently Active option allows you to follow the report generation progress. Once the generation is complete, it is recorded in the view’s History option.


Displaying Generated Reports

The Selection Bar’s Report Generation view’s History option lists all past report generations. Double click any generation record to display the report it describes.

Additional Settings

The Options window allows you to specify additional settings including the name and the location of the logo to be displayed in the report header, as well as where to Email reports, and report-sorting settings.

By default, the logo file is saved in the SmartViewReporter\NG\bin directory.

Report Generation Command Line

For your convenience, it is possible to generate reports both through the SmartView Reporter Client and through the command line.

Generating reports using the command line GeneratorApp has the following limitations:

• No report status updates in the Report Generation view’s Currently Active window.

• No distribution of the report result.

To generate reports through the command line, go to the SmartViewReporter\NG\bin directory on the SmartView Reporter Server machine and run the following command:

Usage: GeneratorApp.exe [Directory/""] {ReportID}

For example, to generate the Security report, whose ID is {475AD890-2AC0-11d6-A330-0002B3321334}, run the following command:

GeneratorApp.exe c:\reports\Security {475AD890-2AC0-11d6-A330-0002B3321334}

If the directory is empty (""), <Result directory>\<Report Name>\<Generation Date & Time> would be used as the directory. The default location is:

c:\Program Files\CheckPoint\SmartViewReporter\NG\Results

For a list of all Report IDs, see Appendix B, “Predefined Reports.”

Consolidation Policy Configuration

In This Section

Overview page 46

Customizing Predefined Consolidation Rules page 48

Setting the Log Consolidator Engine to Scan Specific Logs page 48

Committing Consolidated Logs to a Specific Database Table page 49

Configuring the Log Consolidator Engine’s DNS Settings page 49

Monitoring the Log Consolidator Engine and Database Statuses page 49

Overview

The out_of_the_box Consolidation Policy has been designed to address the most common Consolidation needs. However, in case you have specific Consolidation needs that are not covered by this Policy, the Consolidation Rules can be modified as needed.

To modify the Consolidation settings, proceed as follows:

1 Display the SmartDashboard’s Log Consolidator View, by selecting View > Products > Log Consolidator from the menu.

2 Modify the out_of_the_box Policy’s Consolidation Rules as needed.

3 Save the modified Policy under a different name (select File > Save As from the menu and specify the modified Policy’s name).

4 Install the modified Consolidation Policy and start the SmartDashboard Log Consolidator (by selecting Policy > Install and Start... from the menu), using the following default settings:

• Fetch logs from the Primary SmartCenter Server.

• Continue the Consolidation from its last run (which in this case is the beginning of the fw.log file).

• Save the consolidated records to the default table (CONNECTIONS).

Starting and Stopping the Log Consolidator Engine

Starting the Log Consolidation Engine

If the Log Consolidation Engine is not running, you can start the Engine according to the Consolidation Policy that was last installed.

To start the Log Consolidation Engine, choose Start from the Engine menu. The Log Consolidation Engine begins running according to the most recently installed Consolidation Policy.


Stopping the Log Consolidation Engine

To stop the Log Consolidation Engine, choose Stop from the Engine menu, or click

in the toolbar. The Stop Engine window is displayed.

Choose one of the following:

• Shutdown — This option stops the Log Consolidation Engine in an orderly way. All data that has been consolidated up to this point is stored in the Database. Shutdown may take several minutes to an hour.

• Terminate — This option stops the Log Consolidation Engine immediately. Data that has been consolidated but not yet stored in the Database is not saved.

Specifying the Consolidation Rule’s Store Options

To specify whether logs matching a Consolidation Rule should be skipped or copied to the SmartView Reporter Database, right-click the Rule’s Action column and choose Ignore or Store (respectively).

In general, it is recommended to place “Ignore” Rules at the beginning of the Rule Base, especially for services that are logged frequently but are not of interest for reports. “Ignore” Rules require no Consolidation processing: the Log Consolidator Engine does not have to consolidate and store an event that matches an “Ignore” Rule, so it can move quickly to the next entry in the Log file.

The Rule order is also based on how frequently services are used. Rules regarding the most common services are defined before those addressing less common services. In this way, the Log Consolidator Engine does not have to scan a lengthy Rule Base in order to process most of your log data.

If you choose to store the logs, double click the Action cell to specify their storage format in the Store Options window. Choose one of the following:

• As Is — all log fields will be stored in the SmartView Reporter Database and will be available for report generation. This is the default storage option.

• Consolidated — specify the following Consolidation parameters:

• The interval at which logs matching this Rule are consolidated (e.g. all logs generated within a 10 minute interval). Hourly intervals are measured.

• The log fields whose original values are retained (in addition to the Product, Origin, Date and Customer log fields, whose values are always saved). The other fields’ values are merged (consolidated) with the corresponding values of the logs included in this interval (see “Log Consolidation Process” on page 30).
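As an added illustration (not code from this manual or from Check Point), the following Python sketch models how an ordered Rule Base with Ignore, As Is and Consolidated actions processes logs: an Ignore match costs nothing, As Is keeps every field, and Consolidated merges logs that fall in the same interval and share the retained field values. The rule set, the constructed sample logs and the way merged fields are summarised (a connection count and a byte total) are assumptions made for this example.

```python
# Added example, not Check Point's code: a simplified model of how an ordered
# Consolidation Rule Base (Ignore, Store "As Is", Store "Consolidated") works
# through log records. How non-retained fields are merged is an assumption
# made here for illustration: a connection count plus summed bytes.
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# Fields the manual says are always saved for a consolidated record.
ALWAYS_KEPT = ("product", "origin", "date", "customer")
EPOCH = datetime(2003, 1, 1)  # reference point for interval boundaries

@dataclass
class Rule:
    name: str
    match: Dict[str, str]              # field -> required value; {} matches all
    action: str                        # "ignore", "as_is" or "consolidated"
    interval: Optional[timedelta] = None
    retain: Tuple[str, ...] = ()       # fields whose original values are kept

def first_matching_rule(rules: List[Rule], log: dict) -> Optional[Rule]:
    """Rules are evaluated top-down; the first match decides the action."""
    for rule in rules:
        if all(log.get(k) == v for k, v in rule.match.items()):
            return rule
    return None

def interval_start(ts: datetime, interval: timedelta) -> datetime:
    """Align a timestamp to the start of its consolidation interval."""
    return EPOCH + ((ts - EPOCH) // interval) * interval

def consolidate(rules: List[Rule], logs: List[dict]) -> Tuple[List[dict], int]:
    """Return the records that would be committed to the Database and the
    number of logs skipped because an Ignore rule (or no rule) matched."""
    stored: List[dict] = []
    buckets: Dict[tuple, dict] = {}
    ignored = 0
    for log in logs:
        rule = first_matching_rule(rules, log)
        if rule is None or rule.action == "ignore":
            ignored += 1               # no consolidation work; move to next log
            continue
        if rule.action == "as_is":
            stored.append(dict(log))   # every log field is kept
            continue
        # "Consolidated": logs in the same interval whose retained fields are
        # identical collapse into a single record.
        start = interval_start(log["date"], rule.interval)
        key = (rule.name, start) + tuple(log.get(f) for f in rule.retain)
        rec = buckets.get(key)
        if rec is None:
            rec = {f: log.get(f) for f in ALWAYS_KEPT + rule.retain}
            rec.update(date=start, connections=0, bytes=0)
            buckets[key] = rec
        rec["connections"] += 1
        rec["bytes"] += log.get("bytes", 0)
    return stored + list(buckets.values()), ignored

def example_rules() -> List[Rule]:
    """Ignore rules first, specific Store rules next, catch-all last."""
    retain = ("action", "service", "source", "destination")
    return [
        Rule("ignore_messages", {"type": "message"}, "ignore"),
        Rule("ignore_dns", {"service": "domain-udp"}, "ignore"),
        Rule("blocked", {"action": "drop"}, "as_is"),
        Rule("http", {"service": "http", "action": "accept"}, "consolidated",
             timedelta(minutes=10), retain),
        Rule("default", {}, "consolidated", timedelta(hours=1), retain),
    ]

def example_logs() -> List[dict]:
    """Constructed sample logs, not real Check Point log output."""
    def log(hh, mm, **fields):
        base = dict(product="VPN-1 & FireWall-1", origin="gw1", customer="cust",
                    type="log", action="accept", bytes=0,
                    date=datetime(2003, 10, 1, hh, mm))
        base.update(fields)
        return base
    web = dict(service="http", source="10.0.0.5", destination="192.0.2.10")
    mail = dict(service="smtp", source="10.0.0.5", destination="192.0.2.25")
    return [
        log(10, 1, bytes=100, **web),
        log(10, 4, bytes=200, **web),          # same 10-minute interval as above
        log(10, 12, bytes=50, **web),          # next interval: separate record
        log(10, 3, bytes=70, service="http", source="10.0.0.6",
            destination="192.0.2.10"),         # different retained value
        log(10, 5, service="domain-udp", source="10.0.0.5", destination="10.0.0.1"),
        log(10, 6, type="message"),
        log(10, 7, action="drop", service="smtp", source="10.0.0.9",
            destination="192.0.2.25"),         # stored as is
        log(10, 20, bytes=10, **mail),
        log(10, 50, bytes=20, **mail),         # same 1-hour interval as above
    ]

def run_example() -> Tuple[List[dict], int]:
    """Run the constructed rule base over the constructed logs."""
    return consolidate(example_rules(), example_logs())
```

Running run_example() yields five stored records (one As Is, four consolidated) and two ignored logs.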


If you wish to save all stored connections as is, you can disable the Consolidation settings of the entire Policy by selecting Policy > Global Properties... from the menu, displaying the Advanced settings tab of the Log Consolidator Policy Properties window and unchecking Consolidate log entries.

By default, the Log Consolidator Engine loads the consolidated records to the SmartView Reporter Database once an hour. To change this, display the Advanced Settings tab of the Log Consolidator Policy Properties window and choose a different value from the Stop consolidation and commit work to database every drop-down list.

Customizing Predefined Consolidation Rules

This section provides instructions on modifying specific out_of_the_box Rules to better address your specific consolidation requirements. For a detailed description of the out_of_the_box Rules, see Appendix A, “Out_of_the_box Consolidation Policy.”

If you wish to filter out all broadcast messages (both allowed and disallowed), proceed as follows:

1 In the Security Policy, define a group of objects with broadcast IP addresses.

2 In the out_of_the_box Consolidation Policy, activate the broadcast Rule and add the broadcast group to its Destination column.

If your network uses a mail server group, you can split the SMTP Rule into the following two Rules that collect data on how mail resources are used:

• A Rule consolidating connections from the mail server group.

Records consolidated by this Rule can be used for reports on how mail connections are balanced between the servers. This Rule’s Store Options retain the original values of the Authenticated User, Destination, and Service log fields.

• A Rule consolidating connections to the mail server group.

Records consolidated by this Rule can be used for reports on how local users access the mail servers. This Rule’s Store Options retain the original values for the Authenticated User, Source, and Service log fields.

Setting the Log Consolidator Engine to Scan Specific Logs

The Consolidation Policy is installed and started through the Install and Start window (FIGURE 1-7), accessed by selecting Policy > Install and Start...

To set the Log Consolidator Engine to scan specific logs, specify the following parameters:

1 Log Server — select the log server providing the logs for Consolidation from the drop-down list and click Fetch data from log server.


2 Log File — choose the log file to be scanned. If you have copied log files from other log servers to the SmartCenter Server, these external log files will be available.

3 Log Entry — the specific log entry within the selected log file, from which the Log Consolidator Engine starts running.

Committing Consolidated Logs to a Specific Database Table

In the above Install and Start window, select the SmartView Reporter Database table to which the consolidated logs are to be saved from the Target Table options.

Configuring the Log Consolidator Engine’s DNS Settings

Resolving the source and destination names slows down the Consolidation process. You can balance the need for name availability in your consolidated records with the need for a satisfactory performance level, by adapting the Log Consolidator Engine’s DNS setting to your specific needs: select Policy > Global Properties... from the menu and specify the appropriate settings in the DNS settings tab of the Log Consolidator SmartDashboard window. This setting will come into effect after a Log Consolidator policy is installed, or even if the Log Consolidator Engine is stopped and started.

Monitoring the Log Consolidator Engine and Database Statuses

The Log Consolidator Engine and SmartView Reporter Database statuses can be monitored through either one of the SmartView Reporter clients.

The SmartView Log Consolidator provides a detailed account of these statuses (as well as DNS statistics) through the Engine and Database status window, displayed by selecting Engine and Database status from the SmartView Log Consolidator’s Status menu. If this information cannot be obtained, the window specifies the reason for the problem (for example: the Log Consolidation Engine service is not started).

The SmartView Reporter Client offers more basic Consolidation information (such as the names of the log file scanned and the target SmartView Reporter Database table) through its Management view.

It is recommended to check these statuses before you begin generating reports, to verify that the Log Consolidator Engine is indeed processing logs and that it has already saved the consolidated records to the SmartView Reporter Database.

SmartView Reporter Database Management

All database management operations are performed through the SmartView Log Consolidator’s Database menu.


Tuning the SmartView Reporter Database

To improve performance, adjust the database cache size to match the computer’s available memory. Place the database data and log files on different hard drives (physical disks), if available.

Modifying SmartView Reporter Database Configuration

It is possible to change the SmartView Reporter Database settings by editing the solid.ini file, located in the CheckPoint\SmartViewReporter\NG_AI\Database directory. Note that before editing the solid.ini file, you must:

1 Stop all SmartView Reporter services (such as the Log Consolidator, Reporter Database and Reporter Server services) by running rmdstop.

2 Back up the solid.ini file before modifying it.

When editing a value in the solid.ini file, do not add any spaces or tabs before or after the '=' sign on each row.

After completing your editing, ensure that you restart SmartView Reporter services by running rmdstart.

Changing the SmartView Reporter Database Cache Size

To change the Database cache size, modify the CacheSize value in the solid.ini file. CacheSize represents the size of the memory cache in bytes, and is always a multiple of 1024. Ensure that you do not set the cache size so large that it does not fit into the computer’s available memory.

Increasing the SmartView Reporter Database Size

The default size of the database is 20 GB, allocated in 10 separate files of 2 GB each. You can increase the allocated size of the database by adding more files. To increase the Reporting Database size limit, proceed as follows:

Note - Although it is possible to give the file(s) any name, the naming convention cannot be changed. The file name must contain a *.db extension.

Warning - Make sure all the SmartView Reporter services are stopped before editing solid.ini.


1 In the IndexFile section of the solid.ini file, add lines with FileSpec_#.

Each of these lines enlarges the Database size limit by 2 GB, which is the maximum byte size per line.

For example, the following default configuration amounts to a 20 GB limit:

[IndexFile]
...
FileSpec_1=./Database/RT_Database.db 2147483647
FileSpec_2=./Database/RT_Database2.db 2147483647
FileSpec_3=./Database/RT_Database3.db 2147483647
...
FileSpec_10=./Database/RT_Database10.db 2147483647
CacheSize=33554432

Adding the following line will enlarge the database size limit to 22 GB:

FileSpec_11=./Database/RT_Database11.db 2147483647

Warning - Do not change the size of an existing database file in order to increase database space.

2 Restart the SmartView Reporter services.

Changing the SmartView Reporter Database Data and Log Files Location

Disk contention occurs when multiple processes try to access the same disk simultaneously. To avoid this, move files from heavily accessed disks to less active disks until they all have roughly the same amount of load. To improve performance, use a separate disk for Database Log files. To distribute the SmartView Reporter database files between different physical disks, proceed as follows:
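Added example, not part of the manual or of Check Point's tools, covering the solid.ini rules in this section together with the CacheSize and file-location settings described around it: it parses a constructed solid.ini, flags whitespace around '=', file names without a .db extension, FileSpec entries above 2147483647 bytes and a CacheSize that is not a multiple of 1024, totals the database size limit, and appends the next FileSpec_N line without altering existing lines. SAMPLE_SOLID_INI and the helper names are assumptions made for the example.

```python
# Added example, not Check Point's code: a checker for the solid.ini settings
# described in this section. It reads the [IndexFile] section, checks each
# FileSpec_N line against the rules given in the text (no spaces around '=',
# a .db file name, at most 2147483647 bytes per file), checks that CacheSize
# is a multiple of 1024, totals the database size limit and can append the
# next FileSpec_N line. SAMPLE_SOLID_INI is constructed for illustration.
import re

MAX_FILE_BYTES = 2147483647   # 2 GB, the maximum size per FileSpec line
# FileSpec_N=<path> <bytes>; paths containing spaces are not handled here
FILESPEC_RE = re.compile(r"^FileSpec_(\d+)=(\S+) (\d+)$")

SAMPLE_SOLID_INI = """[IndexFile]
FileSpec_1=./Database/RT_Database.db 2147483647
FileSpec_2=./Database/RT_Database2.db 2147483647
FileSpec_3=./Database/RT_Database3.db 2147483647
CacheSize=33554432

[Logging]
FileNameTemplate=./Log/sol#####.log

[Sorter]
TmpDir_1=./Sort
"""

def parse_sections(text):
    """Return {section: [raw lines]} keeping each line's spacing for checks."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(raw.rstrip())
    return sections

def check_index_file(text):
    """Validate [IndexFile]; return (problems, total size limit, CacheSize)."""
    problems, total, cache, numbers = [], 0, None, []
    for line in parse_sections(text).get("IndexFile", []):
        key, sep, value = line.partition("=")
        if not sep:
            problems.append(f"no '=' in line: {line!r}")
            continue
        if key.endswith((" ", "\t")) or value.startswith((" ", "\t")):
            problems.append(f"whitespace around '=': {line!r}")
            key, value = key.strip(), value.strip()
        if key == "CacheSize":
            cache = int(value) if value.isdigit() else None
            if cache is None or cache % 1024:
                problems.append(f"CacheSize must be a multiple of 1024: {value!r}")
        elif key.startswith("FileSpec_"):
            m = FILESPEC_RE.match(f"{key}={value}")
            if not m:
                problems.append(f"malformed FileSpec line: {line!r}")
                continue
            n, path, size = int(m.group(1)), m.group(2), int(m.group(3))
            numbers.append(n)
            if not path.lower().endswith(".db"):
                problems.append(f"FileSpec_{n}: file name must end in .db: {path}")
            if size > MAX_FILE_BYTES:
                problems.append(f"FileSpec_{n}: {size} exceeds {MAX_FILE_BYTES}")
            total += size
    if numbers != list(range(1, len(numbers) + 1)):
        problems.append(f"FileSpec numbers are not consecutive from 1: {numbers}")
    return problems, total, cache

def add_database_file(text, path):
    """Return text with FileSpec_{N+1}=<path> 2147483647 inserted after the last
    FileSpec line of [IndexFile]. Existing lines are never resized or renamed."""
    if not path.lower().endswith(".db"):
        raise ValueError("database file name must have a .db extension")
    lines = text.splitlines()
    section, last_idx, highest = None, None, 0
    for i, line in enumerate(lines):
        s = line.strip()
        if s.startswith("[") and s.endswith("]"):
            section = s[1:-1]
            continue
        m = FILESPEC_RE.match(s)
        if section == "IndexFile" and m:
            last_idx, highest = i, max(highest, int(m.group(1)))
    if last_idx is None:
        raise ValueError("no FileSpec lines found in [IndexFile]")
    lines.insert(last_idx + 1, f"FileSpec_{highest + 1}={path} {MAX_FILE_BYTES}")
    return "\n".join(lines) + "\n"
```

Run check_index_file on the real file after every edit and before running rmdstart, since a stray space around '=' is exactly the kind of error the Database service will not tolerate.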


1 Use a separate disk for Database Log files:

Under the [Logging] section in the solid.ini file, specify the new location of the log files by modifying the line:

FileNameTemplate=./Log/sol#####.log

For example:

FileNameTemplate=F:/ReporterLogs/sol#####.log

Do not change the original log file name, and ensure that the specified folder (e.g. W:/ReporterLogs) exists.

2 Divide Database files between several disks:

Under the [IndexFile] section, specify a new location for Database files by modifying the relevant Database file line (e.g. FileSpec_1, FileSpec_2 etc.).

For example:

FileSpec_1=E:/RT_Database.db 2147483647

You must then physically move these files to their new locations.

3 Use a separate disk for the Sort folder:

Under the [Sorter] section, specify the new location of the Sort folder by modifying the line:

TmpDir_1=./Sort

For example:

TmpDir_1=D:/Sort

Make sure the specified location (e.g. D:/Sort) exists.

Backing Up the SmartView Reporter Database

The SmartView Reporter Database system consists of a set of files that can be copied, compressed or backed up like any other file. Backup files require the same disk space as the original files. It is highly recommended to save backup copies of the SmartView Reporter Database files, which can later be used to recover from an unexpected database corruption. Proceed as follows:

1 Stop the SmartView Reporter services:

• Windows — in the Services window (accessed from the Start menu, by selecting Settings > Control Panel > Services), select the Check Point Reporting Database Server service and click Stop.

This automatically stops the Check Point SmartView Log Consolidator and the Check Point Reporting Database Server services as well.

• Solaris — use rmdstop.


2 From the SmartView Reporter Database directories, copy RT_Database.db through RT_Database10.db to the backup location (you may compress them to save disk space).

3 Restart the SmartView Reporter services, starting with the Check Point Reporting Database Server service.


CHAPTER 3

How To

SmartView Reporter Instructions

This chapter provides information on advanced or specific configuration scenarios.

For standard configuration instructions, see “SmartView Reporter Configuration” on page 38.

For Express Report configuration, see “Express Reports Configuration” on page 40.

In This Chapter

• How to re-consolidate logs according to a different Consolidation Policy page 55

• How to generate reports based on data unavailable in the Database page 56

• How to include URL information in web activity reports page 56

• How to retain log fields not listed in the Store Properties window page 57

• How to adapt reports to your specific needs page 57

• How to schedule generations of the same report using different settings (a different output or style) page 58

• How to recover the SmartView Reporter Database page 58

• How to interpret report results whose direction is “other” page 58

• How to view report results without the SmartView Reporter Client page 58

• How to upload reports to an FTP server page 60

• How to improve performance page 61

How to re-consolidate logs according to a different Consolidation Policy


To re-scan and re-consolidate the same log files the Log Consolidator Engine has already processed according to a different Consolidation Policy, you must undo (“Roll Back”) the installation of the current Consolidation Policy. In addition to removing the current Consolidation Policy, the Log Consolidator Engine deletes all consolidated records loaded to the SmartView Reporter Database since the last time this Policy was installed. The records that are deleted from the Database cannot be retrieved and are no longer available for report generation.

To undo the installation of the current Policy, choose Roll Back Installation from the Database menu. The process begins immediately and you can follow its progress by selecting Roll Back Installation Status from the Status menu.

If you wish to rescan logs without deleting their current consolidated records, install and start the Consolidation Policy using the Install and Start window’s Manual option, select the relevant logs and save the consolidated records to a special target table. For more information on scanning specific logs, see “Setting the Log Consolidator Engine to Scan Specific Logs” on page 48.

How to generate reports based on data unavailable in the Database

To generate a report based on information that is not currently available in the SmartView Reporter Database, you must consolidate the relevant logs and save them to the Database. To consolidate a log file, make sure it is saved to the Management Server (if it is on a different log server, copy it to the Check Point Management Server) and proceed as follows:

1 Reinstall and start the Consolidation Policy. The Install and Start window is displayed.

2 Select the machine providing the logs for consolidation from the drop-down list and click Fetch data from log server to start retrieving the logs.

The Start section’s options become available.

3 Choose Manual.

You can now select the log file to be scanned (and later specify the log entry from which the Engine will start running).

4 The Log file drop-down list includes specific file names of any log files copied from other log servers to the management server. Choose the log file you wish to consolidate and click OK.

How to include URL information in web activity reports


To view URL data in your reports, you must set your Security Policy to log this information. URL information is logged using URI or FTP resources, which are defined through the URI Resource Properties and FTP Resource Properties windows (respectively). Because processing the detailed URL information inside the logs consumes a lot of resources, this processing is disabled by default. Note that you must also change the default settings if you want to use extended URLs and file extensions, as they are not available by default.

To enable URL processing, run the following commands on your SmartView Reporter Server computer:

1 cpstop

2 log_consolidator -K true

3 cpstart

The next step is to open the SmartView Reporter Client Reports Selection Bar, Standard Reports view, select the FTP and Web Activity report sections, and ensure that the following sections are checked (selected):

• Top Pages

• Top Pages and their top sources

• Top Files

• Top file types.

To disable detailed URL processing, run:

1 cpstop

2 log_consolidator -K false

3 cpstart

How to retain log fields not listed in the Store Properties window

The Store Properties window has been designed to facilitate specifying the Consolidation settings, by narrowing down the log fields list to the fields most commonly required for reports. If this list does not include a specific field you are interested in, you can still retain its original values by choosing the As Is Store Option.

How to adapt reports to your specific needs


The predefined reports have been specifically designed to cover the most common reporting needs. In addition, they can be easily customized to further address your specific query. If you cannot find a report that matches your exact query, choose the one that is closest to your needs, customize it (change its date range, filters etc.) and save it under a different name.

Filtering is a powerful tool for extracting new meanings out of existing reports. For example, if you filter the List of All Connections report by specifying your gateway as the destination, this Network Activity report becomes a Security report.

How to schedule generations of the same report using different settings (a different output or style)

To schedule generations of the same report using different settings, modify the original report, save it under a different name (e.g. Network_Activity_NYC, Network_Activity_Paris etc.) and specify the appropriate schedule for each modified report.

How to recover the SmartView Reporter Database

To recover the SmartView Reporter Database, proceed as follows:

1 Stop the SmartView Reporter Database service:

• Windows — go to the Services window, choose the Check Point SmartView Reporter Database service and select Stop.

• Solaris — run the command rmdstop.

2 Replace the original SmartView Reporter Database files with your backed up SmartView Reporter Database files in <SmartView Reporter directory>/NG_AI/database.

3 Delete the contents of the <SmartView Reporter directory>/NG_AI/database/Log directory.

4 Start the SmartView Reporter Database service normally.

How to interpret report results whose direction is “other”

To interpret direction data, the network’s topology must be defined accurately. If this is the case, connections whose direction is “Other” should be interpreted as attempts to connect to the FireWall itself.

How to view report results without the SmartView Reporter Client


You can make the report results available through an internet browser, by checking FTP Upload or Web Upload in the Output tab of the Report Properties.

How to upload reports to a web server

In order to enable report uploads to a web server you must configure the Report's output properties, and configure the web server to allow uploads.

Configuring the Report Output tab

1 Check the Web Upload checkbox

2 Fill in the server properties in the fields to the right of the checkbox list: the web server’s name or IP, the User Name and Password that SmartView Reporter uses to connect to the web server, and the Path of the directory in which the report results are saved.

3 Select how the new uploaded report is saved, whether in a new directory or overriding the previous report.

Configuring the web server

Define the Report’s virtual directory

1 You must define a virtual directory named reports, in the web server’s root directory. All the Report files that are uploaded to the web server will be placed in this directory.

2 Grant this directory PUT command permission (also known as Write permission). It is not recommended that permission for anonymous http login be granted.

Create a directory for each Report

For the Web upload, SmartView Reporter uploads Report result files to the target directory. A target directory must exist at the time of the upload. The upload uses the HTTP PUT operation, and on most web servers permission for this operation needs to be explicitly granted for the target directory.

There are two ways to ensure that target directories exist:


1 Manual directory creation:

On the web server, create a directory with the path <report's directory root>/<optional path field>/<ReportName> before generating the report. This operation needs to be done only once.

If you would rather not install and configure scripts, create the directory manually. If you use this option, you must ensure that you select Override Previous Report in the Report's Output tab.

If you leave the Path field empty in the Report's output tab, then you need to create the folder <report's directory root>/<ReportName> on the web server.

2 Automatic directory creation:

A Configure the svr_webupload.pl by running the svr_webupload_config utility:

i On the SmartView Reporter server, in the RTDIR/bin directory, run the utility svr_webupload_config using the following command structure:

svr_webupload_config [-i perl_int_loc] [-p rep_dir_root]

where -i specifies the Perl interpreter location and -p specifies the path for the reports virtual directory which you previously configured. An example of the command is:

svr_webupload_config -i c:\perl\bin\perl.exe -p c:\Inetpub\wwwroot\reports

ii Copy the svr_webupload.pl file from the RTDIR/bin directory from the SmartView Reporter computer to the cgi-bin directory on the web server.

Note that both the cgi-bin directory and the script name can be changed in the SmartView Reporter Client via Tools > Options > Web Information > CGI Script Location field.

B Grant the svr_webupload.pl script (on the web server only) execution permission. It is not recommended that permission be granted for anonymous http login.

How to upload reports to an FTP server

In order to enable report uploads to an FTP server you must configure the Report's output properties.


Configuring the FTP upload

1 Check the FTP Upload checkbox

2 Fill in the server properties in the fields to the right of the checkbox list: the FTP server’s name or IP, the User Name and Password that SmartView Reporter uses to connect to the FTP server, and the Path of the directory in which the report results are saved.

3 Select how the new uploaded report is saved, whether in a new directory or overriding the previous report.

4 The FTP upload does not require any configuration on the FTP server. The root directory for all report uploads is the FTP root directory of the user specified in User Name field.

How to improve performance

For the most updated performance tuning information, see Release Notes for the SmartView Reporter at:

http://www.checkpoint.com/techsupport/installation/ng/release_notes.html

Performance Tips

To maximize the performance of your SmartView Reporter Server, follow these guidelines:

Hardware Recommendations

• Use a computer that matches the minimum hardware requirements, as specified in the Release Notes.

• Configure the network connection between the SmartView Reporter Server machine and the SmartCenter, or the Log server, to the optimal speed.

• Use the fastest disk available with the highest RPM (Revolutions per Minute).

• Increase computer memory. It significantly improves performance.

• Increase the database and log disk size (for example, several gigabytes) to enable the SmartView Reporter to cache information for better report generation performance. Allocating database and log disk size so that it is twice the space that the database currently occupies will improve report generation performance even more. If a report requires additional space for caching, it will be noted in the report’s Generation Information section. The Generation Information section can be found in Appendix A > View generation information of the report result.


Installation

Choose a distributed configuration, dedicating a computer to Consolidation and Report generation operations only.

Windows and Solaris platforms support both standalone and distributed installations. Linux and Nokia platforms support only distributed installations.

Log Consolidator

Improve the Log Consolidator Engine's performance by configuring the following settings:

1 Set the Consolidation Rules to ignore immaterial logs.

2 Change the DNS resolution settings:

Open the Policy menu in SmartDashboard, select Global properties and change the settings in the DNS settings tab:

A To improve DNS resolution performance, modify the following:

• Maximum requests handled concurrently - Set to 50. This value controls the number of threads handling DNS requests.

• Maximum cache items - Set to 65536. This value defines the maximum number of resolved IP addresses in the cache.

• Refresh cached items every - Set to 24 hours. This value determines how long it takes for a resolved IP address to expire and be removed from the cache. If set too high, it may result in wrong data because DHCP may change the addresses.

B To turn off reverse DNS resolution, uncheck the resolve source and destination names checkbox.

3 Increase the Log Consolidator memory pool. To do this:

Open the Policy menu in SmartDashboard, select Global properties, then select the Advanced settings tab. Modify the maximum consolidation memory pool to 256 MB or 1 GB according to the memory available on the Log Consolidator computer.

Report Units Generated

• Do not choose unnecessary reporting elements. Uncheck units and sections that are not relevant to your report. The Report Generator uses an internal cache for SQL query results, so not every unit you uncheck speeds up the report generation, but in general this results in a smaller report and reduces generation time.

• Table and Graph units that belong to the same section often use the same SQL, so unchecking only one of them may not decrease the generation time. It is recommended that you deselect (uncheck) an entire section.


• If you uncheck report units, you should also uncheck the matching category in the Summary unit, since it usually uses the same SQL query. Every report contains a link to a file with the details of the SQL queries that the Report Generator runs, how many queries are cached and how long each query takes. To view this, scroll to Appendix A in the report result, and click View generation information at the bottom of Appendix A.

Report Filters

If you define different filters for different reporting units that share the same cached SQL, the SQL caching will no longer be viable and the report generation time will significantly increase. It is recommended that you define filters at the report level only.

Report Time Frame

When setting a user-defined time frame for the report, specify a time frame in whole days. When setting a report period, note that the following settings will slow down the report generation speed:

• Relative Time Frame: Today, Yesterday, Last X hours, This week.

• Specific dates: Limit by hour checkbox.

• Reports for short time periods are generated faster than reports for long time periods. A weekly report will be generated much faster than a monthly report.

Report Generation Scheduling

Schedule report generation when there is less traffic and fewer logs are being generated, so the Log Consolidator is consuming fewer resources. Schedule reports for nights and weekends.

Tuning SmartView Reporter Database

Adjust the database cache size to match your Server’s available memory. Place the database data and log files on different hard drives (physical disks), if available.


Appendix A

Out_of_the_box Consolidation Policy

In This Appendix

• Overview page 65

• Out_of_the_box Consolidation Rules page 66

Overview

The predefined, out_of_the_box Consolidation Policy consists of fifteen Consolidation Rules. Each Rule addresses a certain type of log (e.g. alerts, blocked or broadcast logs) and specifies whether to ignore it or store it.

If a log is to be stored, the Rule specifies its Store Properties:

• As Is — all log fields are stored in the SmartView Reporter Database and will be available for report generation. This is the default storage option.

• Consolidated — specify the following Consolidation parameters:

• Consolidation Interval — the interval at which logs matching this Rule are consolidated (e.g. all logs generated within a 10 minute interval). Hourly intervals are measured.

• Original Values Retained — the log fields whose original values are retained (in addition to the Product, Origin, Date and Customer log fields, whose values are always saved). The other fields’ values are merged (consolidated) with the corresponding values of the logs included in this interval.


Out_of_the_box Consolidation Rules

TABLE A-1 describes the function of each Rule and specifies its Store Properties.

TABLE A-1 Out_of_the_box Consolidation RulesRule No.

Description Cons. Interval

Original Values Retained

1 Consolidate and store alert logs. 10 minutes URL (full path), Action, Service, Source, Destination, User, Interface and Rule Number.

2 Consolidate and store blocked (rejected or dropped) connection logs

none All (store as is).

3 Consolidate and store approved HTTP connections logs

10 minutes URL (full path), Action, Service, Source, Destination, User, Interface and Rule Number.

4 Consolidate all SMTP logs. 1 hour Action, Service, Source, Destination, User, Interface and Rule Number.

5 Consolidate and store approved FTP logs

10 minutes URL (full path), Action, Service, Source, Destination, User, Interface and Rule Number.

6 Ignore all message logs.Placing this Rule first enables the Engine to scan the logs quickly and efficiently.

none All (store as is).

7 By default, this Rule is inactive. If activated, it filters out all broadcast message logs.

none None (ignored).

8 Ignore both approved and blocked bootp (Bootstrap Protocol, used to boot diskless systems) packet logs.

none None (ignored).

9 Ignore both approved and blocked nbdatagram logs.

none All (store as is).

10 Ignore all NBT logs. NBT are NetBios services.

none None (ignored).

66

Page 67: Smart viewreporter

11 Ignore both approved and blocked nbsession logs.

none None (ignored).

12 Ignore both approved and blocked DNS logs

none None.

13 Consolidate and store approved POP-3 logs

1 hour Action, Service, Source, Destination, User, Interface and Rule Number.

14 Consolidate and store NTP logs. NTP is a time protocol that provides access over the Internet to systems with precise clocks.

1 hour Action, Service, Source, Destination, User, Interface and Rule Number.

15 Consolidate and store connections that do not match any of the previous Rules

1 hour URL (full path), Action, Service, Source, Destination, User, Interface and Rule Number.

TABLE A-1 Out_of_the_box Consolidation RulesRule No.

Description Cons. Interval

Original Values Retained
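The Rule semantics above (first matching Rule decides; a log is ignored, stored as is, or consolidated over an interval keeping only the retained fields plus the always-saved Product, Origin, Date and Customer) can be exercised with the following Python sketch. This is an added example written for this page, not Check Point code and not the Log Consolidator Engine's actual algorithm; the field names, the reading of "merged" as a record count plus summed bytes, the alignment of intervals to clock boundaries, and the sample log records are all assumptions made for the example.

```python
from datetime import datetime

# Fields the manual says are always stored (Date is represented here by the interval start).
ALWAYS_RETAINED = ("product", "origin", "customer")

# Fields retained by most out-of-the-box Rules (TABLE A-1); names are assumed.
COMMON = ("action", "service", "source", "destination", "user", "interface", "rule_number")


def rule(name, match, action, interval=None, retained=()):
    """One Consolidation Rule. action is 'ignore', 'as_is' or 'consolidate';
    interval is in minutes; retained lists the fields whose original values survive."""
    return {"name": name, "match": match, "action": action,
            "interval": interval, "retained": tuple(retained)}


# Cut-down version of the out-of-the-box policy (Rules 6, 2, 3, 4, 12 and 15 of TABLE A-1).
# Rules are evaluated top down and the first match decides, as Rule 15's
# "do not match any of the previous Rules" implies.
POLICY = [
    rule("ignore message logs", lambda l: l["type"] == "message", "ignore"),
    rule("store blocked as is", lambda l: l["action"] in ("drop", "reject"), "as_is"),
    rule("consolidate approved HTTP",
         lambda l: l["service"] == "http" and l["action"] == "accept",
         "consolidate", 10, ("url",) + COMMON),
    rule("consolidate SMTP", lambda l: l["service"] == "smtp", "consolidate", 60, COMMON),
    rule("ignore DNS", lambda l: l["service"] == "dns", "ignore"),
    rule("catch-all", lambda l: True, "consolidate", 60, ("url",) + COMMON),
]


def interval_start(ts, minutes):
    """Align a timestamp to the start of its consolidation interval (assumed clock-aligned)."""
    total = (ts.hour * 60 + ts.minute) // minutes * minutes
    return ts.replace(hour=total // 60, minute=total % 60, second=0, microsecond=0)


def consolidate(logs, policy=POLICY):
    """Apply the policy to log dicts. Returns (stored_records, ignored_count).
    A consolidated record keeps only ALWAYS_RETAINED plus the Rule's retained fields and
    carries a record count and summed bytes; that is this example's reading of 'merged'."""
    as_is, merged, ignored = [], {}, 0
    for log in logs:
        r = next(r for r in policy if r["match"](log))  # first match wins
        if r["action"] == "ignore":
            ignored += 1
        elif r["action"] == "as_is":
            as_is.append(dict(log, count=1, matched_rule=r["name"]))
        else:
            start = interval_start(log["time"], r["interval"])
            fields = ALWAYS_RETAINED + r["retained"]
            key = (r["name"], start) + tuple(log.get(f) for f in fields)
            rec = merged.get(key)
            if rec is None:
                rec = {f: log.get(f) for f in fields}
                rec.update(interval_start=start, matched_rule=r["name"], count=0, bytes=0)
                merged[key] = rec
            rec["count"] += 1
            rec["bytes"] += log.get("bytes", 0)
    return as_is + list(merged.values()), ignored


def sample_logs():
    """Constructed sample records for the example; not real FireWall-1 log output."""
    base = dict(product="VPN-1 & FireWall-1", origin="fw-gw1", customer="", type="log",
                user="", interface="eth0", url=None)

    def log(hhmm, **kw):
        h, m = map(int, hhmm.split(":"))
        return dict(base, time=datetime(2003, 10, 1, h, m), **kw)

    web = dict(service="http", action="accept", source="10.0.0.5", destination="198.51.100.10",
               url="http://www.example.com/index.html", rule_number=7)
    mail = dict(service="smtp", action="accept", source="10.0.0.7", destination="192.0.2.25",
                rule_number=9)
    return [
        log("10:01", bytes=500, **web),
        log("10:04", bytes=700, **web),   # same 10 minute interval as 10:01, merged
        log("10:12", bytes=300, **web),   # next interval, separate record
        log("10:05", service="telnet", action="drop", source="203.0.113.9",
            destination="10.0.0.5", rule_number=20, bytes=0),
        log("10:06", type="message", service="", action="", source="", destination="",
            rule_number=0),
        log("10:07", service="dns", action="accept", source="10.0.0.5",
            destination="10.0.0.2", rule_number=3, bytes=80),
        log("10:30", bytes=2000, **mail),
        log("10:50", bytes=3000, **mail),  # same hour as 10:30, merged
        log("10:20", service="ssh", action="accept", source="10.0.0.5",
            destination="10.0.0.9", rule_number=11, bytes=900),
    ]


if __name__ == "__main__":
    records, ignored = consolidate(sample_logs())
    print(f"stored {len(records)} records, ignored {ignored} logs")
    for rec in records:
        print(rec["matched_rule"], rec.get("interval_start"), rec.get("service"),
              "count", rec["count"], "bytes", rec.get("bytes"))
```

Run on the sample, the nine logs become five stored records: the two HTTP logs at 10:01 and 10:04 collapse into one 10:00 record with count 2 and 1200 bytes, the 10:12 log starts a new interval, the two SMTP logs merge into a single hourly record without a URL field (Rule 4 does not retain it), the dropped telnet connection is stored as is, and the message and DNS logs are ignored and never reach the database.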


Appendix B

Predefined Reports

In This Appendix

Executive Reports page 69
Network Activity Reports page 71
Security Reports page 74
VPN-1 Reports page 74
User Activity Reports page 75
System Information Reports page 76
My Reports page 76

This appendix describes the predefined reports available under each subject and specifies the report ID required to generate the report from the command line.

Executive Reports

This subject includes a collection of reports from other subjects that are of special interest to executives.

Standard Reports

• Most Interesting — presents an overview of network activity handled through FireWall-1 according to the sources selected as being of greatest interest for tracking purposes. Report ID: 3C522E32-843E-43D4-8CB7-9436632CC85D

• Network Activity — presents the network traffic that FireWall-1 accepted. It includes data on the total traffic load, specific services load, and traffic source, destination and direction. The report presents data for all connections that were accepted, encrypted and decrypted by FireWall-1. Report ID: F9D9020E-95E0-4104-A1F4-9E1B1B0DA00D


• Web Activity — presents data on the web traffic through FireWall-1. It includes data on the total web traffic load and the distribution of web traffic by time period and direction. Report ID: 696B6E03-DE24-4BBC-A098-B4BF390BB5C5

• Incoming Network Activity — provides an overview of the incoming network activity handled by FireWall-1. It includes data on the incoming traffic load, specific services load, and distribution by source and destination. Report ID: F0732D17-8C89-4603-8A74-2AEAE917A2A1

• Outgoing Network Activity — provides an overview of the outgoing network activity handled by FireWall-1. It includes data on the outgoing traffic load, specific services load, and distribution by source and destination. Report ID: 4D73AE89-D5BA-47C5-A9F9-0CA3DF6E0178

• Internal Network Activity — provides an overview of the internal network activity handled by FireWall-1. It includes data on the internal traffic load, specific services load, and distribution by source and destination. Report ID: F53C3DF6-FEB5-4576-8A92-C3231F920C54

• SmartDefense Attacks — presents the security attacks detected by SmartDefense. It includes the distribution of alerts by source, destination, service, date and time. Report ID: B389979B-016E-4B22-BA70-3345FCF270EF

• User Activity — presents the network traffic produced by authenticated users. It includes data on the authenticated users producing both the total and the service-specific traffic load. Report ID: AAEC6832-BEAD-4A78-BA2D-00C909D67199

• Encrypted Network Activity — presents the network traffic that FireWall-1 encrypted. It includes data on the total encrypted traffic load, as well as the distribution of encrypted traffic by service and by traffic direction. Report ID: D530FB3F-DB49-4EB7-8AF2-299F7079082E

• Rule Based Activity for a Specific Gateway — presents an analysis of the FireWall-1 Rule Base for a specific gateway. It includes data on the most and least matched rules, as well as the distribution of matched rules by services, sources and destinations. The report is designed for analysis of a single gateway; using it to study multiple gateways may produce misleading results. Report ID: 436681BE-176E-4F8E-B503-7C4566E4EE4F

Express Reports

• Network Activity — presents the network traffic that FireWall-1 accepted. It includes data on the total traffic load, specific services load, and traffic source, destination and direction. The report presents data for all connections that were accepted, encrypted and decrypted by FireWall-1. Report ID: B483F96A-E911-4F45-940C-A3F5E0AAD2FA


• SmartDefense Attacks — presents the security attacks detected by SmartDefense. It includes the distribution of alerts by source, destination, service, date and time. Report ID: 6E21A9BC-AA05-457F-A0C4-9CBD153F6370

• VPN-1 Activity — presents an overview of the traffic handled by VPN-1 modules. It includes data on the traffic encrypted and decrypted by VPN-1 modules. Report ID: 03906744-8656-4B44-BE05-E2D58BA8D80C

• VPN-1 Tunnels — presents data on the processes involved in tunnel creation by VPN-1 modules. It includes data on VPN-1 and remote access tunnels, as well as on IKE negotiations. Report ID: 96B5F28C-3AAE-4C4D-BDF6-6998C3241E20

• System Information — provides data on system status, including CPU, memory and disk space usage. Report ID: 51A6F08C-FC0E-48B8-9057-007C26C980D2

Network Activity Reports

Standard Reports

• Network Activity — presents the network traffic that FireWall-1 accepted, encrypted and decrypted. It includes data on the total traffic load, specific services load, and traffic source, destination and direction. Report ID: 0A4E3BB9-55C0-11d6-A342-0002B3321334

• Web Activity — presents the web traffic handled by FireWall-1. It includes data on the total web traffic load and on its distribution by direction. Report ID: 7B12F481-5DF0-11d6-A343-0002B3321334

• FTP Activity — presents the FTP traffic handled by FireWall-1. It includes data on the total FTP traffic load and on its distribution by direction. Report ID: 7B12F482-5DF0-11d6-A343-0002B3321334

• SMTP Activity — presents the SMTP traffic handled by FireWall-1. It includes the SMTP traffic load and its distribution by top sources, by date, day of the week and hour of the day, and by sources, servers and direction. Report ID: 7B12F483-5DF0-11D6-A343-0002B3321334

• POP3 Activity — presents the POP3 activity handled by FireWall-1. It includes the POP3 activity and its distribution by top sources, by date, day of the week and hour of the day, and by sources, servers and direction. Report ID: 70D7A36F-B3E1-45B7-BDC9-165E35653538

• Incoming Network Activity — provides an overview of the incoming network activity handled by FireWall-1. It includes data on the incoming traffic load, specific services load, and distribution by source and destination. Report ID: 7C607EC1-3A78-11d6-A33C-0002B3321334


• Incoming Web Activity — presents the incoming web traffic. It includes data on the most visited sites, pages and files, as well as the sources outside the organization exploring your web site. Report ID: 7C607EC2-3A78-11d6-A33C-0002B3321334

• Incoming FTP Activity — presents the incoming FTP traffic. It includes data on the most visited FTP servers, the most downloaded files and the sources outside the organization downloading these files. Report ID: 7C607EC3-3A78-11d6-A33C-0002B3321334

• Incoming SMTP Activity — presents the incoming e-mail traffic. It includes activity and distribution by top senders, top recipients, top sources, and by date, day of the week and hour of the day. Report ID: 7C607EC4-3A78-11d6-A33C-0002B3321334

• Outgoing Network Activity — provides an overview of the outgoing network activity handled by FireWall-1. It includes data on the outgoing traffic load, specific services load, and distribution by source and destination. Report ID: 1375AD84-49F1-11d6-A340-0002B3321334

• Outgoing Web Activity — presents the outgoing web traffic. It includes data on the most visited sites, pages and files, as well as on the sources inside the organization exploring the Internet. Report ID: 1375AD85-49F1-11d6-A340-0002B3321334

• Outgoing FTP Activity — presents the outgoing FTP traffic. It includes data on the most visited FTP servers, the most downloaded files and the sources inside the organization downloading these files. Report ID: 1375AD86-49F1-11d6-A340-0002B3321334

• Outgoing SMTP Activity — presents the outgoing SMTP traffic. It includes data on senders inside the organization and on the top destinations. Report ID: 1375AD87-49F1-11d6-A340-0002B3321334

• Internal Network Activity — provides an overview of the internal network activity handled by FireWall-1. It includes data on the internal traffic load, specific services load, and distribution by source and destination. Report ID: B724EABC-581D-11d6-A342-0002B3321334

• Internal Web Activity — presents the internal web traffic. It includes data on the most visited sites, pages and files, as well as the sources inside the organization exploring your intranet. Report ID: B724EABD-581D-11d6-A342-0002B3321334

• Internal FTP Activity — presents the internal FTP traffic. It includes data on the most visited FTP servers and most downloaded files, as well as the sources inside the organization downloading these files. Report ID: B724EABE-581D-11d6-A342-0002B3321334


• FireWall-1 Activity — presents the network activity handled by FireWall-1. It includes data on the traffic load, specific services load and distribution of traffic by direction, source and destination. The report shows data for all connections handled by FireWall-1, as well as the actions it took (accept, reject, encrypt, etc.). Report ID: 0A4E3BC7-55C0-11d6-A342-0002B3321334

• List of All Connections — presents the details of all connections. It can be used for specific security or network behavior inspection. Use this report to collect specific data by filtering only the data you wish to view. Report ID: 9CBEE3F3-DA22-46a8-B13B-3BF4D5E1D2EA

Express Reports

• Network Activity — presents the network traffic for the top modules over time, per specific connections, services, sources, destinations and per rule. Report ID: DB3CBF73-DC1C-4E0C-8D04-8000EA64FF5F

• Selected Services — presents an overview of selected services: FTP, HTTP, HTTPS, SMTP, TELNET and POP3. It includes data on the traffic byte load, byte rate and number of concurrent connections for these services. Report ID: 3D7854AB-6118-437F-87A3-71BD392E7DF3

• FireWall-1 Activity — presents the network activity handled by FireWall-1. It includes data on the top modules' packet load and accept/reject/drop behavior, as well as load behavior by hour and by day. Report ID: F9504B51-4E93-484E-BA9B-747632278B65

• FireWall-1 Memory — presents the network activity handled by FireWall-1. It includes data on the traffic load, specific services load and distribution of traffic by direction, source and destination. The report shows data for all connections handled by FireWall-1, as well as the actions it took (accept, reject, encrypt, etc.). Report ID: F896C74F-72F0-47A8-A54D-0974B518E9CD

• FTP Activity — presents the FTP activity per module. It includes data on the top modules' FTP action successes and failures, the most visited FTP servers and most downloaded files, as well as the sources inside the organization downloading these files. Report ID: C0D0C34B-F35D-4482-9CF8-631B7ACEEE57

• SMTP Activity — presents the SMTP traffic. It includes data on the top modules' SMTP e-mails, connections, concurrent connections and activity load. Report ID: 9BE87F3D-AADC-425D-B59E-E4B221564FAD


Security Reports

Standard Reports

• Security — presents the security aspects handled by FireWall-1. It includes the distribution of traffic by the FireWall-1 action taken, and data on the traffic originating from or addressed to FireWall-1 itself. Report ID: 475AD890-2AC0-11d6-A330-0002B3321334

• SmartDefense Attacks — presents the security attacks detected by SmartDefense. It includes the distribution of alerts by source, destination, service, date and time. Report ID: F76CEB9F-6718-4875-8273-54A0F420BC13

• Blocked Connections — presents the connections blocked by FireWall-1. It includes data on blocked connections in the various traffic directions and on the distribution of blocked connections by sources, destinations and services. Report ID: 475AD891-2AC0-11d6-A330-0002B3321334

• Alerts — presents the alerts issued by FireWall-1. It includes the entire list of alerts issued, as well as the distribution of alerts by source, destination and service. Report ID: 475AD894-2AC0-11d6-A330-0002B3321334

• Rule Base Analysis for Specific Gateway — presents an analysis of the FireWall-1 Security Rule Base. It includes data on the most and least matched Rules, and the distribution of matched Rules by services, sources and destinations. Report ID: 475AD88E-2AC0-11d6-A330-0002B3321334

• Policy Installations Analysis for Specific Gateway — presents Policy installations. It includes data on the number of Policy installations. Report ID: 475AD88F-2AC0-11d6-A330-0002B3321334

Express Reports

• SmartDefense Attacks — presents the security attacks detected by SmartDefense, by module. It includes the distribution of alerts by source, destination, service, date and time. Report ID: 9947930D-8C99-4680-A1DE-F5CF8732E87B

VPN-1 Reports

Standard Reports

• Encrypted Network Activity — presents the network traffic encrypted by FireWall-1. It includes data on the total encrypted traffic load and the distribution of encrypted traffic by service and by traffic direction. Report ID: 0A4E3BC6-55C0-11d6-A342-0002B3321334

• VPN Tunnel for Specific Gateway — provides data on VPN connections. It presents the peer gateway's activity, VPN tunnel creation and VPN traffic distribution. The report is designed to produce results for a single VPN-1 gateway; using it for multiple VPN-1 gateways may produce misleading results. To obtain data on multiple VPN-1 gateways, use the VPN Community report. Report ID: E74B0FA9-7617-11d6-A351-0002B3321334

• VPN Community — provides data on the VPN community's activity. The report can also be used for any set of multiple VPN gateways. It provides data on VPN encrypted traffic activity, VPN tunnel creation activity and its distribution throughout the day. Report ID: BD534B0B-C4CA-41c4-A996-76D3317FF2D2

Express Reports

• VPN-1 Activity — presents the network traffic encrypted by FireWall-1. It includes data on the total encrypted traffic load and the distribution of encrypted traffic by service and by traffic direction. Report ID: E276053F-19B2-429C-9FB2-21BA0DE5B6B2

• VPN-1 Tunnel — presents data on VPN tunnel creation. It includes the number of concurrent tunnels per top module, averages and peaks, IKE negotiation successes and failures, and negotiation times. Report ID: B640C862-DF0E-485E-A0B0-086E0D35EC76

• VPN Accelerator — presents data on the network traffic encrypted by FireWall-1. It includes data on the top modules' VPN Accelerator compression and decompression traffic load, VPN Accelerator compression and decompression errors, and VPN Accelerator activity over time. Report ID: 4D585F97-1E48-4F5A-9DCB-51AF5B61F6BA

• VPN Compression — presents the amount of IP compression per module. It includes data on the top modules' compression and decompression load, compression and decompression errors, and duration. Report ID: 62611BAD-DC70-4C5A-A76F-804050E31708

User Activity Reports

Standard Reports

• User Activity — presents the network traffic produced by authenticated users. It includes data on the authenticated users producing both the total and the service-specific traffic load. Report ID: D7CD8E72-6978-48db-897A-365ED6B42482

• Web Activity — presents the network traffic produced by web activity. It includes data on web activity by top users, top sites, top sources, top files, direction, and load per day of the week. Report ID: 2CB9CBC0-50E2-4C09-A5A4-28FA9C2A3BBB

• SecureClient Users Activity — presents SecureClient activity as logged by the alerts uploaded from the desktop. The report also shows Policy Server activity information. Report ID: E387C01B-0373-406a-84BC-DAF15A3E5759

• List of All SecureClient Users Login — presents the details of all login actions of SecureClient users to FireWall-1. It can be used for specific security or user behavior inspection. You may use this report to collect data by filtering only the users you wish to view. Report ID: 20CBB924-B685-4bad-B3AB-2C08AA51FDB7

System Information Reports

• System Information — presents details of system behavior and system conditions. It presents, per top module, Operating System activity, kernel activity, CPU usage, free disk space, memory usage and virtual memory usage over time. Report ID: 26450EBC-37B4-4465-A9E0-F3FFA61917E6

My Reports

This subject includes predefined reports that you have customized and saved under different names, to better address your specific needs.


Index

C
configuration 38
configure FTP upload 61
configure Web upload 59
consolidation
  interval 31
  levels 31
  modifying 46
  process 30
  rescanning logs 56
consolidation policy 30
  out-of-the-box rule descriptions 65
  roll back installation 56

D
database
  see reporter database 49
deployment 35
distributed deployment 35

E
Email
  reports 43
  severity 43
Excel
  table import to 38
Express Reports
  Setup 33

F
FTP reports 43

H
How to Upload Reports to Web and FTP servers 59

I
installation
  roll back 56
interval
  see consolidation interval 31

L
log consolidation process
  see consolidation process 30
log consolidator engine
  status 49
log fields 57
  retaining the original values 57
log file
  rescanning 56
  scanning 48
logo 45

P
Performance Tips
  Hardware Recommendations 6, 61
  Installation 6, 62
predefined reports 33, 69

R
report
  most interesting 69
  OS Activity by Module 76
reporter database
  changing data and log files location 51
  increasing cache size 50
  increasing the size limit 50
  management 49
  modifying configuration 50
  recovery 58
  status 49
reporter database table 32, 36, 41, 49
reports
  alerts 74
  blocked connections 74
  convert to Excel 38
  CSV format 38
  data calculation scheme 42
  different styles 58
  displaying generated reports 45
  Email 43
  encrypted network activity 74
  executive reports 69
  filters 41
  FireWall-1
    activity 73
    memory 73
  FireWall-1 activity 73
  ftp activity 71
  FTP server 43
  generating from the command line 45
  HTML format 38
  input location 43
  logo 45
  network activity 69, 70, 71, 73
  output 37
  output location 43
  period 41
  policy installations analysis 74
  POP3 Activity 71
  predefined 33, 69
  preview 44
  properties 41
  results 43
  rule base analysis 74
  scheduling 37, 44
  security reports 74
  selected services 73
  SMTP activity 71
  sort parameter 42
  status 44
  System Information 76
  user activity 75
  VPN Community 75
  VPN tunnel per origin 74
  VPN-1
    accelerator 75
    Activity 75
    Compression 75
  web activity 71
  Web server 43
rolling back the installation 56

S
scheduling reports 37, 44
security policy
  logging accounting information 39
services 52
sort parameter 42
standalone deployment 35
Status
  history size 44
store options 47, 57

U
URL information 56

V
VPN-1 reports
  Activity 75
  Tunnel 75