SmartView Reporter NG with Application Intelligence (R55)

For additional technical information about Check Point products, consult Check Point's SecureKnowledge at http://support.checkpoint.com/kb/

See the latest version of this document in the User Center at: http://www.checkpoint.com/support/technical/documents/docs_r55.html

Part No.: 700727
October 2003
  • 2. © 2002-2004 Check Point Software Technologies Ltd. CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE All rights reserved. This product and related documentation are protected by copyright SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. and distributed under licensing restricting their use, copying, distribution, and decompilation. No part of this product or related documentation may be reproduced in The following statements refer to those portions of the software copyrighted by The any form or by any means without prior written authorization of Check Point. While OpenSSL Project. This product includes software developed by the OpenSSL Project for every precaution has been taken in the preparation of this book, Check Point assumes use in the OpenSSL Toolkit (http://www.openssl.org/).* THIS SOFTWARE IS PROVIDED BY no responsibility for errors or omissions. This publication and features described herein THE OpenSSL PROJECT ``AS IS AND ANY * EXPRESSED OR IMPLIED WARRANTIES, are subject to change without notice. INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.RESTRICTED RIGHTS LEGEND: IN NO EVENT SHALL THE OpenSSL PROJECT OR ITS CONTRIBUTORS BE LIABLE Use, duplication, or disclosure by the government is subject to restrictions as set forth FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR in subparagraph (c)(1)(ii) of the Rights in Technical Data and Computer Software clause CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF at DFARS 252.227-7013 and FAR 52.227-19. 
SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,TRADEMARKS: WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF Check Point, the Check Point logo, ClusterXL, ConnectControl, FireWall-1, FireWall-1 ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. GX, FireWall-1 SecureServer, FireWall-1 SmallOffice, FireWall-1 VSX, FireWall-1 XL, FloodGate-1, INSPECT, INSPECT XL, IQ Engine, MultiGate, Open Security Extension, The following statements refer to those portions of the software copyrighted by Eric Young. OPSEC, Provider-1, SecureKnowledge, SecurePlatform, SecureXL, SiteManager-1, THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS AND ANY EXPRESS OR SmartCenter, SmartCenter Pro, SmartDashboard, SmartDefense, SmartLSM, IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED SmartMap, SmartUpdate, SmartView, SmartView Monitor, SmartView Reporter, WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE SmartView Status, SmartView Tracker, SmartConsole, TurboCard, Application ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE Intelligence, SVN, UAM, User-to-Address Mapping, UserAuthority, VPN-1, VPN-1 FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR Accelerator Card, VPN-1 Net, VPN-1 Pro, VPN-1 SecureClient, VPN-1 SecuRemote, CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF VPN-1 SecureServer, VPN-1 SmallOffice and VPN-1 VSX are trademarks or registered SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR trademarks of Check Point Software Technologies Ltd. or its affiliates. All other product BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, names mentioned herein are trademarks or registered trademarks of their respective WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR owners. 
OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF The products described in this document are protected by U.S. Patent No. 6,496,935, ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. Copyright © 1998 The Open 5,606,668, 5,699,431 and 5,835,726 and may be protected by other U.S. Patents, Group. foreign patents, or pending applications. The following statements refer to those portions of the software copyrighted byTHIRD PARTIES: Jean-loup Gailly and Mark Adler Copyright (C) 1995-2002 Jean-loup Gailly and Mark Adler. This software is provided as-is, without any express or impliedEntrust is a registered trademark of Entrust Technologies, Inc. in the United States and warranty. In no event will the authors be held liable for any damages arising fromother countries. Entrust’s logos and Entrust product and service names are also trademarks the use of this software. Permission is granted to anyone to use this software forof Entrust Technologies, Inc. Entrust Technologies Limited is a wholly owned subsidiary of any purpose, including commercial applications, and to alter it and redistribute itEntrust Technologies, Inc. FireWall-1 and SecuRemote incorporate certificate management freely, subject to the following restrictions:technology from Entrust. 1. The origin of this software must not be misrepresented; you must not claim that you wrote the original software. If you use this software in a product, anVerisign is a trademark of Verisign Inc. acknowledgment in the product documentation would be appreciated but is not required.The following statements refer to those portions of the software copyrighted by University of 2. Altered source versions must be plainly marked as such, and must not beMichigan. Portions of the software copyright © 1992-1996 Regents of the University of misrepresented as being the original software.Michigan. All rights reserved. 
Redistribution and use in source and binary forms arepermitted provided that this notice is preserved and that due credit is given to the University 3. This notice may not be removed or altered from any source distribution.of Michigan at Ann Arbor. The name of the University may not be used to endorse orpromote products derived from this software without specific prior written permission. Thissoftware is provided “as is” without express or implied warranty. Copyright © Sax Software The following statements refer to those portions of the software copyrighted by the(terminal emulation only). Gnu Public License. This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) anyThe following statements refer to those portions of the software copyrighted by Carnegie later version. This program is distributed in the hope that it will be useful, butMellon University. WITHOUT ANY WARRANTY; without even the implied warranty ofCopyright 1997 by Carnegie Mellon University. All Rights Reserved. MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the GNUPermission to use, copy, modify, and distribute this software and its documentation for any General Public License for more details.You should have received a copy of thepurpose and without fee is hereby granted, provided that the above copyright notice appear GNU General Public License along with this program; if not, write to the Freein all copies and that both that copyright notice and this permission notice appear in Software Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.supporting documentation, and that the name of CMU not be used in advertising or publicitypertaining to distribution of the software without specific, written prior permission.CMU The following statements refer to those portions of the software copyrighted by Thai OpenDISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE, INCLUDING ALL Source Software Center Ltd and Clark Cooper Copyright (c) 2001, 2002 Expat maintainers.IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS, IN NO EVENT SHALL Permission is hereby granted, free of charge, to any person obtaining a copy of thisCMU BE LIABLE FOR ANY SPECIAL, INDIRECT OR CONSEQUENTIAL DAMAGES OR software and associated documentation files (the "Software"), to deal in the SoftwareANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, without restriction, including without limitation the rights to use, copy, modify, merge,WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons toACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE whom the Software is furnished to do so, subject to the following conditions: The aboveOF THIS SOFTWARE. copyright notice and this permission notice shall be included in all copies or substantial portions of the Software. 
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTYThe following statements refer to those portions of the software copyrighted by The Open OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THEGroup. WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE ANDTHE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERSEXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN ANMERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR INNONINFRINGEMENT. IN NO EVENT SHALL THE OPEN GROUP BE LIABLE FOR ANY CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.Check Point Software Technologies Ltd.U.S. Headquarters: 800 Bridge Parkway, Redwood City, CA 94065, Tel: (650) 628-2000 Fax: (650) 654-4233, info@CheckPoint.comInternational Headquarters: 3A Jabotinsky Street, Ramat Gan, 52520, Israel, Tel: 972-3-753 4555 Fax: 972-3-575 9256, http://www.checkpoint.com
Table Of Contents

Chapter 1 Getting Started
Installing SmartView Reporter 5
Overview 5
Standalone Installation 6
Distributed Installation 9
Starting SmartView Reporter 21

Chapter 2 SmartView Reporter
The Need for Reports 27
SmartView Reporter Solution 28
SmartView Reporter — Overview 28
Log Consolidation Process 30
SmartView Reporter Standard Reports 32
SmartView Reporter Express Reports 33
Predefined Reports 33
SmartView Reporter Considerations 35
Standalone vs. Distributed Deployment 35
Log Availability vs. Log Storage and Processing 36
Log Consolidation Phase Considerations 36
Report Generation Phase Considerations 37
SmartView Reporter Configuration 38
Basic Configuration Scenario 38
Required Security Policy Configuration 39
Express Reports Configuration 40
Report Generation Configuration 40
Consolidation Policy Configuration 45
SmartView Reporter Database Management 49

Chapter 3 How To
SmartView Reporter Instructions 55
How to re-consolidate logs according to a different Consolidation Policy 55
How to generate reports based on data unavailable in the Database 56
How to include URL information in web activity reports 56
How to retain log fields not listed in the Store Properties window 57
How to adapt reports to your specific needs 57
How to schedule generations of the same report using different settings (a different output or style) 58
How to recover the SmartView Reporter Database 58
How to interpret report results whose direction is "other" 58
How to view report results without the SmartView Reporter Client 58
How to upload reports to a web server 59
How to upload reports to an FTP server 60
How to improve performance 61

Appendix A Out_of_the_box Consolidation Policy
Overview 65
Out_of_the_box Consolidation Rules 66

Appendix B Predefined Reports
Executive Reports 69
Network Activity Reports 71
Security Reports 74
VPN-1 Reports 74
User Activity Reports 75
System Information Reports 76
My Reports 76

Index 77
CHAPTER 1 Getting Started

In This Chapter
Installing SmartView Reporter page 5
Starting SmartView Reporter page 21

Installing SmartView Reporter

In This Section
Overview page 5
Standalone Installation page 6
Distributed Installation page 9

Overview
SmartView Reporter can be installed in either a "Standalone" installation or a "Distributed" installation:
• Standalone installation — SmartView Reporter is installed on the SmartCenter Server machine.
• Distributed installation — SmartView Reporter is installed on a machine dedicated to reporting purposes. In addition, the SmartView Reporter Add-on is installed on the SmartCenter Server machine. The add-on contains both data files (with report definitions) and a component that allows SmartDashboard to connect to the SmartView Reporter Server.
A distributed installation requires establishing Secure Internal Communication (SIC) between the two machines. The distributed installation is recommended, since it provides better performance.
Performance Tips
To maximize the performance of your SmartView Reporter Server, follow these guidelines:

Hardware Recommendations
• Use a computer that matches the minimum hardware requirements, as specified in the Release Notes at: http://www.checkpoint.com/techsupport/installation/ng/release_notes.html
• Configure the network connection between the SmartView Reporter Server machine and the SmartCenter, or the Log server, to the optimal speed.
• Use the fastest disk available with the highest RPM (Revolutions per Minute).
• Increase computer memory. It significantly improves performance.

Installation
Choose a distributed configuration, dedicating a computer to Consolidation and Report generation operations only.

Supported Platforms
Windows and Solaris platforms support both standalone and distributed installations. Linux and Nokia platforms support only the SmartView Reporter Add-on installation in a distributed configuration; they do not support a Standalone Installation or a SmartView Reporter server in a distributed configuration.

Standalone Installation

In This Section
Windows Platform page 6
Solaris Platform page 9

Windows Platform
1 To begin the installation, log in as an Administrator and launch the Wrapper by double-clicking the setup executable.
2 Select the products that you would like to install. The following components represent the minimum standalone component requirements for SmartView Reporter:
• SmartCenter
• SmartConsole
• SmartView Reporter

FIGURE 1-1 Standalone Deployment - for Windows

Depending on the components that you have chosen to install, you may need to take additional steps before reaching step 3.
3 Verify the default directory, or browse to a new location in which SmartView Reporter will be installed.
4 Select Local SmartView Reporter Installation in order to install SmartView Reporter on the local machine.
5 Verify the default directory, or browse to a new location in which SmartView Reporter's output files will be generated. Click Next and reboot the machine in order to complete the installation of SmartView Reporter and to continue with the next phase of the installation.
6 Launch SmartDashboard.
7 Edit the host properties for the SmartView Reporter machine.

Chapter 1 Getting Started 7
FIGURE 1-2 Edit the Host properties
8 Deselect and reselect the SmartView Reporter checkbox. Without explicitly selecting this field, SmartView Reporter will not function. Finally, click OK.
FIGURE 1-3 Select SmartView Reporter in the listbox
9 After activating the SmartView Reporter host, install the Security Policy (Policy > Install) or install the database (Policy > Install Database) in order to make SmartView Reporter fully functional.

Solaris Platform
1 To begin the installation, mount the CD on the relevant subdirectory and launch the wrapper as follows:
2 In the mounted directory, run the script UnixInstallScript.
3 Read the End-User License Agreement (EULA) and, if you accept it, click Yes.
4 Select whether you would like to perform an upgrade or create a new installation.
5 Continue from step 2 on page 6 in order to complete the process.
FIGURE 1-4 Standalone Deployment - for Solaris

Distributed Installation
In a distributed installation, SmartView Reporter is installed on a different machine from the SmartCenter Server.
In This Section
Windows Platform page 10
Solaris Platform page 14
Linux page 16
Nokia IPSO page 17

Windows Platform
This installation process consists of three phases:
• Install SmartView Reporter
• Install SmartCenter and the SmartView Reporter Add-On
• Prepare SmartView Reporter in SmartCenter

Phase 1 - Installing the SmartView Reporter
1 Select SmartView Reporter and, optionally, SmartConsole for installation.
Note - Although SmartConsole does not have to be installed on this machine, if it is, you have direct UI access to the SmartCenter Server from this machine, thereby simplifying the final installation steps.
FIGURE 1-5 Distributed deployment - for Windows
Depending on the components that you have chosen to install, you may need to take additional steps (such as installing other components and/or license management) before reaching step 2.
2 Verify the default directory, or browse to a new location in which SmartView Reporter will be installed.
3 Select a folder in which SmartView Reporter's output files will be generated.
Depending on the components that you have chosen to install, you may need to take additional steps before reaching step 4.
4 Enter the Activation Key in the specified fields. Remember the key; you will need to enter it at a later stage. Click Finish in order to complete the installation of SmartView Reporter.
FIGURE 1-6 SIC activation

Phase 2 – Installing SmartCenter and the SmartView Reporter Add-On
SmartCenter installation is described in the Getting Started guide. Only the portion that is related to SmartView Reporter is discussed in this section.
5 Install the SmartCenter Server on a separate machine by selecting SmartCenter and also selecting SmartView Reporter, so that the SmartView Reporter Add-on is installed during the SmartCenter installation.
FIGURE 1-7 Installing SmartCenter and the SmartView Reporter Add-On on a Windows Platform
6 During the SmartCenter installation a window is displayed in which you are prompted to select the SmartView Reporter Setup Type. Select SmartView Reporter SmartCenter Add-on so that SmartCenter can connect to the distributed SmartView Reporter.
7 Reboot the machine in order to complete the installation.

Phase 3 – Preparing SmartView Reporter in SmartCenter
8 Launch SmartDashboard. (SmartDashboard is installed during the SmartConsole installation.)
9 Create a new host for the SmartView Reporter machine.
FIGURE 1-8 Create New SmartView Reporter Host
10 In the General Properties window, select SmartView Reporter. Then click the Communication button.
FIGURE 1-9 Initialize SIC
11 Enter the Activation Key that was created in step 4 during the SmartView Reporter installation.
12 After activating the SmartView Reporter host, install the Security Policy (Policy > Install) or install the database (Policy > Install Database) in order to make SmartView Reporter fully functional.
FIGURE 1-10 Enter the Activation Key

Solaris Platform
This installation process consists of three phases:
• Install the SmartView Reporter
• Install SmartCenter and the SmartView Reporter Add-On
• Prepare SmartView Reporter in SmartCenter

Phase 1 – Installing the SmartView Reporter
1 Select SmartView Reporter and, optionally, SmartConsole for installation.
FIGURE 1-11 Standalone Deployment - for Solaris
Depending on the components that you have chosen to install, you may need to take additional steps before reaching step 2.
2 Select a folder in which SmartView Reporter's output files will be generated.
FIGURE 1-12 Solaris - default directory
Depending on the components that you have chosen to install, you may need to take additional steps before reaching step 3.
3 Enter the Activation Key in the specified fields. Remember the key; you will need to enter it at a later stage. Click Finish to complete the installation of SmartView Reporter.
FIGURE 1-13 Solaris Activation Key
4 To complete the installation, continue from "Phase 2 – Installing SmartCenter and the SmartView Reporter Add-On" on page 11.
Note - Although the interface is different, the installation process performed on a Windows platform is the same as the installation process performed on a Solaris platform.

Linux
The SmartView Reporter machine can be installed on either Solaris or Windows. For details on installing the SmartView Reporter machine, refer to "Phase 1 - Installing the SmartView Reporter" on page 10.

Installing the SmartCenter Machine and the SmartView Reporter Add-On
SmartCenter installation is described in its own document. Only the portion that is related to SmartView Reporter is discussed here.
1 When installing SmartCenter, select SmartView Reporter, so that the SmartView Reporter Add-on is installed as part of the SmartCenter installation.
FIGURE 1-14 Install SmartView Reporter on Linux
2 The SmartView Reporter installation type is automatically set to SmartView Reporter SmartCenter Add-on, so that SmartCenter can connect to the distributed SmartView Reporter.
3 To complete the installation, continue from "Phase 3 – Preparing SmartView Reporter in SmartCenter" on page 12.

Nokia IPSO
The SmartView Reporter machine can be installed on either Solaris or Windows. For details on installing the SmartView Reporter machine, refer to "Phase 1 - Installing the SmartView Reporter" on page 10.

Installing the SmartCenter Machine and the SmartView Reporter Add-On
SmartCenter installation is described in its own document. Only the portion that is related to SmartView Reporter is discussed here.
1 After installing the Check Point IPSO packages, reboot the machine and run cpconfig.
FIGURE 1-15 Installing Check Point IPSO Packages
2 Log in to IPSO Voyager from a web browser.
FIGURE 1-16 Login to Voyager
3 Select Config to enter the Voyager Configuration screen.
FIGURE 1-17 Click Config to enter the Configuration screen.
4 In the Configuration screen, select Manage Installed Packages.
FIGURE 1-18 Select Manage Installed Packages
5 Make sure that SmartView Reporter NG with Application Intelligence R55 (and any other relevant packages) are set to On and click Apply.
FIGURE 1-19 Activate SmartView Reporter and other relevant packages
6 After clicking Apply, click Save.
7 From a command line terminal to the IPSO machine:
• Log out and then log in to the system.
• Run rmdstart.
8 Reboot the machine.
9 To complete the installation, continue from "Phase 3 – Preparing SmartView Reporter in SmartCenter" on page 12.

Starting SmartView Reporter
To start using SmartView Reporter, proceed as follows:
1 Launch the SmartView Reporter Client (FIGURE 1-20).
FIGURE 1-20 SmartView Reporter Client — Main window
2 Display the Management Selection Bar view and verify that logs are indeed being consolidated and saved to the SmartView Reporter Database.
FIGURE 1-21 SmartView Reporter Client — Management Selection Bar view
3 Go back to the Reports Selection Bar view (FIGURE 1-20 on page 22) and ensure that you select the database tables for which to generate the report, as well as a report time frame. Then generate the Standard Network Activity report by selecting it in the Report Tree pane and clicking the generate button in the toolbar.
4 To follow the progress of the report generation, display the Report Generation Selection Bar view (FIGURE 1-22).
FIGURE 1-22 SmartView Reporter Client — Report Generation Selection Bar view
After a brief delay, the Standard Network Activity report result is displayed in your browser (FIGURE 1-23 on page 25).
FIGURE 1-23 Example Standard Network Activity Report Result (callouts: Report Title; Report Time Frame, Log Sources & Generation Time; Report Description; Sections (Hyperlinks))
5 Click a section title to view the results in question. The section's results are displayed in either a graph unit, a table unit or both types of units. FIGURE 1-24 on page 26 shows example results of section 2, Network Activity by Date, in both a graph unit and a table unit.
FIGURE 1-24 Example Standard Network Activity by Date Section — Graph and Table Formats (callouts: Section Title; Section Description; Unit Title; Unit Description; Unit Results: Graph Format; Unit Legend; Unit Title; Unit Description; Unit Results: Table Format; Unit Terminology)
CHAPTER 2 SmartView Reporter

In This Chapter
The Need for Reports page 27
SmartView Reporter Solution page 28
SmartView Reporter Configuration page 38

The Need for Reports
To manage your network effectively and to make informed decisions, you need to gather information on the network's traffic patterns. There is a wide range of issues you may need to address, depending on your organization's specific needs:
• As a Check Point customer, you may wish to check whether your expectations of the products are indeed met.
• From a security point of view, you may be looking for suspicious activities, illegal services, blocked connections or events that generated alerts.
• As a system administrator, you may wish to sort the Security Policy based on how often each Rule is matched, and delete obsolete Rules that are never matched.
• You may be looking for general network activity information, for purposes such as capacity planning.
• From the corporate identity and values perspective, you may want to ensure that your employees' surfing patterns (such as the web sites they access) comply with your company's policy.
• From a sales and marketing point of view, you may wish to identify the most and the least visited pages on your website, or your most and least active customers.
To address these issues, you need an efficient tool for gathering the relevant information and displaying it in a clear, accurate format.
SmartView Reporter Solution

In This Section
SmartView Reporter — Overview page 28
Log Consolidation Process page 30
SmartView Reporter Standard Reports page 32
Predefined Reports page 33

SmartView Reporter — Overview
Check Point SmartView Reporter delivers a user-friendly solution for monitoring and auditing traffic. You can generate detailed or summarized reports in the format of your choice (list, vertical bar, pie chart etc.) for all events logged by Check Point VPN-1 Pro, SecureClient and SmartDefense.

SmartView Reporter implements a Consolidation Policy, which goes over your original, "raw" log file, identifies events of interest and copies their relevant details into a special, report-specific database (the SmartView Reporter Database). This smart, succinct database enables quick and efficient generation of a wide range of reports. The SmartView Reporter solution provides the optimal balance between keeping the smallest report database possible and retaining the most vital information.

A Consolidation Policy is similar to a Security Policy in terms of its structure and management. For example, both Rule Bases are defined through SmartDashboard's Rules menu and use the same network objects. In addition, just as Security Rules determine whether to allow or deny the connections that match them, Consolidation Rules determine whether to store or ignore the logs that match them. The key difference is that a Consolidation Policy is based on logs, as opposed to connections, and has no bearing on security issues.

FIGURE 2-1 illustrates the Consolidation process, defined by the Consolidation Policy. After the VPN-1 Pro Modules send their logs to the SmartCenter Server, the Log Consolidator Engine collects them, scans them, filters out fields defined as irrelevant, merges records defined as similar and saves them to the SmartView Reporter Database.
FIGURE 2-1 Log Consolidation Process

The SmartView Reporter Server can then extract the consolidated records matching a specific report definition from the SmartView Reporter Database and present them in a report layout (FIGURE 2-2):

FIGURE 2-2 Report Generation Process

Two types of reports can be created: Standard Reports and Express Reports. Standard Reports are generated from information in log files through the Consolidation process, yielding a relevant analysis of activity. Express Reports are generated from SmartView Monitor history files and are produced much more quickly. Express Reports also support Provider-1 setups.

SmartView Reporter Standard Reports are supported by two Clients:
• SmartDashboard Log Consolidator — manages the Log Consolidator Engine and the SmartView Reporter Database via the SmartCenter Server. This Client is displayed by launching SmartDashboard and selecting View > Products > Log Consolidator.
• SmartView Reporter Client — generates and manages reports.

FIGURE 2-3 illustrates the SmartView Reporter architecture for Standard Reports:
FIGURE 2-3 SmartView Reporter Standard Report Architecture

The interaction between the SmartView Reporter Client and Server components applies both to a distributed installation (as shown in FIGURE 2-3), where the SmartCenter Server and SmartView Reporter's server components are installed on two different machines, and to a standalone installation, in which these products are installed on the same machine.

Log Consolidation Process
It is recommended to use the SmartView Log Consolidator's predefined Consolidation Policy, the out_of_the_box Policy, designed to filter out irrelevant logs (such as control messages) and store the most commonly requested ones (such as blocked connection, alert or web activity logs).

The Log Consolidator Engine scans the Consolidation Rules sequentially and processes each log according to the first Rule it matches. FIGURE 2-4 illustrates how the Consolidation Policy processes logs: when a log matches a Consolidation Rule, it is either ignored or stored. If it is ignored, no record of this log is saved in the SmartView Reporter system, so its data is not available for report generation. If it is stored, it is either saved as is (so all log fields can later be represented in reports), or consolidated to the level specified by the Rule.
• 31.

FIGURE 2-4 Log Process Chart

Consolidation is performed on two levels: the interval at which the log was created and the log fields whose original values should be retained. When several logs matching a specific Rule are recorded within a predefined interval, the values of their relevant fields are saved “as is”, while the values of their irrelevant fields are merged (i.e. “consolidated”) together.

TABLE 2-1 provides a Consolidation example, in which three logs of approved NTP connections match the same Consolidation Rule (NTP is a time protocol that provides access over the Internet to systems with precise clocks).

The Rule’s store options specify that logs generated within a one hour interval should be consolidated into a single record, as long as they share the same values for four fields of interest: destination, interface, Rule name and QoS class. The values of all other fields are either integrated into their shared value (e.g. the shared Rule Number value, 1), or replaced with the term “consolidated” (e.g. the different Source values). The consolidated record includes a connection number column, noting how many logs it represents (in this case, 3).

TABLE 2-1 Consolidation Example

Record        Time   Source        Dest.      I-face  Rule Name  Rule No.  Class  Conn No.
Log 1         10:00  10.1.3.29     172.0.0.1  hme0    NYC        1         Gold
Log 2         10:25  10.15.2.52    172.0.0.1  hme0    NYC        1         Gold
Log 3         10:59  10.56.60.4    172.0.0.1  hme0    NYC        1         Gold
Cons. Record  10:00  Consolidated  172.0.0.1  hme0    NYC        1         Gold   3

• 32.

How to interpret User names in DHCP enabled networks

If DHCP address mapping is used, and assuming the DNS knows how to resolve dynamic addresses, the information you see in the report reflects the correct resolution results for the time at which the reported log events were processed by the SmartDashboard Log Consolidator and inserted into the database. Because of the dynamic nature of DHCP address distribution, there is no guarantee that consolidation of old log files will produce correct address name resolution. When DHCP is in use, consolidating log files close to the time of their creation will improve address-resolution accuracy.

SmartView Reporter Standard Reports

The Log Consolidation process results in a database of the most useful, relevant records, known as the SmartView Reporter Database. The information is consolidated to an optimal level, balancing the need for data availability with the need for fast and efficient report generation.

Reports are generated based on a single database table, specified in the Reports Selection Bar view > Standard Reports > Report tab. By default, all consolidated records are saved to the CONNECTIONS table and all reports use it as their data source. However, each time you install and start the Consolidation Policy, you have the option of storing records in a different table. You can further organize these tables by moving records between them as needed and deleting outdated records.

Dividing the consolidated records between different tables allows you to set the SmartView Reporter Client to use the table most relevant to your query, thereby improving the SmartView Reporter Server’s performance. In addition, dividing records between tables facilitates managing the SmartView Reporter Database: you can delete outdated tables, export tables you are not currently using to a location outside of the SmartView Reporter Database and import them back when you need them.
• 33.

SmartView Reporter Express Reports

Express Reports are based on data collected by Check Point system counters and SmartView Monitor history files. Standard Reports, in contrast, are based on Log Consolidator logs. Because Express Reports present historical data, they can be generated more quickly.

SmartView Reporter Express Reports are supported by one Client, the SmartView Reporter. To configure your system to generate Express Reports, see “Express Reports Configuration” on page 40.

FIGURE 2-5 illustrates the SmartView Reporter architecture for Express Network Reports:

FIGURE 2-5 SmartView Reporter Express Report Architecture

Predefined Reports

The SmartView Reporter Client offers a wide selection of predefined reports for both Standard and Express reporting, designed to cover the most common network queries from a variety of perspectives.

Report Subjects

The reports are grouped by the following subjects, allowing you to easily locate the one you need:

• Network Activity (Standard, Express) — this subject includes reports that enable you to analyze the most popular activities in your network. You can examine your network activity as a whole or focus on a specific direction (incoming, outgoing or internal) or activity type (web, ftp or Email). For example, to study network traffic inside your organization, you can investigate how your web servers, mail servers and firewalled gateways handle the network load; see which services use most of the available bandwidth; and find out which web sites are the most popular. You can
• 34.

  detect illegal network traffic, such as connections to banned web sites or use of prohibited services. To examine network usage by external sources, you can explore which sources access the corporate web site, how often and for how long. A report dedicated to FireWall-1 activity allows you to identify its top services, sources and destinations. The records are organized both by their direction and by the action taken by the firewall. In addition, you can follow the distribution of the firewall’s activity over various time frames (your working hours, week days and the selected date range).

• Security (Standard, Express) — this subject includes reports that allow you to focus on all security-related traffic in your network. For example, you can inspect connections whose origin or destination is the FireWall-1 machine, monitor security attacks detected by SmartDefense, or analyze blocked connections and FireWall-1 alerts. In addition, you can detect Policy Installations and analyze the Rule Base order on a specific gateway. Identifying the top matched rules versus the least matched rules allows you to sort the Security Policy in the most efficient way.

• User Activity (Standard) — this subject includes reports that provide you with information on how users inside your organization, as well as remote SecureClient users, utilize your network resources. You can identify peak activity patterns, in terms of the most active users, the most commonly used services, the most active working hours or week days etc.

• VPN-1 (Standard, Express) — this subject includes reports that allow you to analyze various aspects of your encrypted traffic, such as its distribution over time, the top services or sources etc. You can examine your VPN-1 activity as a whole, or focus on a specific VPN Tunnel or VPN Community.
• Executive (Standard, Express) — offers a selection of reports from various subjects that are of special interest to executives, such as the Network Activity or User Activity reports.

• System Info (Express) — this subject includes reports that allow you to analyze various aspects of system load and operational activity, including CPU usage, kernel usage and memory usage.

• My Reports (Standard, Express) — select predefined reports and customize them to your needs.

For descriptions of each predefined report available, see Appendix B, “Predefined Reports”.
• 35.

Report Structure

Each report consists of a collection of sub-topics known as sections, which cover various aspects of the report. For example, the User Activity report consists of sections such as User Activity by Date, Top Users, Top User Activity Services etc. Each section consists of units, which display the same results in different formats, for your convenience. For example, the User Activity by Date section displays the same data in two units: a graph and a table.

Customizing Predefined Reports

In case you have a specific query that is not directly addressed by the predefined reports, you can easily customize the report that is closest to your needs (by changing its date range, filters etc.) to provide the desired information. You can save the customized report under a different name in the report subject dedicated to user-defined reports, My Reports.

SmartView Reporter Considerations

In This Section
Standalone vs. Distributed Deployment page 35
Log Availability vs. Log Storage and Processing page 36
Log Consolidation Phase Considerations page 36
Report Generation Phase Considerations page 37

SmartView Reporter’s default options have been designed to address the most common reporting needs. However, to maximize the product’s benefits, it is recommended that you adapt it to your specific profile. This section describes the considerations you should take into account before starting to use SmartView Reporter.

Standalone vs. Distributed Deployment

In a standalone deployment, all SmartView Reporter server components (the Log Consolidator Engine, the SmartView Reporter Database and the SmartView Reporter Server) are installed on the Check Point SmartCenter Server machine. In a distributed deployment, the SmartView Reporter server components and the SmartCenter Server are installed on two different machines and communicate through a special Log Consolidator Add-on installed on the SmartCenter Server.
• 36.

The standalone deployment saves you dedicating a machine to SmartView Reporter, but the distributed deployment significantly improves your system’s performance.

Log Availability vs. Log Storage and Processing

Since all SmartView Reporter operations are performed on the logs you have saved, the extent to which you can benefit from this product depends on the quality of the available logs. Therefore, you must ensure your Security Policy is indeed tracking (logging) all events you may later wish to see in your reports.

In addition, you should consider how accurately your logs represent your network activity. If only some of your Rules are tracking events that match them, the events’ proportion in your reports will be distorted. For example, if only the blocked connections Rule is generating logs, the reports will give you the false impression that 100% of the activity in your network consisted of blocked connections. On the other hand, tracking multiple connections results in an inflated log file, which not only requires more storage space and additional management operations, but significantly slows down the Consolidation process.

Log Consolidation Phase Considerations

Record Availability vs. Database Size

Reports are a direct reflection of the records stored in the SmartView Reporter Database. To generate detailed, wide-ranging and accurate reports, the corresponding data must be available in the Database. However, effective database management requires keeping the database size under 20 GB. As the consolidated records accumulate in the Database, the tables where they are saved may become quite large. The data gradually approaches the disk space limit, using more and more memory and slowing down the SmartView Reporter processes (especially the data retrieval for report generation). Carefully consider which logs you wish to store, and to what extent you wish to consolidate them.
Saving Consolidated Records to One vs. Multiple Database Tables

A report is generated based on a single table. If you save all consolidated records to the same table, all the data is readily accessible and you are saved the trouble of moving records between tables and selecting the appropriate source table for each report you wish to generate.
• 37.

Dividing the records between different tables reduces the report generation time and allows you to maintain a useful Database size by exporting tables you are not currently using to an external location.

Report Generation Phase Considerations

Adapting the Report’s Detail Level to your Needs

When a report is very detailed, it may become difficult to sort out the most significant results and understand the network’s status. To achieve the optimal balance between getting all the information you need and excluding excessive records, closely examine the report’s date range, filters (source, destination, service etc.) and filter values, and adjust them to pinpoint details.

Generating only selected sections and units

By default, all report sections and their units are included in the report generation. However, to get results faster and improve your machine’s performance, you can generate only selected sections and units (by unchecking all others in the Report Tree pane).

Scheduling reports

The Schedule feature allows you to set both delayed and periodic report generations. If you wish to produce a detailed and lengthy report, consider postponing its generation and scheduling it so that it does not interfere with your employees’ working hours or with times of peak network activity, since such a report generation might slow down your system. In addition, it is useful to identify the reports you require on a regular basis (e.g. a daily alerts report or a monthly user activity report) and schedule their periodic generation.

Report output (display, Email, file, printer etc.)

All predefined report results are displayed on your screen and saved to the SmartView Reporter Server.
• 38.

By default, the report is saved in HTML format in an index.htm file, and in CSV (Comma Separated Values) format in a tables.csv file. The HTML file includes descriptions and graphs, but the CSV file contains only the report table units, without a table of contents, descriptions or graphs. The tables.csv file is provided to enable convenient table import into applications like Excel.

TABLE 2-2 Report Files and Formats

File Format  HTML                                      CSV
File Name    index.htm                                 tables.csv
Includes     Table of contents, tables, descriptions,  Data only. Cell values separated by commas.
             graphs.                                   Rows and tables separated by lines.

Before generating a report, determine whether you want it to be saved or sent to additional or different targets. For example, when you generate a user activity-related report, you may wish to make it available to all managers in your organization by sending them the output via Email or by placing it on your intranet.

SmartView Reporter Configuration

In This Section
Basic Configuration Scenario page 38
Express Reports Configuration page 40
Required Security Policy Configuration page 39
Report Generation Configuration page 40
Consolidation Policy Configuration page 45
SmartView Reporter Database Management page 49

Basic Configuration Scenario

The following procedure allows you to create the most basic SmartView Reporter configuration. Proceed as follows:

1 In the SmartDashboard, set the relevant Security Policy Rules to track connections of interest (set each Rule’s Track column to either Log or Account).
• 39.

2 Launch the SmartView Reporter Client and display the selection bar’s Management view, to verify that consolidated records have been loaded to the SmartView Reporter Database.

3 Display the Reports view, select the database tables to be examined and the time frame for the report, choose the report type, then generate the report.

This general procedure can be used to provide you with any report you are interested in. For example, to generate a report on illegal attempts to connect to your network, proceed as follows:

1 In the SmartDashboard, add the following Rule (TABLE 2-3) at the bottom of your Rule Base:

TABLE 2-3 Security Rule Tracking Illegal Attempts to Connect to the Local Network

Source  Destination      VPN  Service  Action  Track  Install On      Time  Comment
Any     Company_network  Any  Any      Drop    Log    Policy Targets  Any   A rule tracking illegal attempts to connect to the local network

2 Launch the SmartView Reporter Client and display the selection bar’s Management view, to verify that consolidated records have been loaded to the SmartView Reporter Database.

3 Display the Reports view and generate the Blocked Connections by Date report.

Required Security Policy Configuration

For a Security Rule to generate logs for connections that match it, the Rule’s Track column should be set to any value other than None (for example, Log generates a standard log, while Account generates an accounting log). Note that in order to obtain accounting information (the number of bytes transferred and the duration of the connection), the value of the Rule’s Track column must be Account.

To utilize direction information (“incoming”, “outgoing”, “internal” or “other”), the organization’s topology must be configured properly. If this is the case, “other” can be used as a security tool, indicating there were connections whose destination was the firewall itself.
• 40.

Express Reports Configuration

The following procedure sets the SmartView Monitor to collect complete system data in order to produce SmartView Reporter Express Reports. SmartView Monitor settings are enabled through the SmartDashboard. Proceed as follows:

1 In the SmartDashboard network objects tab of the object tree, select a gateway of interest. Double click the gateway to open the Check Point Gateway properties window.

2 You will need to enable the SmartView Monitor to collect data for reporting purposes through the SmartDashboard. [If you do not see SmartView Monitor in the selection to the left, enable it through the General Properties tab. Click General Properties, then in the scroll-down window of Check Point Products, click SmartView Monitor. It will appear at left.] Select SmartView Monitor, and in the SmartView Monitor tab, check all the checkboxes to ensure that SmartView Monitor is collecting every type of data for reporting purposes.

3 To finish this procedure, in SmartDashboard select Policy > Install Database.

Report Generation Configuration

In This Section
Adapting the Report Properties to your Needs — Overview page 41
SmartView Reporter Database Table page 41
Report Period page 41
Report Filters page 41
Result Calculation and Resolution page 42
Input location page 43
Output location page 43
Scheduling page 44
Preview page 44
Monitoring the Report Status page 44
Displaying Generated Reports page 45
Additional Settings page 45
Report Generation Command Line page 45
• 41.

Adapting the Report Properties to your Needs — Overview

When you generate a report, you can either use the report as a whole or run a specific section or unit.

You can generate the selected component using its default properties, or adjust these properties to better address your current requirements. This section describes the most important properties you should examine before generating a report.

SmartView Reporter Database Table

By default, consolidated records are retrieved from the SmartView Reporter Database’s CONNECTIONS table. If you have divided your records between several tables, choose the table containing the records you require, e.g. a special table dedicated to records originating from a specific log server, or a table covering the time frame you are interested in. To see which table contains the relevant records, display the Management Selection Bar view.

Select the relevant tables through the Standard Reports view’s Reports tab, by selecting the tables in the Other Database Tables drop-down list.

Report Period

All predefined reports are set to cover a default time range of a week to a month. You must change this period to reflect the data’s actual dates and times, and the time period that you wish to examine.

Tuning Report Time Frame

To improve SmartView Reporter Server performance, when setting a user-defined time frame for the report, specify a time frame in whole days. When setting a report period, note that the following settings will slow down the report generation speed:
• Relative Time Frame: Today, Yesterday, Last X hours, This week.
• Specific dates: Limit by hour checkbox.
• Reports for short time periods are generated faster than reports for long time periods. A weekly report will be generated much faster than a monthly report.

Report Filters

Reports are based on records of the most commonly required filters (e.g. Source, Destination etc.).
Specifying the appropriate filter settings is the key to extracting the information you are looking for.
• 42.

For each filter you choose, specify the values (e.g. network objects, services etc.) to be matched out of all values available for that filter. The available values are taken from the SmartCenter Server and are refreshed on a regular basis. If you cannot see a value you have added through SmartDashboard in the available values list, refresh the list by selecting a different filter and then returning to the previous one. The SmartView Reporter Client also allows you to include additional objects, by manually adding them to the matched values list.

Filters and their values can be specified both on the report level and on its unit level. The report level settings are enforced on the unit level as well (for example, if you choose to include specific sources in the report, these sources will also be included in its units). If you set a specific unit-level filter and then choose a different report-level filter, the latter overrides the former.

Tuning Report Filters

If you define different filters for different units that share the same cached SQL, the SQL caching will no longer be viable and the report generation time will significantly increase. It is recommended that you define filters at the report level only.

Result Calculation and Resolution

Data Calculation Scheme

By default, report calculations are based on the number of events logged. If you have logged accounting data (done by setting the Security Rule’s Track column to Account), you can base the report calculations on the number of bytes transferred.

Sort Parameter

You may sort the results by one of two parameters: the number of bytes transferred and the number of events logged. Note that an event takes on different meanings, depending on its context. In most cases, the number of events refers to the number of connections. Access this setting through the Tools > Options menu.
The number of bytes transferred can be calculated only if the Security Rules’ Track column is set to Account. The number of events logged can be calculated as long as the Track column is set to Log or Account. If both types of information are available, they will both be displayed in the sort order you have specified. For example, a table listing the most active sources in your system can first specify the number of events each source generated and then note the number of bytes related to its activity.

In addition, the unit’s Unit tab allows you to select the resolution type (byte or time) and its level.
• 43.

Format

If user names are stored in an LDAP server, the names will include the full LDAP path in the FireWall-1 log files. The way the report shows the user name can be changed through the Tools menu > Options > General tab. By default, the Show abbreviated LDAP user name check box is selected, so that generated reports display only the user name part of the full LDAP name. To see the name with the full LDAP path, uncheck this box.

Input location

The modules from which you collect data can be modified by using the report’s Input tab, which lets you select the following:
• the module or modules of origin
• whether to collect data per module or as a group, if you have selected more than one module

Output location

Report results are saved in subdirectories of the Results subdirectory of the SmartView Reporter Server as follows:

Result\NG_AI\bin\<Report Name>\<Generation Date & Time>

For each report, a directory with the report’s name “<Report Name>” is created in bin, with a subdirectory named with the generation date and time “<Generation Date & Time>”. The report is generated into this “<Generation Date & Time>” subdirectory.

The Result location can be modified by selecting Tools > Options from the menu and specifying the desired location in the Result Location field of the Options window’s Generation page.

In addition to saving the result to the SmartView Reporter Server, you can send it to any of the following:
• The Client’s display (the default setting).
• Email recipients.
• An ftp or a web server. See “How to upload reports to an FTP server” on page 60.

The Mail Information page of the Options window allows you to specify both the sender’s Email address and the mail server to be used. It also allows you to specify the degree of message severity (Information, Warning or Error) that is to be sent to the administrator.
• 44.

The Mail Information page of the Tools > Options window allows you to specify that an administrator receive warnings about errors. To enable this option, fill in the Administrator email address, and choose the severity factor for which an error message will be sent, by checking one or more of the severity levels in the Specify the severity of the administrator email notification section.

Scheduling

Schedules are managed through the Report’s Schedule tab. All schedules of all reports defined in the system can be viewed through the Schedules option of the Selection Bar’s Management view.

To improve performance, schedule report generation for times when there is less traffic and fewer logs are being generated, so that the log consolidator is consuming fewer resources. For example, schedule reports on nights and weekends.

History

The reporting server can store a limited number of Report-generation status records. To modify the amount of information stored, go to the Tools > Options window and select the History page. Modify the amount in Report history size. When the number of status reports passes the limit, the oldest status record is deleted. You can decide whether you would like the associated generated Report to be deleted as well by changing the Report output delete method setting.

In addition, you can also specify the maximum number of Consolidation Status records that are displayed in the Management view, by modifying the Consolidation history size.

Preview

If the report you wish to generate covers a wide time frame (e.g. a quarterly network activity report), its generation may be time consuming. To verify that you have chosen the appropriate settings, you can test the output by generating a partial preview of the report (select Actions > Preview Report from the menu). The Preview option (set by selecting Tools > Options... from the menu) specifies the percentage (1 to 20) of the report time frame to be included in the preview.
For example, if the report period covers 30 days and you set the preview to 10%, it will only show records logged during the first three days of that time frame.

Monitoring the Report Status

The Selection Bar’s Report Generation view’s Currently Active option allows you to follow the report generation progress. Once the generation is complete, it is recorded in the view’s History option.
• 45.

Displaying Generated Reports

The Selection Bar’s Report Generation view’s History option lists all past report generations. Double click any generation record to display the report it describes.

Additional Settings

The Options window allows you to specify additional settings, including the name and the location of the logo to be displayed in the report header, as well as where to Email reports, and report-sorting settings. By default, the logo file is saved in the SmartViewReporterNGbin directory.

Report Generation Command Line

For your convenience, it is possible to generate reports both through the SmartView Reporter Client and through the command line. Generating reports using the command line GeneratorApp has the following limitations:
• No report status updates in the Report Generation view’s Currently Active window.
• No distribution of the report result.

To generate reports through the command line, go to the SmartViewReporterNGbin directory on the SmartView Reporter Server machine and run the following command:

Usage: GeneratorApp.exe [Directory/""] {ReportID}

For example, to generate the Security report, whose ID is {475AD890-2AC0-11d6-A330-0002B3321334}, run the following command:

GeneratorApp.exe c:\reports\Security {475AD890-2AC0-11d6-A330-0002B3321334}

If the directory is empty (""), <Result directory>\<Report Name>\<Generation Date & Time> is used as the directory. The default location is:

c:Program FilesCheckPointSmartViewReporterNGResults

For a list of all Report IDs, see Appendix B, “Predefined Reports.”

Consolidation Policy Configuration
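The GeneratorApp command line and the result directory layout from the “Report Generation Command Line” and “Output location” sections above, scripted in Python as an added example. This is not Check Point code: it assumes only the usage line GeneratorApp.exe [Directory/""] {ReportID} and the layout <Result directory>\<Report Name>\<Generation Date & Time> as stated on the page. The Security report ID is the one quoted above; every path, directory name and the exit-code convention are constructed assumptions. Because the CLI neither posts status to the Currently Active view nor distributes results, a scheduled job has to validate its input, watch the exit code and collect index.htm / tables.csv itself, which is what the helpers below do.

```python
r"""Driving GeneratorApp.exe from a script and collecting its output.

Added example, not Check Point code.  Assumes only what the page states:
    GeneratorApp.exe [Directory/""] {ReportID}
    <Result directory>\<Report Name>\<Generation Date & Time>
SECURITY_REPORT_ID is the ID quoted on the page; paths and the directory
names used for illustration are constructed placeholders.
"""
import os
import re
import subprocess
from typing import Iterable, List, Optional, Tuple

SECURITY_REPORT_ID = "{475AD890-2AC0-11d6-A330-0002B3321334}"   # from the page

# Report IDs are GUIDs in braces. Validate before anything reaches a shell,
# so a malformed ID in a scheduled job fails loudly instead of running garbage.
REPORT_ID_RE = re.compile(r"^\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")


def build_generator_argv(report_id: str, directory: str = "",
                         exe: str = "GeneratorApp.exe") -> List[str]:
    """argv for one generation. An empty directory is passed through as the
    empty string; on Windows subprocess renders it as "", which is exactly the
    form the usage line shows for 'use the default result directory'."""
    if not REPORT_ID_RE.match(report_id):
        raise ValueError(f"not a report ID in GUID form: {report_id!r}")
    return [exe, directory, report_id]


def generator_cmdline(report_id: str, directory: str = "") -> str:
    """The command line as GeneratorApp would receive it (for logging/review)."""
    return subprocess.list2cmdline(build_generator_argv(report_id, directory))


def run_generator(report_id: str, bin_dir: str, directory: str = "") -> int:
    """Run GeneratorApp from the SmartView Reporter bin directory and return
    its exit code. The CLI reports no status to the Currently Active view, so
    the exit code is the only feedback a script gets (assumption: 0 = success)."""
    argv = build_generator_argv(report_id, directory)
    argv[0] = os.path.join(bin_dir, argv[0])
    return subprocess.run(argv, cwd=bin_dir, check=False).returncode


def latest_generation(entries: Iterable[Tuple[str, float]]) -> Optional[str]:
    """Choose the newest <Generation Date & Time> directory from (name, mtime)
    pairs. Names are treated as opaque: the page does not define their format."""
    newest: Optional[Tuple[str, float]] = None
    for name, mtime in entries:
        if newest is None or mtime > newest[1]:
            newest = (name, mtime)
    return None if newest is None else newest[0]


def find_latest_result(result_root: str, report_name: str) -> Optional[str]:
    """Full path of the newest generation of <report_name> under the result
    root, or None. Since the CLI does not distribute results, a scheduled job
    has to fetch index.htm / tables.csv from here itself."""
    report_dir = os.path.join(result_root, report_name)
    if not os.path.isdir(report_dir):
        return None
    entries = [(e.name, e.stat().st_mtime) for e in os.scandir(report_dir) if e.is_dir()]
    name = latest_generation(entries)
    return None if name is None else os.path.join(report_dir, name)


if __name__ == "__main__":
    # run_generator() would be called on the SmartView Reporter Server itself;
    # here only the command lines are shown.
    print(generator_cmdline(SECURITY_REPORT_ID))
    print(generator_cmdline(SECURITY_REPORT_ID, r"c:\reports\Security"))
```

The directory argument is deliberately passed as a list element rather than interpolated into a shell string: Windows argument quoting turns the empty string into the literal "" the usage line expects, and a report name containing spaces never needs manual escaping.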
• 46.

In This Section
Overview page 46
Customizing Predefined Consolidation Rules page 48
Setting the Log Consolidator Engine to Scan Specific Logs page 48
Committing Consolidated Logs to a Specific Database Table page 49
Configuring the Log Consolidator Engine’s DNS Settings page 49
Monitoring the Log Consolidator Engine and Database Statuses page 49

Overview

The out_of_the_box Consolidation Policy has been designed to address the most common Consolidation needs. However, if you have specific Consolidation needs that are not covered by this Policy, the Consolidation Rules can be modified as needed. To modify the Consolidation settings, proceed as follows:

1 Display the SmartDashboard’s Log Consolidator View, by selecting View > Products > Log Consolidator from the menu.

2 Modify the out_of_the_box Policy’s Consolidation Rules as needed.

3 Save the modified Policy under a different name (select File > Save As from the menu and specify the modified Policy’s name).

4 Install the modified Consolidation Policy and start the SmartDashboard Log Consolidator (by selecting Policy > Install and Start... from the menu), using the following default settings:
• Fetch logs from the Primary SmartCenter Server.
• Continue the Consolidation from its last run (which in this case is the beginning of the fw.log file).
• Save the consolidated records to the default table (CONNECTIONS).

Starting and Stopping the Log Consolidator Engine

Starting the Log Consolidation Engine

If the Log Consolidation Engine is not running, you can start the Engine according to the Consolidation Policy that was last installed. To start the Log Consolidation Engine, choose Start from the Engine menu. The Log Consolidation Engine begins running according to the most recently installed Consolidation Policy.
• 47.

Stopping the Log Consolidation Engine

To stop the Log Consolidation Engine, choose Stop from the Engine menu, or click the Stop button in the toolbar. The Stop Engine window is displayed. Choose one of the following:
• Shutdown — This option stops the Log Consolidation Engine in an orderly way. All data that has been consolidated up to this point is stored in the Database. Shutdown may take several minutes to an hour.
• Terminate — This option stops the Log Consolidation Engine immediately. Data that has been consolidated but not yet stored in the Database is not saved.

Specifying the Consolidation Rule’s Store Options

To specify whether logs matching a Consolidation Rule should be skipped or copied to the SmartView Reporter Database, right click the Rule’s Action column and choose Ignore or Store (respectively).

In general, it is recommended to place “Ignore” Rules at the beginning of the Rule Base, especially for services that are logged frequently but are not of interest for reports. “Ignore” Rules do not require Consolidation processing and therefore enable the Log Consolidator Engine to move quickly through the logs: the Engine does not have to consolidate and store an event that matches an “Ignore” Rule and can move straight on to the next entry in the Log file.

The Rule order is also based on how frequently services are used. Rules regarding the most common services are defined before those addressing less common services. In this way, the Log Consolidator Engine does not have to scan a lengthy Rule Base in order to process most of your log data.

If you choose to store the logs, double click the Action cell to specify their storage format in the Store Options window. Choose one of the following:
• As Is — all log fields will be stored in the SmartView Reporter Database and will be available for report generation.
This is the default storage option.• Consolidated — specify the following Consolidation parameters: • The interval at which logs matching this Rule are consolidated (e.g. all logs generated within a 10 minute interval). Hourly intervals are measured. • The log fields whose original values are retained (in addition to the Product, Origin, Date and Customer log fields, whose values are always saved). The other fields’ values are merged (consolidated) with the corresponding values of the logs included in this interval (see “Log Consolidation Process” on page 30). Chapter 2 SmartView Reporter 47
If you wish to save all stored connections as is, you can disable the Consolidation settings of the entire Policy: select Policy > Global Properties... from the menu, display the Advanced settings tab of the Log Consolidator Policy Properties window and uncheck Consolidate log entries.

By default, the Log Consolidator Engine loads the consolidated records into the SmartView Reporter Database once an hour. To change this, display the Advanced Settings tab of the Log Consolidator Policy Properties window and choose a different value from the Stop consolidation and commit work to database every drop-down list.

Customizing Predefined Consolidation Rules

This section provides instructions on modifying specific out_of_the_box Rules to better address your consolidation requirements. For a detailed description of the out_of_the_box Rules, see Appendix A, “Out_of_the_box Consolidation Policy.”

If you wish to filter out all broadcast messages (both allowed and disallowed), proceed as follows:
1 In the Security Policy, define a group of objects with broadcast IP addresses.
2 In the out_of_the_box Consolidation Policy, activate the broadcast Rule and add the broadcast group to its Destination column.

If your network uses a mail server group, you can split the SMTP Rule into the following two Rules that collect data on how mail resources are used:
• A Rule consolidating connections from the mail server group. Records consolidated by this Rule can be used for reports on how mail connections are balanced between the servers. This Rule’s Store Options retain the original values of the Authenticated User, Destination, and Service log fields.
• A Rule consolidating connections to the mail server group. Records consolidated by this Rule can be used for reports on how local users access the mail servers. This Rule’s Store Options retain the original values of the Authenticated User, Source, and Service log fields.
Setting the Log Consolidator Engine to Scan Specific Logs

The Consolidation Policy is installed and started through the Install and Start window (FIGURE 1-7), accessed by selecting Policy > Install and Start... To set the Log Consolidator Engine to scan specific logs, specify the following parameters:
1 Log Server — select the log server providing the logs for Consolidation from the drop-down list and click Fetch data from log server.
2 Log File — choose the log file to be scanned. If you have copied log files from other log servers to the SmartCenter Server, these external log files are also available.
3 Log Entry — the specific log entry within the selected log file from which the Log Consolidator Engine starts running.

Committing Consolidated Logs to a Specific Database Table

In the Install and Start window described above, select the SmartView Reporter Database table to which the consolidated logs are to be saved from the Target Table options.

Configuring the Log Consolidator Engine’s DNS Settings

Resolving the source and destination names slows down the Consolidation process. You can balance the need for names in your consolidated records against the need for a satisfactory performance level by adapting the Log Consolidator Engine’s DNS settings to your needs: select Policy > Global Properties... from the menu and specify the appropriate settings in the DNS settings tab of the Log Consolidator SmartDashboard window. The new setting takes effect after a Log Consolidator Policy is installed, or when the Log Consolidator Engine is stopped and started.

Monitoring the Log Consolidator Engine and Database Statuses

The Log Consolidator Engine and SmartView Reporter Database statuses can be monitored through either of the SmartView Reporter clients. The SmartView Log Consolidator provides a detailed account of these statuses (as well as DNS statistics) through the Engine and Database status window, displayed by selecting Engine and Database status from the SmartView Log Consolidator’s Status menu. If this information cannot be obtained, the window specifies the reason for the problem (for example: the Log Consolidation Engine service is not started).
The SmartView Reporter Client offers more basic Consolidation information (such as the name of the log file being scanned and the target SmartView Reporter Database table) through its Management view.

It is recommended to check these statuses before you begin generating reports, to verify that the Log Consolidator Engine is indeed processing logs and that it has already saved the consolidated records to the SmartView Reporter Database.

SmartView Reporter Database Management

All database management operations are performed through the SmartView Log Consolidator’s Database menu.
Tuning the SmartView Reporter Database

To improve performance, adjust the database cache size to match the computer’s available memory. Place the database data and log files on different hard drives (physical disks), if available.

Modifying SmartView Reporter Database Configuration

It is possible to change the SmartView Reporter Database settings by editing the solid.ini file, located in the CheckPoint\SmartViewReporter\NG_AI\Database directory. Before editing the solid.ini file, you must:
1 Stop all SmartView Reporter services (such as the Log Consolidator, Reporter Database and Reporter Server services) by running rmdstop.
2 Back up the solid.ini file.

Note - Although it is possible to give the database file(s) any name, the naming convention cannot be changed: the file name must carry a *.db extension.

When editing a value in the solid.ini file, do not add any spaces or tabs before or after the = sign on each row. After completing your editing, restart the SmartView Reporter services by running rmdstart.

Changing the SmartView Reporter Database Cache Size

To change the Database cache size, modify the CacheSize value in the solid.ini file. CacheSize is the size of the memory cache in bytes and is always a multiple of 1024. Do not set a cache size that is too large to fit into the computer’s available memory.

Increasing the SmartView Reporter Database Size

The default size of the database is 20 GB, allocated as 10 separate files of 2 GB each. You can increase the allocated size of the database by adding more files. To increase the Reporting Database size limit, proceed as follows:

Warning - Make sure all the SmartView Reporter services are stopped before editing solid.ini.
1 In the [IndexFile] section of the solid.ini file, add lines with FileSpec_#. Each of these lines enlarges the Database size limit by 2 GB, which is the maximum byte size per line.

Warning - Do not change the size of an existing database file in order to increase database space.

For example, the following default configuration amounts to a 20 GB limit:

[IndexFile]
...
FileSpec_1=./Database/RT_Database.db 2147483647
FileSpec_2=./Database/RT_Database2.db 2147483647
FileSpec_3=./Database/RT_Database3.db 2147483647
...
FileSpec_10=./Database/RT_Database10.db 2147483647
CacheSize=33554432

Adding the following line enlarges the database size limit to 22 GB:

FileSpec_11=./Database/RT_Database11.db 2147483647

2 Restart the SmartView Reporter services.

Changing the SmartView Reporter Database Data and Log Files Location

Disk contention occurs when multiple processes try to access the same disk simultaneously. To avoid this, move files from heavily accessed disks to less active disks until they all carry roughly the same load. To improve performance, use a separate disk for Database Log files. To distribute the SmartView Reporter database files between different physical disks, proceed as follows:
1 Use a separate disk for Database Log files: under the [Logging] section in the solid.ini file, specify the new location of the log files by modifying the line:
FileNameTemplate=./Log/sol#####.log
For example:
FileNameTemplate=F:/ReporterLogs/sol#####.log
Do not change the original log file name, and ensure that the specified folder (e.g. F:/ReporterLogs) exists.
2 Divide Database files between several disks: under the [IndexFile] section, specify a new location for Database files by modifying the relevant Database file line (e.g. FileSpec_1, FileSpec_2 etc.). For example:
FileSpec_1=E:/RT_Database.db 2147483647
You must then physically move these files to their new locations.
3 Use a separate disk for the Sort folder: under the [Sorter] section, specify the new location of the Sort folder by modifying the line:
TmpDir_1=./Sort
For example:
TmpDir_1=D:/Sort
Make sure the specified location (e.g. D:/Sort) exists.

Backing Up the SmartView Reporter Database

The SmartView Reporter Database consists of a set of files that can be copied, compressed or backed up like any other files. Backup files require the same disk space as the original files. It is highly recommended to save backup copies of the SmartView Reporter Database files, which can later be used to recover from an unexpected database corruption. Proceed as follows:
1 Stop the SmartView Reporter services:
• Windows — in the Services window (accessed from the Start menu by selecting Settings > Control Panel > Services), select the Check Point Reporting Database Server service and click Stop. This automatically stops the Check Point SmartView Log Consolidator and the Check Point Reporting Database Server services as well.
• Solaris — use rmdstop.
2 From the SmartView Reporter Database directories, copy RT_Database.db through RT_Database10.db to the backup location (you may compress them to save disk space).
3 Restart the SmartView Reporter services, starting with the Check Point Reporting Database Server service.
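The solid.ini rules given in this section (no spaces or tabs around the = sign, at most 2147483647 bytes per FileSpec_# line, CacheSize a multiple of 1024, a *.db extension on every database file, and growing the database by adding files rather than resizing existing ones) can be checked mechanically before the services are restarted. The following Python script is an added example written for this page; it is not part of SmartView Reporter or Check Point's tooling. It assumes the solid.ini layout shown above, and SAMPLE_INI is a constructed two-file configuration, not a real installation's file.

```python
"""Lint and extend the [IndexFile] section of a SmartView Reporter solid.ini.

Added example for this page, not Check Point code. It assumes the layout shown
in the manual: FileSpec_N rows of the form "<path> <bytes>", a CacheSize row,
[Logging] FileNameTemplate and [Sorter] TmpDir_1.
"""
import re

MAX_FILE_BYTES = 2147483647   # largest byte size accepted per FileSpec line (2 GB)
GB = 1024 ** 3
FILESPEC_RE = re.compile(r"FileSpec_(\d+)")

# Constructed sample, modelled on the default configuration shown above.
SAMPLE_INI = """[IndexFile]
FileSpec_1=./Database/RT_Database.db 2147483647
FileSpec_2=./Database/RT_Database2.db 2147483647
CacheSize=33554432

[Logging]
FileNameTemplate=./Log/sol#####.log

[Sorter]
TmpDir_1=./Sort
"""


def parse_ini(text):
    """Return ({section: [(key, value), ...]}, problems).

    Each row is checked for the whitespace-around-'=' mistake the manual warns about.
    """
    sections, problems, current = {}, [], None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, [])
            continue
        if "=" not in line or current is None:
            problems.append(f"line {lineno}: unexpected row {raw!r}")
            continue
        key, value = raw.split("=", 1)
        if key != key.rstrip() or value != value.lstrip():
            problems.append(f"line {lineno}: whitespace around '=' in {raw!r}")
        sections[current].append((key.strip(), value.strip()))
    return sections, problems


def check_index_file(sections):
    """Validate FileSpec_N and CacheSize rows; return (size limit in bytes, problems)."""
    problems, total, numbers = [], 0, []
    for key, value in sections.get("IndexFile", []):
        m = FILESPEC_RE.fullmatch(key)
        if m:
            parts = value.split()
            if len(parts) != 2 or not parts[1].isdigit():
                problems.append(f"{key}: expected '<path> <bytes>', got {value!r}")
                continue
            path, size = parts[0], int(parts[1])
            if not path.lower().endswith(".db"):
                problems.append(f"{key}: database file name must carry a .db extension")
            if size > MAX_FILE_BYTES:
                problems.append(f"{key}: {size} exceeds the 2 GB maximum per file")
            numbers.append(int(m.group(1)))
            total += min(size, MAX_FILE_BYTES)
        elif key == "CacheSize":
            if not value.isdigit() or int(value) % 1024:
                problems.append(f"CacheSize must be a multiple of 1024, got {value!r}")
    if numbers != list(range(1, len(numbers) + 1)):
        problems.append(f"FileSpec numbers are not consecutive from 1: {numbers}")
    return total, problems


def lint(text):
    """All problems found in the file, in order of appearance (empty list if clean)."""
    sections, problems = parse_ini(text)
    return problems + check_index_file(sections)[1]


def size_limit_gb(text):
    """Database size limit implied by the FileSpec lines, rounded to whole GB."""
    sections, _ = parse_ini(text)
    return round(check_index_file(sections)[0] / GB)


def add_database_file(text, directory="./Database"):
    """Append the next FileSpec_N line (one more 2 GB file) instead of resizing an
    existing file, which the warning above forbids. Returns (new text, added line)."""
    lines = text.splitlines()
    spec_rows = [i for i, row in enumerate(lines) if FILESPEC_RE.match(row)]
    if not spec_rows:
        raise ValueError("no FileSpec_ lines found in [IndexFile]")
    n = max(int(FILESPEC_RE.match(lines[i]).group(1)) for i in spec_rows) + 1
    new_line = f"FileSpec_{n}={directory}/RT_Database{n}.db {MAX_FILE_BYTES}"
    lines.insert(spec_rows[-1] + 1, new_line)   # keep the FileSpec block contiguous
    return "\n".join(lines) + "\n", new_line


if __name__ == "__main__":
    print("problems:", lint(SAMPLE_INI) or "none")
    print("limit:", size_limit_gb(SAMPLE_INI), "GB")
    grown, added = add_database_file(SAMPLE_INI)
    print("added:", added, "-> limit:", size_limit_gb(grown), "GB")
```

Run as a script, it lints SAMPLE_INI, reports the 4 GB limit implied by its two FileSpec lines, and appends FileSpec_3 to raise the limit to 6 GB. To use it on an installation, read the real solid.ini contents into lint() after stopping the services with rmdstop, and write the extended text back only when lint() returns no problems, before running rmdstart.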
CHAPTER 3 How To

SmartView Reporter Instructions

In This Chapter

How to re-consolidate logs according to a different Consolidation Policy page 55
How to generate reports based on data unavailable in the Database page 56
How to include URL information in web activity reports page 56
How to retain log fields not listed in the Store Properties window page 57
How to adapt reports to your specific needs page 57
How to schedule generations of the same report using different settings (a different output or style) page 58
How to recover the SmartView Reporter Database page 58
How to interpret report results whose direction is “other” page 58
How to view report results without the SmartView Reporter Client page 58
How to upload reports to an FTP server page 60
How to improve performance page 61

This chapter provides information on advanced or specific configuration scenarios. For standard configuration instructions, see “SmartView Reporter Configuration” on page 38. For Express Report configuration, see “Express Reports Configuration” on page 40.

How to re-consolidate logs according to a different Consolidation Policy
To re-scan and re-consolidate log files that the Log Consolidator Engine has already processed, according to a different Consolidation Policy, you must undo (“Roll Back”) the installation of the current Consolidation Policy. In addition to removing the current Consolidation Policy, the Log Consolidator Engine deletes all consolidated records loaded into the SmartView Reporter Database since the last time this Policy was installed. The records deleted from the Database cannot be retrieved and are no longer available for report generation.

To undo the installation of the current Policy, choose Roll Back Installation from the Database menu. The process begins immediately and you can follow its progress by selecting Roll Back Installation Status from the Status menu.

If you wish to rescan logs without deleting their current consolidated records, install and start the Consolidation Policy using the Install and Start window’s Manual option, select the relevant logs and save the consolidated records to a separate target table. For more information on scanning specific logs, see “Setting the Log Consolidator Engine to Scan Specific Logs” on page 48.

How to generate reports based on data unavailable in the Database

To generate a report based on information that is not currently available in the SmartView Reporter Database, you must consolidate the relevant logs and save them to the Database. To consolidate a log file, make sure it is saved on the Management Server (if it is on a different log server, copy it to the Check Point Management Server) and proceed as follows:
1 Reinstall and start the Consolidation Policy. The Install and Start window is displayed.
2 Select the machine providing the logs for consolidation from the drop-down list and click Fetch data from log server to start retrieving the logs. The Start section’s options become available.
3 Choose Manual. You can now select the log file to be scanned (and later specify the log entry from which the Engine will start running).
4 The Log file drop-down list includes the specific file names of any log files copied from other log servers to the management server. Choose the log file you wish to consolidate and click OK.

How to include URL information in web activity reports
To view URL data in your reports, you must set your Security Policy to log this information. URL information is logged using URI or FTP resources, which are defined through the URI Resource Properties and FTP Resource Properties windows (respectively).

Because processing the detailed URL information inside the logs consumes a lot of resources, this processing is disabled by default. Note that you must also change the default settings if you want to use extended URLs and file extensions, as they are not available by default. To enable URL processing, run the following commands on your SmartView Reporter Server computer:
1 cpstop
2 log_consolidator -K true
3 cpstart

Next, open the SmartView Reporter Client’s Reports Selection Bar, Standard Reports view, select the FTP and Web Activity report sections, and ensure that the following sections are checked (selected):
• Top Pages
• Top Pages and their top sources
• Top Files
• Top file types

To disable detailed URL processing, run:
1 cpstop
2 log_consolidator -K false
3 cpstart

How to retain log fields not listed in the Store Properties window

The Store Properties window has been designed to make specifying the Consolidation settings easier by narrowing down the log fields list to the fields most commonly required for reports. If this list does not include a specific field you are interested in, you can still retain its original values by choosing the As Is Store Option.

How to adapt reports to your specific needs
The predefined reports have been designed to cover the most common reporting needs. In addition, they can easily be customized to address your specific query. If you cannot find a report that matches your exact query, choose the one that is closest to your needs, customize it (change its date range, filters etc.) and save it under a different name.

Filtering is a powerful tool for extracting new meanings out of existing reports. For example, if you filter the List of All Connections report by specifying your gateway as the destination, this Network Activity report becomes a Security report.

How to schedule generations of the same report using different settings (a different output or style)

To schedule generations of the same report using different settings, modify the original report, save it under a different name (e.g. Network_Activity_NYC, Network_Activity_Paris etc.) and specify the appropriate schedule for each modified report.

How to recover the SmartView Reporter Database

To recover the SmartView Reporter Database, proceed as follows:
1 Stop the SmartView Reporter Database service:
• Windows — go to the Services window, choose the Check Point SmartView Reporter Database service and select Stop.
• Solaris — run the command rmdstop.
2 Replace the original SmartView Reporter Database files with your backed up SmartView Reporter Database files in <SmartView Reporter directory>/NG_AI/database.
3 Delete the contents of the <SmartView Reporter directory>/NG_AI/database/Log directory.
4 Start the SmartView Reporter Database service normally.

How to interpret report results whose direction is “other”

To interpret direction data, the network’s topology must be defined accurately. If it is, connections whose direction is “Other” should be interpreted as attempts to connect to the FireWall itself.

How to view report results without the SmartView Reporter Client
You can make the report results available through an internet browser by checking FTP Upload or Web Upload in the Output tab of the Report Properties.

How to upload reports to a web server

In order to enable report uploads to a web server, you must configure the Report’s output properties and configure the web server to allow uploads.

Configuring the Report Output tab

1 Check the Web Upload checkbox.
2 Fill in the server properties in the fields to the right of the checkbox list, including the web server’s name or IP, the User Name and Password that SmartView Reporter uses to connect to the web server, and the Path of the directory in which the report results are saved.
3 Select how the newly uploaded report is saved: in a new directory, or overriding the previous report.

Configuring the web server

Define the Report’s virtual directory

1 You must define a virtual directory named reports in the web server’s root directory. All the Report files uploaded to the web server will be placed in this directory.
2 Grant this directory PUT command permission (also known as Write permission). It is not recommended that permission for anonymous http login be granted.

Create a directory for each Report

For the Web upload, SmartView Reporter uploads Report result files to the target directory. A target directory must exist at the time of the upload. The upload uses the http PUT operation, and on most web servers permission for this operation must be explicitly granted for the target directory. There are 2 ways to ensure that target directories exist:
1 Manual directory creation: on the web server, create a directory with the path <reports directory root>/<optional path field>/<ReportName> before generating the report. This operation needs to be done only once. Those who prefer to avoid installing and configuring scripts may prefer to create the directory manually. If you use this option, you must make sure to select Override Previous Report in the Reports Output tab. If you leave the Path field empty in the Reports Output tab, then you need to create the folder <reports directory root>/<ReportName> on the web server.
2 Automatic directory creation:
A Configure svr_webupload.pl by running the svr_webupload_config utility:
i On the SmartView Reporter server, in the RTDIR/bin directory, run the svr_webupload_config utility using the following command structure:
svr_webupload_config [-i perl_int_loc] [-p rep_dir_root]
where -i specifies the Perl interpreter location and -p specifies the path of the reports virtual directory which you previously configured. An example of the command is:
svr_webupload_config -i c:\perl\bin\perl.exe -p c:\Inetpub\wwwroot\reports
ii Copy the svr_webupload.pl file from the RTDIR/bin directory on the SmartView Reporter computer to the cgi-bin directory on the web server. Note that both the cgi-bin directory and the script name can be changed in the SmartView Reporter Client via the Tools > Options > Web Information > CGI Script Location field.
B Grant the svr_webupload.pl script (on the web server only) execution permission. It is not recommended that permission be granted for anonymous http login.

How to upload reports to an FTP server

In order to enable report uploads to an FTP server, you must configure the Report’s output properties.
Configuring the FTP upload

1 Check the FTP Upload checkbox.
2 Fill in the server properties in the fields to the right of the checkbox list, including the FTP server’s name or IP, the User Name and Password that SmartView Reporter uses to connect to the FTP server, and the Path of the directory in which the report results are saved.
3 Select how the newly uploaded report is saved: in a new directory, or overriding the previous report.
4 The FTP upload does not require any configuration on the FTP server. The root directory for all report uploads is the FTP root directory of the user specified in the User Name field.

How to improve performance

For the most up-to-date performance tuning information, see the Release Notes for SmartView Reporter at: http://www.checkpoint.com/techsupport/installation/ng/release_notes.html

Performance Tips

To maximize the performance of your SmartView Reporter Server, follow these guidelines:

Hardware Recommendations

• Use a computer that matches the minimum hardware requirements, as specified in the Release Notes.
• Configure the network connection between the SmartView Reporter Server machine and the SmartCenter, or the Log server, to the optimal speed.
• Use the fastest disk available, with the highest RPM (Revolutions per Minute).
• Increase computer memory. It significantly improves performance.
• Increase the database and log disk size (for example, by several gigabytes) to enable SmartView Reporter to cache information for better report generation performance. Allocating database and log disk space that is twice the space the database currently occupies improves report generation performance even more. If a report requires additional space for caching, this is noted in the report’s Generation Information section, which can be found under Appendix A > View generation information of the report result.
Installation

Choose a distributed configuration, dedicating a computer to Consolidation and Report generation operations only. Windows and Solaris platforms support both standalone and distributed installations. Linux and Nokia platforms support only distributed installations.

Log Consolidator

Improve the Log Consolidator Engine’s performance by configuring the following settings:
1 Set the Consolidation Rules to ignore immaterial logs.
2 Change the DNS resolution settings: open the Policy menu in SmartDashboard, select Global properties and change the settings in the DNS settings tab:
A To improve DNS resolution performance, modify the following:
• Maximum requests handled concurrently - set to 50. This value controls the number of threads handling DNS requests.
• Maximum cache items - set to 65536. This value defines the maximum number of resolved IP addresses held in the cache.
• Refresh cached items every - set to 24 hours. This value determines how long it takes for a resolved IP address to expire and be removed from the cache. If set too high, it may result in wrong data, because DHCP may change the addresses.
B To turn off reverse DNS resolution, uncheck the resolve source and destination names checkbox.
3 Increase the Log Consolidator memory pool: open the Policy menu in SmartDashboard, select Global properties, then select the Advanced settings tab. Set the maximum consolidation memory pool to 256 MB or 1 GB, according to the memory available on the Log Consolidator computer.

Report Units Generated

• Do not choose unnecessary reporting elements. Uncheck units and sections that are not relevant to your report. The Report Generator uses an internal cache for SQL query results, so not every unit you uncheck speeds up the report generation, but in general this results in a smaller report and reduced generation time.
• Table and Graph units that belong to the same section often use the same SQL, so unchecking only one of them may not decrease the generation time. It is recommended that you deselect (uncheck) an entire section.
• If you uncheck report units, you should also uncheck the matching category in the Summary unit, since it usually uses the same SQL query.

Every report contains a link to a file with the details of the SQL queries that the Report Generator runs, how many queries are cached and how long each query takes. To view it, scroll to Appendix A in the report result and click View generation information at the bottom of Appendix A.

Report Filters

If you define different filters for different reporting units that share the same cached SQL, the SQL caching is no longer viable and the report generation time increases significantly. It is recommended that you define filters at the report level only.

Report Time Frame

When setting a user-defined time frame for the report, specify a time frame in whole days. When setting a report period, note that the following settings slow down the report generation:
• Relative Time Frame: Today, Yesterday, Last X hours, This week.
• Specific dates: Limit by hour checkbox.
• Reports for short time periods are generated faster than reports for long time periods. A weekly report is generated much faster than a monthly report.

Report Generation Scheduling

Schedule report generation for times when there is less traffic and fewer logs are being generated, so that the Log Consolidator is consuming fewer resources. Schedule reports for nights and weekends.

Tuning SmartView Reporter Database

Adjust the database cache size to match your Server’s available memory. Place the database data and log files on different hard drives (physical disks), if available.
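The three DNS settings listed under Log Consolidator above (Maximum requests handled concurrently, Maximum cache items, Refresh cached items every) describe a bounded reverse-DNS cache with an expiry and a thread pool. The following Python model is an added example written for this page, not Check Point's implementation; it shows what each setting controls and reproduces the stale-name effect the text warns about when DHCP moves an address before the refresh interval expires. The ReverseDnsCache and FakePtrTable classes, the address table and the timestamps are all constructed for the demo so it runs offline.

```python
"""Model of the Log Consolidator DNS settings: bounded LRU cache of resolved
addresses (Maximum cache items), expiry after which an entry is resolved again
(Refresh cached items every) and a pool bounding concurrent lookups (Maximum
requests handled concurrently).

Added example for this page, not Check Point code. The resolver is a constructed
in-memory table so the demo needs no network.
"""
import threading
from collections import OrderedDict
from concurrent.futures import ThreadPoolExecutor
from datetime import datetime, timedelta


class ReverseDnsCache:
    def __init__(self, resolver, max_items=65536, refresh=timedelta(hours=24)):
        self._resolver = resolver            # callable: ip -> name
        self._max_items = max_items
        self._refresh = refresh
        self._cache = OrderedDict()          # ip -> (name, resolved_at), LRU order
        self._lock = threading.Lock()
        self.hits = self.misses = 0

    def lookup(self, ip, now):
        """Return the cached name if it is younger than the refresh interval,
        otherwise resolve again and (re)insert, evicting the least recently used."""
        with self._lock:
            entry = self._cache.get(ip)
            if entry and now - entry[1] < self._refresh:
                self._cache.move_to_end(ip)
                self.hits += 1
                return entry[0]
        name = self._resolver(ip)            # resolved outside the lock so lookups overlap
        with self._lock:
            self.misses += 1
            self._cache[ip] = (name, now)
            self._cache.move_to_end(ip)
            while len(self._cache) > self._max_items:
                self._cache.popitem(last=False)
        return name

    def lookup_many(self, ips, now, concurrency=50):
        """Resolve a batch with at most `concurrency` lookups in flight."""
        with ThreadPoolExecutor(max_workers=concurrency) as pool:
            return list(pool.map(lambda ip: self.lookup(ip, now), ips))

    def cached_ips(self):
        return list(self._cache)


class FakePtrTable:
    """Constructed stand-in for reverse DNS; the dict plays the role of the zone."""
    def __init__(self, names):
        self.names = dict(names)
        self.queries = 0

    def __call__(self, ip):
        self.queries += 1
        return self.names.get(ip, ip)        # unresolvable addresses stay numeric


def demo_stale_entry():
    """Names seen for 10.0.0.5 before and after its DHCP lease moves to another host."""
    zone = FakePtrTable({"10.0.0.5": "alice-pc.example"})
    cache = ReverseDnsCache(zone, refresh=timedelta(hours=24))
    t0 = datetime(2003, 10, 1, 8, 0)
    first = cache.lookup("10.0.0.5", t0)
    zone.names["10.0.0.5"] = "bob-pc.example"                    # lease reassigned
    within = cache.lookup("10.0.0.5", t0 + timedelta(hours=1))   # stale hit
    after = cache.lookup("10.0.0.5", t0 + timedelta(hours=25))   # refreshed
    return first, within, after, zone.queries


def demo_eviction():
    """Addresses still cached after the Maximum cache items limit is exceeded."""
    zone = FakePtrTable({"10.0.0.1": "a", "10.0.0.2": "b", "10.0.0.3": "c"})
    cache = ReverseDnsCache(zone, max_items=2)
    now = datetime(2003, 10, 1, 8, 0)
    cache.lookup_many(["10.0.0.1", "10.0.0.2"], now, concurrency=2)
    cache.lookup("10.0.0.1", now)     # touch 10.0.0.1 so 10.0.0.2 becomes least recent
    cache.lookup("10.0.0.3", now)     # third entry evicts 10.0.0.2
    return cache.cached_ips()


if __name__ == "__main__":
    print("stale-entry demo:", demo_stale_entry())
    print("eviction demo:", demo_eviction())
```

With a 24 hour refresh, the cache reports the old host name for the whole hour after the lease changes and only queries the zone again once the entry has expired; a shorter refresh trades more DNS queries (and slower consolidation) for fresher names, which is the balance the DNS settings tab lets you choose.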
Appendix A Out_of_the_box Consolidation Policy

In This Appendix

Overview page 65
Out_of_the_box Consolidation Rules page 66

Overview

The predefined, out_of_the_box Consolidation Policy consists of fifteen Consolidation Rules. Each Rule addresses a certain type of log (e.g. alerts, blocked or broadcast logs) and specifies whether to ignore it or store it. If a log is to be stored, the Rule specifies its Store Properties:
• As Is — all log fields are stored in the SmartView Reporter Database and are available for report generation. This is the default storage option.
• Consolidated — specify the following Consolidation parameters:
  • Consolidation Interval — the interval at which logs matching this Rule are consolidated (e.g. all logs generated within a 10 minute interval). Hourly intervals are measured.
  • Original Values Retained — the log fields whose original values are retained (in addition to the Product, Origin, Date and Customer log fields, whose values are always saved). The other fields’ values are merged (consolidated) with the corresponding values of the logs included in this interval.
Out_of_the_box Consolidation Rules

TABLE A-1 describes the function of each Rule and specifies its Store Properties.

TABLE A-1 Out_of_the_box Consolidation Rules

Rule No. | Description | Cons. Interval | Original Values Retained
1 | Consolidate and store alert logs. | 10 minutes | URL (full path), Action, Service, Source, Destination, User, Interface and Rule Number.
2 | Consolidate and store blocked (rejected or dropped) connection logs. | none | All (store as is).
3 | Consolidate and store approved HTTP connection logs. | 10 minutes | URL (full path), Action, Service, Source, Destination, User, Interface and Rule Number.
4 | Consolidate all SMTP logs. | 1 hour | Action, Service, Source, Destination, User, Interface and Rule Number.
5 | Consolidate and store approved FTP logs. | 10 minutes | URL (full path), Action, Service, Source, Destination, User, Interface and Rule Number.
6 | Ignore all message logs. Placing this Rule first enables the Engine to scan the logs quickly and efficiently. | none | All (store as is).
7 | By default, this Rule is inactive. If activated, it filters out all broadcast message logs. | none | None (ignored).
8 | Ignore both approved and blocked bootp (Bootstrap Protocol, used to boot diskless systems) packet logs. | none | None (ignored).
9 | Ignore both approved and blocked nbdatagram logs. | none | All (store as is).
10 | Ignore all NBT logs. NBT are NetBios services. | none | None (ignored).
11 | Ignore both approved and blocked nbsession logs. | none | None (ignored).
12 | Ignore both approved and blocked DNS logs. | none | None.
13 | Consolidate and store approved POP-3 logs. | 1 hour | Action, Service, Source, Destination, User, Interface and Rule Number.
14 | Consolidate and store NTP logs. NTP is a time protocol that provides access over the Internet to systems with precise clocks. | 1 hour | Action, Service, Source, Destination, User, Interface and Rule Number.
15 | Consolidate and store connections that do not match any of the previous Rules. | 1 hour | URL (full path), Action, Service, Source, Destination, User, Interface and Rule Number.
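The Rule semantics described in the Store Options section of Chapter 2 (first matching Rule wins; Ignore skips the log; As Is keeps every field; Consolidated merges the logs of one interval that share the retained field values into a single record) and the Rules of TABLE A-1 can be exercised on a small log stream. The following Python simulation is an added example written for this page and is not Check Point's consolidation engine. It assumes that intervals are aligned to the start of the hour a log falls in, and that merging the non-retained fields means counting connections and summing bytes; the field names, the four-Rule policy (modelled on Rules 12, 2, 4 and 15) and SAMPLE_LOGS are all constructed.

```python
"""Simulate Consolidation Rules: Ignore / Store As Is / Store Consolidated.

Added example for this page, not Check Point code. Assumptions: intervals are
aligned to the top of the hour, and merging the non-retained fields means
counting connections and summing bytes. Field names are this example's own.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Callable, Optional

# Fields whose values are always saved; the Date is kept as the interval start.
ALWAYS_RETAINED = ("product", "origin", "customer")


@dataclass
class Rule:
    name: str
    match: Callable[[dict], bool]
    action: str                            # "ignore" or "store"
    interval: Optional[timedelta] = None   # None with "store" means As Is
    retained: tuple = ()                   # Original Values Retained


def interval_start(ts, interval):
    """Start of the interval containing ts, counted from the top of the hour (assumption)."""
    hour = ts.replace(minute=0, second=0, microsecond=0)
    return hour + int((ts - hour) / interval) * interval


def consolidate(logs, rules):
    """Return (as-is records, consolidated records, counters) for a log stream."""
    as_is, merged = [], {}
    counters = {"ignored": 0, "as_is": 0, "consolidated": 0}
    for entry in logs:
        rule = next((r for r in rules if r.match(entry)), None)   # first match wins
        if rule is None or rule.action == "ignore":
            counters["ignored"] += 1
            continue
        if rule.interval is None:
            as_is.append(dict(entry))
            counters["as_is"] += 1
            continue
        fields = ALWAYS_RETAINED + rule.retained
        start = interval_start(entry["date"], rule.interval)
        kept = {k: entry.get(k) for k in fields}
        key = (rule.name, start) + tuple(kept[k] for k in fields)
        rec = merged.get(key)
        if rec is None:
            rec = merged[key] = {"cons_rule": rule.name, "date": start, **kept,
                                 "connections": 0, "bytes": 0}
        rec["connections"] += 1                  # non-retained values are merged
        rec["bytes"] += entry.get("bytes", 0)
        counters["consolidated"] += 1
    return as_is, list(merged.values()), counters


COMMON = ("action", "service", "source", "destination", "user", "interface", "rule")
POLICY = [
    Rule("ignore DNS", lambda e: e["service"] == "domain-udp", "ignore"),              # cf. Rule 12
    Rule("blocked as is", lambda e: e["action"] in ("drop", "reject"), "store"),      # cf. Rule 2
    Rule("SMTP hourly", lambda e: e["service"] == "smtp", "store",
         timedelta(hours=1), COMMON),                                                  # cf. Rule 4
    Rule("catch-all hourly", lambda e: True, "store",
         timedelta(hours=1), ("url",) + COMMON),                                       # cf. Rule 15
]


def make_log(ts, action, service, source, destination, **extra):
    """Constructed fw.log-style record."""
    rec = {"product": "VPN-1 & FireWall-1", "origin": "gw-1", "customer": "", "date": ts,
           "action": action, "service": service, "source": source, "destination": destination,
           "user": None, "interface": "eth0", "rule": 1, "url": None, "bytes": 0}
    rec.update(extra)
    return rec


T = datetime(2003, 10, 1, 9, 0)
SAMPLE_LOGS = [
    make_log(T + timedelta(minutes=5), "accept", "smtp", "10.1.1.5", "10.2.2.25", bytes=1200),
    make_log(T + timedelta(minutes=20), "accept", "smtp", "10.1.1.5", "10.2.2.25", bytes=800),
    make_log(T + timedelta(minutes=50), "accept", "smtp", "10.1.1.5", "10.2.2.25", bytes=400),
    make_log(T + timedelta(minutes=70), "accept", "smtp", "10.1.1.5", "10.2.2.25", bytes=300),
    make_log(T + timedelta(minutes=1), "accept", "domain-udp", "10.1.1.5", "10.2.2.53"),
    make_log(T + timedelta(minutes=2), "accept", "domain-udp", "10.1.1.6", "10.2.2.53"),
    make_log(T + timedelta(minutes=15), "drop", "http", "192.0.2.9", "10.1.1.5", rule=0),
    make_log(T + timedelta(minutes=15), "accept", "https", "10.1.1.7", "198.51.100.4", bytes=5000),
]


def run_sample():
    return consolidate(SAMPLE_LOGS, POLICY)


def summarize(records):
    """Compact, sortable view of consolidated records: (rule, interval, connections, bytes)."""
    return sorted((r["cons_rule"], r["date"].isoformat(), r["connections"], r["bytes"])
                  for r in records)


if __name__ == "__main__":
    as_is, records, counters = run_sample()
    print(counters)
    for row in summarize(records):
        print(row)
```

Eight constructed logs collapse to one As Is record, three consolidated records (two hourly SMTP intervals and one catch-all) and two ignored DNS logs; the SMTP records carry no URL field because Rule 4 does not retain it, which is why the Web Activity reports depend on the HTTP and FTP Rules instead.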
Appendix B Predefined Reports

In This Appendix

Executive Reports page 69
Network Activity Reports page 71
Security Reports page 74
VPN-1 Reports page 74
User Activity Reports page 75
My Reports page 76

This appendix describes the predefined reports available under each subject and specifies the report ID required for command line generation.

Executive Reports

This subject includes a collection of reports from other subjects that are of special interest to executives.

Standard Reports

• Most Interesting — presents an overview of network activity handled through FireWall-1, according to the sources selected as being of greatest interest for tracking purposes. Report ID — 3C522E32-843E-43D4-8CB7-9436632CC85D.
• Network Activity — presents the network traffic that FireWall-1 accepted. It includes data on the total traffic load, specific services load, traffic source, destination and direction data. The report presents data for all connections that were accepted, encrypted and decrypted by FireWall-1. Report ID — F9D9020E-95E0-4104-A1F4-9E1B1B0DA00D.
• Web Activity — presents data on the web traffic through FireWall-1. It includes data on the total web traffic load and the distribution of web traffic by time period and direction. Report ID — 696B6E03-DE24-4BBC-A098-B4BF390BB5C5.
• Incoming Network Activity — provides an overview of the incoming network activity handled by FireWall-1. It includes data on the incoming traffic load, specific services load, and distribution by source and destination. Report ID — F0732D17-8C89-4603-8A74-2AEAE917A2A1.
• Outgoing Network Activity — provides an overview of the outgoing network activity handled by FireWall-1. It includes data on the outgoing traffic load, specific services load, and distribution by source and destination. Report ID — 4D73AE89-D5BA-47C5-A9F9-0CA3DF6E0178.
• Internal Network Activity — provides an overview of the internal network activity handled by FireWall-1. It includes data on the internal traffic load, specific services load, and distribution by source and destination. Report ID — F53C3DF6-FEB5-4576-8A92-C3231F920C54.
• Smart Defense Attacks — presents the security attacks detected by Smart Defense. It includes the distribution of alerts by source, destination, service, date and time. Report ID — B389979B-016E-4B22-BA70-3345FCF270EF.
• User Activity — presents the network traffic produced by authenticated users. It includes data on the authenticated users producing both the total and the service-specific traffic load. Report ID — AAEC6832-BEAD-4A78-BA2D-00C909D67199.
• Encrypted Network Activity — presents the network traffic that FireWall-1 encrypted. It includes data on the total encrypted traffic load, as well as the distribution of encrypted traffic by service and by traffic direction. Report ID — D530FB3F-DB49-4EB7-8AF2-299F7079082E.
• Rule Based Activity for a Specific Gateway — presents an analysis of the FireWall-1 Rule Base for a specific gateway. It includes data on the most and least matched rules, as well as the distribution of rules matched by services, sources and destinations. The report is designed for the analysis of a single gateway; using it to study multiple gateways may produce misleading results. Report ID — 436681BE-176E-4F8E-B503-7C4566E4EE4F.

Express Reports

• Network Activity — presents the network traffic that FireWall-1 accepted. It includes data on the total traffic load, specific services load, traffic source, destination and direction data. The report presents data for all connections that were accepted, encrypted and decrypted by FireWall-1. Report ID — B483F96A-E911-4F45-940C-A3F5E0AAD2FA.
• Smart Defense Attacks — presents the security attacks detected by Smart Defense. It includes the distribution of alerts by source, destination, service, date and time. Report ID — 6E21A9BC-AA05-457F-A0C4-9CBD153F6370.
• VPN-1 Activity — presents an overview of the traffic handled by VPN-1 modules. It includes data on traffic encrypted and decrypted by VPN-1 modules. Report ID — 03906744-8656-4B44-BE05-E2D58BA8D80C.
• VPN-1 Tunnels — presents data regarding the processes involved in tunnel creation by VPN-1 modules. It includes data on VPN-1 and remote access tunnels, as well as on IKE negotiations. Report ID — 96B5F28C-3AAE-4C4D-BDF6-6998C3241E20.
• System Information — provides data on system status, including CPU, memory and disk space usage. Report ID — 51A6F08C-FC0E-48B8-9057-007C26C980D2.

Network Activity Reports

Standard Reports

• Network Activity — presents the network traffic that FireWall-1 accepted, encrypted and decrypted. It includes data on the total traffic load, specific services load, traffic source, destination and direction data. Report ID — 0A4E3BB9-55C0-11d6-A342-0002B3321334.
• Web Activity — presents the web traffic handled by FireWall-1. It includes data on the total web traffic load and on its distribution by direction. Report ID — 7B12F481-5DF0-11d6-A343-0002B3321334.
• FTP Activity — presents the FTP traffic handled by FireWall-1. It includes data on the total FTP traffic load and on its distribution by direction. Report ID — 7B12F482-5DF0-11d6-A343-0002B3321334.
• SMTP Activity — presents the SMTP traffic handled by FireWall-1. It includes the SMTP traffic load and its distribution by top sources, by date, day of the week, hour of the day, sources, servers and direction. Report ID — 7B12F483-5DF0-11D6-A343-0002B3321334.
• POP3 Activity — presents the POP3 activity handled by FireWall-1. It includes POP3 activity and distribution by top sources, by date, day of the week, hour of the day, sources, servers and direction.
Report ID — 70D7A36F-B3E1-45B7-BDC9-165E35653538. • Incoming Network Activity — provides an overview of the incoming network activity handled by FireWall-1. It includes data on the incoming traffic load, specific services load, distribution by source and destination. Report ID — 7C607EC1-3A78-11d6-A33C-0002B3321334. Appendix B 71
  • 72. • Incoming Web Activity — presents the incoming web traffic. It includes data on the most visited sites, pages and files, as well as the sources outside the organization exploring your web site. Report ID — 7C607EC2-3A78-11d6-A33C-0002B3321334. • Incoming FTP Activity — presents the incoming FTP traffic. It includes data on the most visited FTP servers, the most downloaded files and the sources outside the organization downloading these files. Report ID — 7C607EC3-3A78-11d6-A33C-0002B3321334. • Incoming SMTP Activity — presents the incoming Email traffic. It includes activity and distribution by top senders, top recipients, top sources, by date, day of the week, and hour of the day. Report ID — 7C607EC4-3A78-11d6-A33C-0002B3321334. • Outgoing Network Activity — provides an overview of the outgoing network activity handled by FireWall-1. It includes data on the outgoing traffic load, specific services load, distribution by source and destination. Report ID —1375AD84-49F1-11d6-A340-0002B3321334. • Outgoing Web Activity — presents the outgoing web traffic. It includes data on the most visited sites, pages and files, as well as on the sources inside the organization exploring the Internet. Report ID — 1375AD85-49F1-11d6-A340-0002B3321334. • Outgoing FTP Activity — presents the outgoing FTP traffic. It includes data on the most visited FTP servers, the most downloaded files and the sources inside the organization downloading these files. Report ID —1375AD86-49F1-11d6-A340-0002B3321334. • Outgoing SMTP Activity — presents the outgoing SMTP traffic. It includes data on senders inside the organization and on the top destinations. Report ID —1375AD87-49F1-11d6-A340-0002B3321334. • Internal Network Activity — provides an overview of the internal network activity handled by FireWall-1. It includes data on the internal traffic load, specific services load, distribution by source and destination. Report ID — B724EABC-581D-11d6-A342-0002B3321334. 
• Internal Web Activity — presents the internal web traffic. It includes data on the most visited sites, pages and files, as well as the sources inside the organization exploring your intranet. Report ID —B724EABD-581D-11d6-A342-0002B3321334. • Internal FTP Activity — presents the internal FTP traffic. It includes data on the most visited FTP servers and most downloaded files, as well as the sources inside the organization downloading these files. Report ID —B724EABE-581D-11d6-A342-0002B3321334.72
  • 73. • FireWall-1 Activity — presents the network activity handled by FireWall-1. It includes data on the traffic load, specific services load and distribution of traffic by direction, source and destination. The report shows data for all connections handled by FireWall-1, as well as the actions it took (accept, reject, encrypt, etc.). Report ID — 0A4E3BC7-55C0-11d6-A342-0002B3321334.• List of All Connections — presents the details of all connections. It can be used for specific security or network behavior inspection. Use this report to collect specific data by filtering only the data you wish to view. Report ID — 9CBEE3F3-DA22-46a8-B13B-3BF4D5E1D2EA.Express Reports• Network Activity — presents the network traffic for top modules over time per specific connections, services, sources, destinations and per rule. Report ID — DB3CBF73-DC1C-4E0C-8D04-8000EA64FF5F.• Selected Services — presents the an overview of selected services: FTP, HTTP, HTTPS, SMTP, TELNET and POP3. Includes data on traffic byte load, byte rate and the number of concurrent connections for these services. Report ID — 3D7854AB-6118-437F-87A3-71BD392E7DF3.• FireWall-1 Activity — presents the network activity handled by FireWall-1. It includes data on the top modules packet load and top modules accept/reject/drop behavior, as well as examining load behavior by hour and by day. Report ID — F9504B51-4E93-484E-BA9B-747632278B65.• FireWall-1 Memory — presents the network activity handled by FireWall-1. It includes data on the traffic load, specific services load and distribution of traffic by direction, source and destination. The report shows data for all connections handled by FireWall-1, as well as the actions it took (accept, reject, encrypt, etc.). Report ID — F896C74F-72F0-47A8-A54D-0974B518E9CD.• FTP Activity — presents the FTP activity for modules. 
It includes data on the top modules FTP action’s success and failure most visited FTP servers and most downloaded files, as well as the sources inside the organization downloading these files. Report ID — C0D0C34B-F35D-4482-9CF8-631B7ACEEE57.• SMTP Activity — presents the SMTP traffic. It includes data on the top modules SMTP Emails, connections, concurrent connections, activity load. Report ID — 9BE87F3D-AADC-425D-B59E-E4B221564FAD. Appendix B 73
  • 74. Security Reports Standard Reports • Security — presents the security aspects handled by FireWall-1. It includes the distribution of traffic by the FireWall-1 action taken and data on the traffic originating from or addressed to FireWall-1 itself. Report ID — 475AD890-2AC0-11d6-A330-0002B3321334. • Smart Defense Attacks — This report presents the security attacks detected by Smart Defense. It includes the distribution of alerts by source, destination, service, date and time. Report ID — F76CEB9F-6718-4875-8273-54A0F420BC13. • Blocked Connections — presents connections blocked by FireWall-1. It includes data on blocked connections in various traffic directions and on the distribution of blocked connections by sources, destinations and services. Report ID — 475AD891-2AC0-11d6-A330-0002B3321334.l • Alerts — presents the alerts issued by FireWall-1. It includes the entire list of alerts issued, as well as the distribution of alerts by source, destination and service. Report ID — 475AD894-2AC0-11d6-A330-0002B3321334. • Rule Base Analysis for Specific Gateway— presents an analysis of FireWall-1’s Security Rule Base. It includes data on the most and least matched Rules, distribution of Rules being matched by services sources and destinations. Report ID — 475AD88E-2AC0-11d6-A330-0002B3321334. • Policy Installations Analysis for Specific Gateway — presents Policy installations. It includes data regarding the number of Policy installations. Report ID — 475AD88F-2AC0-11d6-A330-0002B3321334. Express Reports • Smart Defense Attacks — This report presents the security attacks detected by Smart Defense by module. It includes the distribution of alerts by source, destination, service, date and time. Report ID — 9947930D-8C99-4680-A1DE-F5CF8732E87B.VPN-1 Reports Standard Reports • Encrypted Network Activity — presents the network traffic encrypted by FireWall-1. 
It includes data on total encrypted traffic load, distribution of encrypted traffic by services and by traffic direction. Report ID — 0A4E3BC6-55C0-11d6-A342-0002B3321334. • VPN Tunnel for Specific Gateway — provides data on VPN connections. It presents the peer gateway’s activity, VPN tunnel creation and VPN traffic distribution. The report is designed to produce results for a single VPN-1 gateway. Using this report74
  • 75. for multiple VPN-1 gateways may produce misleading results. To obtain data regarding multiple VPN-1 gateways, use the VPN-1 Community report. Report ID — E74B0FA9-7617-11d6-A351-0002B3321334. • VPN Community — provides data on the VPN community’s activity. The report can also be used for any set of multiple VPN gateways. The report provides data on VPN encrypted traffic activity, VPN tunnel creation activity and its distribution throughout the day. Report ID — BD534B0B-C4CA-41c4-A996-76D3317FF2D2. Express Reports • VPN-1 Activity — presents the network traffic encrypted by FireWall-1. It includes data on total encrypted traffic load, distribution of encrypted traffic by services and by traffic direction. Report ID — E276053F-19B2-429C-9FB2-21BA0DE5B6B2. • VPN-1 Tunnel — presents data regarding VPN tunnel creation. It includes data regarding number of concurrent tunnels per top modules, averages and peaks, IKE negotiation successes and failures, and negotiation times. Report ID — B640C862-DF0E-485E-A0B0-086E0D35EC76. • VPN Accelerator — presents data regarding network traffic encrypted by FireWall-1. It includes data on top modules VPN Accelerator compression and decompression traffic load, VPN Accelerator compression and decompression errors, and VPN Accelerator activity over time. Report ID — 4D585F97-1E48-4F5A-9DCB-51AF5B61F6BA. • VPN Compression — presents the amount of IP Compression per module. It includes data on top modules compression and decompression load, compression and decompression errors, and duration. Report ID — 62611BAD-DC70-4C5A-A76F-804050E31708.User Activity Reports Standard Reports • User Activity — presents the network traffic produced by authenticated users. It includes data on authenticated users producing both the total and service-specific traffic load. Report ID — D7CD8E72-6978-48db-897A-365ED6B42482. • Web Activity — presents the network traffic produced by web activity. 
It includes data on web activity by top users, top sites, top sources, top files, direction, and load per day of week. Report ID — 2CB9CBC0-50E2-4C09-A5A4-28FA9C2A3BBB. Appendix B 75
  • 76. • SecureClient Users Activity — presents SecureClient activity as it was logged by the alerts uploaded from the desktop. The report also shows Policy Server activity information. Report ID — E387C01B-0373-406a-84BC-DAF15A3E5759. • List of All SecureClient Users Login — presents details of all login actions of SecureClient users to FireWall-1. It can be used for specific or user behavior inspection. You may use this report to collect data by filtering only the users you wish to view. Report ID — 20CBB924-B685-4bad-B3AB-2C08AA51FDB7.System Information Reports • System Information — presents details regarding system behavior and system conditions. Presents details per top module of Operating System activity, kernel activity, CPU usage, free disk space, memory usage, and virtual memory usage over time. Report ID — 26450EBC-37B4-4465-A9E0-F3FFA61917E6.My Reports This subject includes predefined reports you have customized and saved under different names, to better address your specific needs.76