Smart viewreporter

SmartView Reporter NG with Application Intelligence (R55)

For additional technical information about Check Point products, consult Check Point's SecureKnowledge at http://support.checkpoint.com/kb/

See the latest version of this document in the User Center at: http://www.checkpoint.com/support/technical/documents/docs_r55.html

Part No.: 700727
October 2003
© 2002-2004 Check Point Software Technologies Ltd.

All rights reserved. This product and related documentation are protected by copyright and distributed under licensing restricting their use, copying, distribution, and decompilation. No part of this product or related documentation may be reproduced in any form or by any means without prior written authorization of Check Point. While every precaution has been taken in the preparation of this book, Check Point assumes no responsibility for errors or omissions. This publication and features described herein are subject to change without notice.

RESTRICTED RIGHTS LEGEND: Use, duplication, or disclosure by the government is subject to restrictions as set forth in subparagraph (c)(1)(ii) of the Rights in Technical Data and Computer Software clause at DFARS 252.227-7013 and FAR 52.227-19.

TRADEMARKS: Check Point, the Check Point logo, ClusterXL, ConnectControl, FireWall-1, FireWall-1 GX, FireWall-1 SecureServer, FireWall-1 SmallOffice, FireWall-1 VSX, FireWall-1 XL, FloodGate-1, INSPECT, INSPECT XL, IQ Engine, MultiGate, Open Security Extension, OPSEC, Provider-1, SecureKnowledge, SecurePlatform, SecureXL, SiteManager-1, SmartCenter, SmartCenter Pro, SmartDashboard, SmartDefense, SmartLSM, SmartMap, SmartUpdate, SmartView, SmartView Monitor, SmartView Reporter, SmartView Status, SmartView Tracker, SmartConsole, TurboCard, Application Intelligence, SVN, UAM, User-to-Address Mapping, UserAuthority, VPN-1, VPN-1 Accelerator Card, VPN-1 Net, VPN-1 Pro, VPN-1 SecureClient, VPN-1 SecuRemote, VPN-1 SecureServer, VPN-1 SmallOffice and VPN-1 VSX are trademarks or registered trademarks of Check Point Software Technologies Ltd. or its affiliates. All other product names mentioned herein are trademarks or registered trademarks of their respective owners.

The products described in this document are protected by U.S. Patent No. 6,496,935, 5,606,668, 5,699,431 and 5,835,726 and may be protected by other U.S. Patents, foreign patents, or pending applications.

THIRD PARTIES:

Entrust is a registered trademark of Entrust Technologies, Inc. in the United States and other countries. Entrust's logos and Entrust product and service names are also trademarks of Entrust Technologies, Inc. Entrust Technologies Limited is a wholly owned subsidiary of Entrust Technologies, Inc. FireWall-1 and SecuRemote incorporate certificate management technology from Entrust.

Verisign is a trademark of Verisign Inc.

The following statements refer to those portions of the software copyrighted by University of Michigan. Portions of the software copyright © 1992-1996 Regents of the University of Michigan. All rights reserved. Redistribution and use in source and binary forms are permitted provided that this notice is preserved and that due credit is given to the University of Michigan at Ann Arbor. The name of the University may not be used to endorse or promote products derived from this software without specific prior written permission. This software is provided "as is" without express or implied warranty.

Copyright © Sax Software (terminal emulation only).

The following statements refer to those portions of the software copyrighted by Carnegie Mellon University. Copyright 1997 by Carnegie Mellon University. All Rights Reserved. Permission to use, copy, modify, and distribute this software and its documentation for any purpose and without fee is hereby granted, provided that the above copyright notice appear in all copies and that both that copyright notice and this permission notice appear in supporting documentation, and that the name of CMU not be used in advertising or publicity pertaining to distribution of the software without specific, written prior permission. CMU DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE, INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS, IN NO EVENT SHALL CMU BE LIABLE FOR ANY SPECIAL, INDIRECT OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.

The following statements refer to those portions of the software copyrighted by The Open Group. THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE OPEN GROUP BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. Copyright © 1998 The Open Group.

The following statements refer to those portions of the software copyrighted by The OpenSSL Project. This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.openssl.org/). THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT "AS IS" AND ANY EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

The following statements refer to those portions of the software copyrighted by Eric Young. THIS SOFTWARE IS PROVIDED BY ERIC YOUNG "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

The following statements refer to those portions of the software copyrighted by Jean-loup Gailly and Mark Adler. Copyright (C) 1995-2002 Jean-loup Gailly and Mark Adler. This software is provided as-is, without any express or implied warranty. In no event will the authors be held liable for any damages arising from the use of this software. Permission is granted to anyone to use this software for any purpose, including commercial applications, and to alter it and redistribute it freely, subject to the following restrictions:
  1. The origin of this software must not be misrepresented; you must not claim that you wrote the original software. If you use this software in a product, an acknowledgment in the product documentation would be appreciated but is not required.
  2. Altered source versions must be plainly marked as such, and must not be misrepresented as being the original software.
  3. This notice may not be removed or altered from any source distribution.

The following statements refer to those portions of the software copyrighted by the Gnu Public License. This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received a copy of the GNU General Public License along with this program; if not, write to the Free Software Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.

The following statements refer to those portions of the software copyrighted by Thai Open Source Software Center Ltd and Clark Cooper. Copyright (c) 2001, 2002 Expat maintainers. Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions: The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software. THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

Check Point Software Technologies Ltd.
U.S. Headquarters: 800 Bridge Parkway, Redwood City, CA 94065, Tel: (650) 628-2000, Fax: (650) 654-4233, info@CheckPoint.com
International Headquarters: 3A Jabotinsky Street, Ramat Gan, 52520, Israel, Tel: 972-3-753 4555, Fax: 972-3-575 9256, http://www.checkpoint.com
Table Of Contents

Chapter 1  Getting Started
  Installing SmartView Reporter  5
    Overview  5
    Standalone Installation  6
    Distributed Installation  9
  Starting SmartView Reporter  21

Chapter 2  SmartView Reporter
  The Need for Reports  27
  SmartView Reporter Solution  28
    SmartView Reporter — Overview  28
    Log Consolidation Process  30
    SmartView Reporter Standard Reports  32
    SmartView Reporter Express Reports  33
    Predefined Reports  33
  SmartView Reporter Considerations  35
    Standalone vs. Distributed Deployment  35
    Log Availability vs. Log Storage and Processing  36
    Log Consolidation Phase Considerations  36
    Report Generation Phase Considerations  37
  SmartView Reporter Configuration  38
    Basic Configuration Scenario  38
    Required Security Policy Configuration  39
    Express Reports Configuration  40
    Report Generation Configuration  40
    Consolidation Policy Configuration  45
  SmartView Reporter Database Management  49

Chapter 3  How To
  SmartView Reporter Instructions  55
    How to re-consolidate logs according to a different Consolidation Policy  55
    How to generate reports based on data unavailable in the Database  56
    How to include URL information in web activity reports  56
    How to retain log fields not listed in the Store Properties window  57
    How to adapt reports to your specific needs  57
    How to schedule generations of the same report using different settings (a different output or style)  58
    How to recover the SmartView Reporter Database  58
    How to interpret report results whose direction is "other"  58
    How to view report results without the SmartView Reporter Client  58
    How to upload reports to a web server  59
    How to upload reports to an FTP server  60
    How to improve performance  61

Appendix A  Out_of_the_box Consolidation Policy
  Overview  65
  Out_of_the_box Consolidation Rules  66

Appendix B  Predefined Reports
  Executive Reports  69
  Network Activity Reports  71
  Security Reports  74
  VPN-1 Reports  74
  User Activity Reports  75
  System Information Reports  76
  My Reports  76

Index  77
CHAPTER 1  Getting Started

In This Chapter
  Installing SmartView Reporter  page 5
  Starting SmartView Reporter  page 21

Installing SmartView Reporter

In This Section
  Overview  page 5
  Standalone Installation  page 6
  Distributed Installation  page 9

Overview

SmartView Reporter can be installed in either a "Standalone" installation or a "Distributed" installation:
  • Standalone installation: SmartView Reporter is installed on the SmartCenter Server machine.
  • Distributed installation: SmartView Reporter is installed on a machine dedicated to reporting. In addition, the SmartView Reporter Add-on is installed on the SmartCenter Server machine. The add-on contains both data files (with report definitions) and a component that allows SmartDashboard to connect to the SmartView Reporter Server. A distributed installation requires establishing Secure Internal Communication (SIC) between the two machines.

The distributed installation is recommended, since it provides better performance.

Performance Tips

To maximize the performance of your SmartView Reporter Server, follow these guidelines:

Hardware Recommendations
  • Use a computer that matches the minimum hardware requirements, as specified in the Release Notes at http://www.checkpoint.com/techsupport/installation/ng/release_notes.html
  • Configure the network connection between the SmartView Reporter Server machine and the SmartCenter Server or Log Server at the optimal speed.
  • Use the fastest disk available (highest RPM).
  • Increase computer memory; it significantly improves performance.

Installation
  Choose a distributed configuration, dedicating a computer to Consolidation and Report generation operations only.

Supported Platforms
  Windows and Solaris platforms support both standalone and distributed installations. Linux and Nokia platforms support only the SmartView Reporter Add-on installation in a distributed configuration; they do not support a standalone installation or a SmartView Reporter Server in a distributed configuration.

Standalone Installation

In This Section
  Windows Platform  page 6
  Solaris Platform  page 9

Windows Platform

1  To begin the installation, log in as an Administrator and launch the Wrapper by double-clicking the setup executable.
2  Select the products that you would like to install. The following components are the minimum standalone component requirements for SmartView Reporter:
   • SmartCenter
   • SmartConsole
   • SmartView Reporter
   FIGURE 1-1 Standalone Deployment - for Windows
   Depending on the components you have chosen to install, you may need to take additional steps before reaching step 3.
3  Verify the default directory, or browse to a new location in which SmartView Reporter will be installed.
4  Select Local SmartView Reporter Installation to install SmartView Reporter on the local machine.
5  Verify the default directory, or browse to a new location in which the output files created by SmartView Reporter will be generated. Click Next and reboot the machine to complete the installation of SmartView Reporter and continue with the next phase of the installation.
6  Launch SmartDashboard.
7  Edit the host properties for the SmartView Reporter machine.
   FIGURE 1-2 Edit the Host properties
8  Deselect and reselect the SmartView Reporter checkbox. Without explicitly selecting this field, SmartView Reporter will not function. Click OK.
   FIGURE 1-3 Select SmartView Reporter in the listbox
9  After activating the SmartView Reporter host, install the Security Policy (Policy > Install) or install the database (Policy > Install Database) to make SmartView Reporter fully functional.

Solaris Platform

1  To begin the installation, mount the CD on the relevant subdirectory and launch the wrapper as follows:
2  In the mounted directory, run the script UnixInstallScript.
3  Read the End-User License Agreement (EULA) and, if you accept it, click Yes.
4  Select whether you would like to perform an upgrade or create a new installation.
5  Continue from step 2 on page 6 to complete the process.
   FIGURE 1-4 Standalone Deployment - for Solaris

Distributed Installation

In a distributed installation, SmartView Reporter is installed on a different machine from the SmartCenter Server.
In This Section
  Windows Platform  page 10
  Solaris Platform  page 14
  Linux  page 16
  Nokia IPSO  page 17

Windows Platform

This installation process consists of three phases:
  • Install SmartView Reporter
  • Install SmartCenter and the SmartView Reporter Add-on
  • Prepare SmartView Reporter in SmartCenter

Phase 1 - Installing the SmartView Reporter

1  Select SmartView Reporter and, optionally, SmartConsole for installation.
   Note - Although SmartConsole does not have to be installed on this machine, if it is, you have direct UI access to the SmartCenter Server from this machine, which simplifies the final installation steps.
   FIGURE 1-5 Distributed deployment - for Windows
   Depending on the components you have chosen to install, you may need to take additional steps (such as installing other components and/or license management) before reaching step 2.
2  Verify the default directory, or browse to a new location in which SmartView Reporter will be installed.
3  Select a folder in which the output files created by SmartView Reporter will be generated.
   Depending on the components you have chosen to install, you may need to take additional steps before reaching step 4.
4  Enter the Activation Key in the specified fields. Remember the key; you will need to enter it again when you initialize SIC from SmartDashboard (step 11 below). The Activation Key is a one-time shared secret used only to establish SIC trust between the two machines, so keep it confidential until that step is done. Click Finish to complete the installation of SmartView Reporter.
   FIGURE 1-6 SIC activation

Phase 2 - Installing SmartCenter and the SmartView Reporter Add-on

SmartCenter installation is described in the Getting Started guide. Only the portion related to SmartView Reporter is discussed in this section.

5  Install the SmartCenter Server on a separate machine by selecting SmartCenter and SmartView Reporter, so that the SmartView Reporter Add-on is also installed during the SmartCenter installation.
   FIGURE 1-7 Installing SmartCenter and the SmartView Reporter Add-On on a Windows Platform
6  During the SmartCenter installation a window is displayed in which you are prompted to select the SmartView Reporter Setup Type. Select SmartView Reporter SmartCenter Add-on so that SmartCenter can connect to the distributed SmartView Reporter.
7  Reboot the machine to complete the installation.

Phase 3 - Preparing SmartView Reporter in SmartCenter

8  Launch SmartDashboard. (SmartDashboard is installed during the SmartConsole installation.)
9  Create a new host for the SmartView Reporter machine.
   FIGURE 1-8 Create New SmartView Reporter Host
10 In the General Properties window, select SmartView Reporter. Then click the Communication button.
   FIGURE 1-9 Initialize SIC
11 Enter the Activation Key that was created in step 4 during the SmartView Reporter installation. Before continuing, verify that the Communication window reports that trust has been established; if it does not, the SmartCenter Server will not be able to talk to the SmartView Reporter Server.
12 After activating the SmartView Reporter host, install the Security Policy (Policy > Install) or install the database (Policy > Install Database) to make SmartView Reporter fully functional.
   FIGURE 1-10 Enter the Activation Key

Solaris Platform

This installation process consists of three phases:
  • Install SmartView Reporter
  • Install SmartCenter and the SmartView Reporter Add-on
  • Prepare SmartView Reporter in SmartCenter

Phase 1 - Installing the SmartView Reporter

1  Select SmartView Reporter and, optionally, SmartConsole for installation.
   FIGURE 1-11 Standalone Deployment - for Solaris
   Depending on the components you have chosen to install, you may need to take additional steps before reaching step 2.
2  Select a folder in which the output files created by SmartView Reporter will be generated.
   FIGURE 1-12 Solaris - default directory
   Depending on the components you have chosen to install, you may need to take additional steps before reaching step 3.
3  Enter the Activation Key in the specified fields. Remember the key; you will need to enter it at a later stage. Click Finish to complete the installation of SmartView Reporter.
   FIGURE 1-13 Solaris Activation Key
4  To complete the installation, continue from "Phase 2 - Installing SmartCenter and the SmartView Reporter Add-On" on page 11.
   Note - Although the interface is different, the installation process on a Solaris platform is the same as on a Windows platform.

Linux

The SmartView Reporter machine can be installed only on Solaris or Windows. For details on installing the SmartView Reporter machine, refer to "Phase 1 - Installing the SmartView Reporter" on page 10.

Installing the SmartCenter Machine and the SmartView Reporter Add-On

SmartCenter installation is described in its own document. Only the portion related to SmartView Reporter is discussed here.

1  When installing SmartCenter, select SmartView Reporter, so that the SmartView Reporter Add-on is installed as part of the SmartCenter installation.
   FIGURE 1-14 Install SmartView Reporter on Linux
2  The SmartView Reporter installation type is automatically set to SmartView Reporter SmartCenter Add-on, so that SmartCenter can connect to the distributed SmartView Reporter.
3  To complete the installation, continue from "Phase 3 - Preparing SmartView Reporter in SmartCenter" on page 12.

Nokia IPSO

The SmartView Reporter machine can be installed only on Solaris or Windows. For details on installing the SmartView Reporter machine, refer to "Phase 1 - Installing the SmartView Reporter" on page 10.

Installing the SmartCenter Machine and the SmartView Reporter Add-On

SmartCenter installation is described in its own document. Only the portion related to SmartView Reporter is discussed here.

1  After installing the Check Point IPSO packages, reboot the machine and run cpconfig.
   FIGURE 1-15 Installing Check Point IPSO Packages
2  Log in to IPSO Voyager from a web browser.
   FIGURE 1-16 Login to Voyager
3  Select Config to enter the Voyager Configuration screen.
   FIGURE 1-17 Click Config to enter the Configuration screen
4  In the Configuration screen, select Manage Installed Packages.
   FIGURE 1-18 Select Manage Installed Packages
5  Make sure that SmartView Reporter NG with Application Intelligence R55 (and any other relevant packages) are set to On and click Apply.
   FIGURE 1-19 Activate SmartView Reporter and other relevant packages
6  After clicking Apply, click Save.
7  From a command-line terminal on the IPSO machine:
   • Log out and then log in again.
   • Run rmdstart.
8  Reboot the machine.
9  To complete the installation, continue from "Phase 3 - Preparing SmartView Reporter in SmartCenter" on page 12.

Starting SmartView Reporter

To start using SmartView Reporter, proceed as follows:

1  Launch the SmartView Reporter Client (FIGURE 1-20).
   FIGURE 1-20 SmartView Reporter Client — Main window
2  Display the Management Selection Bar view and verify that logs are indeed being consolidated and saved to the SmartView Reporter Database.
   FIGURE 1-21 SmartView Reporter Client — Management Selection Bar view
3  Go back to the Reports Selection Bar view (FIGURE 1-20 on page 22) and select the database tables for which to generate the report, as well as a report time frame. Then generate the Standard Network Activity report by selecting it in the Report Tree pane and clicking the corresponding toolbar button.
4  To follow the progress of the report generation, display the Report Generation Selection Bar view (FIGURE 1-22).
   FIGURE 1-22 SmartView Reporter Client — Report Generation Selection Bar view
   After a brief delay, the Standard Network Activity report result is displayed in your browser (FIGURE 1-23 on page 25).
   FIGURE 1-23 Example Standard Network Activity Report Result (callouts: Report Title; Report Time Frame, Log Sources & Generation Time; Report Description; Sections (Hyperlinks))
5  Click a section title to view the results in question. The section's results are displayed in a graph unit, a table unit, or both. FIGURE 1-24 on page 26 shows example results of section 2, Network Activity by Date, in both a graph unit and a table unit.
   FIGURE 1-24 Example Standard Network Activity by Date Section — Graph and Table Formats (callouts: Section Title; Section Description; Unit Title; Unit Description; Unit Results: Graph Format; Unit Legend; Unit Title; Unit Description; Unit Results: Table Format; Unit Terminology)
CHAPTER 2  SmartView Reporter

In This Chapter
  The Need for Reports  page 27
  SmartView Reporter Solution  page 28
  SmartView Reporter Configuration  page 38

The Need for Reports

To manage your network effectively and to make informed decisions, you need to gather information on the network's traffic patterns. There is a wide range of issues you may need to address, depending on your organization's specific needs:
  • As a Check Point customer, you may wish to check whether your expectations of the products are being met.
  • From a security point of view, you may be looking for suspicious activities, illegal services, blocked connections or events that generated alerts.
  • As a system administrator, you may wish to sort the Security Policy by how often each Rule is matched, and delete obsolete Rules that are never matched.
  • You may be looking for general network activity information, for purposes such as capacity planning.
  • From a corporate identity and values perspective, you may want to ensure that your employees' surfing patterns (such as the web sites they access) comply with company policy.
  • From a sales and marketing point of view, you may wish to identify the most and least visited pages on your website, or your most and least active customers.

To address these issues, you need an efficient tool for gathering the relevant information and displaying it in a clear, accurate format.

SmartView Reporter Solution

In This Section
  SmartView Reporter — Overview  page 28
  Log Consolidation Process  page 30
  SmartView Reporter Standard Reports  page 32
  Predefined Reports  page 33

SmartView Reporter — Overview

Check Point SmartView Reporter delivers a user-friendly solution for monitoring and auditing traffic. You can generate detailed or summarized reports in the format of your choice (list, vertical bar, pie chart, etc.) for all events logged by Check Point VPN-1 Pro, SecureClient and SmartDefense.

SmartView Reporter implements a Consolidation Policy, which goes over your original, "raw" log file, identifies events of interest and copies their relevant details into a special, report-specific database (the SmartView Reporter Database). This compact database enables quick and efficient generation of a wide range of reports. The SmartView Reporter solution aims for the optimal balance between keeping the report database as small as possible and retaining the most vital information.

A Consolidation Policy is similar to a Security Policy in terms of its structure and management. For example, both Rule Bases are defined through SmartDashboard's Rules menu and use the same network objects. In addition, just as Security Rules determine whether to allow or deny the connections that match them, Consolidation Rules determine whether to store or ignore the logs that match them. The key difference is that a Consolidation Policy operates on logs rather than connections, and has no bearing on security enforcement: a Consolidation Rule that ignores a log only keeps it out of the report database; it does not affect whether the connection was allowed, and the original log file is not modified.

FIGURE 2-1 illustrates the Consolidation process, defined by the Consolidation Policy. After the VPN-1 Pro Modules send their logs to the SmartCenter Server, the Log Consolidator Engine collects them, scans them, filters out fields defined as irrelevant, merges records defined as similar and saves them to the SmartView Reporter Database.

FIGURE 2-1 Log Consolidation Process

The SmartView Reporter Server can then extract the consolidated records matching a specific report definition from the SmartView Reporter Database and present them in a report layout (FIGURE 2-2):

FIGURE 2-2 Report Generation Process

Two types of reports can be created: Standard Reports and Express Reports. Standard Reports are generated from information in log files through the Consolidation process, to yield relevant analysis of activity. Express Reports are generated from SmartView Monitor history files and are produced much more quickly. Express Reports also support Provider-1 setups.

SmartView Reporter Standard Reports are supported by two Clients:
  • SmartDashboard Log Consolidator: manages the Log Consolidator Engine and the SmartView Reporter Database via the SmartCenter Server. This Client is displayed by launching SmartDashboard and selecting View > Products > Log Consolidator.
  • SmartView Reporter Client: generates and manages reports.

FIGURE 2-3 illustrates the SmartView Reporter architecture for Standard Reports:

FIGURE 2-3 SmartView Reporter Standard Report Architecture

The interaction between the SmartView Reporter Client and Server components applies both to a distributed installation (as shown in FIGURE 2-3), where the SmartCenter Server and SmartView Reporter's server components are installed on two different machines, and to a standalone installation, in which these products are installed on the same machine.

Log Consolidation Process

It is recommended to use the SmartView Log Consolidator's predefined Consolidation Policy, the out_of_the_box Policy, which is designed to filter out irrelevant logs (such as control messages) and store the most commonly requested ones (such as blocked connection, alert or web activity logs).

The Log Consolidator Engine scans the Consolidation Rules sequentially and processes each log according to the first Rule it matches. FIGURE 2-4 illustrates how the Consolidation Policy processes logs: when a log matches a Consolidation Rule, it is either ignored or stored. If it is ignored, no record of this log is saved in the SmartView Reporter system, so its data is not available for report generation. If it is stored, it is either saved as is (so that all log fields can later be represented in reports) or consolidated to the level specified by the Rule. Because the first match wins, Rule order matters: a broad "ignore" Rule placed above a more specific "store" Rule silently discards logs that the later Rule was meant to keep, and those logs will be missing from every report generated from that database.
FIGURE 2-4 Log Process Chart

The Consolidation is performed on two levels: the interval at which the log was created and the log fields whose original values should be retained. When several logs matching a specific Rule are recorded within a predefined interval, the values of their relevant fields are saved “as is”, while the values of their irrelevant fields are merged (i.e. “consolidated”) together.

TABLE 2-1 provides a Consolidation example, where three logs of approved NTP connections match the same Consolidation Rule (NTP is a time protocol that provides access over the Internet to systems with precise clocks).

The Rule’s store options specify that logs generated within a one hour interval should be consolidated into a single record, as long as they share the same values for four fields of interest: destination, interface, Rule name and QoS class. The values of all other fields are either integrated into their shared value (e.g. the shared Rule Number value, 1), or replaced with the term “consolidated” (e.g. the different Source values). The consolidated record includes a connection number column, noting how many logs it represents (in this case, 3).

TABLE 2-1 Consolidation Example

Record        Time   Source        Dest.      I-face  Rule Name  Rule No.  Class  Conn. No.
Log 1         10:00  10.1.3.29     172.0.0.1  hme0    NYC        1         Gold
Log 2         10:25  10.15.2.52    172.0.0.1  hme0    NYC        1         Gold
Log 3         10:59  10.56.60.4    172.0.0.1  hme0    NYC        1         Gold
Cons. Record  10:00  Consolidated  172.0.0.1  hme0    NYC        1         Gold   3

How to interpret User names in DHCP enabled networks

If DHCP address mapping is used, assuming the DNS knows how to resolve dynamic addresses, the information you see in the report reflects the correct resolving results for the time the reported log events were processed by the SmartDashboard Log Consolidator and inserted into the database. Because of the dynamic nature of DHCP address distribution, there is no guarantee that consolidation of old log files will produce correct address name resolving. When DHCP is in use, consolidating log files close to the time of their creation will improve address-resolving accuracy.

SmartView Reporter Standard Reports

The Log Consolidation process results in a database of the most useful, relevant records, known as the SmartView Reporter Database. The information is consolidated to an optimal level, balancing the need for data availability with the need for fast and efficient report generation.

Reports are generated based on a single database table, specified in the Reports Selection Bar view > Standard Reports > Report tab. By default, all consolidated records are saved to the CONNECTIONS table and all reports use it as their data source. However, each time you install and start the Consolidation Policy, you have the option of storing records in a different table. You can further organize these tables by moving records between them as needed and deleting outdated records.

Dividing the consolidated records between different tables allows you to set the SmartView Reporter Client to use the table most relevant to your query, thereby improving the SmartView Reporter Server’s performance.
In addition, dividing records between tables facilitates managing the SmartView Reporter Database: you can delete outdated tables, export tables you are not currently using to a location outside of the SmartView Reporter Database and import them back when you need them.
SmartView Reporter Express Reports

Express Reports are based on data collected by Check Point system counters and SmartView Monitor history files. Standard Reports, in contrast, are based on Log Consolidator logs. Because Express Reports present historical data, they can be generated more quickly. SmartView Reporter Express Reports are supported by one Client, the SmartView Reporter. To configure your system to generate Express Reports, see “Express Reports Configuration” on page 40.

FIGURE 2-5 illustrates the SmartView Reporter architecture for Express Network Reports:

FIGURE 2-5 SmartView Reporter Express Report Architecture

Predefined Reports

The SmartView Reporter Client offers a wide selection of predefined reports for both Standard and Express reporting, designed to cover the most common network queries from a variety of perspectives.

Report Subjects

The reports are grouped by the following subjects, allowing you to easily locate the one you need:

• Network Activity (Standard, Express) — this subject includes reports that enable you to analyze the most popular activities in your network. You can examine your network activity as a whole or focus on a specific direction (incoming, outgoing or internal) or activity type (web, ftp or Email). For example, to study network traffic inside your organization, you can investigate how your web servers, mail servers and firewalled gateways handle the network load; see which services use most of the available bandwidth; and find out what are the most popular web sites. You can detect illegal network traffic, such as connections to banned web sites or use of prohibited services. To examine the network usage by external sources, you can explore which sources access the corporate web site, how often and for how long. A report dedicated to FireWall-1 activity allows you to identify its top services, sources and destinations. The records are organized both by their direction and by the action taken by the firewall. In addition, you can follow the firewall activity’s distribution over various time frames (your working hours, week days and the selected date range).

• Security (Standard, Express) — this subject includes reports that allow you to focus on all security-related traffic in your network. For example, you can inspect connections whose origin or destination is the FireWall-1 machine, monitor security attacks detected by SmartDefense, or analyze blocked connections and FireWall-1 alerts. In addition, you can detect Policy Installations and analyze the Rule Base order on a specific gateway. Identifying the top matched rules versus the least matched rules allows you to sort the Security Policy in the most efficient way.

• User Activity (Standard) — this subject includes reports that provide you with information on how users inside your organization, as well as remote SecureClient users, utilize your network resources. You can identify peak activity patterns, in terms of the most active users, the most commonly used services, the most active working hours or week days etc.

• VPN-1 (Standard, Express) — this subject includes reports that allow you to analyze various aspects of your encrypted traffic, such as its distribution over time, the top services or sources etc. You can examine your VPN-1 activity as a whole, or focus on a specific VPN Tunnel or VPN Community.
• Executive (Standard, Express) — offers a selection of reports from various subjects that are of special interest to executives, such as the Network Activity or User Activity reports.

• System Info (Express) — this subject includes reports that allow you to analyze various aspects of system load and operational activity, including CPU usage, kernel usage, and memory usage.

• My Reports (Standard, Express) — select predefined reports and customize them to your needs.

For descriptions of each predefined report available, see Appendix B, “Predefined Reports”.
Report Structure

Each report consists of a collection of sub-topics known as sections, which cover various aspects of the report. For example, the User Activity report consists of sections such as User Activity by Date, Top Users, Top User Activity Services etc. Each section consists of units, which display the same results in different formats, for your convenience. For example, the User Activity by Date section displays the same data in two units: a graph and a table.

Customizing Predefined Reports

In case you have a specific query that is not directly addressed by the predefined reports, you can easily customize the report that is closest to your needs (by changing its date range, filters etc.) to provide the desired information. You can save the customized report under a different name in the report subject dedicated to user-defined reports, My Reports.

SmartView Reporter Considerations

In This Section

Standalone vs. Distributed Deployment              page 35
Log Availability vs. Log Storage and Processing    page 36
Log Consolidation Phase Considerations             page 36
Report Generation Phase Considerations             page 37

SmartView Reporter’s default options have been designed to address the most common reporting needs. However, to maximize the product’s benefits, it is recommended that you adapt it to your specific profile. This section describes the considerations you should take into account before starting to use SmartView Reporter.

Standalone vs. Distributed Deployment

In a standalone deployment, all SmartView Reporter server components (the Log Consolidator Engine, the SmartView Reporter Database and the SmartView Reporter Server) are installed on the Check Point SmartCenter Server machine. In a distributed deployment, the SmartView Reporter server components and the SmartCenter Server are installed on two different machines and communicate through a special Log Consolidator Add-on installed on the SmartCenter Server.
The standalone deployment saves you from dedicating a separate machine to the SmartView Reporter, but the distributed deployment significantly improves your system’s performance.

Log Availability vs. Log Storage and Processing

Since all SmartView Reporter operations are performed on the logs you have saved, the extent to which you can benefit from this product depends on the quality of the available logs. Therefore, you must ensure your Security Policy is indeed tracking (logging) all events you may later wish to see in your reports.

In addition, you should consider how accurately your logs represent your network activity. If only some of your Rules are tracking events that match them, the events’ proportion in your reports will be distorted. For example, if only the blocked connections Rule is generating logs, the reports will give you the false impression that 100% of the activity in your network consisted of blocked connections. On the other hand, tracking multiple connections results in an inflated log file, which not only requires more storage space and additional management operations, but significantly slows down the Consolidation process.

Log Consolidation Phase Considerations

Record Availability vs. Database Size

Reports are a direct reflection of the records stored in the SmartView Reporter Database. To generate detailed, wide-ranging and accurate reports, the corresponding data must be available in the Database. However, effective database management requires keeping the database size under 20 GB. As the consolidated records accumulate in the Database, the tables where they are saved may become quite large. The data gradually approaches the disk space limit, using more and more memory and slowing down the SmartView Reporter processes (especially the data retrieval for report generation). Carefully consider which logs you wish to store, and to what extent you wish to consolidate them.
Saving Consolidated Records to One vs. Multiple Database Tables

A report is generated based on a single table. If you save all consolidated records to the same table, all the data is readily accessible and you are saved the trouble of moving records between tables and selecting the appropriate source table for each report you wish to generate.
Dividing the records between different tables reduces the report generation time and allows you to maintain a useful Database size by exporting tables you are not currently using to an external location.

Report Generation Phase Considerations

Adapting the Report’s Detail Level to your Needs

When a report is very detailed, it may become difficult to sort out the most significant results and understand the network’s status. To achieve the optimal balance between getting all the information you need and excluding excessive records, closely examine the report’s date range, filters (source, destination, service etc.) and filter values, and adjust them to pinpoint details.

Generating only selected sections and units

By default, all report sections and their units are included in the report generation. However, to get results faster and improve your machine’s performance, you can generate only selected sections and units (by unchecking all others in the Report Tree pane).

Scheduling reports

The Schedule feature allows you to set both delayed and periodic report generations. If you wish to produce a detailed and lengthy report, you should consider postponing its generation and scheduling it so that it does not interfere with your employees’ working hours or with times of peak network activity, since such a report generation might slow down your system. In addition, it is useful to identify the reports you require on a regular basis (e.g. a daily alerts report or a monthly user activity report) and schedule their periodic generations.

Report output (display, Email, file, printer etc.)

All predefined report results are displayed on your screen and saved to the SmartView Reporter Server.
By default, the report is saved in HTML output in an index.htm file, and in CSV (Comma Separated Values) format in a tables.csv file. The HTML file includes descriptions and graphs, but the CSV file contains only the report table units, without a table of contents, descriptions or graphs. The tables.csv file is provided in order to enable convenient table import to applications like Excel.

TABLE 2-2 Report Files and Formats

File Format  HTML                                       CSV
File Name    index.htm                                  tables.csv
Includes     Table of contents, tables, descriptions,   Data only. Cell values separated by commas.
             graphs.                                    Rows and tables separated by lines.

Before generating a report, determine whether you want it to be saved or sent to additional or different targets. For example, when you generate a user activity-related report, you may wish to make it available to all managers in your organization by sending them the output via Email or by placing it on your intranet.

SmartView Reporter Configuration

In This Section

Basic Configuration Scenario               page 38
Express Reports Configuration              page 40
Required Security Policy Configuration     page 39
Report Generation Configuration            page 40
Consolidation Policy Configuration         page 45
SmartView Reporter Database Management     page 49

Basic Configuration Scenario

The following procedure allows you to create the most basic SmartView Reporter configuration. Proceed as follows:

1 In the SmartDashboard, set the relevant Security Policy Rules to track connections of interest (set each Rule’s Track column to either Log or Account).
2 Launch the SmartView Reporter Client and display the selection bar’s Management view, to verify that consolidated records have been loaded to the SmartView Reporter Database.

3 Display the Reports view, select the database tables to be examined and the time frame for the report, choose the report type, then generate the report.

This general procedure can be used to provide you with any report you are interested in. For example, to generate a report on illegal attempts to connect to your network, proceed as follows:

1 In the SmartDashboard, add the following Rule (TABLE 2-3) at the bottom of your Rule Base:

TABLE 2-3 Security Rule Tracking Illegal Attempts to Connect to the Local Network

Source  Destination      VPN  Service  Action  Track  Install On      Time  Comment
Any     Company_network  Any  Any      Drop    Log    Policy Targets  Any   A rule tracking illegal attempts to connect to the local network

2 Launch the SmartView Reporter Client and display the selection bar’s Management view, to verify that consolidated records have been loaded to the SmartView Reporter Database.

3 Display the Reports view and generate the Blocked Connections by Date report.

Required Security Policy Configuration

For a Security Rule to generate logs for connections that match it, the Rule’s Track column should be set to any value other than None (for example, Log generates a standard log, while Account generates an accounting log). Note that in order to obtain accounting information (the number of bytes transferred and the duration of the connection), the value of the Rule’s Track column must be Account.

To utilize direction information (“incoming”, “outgoing”, “internal” or “other”), the organization’s topology must be configured properly. If this is the case, “other” can be used as a security tool, indicating there were connections whose destination was the firewall itself.
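The two points above, that the Blocked Connections by Date report is only meaningful when the tracking Rules are chosen deliberately, and that the direction value depends on a correctly configured topology, can be illustrated with a small Python model. This is an added example and not Check Point code: the internal networks, the firewall addresses and the consolidated records are constructed for the illustration, and the direction classification is an assumed reading of the manual’s four values (with “other” used, as the manual says, for traffic whose destination is the firewall itself).

```python
import ipaddress
from collections import Counter, defaultdict
from typing import Dict, List

# Constructed topology (assumption): in the product this comes from the
# SmartDashboard topology, not from hard-coded values.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]
FIREWALL_ADDRS = {ipaddress.ip_address("10.0.0.1"), ipaddress.ip_address("203.0.113.1")}


def _internal(addr) -> bool:
    return any(addr in net for net in INTERNAL_NETS)


def direction(src: str, dst: str) -> str:
    """Classify a connection as incoming, outgoing, internal or other.

    "other" is reserved for connections that touch the firewall itself (and for the
    unexpected external-to-external case), matching the manual's use of the value as
    an indicator that something tried to reach the gateway directly.
    """
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if s in FIREWALL_ADDRS or d in FIREWALL_ADDRS:
        return "other"
    src_in, dst_in = _internal(s), _internal(d)
    if src_in and dst_in:
        return "internal"
    if src_in:
        return "outgoing"
    if dst_in:
        return "incoming"
    return "other"


# Constructed consolidated records (assumption: one dict per stored connection record).
RECORDS: List[Dict[str, str]] = [
    {"date": "2003-10-01", "src": "198.51.100.7", "dst": "10.1.1.5", "service": "http", "action": "drop"},
    {"date": "2003-10-01", "src": "198.51.100.7", "dst": "10.1.1.5", "service": "ssh", "action": "drop"},
    {"date": "2003-10-01", "src": "198.51.100.9", "dst": "203.0.113.1", "service": "telnet", "action": "drop"},
    {"date": "2003-10-01", "src": "10.1.1.20", "dst": "198.51.100.50", "service": "http", "action": "accept"},
    {"date": "2003-10-02", "src": "198.51.100.7", "dst": "10.1.1.5", "service": "smtp", "action": "drop"},
    {"date": "2003-10-02", "src": "10.1.1.20", "dst": "10.2.2.2", "service": "http", "action": "accept"},
]


def blocked_by_date(records: List[Dict[str, str]]) -> Dict[str, Dict[str, int]]:
    """The Blocked Connections by Date report as a table: date -> direction -> count."""
    per_day = defaultdict(Counter)
    for r in records:
        if r["action"] == "drop":
            per_day[r["date"]][direction(r["src"], r["dst"])] += 1
    return {day: dict(counts) for day, counts in sorted(per_day.items())}


def blocked_share(records: List[Dict[str, str]]) -> float:
    """Fraction of stored records that are blocked connections.

    Feed this only the records produced by the Drop Rule (as when only that Rule
    tracks) and it reports 1.0, which is the distortion the manual warns about.
    """
    if not records:
        return 0.0
    return sum(r["action"] == "drop" for r in records) / len(records)


if __name__ == "__main__":
    print(blocked_by_date(RECORDS))
    print("blocked share, all rules tracking:", blocked_share(RECORDS))
    print("blocked share, only the Drop rule tracking:",
          blocked_share([r for r in RECORDS if r["action"] == "drop"]))
```

Running the module with all Rules tracking gives a blocked share of two thirds; restricting the input to the Drop Rule’s records gives exactly 1.0, which is why the manual asks you to track the accepted traffic as well when proportions matter.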
Express Reports Configuration

The following procedure sets the SmartView Monitor to collect complete system data in order to produce SmartView Reporter Express Reports. SmartView Monitor settings are enabled through the SmartDashboard. Proceed as follows:

1 In the SmartDashboard network objects tab of the object tree, select a gateway of interest. Double click the gateway to open the Check Point Gateway properties window.

2 You will need to enable the SmartView Monitor to collect data for reporting purposes through the SmartDashboard. [If you do not see SmartView Monitor in the selection to the left, enable it through the General Properties tab. Click General Properties, then in the scroll-down window of Check Point Products, click SmartView Monitor. It will appear at left.] Select SmartView Monitor, and in the SmartView Monitor tab, check all the checkboxes to ensure that SmartView Monitor is collecting every type of data for reporting purposes.

3 To finish this procedure, in SmartDashboard select Policy > Install Database.

Report Generation Configuration

In This Section

Adapting the Report Properties to your Needs — Overview   page 41
SmartView Reporter Database Table                          page 41
Report Period                                              page 41
Report Filters                                             page 41
Result Calculation and Resolution                          page 42
Input location                                             page 43
Output location                                            page 43
Scheduling                                                 page 44
Preview                                                    page 44
Monitoring the Report Status                               page 44
Displaying Generated Reports                               page 45
Additional Settings                                        page 45
Report Generation Command Line                             page 45
Adapting the Report Properties to your Needs — Overview

When you generate a report, you can either use the report as a whole or run a specific section or a unit.

You can generate the selected component using its default properties, or adjust these properties to better address your current requirements. This section describes the most important properties you should examine before generating a report.

SmartView Reporter Database Table

By default, consolidated records are retrieved from the SmartView Reporter Database’s CONNECTIONS table. If you have divided your records between several tables, choose the table containing the records you require, e.g. a special table dedicated to records originating from a specific log server, or a table covering the time frame you are interested in. To see which table contains the relevant records, display the Management Selection Bar view.

Select the relevant tables through the Standard Reports view’s Reports tab, by selecting the tables in the Other Database Tables drop-down list.

Report Period

All predefined reports are set to cover a default time range of a week to a month. You must change this period to reflect the data’s actual dates and times, and the time period that you wish to examine.

Tuning Report Time Frame

To improve SmartView Reporter Server performance, when setting a user-defined time frame for the report, specify a time frame in whole days. When setting a report period, note that the following settings will slow down the report generation speed:

• Relative Time Frame: Today, Yesterday, Last X hours, This week.
• Specific dates: Limit by hour checkbox.
• Reports for short time periods are generated faster than reports for long time periods. A weekly report will be generated much faster than a monthly report.

Report Filters

Reports are based on records selected by the most commonly required filters (e.g. Source, Destination etc.).
Specifying the appropriate filter settings is the key to extracting the information you are looking for.
For each filter you choose, specify the values (e.g. network objects, services etc.) to be matched out of all values available for that filter. The available values are taken from the SmartCenter Server and are refreshed on a regular basis. If you cannot see a value you have added through SmartDashboard in the available values list, refresh the list by selecting a different filter and then returning to the previous one. The SmartView Reporter Client also allows you to include additional objects, by manually adding them to the matched values list.

Filters and their values can be specified both on the report level and on its unit level. The report level settings are enforced on the unit level as well (for example, if you choose to include specific sources in the report, these sources will also be included in its units). If you set a specific unit-level filter and then choose a different report-level filter, the latter overrides the former.

Tuning Report Filters

If you define different filters for different units that share the same cached SQL, the SQL caching will no longer be viable and the report generation time will significantly increase. It is recommended that you define filters at the report level only.

Result Calculation and Resolution

Data Calculation Scheme

By default, report calculations are based on the number of events logged. If you have logged accounting data (done by setting the Security Rule’s Track column to Account), you can base the report calculations on the number of bytes transferred.

Sort Parameter

You may sort the results by one of two parameters: the number of bytes transferred and the number of events logged. Note that an event takes on different meanings, depending on its context. In most cases, the number of events refers to the number of connections. Access this setting through the Tools > Options menu.
The number of bytes transferred can be calculated only if the Security Rules’ Track column is set to Account. The number of events logged can be calculated as long as the Track column is set to Log or Account. If both types of information are available, they will both be displayed in the sort order you have specified. For example, a table listing the most active sources in your system can first specify the number of events each source generated and then note the number of bytes related to its activity.

In addition, the unit’s Unit tab allows you to select the resolution type (byte or time) and its level.
Format

If user names are stored in an LDAP server, the names will include the full LDAP path in the FireWall-1 log files. The way the report shows the user name can be changed through the Tools menu > Options > General tab. By default, the Show abbreviated LDAP user name check box is selected, so that generated reports display only the user name part of the full LDAP name. To see the name with the full LDAP path, uncheck this box.

Input location

The modules from which you collect data can be modified by using the report’s Input tab, which lets you select the following:

• the module or modules of origin
• whether to collect data per module or as a group, if you have selected more than one module

Output location

Report results are saved in subdirectories of the Results subdirectory of the SmartView Reporter Server as follows:

Result\NG_AI\bin\<Report Name>\<Generation Date & Time>

For each report, a directory with the report’s name “<Report Name>” is created in bin, with a subdirectory named with the generation date and time “<Generation Date & Time>”. The report is generated into this “<Generation Date & Time>” subdirectory.

The Result location can be modified by selecting Tools > Options from the menu and specifying the desired location in the Result Location field of the Options window’s Generation page.

In addition to saving the result to the SmartView Reporter Server, you can send it to any of the following:

• The Client’s display (the default setting).
• Email recipients.
• An ftp or a web server. See “How to upload reports to an FTP server” on page 60.

The Mail Information page of the Options window allows you to specify both the sender’s Email address and the mail server to be used. It also allows you to specify the degree of message severity (Information, Warning or Error) that is to be sent to the administrator.
The Mail Information page of the Tools > Options window allows you to specify that an administrator receive warnings about errors. To enable this option, fill in the Administrator email address, and choose the severity factor for which an error message will be sent, by checking one or more of the severity levels in the Specify the severity of the administrator email notification section.

Scheduling

Schedules are managed through the Report’s Schedule tab. All schedules of all reports defined in the system can be viewed through the Schedules option of the Selection Bar’s Management view. To improve performance, schedule report generation when there is less traffic and fewer logs are being generated, so the log consolidator is consuming fewer resources. For example, schedule reports on nights and weekends.

History

The reporting server can store a limited amount of Report-generation status records. In order to modify the amount of information stored, go to the Tools > Options window, and select the History page. Modify the amount in Report history size. When the quantity of the status reports passes the limit, the oldest status record is deleted. You can decide whether you would like the associated generated Report to be deleted as well by changing the Report output delete method setting. In addition, you can also specify the maximum number of Consolidation Status records that are displayed in the Management view, by modifying the Consolidation history size.

Preview

If the report you wish to generate covers a wide time frame (e.g. a quarterly network activity report), its generation may be time consuming. To verify you have chosen the appropriate settings, you can test the output by generating a partial preview of the report (select Actions > Preview Report from the menu). The Preview option (set by selecting Tools > Options... from the menu) specifies the percentage (1 to 20) of the report time frame to be included in the preview.
For example, if the report period covers 30 days and you set the preview to 10%, it will only show records logged during the first three days of that time frame.

Monitoring the Report Status

The Selection Bar’s Report Generation view’s Currently Active option allows you to follow the report generation progress. Once the generation is complete, it is recorded in the view’s History option.
Displaying Generated Reports

The Selection Bar’s Report Generation view’s History option lists all past report generations. Double click any generation record to display the report it describes.

Additional Settings

The Options window allows you to specify additional settings including the name and the location of the logo to be displayed in the report header, as well as where to Email reports, and report-sorting settings. By default, the logo file is saved in the SmartViewReporter\NG\bin directory.

Report Generation Command Line

For your convenience, it is possible to generate reports both through the SmartView Reporter Client and through the command line. Generating reports using the command line GeneratorApp has the following limitations:

• No report status updates in the Report Generation view’s Currently Active window.
• No distribution of the report result.

To generate reports through the command line, go to the SmartViewReporter\NG\bin directory on the SmartView Reporter Server machine and run the following command:

Usage: GeneratorApp.exe [Directory/""] {ReportID}

For example, to generate the Security report, whose ID is {475AD890-2AC0-11d6-A330-0002B3321334}, run the following command:

GeneratorApp.exe c:\reports\Security {475AD890-2AC0-11d6-A330-0002B3321334}

If the directory is empty (""), <Result directory>\<Report Name>\<Generation Date & Time> is used as the directory. The default location is:

c:\Program Files\CheckPoint\SmartViewReporter\NG\Results

For a list of all Report IDs, see Appendix B, “Predefined Reports.”

Consolidation Policy Configuration
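Because GeneratorApp gives no status updates and does no distribution, a scheduled command-line run is usually wrapped in a script that validates the Report ID, launches the generator, finds the newest <Generation Date & Time> directory and picks up tables.csv for further processing. The following Python wrapper is an added example, not part of the product: the bin directory default, the `"{ReportID}"` brace-GUID check, the assumption that the generation directories sort by modification time, and the assumption that a blank line separates the tables in tables.csv (the manual only says rows and tables are separated by lines) are all this example’s own, and the sample CSV content is constructed.

```python
import csv
import io
import re
import subprocess
from pathlib import Path
from typing import List, Optional

# Braced GUID as shown in the manual's Security report example.
GUID_RE = re.compile(r"^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")

# Assumed install location; adjust to the server's actual SmartViewReporter\NG\bin.
DEFAULT_BIN_DIR = r"C:\Program Files\CheckPoint\SmartViewReporter\NG\bin"


def build_command(report_id: str, out_dir: Optional[str] = None,
                  exe: str = "GeneratorApp.exe") -> List[str]:
    """Assemble GeneratorApp.exe [Directory/""] {ReportID} as an argv list.

    An omitted directory is passed as the empty string so that the server falls
    back to <Result directory>\\<Report Name>\\<Generation Date & Time>.
    """
    if not GUID_RE.match(report_id):
        raise ValueError(f"report ID is not a braced GUID: {report_id!r}")
    return [exe, out_dir if out_dir else "", report_id]


def run_report(report_id: str, out_dir: Optional[str] = None,
               bin_dir: str = DEFAULT_BIN_DIR) -> None:
    """Run the generator synchronously; a non-zero exit raises CalledProcessError."""
    exe = str(Path(bin_dir) / "GeneratorApp.exe")
    subprocess.run(build_command(report_id, out_dir, exe), check=True)


def newest_generation(report_dir: str) -> Optional[Path]:
    """Return the most recently modified <Generation Date & Time> subdirectory."""
    candidates = [p for p in Path(report_dir).iterdir() if p.is_dir()]
    if not candidates:
        return None
    return max(candidates, key=lambda p: p.stat().st_mtime)


def parse_tables_csv(text: str) -> List[List[List[str]]]:
    """Split tables.csv into tables (assumption: a blank line ends a table).

    Each table is a list of rows; the first row is the unit's column header.
    """
    tables: List[List[List[str]]] = []
    current: List[List[str]] = []
    for row in csv.reader(io.StringIO(text)):
        if not row:                     # blank line: the current table is complete
            if current:
                tables.append(current)
                current = []
            continue
        current.append(row)
    if current:
        tables.append(current)
    return tables


# Constructed sample of what two table units might look like in tables.csv.
SAMPLE_TABLES_CSV = """Source,Events,Bytes
10.1.3.29,12,4096
10.15.2.52,7,1024

Service,Events
http,30
ntp,3
"""


if __name__ == "__main__":
    print(build_command("{475AD890-2AC0-11d6-A330-0002B3321334}", r"c:\reports\Security"))
    for table in parse_tables_csv(SAMPLE_TABLES_CSV):
        print(table[0], "->", len(table) - 1, "rows")
```

`run_report` is the only function that touches the server; the others can be exercised on any machine, which is how the wrapper’s argument handling and CSV splitting are checked before it is put on a schedule.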
In This Section

Overview                                                        page 46
Customizing Predefined Consolidation Rules                      page 48
Setting the Log Consolidator Engine to Scan Specific Logs       page 48
Committing Consolidated Logs to a Specific Database Table       page 49
Configuring the Log Consolidator Engine’s DNS Settings          page 49
Monitoring the Log Consolidator Engine and Database Statuses    page 49

Overview

The out_of_the_box Consolidation Policy has been designed to address the most common Consolidation needs. However, in case you have specific Consolidation needs that are not covered by this Policy, the Consolidation Rules can be modified as needed. To modify the Consolidation settings, proceed as follows:

1 Display the SmartDashboard’s Log Consolidator View, by selecting View > Products > Log Consolidator from the menu.

2 Modify the out_of_the_box Policy’s Consolidation Rules as needed.

3 Save the modified Policy under a different name (select File > Save As from the menu and specify the modified Policy’s name).

4 Install the modified Consolidation Policy and start the SmartDashboard Log Consolidator (by selecting Policy > Install and Start... from the menu), using the following default settings:
  • Fetch logs from the Primary SmartCenter Server.
  • Continue the Consolidation from its last run (which in this case is the beginning of the fw.log file).
  • Save the consolidated records to the default table (CONNECTIONS).

Starting and Stopping the Log Consolidator Engine

Starting the Log Consolidation Engine

If the Log Consolidation Engine is not running, you can start the Engine according to the Consolidation Policy that was last installed. To start the Log Consolidation Engine, choose Start from the Engine menu. The Log Consolidation Engine begins running according to the most recently installed Consolidation Policy.
Stopping the Log Consolidation Engine

To stop the Log Consolidation Engine, choose Stop from the Engine menu, or click the corresponding button in the toolbar. The Stop Engine window is displayed. Choose one of the following:

• Shutdown — This option stops the Log Consolidation Engine in an orderly way. All data that has been consolidated up to this point is stored in the Database. Shutdown may take several minutes to an hour.
• Terminate — This option stops the Log Consolidation Engine immediately. Data that has been consolidated but not yet stored in the Database is not saved.

Specifying the Consolidation Rule’s Store Options

To specify whether logs matching a Consolidation Rule should be skipped or copied to the SmartView Reporter Database, right click the Rule’s Action column and choose Ignore or Store (respectively).

In general, it is recommended to place “Ignore” Rules at the beginning of the Rule Base, especially for services that are logged frequently but are not of interest for reports. “Ignore” Rules do not require Consolidation processing and, therefore, enable the Log Consolidator Engine to move quickly through the logs. The Log Consolidator Engine does not have to consolidate and store an event that matches an “Ignore” Rule and can quickly move to the next entry in the Log file.

The Rule order is also based on how frequently services are used. Rules regarding the most common services are defined before those addressing less common services. In this way, the Log Consolidator Engine does not have to scan a lengthy Rule Base in order to process most of your log data.

If you choose to store the logs, double click the Action cell to specify their storage format in the Store Options window. Choose one of the following:

• As Is — all log fields will be stored in the SmartView Reporter Database and will be available for report generation. This is the default storage option.
• Consolidated — specify the following Consolidation parameters:
  • The interval at which logs matching this Rule are consolidated (e.g. all logs generated within a 10 minute interval). Hourly intervals are measured.
  • The log fields whose original values are retained (in addition to the Product, Origin, Date and Customer log fields, whose values are always saved). The other fields’ values are merged (consolidated) with the corresponding values of the logs included in this interval (see “Log Consolidation Process” on page 30).
If you wish to save all stored connections as is, you can disable the Consolidation settings of the entire Policy by selecting Policy > Global Properties... from the menu, displaying the Advanced settings tab of the Log Consolidator Policy Properties window and unchecking Consolidate log entries.

By default, the Log Consolidator Engine loads the consolidated records into the SmartView Reporter Database once an hour. To change this, display the Advanced Settings tab of the Log Consolidator Policy Properties window and choose a different value from the Stop consolidation and commit work to database every drop-down list.

Customizing Predefined Consolidation Rules

This section provides instructions for modifying specific out_of_the_box Rules to better address your consolidation requirements. For a detailed description of the out_of_the_box Rules, see Appendix A, "Out_of_the_box Consolidation Policy."

If you wish to filter out all broadcast messages (both allowed and disallowed), proceed as follows:
1 In the Security Policy, define a group of objects with broadcast IP addresses.
2 In the out_of_the_box Consolidation Policy, activate the broadcast Rule and add the broadcast group to its Destination column.

If your network uses a mail server group, you can split the SMTP Rule into the following two Rules, which collect data on how mail resources are used:
• A Rule consolidating connections from the mail server group. Records consolidated by this Rule can be used for reports on how mail connections are balanced between the servers. This Rule's Store Options retain the original values of the Authenticated User, Destination and Service log fields.
• A Rule consolidating connections to the mail server group. Records consolidated by this Rule can be used for reports on how local users access the mail servers. This Rule's Store Options retain the original values of the Authenticated User, Source and Service log fields.
Setting the Log Consolidator Engine to Scan Specific Logs

The Consolidation Policy is installed and started through the Install and Start window (FIGURE 1-7), accessed by selecting Policy > Install and Start... To set the Log Consolidator Engine to scan specific logs, specify the following parameters:
1 Log Server — select the log server providing the logs for Consolidation from the drop-down list and click Fetch data from log server.
2 Log File — choose the log file to be scanned. If you have copied log files from other log servers to the SmartCenter Server, these external log files are also available.
3 Log Entry — the specific log entry within the selected log file from which the Log Consolidator Engine starts running.

Committing Consolidated Logs to a Specific Database Table

In the same Install and Start window, select the SmartView Reporter Database table to which the consolidated logs are to be saved from the Target Table options.

Configuring the Log Consolidator Engine's DNS Settings

Resolving the source and destination names slows down the Consolidation process. You can balance the need for names in your consolidated records against the need for satisfactory performance by adapting the Log Consolidator Engine's DNS setting to your needs: select Policy > Global Properties... from the menu and specify the appropriate settings in the DNS settings tab of the Log Consolidator SmartDashboard window. This setting takes effect after a Log Consolidator Policy is installed, or after the Log Consolidator Engine is stopped and started.

Monitoring the Log Consolidator Engine and Database Statuses

The Log Consolidator Engine and SmartView Reporter Database statuses can be monitored through either of the SmartView Reporter clients. The SmartView Log Consolidator provides a detailed account of these statuses (as well as DNS statistics) through the Engine and Database status window, displayed by selecting Engine and Database status from the SmartView Log Consolidator's Status menu. If this information cannot be obtained, the window specifies the reason for the problem (for example: the Log Consolidation Engine service is not started).
The SmartView Reporter Client offers more basic Consolidation information (such as the name of the log file being scanned and the target SmartView Reporter Database table) through its Management view.

It is recommended to check these statuses before you begin generating reports, to verify that the Log Consolidator Engine is indeed processing logs and that it has already saved the consolidated records to the SmartView Reporter Database.

SmartView Reporter Database Management

All database management operations are performed through the SmartView Log Consolidator's Database menu.
Tuning the SmartView Reporter Database

To improve performance, adjust the database cache size to match the computer's available memory, and place the database data and log files on different hard drives (physical disks), if available.

Modifying SmartView Reporter Database Configuration

It is possible to change the SmartView Reporter Database settings by editing the solid.ini file, located in the CheckPoint\SmartViewReporterNG_AI\Database directory. Before editing the solid.ini file, you must:
1 Stop all SmartView Reporter services (the Log Consolidator, Reporter Database and Reporter Server services) by running rmdstop.
2 Back up the solid.ini file.

Note - Although it is possible to give the database file(s) any name, the naming convention cannot be changed: the file name must carry a *.db extension.

When editing a value in the solid.ini file, do not add any spaces or tabs before or after the = sign on any row. After completing your edits, restart the SmartView Reporter services by running rmdstart.

Changing the SmartView Reporter Database Cache Size

To change the Database cache size, modify the CacheSize value in the solid.ini file. CacheSize is the size of the memory cache in bytes and must be a multiple of 1024. Do not set the cache size so large that it does not fit into the computer's available memory.

Increasing the SmartView Reporter Database Size

The default size of the database is 20 GB, allocated in 10 separate files of 2 GB each. You can increase the allocated size of the database by adding more files. To increase the Reporting Database size limit, proceed as follows:

Warning - Make sure all the SmartView Reporter services are stopped before editing solid.ini.
1 In the [IndexFile] section of the solid.ini file, add lines of the form FileSpec_#. Each such line enlarges the Database size limit by 2 GB (2147483647 bytes), which is the maximum byte size per line.

Warning - Do not change the size of an existing database file in order to increase database space.

For example, the following default configuration amounts to a 20 GB limit:

[IndexFile]
...
FileSpec_1=./Database/RT_Database.db 2147483647
FileSpec_2=./Database/RT_Database2.db 2147483647
FileSpec_3=./Database/RT_Database3.db 2147483647
...
...
FileSpec_10=./Database/RT_Database10.db 2147483647
CacheSize=33554432

Adding the following line enlarges the database size limit to 22 GB:

FileSpec_11=./Database/RT_Database11.db 2147483647

2 Restart the SmartView Reporter services.

Changing the SmartView Reporter Database Data and Log Files Location

Disk contention occurs when multiple processes try to access the same disk simultaneously. To avoid this, move files from heavily accessed disks to less active disks until they all carry roughly the same load. To improve performance, use a separate disk for the Database Log files. To distribute the SmartView Reporter database files between different physical disks, proceed as follows:
1 Use a separate disk for the Database Log files: under the [Logging] section of the solid.ini file, specify the new location of the log files by modifying the line:
FileNameTemplate=./Log/sol#####.log
For example:
FileNameTemplate=F:/ReporterLogs/sol#####.log
Do not change the original log file name, and ensure that the specified folder (e.g. F:/ReporterLogs) exists.

2 Divide the Database files between several disks: under the [IndexFile] section, specify a new location for the Database files by modifying the relevant Database file line (e.g. FileSpec_1, FileSpec_2, etc.). For example:
FileSpec_1=E:/RT_Database.db 2147483647
You must then physically move these files to their new locations.

3 Use a separate disk for the Sort folder: under the [Sorter] section, specify the new location of the Sort folder by modifying the line:
TmpDir_1=./Sort
For example:
TmpDir_1=D:/Sort
Make sure the specified location (e.g. D:/Sort) exists.

Backing Up the SmartView Reporter Database

The SmartView Reporter Database system consists of a set of files that can be copied, compressed or backed up like any other files. Backup files require the same disk space as the original files. It is highly recommended to save backup copies of the SmartView Reporter Database files, which can later be used to recover from unexpected database corruption. Because the backup copies contain the same log data as the live Database, keep them under the same access restrictions. Proceed as follows:
1 Stop the SmartView Reporter services:
• Windows — in the Services window (accessed from the Start menu by selecting Settings > Control Panel > Services), select the Check Point Reporting Database Server service and click Stop. This automatically stops the dependent Check Point SmartView Log Consolidator and Reporter Server services as well.
• Solaris — use rmdstop.
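For the solid.ini procedures above (Modifying SmartView Reporter Database Configuration, Changing the Cache Size, Increasing the Database Size and Changing the Data and Log Files Location), an added Python helper that is not a Check Point utility: it checks a solid.ini text against the rules this chapter states (no spaces or tabs around the = sign, at most 2147483647 bytes per FileSpec_# line, *.db file names, distinct file paths, consecutive FileSpec numbering, CacheSize a multiple of 1024 that fits in memory), reports the configured size limit, appends the next FileSpec_# line, and moves the [Logging] FileNameTemplate without renaming sol#####.log. The sample solid.ini is constructed from the page's default configuration; the consecutive-numbering and distinct-path checks are the example's own sanity checks, not rules quoted from the page. It does not stop or start services: run rmdstop before applying its output and rmdstart afterwards.

```python
"""solid.ini checker for the SmartView Reporter Database (added example, not a
Check Point tool).  Enforces the editing rules the chapter gives and performs
the two edits it describes: adding a FileSpec_# line and relocating the
database log files.  SAMPLE_INI is constructed from the page's defaults."""
import re

MAX_FILE_BYTES = 2147483647      # maximum size per FileSpec line (2 GB)

SAMPLE_INI = "[IndexFile]\n" + "".join(
    f"FileSpec_{i}=./Database/RT_Database{'' if i == 1 else i}.db {MAX_FILE_BYTES}\n"
    for i in range(1, 11)) + """CacheSize=33554432

[Logging]
FileNameTemplate=./Log/sol#####.log

[Sorter]
TmpDir_1=./Sort
"""


def parse_ini(text):
    """Return ({section: [(key, value, lineno), ...]}, problems) without normalising the file."""
    sections, problems, current = {}, [], None
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, [])
            continue
        if current is None or "=" not in raw:
            problems.append(f"line {n}: expected a [section] or key=value line")
            continue
        key, value = raw.split("=", 1)
        if key != key.rstrip() or value != value.lstrip():   # page: no blanks around '='
            problems.append(f"line {n}: whitespace around '=' is not allowed")
        sections[current].append((key.strip(), value.strip(), n))
    return sections, problems


def file_specs(sections):
    """[(index, path, size_bytes, lineno), ...] for the FileSpec_# lines of [IndexFile]."""
    specs = []
    for key, value, n in sections.get("IndexFile", []):
        m = re.fullmatch(r"FileSpec_(\d+)", key)
        if m:
            path, _, size = value.rpartition(" ")      # "<path> <size>"
            specs.append((int(m.group(1)), path, int(size), n))
    return sorted(specs)


def check_solid_ini(text, available_memory_bytes=None):
    """List every violation found; an empty list means the file is safe to restart with."""
    sections, problems = parse_ini(text)
    seen = set()
    for expected, (idx, path, size, n) in enumerate(file_specs(sections), 1):
        if idx != expected:
            problems.append(f"line {n}: FileSpec_{idx} breaks the consecutive numbering")
        if not path.lower().endswith(".db"):
            problems.append(f"line {n}: {path} must keep the *.db extension")
        if size > MAX_FILE_BYTES:
            problems.append(f"line {n}: {size} exceeds {MAX_FILE_BYTES} bytes per file")
        if path in seen:
            problems.append(f"line {n}: {path} is already used by another FileSpec")
        seen.add(path)
    cache = dict((k, v) for k, v, _ in sections.get("IndexFile", [])).get("CacheSize")
    if cache is None or not cache.isdigit() or int(cache) % 1024:
        problems.append("CacheSize must be an integer multiple of 1024")
    elif available_memory_bytes is not None and int(cache) > available_memory_bytes:
        problems.append(f"CacheSize {cache} does not fit in {available_memory_bytes} bytes")
    return problems


def size_limit_gb(text):
    """Database size limit in GB as the page counts it: 10 files of 2147483647 bytes = 20 GB."""
    sections, _ = parse_ini(text)
    return round(sum(s[2] for s in file_specs(sections)) / 2 ** 30, 1)


def add_file_spec(text, directory="./Database"):
    """Append FileSpec_N+1 after the last FileSpec line; never resize an existing file."""
    specs = file_specs(parse_ini(text)[0])
    if not specs:
        raise ValueError("no FileSpec_# lines under [IndexFile]")
    last, _, _, lineno = specs[-1]
    lines = text.splitlines()
    lines.insert(lineno, f"FileSpec_{last + 1}={directory}/RT_Database{last + 1}.db {MAX_FILE_BYTES}")
    return "\n".join(lines) + "\n"


def move_log_files(text, new_dir):
    """Point FileNameTemplate at new_dir while keeping the original sol#####.log name."""
    entries = [(v, n) for k, v, n in parse_ini(text)[0].get("Logging", []) if k == "FileNameTemplate"]
    if not entries:
        raise ValueError("[Logging] FileNameTemplate not found")
    value, lineno = entries[0]
    lines = text.splitlines()
    lines[lineno - 1] = f"FileNameTemplate={new_dir.rstrip('/')}/{value.rsplit('/', 1)[-1]}"
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print("default limit:", size_limit_gb(SAMPLE_INI), "GB; problems:", check_solid_ini(SAMPLE_INI))
    edited = move_log_files(add_file_spec(SAMPLE_INI), "F:/ReporterLogs")
    print("after edits:", size_limit_gb(edited), "GB; problems:", check_solid_ini(edited))
    print(check_solid_ini(SAMPLE_INI.replace("CacheSize=33554432", "CacheSize = 33554433")))
```

Run it against a copy of the real solid.ini after stopping the services; the default configuration reports a 20 GB limit and no problems, the edited copy 22 GB and no problems, and a CacheSize line written as "CacheSize = 33554433" is rejected twice, once for the blanks around the = sign and once for not being a multiple of 1024. The helper only rewrites text: moving the database files themselves to the new disks, and creating the target folders, remains a manual step as the procedure above says.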
