Check Point Firewall - fwlog, audit log, messages

Captions
Hi and welcome to my channel. My name is Magnus, and today I was going to show you three different types of log files. First of all we will check on the firewall log, then we will check on the audit log, and we will also check on the messages log. I will show you a few things that you can find in these logs and why it's important to know all three of them.

So first of all, let's start with the normal firewall log. Let's generate some traffic, and the easiest way to do that is to just go to Google. So Google, and then we can go to Facebook, and Facebook will actually be blocked, or hopefully it will be blocked, and it is. And let's go to YouTube as well; YouTube should be working, and it is. And of course you should subscribe to my channel, so just find me and click subscribe.

So let's see in the firewall log if we can see any of this traffic. We need to go to Logs & Monitor, and you press on this little plus sign, and here you see the logs. I have already been in here, so let's see if we have any filters or whatnot. First of all we need to find the IP address of our own client, if you want to filter on something specific, and here we have our IP address, so let's just copy and paste. We can see here that we have a few logs, but it doesn't really say anything. We see here "drop Facebook"; can we see web surfing? It's possible to just click on one of these and get up some more traffic logs or some more information. As you can see here, the traffic is NATed behind this IP address, and this is due to Hide NAT. If you want to see this explicitly, or why it is like that, you can just go to NAT rule number seven.

If you want to see which rule this is actually hitting, then you can just press Match Rule and you will see it. One thing that can be important to note, or just be aware of, is this policy section: you see the policy date, and that's the time when this policy was actually installed on the gateway. So if you have just recently done a change and the traffic is coming too fast, maybe it's hitting the old policy, so it is nice to be aware of this date and time and which policy name is actually hitting, because you can have multiple firewalls and we didn't specify which firewall we're actually looking for. We can see that this is gateway number one, but within Check Point you can have multiple firewalls on the same management station.

So if you want to see which rule this actually hit, then you can press on Match Rule, and here you see that it hit rule 6, an inline layer for web surfing, and the rule that it actually did hit, where the traffic actually passed, was 6.3. If you press on 6.3 we will be prompted with how this traffic actually looks, so this was a generic 443.

If you want to see, for example, all the Facebook or YouTube that we actually did go to, just click cancel here, go back to Logs & Monitor, then you can do Blade and you can do Application Control. Here you can see all the applications that we actually did visit: we did visit Facebook two times, and we did visit YouTube, so they are listed under application name. If we double click on here we can see some traffic that was actually going through this section. I'm not sure if this is actually correct, but at least you get the feeling of how much bandwidth it's actually using, and you can see some information regarding the application, in this case YouTube, and you can see an application description. What more can you do? Well, you can actually see how long this specific session was, and in our case it was less than one minute. I'm also not sure if this is 100% accurate, but you at least get the feeling of whether someone is spending way too long on social media or YouTube. If they're looking at my channel then it's no problem.

That was the basics of the firewall log. You can do a lot of filters, so you can do for example port 443 (sorry, I need this one) and you can see all the web traffic. And of course you can press on something, right click, and do "and not", and it will filter this one away and show everything else, so this is really powerful. You can see the top destinations, top services and so on, and of course the top service in this case should be only HTTPS.

I don't know if you're aware of this, but if you're trying to export something from here, like File and then Export to CSV, the issue with this is that it will only export what is actually visible on these lines. So in this case it will show 100 results; it will not even show the 547 results. If you want to do an export of all the traffic from a specific host, then you should go to SmartView. To get to SmartView you need to make sure to go to https, and then you just do smartview to your management station. So Advanced, and then just continue, and you do your normal login. Here you can see the same, so here you have the logs as well, but in this view, if we make it a bit bigger, you can still have all the filters, like what type of application, what the origin is, what the top source is and so on. You can extend this as well and see a bit more information regarding that specific log. But the nice thing here is that, if we filter on our client, we can do Options and Export to Excel, and here we can pick how many logs we actually want to export. So we can export up to one million logs, and we can take all columns instead of all visible; if it's all visible you only get what is actually already presented here, but there are more. If you press OK here, it will start the job, and if you want to see this job and where it's actually located you can go to the plus, and then, I think it's here, Archive, under Task and Archive. Here we have the log and we can download this one, and here we get a CSV file.

I don't know if I have Excel on this one, so let's open it in WordPad. Ah, that didn't work, so let's move that file to my normal computer. It's under Downloads here, we copy that one and put it onto my regular PC. Let's open this one up, and here you can see all the logs from that specific source, and you see there are a lot more tabs than were actually visible. You can of course filter here as well, because we didn't put in any filters when we did the export, but this is just to show you there is a lot of cool stuff that you can actually do. You see here that it's the NAT source address; well, maybe we need to find somewhere how to find the real address. So here's the source, on column Y. This is how you export a large number of rules; you can do one million lines at a time. So that was both SmartView and the normal logs, so you got two for one there.

Secondly, we want to check the audit log. So if we do a change in the policy, for example we remove Netflix media and we also remove media streams from this line, and we just do Publish and we do Install Policy. OK, so the policy is installed. If you now want to revert this, you can do revision control, but I just wanted to show you where you can actually see where something was changed. You go to Logs & Monitor, press the plus sign, and you see here Audit Logs, so double click on that one. What did we actually do here? Well, we did log in to the gateway here at 12:12, and we did modify a rule. If we double click on this one we can see what was actually modified, and we see here that the service and application that was removed was Media Streams and Netflix Streaming, so that's correct, and the layer was web surfing from clients. The policy name, we don't have any, but here you see what actually happened: we did remove services from a specific line, and you can see which administrator it was (I'm logged in as admin here) and you can see what time it was and so on.

This can be a bit tricky if you do a lot of changes, so within normal clusters you can use revision control to revert what you want, but if you just want to track and audit what you have actually done this can be a good way. There are better options with external tools or even SmartConsole extensions, but for this I just press cancel here, and we see that it was published, so the session was published and one object was changed, and we see that we also did install the policy. What I normally use the audit log for is to check policy installation and so on: when, what was actually done, did something break after policy installation? And if something did break after the policy installation, then you can check between these two lines, between the installed policies, what was changed, and maybe you can revert it. So that was the audit log.

The last log that we are going to check on is the messages log, and to do that we need to destroy things a little bit. So for example we take this gateway and we do set things on this one, and let's remove an interface; let's disconnect this one and see what happens. So go back into the Windows 10 machine, we go to SecureCRT that we have here, we go to the gateway, and that should be the gateway, we log in and we go to expert mode. Then there is a file called messages, and the easiest way to do this, if you just want to check the last lines, is tail -10 for 10 lines, and then the path where it is exactly, so the path is /var/log/messages.

Here we see that we have done a change: we see that at this time the link went down, and the cluster did go active to active with an exclamation mark because this interface was disconnected or down, and then it did a state change from active to down, the reason being that one of the interfaces is down or disconnected. Then we also see that there was a standby to active change, meaning we did change the cluster members, like which one is active. So in the messages file you can see all the physical things that happen on the gateway. You cannot see the firewall logs or anything like that, and you cannot see audit logs. So the three different logs that are really important to check on are the firewall logs, where you see all the traffic, then the audit log, where you see all the changes, and then the messages, that's all the changes that happened to the physical box.

And yes, there's a bonus. There is a command to check which policy is installed and so on: you can do cpstat and then space fw. Here you can see the installation time of the specific policy and the name of the policy; you can also see some interface stats. And do you remember where we actually see the state of the cluster? Well, that's cphaprob state. Here we see that gateway 1 is down and gateway 2 is active, and the reason for this is that ethernet 3 was disconnected, link down.

And just to show you, you can see a lot more in this /var/log/messages file, so you can do cat /var/log/messages and you see everything, and if you just do it like that it's a lot harder. So you need to learn to do grep: you can do pipe grep and filter on, like, "down", and it will show you everything that has "down" within the line, and you see here it actually filtered for "download" as well. If you use the grep command you can find quite nice things. So if you already know you are looking for ethernet 3, then you can do grep ethernet 3 and see all the statuses where ethernet 3 is included or involved. And this is the part: I will do clear, I will do page up, and I will just do grep ethernet 3, so you will see everything that is related to ethernet 3 if you do the grep commands. If you just want to see the last messages in this file, then it's tail - and then the line number, let's say 20, and then /var/log/messages, and you see the last 20 lines. You can actually see the policy installation here as well, so you see here that the policy installation was done, so that's quite nice. So /var/log/messages is really important to be aware of, and you can find a lot of information. If you are troubleshooting why a cluster is failing over or so, this can be the file that you should check in.

And I think that's it for this video. If you want to see a more detailed, in-depth look at each of these log files, please comment below and maybe we can do that later. Thank you for watching, please subscribe to the channel, like and share if you find this useful, and I hope to see you in the next one. Take care, bye.
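The tail and grep steps the video types by hand against /var/log/messages can be wrapped in a few small shell functions, so that a link-down and a ClusterXL failover sequence can be pulled out of the file in one go. The block below is an added example for this page, not code from the video, from Check Point or from Gaia; the log lines in it are constructed samples that only loosely imitate what a gateway writes, so the patterns (the interface name, the "state change" and "link is down" wording) are assumptions to adjust to your own box.

```shell
#!/bin/sh
# Added example, not from the video or from Check Point: helper functions that
# pull the same link-down and ClusterXL state-change events out of
# /var/log/messages that the video finds by hand with tail and grep.
# The lines below are CONSTRUCTED samples that only loosely imitate what a Gaia
# gateway writes; exact wording differs between versions, so adjust the patterns
# to match your own box before relying on them.

SAMPLE_LOG="$(mktemp)"
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
Aug 30 12:11:58 gw1 sshd[2201]: Accepted password for admin from 192.0.2.10 port 51234 ssh2
Aug 30 12:12:03 gw1 kernel: eth3: link is down
Aug 30 12:12:03 gw1 clusterxl: state change: ACTIVE -> ACTIVE(!) (reason: interface eth3 down)
Aug 30 12:12:05 gw1 clusterxl: state change: ACTIVE(!) -> DOWN (reason: interface eth3 down)
Aug 30 12:12:05 gw2 clusterxl: state change: STANDBY -> ACTIVE
Aug 30 12:13:40 gw1 fwd[1190]: policy Standard installed successfully
Aug 30 12:14:02 gw1 kernel: eth3: link is up
EOF

# Same idea as "tail -20 /var/log/messages": the last N lines of the file.
recent() {                 # usage: recent FILE N
    tail -n "$2" "$1"
}

# Case-insensitive count of lines matching PATTERN (grep -c prints 0 and exits 1
# when nothing matches, so the "|| true" keeps a later "set -e" from aborting).
count_matches() {          # usage: count_matches FILE PATTERN
    grep -ci -- "$2" "$1" || true
}

# Link up/down events for one interface, like "grep eth3" in the video but
# narrowed to lines that also mention a link change.
link_events() {            # usage: link_events FILE IFACE
    grep -i -- "$2.*link" "$1" || true
}

# Cluster member state transitions reduced to "host: FROM -> TO", which is
# much easier to read than the raw lines when working out a failover sequence.
cluster_transitions() {    # usage: cluster_transitions FILE
    grep -i 'state change' "$1" \
      | sed -E 's/^[A-Za-z]+ +[0-9]+ [0-9:]+ ([^ ]+) .*state change: ([^ ]+) -> ([^ ]+).*/\1: \2 -> \3/'
}

# The most recent transition, i.e. which member currently holds the active role.
last_transition() {        # usage: last_transition FILE
    cluster_transitions "$1" | tail -n 1
}

# Demo run against the constructed sample (on a real box use /var/log/messages).
echo "== last 3 lines ==";          recent "$SAMPLE_LOG" 3
echo "== eth3 mentions: $(count_matches "$SAMPLE_LOG" eth3) =="
echo "== link events for eth3 =="; link_events "$SAMPLE_LOG" eth3
echo "== cluster transitions ==";  cluster_transitions "$SAMPLE_LOG"
echo "== last transition: $(last_transition "$SAMPLE_LOG") =="
```

On a gateway you would point the functions at /var/log/messages instead of the temp file; the cluster_transitions output (here ending in "gw2: STANDBY -> ACTIVE") is the same story the video reads from the raw lines and cross-checks with cphaprob state.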
Info
Channel: Magnus Holmberg
Views: 4,366
Keywords: check point software, cyber security, ccsa, ccse, checkpoint, check point, network, security, firewall, checkpoint training, r80, r80.40, checkpoint firewall, checkpoint firewall training videos
Id: 9uvOy3xLZeY
Length: 18min 23sec (1103 seconds)
Published: Sun Aug 30 2020