LogLogic Check Point Management Station Log Configuration Guide
Document Release: September 2011
Part Number: LL ELS

This manual supports LogLogic Check Point Management Station Release 2.0 and later, and LogLogic Software Release 5.1 and later until replaced by a new edition.
2011 LogLogic, Inc.

Proprietary Information

This document contains proprietary and confidential information of LogLogic, Inc. and its licensors. In accordance with the license, this document may not be copied, disclosed, modified, transmitted, or translated except as permitted in writing by LogLogic, Inc.

Trademarks

LogLogic and the LogLogic logo are trademarks or registered trademarks of LogLogic, Inc. in the United States and/or foreign countries. All other company or product names are trademarks or registered trademarks of their respective owners.

Notice

The information contained in this document is subject to change at any time without notice. All warranties with respect to the software and accompanying documentation are set out exclusively in the Software License Agreement or in the Product Purchase Agreement that covers the documentation.

LogLogic, Inc. 110 Rose Orchard Way, Suite 200 San Jose, CA Tel: Fax: U.S. Toll Free:
Contents

Preface
    About This Guide
    Technical Support
    Documentation Support
    Conventions
Chapter 1 Configuring Check Point Management Station and the LogLogic Appliance
    Introduction to Check Point Management Station
    Prerequisites
    Configuring Check Point Management Station
    Enabling the LogLogic Appliance to Capture Log Data
    Adding a Check Point LEA Device
Chapter 2 How LogLogic Supports CheckPoint
    How LogLogic Captures CheckPoint Data
    LogLogic Real-Time
Chapter 3 Troubleshooting and FAQ
    Troubleshooting
    Frequently Asked Questions (FAQ)
Appendix A Event Reference
    LogLogic Support for Check Point Events
Preface

About This Guide

The LogLogic Appliance-based solution lets you capture and manage log data from all types of log sources in your enterprise. The LogLogic support for Check Point Management Station (and Check Point SecurePlatform) enables LogLogic Appliances to capture audit logs from machines running Check Point Management Station. Once the logs are captured and parsed, you can generate reports and create alerts on Check Point Management Station's operations. For more information on creating reports and alerts, see the LogLogic User Guide and LogLogic Online Help.

Technical Support

LogLogic is committed to the success of our customers and to ensuring our products improve customers' ability to maintain secure, reliable networks. Although LogLogic products are easy to use and maintain, occasional assistance might be necessary. LogLogic provides timely and comprehensive customer support and technical assistance from highly knowledgeable, experienced engineers who can help you maximize the performance of your LogLogic Appliances.

To reach LogLogic Customer Support:
Telephone: Toll Free LOGS Local EMEA or APAC: + 44 (0) or +44 (0)
[email protected]
You can also visit the LogLogic Support website at:

When contacting Customer Support, be prepared to provide:
- Your name, address, phone number, and fax number
- Your company name and company address
- Your machine type and release version
- A description of the problem and the content of pertinent error messages (if any)

Documentation Support

Your feedback on LogLogic documentation is important to us. Send to [email protected] if you have questions or comments. Your comments will be reviewed and addressed by the LogLogic technical writing team. In your message, please indicate the software name and version you are using, as well as the title and document date of your documentation.
Conventions

LogLogic documentation uses the following conventions to highlight code and command-line elements:

- A monospace font is used for programming elements (such as code fragments, objects, methods, parameters, and HTML tags) and system elements (such as filenames, directories, paths, and URLs).
- A monospace bold font is used to distinguish system prompts or screen output from user responses, as in this example:
      username: system
      home directory: home\app
- A monospace italic font is used for placeholders, which are general names that you replace with names specific to your site, as in this example:
      LogLogic_home_directory\upgrade\
- Straight brackets signal options in command-line syntax. For example:
      ls [-AabCcdFfgiLlmnopqRrstux1] [-X attr] [path...]
Chapter 1 Configuring Check Point Management Station and the LogLogic Appliance

This chapter describes LogLogic's support for Check Point Management Station. LogLogic enables you to track log data from the Check Point Management Station device in real-time or on a scheduled basis.

- Introduction to Check Point Management Station
- Prerequisites
- Configuring Check Point Management Station
- Enabling the LogLogic Appliance to Capture Log Data

Introduction to Check Point Management Station

The Check Point SecurePlatform is designed to run Check Point's VPN-1 gateways and SmartCenter management servers. Check Point devices enable you to protect your entire network and maintain security for your information resources.

Note: Log Export API (LEA) is used to retrieve and export VPN-1/FireWall-1 log data. Check Point Management Interface (CPMI) is used to provide a secure interface to the Check Point management server's databases. For more information, see the LogLogic Administration Guide.

The LogLogic Appliance enables you to capture log data and report on critical points of your Check Point solutions deployed on SecurePlatform. LogLogic provides an additional level of support by enabling you to generate reports and run searches on data to improve your ability to manage your Check Point activity.

Check Point devices are supported by LogLogic Appliances. All Check Point log data captured by the LogLogic Appliance is parsed and made available to the LogLogic Agile Reporting engine. The Agile Reporting engine provides report templates that can be run as-is or modified to create customized reports targeting specific information.
Prerequisites

Prior to configuring the Check Point Management Station and LogLogic Appliance, ensure that you meet the following prerequisites:

- Check Point SecurePlatform version 5.5 or later installed
- Proper access permissions to make configuration changes
- LogLogic Appliance running Release 5.1 or later installed
- Administrative access on the LogLogic Appliance
Configuring Check Point Management Station

This section describes how to configure a Check Point Management Station to communicate with your LogLogic Appliance.

To configure Check Point Management Station:

1. Log in to Check Point Management Station.
2. On the Check Point SmartDashboard, create an object for the appliance.

   Figure 1 SmartDashboard - Host Node Window

3. Create a new OPSEC device using the same object from Step 1. You must define both LEA and CPMI on this object. This object name will also correspond to the LEA application name on the appliance configuration.

   Figure 2 SmartDashboard - OPSEC Application Properties > General Tab

4. Specify the CPMI permissions by defining a unique profile for the user account.

   Figure 3 SmartDashboard - OPSEC Application Properties > CPMI Permissions Tab

5. On the General tab, click Communication to initialize SIC.

   Note: The initialization will not be established until the LogLogic Appliance configuration is completed.

   Figure 4 SmartDashboard - OPSEC Application Properties > Communication Window

6. Create a user account and connect it to the same profile created in Step 4.

   IMPORTANT! You must define a password for this account to be used later for CPMI authentication.
   Figure 5 Administration Properties > General Tab

   Figure 6 Administrator Properties > Admin Auth Tab

Enabling the LogLogic Appliance to Capture Log Data

The following sections describe how to enable the LogLogic Appliance to capture Check Point log data.

IMPORTANT! This document only describes how to add a Check Point LEA server to the LogLogic Appliance. For additional information about LogLogic's Check Point LEA and VPN-1/FireWall-1 support, see the LogLogic Administration Guide.
Adding a Check Point LEA Device

To configure the LogLogic Appliance to recognize a new Check Point LEA server, you must add the device's configuration information to the Appliance.

To configure the LogLogic Appliance for Check Point LEA servers:

1. Log in to the LogLogic Appliance.
2. From the navigation menu, select Management > Check Point Configuration.
3. Click Add New. The Add LEA Server tab appears.
4. Type the Name for the LEA server.
   Note: LogLogic recommends using a naming convention similar to Check Point's naming conventions.
5. Select an Agent Mode to define how the LEA server starts. The default is Automatic, to ensure that the Check Point connection establishes during system boot up.
6. (Optional) Type a Description for the LEA server.
7. Make sure that Enable Data Collection is set to Yes.
8. Establish Secure Internal Communication (SIC):
   a. Check the Establish Secure Internal Communication checkbox.
   b. Enter the Check Point server SIC IP address.
   c. Enter the Activation Key for the OPSEC Application on the Check Point log source.
   d. Enter the OPSEC Application Name for the application on the Check Point log source.
   The OPSEC Application Name is the OPSEC object name and the Activation Key is the SIC key. The OPSEC object name and SIC key were defined during the Check Point configuration procedure (see To configure Check Point Management Station:).
9. Set up the SSL connection to the LEA server:
   a. Check the SSL Connection to LEA Server checkbox to enable it.
   b. Type the LEA IP address for the LEA server.
   c. Type the LEA Port number for the LEA server. The default port number is
   d. Type the LEA Server DN (domain name).
10. If the firewall and interface are on the same Check Point log source as the LEA server, configure them. If they are on separate Check Point log sources, after adding this LEA server, use the Firewall and Interface tabs instead. For more information, see the LogLogic Administration Guide.
   a. Select the appropriate Add Firewalls & Interfaces radio button:
      - CPMI Auto Discovery - Automatically detects any Check Point Management Interface (CPMI) log sources connected to your system.
      - Manual Input - Lets you manually input each CPMI log source.
   b. Type the CPMI IP address.
   c. Type the CPMI Port number. The default port number is
   d. Type the Check Point User Name. You must create an Administrator account in your Check Point application before you can use that ID for the Check Point User Name field on the LogLogic Appliance.
   e. Type the Check Point User Password. You must create an Administrator account in your Check Point application before you can use that password for the Check Point User Password field on the LogLogic Appliance. For more information on how to create the administrator user name and password within Check Point, see To configure Check Point Management Station:.
   f. Select SSL Connection to CPMI Server to enable the SSL connection to your CPMI server.
   g. Type the CPMI Server DN (domain name).
11. Click Add to add the LEA server.
Figure 7 Adding a New LEA Server

Upon completion of the initialization, you will see a successful connection on both the LEA and the CPMI devices on the LEA Servers tab.

Figure 8 LEA Server Information with Connection Status

Note: You can start and stop the connection by clicking the button that appears to the right of the Start Mode column.
Chapter 2 How LogLogic Supports CheckPoint

This chapter describes LogLogic's support for CheckPoint. LogLogic enables you to capture CheckPoint Firewall events in syslog format.

- How LogLogic Captures CheckPoint Data
- LogLogic Real-Time

How LogLogic Captures CheckPoint Data

After the Check Point device is configured, the LogLogic Appliance starts receiving logs from all the Check Point interfaces that generate them. The logs are processed, stored, and made available for reporting, alerting, and searching.

CheckPoint's Open Platform for Security (OPSEC) provides a single framework for third-party products to integrate into all aspects of the secure virtual network through a combination of published application programming interfaces (APIs), industry-standard protocols and a high-level scripting language. One of the APIs that comes under OPSEC is the LEA or Log Export API. The Log Export API enables applications to read the VPN-1/FireWall-1 log database.

The LogLogic Appliance has achieved OPSEC certification. This certificate is provided to applications only after they have been tested to ensure compliance with the defined OPSEC standards. Hence, the LogLogic Appliance seamlessly integrates with the Check Point FireWall-1/VPN-1 software for Check Point firewall logs collection. The LogLogic Appliance can pull firewall rules information through the CPMI (Check Point Management Interface) and aggregate firewall log data through the OPSEC Log Export API (LEA) interface.

Figure 9 Check Point and LogLogic Appliance Components

Once the data is captured and parsed, it can be used for generating reports.

LogLogic Real-Time

LogLogic provides preconfigured Real-Time Reports for Check Point log data. The following Real-Time Reports are available:

- Check Point Policies: Displays the Check Point Policies established
- User Access: the events generated for all user actions in the Check Point environment
- User Authentication: the successful and failed user login and logout events.
- the last activity users performed within the Check Point environment
- VPN Access: Displays VPN connections that VPN devices either accepted or denied
- VPN Sessions: Displays data about VPN sessions created on VPN devices during a specified time interval
- Accepted Connections: Displays data about IP connections that were accepted by a device
- Active VPN Connections: Displays data about current active sessions on various VPN devices
- Application Distribution: Displays information about messages, grouped by application ports, that were accepted by a device
- Denied Connections: Displays data about IP connections that were denied by a device
- FTP Connections: Displays data about FTP traffic through the selected firewall device
- VPN Top Lists: Displays data about top users and IP addresses and statistics
- All Unparsed Events: Displays data for all events retrieved from the Check Point Firewall/VPN log for a specified time interval
- Security Events: Displays data for firewall security-related events classified as security messages for a specified time interval
- System Events: Displays data for system-related events retrieved from the Check Point Firewall/VPN log for a specific time interval
- VPN Events: Displays all Check Point Firewall/VPN events
- Web Surfing: Displays web information served during a specified time interval

You can create custom reports from the existing Real-Time Report templates.

To access LMI 5.x Real-Time Reports:

1. In the top navigation pane, click
2. Click Access Control (For Check Point Policies, click > Policy > Check Point Policies)
   The following Access Control Real-Time Reports are available:
   - User Access
   - User Authentication
3. Click Network
   The following Network Real-Time Reports are available:
   - Accepted Connections
   - Active VPN Connections
   - Application Distribution
   - Denied Connections
   - FTP Connections
   - VPN Top Lists
   - VPN Access
   - VPN Sessions
   - Web Surfing
4. Click Operational
   The following Operational Real-Time Reports are available:
   - All Unparsed Events
   - Security Events
   - System Events
   - VPN Events
Chapter 3 Troubleshooting and FAQ

This chapter contains troubleshooting information regarding the configuration and/or use of log collection for CheckPoint. It also contains an FAQ, providing quick answers to common questions.

- Troubleshooting
- Frequently Asked Questions (FAQ)

Troubleshooting

Check Point events are not appearing on the LogLogic Appliance after capturing the logs via the syslog listener.

The reason for this problem can be that the Check Point device might not be configured correctly. In LMI 4.x, go to Administration > Check Point Devices. In the LMI 5.x GUI, go to Management > Check Point Configuration. On the LEA Servers tab, the LEA Status and CPMI status should be CONNECTED. Then check the Interfaces tab, and see which of the interfaces has the Trusted and Origin columns set as YES and Device Status set as ENABLED. That interface should appear in the Log Source Status page as the Check Point source of log collection. Also check that the Syslog Server (i.e., the LogLogic Appliance) has been defined. For more information, see Configuring Check Point Management Station.

Frequently Asked Questions (FAQ)

How does the LogLogic Appliance collect logs from Check Point?

The LogLogic Appliance collects the data from the CheckPoint server through syslog. On the Check Point server, you create an OPSEC application supporting LEA, which lets you configure the LogLogic Appliance with the Check Point server for log collection. The LEA application sends the Check Point logs through syslog to the Appliance. The LogLogic Appliance collects the messages using the Syslog Listener. For more information, see How LogLogic Captures CheckPoint Data.

How do I configure Syslog on Check Point?

Follow the procedures for Configuring Check Point Management Station. Also make sure that you verify your configuration changes on the LogLogic Appliance.
Appendix A Event Reference

This appendix lists the LogLogic-supported Check Point events. The LogLogic Check Point event table identifies events which can be analyzed through the LogLogic Agile Reports, as well as a sample log message. All sample log messages were captured by LogLogic's file pull utility.

LogLogic Support for Check Point Events

The following list describes the contents of each of the columns in the table below.

- Event Type: Action taken in enforcing the Check Point security policy.
- Agile/Search: Defines if the Check Point event is available through the LogLogic Agile Reporting engine or through the search capabilities. If the event is available through the Agile Report engine, then you can use LogLogic's Real-Time and Summary Reports to analyze and display the captured log data. Otherwise, all other supported events that are captured by the LogLogic Appliance can be viewed by performing a search for the log data.
- Event Category: All events belong to the Audit category
- Appears In: LogLogic-provided reports that the event appears in
- Sample Log Message: Sample Check Point log messages converted into text (.txt) format.

The Collector captures invaluable log data to track actions such as modifications to files, account changes, machine access, and other actions that can represent fraudulent activity. The LogLogic Appliance can be configured to provide administrators with real-time alerts whenever data integrity and confidentiality is compromised. In addition, LogLogic's Agile Reports and search capabilities can be used to analyze the captured log data.
Table 1 Check Point Management Station Events

Event 1
  Event Type: action: accept
  Agile/Search: Agile
  Event Category: Audit
  Appears In: Accepted Rules/Policies, Application distribution
  Sample Log Message:
  <38>Dec 17 17:36: %CP: time:14mar :44:30;action:accept;orig: ;i/f_dir:0;i/ f_name:1;src: ;s_port:67;dst: ;service:68;proto:17;rule: 6;packets:1;bytes:337;

Event 2
  Event Type: action: accept and resource:
  Agile/Search: Agile
  Event Category: Audit
  Appears In: Accepted Rules/Policies, Application distribution, Web Surfing
  Sample Log Message:
  <38>Jul 20 10:54: %CP: time:20jul :39:20;action:accept;orig: ;i/f_dir:outbound;i/ f_name:daemon;service:21;proto:6;s_port:1187;src: ;rule:6;dst: ;resource:ftp:// /qorusag ftp:// / qorusagakfgfg;product:vpn-1 & FireWall-1;xlatesrc: ;xlatesport:1187;xlatedport:0;srcOutBytes:0;dstOut Bytes:0;

Event 3
  Event Type: action: accept and resource: ftp://
  Agile/Search: Agile
  Event Category: Audit
  Appears In: Accepted Rules/Policies, Application distribution, FTP Connections
  Sample Log Message:
  <38>Jul 20 10:54: %CP: time:20jul :39:20;action:accept;orig: ;i/f_dir:outbound;i/ f_name:daemon;service:21;proto:6;s_port:1187;src: ;rule:6;dst: ;resource:ftp:// /qorusag ftp:// / qorusagakfgfg;product:vpn-1 & FireWall-1;xlatesrc: ;xlatesport:1187;xlatedport:0;srcOutBytes:0;dstOut Bytes:0;

Event 4
  Event Type: action: drop
  Agile/Search: Agile
  Event Category: Audit
  Appears In: Denied Rules/Policies
  Sample Log Message:
  <38>Dec 17 17:36: %CP: time:14mar :37:59;action:drop;orig: ;i/f_dir:0;i/ f_name:1;src: ;s_port:61153;dst: ;service:137;proto:17;r ule:4;

Event 5
  Event Type: action: drop and product: SmartDefense
  Agile/Search: Agile
  Event Category: Audit
  Appears In: Security Events
  Sample Log Message:
  <38>Jun 30 10:34: %CP: time:30jun :31:45;action:drop;orig: ;i/f_dir:inbound;direction:2;i/ f_name:eth-s3p1c2;product:smartdefense; policy_id_tag:product=vpn-1 & FireWall-1[db_tag={F914CCAD-7D6F-4DE4-B CA9DEA9E};mgmt=check point-mgmt;date= ;policy_name=main];tcp flags:fin;attack Info:TCP flags do not make sense;attack:bad packet;src: ;s_port:49434;dst: ;service:2203;proto:6;srcoutb ytes:0;dstoutbytes:0;infoex: policy_id_tag-product=vpn-1 & FireWall-1[db_tag={F914CCAD-7D6F-4DE4-B CA9DEA9E},mgmt=check point-mgmt,date= ,policy_name=main], TCP flags-fin, Attack Info-TCP flags do not make sense;

Event 6
  Event Type: action: drop and resource: ftp://
  Agile/Search: Agile
  Event Category: Audit
  Appears In: Denied Rules/Policies, FTP Connections
  Sample Log Message:
  <38>Jul 20 10:54: %CP: time:20jul :39:20;action:drop;orig: ;i/f_dir:0;i/ f_name:1;src: ;s_port:1187;dst: ;service:21;proto:6;rule:6;res ource:ftp:// /qorusag ftp:// /qorusagakfgfg;

Event 7
  Event Type: action: drop and resource:
  Agile/Search: Agile
  Event Category: Audit
  Appears In: Denied Rules/Policies, Web Surfing
  Sample Log Message:
  <38>Jul 20 10:54: %CP: time:20jul :39:29;action:accept;orig: ;i/f_dir:outbound;direction:2;i/ f_name:eth0;product:vpn-1 & FireWall-1;src: ;s_port:16182;dst: ;service:80;proto:6;ll_rule:7; rule:4;resource:

Event 8
  Event Type: action: reject
  Agile/Search: Agile
  Event Category: Audit
  Appears In: Denied Rules/Policies
  Sample Log Message:
  <38>Dec 17 17:36: %CP: time:20mar :50:57;action:reject;orig: ;i/f_dir:0;i/ f_name:1;src: ;s_port:50878;dst: ;service:6003;proto:6; rule:6;message_info:x11 is not allowed through service '* any'. To enable, create an earlier rule that explicitly allows X11.;packets:0;bytes:0;

Event 9
  Event Type: action: reject and product: VPN-1 & FireWall-1
  Agile/Search: Agile
  Event Category: Audit
  Appears In: Security Events
  Sample Log Message:
  <38>Dec 17 17:36: %CP: time:20mar :50:57;action:reject;orig: ;i/f_dir:0;i/ f_name:1;src: ;s_port:50878;dst: ;service:6003;proto:6; rule:6;product:vpn-1 & FireWall-1;message_info:Net quota exceeded; packets:0;bytes:0;
Event 10
  Event Type: action: reject and product: SmartDefense
  Agile/Search: Agile
  Event Category: Audit
  Appears In: Security Events
  Sample Log Message:
  <38>Dec 17 17:36: %CP: time:20mar :50:57;action:reject;orig: ;i/f_dir:0;i/ f_name:1;src: ;s_port:50878;dst: ;service:6003;proto:6; rule:6;product:smartdefense;attack:url worm;packets:0;bytes:0;

Event 11
  Event Type: action: reject and resource: ftp://
  Agile/Search: Agile
  Event Category: Audit
  Appears In: Denied Rules/Policies, FTP Connections
  Sample Log Message:
  <38>Dec 17 17:36: %CP: time:20mar :50:57;action:reject;orig: ;i/f_dir:0;i/ f_name:1;src: ;s_port:50878;dst: ;service:6003;proto:6; rule:8;resource:ftp:// /qorusag ftp:// /qorusagakfgfg;

Event 12
  Event Type: action: reject and resource:
  Agile/Search: Agile
  Event Category: Audit
  Appears In: Denied Rules/Policies, Web Surfing
  Sample Log Message:
  <38>Dec 17 17:36: %CP: time:20mar :50:57;action:reject;orig: ;i/f_dir:0;i/ f_name:1;src: ;s_port:50878;dst: ;service:6003;proto:6; rule:8;resource:resource:

Event 13
  Event Type: action: reject and scheme::ike
  Agile/Search: Agile
  Event Category: Audit
  Appears In: User Access, User Authentication,, VPN Access, VPN Events
  Sample Log Message:
  <38>Aug 10 21:07: %CP: time:10aug :09:08;action:reject;orig: ;i/f_dir:inbound;i/ f_name:daemon;alert:alert;src: ;dst: ;user:logtes;reason ::Client Encryption: Unknown user;scheme::ike;reject_category:secureclient authentication failure;srcoutbytes:0;dstoutbytes:0;infoex:alert-alert, user-logtes, reason:-client Encryption: Unknown user, scheme::ike, reject_category-secureclient authentication failure;

Event 14
  Event Type: action:ctl and sys_msgs:security policy installed/uninstalled
  Agile/Search: Agile
  Event Category: Audit
  Appears In: Security Events
  Sample Log Message:
  <38>Dec 17 17:36: %CP: time:18mar :42:17;action:ctl;orig: ;i/f_dir:0;i/ f_name:4;has_accounting:0;uuid:< , , , >;sys _msgs:security policy uninstalled;

Event 15
  Event Type: action:ctl and sys_msgs:xxx
  Agile/Search: Agile
  Event Category: Audit
  Appears In: System Events
  Sample Log Message:
  <38>Dec 17 17:36: %CP: time:20mar :23:58;action:ctl;orig: ;i/f_dir:0;i/ f_name:4;has_accounting:0;uuid:< , , , >;sys _msgs:started sending log to localhost;

Event 16
  Event Type: action: keyinst
  Agile/Search: Agile
  Event Category: Audit
  Appears In: User Access, User Authentication,, Active VPN VPN Events
  Sample Log Message:
  <38>Aug 4 13:48: %CP: time: 4Aug :50:22;action:keyinst;orig: ;i/f_dir:inbound;i/ f_name:daemon;src: ;dst: ;peer gateway:corporate;scheme::ike;ike::informational Exchange Send Delete IPSEC-SA to Peer: 409d5da2; SPI: accd87fa;cookiei:efaf2bde660ff67b;cookier:b02f0f3df5f4e745;msgid:d333691b;c ommunity:loglogic;srcoutbytes:0;dstoutbytes:0;infoex:peer gateway-corporate, scheme:-ike, IKE:-Informational Exchange Send Delete IPSEC-SA to Peer: 409d5da2, SPI: accd87fa, CookieI-efaf2bde660ff67b, CookieR-b02f0f3df5f4e745, msgid-d333691b, community-loglogic;

Event 17
  Event Type: action: keyinst and IKE:: Main Mode completion
  Agile/Search: Agile
  Event Category: Audit
  Appears In: User Access, User Authentication,, Active VPN VPN Access, VPN Sessions, VPN Top Lists, VPN Events
  Sample Log Message:
  <38>Aug 4 13:48: %CP: time: 4Aug :50:22;action:keyinst;orig: ;i/f_dir:inbound;i/ f_name:daemon;src: ;dst: ;peer gateway:corporate;scheme::ike;ike::main Mode completion.;cookiei:efaf2bde660ff67b;cookier:b02f0f3df5f4e745;methods::aes SHA1, Pre shared secrets;community:loglogic;srcoutbytes:0;dstoutbytes:0;infoex:peer gateway-corporate, scheme:-ike, IKE:-Main Mode completion., CookieI-efaf2bde660ff67b, CookieR-b02f0f3df5f4e745, methods:-aes SHA1, Pre shared secrets, community-loglogic;
Event 18
  Event Type: action: encrypt
  Agile/Search: Agile
  Event Category: Audit
  Appears In: Accepted User Access, User Authentication,, Active VPN VPN Events
  Sample Log Message:
  <38>Aug 4 13:48: %CP: time: 4Aug :50:19;action:encrypt;orig: ;i/f_dir:inbound;i/ f_name:eth-s2p1c0;product:vpn-1 & FireWall-1; policy_id_tag:product=vpn-1 & FireWall-1[db_tag={490048AE-050C-11DA-9207-D18E1548C2C2};mgmt=Elohim;d ate= ;policy_name=standard];icmp:echo Request;src: ;dst: ;proto:1;ICMP Type:8;ICMP Code:0;rule:internal;scheme::IKE;dstkeyid:0x202d75b0;methods::ESP: AES SHA1;peer gateway:corporate;community:loglogic;srcoutbytes:0;dstoutbytes:0;infoex: polic y_id_tag-product=vpn-1 & FireWall-1[db_tag={490048AE-050C-11DA-9207-D18E1548C2C2},mgmt=Elohim,d ate= ,policy_name=standard], ICMP-Echo Request, ICMP Type-8, ICMP Code-0, scheme:-ike, dstkeyid-0x202d75b0, methods:-esp: AES SHA1, peer gateway-corporate, community-loglogic;

Event 19
  Event Type: action: decrypt
  Agile/Search: Agile
  Event Category: Audit
  Appears In: Accepted User Access, User Authentication,, Active VPN VPN Events
  Sample Log Message:
  <38>Aug 10 21:07: %CP: time:10aug :08:45;action:decrypt;orig: ;i/f_dir:inbound;direction:2;i/ f_name:eth-s3p1c0;product:vpn-1 & FireWall-1; policy_id_tag:product=vpn-1 & FireWall-1[db_tag={41F A1B-11DA-8613-D18E15485C5C};mgmt=Elohim;d ate= ;policy_name=standard];src: ;s_port:1589;dst: ;service:18234;proto:17;xlatedst: ;xlatesport:0;xlatedport:0;NAT_rul enum:internal;nat_addtnl_rulenum:internal;rule:internal;message_info:implied rule;scheme::ike;srckeyid:0xb137e7b7;methods::esp: 3DES + SHA1;peer gateway: ;vpn_user:logtest;srcoutbytes:0;dstoutbytes:0;infoex: po licy_id_tag-product=vpn-1 & FireWall-1[db_tag={41F A1B-11DA-8613-D18E15485C5C},mgmt=Elohim,d ate= ,policy_name=standard], NAT_rulenum-internal, NAT_addtnl_rulenum-internal, scheme:-ike, srckeyid-0xb137e7b7, methods:-esp: 3DE

Event 20
  Event Type: action: authcrypt
  Agile/Search: Agile
  Event Category: Audit
  Appears In: User Access, User Authentication,, VPN Access, Active VPN VPN Sessions, VPN Top Lists, VPN Events
  Sample Log Message:
  <38>Aug 10 21:06: %CP: time:10aug :08:20;action:authcrypt;orig: ;i/f_dir:inbound;i/ f_name:daemon;src: ;dst: ;user:logtest;reason::client Encryption: Authenticated by Internal Password;scheme::IKE;methods::AES-256,IKE,SHA1;srcOutBytes:0;dstOutBytes: 0;infoex:user-logtest, reason:-client Encryption: Authenticated by Internal Password, scheme:-ike, methods:-aes-256,ike,sha1;

Event 21
  Event Type: Create Object
  Sample Log Message:
  <109>Aug 19 08:24: %CP_AUDIT: time:20aug2006 3:57:02;action:accept;orig: ;i/f_dir:outbound;i/ f_name:;has_accounting:0;product:smartupdate;objectname:the_contracts_flags; ObjectType:contracts_flags;ObjectTable:contracts;Operation:Create Object;Uid:{240F911C-B71F-47B7-B78B-3C16533BB29F};Administrator:SmartUpd ate;machine:localhost;subject:object Manipulation;Operation Number:0;lea_ip: ;

Event 22
  Event Type: Modify Object
  Sample Log Message:
  <109>Aug 19 08:35: %CP_AUDIT: time:20aug2006 4:08:16;action:accept;orig: ;i/f_dir:outbound;i/ f_name:;has_accounting:0;product:smartdashboard;objectname:standard;object Type:firewall_policy;ObjectTable:fw_policies;Operation:Modify Object;Uid:{1F52940A-B7E9-403B C4131AEE9A};Administrator:Admin;Ma chine:ll210;fieldschanges:rule 2: added 'security_rule' - ;Source: Any ;Destination: Any ;VPN: Any ;Service: Any ;Action: accept;install On: Any ; ;;Subject:Object Manipulation;Operation Number:1;lea_ip: ;
Event 23
  Event Type: Rename Object
  Sample Log Message:
  <109>Aug 19 08:55: %CP_AUDIT: time:20aug2006 4:28:10;action:accept;orig: ;i/f_dir:outbound;i/ f_name:;has_accounting:0;product:smartdashboard;objectname:testuser1;object Type:user;ObjectTable:users;Operation:Rename Object;Uid:{6FD10146-F789-4B25-B8DD-D2F15206CF29};Administrator:Admin;M achine:ll210;fieldschanges:object name was changed from 'testuser' to 'testuser1' ;;Subject:Object Manipulation;Operation Number:2;lea_ip: ;

Event 24
  Event Type: Delete Object
  Agile/Search: Agile
  Event Category: CP Audit
  Appears In: User Access,
  Sample Log Message:
  <109>Aug 20 06:20: %CP_AUDIT: time:21aug2006 1:53:24;action:accept;orig: ;i/f_dir:outbound;i/ f_name:;has_accounting:0;product:smartdashboard;objectname:sec215;objectt ype:host_ckp;objecttable:network_objects;operation:delete Object;Uid:{F4E9274E-CD B17B-5E98D1F0DE0E};Administrator:Admin;M achine:ll210;subject:object Manipulation;Operation Number:3;lea_ip: ;

Event 25
  Event Type: Install Policy
  Sample Log Message:
  <109>Aug 19 07:18: %CP_AUDIT: time:20aug2006 2:51:49;action:accept;orig: ;i/f_dir:outbound;i/ f_name:;has_accounting:0;product:internal;objectname:california_gw;objecttyp e:firewall_application;objecttable:applications;operation:install Policy;Uid:{6FD10146-F789-4B25-B8DD-D2F15206CF29};Administrator:fwadmin; Machine:Client2;Subject:Policy Installation;Audit Status:Success;Additional Info:Security Policy : Standard;Operation Number:7;lea_ip: ;

Event 26
  Event Type: Uninstall Policy
  Sample Log Message:
  <109>Aug 19 07:18: %CP_AUDIT: time:20aug2006 2:51:49;action:accept;orig: ;i/f_dir:outbound;i/ f_name:;has_accounting:0;product:internal;objectname:california_gw;objecttyp e:firewall_application;objecttable:applications;operation:uninstall Policy;Uid:{6FD10146-F789-4B25-B8DD-D2F15206CF29};Administrator:fwadmin; Machine:Client2;Subject:Policy Installation;Audit Status:Success;Operation Number:8;lea_ip: ;

Event 27
  Event Type: Log In
  Agile/Search: Agile
  Event Category: CP Audit
  Appears In: User Authentication, User Access,
  Sample Log Message:
  <109>Aug 19 06:59: %CP_AUDIT: time:20aug2006 2:32:32;action:accept;orig: ;i/f_dir:outbound;i/ f_name:;has_accounting:0;product:cpmi Client;Operation:Log In;Administrator:Admin;Machine:localhost;Subject:Administrator Login;Additional Info:Authentication method: Internal Password;Operation Number:10;lea_ip: ;

Event 28
  Event Type: Log In
  Agile/Search: Agile
  Event Category: CP Audit
  Appears In: User Authentication, User Access,
  Sample Log Message:
  <109>Aug 19 07:18: %CP_AUDIT: time:20aug2006 2:51:49;action:accept;orig: ;i/f_dir:outbound;i/ f_name:;has_accounting:0;product:smartview Tracker;Operation:Log In;Administrator:Admin;Machine:LL210;Subject:Administrator Login;Audit Status:Failure;Additional Info:Administrator failed to log in: Wrong Password;Operation Number:11;lea_ip: ;

Event 29
  Event Type: Log Out
  Agile/Search: Agile
  Event Category: CP Audit
  Appears In: User Access
  Sample Log Message:
  <109>Aug 19 07:18: %CP_AUDIT: time:20aug2006 2:51:31;action:accept;orig: ;i/f_dir:outbound;i/ f_name:;has_accounting:0;product:smartview Tracker;Operation:Log Out;Administrator:Admin;Machine:LL210;Subject:Administrator Login;Operation Number:12;lea_ip: ;

Event 30
  Event Type: Initialize SIC Certificate
  Sample Log Message:
  <109>Aug 20 04:10: %CP_AUDIT: time:20aug :43:00;action:accept;orig: ;i/f_dir:outbound;i/ f_name:;has_accounting:0;product:smartdashboard;objectname:cpshared_applic ation_sec215;objecttype:cpshared_application;objecttable:applications;operatio n:initialize SIC Certificate;Administrator:Admin;Machine:LL210;Subject:SIC Certificate;Operation Number:13;lea_ip: ;
31 Push SIC Certificate
Sample Log Message: <109>Aug 20 04:10: %CP_AUDIT: time:20aug :43:00;action:accept;orig: ;i/f_dir:outbound;i/f_name:;has_accounting:0;product:smartdashboard;objectname:cpshared_application_sec215;objecttype:cpshared_application;objecttable:applications;operation:push SIC Certificate;Administrator:Admin;Machine:LL210;Subject:SIC Certificate;Operation Number:14;lea_ip: ;

32 Revoke SIC Certificate
Sample Log Message: <109>Aug 20 04:32: %CP_AUDIT: time:21aug2006 0:04:57;action:accept;orig: ;i/f_dir:outbound;i/f_name:;has_accounting:0;product:smartdashboard;objectname:cpshared_application_sec215;objecttype:cpshared_application;objecttable:applications;operation:revoke SIC Certificate;Administrator:Admin;Machine:LL210;Subject:SIC Certificate;Operation Number:15;lea_ip: ;

33 Initialize User Registration Key
Sample Log Message: <109>Aug 19 08:30: %CP_AUDIT: time:20aug2006 4:03:25;action:accept;orig: ;i/f_dir:outbound;i/f_name:;has_accounting:0;product:smartdashboard;objectname:testuser;objecttype:user;objecttable:users;operation:initialize User Registration Key;Administrator:Admin;Machine:LL210;Subject:User Certificate;Operation Number:16;lea_ip: ;

34 Disable User Registration Key
Sample Log Message: <109>Aug 19 08:30: %CP_AUDIT: time:20aug2006 4:03:32;action:accept;orig: ;i/f_dir:outbound;i/f_name:;has_accounting:0;product:smartdashboard;objectname:testuser;objecttype:user;objecttable:users;operation:disable User Registration Key;Administrator:Admin;Machine:LL210;Subject:User Certificate;Operation Number:17;lea_ip: ;

35 Generate User Certificate
Sample Log Message: <109>Aug 19 08:28: %CP_AUDIT: time:20aug2006 4:01:14;action:accept;orig: ;i/f_dir:outbound;i/f_name:;has_accounting:0;product:smartdashboard;objectname:testuser;objecttype:user;objecttable:users;operation:generate User Certificate;Administrator:Admin;Machine:LL210;Subject:User Certificate;Operation Number:18;lea_ip: ;

36 Revoke User Certificate
Sample Log Message: <109>Aug 19 08:30: %CP_AUDIT: time:20aug2006 4:03:19;action:accept;orig: ;i/f_dir:outbound;i/f_name:;has_accounting:0;product:smartdashboard;objectname:testuser;objecttype:user;objecttable:users;operation:revoke User Certificate;Administrator:Admin;Machine:LL210;Subject:User Certificate;Operation Number:19;lea_ip: ;

37 Force Log out
Agile/Search: Agile
Event Category: CP Audit
Appears In: User Access
Sample Log Message: <109>Aug 20 09:38: %CP_AUDIT: time:21aug2006 5:11:14;action:accept;orig: ;i/f_dir:outbound;i/f_name:;has_accounting:0;product:smartview Monitor;Operation:Force Log Out;Administrator:Admin;Machine:LL210;Subject:Administrator Login;Additional Info:Disconnect administrator 'Admin' using cpmi_client;operation Number:21;lea_ip: ;

38 Revert to Version
Sample Log Message: <109>Aug 19 08:57: %CP_AUDIT: time:20aug2006 4:30:29;action:accept;orig: ;i/f_dir:outbound;i/f_name:;has_accounting:0;product:smartdashboard;objectname:version 1;Operation:Revert to Version;Administrator:Admin;Machine:LL210;Subject:Revision Control;Additional Info:Version Name: test;operation Number:22;lea_ip: ;

39 Create Version
Sample Log Message: <109>Aug 19 08:55: %CP_AUDIT: time:20aug2006 4:28:39;action:accept;orig: ;i/f_dir:outbound;i/f_name:;has_accounting:0;product:smartdashboard;objectname:version 1;Operation:Create Version;Administrator:Admin;Machine:LL210;Subject:Revision Control;Additional Info:Version Name: test;operation Number:23;lea_ip: ;
40 Delete Version
Sample Log Message: <109>Aug 19 09:01: %CP_AUDIT: time:20aug2006 4:34:37;action:accept;orig: ;i/f_dir:outbound;i/f_name:;has_accounting:0;product:smartdashboard;objectname:version 1;Operation:Delete Version;Administrator:Admin;Machine:LL210;Subject:Revision Control;Additional Info:Version Name: test;operation Number:24;lea_ip: ;

41 Synchronize Peer
Sample Log Message: <109>Aug 20 04:31: %CP_AUDIT: time:21aug2006 0:04:41;action:accept;orig: ;i/f_dir:outbound;i/f_name:;has_accounting:0;product:smartcenter Server;ObjectName:SERVER B;Operation:Synchronize Peer;Administrator:fwadmin;Machine:Client2;Subject:Management HA;Audit Status:Success;Additional Info:Type: automatic, event: MgmtSync;Operation Number:24;lea_ip: ;

42 Synchronize Peer
Sample Log Message: <109>Aug 20 04:31: %CP_AUDIT: time:21aug2006 0:04:41;action:accept;orig: ;i/f_dir:outbound;i/f_name:;has_accounting:0;product:smartcenter Server;ObjectName:SERVER B;Operation:Synchronize Peer;Administrator:fwadmin;Machine:Client2;Subject:Management HA;Audit Status:Failure;Additional Info:Type: automatic, event: SCS-SYNCH. Error: Synchronization is not allowed: No license. Peer's mode: standby, status: Lagging.;Operation Number:24;lea_ip: ;

43 Synchronize Peer
Sample Log Message: <109>Aug 20 04:31: %CP_AUDIT: time:21aug2006 0:04:41;action:accept;orig: ;i/f_dir:outbound;i/f_name:;has_accounting:0;product:smartcenter Server;ObjectName:SERVER B;Operation:Synchronize Peer;Administrator:fwadmin;Machine:Client2;Subject:Management HA;Audit Status:Incomplete;Additional Info:Type: automatic, xxx.;operation Number:24;lea_ip: ;

44 Synchronize Peer
Sample Log Message: <109>Aug 20 04:31: %CP_AUDIT: time:21aug2006 0:04:41;action:accept;orig: ;i/f_dir:outbound;i/f_name:;has_accounting:0;product:smartdashboard;objectname:secondary_management;operation:synchronize Peer;Administrator:fwadmin;Machine:Client2;Subject:Management HA;Audit Status:Success;Additional Info:Type: manual. ICA DB initialization.;operation Number:24;lea_ip: ;

45 Synchronize Peer
Sample Log Message: <109>Aug 19 07:18: %CP_AUDIT: time:20aug2006 2:51:49;action:accept;orig: ;i/f_dir:outbound;i/f_name:;has_accounting:0;product:internal;objectname:primary_management;operation:synchronized By Peer;Administrator:SmartCenter Server;Machine:localhost;Subject:Management HA;Audit Status:Success;Operation Number:25;lea_ip: ;

46 Synchronized by Peer
Sample Log Message: <109>Aug 19 07:18: %CP_AUDIT: time:20aug2006 2:51:49;action:accept;orig: ;i/f_dir:outbound;i/f_name:;has_accounting:0;product:internal;objectname:primary_management;operation:synchronized By Peer;Administrator:SmartCenter Server;Machine:localhost;Subject:Management HA;Audit Status:Success;Operation Number:25;lea_ip: ;

47 Change to Active
Sample Log Message: <109>Aug 19 07:18: %CP_AUDIT: time:20aug2006 2:51:49;action:accept;orig: ;i/f_dir:outbound;i/f_name:;has_accounting:0;product:smartdashboard;objectname:primary_management;operation:change to Active;Administrator:fwadmin;Machine:Client2;Subject:Management HA;Audit Status:Success;Operation Number:26;lea_ip: ;
48 Change to Standby
Agile/Search: Agile
Sample Log Message: <109>Aug 19 07:18: %CP_AUDIT: time:20aug2006 2:51:49;action:accept;orig: ;i/f_dir:outbound;i/f_name:;has_accounting:0;product:smartdashboard;objectname:primary_management;operation:change to Standby;Administrator:fwadmin;Machine:Client2;Subject:Management HA;Audit Status:Success;Operation Number:27;lea_ip: ;

49 Detect Active Server
Sample Log Message: <109>Aug 19 07:18: %CP_AUDIT: time:20aug2006 2:51:49;action:accept;orig: ;i/f_dir:outbound;i/f_name:;has_accounting:0;product:internal;operation:detect Active Server;Administrator:SmartCenter Server;Machine:localhost;Subject:Management HA;Audit Status:Success;Additional Info:xxx;Operation Number:28;lea_ip: ;

50 Detect Active Server
Sample Log Message: <109>Aug 19 07:18: %CP_AUDIT: time:20aug2006 2:51:49;action:accept;orig: ;i/f_dir:outbound;i/f_name:;has_accounting:0;product:internal;operation:detect Active Server;Administrator:SmartCenter Server;Machine:localhost;Subject:Management HA;Audit Status:Failure;Additional Info:Multiple active management servers detected: Secondary_Management Primary_Management;Operation Number:28;lea_ip: ;

51 File Stored
Sample Log Message: <109>Aug 19 07:18: %CP_AUDIT: time:20aug2006 2:51:49;action:accept;orig: ;i/f_dir:outbound;i/f_name:;has_accounting:0;product:smartview Tracker;Operation:File Stored;Administrator:Admin;Machine:LL210;session_id:Eventia Analyzer Server;Subject:File Operation;Additional Info:sd_updates;Operation Number:32;lea_ip: ;

52 File Retrieved
Sample Log Message: <109>Aug 19 07:18: %CP_AUDIT: time:20aug2006 2:51:49;action:accept;orig: ;i/f_dir:outbound;i/f_name:;has_accounting:0;product:smartview Tracker;Operation:File Retrieved;Administrator:Admin;Machine:LL210;Subject:File Operation;Additional Info:sd_updates;Operation Number:33;lea_ip: ;

53 Install Module
Sample Log Message: <109>Jul 13 13:54: %CP_AUDIT: time:13jul :54:43;action:accept;orig: ;i/f_dir:outbound;i/f_name:;has_accounting:0;product:smartupdate;objectname:logexpo;operation:install Module;Administartor:Admin;Machine:LL215;Subject:SmartUpdate Operation;Audit Status:Success;Operation Number:34;lea_ip: ;

54 Install Module
Sample Log Message: <109>Jul 13 13:54: %CP_AUDIT: time:13jul :54:43;action:accept;orig: ;i/f_dir:outbound;i/f_name:;has_accounting:0;product:smartupdate;objectname:logexpo;operation:install Module;Administartor:Admin;Machine:LL215;Subject:SmartUpdate Operation;Audit Status:Failure;Operation Number:34;lea_ip: ;

55 Uninstall Module
Sample Log Message: <109>Jul 13 13:54: %CP_AUDIT: time:13jul :54:43;action:accept;orig: ;i/f_dir:outbound;i/f_name:;has_accounting:0;product:smartupdate;objectname:logexpo;operation:uninstall Module;Administartor:Admin;Machine:LL215;Subject:SmartUpdate Operation;Audit Status:Success;Operation Number:35;lea_ip: ;

56 Uninstall Module
Sample Log Message: <109>Jul 13 13:54: %CP_AUDIT: time:13jul :54:43;action:accept;orig: ;i/f_dir:outbound;i/f_name:;has_accounting:0;product:smartupdate;objectname:logexpo;operation:uninstall Module;Administartor:Admin;Machine:LL215;Subject:SmartUpdate Operation;Audit Status:Failure;Operation Number:35;lea_ip: ;
57 Set Session Description
Sample Log Message: <109>Jul 13 13:54: %CP_AUDIT: time:13jul :54:43;action:accept;orig: ;i/f_dir:outbound;i/f_name:;has_accounting:0;product:eventia Analyzer Server;Operation:Set Session Description;Administrator:localhost;Machine:share-cpmodule1;session_id:Eventia Analyzer Server;Subject:Administrator Login;Additional Info:Eventia Analyzer Server;Operation Number:48;lea_ip: ;

58 Log Export
Sample Log Message: <109>Aug 20 06:37: %CP_AUDIT: time:21aug2006 2:10:27;action:accept;orig: ;i/f_dir:outbound;i/f_name:;has_accounting:0;product:smartview Tracker;Operation:Log Export;Administrator:Admin;Machine:LL210;Subject:Logging;Additional Info:Audit file 'fw.adtlog' was exported to "C:\log.txt";Operation Number:49;lea_ip: ;

59 Log Switch
Sample Log Message: <109>Aug 20 06:37: %CP_AUDIT: time:21aug2006 2:10:27;action:accept;orig: ;i/f_dir:outbound;i/f_name:;has_accounting:0;product:smartview Tracker;Operation:Log Switch;Administrator:Admin;Machine:LL210;Subject:Logging;Additional Info:Active log file was switched to 'xxx.log';operation Number:50;lea_ip: ;

60 Log Purge
Sample Log Message: <109>Aug 20 06:37: %CP_AUDIT: time:21aug2006 2:10:27;action:accept;orig: ;i/f_dir:outbound;i/f_name:;has_accounting:0;product:smartview Tracker;Operation:Log Purge;Administrator:Admin;Machine:LL210;Subject:Logging;Additional Info:Active log file was purged;operation Number:51;lea_ip: ;

61 License violation detected
Sample Log Message: <109>Aug 19 08:35: %CP_AUDIT: time:20aug2006 4:08:16;action:accept;orig: ;i/f_dir:outbound;i/f_name:;has_accounting:0;product:smartdashboard;objectname:xxx;objecttype:xxx;objecttable:xxx;operation:license Violation Detected;Uid:xxx;Administrator:Admin;Machine:LL210;sesson_id:xxx;Subject:MDS Information;Audit Status:Success;Additional Info:xxx;Operation Number:x;lea_ip: ;

62 Schedule Log Export
Sample Log Message: <109>Aug 19 08:35: %CP_AUDIT: time:20aug2006 4:08:16;action:accept;orig: ;i/f_dir:outbound;i/f_name:;has_accounting:0;product:smartdashboard;objectname:xxx;objecttype:xxx;objecttable:xxx;operation:schedule Log Export;Uid:xxx;Administrator:Admin;Machine:LL210;sesson_id:xxx;Subject:Logging;audit Status:Success;Additional Info:xxx;Operation Number:x;lea_ip: ;

63 Schedule Log Export
Sample Log Message: <109>Aug 19 08:35: %CP_AUDIT: time:20aug2006 4:08:16;action:accept;orig: ;i/f_dir:outbound;i/f_name:;has_accounting:0;product:smartdashboard;objectname:xxx;objecttype:xxx;objecttable:xxx;operation:schedule Log Export;Uid:xxx;Administrator:Admin;Machine:LL210;sesson_id:xxx;Subject:Logging;audit Status:Failure;Additional Info:xxx;Operation Number:x;lea_ip: ;
User Manual. Onsight Management Suite Version 5.1. Another Innovation by Librestream
User Manual Onsight Management Suite Version 5.1 Another Innovation by Librestream Doc #: 400075-06 May 2012 Information in this document is subject to change without notice. Reproduction in any manner
User's Guide. Product Version: 2.5.0 Publication Date: 7/25/2011
User's Guide Product Version: 2.5.0 Publication Date: 7/25/2011 Copyright 2009-2011, LINOMA SOFTWARE LINOMA SOFTWARE is a division of LINOMA GROUP, Inc. Contents GoAnywhere Services Welcome 6 Getting Started
Installation Guide ARGUS Symphony 1.6 and Business App Toolkit. 6/13/2014 2014 ARGUS Software, Inc.
ARGUS Symphony 1.6 and Business App Toolkit 6/13/2014 2014 ARGUS Software, Inc. Installation Guide for ARGUS Symphony 1.600.0 6/13/2014 Published by: ARGUS Software, Inc. 3050 Post Oak Boulevard Suite
Application Interface Services Server for Mobile Enterprise Applications Configuration Guide Tools Release 9.2
[1]JD Edwards EnterpriseOne Application Interface Services Server for Mobile Enterprise Applications Configuration Guide Tools Release 9.2 E61545-01 October 2015 Describes the configuration of the Application
Deploying the BIG-IP System with Oracle E-Business Suite 11i
Deploying the BIG-IP System with Oracle E-Business Suite 11i Introducing the BIG-IP and Oracle 11i configuration Configuring the BIG-IP system for deployment with Oracle 11i Configuring the BIG-IP system
ESET SECURE AUTHENTICATION. Check Point Software SSL VPN Integration Guide
ESET SECURE AUTHENTICATION Check Point Software SSL VPN Integration Guide ESET SECURE AUTHENTICATION Copyright 2013 by ESET, spol. s r.o. ESET Secure Authentication was developed by ESET, spol. s r.o.
Virtual Data Centre. User Guide
Virtual Data Centre User Guide 2 P age Table of Contents Getting Started with vcloud Director... 8 1. Understanding vcloud Director... 8 2. Log In to the Web Console... 9 3. Using vcloud Director... 10
1.6 HOW-TO GUIDELINES
Version 1.6 HOW-TO GUIDELINES Setting Up a RADIUS Server Stonesoft Corp. Itälahdenkatu 22A, FIN-00210 Helsinki Finland Tel. +358 (9) 4767 11 Fax. +358 (9) 4767 1234 email: [email protected] Copyright
Managing Software and Configurations
55 CHAPTER This chapter describes how to manage the ASASM software and configurations and includes the following sections: Saving the Running Configuration to a TFTP Server, page 55-1 Managing Files, page
RSA Authentication Manager 7.1 Basic Exercises
RSA Authentication Manager 7.1 Basic Exercises Contact Information Go to the RSA corporate web site for regional Customer Support telephone and fax numbers: www.rsa.com Trademarks RSA and the RSA logo
Integrating LANGuardian with Active Directory
Integrating LANGuardian with Active Directory 01 February 2012 This document describes how to integrate LANGuardian with Microsoft Windows Server and Active Directory. Overview With the optional Identity
Forms Printer User Guide
Forms Printer User Guide Version 10.51 for Dynamics GP 10 Forms Printer Build Version: 10.51.102 System Requirements Microsoft Dynamics GP 10 SP2 or greater Microsoft SQL Server 2005 or Higher Reporting
Parallels Plesk Panel
Parallels Plesk Panel Copyright Notice ISBN: N/A Parallels 660 SW 39th Street Suite 205 Renton, Washington 98057 USA Phone: +1 (425) 282 6400 Fax: +1 (425) 282 6444 Copyright 1999-2009, Parallels, Inc.
Hillstone StoneOS User Manual Hillstone Unified Intelligence Firewall Installation Manual
Hillstone StoneOS User Manual Hillstone Unified Intelligence Firewall Installation Manual www.hillstonenet.com Preface Conventions Content This document follows the conventions below: CLI Tip: provides
VPNC Interoperability Profile
StoneGate Firewall/VPN 4.2 and StoneGate Management Center 4.2 VPNC Interoperability Profile For VPN Consortium Example Scenario 1 Introduction This document describes how to configure a StoneGate Firewall/VPN
WNMS Mobile Application
WNMS Mobile Application User s Guide Revision 1.0 18 October 2013 Copyright 2013 Deliberant www.deliberant.com Copyright 2013 Deliberant This user s guide and the software described in it are copyrighted
