SmartView Tracker

In FireWall-1 NG FP2 and before, the application is called the Log Viewer or Log Manager. In NG FP3 and later, it is called SmartView Tracker. I discuss SmartView Tracker specifically in this section. Figure 5.8 shows how SmartView Tracker looks after you authenticate.

Figure 5.8. SmartView Tracker

graphics/05fig08.jpg

When you load up the SmartView Tracker, you will see a number of things. Along the top of the screen, three tabs are shown: Log, Active, and Audit. Log is for rulebase and event logging from Check Point modules, Active means currently active connections, and Audit is for logging the actions of administrators.

Table 5.8 shows the various log fields used by FireWall-1, VPN-1, SecureClient, and SmartDefense.

Table 5.8. Entries in Log Viewer

Entry

Description

No.

The log entry number.

Date

The date the log entry was generated.

Time

The time the log entry was generated.

Product

The product for which this log entry is relevant.

Interface

The interface on which the packet being logged came in or went out (with direction) or indicates "daemon" if the message came from a FireWall-1 daemon (e.g., the security servers, fwm).

Origin

The firewall module that generated the log entry.

Type

Log (normal rulebase logging), Alert (for alert log entries), or Control (changes to policy or logging on a firewall).

Action

The action taken on the packet (Drop, Reject, Accept, and so on).

Service

The service of the packet (HTTP, Telnet, and so on), which is usually based on the destination TCP/UDP port.

Source

The source IP address of the connection or packet.

Destination

The destination IP address of the connection or packet.

Proto

The protocol of the IP packet (TCP, UDP, ICMP, and so on).

Rule No.

The rule number that this connection or packet matched in the rulebase.

NAT rule num.

The NAT rule number that this connection or packet matched in the rulebase.

Nat add. rule num.

The number of an additional NAT rule if one was applied.

Source Port

The source port of the packet if TCP or UDP. For other protocols, this field is gibberish.

User

The appropriate username if the action was an authorization or deauthorization or was the result of an authenticated connection (with or without encryption).

SrcKeyID

The source's KeyID if the action was encrypt or decrypt.

DstKeyID

The destination's KeyID if the action was encrypt or decrypt.

Elapsed

The amount of time the connection was active (Accounting mode only).

Bytes

The number of bytes for the connection in question (Accounting mode only).

XlateSrc

The source IP address the connection will have after NAT is applied.

XlateDst

The destination IP address the connection will have after NAT is applied.

XlateSPort

The source port the connection will have after NAT is applied.

XlateDport

The destination port the connection will have after NAT is applied.

Partner

The name of the partner site making a connection if an extranet is defined.

Community

The name of the community to which this log entry relates if a VPN Community is used.

Enc Scheme

The encryption scheme used for this connection (usually IKE, but may be others if managing FireWall-1 4.1 boxes).

VPN Peer Gateway

The gateway that sent or received the encrypted packet.

IKE Initiator Cookie

Information relating to the IKE communication.

IKE Responder Cookie

Information relating to the IKE communication.

IKE Phase 2 Msg Id

The ID of the IKE negotiation.

Encryption Methods

Lists all the encryption methods used in both encryption and data integrity.

Info

More information about this log entry. For most packets or connections, it will simply show "len X," where X is the number of bytes in the packet. This entry also shows useful information on encrypt/decrypt log entries and drops or rejects on Rule 0.

If you have a serious amount of traffic flowing through the firewall, you will have many log entries. It is very important that you examine your logs on a regular basis to make sure that proper security is maintained. However, it can be difficult to look through a few thousand log entries. The following list contains a few hints that might save you some time.

  • Limit the number of entries that appear in the log. Do not log on every rule, but instead log judiciously. Log only important information (e.g., all unauthorized traffic). Creating rules to catch noise services to drop and not log is one way to do this.

  • Rotate your logs frequently. The SmartView Tracker/Log Viewer does not function very well when the log contains more than a few hundred thousand entries. Although you can rotate your logs manually in the GUI, it is recommended that you set up log rotation on a schedule. This is discussed in the Log Maintenance section later in this chapter.

  • Use the selection criteria to limit the displayed items or to find the entries you are most interested in.

  • Use some of the third-party log analysis tools listed in Appendix G.

Selection criteria are chosen by right-clicking the column title in question and selecting Edit Filter. The options presented depend on the field you click. The following list contains a few notes regarding selection criteria.

  • Selection criteria are cumulative; if you use more than one selection criteria, they will be ANDed together.

  • The SmartView Tracker/Log Viewer remembers previous selection criteria, so you could possibly end up excluding all log entries. Before applying selection criteria, click the Current Selection Criteria button, and make sure all the selection criteria are deleted if necessary.

  • The option Show Null Matches on the Options screen affects how log entries are displayed in the selection criteria. You will see Show Null Matches as an icon above the log entries in FireWall-1 NG FP3 or in the Options section under the Selection menu. This shows entries that are neither included nor excluded by the current selection criteria. For example, if you are selecting entries based on the Action field and you have control entries in your log, they will neither be included nor excluded because control log entries do not have Action entries.

  • Right above the list of log entries are three icons that control whether or not the selection criteria are applied, whether or not IPs are resolved to names, and whether or not services are resolved to names. In FireWall-1 NG FP1 and FP2, these are listed under the Tools menu.

Viewing Logs from the Command Line

You can also view logs from the command line on the management module by using the command fw log. This command shows the logs in ASCII text. Note that not all fields are shown, only relevant fields. Check Point has improved the output of this command so that it is easier to read. It should also be easier to parse with a variety of tools. Output from fw log looks something like this:

Date: Aug 24, 2002

 1:15:02 ctl    craig.phoneboy.com >daemon sys_message:
installed defaultfilter; product: VPN-1 & FireWall-1;

 1:15:02 ctl    craig.phoneboy.com >daemon sys_message:
The eth-s3p1c0 interface is not protected by the
anti-spoofing feature. Your network may be at risk;
product: VPN-1 & FireWall-1;

 1:15:02 ctl    craig.phoneboy.com >daemon sys_message:
The eth-s2p1c0 interface is not protected by the
anti-spoofing feature. Your network may be at risk;
product: VPN-1 & FireWall-1;

 1:15:02 ctl    craig.phoneboy.com >daemon sys_message:
The eth-s1p1c0 interface is not protected by the
anti-spoofing feature. Your network may be at risk;
product: VPN-1 & FireWall-1;

 1:43:20 ctl    craig.phoneboy.com >daemon sys_message:
installed phoneboy-traditional; product: VPN-1 & FireWall-1;

 1:43:20        craig.phoneboy.com >daemon cp_message:
Parameter 'Connections hash table size' changed from
65536 to 32768;

 12:34:08 drop   craig     >eth-s2p1c0 product: VPN-1
& FireWall-1; src: Alpha-Cluster-Inside.foo.com; s_port:
IKE; dst: craig; service: 876; proto: udp; rule: 5;

 12:48:17 accept craig     >eth-s1p1c0 product: VPN-1
& FireWall-1; src: cartman.phoneboy.com; s_port: 2343;
dst: craig; service: https; proto: tcp; rule: 1;

 12:48:22 accept craig     >eth-s1p1c0 product: VPN-1
& FireWall-1; src: cartman.phoneboy.com; s_port: 2344;
dst: craig; service: https; proto: tcp; rule: 1;

 12:48:55 accept craig     >eth-s1p1c0 product: VPN-1
& FireWall-1; src: cartman.phoneboy.com; s_port: 2345;
dst: craig; service: https; proto: tcp; rule: 1;

There are plenty of options you can use with fw log to help you find the log entries you want to examine. Table 5.9 lists the options for this command. Here's the usage information for the fw log command:

fw log [-f [-t]] [-n] [-l] [-o] [-c action] [-h host]
[-s starttime] [-e endtime] [-b starttime endtime]

Table 5.9. Options for the fw log command

Flag

Description

-f

Shows the log forever if no file is specified. Entries are shown as they are generated.

-t

Used with -f to show only new log entries (i.e., entries added after fw log was executed).

-l

Includes the date in each line's log entry instead of printing out the date separately.

-s start-time

Used with -f to show log entries generated after the specified date or time (hh:mm format).

-e end-time

Used with -f to show log entries generated before the specified date or time (hh:mm format).

-b timea timeb

Used with -f to show log entries generated between the specified times.

-o

Shows detailed log chains, i.e., all entries in a log record.

-c action

Shows only entries of a specific action type: accept, drop, reject, ctl.

-u filename

Specifies the unification scheme file name.

-m mode

Specifies the unification mode: semi, raw, initial. The latter is the default.

-a

Shows only accounting log entries.

-k alert-type

Shows only the specified alert_type (or all).

-g

Prevents delimiting of the displayed log entries, i.e., uses no colon (:) after a field name or semicolon (;) after a field value.

-h firewall

Shows log entries generated by the firewall module named "firewall."

-n

Prevents name resolution for source and destination IP addresses.

log-file

Uses the specified log file (otherwise, use $FWDIR/log/fw.log).

[-u unification_scheme_file] [-m (initial|semi|raw)]
[-a] [-k (alert_name|all)] [-g] [logfile]

Viewing Rules in SmartDashboard

When right-clicking on a log entry in SmartTracker in FireWall-1 NG FP3 and above, you have the option of selecting View Rule in SmartDashboard. This is useful because it allows you to see exactly which rule the logged packet hit. However, this works only if the currently installed security policy has a Database Revision associated with it. In SmartDashboard, select File Database Revision Control and create a database revision for the current policy. Install the security policy.

Future Accept log entries can be selected in SmartDashboard and the View Rule in SmartDashboard function will work.

Active Mode and Blocking Connections

So far, I have discussed only the most commonly used mode: Log mode. In the Log Manager application (NG FP3 and later), along the top of the screen beneath the icon bar is a series of tabs. In NG FP2 and before, there is a pull-down menu in the icon bar. Either mechanism allows you to change to the other two modes in the Log Viewer: Active and Audit. Because Active mode works differently than Log mode, let's take a look at how it works. Figure 5.9 shows a screen from Active mode. This mode shows connections that are currently active through the firewall (i.e., in its state tables). Table 5.10 lists the fields that are displayed and provides descriptions of each field.

Figure 5.9. Active mode in Log Manager

graphics/05fig09.gif

Table 5.10. Fields in Log Viewer Active mode

Name

Description

No.

The log entry number.

Date

The date the log entry was generated.

Time

The time the log entry was generated.

Conn. ID

A number referencing this specific connection.

Product

The product this connection is relevant for.

Interface

The name of the interface the packet came in on. Usually "daemon."

Origin

The firewall module that generated the log entry.

Type

Usually Log.

Action

The action taken on the packet, usually Accept.

Service

The service of the packet (HTTP, Telnet, and so on), which is usually based on the destination TCP/UDP port.

Source

The source IP of the packet.

Destination

The destination IP of the packet.

Proto

The IP protocol of the packet. This is usually TCP, UDP, or ICMP, but it could be any IP protocol or a number.

Source Port

The source port of the packet if it is TCP or UDP.

Elapsed

The amount of time elapsed since the connection began, for entries logged as type Accounting.

Bytes

The number of bytes that have elapsed since the connection began, for entries logged as type Accounting.

Information

More information about the entry. This is usually blank.

The main function you can perform in Active mode is to temporarily block a connection. This is done without modifying the existing rulebase in Smart Dashboard/Policy Editor. All such blocks are active until the firewall module is unloaded (e.g., with fw ctl uninstall), the system is rebooted, or the block is manually removed. To block a specific connection, click on the connection, then pull down Block Intruder from the Tools menu. You will be presented with the following options.

Block only this connection: Blocks only this specific connection. If the host attempts to connect to this destination and this service port again, it will be blocked.

Block access from this source: Blocks any connection the host listed as the source attempts to make.

Block access to this destination: Blocks the connection if any host tries to reach this destination host.

Blocking Timeout: Indicates how long this block will be active. Indefinite really means until the firewall module is unloaded (via fw ctl uninstall), a reboot occurs, or the connections are unblocked by using fw sam ?D or fw sam ?C, or by selecting Clear Blocking under the Tools menu.

Force this blocking: Indicates the firewalls that will enforce the block you are requesting. By default, only the firewall the connection went through will enforce this block. This function can be pushed to all firewalls managed by this management console.

Note that you can enable these actions from the command line of the management module or firewall module using the command fw sam, as shown below. These command options are described in Table 5.11.

sam [-v] [-s sam-server] [-S server-sic-name] [-t timeout]
    [-l log] [-f fw-host] [-C] -((n|i|I|j|J) <criteria>

sam [-v] [-s sam-server] [-S server-sic-name] [-f fw-host]
    -M -ijn <criteria>

sam [-v] [-s sam-server] [-S server-sic-name] [-f fw-host] -D

Table 5.11. Options for the fw sam command

Option

Description

-v

Turns on verbose mode.

-s sam_server

Specifies the Suspicious Activity Monitoring (SAM) server to be contacted. The default is localhost.

-t timeout

Specifies the timeout in seconds. The default is Never.

-f fw_gist

Specifies the firewalls to run the operation on. This command option should contain either the name of a firewalled object, the name of a group of firewalled objects, or one of the predefined names: all and gateways. The default is all.

-C

Cancels the specified option.

-n

Notifies every time a connection that matches the specified criteria passes the firewall.

-i

Inhibits connections that match the specified criteria.

-I

Inhibits connections that match the specified criteria and closes existing connections that match it.

-D

Deletes all previous operations.

The criteria for the fw sam command are described in Table 5.12.

The IP addresses in Table 5.12 may be resolvable hostnames or dotted decimal notation addresses. Service may be a resolvable service name (in the services file, like Telnet or WWW) or a service number (a TCP/UDP port number). Protocol may be a protocol name (like TCP) or a protocol number.

Table 5.12. Criteria for the fw sam command

Format

Description

src ipaddr

Matches the source address of connections

dst ipaddr

Matches the destination address of connections

any ipaddr

Matches the source or destination address of connections

subsrc ip netmask

Matches the specified network by IP and netmask in the source IP of the packet

subdst ip netmask

Matches the specified network by IP and netmask in the destination IP of the packet

subany ip netmask

Matches the specified network by IP and netmask in either the source or destination IP of the packet

srv srcip dstip service protocol

Matches the specified source, destination, and service

subsrv srcip netmask dstip netmask service protocol

Matches the specified source network (IP and netmask), specified destination network (IP and netmask), service, and protocol (i.e., blocks a service between two networks)

subsrvs srcip netmask dstip service protocol

Matches the specified source network (IP and netmask), specified destination host, service, and protocol (i.e., blocks a specific network from accessing a particular host via a particular port/protocol)

subsrvd srcip dstip netmask service protocol

Matches the specified source IP, specified destination network (IP and netmask), service, and protocol (i.e., blocks a specific host from accessing a particular network using a specific port/protocol)

dstsrv dstip service protocol

Matches the specified destination IP, service, and protocol (i.e., blocks all access to a specific host via a specific port/protocol)

subdstsrv dstip netmask service protocol

Matches the specified source network (IP and netmask), service, and protocol (i.e., blocks all access to a specific network via a specific port/protocol)

srcpr ip protocol

Matches the specified source IP address and protocol (i.e., prevents a particular IP from originating traffic of a specified protocol type)

dstpr ip protocol

Matches the specified destination IP address and protocol (i.e., prevents all access to a particular host via the specified protocol)

subsrcpr ip netmask protocol

Matches the specified source network (IP and netmask) and protocol (i.e., prevents a particular network from originating traffic of a specified protocol type)

subdstpr ip netmask protocol

Matches the specified destination network (IP and netmask) and protocol (i.e., prevents all access to a particular network via the specified protocol)

For example, if you wanted to turn on additional notification for a specific action, say, accessing www.phoneboy.com, you would type:

# fw sam -n dst www.phoneboy.com

All notifications will appear as rule "sam" in the logs. If you wanted to deny all connections to www.phoneboy.com for 60 seconds, you would type:

# fw sam -t 60 -i dst www.phoneboy.com

If you wanted to deny all connections to foo.bar.com and close any existing connections, you would type:

# fw sam -I dst foo.bar.com

If you wanted to close a specific Telnet connection from host.yoursite.com to foo.bar.com and prevent further requests from that host, you would type:

# fw sam -I srv host.yoursite.com foo.bar.com 23 6

(Note that 23 is the port number for Telnet; 6 is the protocol number for TCP.) To cancel the preceding operation, you would type:

# fw sam -C srv host.yoursite.com foo.bar.com 23 6

To cancel all previous operations (i.e., unblock all blocked connections), you would type:

# fw sam ?D

Audit Mode

A new feature in NG is the ability to see exactly what administrators do in the various SmartConsole applications. The most detail is shown for SmartDashboard/Policy Editor because that is where the most changes can be made. For the other GUIs, you will see when administrators log in or out only. Figure 5.10 shows a sample of Audit mode. Table 5.13 explains the fields you will see in this view.

Figure 5.10. SmartView Tracker, Audit mode

graphics/05fig10.jpg

Table 5.13. SmartView Tracker Entries in Audit mode

Entry

Description

No.

The log entry number

Date

The date the log entry was generated

Time

The time the log entry was generated

Origin

The management module that generated the log entry

Application

The product for which this log entry is relevant

Operation

The event that is being logged (Logged in, Logged out, Create, Update, Install Policy)

Object Name

The object that was acted upon, if relevant

Changes

The changes that occurred to this object in detail

Administrator

The administrative user making the change

General Information

Other relevant information (e.g., user logged in, which policy was loaded)