
Check Point NGX Eventia Reporter User Guide

Date post: 05-Apr-2018
Upload: hemrsud
  • 7/31/2019 Check Point NGX Eventia Reporter User Guide


    Eventia Reporter

    NGX (R60)

    For additional technical information about Check Point products, consult Check Point's SecureKnowledge at:

    https://secureknowledge.checkpoint.com

    See the latest version of this document in the User Center at:

    http://www.checkpoint.com/support/technical/documents/docs_r60.html

    Part No.: 701312

    May 2005


    Check Point Software Technologies Ltd.

    U.S. Headquarters: 800 Bridge Parkway, Redwood City, CA 94065, Tel: (650) 628-2000 Fax: (650) 654-4233, [email protected]

    Headquarters: 3A Jabotinsky Street, Ramat Gan, 52520, Israel, Tel: 972-3-753 4555 Fax: 972-3-575 9256, http://www.checkpoint.com

    © 2003-2005 Check Point Software Technologies Ltd.


    Table of Contents

    Chapter 1 Getting Started

    Installing Eventia Reporter
    Overview
    Standalone Installation
    Distributed Installation
    Installing Eventia Reporter with Provider-1/SiteManager-1 MDS
    Starting Eventia Reporter
    Licenses

    Chapter 2 Eventia Reporter

    The Need for Reports
    Eventia Reporter Solution
    Some Basic Concepts and Terminology
    Eventia Reporter Overview
    Log Consolidation Process
    Eventia Reporter Standard Reports
    Eventia Reporter Express Reports
    Predefined Reports
    Eventia Reporter Considerations
    Standalone vs. Distributed Deployment
    Log Availability vs. Log Storage and Processing
    Log Consolidation Phase Considerations
    Report Generation Phase Considerations
    Eventia Reporter Database Management

    Chapter 3 How To

    Quick Start
    How to Generate a Report
    How to Customize a Report
    How to View and Collect Information about the Status of Report Generation
    How to Start and Stop the Log Consolidator Engine
    How to Configure Consolidation Settings and Sessions
    How to Export and Import Database Tables
    How to Configure Database Maintenance Properties
    Eventia Reporter Instructions
    Required Security Policy Configuration
    Express Reports Configuration
    Using Accounting Information in Reports
    Report Output Location
    Additional Settings for Report Generation
    Generating Reports using the Command Line
    How to Generate Reports based on Log Files that are not part of the Log File Sequence
    How to Schedule Generations of the Same Report using Different Settings (a Different Output or Style)
    How to Recover the Eventia Reporter Database
    How to Interpret Report Results whose Direction is Other
    How to View Report Results without the Eventia Reporter Client
    How to Upload Reports to a Web Server
    How to Upload Reports to an FTP Server
    How to Distribute Reports with a Custom Report Distribution Script
    How to Improve Performance
    Consolidation Policy Configuration

    Chapter 4 Troubleshooting

    Chapter 5 Out_of_the_box Consolidation Policy

    Chapter 6 Predefined Reports

    Security Reports
    Network Activity Reports
    VPN-1 Pro Reports
    System Information Reports
    InterSpect
    Firewall-1 GX Reports
    My Reports

    CHAPTER 1

    Getting Started

    In This Chapter

    Installing Eventia Reporter
    Starting Eventia Reporter
    Licenses

    Installing Eventia Reporter

    In This Section

    Overview
    Standalone Installation
    Distributed Installation
    Installing Eventia Reporter with Provider-1/SiteManager-1 MDS

    Overview

    Eventia Reporter can be installed in either a Standalone installation or a Distributed installation:

    SmartCenter Standalone installation - Eventia Reporter is installed on the SmartCenter Server machine.

    SmartCenter Distributed installation - Eventia Reporter is installed on a machine dedicated to reporting purposes. In addition, the Eventia Reporter Add-On is installed on the SmartCenter Server or a Provider-1/SiteManager-1 machine. The add-on contains data files with report definitions.

    A distributed installation requires establishing Secure Internal Communication (SIC) between the two machines. The distributed installation is recommended, since it provides better performance.

    Performance Tips

    To maximize the performance of your Eventia Reporter Server, follow these guidelines:

    Hardware Recommendations for SmartCenter and Provider-1/SiteManager-1

    Use a computer that matches the minimum hardware requirements, as specified in the Release Notes at:

    http://www.checkpoint.com/techsupport/downloads.jsp

    Configure the network connection between the Eventia Reporter Server machine and the SmartCenter, or the Log server, to the optimal speed.

    Use the fastest disk available with the highest RPM (Revolutions per Minute) and a large buffer size.

    Adjust the database configuration file and consolidation memory buffers to use the additional memory.

    Increase the database and log disk size (for example, several gigabytes) to enable the Eventia Reporter to cache information for better report generation performance. If a report requires additional space for caching, it will be noted in the report's Generation Information section. The Generation Information section can be found in Appendix A > View generation information of the report result.

    Installation

    Choose a distributed configuration, dedicating a computer to Consolidation and Report generation operations only.

    Supported Platforms

    Windows, Solaris and Linux platforms support both standalone and distributed installations.

    Nokia platforms support only Eventia Reporter Add-On Installation in a distributed configuration.

    Note - If you expect Eventia Reporter to read logs from a distributed log server, the database must be installed on the log server after the Eventia Reporter installation is complete.
    Standalone Installation

    In This Section

    Windows Platform
    Solaris / Linux Platform
    SecurePlatform

    Windows Platform

    1 In order to begin the installation, log in as an Administrator and launch the Wrapper by double-clicking on the setup executable.

    2 Select the products that you would like to install (see Figure 1-1). The following components represent the minimum standalone component requirements for Eventia Reporter:

    SmartCenter
    SmartConsole
    Eventia Reporter

  • 7/31/2019 Checkpoint NGX Even Ti Are Porter User Guide

    12/96

    Installing Eventia Reporter

    12

    FIGURE 1-1 Standalone Deployment - for Windows

    Depending on the components that you have chosen to install, you may need to take additional steps before reaching step 3.

    3 Verify the default directory, or browse to a new location in which Eventia Reporter will be installed.

    4 Select Local Eventia Reporter Installation in order to install Eventia Reporter on the local machine.

    5 Verify the default directory, or browse to a new location in which the output files created by Eventia Reporter will be generated.

    Click Next and reboot the machine in order to complete the installation of the Eventia Reporter and to continue with the next phase of the installation.

    6 Launch SmartDashboard.

    7 Install the Security Policy (Policy > Install) or install the database (Policy > Install Database) in order to make the Eventia Reporter fully functional.


    Solaris / Linux Platform

    1 In order to begin the installation, mount the CD on the relevant subdirectory and launch the wrapper as follows:

    2 In the mounted directory, run the script: UnixInstallScript.

    3 Read the End-User License Agreement (EULA) and, if you accept, click Yes.

    4 Select whether you would like to perform an upgrade or create a new installation.

    5 Continue from step 2 on page 11 in order to complete the process.

    SecurePlatform

    1 After you install SecurePlatform from the CD, select the Eventia Reporter product from cpconfig or from the SecurePlatform Web GUI.

    2 Select whether you would like to perform an upgrade or create a new installation.

    3 Continue from step 2 on page 11 in order to complete the process.

    Distributed Installation

    In a distributed installation, Eventia Reporter is installed on a different machine from the SmartCenter server.

    In This Section

    Windows Platform

    Solaris / Linux / SecurePlatform

    Nokia IPSO

    Windows Platform

    This installation process consists of three phases:

    Install Eventia Reporter

    Install SmartCenter and the Eventia Reporter Add-On

    Prepare Eventia Reporter in SmartCenter


    Phase 1 - Installing the Eventia Reporter

    1 Select Eventia Reporter and SmartConsole (optionally) for installation.

    FIGURE 1-2 Distributed deployment - for Windows

    Depending on the components that you have chosen to install, you may need to take additional steps (such as installing other components and/or license management) before reaching step 2.

    2 Verify the default directory, or browse to a new location in which Eventia Reporter will be installed.

    3 Select a folder in which the output files created by Eventia Reporter will be generated.

    Depending on the components that you have chosen to install, you may need to take additional steps before reaching step 4.

    Note - Although SmartConsole does not have to be installed on this machine, if it is, you have direct UI access to the SmartCenter server from this machine, thereby simplifying the final installation steps.


    4 Enter the Activation Key in the specified fields. Remember the key; you will need to enter it at a later stage.

    Click Finish in order to complete the installation of the Eventia Reporter.

    FIGURE 1-3 SIC activation

    Phase 2 - Installing SmartCenter and the Eventia Reporter Add-On

    SmartCenter installation is described in the Getting Started guide. Only the portion that is related to Eventia Reporter is discussed in this section.

    5 Install the SmartCenter server on a separate machine by selecting SmartCenter, and select Eventia Reporter so that the Eventia Reporter Add-on is also installed during the SmartCenter installation.


    FIGURE 1-4 Installing SmartCenter and the Eventia Reporter Add-On on a Windows Platform

    6 During the SmartCenter installation a window is displayed in which you will be prompted to select the Eventia Reporter Setup Type. Select Eventia Reporter SmartCenter Add-on so that SmartCenter can connect to the distributed Eventia Reporter.

    7 Reboot the machine in order to complete the installation.

    Phase 3 - Preparing Eventia Reporter in SmartCenter

    8 Launch SmartDashboard. (SmartDashboard is installed during the SmartConsole installation).

    9 Create a new host for the Eventia Reporter machine.

    Note - If SmartCenter and Eventia Reporter are installed on either side of a firewall, a rule needs to be added in the firewall to enable SIC communication.


    FIGURE 1-5 Create New Eventia Reporter Host

    10 In the General Properties window, select Eventia Reporter. Then click the Communication button.

    FIGURE 1-6 Selecting the Reporter Property

    11 Enter the Activation Key that was created in step 4 during the Eventia Reporter installation.

    12 After activating the Eventia Reporter host, install the Security Policy (Policy > Install) or install the database (Policy > Install Database) in order to make the Eventia Reporter fully functional.

    FIGURE 1-7 Enter the Activation Key

    Solaris / Linux / SecurePlatform

    This installation process consists of three phases:

    Install the Eventia Reporter

    Install SmartCenter and the Eventia Reporter Add-On

    Preparing Eventia Reporter in SmartCenter

    Phase 1 - Installing the Eventia Reporter

    1 Select Eventia Reporter and SmartConsole (optionally) for installation.

    FIGURE 1-8 Standalone Deployment - for Solaris

    Depending on the components that you have chosen to install, you may need to take additional steps before reaching step 3.

    2 Select a folder in which the output files created by Eventia Reporter will be generated.

    FIGURE 1-9 Solaris - default directory

    Depending on the components that you have chosen to install, you may need to take additional steps before reaching step 3.

    3 Enter the Activation Key in the specified fields. Remember the key; you will need to enter it at a later stage.

    Enter Finish to complete the installation of the Eventia Reporter.

    FIGURE 1-10 Solaris Activation Key

    4 In order to complete the installation, continue from "Phase 2 - Installing SmartCenter and the Eventia Reporter Add-On" on page 15.

    Nokia IPSO

    Nokia IPSO only supports Eventia Reporter Add-On. For details on installing the Eventia Reporter machine, refer to "Phase 1 - Installing the Eventia Reporter" on page 14.

    Installing the SmartCenter Machine and the Eventia Reporter Add-On

    SmartCenter installation is described in its own document. Only the portion that is

    related to Eventia Reporter is discussed here.

    1 After installing Check Point IPSO packages, reboot the machine and run cpconfig.

    Note - Although the interface is different, the installation process performed on a Windows

    platform is the same as the installation process performed on a Solaris platform.


    FIGURE 1-11 Installing Check Point IPSO Packages

    2 Log in to IPSO Voyager from a web browser.

    FIGURE 1-12 Login to Voyager

    3 Select Config to enter the Voyager Configuration screen.


    FIGURE 1-13 Click Config to enter the Configuration screen.

    4 In the Configuration screen, select Manage Installed Packages.


    FIGURE 1-14 Select Manage Installed Packages

    5 Make sure that Eventia Reporter NGX R60 (and any other relevant packages) are set to On and click Apply.

    FIGURE 1-15 Activate Eventia Reporter and other relevant packages

    6 After clicking Apply, click Save.

    7 From a command line terminal to the IPSO machine:

    Log out and then log in to the system.

    Run rmdstart.

    8 Reboot the machine.

    9 In order to complete the installation, continue from "Phase 3 - Preparing Eventia Reporter in SmartCenter" on page 16.

    Installing Eventia Reporter with Provider-1/SiteManager-1 MDS

    To expand the reporting abilities of Provider-1, Eventia Reporter can be produced for customer modules (version NGX R60).

    Phase 1: Installing the Eventia Reporter

    1 Install Eventia Reporter Server from the Check Point NGX R60 CD on a dedicated machine different from the MDS. (This is a distributed installation). Refer to "Distributed Installation" on page 13.

    Phase 2 - Installing Eventia Reporter Add-On on Provider-1/SiteManager-1 MDS

    2 Install a complementary package (the Eventia Reporter Add-on) on an MDS. To do so, run SVRSetup (the SVR installation script for Provider-1), using the following commands:

    cd $MDSDIR/scripts

    ./SVRSetup install

    3 In a multi-MDS environment, the Eventia Reporter Add-on should be installed on the same MDS that issued the certificate for the Eventia Reporter Server. The Eventia Reporter Client should also connect to this MDS.

    4 The SVRSetup installation script will ask if you want to stop the MDS. Answer yes.

    5 After the installation script is finished, the SVRSetup installation script will ask if you want to start the MDS. Answer yes.

    Phase 3 - Preparing Eventia Reporter in Provider-1/SiteManager-1 MDS

    6 From the MDG, open the Global Policy SmartDashboard, and create a new Check Point host. Define it as the Eventia Reporter Server object. It will represent the Eventia Reporter Server installed in step 1.

    7 Establish SIC between the MDS and Eventia Reporter Server.

    8 Click Save.


    9 Eventia Reporter Server can connect to the CMA only after the Global Policy is assigned to the customer, and the Global Eventia Reporter object appears in the CMA database.

    a) Select Global Policies.

    b) Right-click the relevant customer.

    c) Select Assign/Install Global Policy....

    d) Select the relevant policy.

    e) Click OK.

    10 Install the database on each log server to allow Eventia Reporter to read its logs:

    a) Select General.

    b) Right-click the relevant log servers and launch SmartDashboard.

    c) In SmartDashboard select Policy > Install Database....

    11 Define the machine that runs Eventia Reporter client as a Provider-1 GUI client.

    12 Launch the Eventia Reporter Client via the MDG.

    a) In Provider-1 select General > Manage > Launch Eventia Reporter....

    13 Define Log Consolidation sessions.

    Note - If the Customer is set to "Assign only Global Objects that are used in the assigned Global Policy" (the selective assignment mode of Global objects), then the Eventia Reporter Server object should be referred to in the Global Policy assigned.


    Starting Eventia Reporter

    To start Eventia Reporter, proceed as follows:

    1 Launch the Eventia Reporter Client (FIGURE 1-16).

    FIGURE 1-16 Eventia Reporter Client Report View

    2 Display the Management Selection Bar view and verify that logs are indeed being consolidated and saved to the Eventia Reporter Database if consolidation is being performed.

    FIGURE 1-17 Eventia Reporter Client Management View - Consolidation

    The status "processing logs" indicates that the log consolidator is working properly. If you do not see anything in this screen, proceed to defining a consolidation session, as explained in "How to Configure Consolidation Settings and Sessions" on page 59.

    FIGURE 1-18 Eventia Reporter Client Management View - Database Maintenance

    3 Go back to the Reports view (FIGURE 1-16 on page 27) and ensure that you select the database tables for which to generate the report, as well as a report time frame. Then generate the Network Activity report by selecting it in the Report Tree and clicking in the toolbar.

    4 To follow the progress of the report generation, display the Results view.

    After a brief delay, the Network Activity report result is displayed through your browser (FIGURE 1-19 on page 30). You may get an empty report if the consolidator did not commit any data into the database yet. It may take up to an hour before you can first see results in the reports you produce.

    FIGURE 1-19 Example Standard Network Activity Report Result

    5 Click a section title to view the results in question. The section's results are displayed in either a graph unit, a table unit or both types of units.

    FIGURE 1-20 on page 31 shows example results of section 2, Network Activity by Date, in both a graph unit and a table unit.

    FIGURE 1-20 Example Standard Network Activity by Date Section Graph and Table Formats

    Licenses

    Licenses are installed on the SmartCenter/MDS Server on a per gateway basis and a per CMA basis.

    When the license is installed on a per gateway basis, the user must select the gateways for which reports are generated. With Provider-1, select the customers instead of the gateways.

    If you have three gateways and you buy three licenses you do not have to select the gateways because the system knows that you only have three.

    But, if you have 4 gateways and three licenses you have to choose the gateways to which each license belongs.

    Up to 5 VPN-1 Edge devices are considered a single gateway. Beyond 5, each VPN-1 Edge gateway is counted as an individual gateway.

    CHAPTER 2

    Eventia Reporter

    In This Chapter

    The Need for Reports

    Eventia Reporter Solution

    Eventia Reporter Considerations

    Eventia Reporter Database Management

    The Need for Reports

    To manage your network effectively and to make informed decisions, you need to gather information on the network's traffic patterns. There is a wide range of issues you may need to address, depending on your organization's specific needs:

    As a Check Point customer, you may wish to check if your expectations of the products are indeed met.

    From a security point of view, you may be looking for suspicious activities, illegal services, blocked connections or events that generated alerts.

    As a system administrator, you may wish to sort the Security Policy based on how often each Rule is matched, and delete obsolete Rules that are never matched.

    You may be looking for general network activity information, for purposes such as capacity planning.

    From the corporate identity and values perspective, you may want to ensure your employees' surfing (such as the web sites they access) complies with your company's policy.

    From a sales and marketing point of view, you may wish to identify the most and the least visited pages on your website or your most and least active customers.

    To address these issues, you need an efficient tool for gathering the relevant information and displaying it in a clear, accurate format.

    Eventia Reporter Solution

    In This Section

    Some Basic Concepts and Terminology

    Eventia Reporter Overview

    Log Consolidation Process

    Eventia Reporter Standard Reports

    Predefined Reports

    Some Basic Concepts and Terminology

    Automatic Maintenance - the process of automatically deleting and/or archiving older database records into a backup file.

    Consolidation - the process of reading logs, combining instances with the same key information to compress data and writing it to the database.

    Consolidation Policy - the rules to determine which logs the consolidator will accept and how to consolidate them. We recommend that you use the out-of-the-box policy without change.

    Consolidation Session - an instance of the consolidation process. There can be one active session for every log server.

    Express Reports - reports based on the SmartView Monitor counters and the Activity Log. These reports are not as flexible as standard reports but are generated quickly.

    Log Sequence - the series of log files as specified by fw.logtrack. When a log switch is performed, the log file is recorded in the sequence of files. The log consolidator can follow this sequence.

    Report - a high-level view of combined log information that provides meaning to users. Reports are comprised of sections.

    Standard Reports - reports based on consolidated logs.

    $RTDIR - the installation directory of the Eventia Reporter.

    Eventia Reporter Overview

    Check Point Eventia Reporter delivers a user-friendly solution for monitoring and auditing traffic. You can generate detailed or summarized reports in the format of your choice (list, vertical bar, pie chart etc.) for all events logged by Check Point VPN-1 Pro, SecureClient and SmartDefense.

    Eventia Reporter implements a Consolidation Policy, which goes over your original, raw log file. It compresses similar events and writes the compressed list of events into a relational database (the Eventia Reporter Database). This smart database enables quick and efficient generation of a wide range of reports. The Eventia Reporter solution provides a balance between keeping the smallest report database possible and retaining the most vital information with the most flexibility.

    A Consolidation Policy is similar to a Security Policy in terms of its structure and management. For example, both Rule Bases are defined through the SmartDashboard's Rules menu and use the same network objects. In addition, just as Security Rules determine whether to allow or deny the connections that match them, Consolidation Rules determine whether to store or ignore the logs that match them. The key difference is that a Consolidation Policy is based on logs, as opposed to connections, and has no bearing on security issues.

    FIGURE 2-1 illustrates the Consolidation process, defined by the Consolidation Policy. After the VPN-1 Pro Modules send their logs to the SmartCenter Server, the Log Consolidator Engine collects them, scans them, filters out fields defined as irrelevant, merges records defined as similar and saves them to the Eventia Reporter Database.

    FIGURE 2-1 Log Consolidation Process

    The Eventia Reporter Server can then extract the consolidated records matching a specific report definition from the Eventia Reporter Database and present them in a report layout (FIGURE 2-2):

    FIGURE 2-2 Report Generation Process

    Two types of reports can be created: Standard Reports and Express Reports. The Standard Reports are generated from information in log files through the Consolidation process to yield relevant analysis of activity. Express Reports are generated from SmartView Monitor History files and are produced much more quickly.

    Eventia Reporter Standard Reports are supported by two Clients:

    SmartDashboard Log Consolidator - manages the Log Consolidation rules.

    Eventia Reporter Client - generates and manages reports.

    FIGURE 2-3 illustrates the Eventia Reporter architecture for Standard Reports:

    FIGURE 2-3 Eventia Reporter Standard Report Architecture

    The interaction between the Eventia Reporter Client and Server components applies both to a distributed installation (as shown in FIGURE 2-3), where the SmartCenter Server and Eventia Reporter's Server components are installed on two different machines, and to a standalone installation, in which these products are installed on the same machine.

    Log Consolidation Process

    It is recommended to use the SmartView Log Consolidator's predefined Consolidation Policy (the out_of_the_box Policy), designed to filter out irrelevant logs and store the most commonly requested ones (such as blocked connection, alert or web activity logs).

    The Log Consolidator Engine scans the Consolidation Rules sequentially and processes each log according to the first Rule it matches.

    FIGURE 2-4 illustrates how the Consolidation Policy processes logs: when a log matches a Consolidation Rule, it is either ignored or stored. If it is ignored, no record of this log is saved in the Eventia Reporter system, so its data is not available for report generation. If it is stored, it is either saved as is (so all log fields can later be represented in reports), or consolidated to the level specified by the Rule.

    FIGURE 2-4 Log Process Chart

    The Consolidation is performed on two levels: the interval at which the log was created and the log fields whose original values should be retained. When several logs matching a specific Rule are recorded within a predefined interval, the values of their relevant fields are saved as is, while the values of their irrelevant fields are merged (that is, consolidated) together.

    TABLE 2-1 provides a Consolidation example, where three logs of approved NTP connections match the same Consolidation Rule (NTP is a time protocol that provides access over the Internet to systems with precise clocks).

    The Rule's store options specify that logs generated within a one hour interval should be consolidated into a single record, as long as they share the same values for four fields of interest: destination, interface, Rule name and QoS class. The values of all other fields are either integrated into their shared value (for example, the shared Rule Number value, 1), or replaced with the term "consolidated" (for example, the different Source values). The consolidated record includes a connection number column, noting

    how many logs it represents (in this case, 3).
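
    The first-match rule scan and the TABLE 2-1 consolidation described above, as an added Python sketch that is not Check Point's code. The rule layout, field names, the two extra rules, the three extra log entries and the date are constructed assumptions; a log that matches no rule is assumed not to be stored, and the consolidated record is assumed to carry the start time of its interval.

```python
from datetime import datetime, timedelta

CONSOLIDATED = "Consolidated"

# Constructed rule base (hypothetical names and layout, not the product's
# out_of_the_box policy). Rules are scanned in order; the first match wins.
RULES = [
    {"name": "ignore-netbios", "action": "ignore",
     "match": lambda log: log["service"] == "nbname"},
    {"name": "blocked", "action": "as_is",
     "match": lambda log: log["fw_action"] == "drop"},
    {"name": "ntp-hourly", "action": "consolidate",
     "match": lambda log: log["service"] == "ntp",
     "interval": timedelta(hours=1),
     "keep": ("dest", "iface", "rule_name", "qos_class")},
]


def first_matching_rule(log, rules):
    """Return the first rule whose condition the log satisfies, or None."""
    for rule in rules:
        if rule["match"](log):
            return rule
    return None


def interval_start(ts, interval):
    """Round a timestamp down to the start of its consolidation interval."""
    epoch = datetime(1970, 1, 1)
    return epoch + ((ts - epoch) // interval) * interval


def consolidate(logs, rules):
    """Apply the rules to each log and return the records that are stored."""
    as_is, merged = [], {}
    for log in logs:
        rule = first_matching_rule(log, rules)
        # Assumption: a log that matches no rule is not stored.
        if rule is None or rule["action"] == "ignore":
            continue
        if rule["action"] == "as_is":
            as_is.append(dict(log, conn_no=1))  # every field kept unchanged
            continue
        start = interval_start(log["time"], rule["interval"])
        key = (rule["name"], start) + tuple(log[f] for f in rule["keep"])
        record = merged.get(key)
        if record is None:
            # First log of this group; the record carries the interval start.
            merged[key] = dict(log, time=start, conn_no=1)
            continue
        record["conn_no"] += 1
        for field, value in log.items():
            if field == "time" or field in rule["keep"]:
                continue
            # Identical values stay as the shared value; differing values
            # are replaced with the "Consolidated" marker.
            if record.get(field) != value:
                record[field] = CONSOLIDATED
    return as_is + list(merged.values())


def make_log(hhmm, source, service="ntp", fw_action="accept"):
    """Build one constructed log entry using the shared TABLE 2-1 values."""
    hour, minute = map(int, hhmm.split(":"))
    return {"time": datetime(2005, 5, 1, hour, minute), "source": source,
            "dest": "172.0.0.1", "iface": "hme0", "rule_name": "NYC",
            "rule_no": 1, "qos_class": "Gold", "service": service,
            "fw_action": fw_action}


# Constructed sample input: the three TABLE 2-1 logs plus three extra entries.
SAMPLE_LOGS = [
    make_log("10:00", "10.1.3.29"),
    make_log("10:10", "10.9.9.9", service="nbname"),   # ignored by rule 1
    make_log("10:25", "10.15.2.52"),
    make_log("10:40", "10.7.7.7", service="telnet", fw_action="drop"),  # as is
    make_log("10:59", "10.56.60.4"),
    make_log("11:05", "10.1.3.29"),                    # falls in next interval
]

if __name__ == "__main__":
    for rec in consolidate(SAMPLE_LOGS, RULES):
        print(rec["time"].strftime("%H:%M"), rec["source"], rec["dest"],
              rec["rule_no"], rec["conn_no"])
```

    The log at 11:05 shares all four key fields with the earlier NTP logs but lands in a separate record, which is why a report on one source address can no longer be produced from the 10:00 record once its Source values have been merged.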

    How to interpret Computer names in DHCP enabled networks

    In DHCP, address mapping is used. Assuming the DNS knows how to resolve dynamic addresses, the information you see in the report reflects the correct resolving results for the time the reported log events have been processed by the SmartDashboard Log Consolidator and inserted into the database.

    Because of the dynamic nature of DHCP address distribution, there is no guarantee that consolidation of old log files will produce correct address name resolving.

    When DHCP is in use, consolidating log files close to the time of their creation will improve address-resolving accuracy.

    Eventia Reporter Standard Reports

    The Log Consolidation process results in a database of the most useful, relevant records, known as the Eventia Reporter Database. The information is consolidated to an optimal level, balancing the need for data availability with the need for fast and efficient report generation.

    Reports are generated based on a single database table, specified in the Reports view > Standard Reports > Input tab. By default, all consolidated records are saved to the CONNECTIONS table and all reports use it as their data source. However, each time you create a new consolidation session, you have the option of storing records in a different table.

    TABLE 2-1 Consolidation Example

    Record        Time   Source        Dest.      I-face  Rule Name  Rule No.  Class  Conn No.
    Log 1         10:00  10.1.3.29     172.0.0.1  hme0    NYC        1         Gold
    Log 2         10:25  10.15.2.52    172.0.0.1  hme0    NYC        1         Gold
    Log 3         10:59  10.56.60.4    172.0.0.1  hme0    NYC        1         Gold
    Cons. Record  10:00  Consolidated  172.0.0.1  hme0    NYC        1         Gold   3

    Dividing the consolidated records between different tables allows you to set the Eventia Reporter Client to use the table most relevant to your query, thereby improving the Eventia Reporter Server's performance. In addition, dividing records between tables facilitates managing the Eventia Reporter Database: you can delete outdated tables, export tables you are not currently using to a location outside of the Eventia Reporter Database and import them back when you need them.

    Eventia Reporter Express Reports

    Express Reports are based on data collected by Check Point system counters and SmartView Monitor History files. Standard Reports, in contrast, are based on Log Consolidator logs. Because Express Reports present historical data, they cannot be filtered, but they can be generated at a faster rate.

    Eventia Reporter Express Reports are supported by one Client, the Eventia Reporter.

    To configure your system to generate Express Reports, see "Express Reports Configuration" on page 66.

    FIGURE 2-4 illustrates the Eventia Reporter architecture for Express Network Reports:

    FIGURE 2-5 Eventia Reporter Express Report Architecture

    Predefined Reports

    The Eventia Reporter Client offers a wide selection of predefined reports for both

    Standard and Express reporting, designed to cover the most common network queries

    from a variety of perspectives.

    Report Subjects

    The reports are grouped by the following subjects, allowing you to easily locate the one you need:

    Security (Standard, Express) - this subject includes reports that allow you to focus on all security-related traffic in your network. For example, you can inspect connections whose origin or destination is the VPN-1 Pro gateway, monitor security attacks detected by SmartDefense, or analyze blocked connections and VPN-1 Pro gateway alerts.

    In addition, you can detect Policy Installations and analyze the Rule Base order on a specific gateway. Identifying the top matched rules versus the least matched rules allows you to sort the Security Policy in the most efficient way.

    Network Activity (Standard, Express) - this subject includes reports that enable you to analyze the most popular activities in your network. You can examine your network activity as a whole or focus on a specific direction (incoming, outgoing or internal) or activity type (web, ftp or Email). For example, to study network traffic inside your organization, you can investigate how your web servers, mail servers and VPN-1 Pro gateways handle the network load; see which services use most of the available bandwidth; and find out what the most popular web sites are. You can detect illegal network traffic, such as connections to banned web sites or use of prohibited services. To examine the network usage by external sources, you can explore which sources access the corporate web site, how often and for how long.

    A report dedicated to VPN-1 Pro gateway activity allows you to identify its top services, sources and destinations. The records are organized both by their direction and by the action taken by the VPN-1 Pro gateway. In addition, you can follow the VPN-1 Pro gateway activity's distribution over various time frames (your working hours, week days and the selected date range).

    VPN-1 (Standard, Express) - this subject includes reports that allow you to analyze various aspects of your encrypted traffic, such as its distribution over time, the top services or sources, etc. You can examine your VPN-1 Pro activity as a whole, or focus on a specific VPN Tunnel or VPN Community.

    System Information (Express) - this subject includes reports that allow you to analyze various aspects of system load and operational activity, including CPU usage, kernel usage, and memory usage.

    Firewall-1 GX - contains predefined reports that allow you to analyze various aspects of the Firewall-1 GX product.

    My Reports (Standard, Express) - select predefined reports and customize them to your needs.

    For descriptions of each predefined report available, see "Predefined Reports" on page 87.

    Report Structure

    Each report consists of a collection of sub-topics known as sections, which cover various aspects of the report. For example, the User Activity report consists of sections such as User Activity by Date, Top Users, Top Services for User Related Traffic, etc.

    Customizing Predefined Reports

    If you have a specific query that is not directly addressed by the predefined reports,

    you can easily customize the report that is closest to your needs (by changing its date range, filters etc.) to provide the desired information. Changing the filters of a

    predefined report constitutes a change in the nature of the report and the report must

    therefore be saved in a different location or under a different name. You can save the customized report under a different name in the report subject dedicated to

    user-defined reports, My Reports.


    Eventia Reporter Considerations


    In This Section

    Standalone vs. Distributed Deployment

    Log Availability vs. Log Storage and Processing

    Log Consolidation Phase Considerations

    Report Generation Phase Considerations

    Eventia Reporter's default options have been designed to address the most common

    reporting needs. However, to maximize the product's benefits, it is recommended that you adapt it to your specific profile. This section describes the considerations you should take into account before starting to use Eventia Reporter.

    Standalone vs. Distributed Deployment

    In a standalone deployment, all Eventia Reporter server components (the Log Consolidator Engine, the Eventia Reporter Database and the Eventia Reporter server)

    are installed on the Check Point SmartCenter Server machine. In a distributed

    deployment, the Eventia Reporter server components and the SmartCenter Server are installed on two different machines. They communicate through standard Check Point

    protocols such as LEA and CPMI machines, and through a special Log Consolidator

    Add-On installed on the SmartCenter Server.

    The standalone deployment spares you a dedicated machine for the Eventia

    Reporter, but the distributed deployment significantly improves your system's performance.

    Log Availability vs. Log Storage and Processing

    Since all Eventia Reporter operations are performed on the logs you have saved, the

    extent to which you can benefit from this product depends on the quality of the available logs. Therefore, you must ensure your Security Policy is indeed tracking

    (logging) all events you may later wish to see in your reports.

    In addition, you should consider how accurately your logs represent your network

    activity. If only some of your Rules are tracking events that match them, the events' proportion in your reports will be distorted. For example, if only the blocked

    connections Rule is generating logs, the reports will give you the false impression that

    100% of the activity in your network consisted of blocked connections.

    On the other hand, tracking multiple connections results in an inflated log file, which

    not only requires more storage space and additional management operations, but

    significantly slows down the Consolidation process.

    Log Consolidation Phase Considerations

    Record Availability vs. Database Size

    Reports are a direct reflection of the records stored in the Eventia Reporter Database.

    To generate detailed, wide-ranging and accurate reports, the corresponding data must be available in the database.

    However, effective database management requires keeping the database table size from growing too large. As the consolidated records accumulate in the database, the tables where they are saved may become quite large. The data gradually approaches the disk

    space limit, using more and more memory and slowing down the Eventia Reporter

    processes (especially the data retrieval for report generation). Refer to "Automatically Maintaining the Size of the Database" on page 51 for additional information on how

    Eventia Reporter tackles database management.

    Carefully consider which logs you wish to store, and to what extent you wish to

    consolidate them.

    Note - You cannot lower the maximum size of the database.

    Saving Consolidated Records to One vs. Multiple Database Tables

    A report is generated based on a single table. If you save all consolidated records to the

    same table, all the data is readily accessible and you are saved the trouble of moving records between tables and selecting the appropriate source table for each report you

    wish to generate.

    Dividing the records between different tables reduces the report generation time and

    allows you to maintain a useful database size by exporting tables you are not currently using to an external location.

    High Availability

    Eventia Reporter supports SmartCenter High Availability.

    In High Availability the Active SmartCenter Server (Active SCS) always has one or

    more backup Standby SmartCenter Servers (Standby SCS) that are ready to take over

    from the Active SmartCenter Server. These SmartCenter Servers must all be of the

    same Operating System (for instance, all Windows NT), but do not have to be of the

    same version. The existence of the Standby SCS allows for crucial backups to be in

    place:

    for the SmartCenter Server - the various databases in the corporate organization, such as the database of objects and users, policy information and ICA files are

    stored on both the Standby SCSs as well as the Active SCS. These SmartCenter

    Servers are synchronized so data is maintained and ready to be used. If the Active SCS is down a Standby SCS needs to become Active in order to be able to edit and

    install the Security Policy.

    for the module - certain operations that are performed by the modules via the Active SCS, such as fetching a Security Policy, or retrieving a CRL from the SmartCenter Server, can be performed on Standby SCS.

    In a High Availability deployment the first installed SmartCenter Server is specified as

    the Primary SmartCenter Server. This is a regular SmartCenter Server used by the system administrator to manage the Security Policy. When any subsequent SmartCenter

    Server is installed, it must be specified as a Secondary SmartCenter Server. Once the Secondary SmartCenter Server has been installed and manually synchronized, the

    distinction between Primary and Secondary is no longer significant. These servers are now referred to according to their role in the Management High Availability scenario as Active or Standby, where any SmartCenter Server can function as the Active

    SCS.

    When changes are made to report definitions (including report schedules), consolidation sessions and their settings, automatic maintenance configuration and

    report configuration, the information is stored in the active SmartCenter Server and

    will be synchronized to the secondary SmartCenter Server when a user synchronizes the SmartCenter Servers.

    The report generation results are not synchronized between SmartCenter Servers. For

    instance, when Eventia Reporter generates a report connected to SmartCenter Server A, a record of its generation will be stored in SmartCenter Server A. When Eventia

    Reporter generates a report connected to SmartCenter Server B, a record of its

    generation will be stored in SmartCenter Server B. The Activity Log in SmartCenter A

    will not be visible in SmartCenter B and vice versa. However, even though the Activity Log in the inactive SmartCenter Server A is not visible, it is still possible to connect to

    the inactive SmartCenter Server A in read-only mode to access the report generations that are not visible in SmartCenter Server B.

    Report Generation Phase Considerations

    Adapting the Report's Detail Level to your Needs

    When a report is very detailed, it may become difficult to sort out the most significant results and understand it. To get the right level

    of detail in your reports, closely examine the report's date range, filters (source,

    destination, service etc.) and filter values, and adjust them to pinpoint details.

    Generating only selected sections

    By default, all report sections are included in the report generation. However, to get

    results faster and improve your machine's performance, you can generate only selected sections (by unchecking all others in the Content tab).

    Scheduling Reports

    The Schedule feature allows you to set both delayed and periodic report generations.

    If you wish to produce a detailed and lengthy report, you should consider postponing

    its generation and scheduling it so that it does not run at a time of peak log creation

    activity, since such a report generation might slow down your system.

    In addition, it is useful to identify the reports you require on a regular basis (for

    example, a daily alerts report or a monthly user activity report) and schedule their periodic generations.

    Report Filters

    Reports are based on records of the most commonly required filters (for example,

    Source, Destination etc.). Specifying the appropriate filter settings is the key to extracting the information you are looking for.

    For each filter you choose, specify the values (for example, network objects, services

    etc.) to be matched out of all values available for that filter. The available values are taken from the SmartCenter Server and are refreshed on a regular basis. If you cannot

    see a value you have added through SmartDashboard in the available values list, refresh

    the list by selecting a different filter and then return to the previous one.

    The Eventia Reporter Client also allows you to include additional objects, by manually

    adding them to the matched values list.

    Filters and their values can be specified on the report level and on its section level

    (Content tab). The report level settings are enforced on the section level as well (for example, if you choose to include specific sources in the report, these sources will also

    be included in its section). If you set a specific section level filter and then choose a

    different report level filter, the latter overrides the former.

    Report output (display, Email, file, printer etc.).

    All report results are displayed on your screen and saved to the Eventia Reporter Server.

    By default, the report is saved in HTML output in an index.htm file; and in CSV

    (Comma Separated Values) format in a tables.csv file. The HTML file includes descriptions and graphs, but the CSV file contains only the report table units, without

    a table of contents, descriptions or graphs. The tables.csv is provided in order to enable convenient table import to applications like Excel.

    Before generating a report, determine whether you want it to be saved or sent to

    additional or different targets. For example, when you generate a user activity-related report, you may wish to make it available to all managers in your organization by

    sending them the output via Email or by placing it on your intranet.

    TABLE 2-2 Report Files and Formats

    File Format   HTML                              CSV
    File Name     index.htm                         tables.csv
    Includes      Table of contents, tables,        Data only. Cell values separated by commas.
                  descriptions, graphs.             Rows and tables separated by lines.

    Eventia Reporter Database Management

    All database management operations are performed through the Eventia Reporter Database Maintenance view.

    Tuning the Eventia Reporter Database

    To improve performance, adjust the database cache size to match the computer's

    available memory. Use the relevant my.ini file for the required configuration. This configuration file can be found in the Database/conf folder. In addition, place the

    database data and log files on different hard drives (physical disks), if available.

    Modifying Eventia Reporter Database Configuration

    It is possible to change the Eventia Reporter Database settings by modifying the my.ini

    file, located in the $RTDIR/Database/conf directory. This can be done by running the

    UpdateMySQLConfig application. Note that before running this application you must stop all Eventia Reporter services by running rmdstop.

    Running the UpdateMySQLConfig application creates a backup of the database configuration file.

    There are a number of factors that can improve performance of the Eventia Reporter's database. Most of these factors can be tuned by using the UpdateMySQLConfig utility.

    RAM - The database needs substantial amounts of RAM to buffer data up to 1200

    MB. This can be set using UpdateMySQLConfig -R.

    Temporary directories - The database uses temporary disk space to perform

    intermediate operations (such as sorting and grouping) and may require a few GB to generate large reports. Generating a substantial report may fail to execute the

    required SQL query if there is not enough disk space for the temporary directory.

    The temporary directory can be defined using UpdateMySQLConfig -T.

    Log files - The database log files ensure that changes persist in the event of a system

    crash. Place these files on a device that is separate from the database's data files using

    the UpdateMySQLConfig -L option.

    Database data files - these files should be put on a large, fast disk. The database's

    data files can be placed on several disks. Use UpdateMySQLConfig -A to add a new file to the set of database files and use UpdateMySQLConfig -M to move an existing

    file to a new location. Do not place database files on a network drive since performance may suffer and in some instances the database will not work.

    Note - on a Windows platform the database configuration file can be found in

    $RTDIR\Database\conf\my.ini, while on a UNIX platform it can be found in

    $RTDIR\Database\conf\my.cnf

    The default database file is ibdata1. If this file needs to be moved to a new absolute directory (for example, d:/Database/data), verify that the directory exists

    and run:

    UpdateMySQLConfig -M -src=ibdata1 -dst="d:/Database/data/ibdata1"

    If you want to move the file from one absolute directory to another (for example, d:/Database/data to

    d:/Database/data2), verify that the directory exists and run the following:

    UpdateMySQLConfig -M -src="d:/Database/data/ibdata1" -dst="d:/Database/data2/ibdata1"

    Default data directory - this is the directory that contains the MySQL table

    definitions and the location of temporary tables that the generator uses to optimize

    report generation performance. This directory can only be changed by editing the

    file /Database/conf/my.ini (my.cnf on UNIX). Change the datadir entry to refer to the new location and copy the files to the new location.

    The following table contains the usage of the UpdateMySQLConfig application.

    Syntax

    UpdateMySQLConfig

    Parameters

    [-A -f=string -s=number -auto[=true|=false] [ -m=number ] ]
    [-R=number ]
    [-M -src=string -dst=string ]
    [-T=string ]
    [-L=string ]
    [-h ]

    TABLE 2-3 UpdateMySQLConfig Options

    option   sub-option                                      meaning
    -A       -f - the name of the file to add.               Add a new data file to the database.
             -s - the initial size of the file when it is
                  created (format [0-9]+{K|M|G}).
             -auto - specifies whether the database should
                  grow the file on demand.
             -m - the maximum size the file can grow
                  (format [0-9]+{K|M|G}). If this option is
                  not specified, the database will grow the
                  file to the available size on the disk.
    -R                                                       Sets the level of database RAM usage.
    -M       -src - original file path                       Moves a database file to a new location.
             -dst - destination file path
    -T                                                       Changes the path to MySQL temporary directory.
    -L                                                       Changes the path to MySQL log directory and
                                                             copies log files to the new location.
    -h                                                       Displays this help message.

    Automatically Maintaining the Size of the Database

    The Log Consolidator process continuously adds new records into the database as they

    are generated from the VPN-1 Pro gateway. Eventually, the space allocated for the

    database will fill up. Typically, users can manually archive or delete older, less pertinent records from the database to provide space for the newest records. Automatic

    Maintenance performs this process automatically. With Automatic Maintenance, the user selects a maintenance operation (whether it is deleting records or archiving them to an external file) and specifies high and low watermarks to trigger when Automatic

    Maintenance should occur.

    The High Watermark value represents the percentage of space that the database can occupy

    and/or the age of database records (that is, how many days old the records are). When the database occupies too much space or the records are older than the specified age, then the conditions are right to trigger an Automatic Maintenance operation. The

    High Watermark values are checked once a day and if the percentage of space or the

    age of the database records is higher than the assigned values, the Automatic Maintenance operation is triggered.

    The Automatic Maintenance operation will delete records from the database until it

    reaches the Low Watermark. For example, if you specify that the High Watermark is 80% and the Low Watermark is 70% then the operation will begin to delete the oldest

    records when the occupied space is over 80%.

    Typically, 80% is the High Watermark, since Eventia Reporter requires the extra space

    to perform generation optimizations.

    In addition, it is possible to specify which database tables will participate in Automatic Maintenance. Since some of the tables are created for special purposes (for example, a

    table created from an external log file), Automatic Maintenance should not be performed on them.

    When deletion of records occurs during automatic maintenance, you may see that the database size grows at first. This is normal behavior since the database needs to keep

    duplicate information in case of a server crash. The database will recover the disk space

    for about an hour after the maintenance operation is complete.
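The space-based High/Low Watermark cycle described above, as a small simulation added here (it is not Check Point code, and the guide does not show Eventia Reporter's internal logic). The 1000 MB capacity, 50 MB daily batches and the IMPORTED_LOG table name are constructed for the example, and the age-based trigger is not modelled. It reports how many days of records survive each maintenance run, which is the figure that matters when older logs are needed for an investigation.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta


@dataclass
class Table:
    name: str
    batches: list = field(default_factory=list)  # (day, size_mb), oldest first
    participates: bool = True  # False: excluded from Automatic Maintenance


def used_mb(tables):
    """Space occupied by every table, excluded ones included."""
    return sum(mb for t in tables for _, mb in t.batches)


def daily_check(tables, capacity_mb, high_pct=80, low_pct=70, archive=None):
    """Run one daily watermark check; return the batches taken out, oldest first.

    If `archive` is a list, removed batches are appended to it (the "archive to
    an external file" operation); otherwise they are simply deleted.
    """
    removed = []
    if used_mb(tables) * 100 <= high_pct * capacity_mb:
        return removed  # at or below the High Watermark: nothing to do
    while used_mb(tables) * 100 > low_pct * capacity_mb:
        eligible = [t for t in tables if t.participates and t.batches]
        if not eligible:
            break  # only excluded tables are left; cannot reach the Low Watermark
        oldest = min(eligible, key=lambda t: t.batches[0][0])
        day, mb = oldest.batches.pop(0)
        removed.append((oldest.name, day, mb))
    if archive is not None:
        archive.extend(removed)
    return removed


def simulate(days, daily_mb, capacity_mb, tables, start=date(2005, 5, 1), **kw):
    """Add one batch per day to tables[0], then run the daily check.

    Returns (days on which maintenance fired, shortest retention in days
    observed right after a maintenance run).
    """
    fired, shortest = [], None
    for n in range(days):
        today = start + timedelta(days=n)
        tables[0].batches.append((today, daily_mb))
        if daily_check(tables, capacity_mb, **kw):
            fired.append(today)
            if tables[0].batches:
                kept = (today - tables[0].batches[0][0]).days + 1
                shortest = kept if shortest is None else min(shortest, kept)
    return fired, shortest


if __name__ == "__main__":
    conn = Table("CONNECTIONS")
    # Constructed table built from an external log file, kept out of maintenance.
    imported = Table("IMPORTED_LOG", [(date(2005, 1, 1), 100)], participates=False)
    archived = []
    fired, shortest = simulate(30, 50, 1000, [conn, imported], archive=archived)
    print("maintenance ran on:", [d.isoformat() for d in fired])
    print("shortest retention after a run (days):", shortest)
    print("batches archived:", len(archived))
```

With the delete operation instead of archive, every batch counted in `archived` would be unrecoverable, so the retention figure is worth checking against how far back reports and investigations need to reach.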

    Backing Up the Eventia Reporter Database

    The Eventia Reporter Database system consists of a set of files that can be copied,

    compressed or backed up like any other file. Backup files require the same disk space as

    the original files. It is highly recommended to save backup copies of the Eventia Reporter Database files, which can later be used to recover from an unexpected

    database corruption. Proceed as follows:

    1 Stop the Eventia Reporter services:

    Run rmdstop.

    2 From the Eventia Reporter Database directories, copy the entire data directory

    tree (as specified by the datadir parameter in the my.ini file) to the backup

    location (you may compress them to save disk space). Copy any database and log files that may have been moved to a different location using the

    UpdateMySQLConfig utility.

    3 Restart the Eventia Reporter services, starting with the Check Point Reporting Database Server service.

    Windows - start the Check Point Reporting Database Server service.

    Solaris - use rmdstart.
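The three backup steps above as one script, added here as an example and not part of the Check Point product. `backup_database`, `read_datadir` and their parameters are hypothetical names; `rmdstop` and `rmdstart` are the commands named in this section, and on Windows the caller must pass its own command for starting the Check Point Reporting Database Server service. It checks free space first (backups need as much space as the originals), restarts the services even if the copy fails, and returns SHA-256 digests so the backup can be verified later.

```python
import configparser
import hashlib
import shutil
import subprocess
from pathlib import Path


def read_datadir(conf_path):
    """Return the datadir path from my.ini / my.cnf (bare keys and quotes allowed)."""
    cp = configparser.ConfigParser(allow_no_value=True, strict=False,
                                   interpolation=None,
                                   inline_comment_prefixes=("#",))
    if not cp.read(conf_path):
        raise FileNotFoundError(str(conf_path))
    for section in cp.sections():
        value = cp[section].get("datadir")
        if value:
            return Path(value.strip().strip("\"'"))
    raise KeyError("no datadir entry in %s" % conf_path)


def tree_size(path):
    """Total size in bytes of a file or directory tree."""
    path = Path(path)
    if path.is_file():
        return path.stat().st_size
    return sum(p.stat().st_size for p in path.rglob("*") if p.is_file())


def sha256(path):
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def backup_database(conf_path, dest, extra_paths=(), stop_cmd=("rmdstop",),
                    start_cmd=("rmdstart",), run=subprocess.run):
    """Stop services, copy datadir and moved files, restart; return {file: sha256}.

    extra_paths: data or log files relocated earlier with UpdateMySQLConfig.
    """
    conf_path, dest = Path(conf_path), Path(dest)
    sources = [read_datadir(conf_path)] + [Path(p) for p in extra_paths]
    missing = [str(s) for s in sources if not s.exists()]
    if missing:
        raise FileNotFoundError("missing: " + ", ".join(missing))
    dest.mkdir(parents=True)  # raises if dest exists: never overwrite a backup
    need = sum(tree_size(s) for s in sources)
    if shutil.disk_usage(dest).free < need:
        dest.rmdir()
        raise OSError("backup needs %d bytes free under %s" % (need, dest.parent))
    run(list(stop_cmd), check=True)  # step 1: stop the Eventia Reporter services
    try:
        for i, src in enumerate(sources):  # step 2: copy while nothing is writing
            target = dest / ("%d_%s" % (i, src.name))
            if src.is_dir():
                shutil.copytree(src, target)
            else:
                shutil.copy2(src, target)
        shutil.copy2(conf_path, dest / conf_path.name)
    finally:
        run(list(start_cmd), check=True)  # step 3: restart even if the copy failed
    return {str(p.relative_to(dest)): sha256(p)
            for p in sorted(dest.rglob("*")) if p.is_file()}
```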

    CHAPTER 3

    How To

    In This Chapter

    Quick Start

    Eventia Reporter Instructions

    Consolidation Policy Configuration

    Quick Start

    This section is a step-by-step guide that covers the basic Eventia Reporter operations.

    In This Section

    How to Generate a Report

    How to Customize a Report

    How to View and Collect Information about the Status of Report Generation

    How to Start and Stop the Log Consolidator Engine

    How to Configure Consolidation Settings and Sessions

    How to Export and Import Database Tables

    How to Configure Database Maintenance Properties

    How to Generate a Report

    The following procedure allows you to create the most basic Eventia Reporter

    configuration. Proceed as follows:

    1 In the Selection Bar view, select Reports > Definitions and in the Standard tab select Security > Blocked Connections.

    2 Access the Period tab to determine the period over which the report will be

    generated and the information that should be used to generate the report.

    Report Period - In this area select one of the following options:

    Relative Time Frame - includes the time period relative to the report generation.

    This time period defines a proportional interval (for example, Last Week or This Quarter).

    Specific Dates - includes the exact time period for which the report will be

    generated.

    3 Access the Input tab to determine the modules for which you would like to generate a report. If more than one module is selected as your source, you can

    generate information per module, or create a summary for all the selected modules.

    Select Check Point modules - In this area select the VPN-1 Pro modules that will

    participate in report generation:

    Select all modules - selects all the VPN-1 Pro modules that are run by the

    SmartCenter server.

    Select specific modules - enables you to select specific VPN-1 Pro modules that are run by the SmartCenter server, from the tree provided.

    Add - enables you to add a module to the existing module tree.

    Show Result - In this area select one of the following options:

    Per module - instructs the Eventia Reporter to create a report that details

    information for each of the selected modules.

    Summary of all modules - instructs the Eventia Reporter to create a report that summarizes the information associated with all of the selected modules.

    Generation Input - In this area select the database table that contains the information for the report you are generating. By default the CONNECTIONS table

    is the primary database table.

    Sample Mode - provides the information for a demo mode. This option is used

    when you want to see an example of the report you are creating.

    Other Database Tables - enables you to access the information on which you would like your report to be based.

    4 Click the Generate Report button to create the Blocked Connections report.


    5 Click Yes to display the results.

    A new window appears containing the results of the report generation.
