Checkpoint Firewall Manager information not showing correctly on LEM

Created by Ezgi Muderrisoglu, last modified by MindTouch on Jun 23, 2016

Overview

Checkpoint Firewall Manager information not showing correctly on LEM.

In the Monitor > Filters section, the information appears to arrive with a new event every minute; in an nDepth search, however, this does not appear to be the case.

 

This issue occurs if Checkpoint Firewall Manager has been set up to gather logs from other firewalls in the environment and send them to LEM. The Checkpoint Firewall Manager sends the information straight to LEM, but not in any particular order.

The following example scenario follows a log entry sent by a Checkpoint firewall to the Checkpoint Firewall Manager, with the following timestamp inside the log entry: 14:15 17th of March 2016 xxxxxxxxxx

  • Other Checkpoint Firewalls > send logs to > Checkpoint Firewall Manager
  • Checkpoint Firewall Manager > sends these logs to (in no particular order) [in this example, it sends the logs at 16:15 17th of March 2016] > LEM
  • LEM > processes the logs through its configured connectors > translates the information and saves it to its database. [In this example, it files the log entry under the time stated in the log itself, so on 17th of March 2016, 14:15]
  • LEM > shows in the Monitor section of the LEM console the time at which it received the logs. [In this example, LEM received the logs at 16:15 17th of March 2016, so this is the time displayed as the insertion time]

 

Following this scenario, if you search nDepth for the logs in the timeframe 16:15 17th of March 2016, you will not see an event/log entry, because the log itself carries a different time. What you should be looking for in the nDepth search is: 14:15 17th of March 2016.
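The scenario above, reproduced as an added example (not SolarWinds code and not LEM output). The records are constructed, and the field names event_time and insertion_time and the source names are assumptions. It shows why a search on the receipt time misses the entry, derives the event-time window to search instead from the delay observed in the sample, and flags entries delivered out of order.

```python
from datetime import datetime

FMT = "%Y-%m-%d %H:%M"
# Constructed sample records, not LEM output. Field names are assumptions:
# "event_time" = timestamp inside the log entry, "insertion_time" = receipt time.
EVENTS = [
    {"id": 1, "source": "fw-manager", "event_time": "2016-03-17 14:15", "insertion_time": "2016-03-17 16:15"},
    {"id": 2, "source": "fw-manager", "event_time": "2016-03-17 15:50", "insertion_time": "2016-03-17 16:16"},
    {"id": 3, "source": "fw-manager", "event_time": "2016-03-17 13:05", "insertion_time": "2016-03-17 16:17"},
    {"id": 4, "source": "direct-fw", "event_time": "2016-03-17 16:15", "insertion_time": "2016-03-17 16:15"},
]

def parse(ts):
    return datetime.strptime(ts, FMT)

def search(events, source, start, end, field):
    """Ids of events from `source` whose `field` timestamp is in [start, end]."""
    return [e["id"] for e in events
            if e["source"] == source and parse(start) <= parse(e[field]) <= parse(end)]

def forwarding_lag(events, source):
    """(min, max) delay between event time and receipt for one source."""
    lags = [parse(e["insertion_time"]) - parse(e["event_time"])
            for e in events if e["source"] == source]
    return min(lags), max(lags)

def event_window_for(events, source, seen_start, seen_end):
    """Event-time window covering entries received in [seen_start, seen_end]."""
    lo, hi = forwarding_lag(events, source)
    return ((parse(seen_start) - hi).strftime(FMT),
            (parse(seen_end) - lo).strftime(FMT))

def out_of_order(events, source):
    """Ids received after an entry that carries a later event time."""
    newest, late = None, []
    for e in sorted((e for e in events if e["source"] == source),
                    key=lambda e: parse(e["insertion_time"])):
        t = parse(e["event_time"])
        if newest is not None and t < newest:
            late.append(e["id"])
        newest = t if newest is None else max(newest, t)
    return late

if __name__ == "__main__":
    at = "2016-03-17 16:15"
    print(search(EVENTS, "fw-manager", at, at, "insertion_time"))
    print(search(EVENTS, "fw-manager", at, at, "event_time"))
    print(event_window_for(EVENTS, "fw-manager", at, "2016-03-17 16:17"))
    print(out_of_order(EVENTS, "fw-manager"))
```

The window is only as good as the lag observed in the sample, so widen it further if the forwarding delay varies.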

Environment

  • LEM 6.2
  • Checkpoint Firewall Manager

Cause 

This is due to the Checkpoint Firewall Manager, which sends the logs to LEM in no particular order. LEM makes a note of the time at which it received the logs, and also of the time stated within the log itself. This is where the confusion arises when searching for the logs in the LEM console.

Resolution

It is recommended to contact your Checkpoint Firewall Manager vendor to further troubleshoot this issue as LEM is behaving as expected.

 

Last modified
19:55, 22 Jun 2016
