CPUG - The Check Point User Group. A Resource For The Check Point Community. Fast. Useful. Independent.
I am trying to get some reports on web usage from my NG AI R55. In the security rule base I have a rule which allows outgoing HTTP traffic and has "Account" in the "Track" column: [screenshot]

In the consolidator rule base I have rules which store data for HTTP traffic, as here: [screenshot]

My first problem is that when I install the consolidation policy, I get a warning message like this:

Starting policy installation...
Getting policy information...
Verifying policy...
Policy name: HTTP
Policy verified.
Openning policy files...
Updating policy files...
Compiling customers...
Compiling accounting schemes...
Compiling 'HTTP' policy data...
Compiling consolidation rule base...
Compiling accounting rule base...
Information: No Accounting Rules were found.
Saving policy files...
Policy installation completed successfully !
Sending Engine the new installation settings...
The Log Consolidator Engine is loading the new policy (This may take a while).
Note: You can check the progress by choosing 'Engine and Database status' option from the 'Status' menu.

As you noticed, it says "No Accounting Rules were found" when there is clearly one accounting rule and I can see it in SmartView Tracker! Anyway, I ran this policy for 20 hours and in DB status I see:

Engine current status: Processing Logs
Last command: Install (since Mon Apr 02 17:33:26 2007)
Last startup at: Mon Apr 02 17:33:26 2007
Log records processed since startup: 2482032 (Stored:239 Ignored:2481793)
Currently open consolidated records: 0
Consolidated records loaded to DB: 16 (Permanent:16 Temporary:0)
Consolidation rate: 93%

So it does consolidate something, but stored only 239 records?! It must be thousands of connections! Also, my reports come up with "No Data available". I am obviously missing something here, but what? Appreciate your help.

Ali.
Hi, I am by no means an expert on this and actually have only just started to look at this feature, so be kind if I am stating the obvious. However, from the help file I have gleaned the following:

Getting here - View > Products > Log Consolidator > Policy > Global Properties > Advanced Settings

You can set the "Stop consolidation and commit work" time and "Maximum consolidation memory pool". As your posting did not mention you set this, I wonder if it is something you missed. I hope this helps, but if not I would be interested to know the answer when you find it.

Regards,
Gavrilo
Hi, I verified those settings - they seem to be default (1 hour/32 Mb). I also experimented with my consolidation policy and it looks like it works just fine with any other service (I tried ftp, Notes, smtp, ftp), but not with HTTP! :(((

Ali.
OK, here is what is happening: in my configuration all connections to the Internet are NATed to the external FW interface in Hide mode. I guess this is the reason why in Reporter ALL HTTP connections to the Internet are reported with the firewall itself as "source". I discovered it by changing "proxy1" and "proxy2" to ANY in my policy. The other protocols I tested happened to be directed to other subnets without NATing, so they were reported with the correct source, the workstations that originated those connections.

Now, why does Reporter see the "source" of HTTP connections as the firewall itself, while in Tracker the "source" remains correct, a workstation (the firewall is logged as "Origin" and not "Source")? Is this behaviour by design? If so, how can I generate reports on web usage by internal IPs? If there is somebody who knows, please help.

Thank you,
Ali.

Last edited by fkbr1; 2007-04-12 at 03:17.
Hi Ali,

What are "proxy1" and "proxy2"? Do all HTTP connections run through these (apparent) proxy servers? If so, do the proxies NAT the traffic? That is my configuration, and all SOURCE IPs are that of the proxy, as they should be, because everything hitting the firewall is coming from the proxy server IP address. I have my reporting system reading the proxy logs.

When you see ORIGIN, it means that is the device sending the logs to the SmartCenter. If you have multiple firewalls or routers sending logs, this is a way of filtering the logs to see what is coming from just that device.

HTH,
Ray
OK, maybe I confused you a little bit. Let's start from the beginning. I have the following setup: [diagram]

All PCs on the LAN go to the Internet via the Check Point firewall. When going to the Internet, they are NATed using a manual hide NAT rule to the firewall's external IP. (Proxy1 and Proxy2 are just 2 of those LAN PCs.) For the moment I have the following policy (again, just for test purposes): [screenshot]

Using this policy I was expecting to be able to generate reports on HTTP usage by LAN PCs. For some reason, in reports all HTTP connections are reported as coming from the firewall's external interface (I guess because of NATing), so there is no way to separate traffic from LAN PCs. I wonder if there is a way to create the report I need (i.e. having LAN PCs as the source of HTTP connections).
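The situation described in this post, where the log still carries the LAN PC's address but the report keys on the hide-NAT address and so collapses every PC into the firewall's external IP, can be illustrated with a small consolidator. This is an added example and not code from the thread or from Check Point: the records are constructed, and the field names (src, dst, service, xlatesrc, orig) are an assumption modelled on the convention of Check Point log exports, not a claim about what the R55 Log Consolidator actually reads.

```python
from collections import defaultdict
from dataclasses import dataclass

FIREWALL_EXT = "203.0.113.1"   # constructed: the firewall's external (hide NAT) address


@dataclass(frozen=True)
class LogRecord:
    src: str        # pre-NAT source as the firewall saw it (Tracker's "Source")
    dst: str
    service: str
    xlatesrc: str   # post-NAT source; equals the hide NAT address for hidden clients
    orig: str       # device that emitted the log (Tracker's "Origin")
    bytes: int


# Constructed sample: three LAN PCs browsing behind hide NAT, plus one smtp
# connection to an internal subnet that is reached without NAT.
SAMPLE_RECORDS = [
    LogRecord("10.0.0.11", "198.51.100.5", "http", FIREWALL_EXT, FIREWALL_EXT, 1200),
    LogRecord("10.0.0.11", "198.51.100.7", "http", FIREWALL_EXT, FIREWALL_EXT, 800),
    LogRecord("10.0.0.12", "198.51.100.5", "http", FIREWALL_EXT, FIREWALL_EXT, 4000),
    LogRecord("10.0.0.13", "198.51.100.9", "http", FIREWALL_EXT, FIREWALL_EXT, 300),
    LogRecord("10.0.0.12", "172.16.5.25", "smtp", "10.0.0.12", FIREWALL_EXT, 5000),
]


def consolidate(records, service, source_field="src"):
    """Aggregate the records of one service into per-source totals.

    source_field picks which address identifies the client:
      "src"      -> the pre-NAT address, so each LAN PC gets its own row
      "xlatesrc" -> the post-NAT address, so everything behind hide NAT
                    becomes a single row for the firewall's external IP
    Returns {source: {"connections": n, "bytes": total}}.
    """
    totals = defaultdict(lambda: {"connections": 0, "bytes": 0})
    for r in records:
        if r.service != service:
            continue
        key = getattr(r, source_field)
        totals[key]["connections"] += 1
        totals[key]["bytes"] += r.bytes
    return dict(totals)


def hidden_sources(records, service):
    """Distinct pre-NAT sources that a report keyed on xlatesrc would merge away."""
    return sorted({r.src for r in records
                   if r.service == service and r.src != r.xlatesrc})


if __name__ == "__main__":
    for field in ("src", "xlatesrc"):
        print(f"HTTP usage keyed on {field}:")
        for source, t in sorted(consolidate(SAMPLE_RECORDS, "http", field).items()):
            print(f"  {source:15} {t['connections']:3} connections {t['bytes']:6} bytes")
    print("LAN PCs hidden behind hide NAT:", hidden_sources(SAMPLE_RECORDS, "http"))
```

Running it keyed on "src" yields one row per LAN PC; keyed on "xlatesrc" the same four HTTP records fold into a single row for the firewall's external address, while the smtp record, which was not translated, keeps its real source either way. That is the difference between what Tracker displays and what the report in this thread shows.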
It looks like you're using the older version of SmartView Reporter, the pre-R56 one. Unfortunately I started with the R56 (MySQL) one and it doesn't have this issue, so I probably can't help you.

I can't help but think it may be your manual Hide NAT rule, though. Can you post how that is configured? Is there some reason you cannot create a network object for the LAN and apply Hide NAT to it via the NAT tab? That's what I do, and the individual LAN IPs do display. Does SmartView Tracker show the LAN address or the NAT address?

The R56 version doesn't use consolidation rules at all (or at least not that I've found!). If it's logged, it gets dumped into MySQL. The response time to generate a report is blazingly fast as well. I know there is no way to import the SOLID database format into MySQL, so maybe that's why you haven't moved to it yet. It does work perfectly with an R55 enforcement module, as does the newer R63 "Eventia Reporter" version.

Take care,
Ray
Hi, yes, I also thought my NATing may cause this. But I tried all the possible options - manual, static, hide, automatic (i.e. modifying the NAT tab of the object properties) - still the same result. The source of the HTTP connection in reports is the external IP address. This is strange, because in Tracker, no matter which type of NAT I use, the source is always correct. So the information is there; it is just that Reporter cannot get it. I am really stuck here.... :(

Ali.