CPUG: The Check Point User Group

Resources for the Check Point Community, by the Check Point Community.



Thread: Rule history

  1. #1
    Join Date
    2017-02-12
    Posts
    4
    Rep Power
    0

    Rule history

    Hi,

    I've been searching for a way to get some history on a rule (when it was inserted, changed etc) but I'm not having any luck. The doco seems to talk about an "audit" pane in tracker but I see a management pane instead.

    Also, the audit log seems to be missing a lot of entries that I know should be there. Some entries are there but not all by a long chalk.

    Our system is load balanced R77.30 management servers BTW.

    Does anyone know why our audit log would be missing entries relating to rule changes? Does each management server have its own audit log?

    TIA

    Dave

  2. #2
    Join Date
    2011-08-02
    Location
    http://spikefishsolutions.com
    Posts
    1,208
    Rep Power
    7

    Re: Rule history

    Quote: Originally posted by Dave Edwards
    Hi,

    I've been searching for a way to get some history on a rule (when it was inserted, changed etc) but I'm not having any luck. The doco seems to talk about an "audit" pane in tracker but I see a management pane instead.

    Also, the audit log seems to be missing a lot of entries that I know should be there. Some entries are there but not all by a long chalk.

    Our system is load balanced R77.30 management servers BTW.

    Does anyone know why our audit log would be missing entries relating to rule changes? Does each management server have its own audit log?

    TIA

    Dave
    I've noticed some strange things with the audit log as well. Like it saying I made change xyz when I know I didn't.

    Yes, each management server will have its own audit log. And yes, it's viewed via the management tab. That being said, only the active management server would be viewed unless maybe you failed over. Then I would assume they would be on the standby. Each CMA would also have its own, and then there is a global-level audit log as well in the P1 environment.

    The audit log can be viewed via CLI as well from the management server:

    $FWDIR/log/fwadt.log or something like that.

    fw log -l $FWDIR/log/fwadt.log > ~/audit.txt

    will export it.
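
One way to act on the point above that each management server keeps its own audit log, as an added example that is not part of any forum post: export the log on every server (using the `fw.adtlog` file name that appears later in this thread), then merge the exports and keep only rule operations. The one-record-per-line `key: value;` layout, the field names `Operation`, `Administrator` and `ObjectName`, and the sample lines are assumptions constructed for illustration and should be checked against a real export.

```shell
#!/bin/sh
# Added example, not from the thread. Input is the text written on EACH
# management server by:  fw log -l $FWDIR/log/fw.adtlog > audit_<server>.txt
# ASSUMED layout: one record per line, "DDMonYYYY H:MM:SS ... key: value; ..."
# with Operation, Administrator and ObjectName fields.

# rule_history FILE...  -> "timestamp|admin|operation|object|file", oldest first
rule_history() {
    awk '
    function field(name,   s, p) {          # value of " name: value;" or ""
        p = index($0, " " name ": ")
        if (p == 0) return ""
        s = substr($0, p + length(name) + 3)
        sub(/;.*/, "", s)
        return s
    }
    BEGIN { n = split("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec", m, " ")
            for (i = 1; i <= n; i++) mon[m[i]] = i }
    {
        op = field("Operation")
        if (tolower(op) !~ /rule/) next      # keep rule add/modify/delete only
        day = $1; sub(/[A-Za-z].*/, "", day)
        mname = substr($1, length(day) + 1, 3)
        if (!(mname in mon)) next            # header or malformed line
        split($2, t, ":")
        printf "%04d-%02d-%02d %02d:%02d:%02d|%s|%s|%s|%s\n",
            substr($1, length(day) + 4), mon[mname], day, t[1], t[2], t[3],
            field("Administrator"), op, field("ObjectName"), FILENAME
    }' "$@" | sort
}

# Constructed sample exports (not real log data): one file per server.
demo() {
    d=$(mktemp -d)
    cat > "$d/audit_primary.txt" <<'EOF'
16Feb2017 6:11:02 accept mgmt1 < ObjectName: Standard; ObjectType: firewall_policy; Operation: Modify Rule; Administrator: dave; Machine: pc1;
16Feb2017 6:12:40 accept mgmt1 < ObjectName: web01; ObjectType: host_plain; Operation: Create Object; Administrator: dave; Machine: pc1;
EOF
    cat > "$d/audit_standby.txt" <<'EOF'
3Jan2017 21:05:09 accept mgmt2 < ObjectName: Standard; ObjectType: firewall_policy; Operation: Add Rule; Administrator: maria; Machine: pc2;
EOF
    rule_history "$d"/audit_*.txt
    rm -rf "$d"
}
demo
```

The last column shows which server's export recorded the change, so a rule edit that is absent from the active server's view but present on the standby stands out.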

  3. #3
    Join Date
    2013-09-25
    Location
    Bucharest
    Posts
    560
    Rep Power
    4

    Re: Rule history

    Quote: Originally posted by jflemingeds
    I've noticed some strange things with the audit log as well. Like it saying I made change xyz when I know I didn't.

    Yes, each management server will have its own audit log. And yes, it's viewed via the management tab. That being said, only the active management server would be viewed unless maybe you failed over. Then I would assume they would be on the standby. Each CMA would also have its own, and then there is a global-level audit log as well in the P1 environment.

    The audit log can be viewed via CLI as well from the management server:

    $FWDIR/log/fwadt.log or something like that.

    fw log -l $FWDIR/log/fwadt.log > ~/audit.txt

    will export it.
    Nice info provided here; do you know how often the audit log rolls over? Every day, like the traffic log?

    Thanks!

  4. #4
    Join Date
    2008-07-31
    Location
    Netherlands, Europe
    Posts
    1,066
    Rep Power
    10

    Re: Rule history

    Quote: Originally posted by laf_c
    Nice info provided here; do you know how often the audit log rolls over? Every day, like the traffic log?

    Thanks!
    It does not at all.
    Regards, Maarten.
    Dual P1 R77.30, VSX, IPSO, SPLAT, GAIA mostly.

  5. #5
    Join Date
    2013-09-25
    Location
    Bucharest
    Posts
    560
    Rep Power
    4

    Re: Rule history

    Quote: Originally posted by msjouw
    It does not at all.
    Now I am puzzled: you say this file gets bigger as each day passes?

  6. #6
    Join Date
    2011-08-02
    Location
    http://spikefishsolutions.com
    Posts
    1,208
    Rep Power
    7

    Re: Rule history

    Quote: Originally posted by laf_c
    Now I am puzzled: you say this file gets bigger as each day passes?
    Yes, it should grow daily. Is this your active management server?

  7. #7
    Join Date
    2008-07-31
    Location
    Netherlands, Europe
    Posts
    1,066
    Rep Power
    10

    Re: Rule history

    1 average customer, changes 1 per week, 12000 records per year, filesize 2.9MB.
    1 busier customer, changes 2-5 per week, 62000 records over 2 years and 8 months, filesize 158MB.

    so really do not see the problem here, some of our customers have multiple 2GB logfiles per day.....
    Regards, Maarten.
    Dual P1 R77.30, VSX, IPSO, SPLAT, GAIA mostly.

  8. #8
    Join Date
    2013-09-25
    Location
    Bucharest
    Posts
    560
    Rep Power
    4

    Re: Rule history

    Quote: Originally posted by jflemingeds
    I've noticed some strange things with the audit log as well. Like it saying I made change xyz when I know I didn't.

    Yes, each management server will have its own audit log. And yes, it's viewed via the management tab. That being said, only the active management server would be viewed unless maybe you failed over. Then I would assume they would be on the standby. Each CMA would also have its own, and then there is a global-level audit log as well in the P1 environment.

    The audit log can be viewed via CLI as well from the management server:

    $FWDIR/log/fwadt.log or something like that.

    fw log -l $FWDIR/log/fwadt.log > ~/audit.txt

    will export it.
    Had a look today, but it looks awful!
    Next attempted to run fw log -l $FWDIR/log/fw.adtlog > audit.txt but it took like 8 minutes and no output:
    ps aux | grep log
    admin 1507 96.6 1.9 230816 153592 pts/3 R+ 06:11 8:05 fw log -l /opt/CPsuite-R77/fw1/log/fw.adtlog


    [Expert@sflda-gratiot:0]# ls -lh /opt/CPsuite-R77/fw1/log/fw.ad*
    -rw-rw-r-- 1 admin config 50M Feb 16 06:12 /opt/CPsuite-R77/fw1/log/fw.adtlog

  9. #9
    Join Date
    2006-03-08
    Location
    Lausanne
    Posts
    865
    Rep Power
    12

    Re: Rule history

    In my book, audit FW log does not provide enough visibility on changes. My money is on third party tools, such as Tufin or Algosec
    -------------

    Valeri Loukine
    CCMA, CCSM, CCSI
    http://checkpoint-master-architect.blogspot.com/

  10. #10
    Join Date
    2009-04-30
    Location
    Colorado, USA
    Posts
    1,955
    Rep Power
    11

    Re: Rule history

    Quote: Originally posted by varera
    In my book, audit FW log does not provide enough visibility on changes. My money is on third party tools, such as Tufin or Algosec
    In R77.XX the SmartWorkflow feature provides some nice capabilities to compare ("diff") policies and view concise change reports.
    --
    My book "Max Power: Check Point Firewall Performance Optimization"
    now available via http://maxpowerfirewalls.com.

  11. #11
    Join Date
    2006-03-08
    Location
    Lausanne
    Posts
    865
    Rep Power
    12

    Re: Rule history

    Quote: Originally posted by ShadowPeak.com
    In R77.XX the SmartWorkflow feature provides some nice capabilities to compare ("diff") policies and view concise change reports.
    I still think the named vendors do it much better, especially considering it usually comes with other orchestration and design tools.

    But yes, you can compare changes, if you maintain revision control points.
    -------------

    Valeri Loukine
    CCMA, CCSM, CCSI
    http://checkpoint-master-architect.blogspot.com/
