Document: Eventia Reporter TM Administration Guide Version NGX R65 doc


Document information

Eventia Reporter™ Administration Guide
Version NGX R65
701679 March 2007

© 2003-2007 Check Point Software Technologies Ltd. All rights reserved. This product and related documentation are protected by copyright and distributed under licensing restricting their use, copying, distribution, and decompilation. No part of this product or related documentation may be reproduced in any form or by any means without prior written authorization of Check Point. While every precaution has been taken in the preparation of this book, Check Point assumes no responsibility for errors or omissions. This publication and features described herein are subject to change without notice.

RESTRICTED RIGHTS LEGEND: Use, duplication, or disclosure by the government is subject to restrictions as set forth in subparagraph (c)(1)(ii) of the Rights in Technical Data and Computer Software clause at DFARS 252.227-7013 and FAR 52.227-19.

TRADEMARKS: ©2003-2007 Check Point Software Technologies Ltd. All rights reserved. Check Point, AlertAdvisor, Application Intelligence, Check Point Express, Check Point Express CI, the Check Point logo, ClusterXL, Confidence Indexing, ConnectControl, Connectra, Connectra Accelerator Card, Cooperative Enforcement, Cooperative Security Alliance, CoSa, DefenseNet, Dynamic Shielding Architecture, Eventia, Eventia Analyzer, Eventia Reporter, Eventia Suite, FireWall-1, FireWall-1 GX, FireWall-1 SecureServer, FloodGate-1, Hacker ID, Hybrid Detection Engine, IMsecure, INSPECT, INSPECT XL, Integrity, Integrity Clientless Security, Integrity SecureClient, InterSpect, IPS-1, IQ Engine, MailSafe, NG, NGX, Open Security Extension, OPSEC, OSFirewall, Policy Lifecycle Management, Provider-1, Safe@Home, Safe@Office, SecureClient, SecureClient Mobile, SecureKnowledge, SecurePlatform, SecurePlatform Pro, SecuRemote, SecureServer, SecureUpdate, SecureXL, SecureXL Turbocard, Sentivist, SiteManager-1, SmartCenter, SmartCenter Express, SmartCenter Power, SmartCenter Pro, SmartCenter UTM, SmartConsole, SmartDashboard, SmartDefense, SmartDefense Advisor, Smarter Security, SmartLSM, SmartMap, SmartPortal, SmartUpdate, SmartView, SmartView Monitor, SmartView Reporter, SmartView Status, SmartViewTracker, SofaWare, SSL Network Extender, Stateful Clustering, TrueVector, Turbocard, UAM, UserAuthority, User-to-Address Mapping, VPN-1, VPN-1 Accelerator Card, VPN-1 Edge, VPN-1 Express, VPN-1 Express CI, VPN-1 Power, VPN-1 Power VSX, VPN-1 Pro, VPN-1 SecureClient, VPN-1 SecuRemote, VPN-1 SecureServer, VPN-1 UTM, VPN-1 UTM Edge, VPN-1 VSX, Web Intelligence, ZoneAlarm, ZoneAlarm Anti-Spyware, ZoneAlarm Antivirus, ZoneAlarm Internet Security Suite, ZoneAlarm Pro, ZoneAlarm Secure Wireless Router, Zone Labs, and the Zone Labs logo are trademarks or registered trademarks of Check Point Software Technologies Ltd. or its affiliates. ZoneAlarm is a Check Point Software Technologies, Inc. Company.
All other product names mentioned herein are trademarks or registered trademarks of their respective owners. The products described in this document are protected by U.S. Patent No. 5,606,668, 5,835,726, 6,496,935, 6,873,988, and 6,850,943 and may be protected by other U.S. Patents, foreign patents, or pending applications. For third party notices, see: THIRD PARTY TRADEMARKS AND COPYRIGHTS.

Contents

Preface
  Who Should Use This Guide
  Summary of Contents
  Appendices
  Related Documentation
  More Information
  Feedback

Chapter 1 Eventia Reporter
  The Need for Reports
  Eventia Reporter Solution
  Some Basic Concepts and Terminology
  Eventia Reporter — Overview
  Log Consolidation Process
  Eventia Reporter Standard Reports
  Eventia Reporter Express Reports
  Predefined Reports
  Eventia Reporter Considerations
  Eventia Reporter Backward Compatibility
  Standalone vs. Distributed Deployment
  Log Availability vs. Log Storage and Processing
  Log Consolidation Phase Considerations
  Report Generation Phase Considerations
  Eventia Reporter Database Management

Chapter 2 Getting Started
  Starting Eventia Reporter
  Licenses

Chapter 3 How To Use Eventia Reporter
  Quick Start
  How to Generate a Report
  How to Schedule a Report
  How to Customize a Report
  Viewing Report Generation Status
  How to Start and Stop the Log Consolidator Engine
  How to Configure Consolidation Settings and Sessions
  How to Export and Import Database Tables
  How to Configure Database Maintenance Properties
  Eventia Reporter Instructions
  Required Security Policy Configuration
  Express Reports Configuration
  Report Output Location
  Using Accounting Information in Reports
  Additional Settings for Report Generation
  Generating Reports using the Command Line
  Reports based on Log Files not part of the Log File Sequence
  Generating the Same Report using Different Settings
  How to Recover the Eventia Reporter Database
  How to Interpret Report Results whose Direction is “Other”
  How to View Report Results without the Eventia Reporter Client
  How to Upload Reports to a Web Server
  How to Upload Reports to an FTP Server
  How to Distribute Reports with a Custom Report Distribution Script
  How to Improve Performance
  How to Dynamically Update Reports
  How Can I Create a Report in a Single File
  Consolidation Policy Configuration

Chapter 4 Troubleshooting
  Common Scenarios

Appendix A Out of the Box Consolidation Policy
  Overview
  Out of the Box Consolidation Rules

Appendix B Predefined Reports
  Cross Products Security Reports
  Security Reports
  Firewall Security Reports
  Endpoint Security Reports
  Cross Products Network Activity Reports
  Network Activity Reports
  Firewall Network Activity Reports
  VPN Reports
  Connectra Reports
  System Information Reports
  InterSpect Reports
  Anti Virus Reports
  Firewall-1 GX Reports
  Analyzer Reports
  My Reports

Index

Preface

In This Chapter
• Who Should Use This Guide
• Summary of Contents
• Related Documentation
• More Information
• Feedback

Who Should Use This Guide

This guide is intended for administrators responsible for maintaining network security within an enterprise, including policy management and user support. This guide assumes a basic understanding of
• System administration.
• The underlying operating system.
• Internet protocols (IP, TCP, UDP etc.).

Summary of Contents

This guide describes the Eventia Reporter solution for monitoring and auditing traffic. With the features presented in this guide you will learn how to generate detailed or summarized reports in the format of your choice (list, vertical bar, pie chart etc.) for all events logged by Check Point VPN-1 Power, SecureClient and SmartDefense:

Chapter: Description
Chapter 1, “Eventia Reporter”: provides an overview of Eventia Reporter with an in-depth explanation about Log Consolidation reports and the difference between Standard and Express reports.
Chapter 2, “Getting Started”: presents the prerequisites (processes and tools) necessary to begin working with Eventia Reporter (for example, Licenses, etc.).
Chapter 3, “How To Use Eventia Reporter”: provides a step-by-step guide that covers the basic Eventia Reporter operations, information on advanced or specific configuration scenarios and information about the Out of the Box Consolidation Policy.
Chapter 4, “Troubleshooting”: presents frequently asked questions and their solutions.

Appendices

This guide contains the following appendices:

Appendix: Description
Appendix A, “Out of the Box Consolidation Policy”: provides the 13 predefined, Out of the Box Consolidation Policy Rules.
Appendix B, “Predefined Reports”: This appendix describes the predefined reports available under each subject and specifies the report ID required for command line generations.

Related Documentation

The NGX R65 release includes the following documentation:

TABLE P-1 VPN-1 Power documentation suite documentation

Title: Description
Internet Security Product Suite Getting Started Guide: Contains an overview of NGX R65 and step by step product installation and upgrade procedures. This document also provides information about What’s New, Licenses, Minimum hardware and software requirements, etc.
Upgrade Guide: Explains all available upgrade paths for Check Point products from VPN-1/FireWall-1 NG forward. This guide is specifically geared towards upgrading to NGX R65.
SmartCenter Administration Guide: Explains SmartCenter Management solutions. This guide provides solutions for control over configuring, managing, and monitoring security deployments at the perimeter, inside the network, at all user endpoints.
Firewall and SmartDefense Administration Guide: Describes how to control and secure network access; establish network connectivity; use SmartDefense to protect against network and application level attacks; use Web Intelligence to protect web servers and applications; the integrated web security capabilities; use Content Vectoring Protocol (CVP) applications for anti-virus protection, and URL Filtering (UFP) applications for limiting access to web sites; secure VoIP traffic.
Virtual Private Networks Administration Guide: This guide describes the basic components of a VPN and provides the background for the technology that comprises the VPN infrastructure.

[...]

... to use Eventia Reporter

Eventia Reporter Backward Compatibility

Prior to NGX R63 Eventia Reporter was only able to connect to SmartCenter servers of the same version:
• SmartView Reporter R56 with SmartCenter R55 or SmartCenter R55 with R55W add-on
• Eventia Reporter R60 with SmartCenter R60
• Eventia Reporter R60A with SmartCenter R60A
• Eventia Reporter R61 with SmartCenter R61
• Eventia Reporter...

... Eventia Reporter R62 with SmartCenter R62

As of NGX R65 Eventia Reporter is able to connect to all of the above mentioned SmartCenter versions.

Standalone vs. Distributed Deployment

In a standalone deployment, all Eventia Reporter server components (the Log Consolidator Engine, the Eventia Reporter Database and the Eventia Reporter server) are installed on the Check Point...

... much more quickly.

Eventia Reporter Standard Reports are supported by two Clients:
• SmartDashboard Log Consolidator — manages the Log Consolidation rules
• Eventia Reporter Client — generates and manages reports

Figure 1-3 illustrates the Eventia Reporter architecture for Standard Reports:

Figure 1-3 Eventia Reporter Standard Report Architecture

Eventia Reporter Solution...

... the Eventia Reporter

Eventia Reporter — Overview

Check Point Eventia Reporter delivers a user-friendly solution for monitoring and auditing traffic. You can generate detailed or summarized reports in the format of your choice (list, vertical bar, pie chart etc.) for all events logged by Check Point VPN-1 Power, SecureClient and SmartDefense. Eventia...

... reports, My Reports

Eventia Reporter Considerations

In This Section
• Eventia Reporter Backward Compatibility
• Standalone vs. Distributed Deployment
• Log Availability vs. Log Storage and Processing
• Log Consolidation Phase Considerations
• Report Generation Phase Considerations

Eventia Reporter’s default options...

... the Eventia Reporter Client to use the table most relevant to your query, thereby improving the Eventia Reporter Server’s performance. In addition, dividing records between tables facilitates managing the Eventia Reporter Database: you can delete outdated tables, export tables you are not currently using to a location outside of the Eventia Reporter Database and import them back when you need them. Eventia...

... latest version of this document in the User Center at http://www.checkpoint.com/support/technical/documents

Feedback

Check Point is engaged in a continuous effort to improve its documentation. Please help us by sending your comments to: cp_techpub_feedback@checkpoint.com

Chapter 1 Eventia Reporter

In This Chapter
• The Need for Reports
• Eventia Reporter Solution
• Eventia...

... latter overrides the former.

Report output (Email, FTP Upload, Web Upload, Custom)

All report results are displayed on your screen and saved to the Eventia Reporter Server. By default, the report is saved in HTML output in an index.htm file; and in CSV (Comma Separated Values) format in a tables.csv file. The HTML file includes descriptions and...

... efficient tool for gathering the relevant information and displaying it in a clear and accurate format.

Eventia Reporter Solution

In This Section
• Some Basic Concepts and Terminology
• Eventia Reporter — Overview
• Log Consolidation Process
• Eventia Reporter Standard Reports
• Predefined Reports

Some Basic Concepts and Terminology
• Automatic...

... consolidating log files close to the time of their creation will improve address-resolving accuracy.

Eventia Reporter Standard Reports

The Log Consolidation process results in a database of the most useful, relevant records, known as the Eventia Reporter Database. The information is consolidated to an optimal level, balancing the need for data availability ...

Date posted: 22/12/2013, 14:16
