
  • 7/31/2019 Checkpoint NGX Even Ti Are Porter

    1/90

    Eventia Reporter

    NGX (R60)

For additional technical information about Check Point products, consult Check Point's SecureKnowledge at:

    https://secureknowledge.checkpoint.com

    See the latest version of this document in the User Center at:

    http://www.checkpoint.com/support/technical/documents/docs_r60.html

    Part No.: 701312

    May 2005


Check Point Software Technologies Ltd.
U.S. Headquarters: 800 Bridge Parkway, Redwood City, CA 94065, Tel: (650) 628-2000 Fax: (650) 654-4233, [email protected]
Headquarters: 3A Jabotinsky Street, Ramat Gan, 52520, Israel, Tel: 972-3-753 4555 Fax: 972-3-575 9256, http://www.checkpoint.com

© 2003-2005 Check Point Software Technologies Ltd.

All rights reserved. This product and related documentation are protected by copyright and distributed under licensing restricting their use, copying, distribution, and decompilation. No part of this product or related documentation may be reproduced in any form or by any means without prior written authorization of Check Point. While every precaution has been taken in the preparation of this book, Check Point assumes no responsibility for errors or omissions. This publication and features described herein are subject to change without notice.

    RESTRICTED RIGHTS LEGEND:

Use, duplication, or disclosure by the government is subject to restrictions as set forth in subparagraph (c)(1)(ii) of the Rights in Technical Data and Computer Software clause at DFARS 252.227-7013 and FAR 52.227-19.

    TRADEMARKS:

© 2003-2005 Check Point Software Technologies Ltd. All rights reserved.

Check Point, Application Intelligence, Check Point Express, the Check Point logo, AlertAdvisor, ClusterXL, Cooperative Enforcement, ConnectControl, Connectra, CoSa, Cooperative Security Alliance, Eventia, Eventia Analyzer, FireWall-1, FireWall-1 GX, FireWall-1 SecureServer, FloodGate-1, Hacker ID, IMsecure, INSPECT, INSPECT XL, Integrity, InterSpect, IQ Engine, Open Security Extension, OPSEC, Policy Lifecycle Management, Provider-1, Safe@Home, Safe@Office, SecureClient, SecureKnowledge, SecurePlatform, SecuRemote, SecureXL Turbocard, SecureServer, SecureUpdate, SecureXL, SiteManager-1, SmartCenter, SmartCenter Pro, Smarter Security, SmartDashboard, SmartDefense, SmartLSM, SmartMap, SmartUpdate, SmartView, SmartView Monitor, SmartView Reporter, SmartView Status, SmartView Tracker, SofaWare, SSL Network Extender, Stateful Clustering, TrueVector, Turbocard, UAM, User-to-Address Mapping, UserAuthority, VPN-1, VPN-1 Accelerator Card, VPN-1 Edge, VPN-1 Pro, VPN-1 SecureClient, VPN-1 SecuRemote, VPN-1 SecureServer, VPN-1 VSX, VPN-1 XL, Web Intelligence, ZoneAlarm, ZoneAlarm Pro, Zone Labs, and the Zone Labs logo, are trademarks or registered trademarks of Check Point Software Technologies Ltd. or its affiliates. All other product names mentioned herein are trademarks or registered trademarks of their respective owners. The products described in this document are protected by U.S. Patent No. 5,606,668, 5,835,726, 6,496,935 and 6,850,943 and may be protected by other U.S. Patents, foreign patents, or pending applications.

    THIRD PARTIES:

Entrust is a registered trademark of Entrust Technologies, Inc. in the United States and other countries. Entrust's logos and Entrust product and service names are also trademarks of Entrust Technologies, Inc. Entrust Technologies Limited is a wholly owned subsidiary of Entrust Technologies, Inc. FireWall-1 and SecuRemote incorporate certificate management technology from Entrust.

Verisign is a trademark of Verisign Inc.

The following statements refer to those portions of the software copyrighted by University of Michigan. Portions of the software copyright © 1992-1996 Regents of the University of Michigan. All rights reserved. Redistribution and use in source and binary forms are permitted provided that this notice is preserved and that due credit is given to the University of Michigan at Ann Arbor. The name of the University may not be used to endorse or promote products derived from this software without specific prior written permission. This software is provided as is without express or implied warranty.

Copyright © Sax Software (terminal emulation only).

The following statements refer to those portions of the software copyrighted by Carnegie Mellon University.

Copyright 1997 by Carnegie Mellon University. All Rights Reserved.

Permission to use, copy, modify, and distribute this software and its documentation for any purpose and without fee is hereby granted, provided that the above copyright notice appear in all copies and that both that copyright notice and this permission notice appear in supporting documentation, and that the name of CMU not be used in advertising or publicity pertaining to distribution of the software without specific, written prior permission. CMU DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE, INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS, IN NO EVENT SHALL CMU BE LIABLE FOR ANY SPECIAL, INDIRECT OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.

The following statements refer to those portions of the software copyrighted by The Open Group.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE OPEN GROUP BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

The following statements refer to those portions of the software copyrighted by The OpenSSL Project. This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.openssl.org/).

THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

The following statements refer to those portions of the software copyrighted by Eric Young. THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

Copyright © 1998 The Open Group.

The following statements refer to those portions of the software copyrighted by Jean-loup Gailly and Mark Adler. Copyright (C) 1995-2002 Jean-loup Gailly and Mark Adler. This software is provided 'as-is', without any express or implied warranty. In no event will the authors be held liable for any damages arising from the use of this software. Permission is granted to anyone to use this software for any purpose, including commercial applications, and to alter it and redistribute it freely, subject to the following restrictions:

1. The origin of this software must not be misrepresented; you must not claim that you wrote the original software. If you use this software in a product, an acknowledgment in the product documentation would be appreciated but is not required.

2. Altered source versions must be plainly marked as such, and must not be misrepresented as being the original software.

3. This notice may not be removed or altered from any source distribution.

The following statements refer to those portions of the software copyrighted by the Gnu Public License. This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received a copy of the GNU General Public License along with this program; if not, write to the Free Software Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.

The following statements refer to those portions of the software copyrighted by Thai Open Source Software Center Ltd and Clark Cooper. Copyright (c) 2001, 2002 Expat maintainers. Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions: The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software. THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

GDChart is free for use in your applications and for chart generation. YOU MAY NOT re-distribute or represent the code as your own. Any re-distributions of the code MUST reference the author, and include any and all original documentation. Copyright. Bruce Verderaime. 1998, 1999, 2000, 2001. Portions copyright 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002 by Cold Spring Harbor Laboratory. Funded under Grant P41-RR02188 by the National Institutes of Health. Portions copyright 1996, 1997, 1998, 1999, 2000, 2001, 2002 by Boutell.Com, Inc. Portions relating to GD2 format copyright 1999, 2000, 2001, 2002 Philip Warner. Portions relating to PNG copyright 1999, 2000, 2001, 2002 Greg Roelofs. Portions relating to gdttf.c copyright 1999, 2000, 2001, 2002 John Ellson ([email protected]). Portions relating to gdft.c copyright 2001, 2002 John Ellson ([email protected]). Portions relating to JPEG and to color quantization copyright 2000, 2001, 2002, Doug Becker and copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, Thomas G. Lane. This software is based in part on the work of the Independent JPEG Group. See the file README-JPEG.TXT for more information. Portions relating to WBMP copyright 2000, 2001, 2002 Maurice Szmurlo and Johan Van den Brande. Permission has been granted to copy, distribute and modify gd in any context without fee, including a commercial application, provided that this notice is present in user-accessible supporting documentation. This does not affect your ownership of the derived work itself, and the intent is to assure proper credit for the authors of gd, not to interfere with your productive use of gd. If you have questions, ask. "Derived works" includes all programs that utilize the library. Credit must be given in user-accessible documentation. This software is provided "AS IS." The copyright holders disclaim all warranties, either express or implied, including but not limited to implied warranties of merchantability and fitness for a particular purpose, with respect to this code and accompanying documentation. Although their code does not appear in gd 2.0.4, the authors wish to thank David Koblas, David Rowley, and Hutchison Avenue Software Corporation for their prior contributions.

Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0

    The curl license

COPYRIGHT AND PERMISSION NOTICE

Copyright (c) 1996 - 2004, Daniel Stenberg. All rights reserved.

Permission to use, copy, modify, and distribute this software for any purpose with or without fee is hereby granted, provided that the above copyright notice and this permission notice appear in all copies.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

Except as contained in this notice, the name of a copyright holder shall not be used in advertising or otherwise to promote the sale, use or other dealings in this Software without prior written authorization of the copyright holder.

    The PHP License, version 3.0

    Copyright (c) 1999 - 2004 The PHP Group. All rights reserved.

Redistribution and use in source and binary forms, with or without modification, is permitted provided that the following conditions are met:

1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.

2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.

3. The name "PHP" must not be used to endorse or promote products derived from this software without prior written permission. For written permission, please [email protected].

4. Products derived from this software may not be called "PHP", nor may "PHP" appear in their name, without prior written permission from [email protected]. You may indicate that your software works in conjunction with PHP by saying "Foo for PHP" instead of calling it "PHP Foo" or "phpfoo".

5. The PHP Group may publish revised and/or new versions of the license from time to time. Each version will be given a distinguishing version number. Once covered code has been published under a particular version of the license, you may always continue to use it under the terms of that version. You may also choose to use such covered code under the terms of any subsequent version of the license published by the PHP Group. No one other than the PHP Group has the right to modify the terms applicable to covered code created under this License.

6. Redistributions of any form whatsoever must retain the following acknowledgment:

"This product includes PHP, freely available from ".

THIS SOFTWARE IS PROVIDED BY THE PHP DEVELOPMENT TEAM ``AS IS'' AND ANY EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE PHP DEVELOPMENT TEAM OR ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

This software consists of voluntary contributions made by many individuals on behalf of the PHP Group. The PHP Group can be contacted via Email at [email protected].

    For more information on the PHP Group and the PHP project, please see . This product includes the Zend Engine, freely available at .

    This product includes software written by Tim Hudson ([email protected]).

    Copyright (c) 2003, Itai Tzur

    All rights reserved.

Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:

Redistribution of source code must retain the above copyright notice, this list of conditions and the following disclaimer.

Neither the name of Itai Tzur nor the names of other contributors may be used to endorse or promote products derived from this software without specific prior written permission.

THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

Copyright (c) 1998, 1999, 2000 Thai Open Source Software Center Ltd

Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions: The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

    Copyright 2003, 2004 NextHop Technologies, Inc. All rights reserved.

    Confidential Copyright Notice

Except as stated herein, none of the material provided as a part of this document may be copied, reproduced, distributed, republished, downloaded, displayed, posted or transmitted in any form or by any means, including, but not limited to, electronic, mechanical, photocopying, recording, or otherwise, without the prior written permission of NextHop Technologies, Inc. Permission is granted to display, copy, distribute and download the materials in this document for personal, non-commercial use only, provided you do not modify the materials and that you retain all copyright and other proprietary notices contained in the materials unless otherwise stated. No material contained in this document may be "mirrored" on any server without written permission of NextHop. Any unauthorized use of any material contained in this document may violate copyright laws, trademark laws, the laws of privacy and publicity, and communications regulations and statutes. Permission terminates automatically if any of these terms or conditions are breached. Upon termination, any downloaded and printed materials must be immediately destroyed.

Trademark Notice

The trademarks, service marks, and logos (the "Trademarks") used and displayed in this document are registered and unregistered Trademarks of NextHop in the US and/or other countries. The names of actual companies and products mentioned herein may be Trademarks of their respective owners. Nothing in this document should be construed as granting, by implication, estoppel, or otherwise, any license or right to use any Trademark displayed in the document. The owners aggressively enforce their intellectual property rights to the fullest extent of the law. The Trademarks may not be used in any way, including in advertising or publicity pertaining to distribution of, or access to, materials in this document, including use, without prior, written permission. Use of Trademarks as a "hot" link to any website is prohibited unless establishment of such a link is approved in advance in writing. Any questions concerning the use of these Trademarks should be referred to NextHop at U.S. +1 734 222 1600.

    U.S. Government Restricted Rights

The material in this document is provided with "RESTRICTED RIGHTS." Software and accompanying documentation are provided to the U.S. government ("Government") in a transaction subject to the Federal Acquisition Regulations with Restricted Rights. The Government's rights to use, modify, reproduce, release, perform, display or disclose are restricted by paragraph (b)(3) of the Rights in Noncommercial Computer Software and Noncommercial Computer Software Documentation clause at DFAR 252.227-7014 (Jun 1995), and the other restrictions and terms in paragraph (g)(3)(i) of Rights in Data-General clause at FAR 52.227-14, Alternative III (Jun 87) and paragraph (c)(2) of the Commercial Computer Software-Restricted Rights clause at FAR 52.227-19 (Jun 1987).

Use of the material in this document by the Government constitutes acknowledgment of NextHop's proprietary rights in them, or that of the original creator. The Contractor/Licensor is NextHop located at 1911 Landings Drive, Mountain View, California 94043. Use, duplication, or disclosure by the Government is subject to restrictions as set forth in applicable laws and regulations.

Warranty Disclaimer

THE MATERIAL IN THIS DOCUMENT IS PROVIDED "AS IS" WITHOUT WARRANTIES OF ANY KIND EITHER EXPRESS OR IMPLIED. TO THE FULLEST EXTENT POSSIBLE PURSUANT TO THE APPLICABLE LAW, NEXTHOP DISCLAIMS ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, NON INFRINGEMENT OR OTHER VIOLATION OF RIGHTS. NEITHER NEXTHOP NOR ANY OTHER PROVIDER OR DEVELOPER OF MATERIAL CONTAINED IN THIS DOCUMENT WARRANTS OR MAKES ANY REPRESENTATIONS REGARDING THE USE, VALIDITY, ACCURACY, OR RELIABILITY OF, OR THE RESULTS OF THE USE OF, OR OTHERWISE RESPECTING, THE MATERIAL IN THIS DOCUMENT.

Limitation of Liability

UNDER NO CIRCUMSTANCES SHALL NEXTHOP BE LIABLE FOR ANY DIRECT, INDIRECT, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES, INCLUDING, BUT NOT LIMITED TO, LOSS OF DATA OR PROFIT, ARISING OUT OF THE USE, OR THE INABILITY TO USE, THE MATERIAL IN THIS DOCUMENT, EVEN IF NEXTHOP OR A NEXTHOP AUTHORIZED REPRESENTATIVE HAS ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. IF YOUR USE OF MATERIAL FROM THIS DOCUMENT RESULTS IN THE NEED FOR SERVICING, REPAIR OR CORRECTION OF EQUIPMENT OR DATA, YOU ASSUME ANY COSTS THEREOF. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF INCIDENTAL OR CONSEQUENTIAL DAMAGES, SO THE ABOVE LIMITATION OR EXCLUSION MAY NOT FULLY APPLY TO YOU.

    Copyright ComponentOne, LLC 1991-2002. All Rights Reserved.

    BIND: ISC Bind (Copyright (c) 2004 by Internet Systems Consortium, Inc. ("ISC"))

    Copyright 1997-2001, Theo de Raadt: the OpenBSD 2.9 Release


    Table Of Contents

Chapter 1 Getting Started
Installing Eventia Reporter 7
Overview 7
Standalone Installation 9
Distributed Installation 10
Installing Eventia Reporter with Provider-1/SiteManager-1 MDS 23
Starting Eventia Reporter 25
Licenses 30

Chapter 2 Eventia Reporter
The Need for Reports 31
Eventia Reporter Solution 32
Some Basic Concepts and Terminology 32
Eventia Reporter Overview 33
Log Consolidation Process 35
Eventia Reporter Standard Reports 36
Eventia Reporter Express Reports 37
Predefined Reports 38
Eventia Reporter Considerations 39
Standalone vs. Distributed Deployment 40
Log Availability vs. Log Storage and Processing 40
Log Consolidation Phase Considerations 40
Report Generation Phase Considerations 42
Eventia Reporter Database Management 44

Chapter 3 How To
Quick Start 49
How to Generate a Report 49
How to Customize a Report 51
How to View and Collect Information about the Status of Report Generation 52
How to Start and Stop the Log Consolidator Engine 54
How to Configure Consolidation Settings and Sessions 55
How to Export and Import Database Tables 58
How to Configure Database Maintenance Properties 59
Eventia Reporter Instructions 61
Required Security Policy Configuration 61
Express Reports Configuration 62
Using Accounting Information in Reports 62
Report Output Location 63
Additional Settings for Report Generation 64
Generating Reports using the Command Line 64
How to Generate Reports based on Log Files that are not part of the Log File Sequence 65
How to Schedule Generations of the Same Report using Different Settings (a Different Output or Style) 65
How to Recover the Eventia Reporter Database 65
How to Interpret Report Results whose Direction is Other 66
How to View Report Results without the Eventia Reporter Client 66
How to Upload Reports to a Web Server 66
How to Upload Reports to an FTP Server 68
How to Distribute Reports with a Custom Report Distribution Script 68
How to Improve Performance 69
Consolidation Policy Configuration 72

Chapter 4 Troubleshooting

Chapter 5 Out_of_the_box Consolidation Policy
Overview 77
Out_of_the_box Consolidation Rules 78

Chapter 6 Predefined Reports
Security Reports 81
Network Activity Reports 82
VPN-1 Pro Reports 85
System Information Reports 86
InterSpect 87
Firewall-1 GX Reports 88
My Reports 88

Index 89


CHAPTER 1

Getting Started

In This Chapter
Installing Eventia Reporter page 7
Starting Eventia Reporter page 25
Licenses page 30

Installing Eventia Reporter

In This Section
Overview page 7
Standalone Installation page 9
Distributed Installation page 10
Installing Eventia Reporter with Provider-1/SiteManager-1 MDS page 23

Overview

Eventia Reporter can be installed in either a Standalone installation or a Distributed installation:

SmartCenter Standalone installation: Eventia Reporter is installed on the SmartCenter Server machine.

SmartCenter Distributed installation: Eventia Reporter is installed on a machine dedicated to reporting purposes. In addition, the Eventia Reporter Add-On is installed on the SmartCenter Server or a Provider-1/SiteManager-1 machine. The add-on contains data files with report definitions.

A distributed installation requires establishing Secure Internal Communication (SIC) between the two machines. The distributed installation is recommended, since it provides better performance.

Performance Tips

To maximize the performance of your Eventia Reporter Server, follow these guidelines:

Hardware Recommendations for SmartCenter and Provider-1/SiteManager-1

Use a computer that matches the minimum hardware requirements, as specified in the Release Notes at: http://www.checkpoint.com/techsupport/downloads.jsp

Configure the network connection between the Eventia Reporter Server machine and the SmartCenter, or the Log server, to the optimal speed.

Use the fastest disk available with the highest RPM (Revolutions per Minute) and a large buffer size.

Adjust the database configuration file and consolidation memory buffers to use the additional memory.

Increase the database and log disk size (for example, several gigabytes) to enable the Eventia Reporter to cache information for better report generation performance. If a report requires additional space for caching, it will be noted in the report's Generation Information section. The Generation Information section can be found in Appendix A > View generation information of the report result.

Installation

Choose a distributed configuration, dedicating a computer to Consolidation and Report generation operations only.

Supported Platforms

Windows, Solaris and Linux platforms support both standalone and distributed installations.

Nokia platforms support only Eventia Reporter Add-On Installation in a distributed configuration.

Linux and Nokia platforms do not support a Standalone Installation or an Eventia Reporter server installation in a distributed configuration.

Note - If you expect Eventia Reporter to read logs from a distributed log server, the database must be installed on the log server after the Eventia Reporter installation is complete.

Standalone Installation

In This Section
Windows Platform page 9
Solaris / Linux Platform page 10
SecurePlatform page 10

Windows Platform

1 In order to begin the installation, login as an Administrator and launch the Wrapper by double-clicking on the setup executable.

2 Select the products that you would like to install. The following components represent the minimum standalone component requirements for Eventia Reporter:

SmartCenter
SmartConsole
Eventia Reporter

FIGURE 1-1 Standalone Deployment - for Windows

Depending on the components that you have chosen to install, you may need to take additional steps before reaching step 3.

3 Verify the default directory, or browse to a new location in which Eventia Reporter will be installed.

4 Select Local Eventia Reporter Installation in order to install Eventia Reporter on the local machine.

5 Verify the default directory, or browse to a new location in which the output files created by Eventia Reporter will be generated.

Click Next and reboot the machine in order to complete the installation of the Eventia Reporter and to continue with the next phase of the installation.

6 Launch SmartDashboard.

7 Install the Security Policy (Policy > Install) or install the database (Policy > Install Database) in order to make the Eventia Reporter fully functional.

    Solaris / Linux Platform

    1 In order to begin the installation, mount the CD on the relevant subdirectory and launch the wrapper as follows:

    2 In the mounted directory, run the script UnixInstallScript.

    3 Read the End-User License Agreement (EULA) and, if you accept it, click Yes.

    4 Select whether you would like to perform an upgrade or create a new installation.

    5 Continue from step 2 on page 9 in order to complete the process.

    SecurePlatform

    1 After you install SecurePlatform from the CD, select the Eventia Reporter product from cpconfig or from the SecurePlatform Web GUI.

    2 Select whether you would like to perform an upgrade or create a new installation.

    3 Continue from step 2 on page 9 in order to complete the process.

    Distributed Installation

    In a distributed installation, Eventia Reporter is installed on a different machine from that of the SmartCenter server.


    In This Section

    Windows Platform page 11
    Solaris / Linux / SecurePlatform page 16
    Nokia IPSO page 18

    Windows Platform

    This installation process consists of three phases:

    Install Eventia Reporter

    Install SmartCenter and the Eventia Reporter Add-On

    Prepare Eventia Reporter in SmartCenter

    Phase 1 - Installing the Eventia Reporter

    1 Select Eventia Reporter and SmartConsole (optionally) for installation.


    Note - Although SmartConsole does not have to be installed on this machine, if it is, you have direct UI access to the SmartCenter server from this machine, thereby simplifying the final installation steps.


    FIGURE 1-2 Distributed deployment - for Windows

    Depending on the components that you have chosen to install, you may need to take additional steps (such as installing other components and/or license management) before reaching step 2.

    2 Verify the default directory, or browse to a new location in which Eventia Reporter will be installed.

    3 Select a folder in which the output files created by Eventia Reporter will be generated.

    Depending on the components that you have chosen to install, you may need to take additional steps before reaching step 4.

    4 Enter the Activation Key in the specified fields. Remember the key; you will need to enter it at a later stage.

    Click Finish in order to complete the installation of the Eventia Reporter.


    FIGURE 1-3 SIC activation

    Phase 2 - Installing SmartCenter and the Eventia Reporter Add-On

    SmartCenter installation is described in the Getting Started guide. Only the portion that is related to Eventia Reporter is discussed in this section.

    5 Install the SmartCenter server on a separate machine by selecting SmartCenter and Eventia Reporter, so that the Eventia Reporter Add-on is also installed during the SmartCenter installation.


    FIGURE 1-4 Installing SmartCenter and the Eventia Reporter Add-On on a Windows Platform

    6 During the SmartCenter installation a window is displayed in which you will be prompted to select the Eventia Reporter Setup Type. Select Eventia Reporter SmartCenter Add-on so that SmartCenter can connect to the distributed Eventia Reporter.

    7 Reboot the machine in order to complete the installation.

    Phase 3 - Preparing Eventia Reporter in SmartCenter

    8 Launch SmartDashboard. (SmartDashboard is installed during the SmartConsole installation.)

    9 Create a new host for the Eventia Reporter machine.

    Note - If SmartCenter and Eventia Reporter are installed on either side of a firewall, a rule needs to be added in the firewall to enable SIC communication.


    FIGURE 1-5 Create New Eventia Reporter Host

    10 In the General Properties window, select Eventia Reporter. Then click the Communication button.

    FIGURE 1-6 Selecting the Reporter Property

    11 Enter the Activation Key that was created in step 4 during the Eventia Reporter installation.


    12 After activating the Eventia Reporter host, install the Security Policy (Policy > Install) or install the database (Policy > Install Database) in order to make the Eventia Reporter fully functional.

    FIGURE 1-7 Enter the Activation Key

    Solaris / Linux / SecurePlatform

    This installation process consists of three phases:

    Install the Eventia Reporter
    Install SmartCenter and the Eventia Reporter Add-On
    Preparing Eventia Reporter in SmartCenter

    Phase 1 - Installing the Eventia Reporter

    1 Select Eventia Reporter and SmartConsole (optionally) for installation.


    FIGURE 1-8 Standalone Deployment - for Solaris

    Depending on the components that you have chosen to install, you may need to take additional steps before reaching step 3.

    2 Select a folder in which the output files created by Eventia Reporter will be generated.

    FIGURE 1-9 Solaris - default directory


    Depending on the components that you have chosen to install, you may need to take additional steps before reaching step 3.

    3 Enter the Activation Key in the specified fields. Remember the key; you will need to enter it at a later stage.

    Click Finish to complete the installation of the Eventia Reporter.

    FIGURE 1-10 Solaris Activation Key

    4 In order to complete the installation, continue from Phase 2 - Installing SmartCenter and the Eventia Reporter Add-On on page 13.

    Nokia IPSO

    Nokia IPSO only supports the Eventia Reporter Add-On. For details on installing the Eventia Reporter machine, refer to Phase 1 - Installing the Eventia Reporter on page 11.

    Installing the SmartCenter Machine and the Eventia Reporter Add-On

    SmartCenter installation is described in its own document. Only the portion that is related to Eventia Reporter is discussed here.

    1 After installing Check Point IPSO packages, reboot the machine and run cpconfig.

    Note - Although the interface is different, the installation process performed on a Windows platform is the same as the installation process performed on a Solaris platform.


    FIGURE 1-11 Installing Check Point IPSO Packages

    2 Log in to IPSO Voyager from a web browser.

    FIGURE 1-12 Login to Voyager

    3 Select Config to enter the Voyager Configuration screen.


    FIGURE 1-13 Click Config to enter the Configuration screen.

    4 In the Configuration screen, select Manage Installed Packages.


    FIGURE 1-14 Select Manage Installed Packages

    5 Make sure that Eventia Reporter NGX R60 (and any other relevant packages) are set to On and click Apply.


    FIGURE 1-15 Activate Eventia Reporter and other relevant packages

    6 After clicking Apply, click Save.

    7 From a command-line terminal on the IPSO machine:

    Log out and then log in to the system.

    Run rmdstart.

    8 Reboot the machine.

    9 In order to complete the installation, continue from Phase 3 - Preparing Eventia Reporter in SmartCenter on page 14.


    Installing Eventia Reporter with Provider-1/SiteManager-1 MDS

    To expand the reporting abilities of Provider-1, Eventia Reporter can produce reports for customer modules (version NGX R60).

    Phase 1: Installing the Eventia Reporter

    1 Install Eventia Reporter Server from the Check Point NGX R60 CD on a dedicated machine different from the MDS. (This is a distributed installation.) Refer to Distributed Installation on page 10.

    Phase 2 - Installing Eventia Reporter Add-On on Provider-1/SiteManager-1 MDS

    2 Install a complementary package, the Eventia Reporter Add-on, on an MDS. To do so, run SVRSetup, the SVR installation script for Provider-1, using the following commands:

    cd $MDSDIR/scripts
    ./SVRSetup install

    3 In a multi-MDS environment, the Eventia Reporter Add-on should be installed on the same MDS that issued the certificate for the Eventia Reporter Server. The Eventia Reporter Client should also connect to this MDS.

    4 The SVRSetup installation script will ask if you want to stop the MDS. Answer yes.

    5 After the installation script is finished, the SVRSetup installation script will ask if you want to start the MDS. Answer yes.

    Phase 3 - Preparing Eventia Reporter in Provider-1/SiteManager-1 MDS

    6 From the MDG, open the Global Policy SmartDashboard, and create a new Check Point host. Define it as the Eventia Reporter Server object. It will represent the Eventia Reporter Server installed in step 1.

    7 Establish SIC between the MDS and Eventia Reporter Server.

    8 Click Save.


    9 Eventia Reporter Server can connect to the CMA only after the Global Policy is assigned to the customer, and the Global Eventia Reporter object appears in the CMA database.

    a) Select Global Policies.

    b) Right-click the relevant customer.

    c) Select Assign/Install Global Policy....

    d) Select the relevant policy.

    e) Click OK.

    10 Install the database on each log server to allow Eventia Reporter to read its logs:

    a) Select General.

    b) Right-click the relevant log servers and launch SmartDashboard.

    c) In SmartDashboard select Policy > Install Database....

    11 Define the machine that runs Eventia Reporter client as a Provider-1 GUI client.

    12 Launch the Eventia Reporter Client via the MDG.

    a) In Provider-1 select General > Manage > Launch Eventia Reporter....

    13 Define Log Consolidation sessions.

    Note - If the Customer is set to Assign only Global Objects that are used in the assigned Global Policy (the selective assignment mode of Global objects), then the Eventia Reporter Server object should be referred to in the assigned Global Policy.


    Starting Eventia Reporter

    To start Eventia Reporter, proceed as follows:

    1 Launch the Eventia Reporter Client (FIGURE 1-16).

    FIGURE 1-16 Eventia Reporter Client Report View

    2 Display the Management Selection Bar view and verify that logs are indeed being consolidated and saved to the Eventia Reporter Database if consolidation is being performed.


    FIGURE 1-17 Eventia Reporter Client Management View - Consolidation

    The status "processing logs" indicates that the log consolidator is working properly. If you do not see anything in this screen, proceed to defining a consolidation session, as explained in How to Configure Consolidation Settings and Sessions on page 55.


    FIGURE 1-18 Eventia Reporter Client Management View - Database Maintenance

    3 Go back to the Reports view (FIGURE 1-16 on page 25) and ensure that you select the database tables for which to generate the report, as well as a report time frame. Then generate the Network Activity report by selecting it in the Report Tree and clicking in the toolbar.

    4 To follow the progress of the report generation, display the Results view.

    After a brief delay, the Network Activity report result is displayed through your browser (FIGURE 1-19 on page 28). You may get an empty report if the consolidator did not commit any data into the database yet. It may take up to an hour before you can first see results in the reports you produce.


    FIGURE 1-19 Example Standard Network Activity Report Result

    5 Click a section title to view the results in question. The section's results are displayed in either a graph unit, a table unit or both types of units.

    FIGURE 1-20 on page 29 shows example results of section 2, Network Activity by Date, in both a graph unit and a table unit.

    (FIGURE 1-19 callouts: Report Title; Report Description; Sections (Hyperlinks); Report Time Frame, Log Sources & Generation Time)


    FIGURE 1-20 Example Standard Network Activity by Date Section Graph and Table Formats


    Licenses

    Licenses are installed on the SmartCenter/MDS Server on a per-gateway basis and a per-CMA basis.

    When the license is installed on a per-gateway basis, the user must select the gateways for which reports are generated. With Provider-1, select the customers instead of selecting the gateways.

    If you have three gateways and bought three licenses, you do not have to select the gateways, because the system knows you have only three, which is the right amount. But if you have 4 gateways and three licenses, you have to choose the gateways to which each license belongs.

    Up to 5 VPN-1 Edge devices are considered as a single gateway. Beyond 5, each VPN-1 Edge gateway is counted as an individual gateway.


    CHAPTER 2

    Eventia Reporter

    In This Chapter

    The Need for Reports page 31
    Eventia Reporter Solution page 32
    Eventia Reporter Considerations page 39
    Eventia Reporter Database Management page 44

    The Need for Reports

    To manage your network effectively and to make informed decisions, you need to gather information on the network's traffic patterns. There is a wide range of issues you may need to address, depending on your organization's specific needs:

    As a Check Point customer, you may wish to check if your expectations of the products are indeed met.

    From a security point of view, you may be looking for suspicious activities, illegal services, blocked connections or events that generated alerts.

    As a system administrator, you may wish to sort the Security Policy based on how often each Rule is matched, and delete obsolete Rules that are never matched.

    You may be looking for general network activity information, for purposes such as capacity planning.

    From the corporate identity and values perspective, you may want to ensure your employees' surfing (such as the web sites they access) complies with your company's policy.

    From a sales and marketing point of view, you may wish to identify the most and the least visited pages on your website or your most and least active customers.



    To address these issues, you need an efficient tool for gathering the relevant information and displaying it in a clear, accurate format.

    Eventia Reporter Solution

    In This Section

    Some Basic Concepts and Terminology page 32
    Eventia Reporter Overview page 33
    Log Consolidation Process page 35
    Eventia Reporter Standard Reports page 36
    Predefined Reports page 38

    Some Basic Concepts and Terminology

    Automatic Maintenance - the process of automatically deleting and/or archiving older database records into a backup file.

    Consolidation - the process of reading logs, combining instances with the same key information to compress data and writing it to the database.

    Consolidation Policy - the rules that determine which logs the consolidator will accept and how to consolidate them. We recommend that you use the out-of-the-box policy without change.

    Consolidation Session - an instance of the consolidation process. There can be one active session for every log server, up to 5 sessions.

    Express Reports - reports based on the SmartView Monitor counters and the Activity Log. These reports are not as flexible as standard reports but are generated quickly.

    Log Sequence - the series of log files as specified by fw.logtrack. When a log switch is performed, the log file is recorded in the sequence of files. The log consolidator can follow this sequence.

    Report - a high-level view of combined log information that provides meaning to users. Reports are comprised of sections.

    Standard Reports - reports based on consolidated logs.

    $RTDIR - the installation directory of the Eventia Reporter.



    Eventia Reporter Overview

    Check Point Eventia Reporter delivers a user-friendly solution for monitoring and auditing traffic. You can generate detailed or summarized reports in the format of your choice (list, vertical bar, pie chart etc.) for all events logged by Check Point VPN-1 Pro, SecureClient and SmartDefense.

    Eventia Reporter implements a Consolidation Policy, which goes over your original, raw log file, compresses similar events and writes the compressed list of events into a relational database (the Eventia Reporter Database). This smart database enables quick and efficient generation of a wide range of reports. The Eventia Reporter solution provides a balance between keeping the smallest report database possible and retaining the most vital information with the most flexibility.

    A Consolidation Policy is similar to a Security Policy in terms of its structure and management. For example, both Rule Bases are defined through the SmartDashboard's Rules menu and use the same network objects. In addition, just as Security Rules determine whether to allow or deny the connections that match them, Consolidation Rules determine whether to store or ignore the logs that match them. The key difference is that a Consolidation Policy is based on logs, as opposed to connections, and has no bearing on security issues.

    FIGURE 2-1 illustrates the Consolidation process, defined by the Consolidation Policy. After the VPN-1 Pro Modules send their logs to the SmartCenter Server, the Log Consolidator Engine collects them, scans them, filters out fields defined as irrelevant, merges records defined as similar and saves them to the Eventia Reporter Database.

    FIGURE 2-1 Log Consolidation Process

    The Eventia Reporter Server can then extract the consolidated records matching a specific report definition from the Eventia Reporter Database and present them in a report layout (FIGURE 2-2):


    The interaction between the Eventia Reporter Client and Server components applies both to a distributed installation (as shown in FIGURE 2-3), where the SmartCenter Server and Eventia Reporter's Server components are installed on two different machines, and to a standalone installation, in which these products are installed on the same machine.

    Log Consolidation Process

    It is recommended to use the SmartView Log Consolidator's predefined Consolidation Policy, the out_of_the_box Policy, designed to filter out irrelevant logs and store the most commonly requested ones (such as blocked connection, alert or web activity logs). The Log Consolidator Engine scans the Consolidation Rules sequentially and processes each log according to the first Rule it matches.

    FIGURE 2-4 illustrates how the Consolidation Policy processes logs: when a log matches a Consolidation Rule, it is either ignored or stored. If it is ignored, no record of this log is saved in the Eventia Reporter system, so its data is not available for report generation. If it is stored, it is either saved as is (so all log fields can later be represented in reports), or consolidated to the level specified by the Rule.

    FIGURE 2-4 Log Process Chart

    The Consolidation is performed on two levels: the interval at which the log was created and the log fields whose original values should be retained. When several logs matching a specific Rule are recorded within a predefined interval, the values of their relevant fields are saved as is, while the values of their irrelevant fields are merged (that is, consolidated) together.

    TABLE 2-1 provides a Consolidation example, where three logs of approved NTP connections match the same Consolidation Rule (NTP is a time protocol that provides access over the Internet to systems with precise clocks).


    The Rule's store options specify that logs generated within a one hour interval should be consolidated into a single record, as long as they share the same values for four fields of interest: destination, interface, Rule name and QoS class. The values of all other fields are either integrated into their shared value (for example, the shared Rule Number value, 1), or replaced with the term "consolidated" (for example, the different Source values). The consolidated record includes a connection number column, noting how many logs it represents (in this case, 3).

    How to interpret Computer names in DHCP enabled networks

    If DHCP address mapping is used, assuming the DNS knows how to resolve dynamic addresses, the information you see in the report reflects the correct resolving results for the time the reported log events were processed by the SmartDashboard Log Consolidator and inserted into the database.

    Because of the dynamic nature of DHCP address distribution, there is no guarantee that consolidation of old log files will produce correct address name resolving.

    When DHCP is in use, consolidating log files close to the time of their creation will improve address-resolving accuracy.

    Eventia Reporter Standard Reports

    The Log Consolidation process results in a database of the most useful, relevant records, known as the Eventia Reporter Database. The information is consolidated to an optimal level, balancing the need for data availability with the need for fast and efficient report generation.

    TABLE 2-1 Consolidation Example

    Record        Time   Source        Dest.      I-face  Rule Name  Rule No.  Class  Conn No.
    Log 1         10:00  10.1.3.29     172.0.0.1  hme0    NYC        1         Gold
    Log 2         10:25  10.15.2.52    172.0.0.1  hme0    NYC        1         Gold
    Log 3         10:59  10.56.60.4    172.0.0.1  hme0    NYC        1         Gold
    Cons. Record  10:00  Consolidated  172.0.0.1  hme0    NYC        1         Gold   3
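    The two mechanisms described in this section (rules scanned sequentially with the first match deciding ignore / store / consolidate, and interval-based merging of logs that share the key fields) as an added worked example in Python. This is not Check Point code and not the Log Consolidator Engine; it is a small model built for this page. The constructed sample logs reproduce the three TABLE 2-1 NTP records and add a fourth NTP log in the next hour, a blocked telnet attempt and a DNS query, so that all three store options and the interval boundary are exercised. The rule names, the minute-based interval, the treatment of unmatched logs (ignored) and the consolidated record carrying the interval start time are assumptions of this example, not statements from the guide.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

Log = Dict[str, object]


@dataclass
class ConsolidationRule:
    """One Consolidation Rule: a match predicate plus its store option.

    action is "ignore" (no record reaches the database), "store" (the log is
    saved as is, every field available for reports) or "consolidate" (logs in
    the same interval that share key_fields are merged into one record).
    """
    name: str
    matches: Callable[[Log], bool]
    action: str
    key_fields: Tuple[str, ...] = ()   # fields whose original values are retained
    interval_minutes: int = 60         # consolidation interval (assumed unit: minutes)


def first_matching_rule(policy: List[ConsolidationRule], log: Log) -> Optional[ConsolidationRule]:
    """Rules are scanned sequentially; the first match decides the log's fate."""
    for rule in policy:
        if rule.matches(log):
            return rule
    return None  # assumption of this example: a log matching no rule is ignored


def _minutes(hhmm: str) -> int:
    hours, minutes = hhmm.split(":")
    return int(hours) * 60 + int(minutes)


def _hhmm(minutes: int) -> str:
    return f"{minutes // 60:02d}:{minutes % 60:02d}"


def _merge(group: List[Log], bucket_start: int) -> Log:
    """Merge all logs of one interval bucket into a single consolidated record."""
    record: Log = {}
    for field in group[0]:
        if field == "time":
            record[field] = _hhmm(bucket_start)   # assumption: record carries the interval start
            continue
        values = {log[field] for log in group}
        # a value shared by every log (e.g. Rule No.) is kept; differing values
        # (e.g. Source) are replaced by the term "consolidated"
        record[field] = values.pop() if len(values) == 1 else "consolidated"
    record["conn_no"] = len(group)                # how many logs this record stands for
    return record


def consolidate(logs: List[Log], policy: List[ConsolidationRule]) -> List[Log]:
    """Run the policy over the logs; return the records that reach the database."""
    stored: List[Log] = []
    buckets: Dict[tuple, List[Log]] = {}          # dict keeps insertion order
    for log in logs:
        rule = first_matching_rule(policy, log)
        if rule is None or rule.action == "ignore":
            continue                              # nothing of this log is kept
        if rule.action == "store":
            stored.append(dict(log, conn_no=1))   # saved as is
            continue
        start = (_minutes(str(log["time"])) // rule.interval_minutes) * rule.interval_minutes
        key = (rule.name, start) + tuple(log[f] for f in rule.key_fields)
        buckets.setdefault(key, []).append(log)
    merged = [_merge(group, key[1]) for key, group in buckets.items()]
    return stored + merged


def _log(time, src, dst, iface, rule_name, rule_no, cls, service, action) -> Log:
    return {"time": time, "src": src, "dst": dst, "iface": iface, "rule_name": rule_name,
            "rule_no": rule_no, "class": cls, "service": service, "action": action}


# Constructed sample logs: the three NTP logs of TABLE 2-1 plus three extra ones
# (a fourth NTP log in the next hour, a blocked telnet attempt, a DNS query).
SAMPLE_LOGS: List[Log] = [
    _log("10:00", "10.1.3.29",  "172.0.0.1",  "hme0", "NYC",     1,  "Gold",   "ntp",    "accept"),
    _log("10:25", "10.15.2.52", "172.0.0.1",  "hme0", "NYC",     1,  "Gold",   "ntp",    "accept"),
    _log("10:30", "10.9.9.9",   "172.0.0.1",  "hme0", "Cleanup", 99, "Bronze", "telnet", "drop"),
    _log("10:40", "10.1.1.1",   "172.0.0.53", "hme0", "DNS",     5,  "Gold",   "dns",    "accept"),
    _log("10:59", "10.56.60.4", "172.0.0.1",  "hme0", "NYC",     1,  "Gold",   "ntp",    "accept"),
    _log("11:05", "10.2.2.2",   "172.0.0.1",  "hme0", "NYC",     1,  "Gold",   "ntp",    "accept"),
]

# Constructed three-rule policy in the spirit of the out-of-the-box one (not Check Point's):
# blocked connections are stored as is, DNS noise is ignored, accepted NTP is consolidated
# per hour on the four fields of interest named in the text.
SAMPLE_POLICY: List[ConsolidationRule] = [
    ConsolidationRule("blocked", lambda l: l["action"] == "drop", "store"),
    ConsolidationRule("dns-noise", lambda l: l["service"] == "dns", "ignore"),
    ConsolidationRule("ntp", lambda l: l["service"] == "ntp" and l["action"] == "accept",
                      "consolidate", key_fields=("dst", "iface", "rule_name", "class")),
]

if __name__ == "__main__":
    for rec in consolidate(SAMPLE_LOGS, SAMPLE_POLICY):
        print(rec)
```

    Running the block prints three records: the telnet drop kept with all its fields (conn_no 1), one NTP record for the 10:00 interval with Source "consolidated" and conn_no 3 (the TABLE 2-1 result), and a separate NTP record for the 11:00 interval, which illustrates that the interval boundary, not just the key fields, decides what gets merged. The DNS log leaves no trace, which is exactly why an ignore rule makes that data unavailable for later reports.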


    Predefined Reports

    The Eventia Reporter Client offers a wide selection of predefined reports for both Standard and Express reporting, designed to cover the most common network queries from a variety of perspectives.

    Report Subjects

    The reports are grouped by the following subjects, allowing you to easily locate the one you need:

    Security (Standard, Express) - this subject includes reports that allow you to focus on all security-related traffic in your network. For example, you can inspect connections whose origin or destination is the VPN-1 Pro gateway, monitor security attacks detected by SmartDefense, or analyze blocked connections and VPN-1 Pro gateway alerts.

    In addition, you can detect Policy Installations and analyze the Rule Base order on a specific gateway. Identifying the top matched rules versus the least matched rules allows you to sort the Security Policy in the most efficient way.

    Network Activity (Standard, Express) - this subject includes reports that enable you to analyze the most popular activities in your network. You can examine your network activity as a whole or focus on a specific direction (incoming, outgoing or internal) or activity type (web, ftp or Email). For example, to study network traffic inside your organization, you can investigate how your web servers, mail servers and VPN-1 Pro gateways handle the network load; see which services use most of the available bandwidth; and find out what are the most popular web sites. You can detect illegal network traffic, such as connections to banned web sites or use of prohibited services. To examine the network usage by external sources, you can explore which sources access the corporate web site, how often and for how long.

    A report dedicated to VPN-1 Pro gateway activity allows you to identify its top services, sources and destinations. The records are organized both by their direction and by the action taken by the VPN-1 Pro gateway. In addition, you can follow the VPN-1 Pro gateway activity's distribution over various time frames (your working hours, week days and the selected date range).

    VPN-1 (Standard, Express) - this subject includes reports that allow you to analyze various aspects of your encrypted traffic, such as its distribution over time, the top services or sources, etc. You can examine your VPN-1 Pro activity as a whole, or focus on a specific VPN Tunnel or VPN Community.

    System Information (Express) - this subject includes reports that allow you to analyze various aspects of system load and operational activity, including CPU usage, kernel usage, and memory usage.

    Firewall-1 GX - contains predefined reports that allow you to analyze various aspects of the Firewall-1 GX product.

    My Reports (Standard, Express) - select predefined reports and customize them to your needs.

    For descriptions of each predefined report available, see Predefined Reports on page 81.

    Report Structure

    Each report consists of a collection of sub-topics known as sections, which cover various aspects of the report. For example, the User Activity report consists of sections such as User Activity by Date, Top Users, Top Services for User Related Traffic, etc.

    Customizing Predefined Reports

    In case you have a specific query that is not directly addressed by the predefined reports, you can easily customize the report that is closest to your needs (by changing its date range, filters etc.) to provide the desired information. Changing the filters of a predefined report constitutes a change in the nature of the report, and the report must therefore be saved in a different location or under a different name. You can save the customized report under a different name in the report subject dedicated to user-defined reports, My Reports.

    Eventia Reporter Considerations

    In This Section

    Standalone vs. Distributed Deployment page 40
    Log Availability vs. Log Storage and Processing page 40
    Log Consolidation Phase Considerations page 40
    Report Generation Phase Considerations page 42

    Eventia Reporter's default options have been designed to address the most common reporting needs. However, to maximize the product's benefits, it is recommended that you adapt it to your specific profile. This section describes the considerations you should take into account before starting to use Eventia Reporter.


    Standalone vs. Distributed Deployment

    In a standalone deployment, all Eventia Reporter server components (the Log Consolidator Engine, the Eventia Reporter Database and the Eventia Reporter server) are installed on the Check Point SmartCenter Server machine. In a distributed deployment, the Eventia Reporter server components and the SmartCenter Server are installed on two different machines. They communicate through standard Check Point protocols such as LEA and CPMI, and through a special Log Consolidator Add-On installed on the SmartCenter Server.

    The standalone deployment saves you from dedicating a machine to the Eventia Reporter, but the distributed deployment significantly improves your system's performance.

    Log Availability vs. Log Storage and Processing

    Since all Eventia Reporter operations are performed on the logs you have saved, the extent to which you can benefit from this product depends on the quality of the available logs. Therefore, you must ensure your Security Policy is indeed tracking (logging) all events you may later wish to see in your reports.

    In addition, you should consider how accurately your logs represent your network activity. If only some of your Rules are tracking events that match them, the events' proportion in your reports will be distorted. For example, if only the blocked connections Rule is generating logs, the reports will give you the false impression that 100% of the activity in your network consisted of blocked connections.

    On the other hand, tracking multiple connections results in an inflated log file, which not only requires more storage space and additional management operations, but significantly slows down the Consolidation process.

Log Consolidation Phase Considerations

Record Availability vs. Database Size

Reports are a direct reflection of the records stored in the Eventia Reporter Database. To generate detailed, wide-ranging and accurate reports, the corresponding data must be available in the database.

However, effective database management requires keeping the database table size from growing too large. As the consolidated records accumulate in the database, the tables where they are saved may become quite large. The data gradually approaches the disk space limit, using more and more memory and slowing down the Eventia Reporter processes (especially the data retrieval for report generation). Refer to Automatically Maintaining the Size of the Database on page 47 for additional information on how Eventia Reporter tackles database management.

Carefully consider which logs you wish to store, and to what extent you wish to consolidate them.

Saving Consolidated Records to One vs. Multiple Database Tables

A report is generated based on a single table. If you save all consolidated records to the same table, all the data is readily accessible and you are saved the trouble of moving records between tables and selecting the appropriate source table for each report you wish to generate.

Dividing the records between different tables reduces the report generation time and allows you to maintain a useful database size by exporting tables you are not currently using to an external location.

High Availability

Eventia Reporter supports SmartCenter High Availability.

In High Availability, the Active SmartCenter Server (Active SCS) always has one or more backup Standby SmartCenter Servers (Standby SCS) that are ready to take over from the Active SmartCenter Server. These SmartCenter Servers must all run the same Operating System (for instance, all Windows NT), but do not have to be of the same version. The existence of the Standby SCS allows crucial backups to be in place:

• for the SmartCenter Server - the various databases in the corporate organization, such as the database of objects and users, policy information and ICA files, are stored on the Standby SCSs as well as on the Active SCS. These SmartCenter Servers are synchronized so that the data is maintained and ready to be used. If the Active SCS is down, a Standby SCS needs to become Active in order to be able to edit and install the Security Policy.

• for the module - certain operations that the modules perform via the Active SCS, such as fetching a Security Policy or retrieving a CRL from the SmartCenter Server, can be performed on a Standby SCS.

Note - You cannot lower the maximum size of the database.

In a High Availability deployment, the first installed SmartCenter Server is specified as the Primary SmartCenter Server. This is a regular SmartCenter Server used by the system administrator to manage the Security Policy. Any subsequently installed SmartCenter Servers must be specified as Secondary SmartCenter Servers. Once a Secondary SmartCenter Server has been installed and manually synchronized, the distinction between Primary and Secondary is no longer significant. These servers are then referred to according to their role in the Management High Availability scenario as Active or Standby, where any SmartCenter Server can function as the Active SCS.

When changes are made to report definitions (including report schedules), consolidation sessions and their settings, automatic maintenance configuration and report configuration, the information is stored in the active SmartCenter Server and is synchronized to the secondary SmartCenter Server when a user synchronizes the SmartCenter Servers.

The report generation results are not synchronized between SmartCenter Servers. For instance, when Eventia Reporter generates a report while connected to SmartCenter Server A, a record of its generation is stored in SmartCenter Server A. When Eventia Reporter generates a report while connected to SmartCenter Server B, a record of its generation is stored in SmartCenter Server B. The Activity Log in SmartCenter A is not visible in SmartCenter B and vice versa. However, even though the Activity Log in the inactive SmartCenter Server A is not visible, it is still possible to connect to the inactive SmartCenter Server A in read-only mode to access the report generations that are not visible in SmartCenter Server B.

Report Generation Phase Considerations

Adapting the Report's Detail Level to your Needs

When a report is very detailed, it may become difficult to sort out the most significant results and understand it. To get the right level of detail in your reports, closely examine the report's date range, filters (source, destination, service etc.) and filter values, and adjust them to pinpoint the details you need.

Generating only selected sections

By default, all report sections are included in the report generation. However, to get results faster and improve your machine's performance, you can generate only selected sections (by unchecking all others in the Content tab).

Scheduling Reports

The Schedule feature allows you to set both delayed and periodic report generations. If you wish to produce a detailed and lengthy report, consider postponing its generation and scheduling it so that it does not run at a time of peak log creation activity, since such a report generation might slow down your system.

In addition, it is useful to identify the reports you require on a regular basis (for example, a daily alerts report or a monthly user activity report) and schedule their periodic generation.

Report Filters

Reports are based on the records matched by the most commonly required filters (for example, Source, Destination etc.). Specifying the appropriate filter settings is the key to extracting the information you are looking for.

For each filter you choose, specify the values (for example, network objects, services etc.) to be matched out of all values available for that filter. The available values are taken from the SmartCenter Server and are refreshed on a regular basis. If you cannot see a value you have added through SmartDashboard in the available values list, refresh the list by selecting a different filter and then returning to the previous one.

The Eventia Reporter Client also allows you to include additional objects, by manually adding them to the matched values list.

Filters and their values can be specified on the report level and on its section level (Content tab). The report level settings are enforced on the section level as well (for example, if you choose to include specific sources in the report, these sources will also be included in its sections). If you set a specific section level filter and then choose a different report level filter, the latter overrides the former.

Report output (display, Email, file, printer etc.)

All report results are displayed on your screen and saved to the Eventia Reporter Server. By default, the report is saved in HTML output in an index.htm file, and in CSV (Comma Separated Values) format in a tables.csv file. The HTML file includes descriptions and graphs, but the CSV file contains only the report table units, without a table of contents, descriptions or graphs. The tables.csv file is provided to enable convenient table import into applications like Excel.

TABLE 2-2 Report Files and Formats

HTML - File name: index.htm. Includes: table of contents, tables, descriptions, graphs.
CSV - File name: tables.csv. Includes: data only; cell values separated by commas; rows and tables separated by lines.

Before generating a report, determine whether you want it to be saved or sent to additional or different targets. For example, when you generate a user activity-related report, you may wish to make it available to all managers in your organization by sending them the output via Email or by placing it on your intranet.

Eventia Reporter Database Management

All database management operations are performed through the Eventia Reporter Database Maintenance view.

Tuning the Eventia Reporter Database

To improve performance, adjust the database cache size to match the computer's available memory. Use the relevant my.ini file for the required configuration. This configuration file can be found in the Database/conf folder. In addition, place the database data and log files on different hard drives (physical disks), if available.

Note - On a Windows platform the database configuration file can be found in $RTDIR\Database\conf\my.ini, while on a UNIX platform it can be found in $RTDIR/Database/conf/my.cnf.

Modifying Eventia Reporter Database Configuration

It is possible to change the Eventia Reporter Database settings by modifying the my.ini file, located in the $RTDIR/Database/conf directory. This can be done by running the UpdateMySQLConfig application. Note that before running this application you must stop all Eventia Reporter services by running rmdstop.

Running the UpdateMySQLConfig application creates a backup of the database configuration file.

There are a number of factors that can improve the performance of the Eventia Reporter database. Most of these factors can be tuned using the UpdateMySQLConfig utility.

• RAM - The database needs substantial amounts of RAM to buffer data (up to 1200 MB). This can be set using UpdateMySQLConfig -R.

• Temporary directories - The database uses temporary disk space to perform intermediate operations (such as sorting and grouping) and may require a few GB to generate large reports. Generating a substantial report may fail to execute the required SQL query if there is not enough disk space for the temporary directory. The temporary directory can be defined using UpdateMySQLConfig -T.

• Log files - The database log files ensure that changes persist in the event of a system crash. Place these files on a device that is separate from the database's data files using the UpdateMySQLConfig -L option.

• Database data files - These files should be put on a large, fast disk. The database's data files can be placed on several disks. Use UpdateMySQLConfig -A to add a new file to the set of database files and UpdateMySQLConfig -M to move an existing file to a new location. Do not place database files on a network drive, since performance may suffer and in some instances the database will not work.

• Default data directory - This is the directory that contains the MySQL table definitions and the location of the temporary tables that the generator uses to optimize report generation performance. This directory can only be changed by editing the file /Database/conf/my.ini (my.cnf on UNIX). Change the datadir entry to refer to the new location and copy the files to the new location.

The following table describes the usage of the UpdateMySQLConfig application.

Syntax

UpdateMySQLConfig [-A -f=string -s=number -auto[=true|=false] [-m=number]] [-R=number] [-M -src=string -dst=string] [-T=string] [-L=string] [-h]

Parameters

TABLE 2-3 UpdateMySQLConfig Options

-A - add a new data file to the database. Sub-options:
    -f - the name of the file to add.
    -s - the initial size of the file when it is created (format [0-9]+{K|M|G}).
    -auto - specifies whether the database should grow the file on demand.
    -m - the maximum size to which the file can grow (format [0-9]+{K|M|G}). If this option is not specified, the database will grow the file to the available size on the disk.
-R - sets the level of database RAM usage.
-M - moves a database file to a new location. Sub-options:
    -src - original file path.
    -dst - destination file path.
-T - changes the path to the MySQL temporary directory.
-L - changes the path to the MySQL log directory and copies the log files to the new location.
-h - displays this help message.

Automatically Maintaining the Size of the Database

The Log Consolidator process continuously adds new records to the database as they are generated by the VPN-1 Pro gateway. Eventually, the space allocated for the database will fill up. Typically, users can manually archive or delete older, less pertinent records from the database to provide space for the newest records. Automatic Maintenance performs this process automatically. With Automatic Maintenance, the user selects a maintenance operation (deleting records or archiving them to an external file) and specifies high and low watermarks that determine when Automatic Maintenance should occur.

The High Watermark value represents the percentage of the allocated space that the database may occupy and/or the age of the database records (that is, how many days old the records are). When the database occupies too much space or the records are older than the specified age, the conditions are right to trigger an Automatic Maintenance operation. The High Watermark values are checked once a day, and if the percentage of space or the age of the database records is higher than the assigned values, the Automatic Maintenance operation is triggered.

The Automatic Maintenance operation deletes records from the database until it reaches the Low Watermark. For example, if you specify a High Watermark of 80% and a Low Watermark of 70%, the operation will begin to delete the oldest records when the occupied space is over 80%.

Typically, 80% is used as the High Watermark, since Eventia Reporter requires the extra space to perform generation optimizations.

In addition, it is possible to specify which database tables will participate in Automatic Maintenance. Since some of the tables are created for special purposes (for example, a table created from an external log file), Automatic Maintenance should not be performed on them.

When records are deleted during automatic maintenance, you may see the database size grow at first. This is normal behavior, since the database needs to keep duplicate information in case of a server crash. The database recovers the disk space over about an hour after the maintenance operation is complete.
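The watermark rules described above, modelled in Python as an added example (not Eventia Reporter's own code): the once-daily High Watermark check on space and record age, deletion of the oldest records from participating tables until the Low Watermark is reached, and a non-participating table that is left untouched. The page does not say how an age-only trigger interacts with the Low Watermark; the example assumes that records past the age limit are deleted even when usage is already below it. Table names, sizes and dates are constructed.

```python
"""Automatic Maintenance watermarks, modelled on the rules described above.
Constructed example (not Eventia Reporter's own code); sizes, dates and table
names are made up for illustration."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional

@dataclass(frozen=True)
class Record:
    logged_on: date  # day the consolidated record was written
    size_bytes: int  # space it occupies in the database

@dataclass
class Table:
    name: str
    records: List[Record]
    participates: bool = True  # False for special-purpose tables (e.g. built from an external log)

@dataclass
class MaintenancePolicy:
    capacity_bytes: int                 # space allocated to the database
    high_pct: float = 80.0              # High Watermark; 80% is typical (room for generation optimizations)
    low_pct: float = 70.0               # Low Watermark: deletion stops once usage is at or below this
    max_age_days: Optional[int] = None  # optional age-based High Watermark (days)

def usage_pct(tables, policy):
    used = sum(r.size_bytes for t in tables for r in t.records)
    return 100.0 * used / policy.capacity_bytes

def participating(tables):
    """(record, owning table) pairs for every table that takes part in maintenance."""
    return [(r, t) for t in tables if t.participates for r in t.records]

def too_old(record, policy, today):
    return policy.max_age_days is not None and (today - record.logged_on).days > policy.max_age_days

def high_watermark_reached(tables, policy, today):
    """The once-daily check: exceeding either the space or the age threshold triggers maintenance."""
    if usage_pct(tables, policy) > policy.high_pct:
        return True
    return any(too_old(r, policy, today) for r, _ in participating(tables))

def run_maintenance(tables, policy, today):
    """Delete the oldest participating records until the Low Watermark is reached; return them.
    Assumption: records past the age limit are removed even when usage is already below low_pct."""
    deleted = []
    if not high_watermark_reached(tables, policy, today):
        return deleted
    while True:
        candidates = participating(tables)
        if not candidates:
            break  # only non-participating tables remain; nothing more may be deleted
        oldest, owner = min(candidates, key=lambda pair: pair[0].logged_on)
        if usage_pct(tables, policy) <= policy.low_pct and not too_old(oldest, policy, today):
            break
        owner.records.remove(oldest)
        deleted.append(oldest)
    return deleted

def demo_space_trigger():
    """95% usage against an 80/70 policy: the three oldest CONNECTIONS records go, EXTERNAL_LOG stays."""
    today = date(2005, 5, 31)  # constructed
    conns = Table("CONNECTIONS", [Record(today - timedelta(days=d), 100) for d in range(1, 10)])
    external = Table("EXTERNAL_LOG", [Record(today - timedelta(days=400), 50)], participates=False)
    policy = MaintenancePolicy(capacity_bytes=1000)
    deleted = run_maintenance([conns, external], policy, today)
    return (len(deleted), round(usage_pct([conns, external], policy), 1),
            len(external.records), [(today - r.logged_on).days for r in deleted])

def demo_age_trigger():
    """Plenty of space, but two records older than the 30-day limit: only those two are deleted."""
    today = date(2005, 5, 31)  # constructed
    conns = Table("CONNECTIONS", [Record(today - timedelta(days=d), 100) for d in (40, 35, 10, 5)])
    deleted = run_maintenance([conns], MaintenancePolicy(capacity_bytes=1_000_000, max_age_days=30), today)
    return len(deleted), [(today - r.logged_on).days for r in deleted]
```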

Backing Up the Eventia Reporter Database

The Eventia Reporter Database system consists of a set of files that can be copied, compressed or backed up like any other file. Backup files require the same disk space as the original files. It is highly recommended to save backup copies of the Eventia Reporter Database files, which can later be used to recover from an unexpected database corruption. Proceed as follows:

1. Stop the Eventia Reporter services: run rmdstop.

2. From the Eventia Reporter Database directories, copy the entire data directory tree (as specified by the datadir parameter in the my.ini file) to the backup location (you may compress the files to save disk space). Also copy any database and log files that may have been moved to a different location using the UpdateMySQLConfig utility.

3. Restart the Eventia Reporter services, starting with the Check Point Reporting Database Server service.
    Windows - start the Check Point Reporting Database Server service.
    Solaris - use rmdstart.
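Step 2 of the procedure above as an added Python example (not Check Point's tool): it reads datadir from a my.ini/my.cnf-style option file, compresses the whole tree into an archive and writes a SHA-256 manifest beside it, so a copy kept for recovery can be checked for integrity before it is relied on. The option file, file names and contents are constructed; the script assumes the services were already stopped with rmdstop and does not start or stop them itself.

```python
"""Backup of the Eventia Reporter Database data directory, following the
procedure above. Added example, not Check Point's tool. It assumes the
services were already stopped with rmdstop; it does not stop or start them."""
import hashlib
import json
import shutil
import tempfile
from pathlib import Path

def read_datadir(config_text):
    """Return the datadir value from the [mysqld] section of a my.ini/my.cnf text.
    Hand-rolled so keys without values (common in MySQL option files) are tolerated."""
    section = None
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section == "mysqld" and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            if key.lower() == "datadir":
                return value.strip('"')
    raise ValueError("no datadir entry in the [mysqld] section")

def digest_tree(root):
    """SHA-256 of every file under root, keyed by POSIX-style relative path."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(root.rglob("*")) if p.is_file()}

def backup_datadir(datadir, backup_dir, label):
    """Compress the whole data directory tree and write a digest manifest beside it."""
    manifest = digest_tree(datadir)
    archive = shutil.make_archive(str(Path(backup_dir) / label), "gztar", root_dir=datadir)
    manifest_path = Path(backup_dir) / f"{label}.sha256.json"
    manifest_path.write_text(json.dumps(manifest, indent=1, sort_keys=True))
    return archive, str(manifest_path)

def verify_backup(archive, manifest_path):
    """Unpack into scratch space and compare every file's digest with the manifest."""
    expected = json.loads(Path(manifest_path).read_text())
    with tempfile.TemporaryDirectory() as scratch:
        shutil.unpack_archive(archive, scratch)
        return digest_tree(scratch) == expected

# Constructed my.ini fragment; a real one lives under $RTDIR/Database/conf.
SAMPLE_MY_INI = """[client]
port=3306
[mysqld]
port=3306
skip-locking
datadir=__DATADIR__   # replaced with a scratch path in demo()
"""

def demo():
    """Build a constructed data directory, back it up, verify it, then show a mismatch is caught."""
    with tempfile.TemporaryDirectory() as work:
        data = Path(work) / "data"
        (data / "rmd").mkdir(parents=True)
        (data / "ibdata1").write_bytes(b"\x00" * 4096)  # constructed data file
        (data / "rmd" / "connections.frm").write_bytes(b"constructed table definition")
        datadir = read_datadir(SAMPLE_MY_INI.replace("__DATADIR__", data.as_posix()))
        backups = Path(work) / "backup"
        backups.mkdir()
        archive, manifest = backup_datadir(datadir, backups, "rmd-backup")
        ok_before = verify_backup(archive, manifest)
        # Data changes after the backup; a fresh archive no longer matches the old manifest.
        (data / "ibdata1").write_bytes(b"\x00" * 4095 + b"\x01")
        changed_archive, _ = backup_datadir(datadir, backups, "rmd-backup-2")
        ok_changed = verify_backup(changed_archive, manifest)
        return datadir == data.as_posix(), len(json.loads(Path(manifest).read_text())), ok_before, ok_changed
```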

CHAPTER 3

How To

In This Chapter

Quick Start (page 49)
Eventia Reporter Instructions (page 61)
Consolidation Policy Configuration (page 72)

Quick Start

This section is a step-by-step guide that covers the basic Eventia Reporter operations.

In This Section

How to Generate a Report (page 49)
How to Customize a Report (page 51)
How to View and Collect Information about the Status of Report Generation (page 52)
How to Start and Stop the Log Consolidator Engine (page 54)
How to Configure Consolidation Settings and Sessions (page 55)
How to Export and Import Database Tables (page 58)
How to Configure Database Maintenance Properties (page 59)

How to Generate a Report

The following procedure allows you to create the most basic Eventia Reporter configuration. Proceed as follows:

1. In the Selection Bar view, select Reports > Definitions and in the Standard tab select Security > Blocked Connections.

2. Access the Period tab to determine the period over which the report will be generated and the information that should be used to generate the report.

    Report Period - In this area select one of the following options:
    • Relative Time Frame includes the time period relative to the report generation. This time period defines a proportional interval (for example, Last Week or This Quarter).
    • Specific Dates includes the exact time period for which the report will be generated.

3. Access the Input tab to determine the modules for which you would like to generate a report. If more than one module is selected as your source, you can generate information per module, or create a summary for all the selected modules.

    Select Check Point modules - In this area select the VPN-1 Pro modules that will participate in report generation:
    • Select all modules selects all the VPN-1 Pro modules that are run by the SmartCenter Server.
    • Select specific modules enables you to select specific VPN-1 Pro modules that are run by the SmartCenter Server, from the tree provided. Add enables you to add a module to the existing module tree.

    Show Result - In this area select one of the following options:
    • Per module instructs Eventia Reporter to create a report that details information for each of the selected modules.
    • Summary of all modules instructs Eventia Reporter to create a report that summarizes the information associated with all of the selected modules.

    Generation Input - In this area select the database table that contains the information for the report you are generating. By default the CONNECTIONS table is the primary database table.
    • Sample Mode provides the information for a demo mode. This option is used when you want to see an example of the report you are creating.
    • Other Database Tables enables you to access the information on which you would like your report to be based.

4. Click the Generate Report button to create the Blocked Connections report.

5. Click Yes to display the results. A new window appears containing the results of the report generation. Scroll down this window to view the specific report output.

How to Customize a Report

When you generate a report, you generate the selected component using its default properties, or adjust these properties to better address your current requirements. This section describes the most important properties you should examine before generating a report.

In this section you will learn how to customize a new report. For example purposes, you will learn how to create a Security report about Blocked Connections.

1. In the Selection Bar view, select Reports > Definitions and in the Standard tab select Security > Blocked Connections.

2. Select the Content tab to see the sections (that is, sub-topics) associated with this report.

3. Review the Blocked Connections sections by double-clicking a specific section. The window that appears contains information about the selected section. To remove a section from the Blocked Connections report, clear the checkbox next to the specific section's name in the Content tab.

4. Select Blocked Connections and configure the report using the tabs available.

5. Access the Filter tab to isolate the report data by limiting the records in the database by specific filters (that is, parameters). For each filter you select, you can specify the values (for example, network objects, services, etc.) to be matched out of all values available for that filter.

6. Click the Generate Report button to create the Blocked Connections report. This process may take several seconds to several hours, depending on the amount of data currently in the database.

7. Click Yes to display the results. A new window appears containing the results of the report generation. Scroll down this window to view the specific report's output.

How to View and Collect Information about the Status of Report Generation

In this section you will learn how to follow the progress of report generation using the Reports and Management views.

To view report generation schedules:

1. In the Selection Bar view, select Reports > Schedules.
    The Schedules view lists all the generation schedules of all the reports in your system, as defined in the Schedule tab of each report's properties. In this view, you can see a list of all the delayed reports and periodic generation schedules. In addition, you can see the time, frequency and activation period of each scheduled report generation.
    To improve performance, schedule report generation when there is less traffic and fewer logs are being generated, so that the Log Consolidator is consuming fewer resources. For example, schedule reports on nights and weekends.

To view generated reports and the status of currently active