11-06-2008 03:28 AM
Is it possible to see what rule changes were done on a Checkpoint NGX firewall using CS-MARS?
E.g. what rule was changed, added, or deleted.
Thanks
11-06-2008 04:48 AM
I am afraid that your question is confusing. MARS is not supposed to change the rules on any particular firewall, whether it's Checkpoint, NetScreen, PIX or ASA. All you can do or find is what rule was triggered on MARS based on a syslog message from that particular device.
MARS is sort of a passive device (until it is configured for automatic mitigation, which by far till now is useless :( ) which collects the messages from all the devices in the network in the form of syslogs, correlates all the events to form sessions and presents them for rule inspection. If any of the sessions triggers a default or user-made rule, it generates an incident.
Do let me know if I got your question wrong; otherwise please rate if it's helpful.
regards,
Mohsin
11-06-2008 07:13 AM
Hi,
Thanks for the response. Maybe my question was confusing.
If you have worked on Checkpoint, where you have policy rules and you push the policy.
CS-MARS collects all logs; what I wanted to know is whether it can also track what within the Checkpoint has changed.
Hope this time my question is fine.
11-10-2008 11:00 AM
Hi,
I am sure that LEA is used for the standard (traffic) logs, while what you're looking for is what CheckPoint calls the AUDIT logs.
I've used LEA successfully for importing standard logs, but haven't tried this yet. I think you must configure the CPMI parameters on the Checkpoint side to get this information.
Regards, Joe
11-13-2008 03:41 PM
The answer is no)