Rank: Newbie
Posts: 5
Basically I would like to either utilize a regex query or create an extension that will provide the same audits included in the Stateful Inspection check, but on a setting-by-setting basis. For example, I would like to simply check to see if TCP OUT OF STATE is logged. That is a check in the standard Stateful Inspection check, but if that one setting is properly configured and the TCP timeout does not match, the audit will fail, thus skewing the results.
Plan B would be to modify the Stateful Inspection check (and the other Checkpoint menu audits) to allow individual checks to be turned on/off. It would also be beneficial for any value-based results (like tcptimeout) to support greater-than or less-than symbols.
Thanks in advance.
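One way to get the per-setting, operator-aware audit described above, as an added example that is not code from the forum or from the audit tool being discussed. It assumes the retrieved file stores properties as `:name (value)` lines; the sample text and the tcptimeout threshold are constructed for illustration.

```python
# Added example; assumes ':name (value)' property lines (Check Point .C style).
# SAMPLE_CONFIG is constructed, not a real device file.
import operator
import re

SAMPLE_CONFIG = """
:fw_log_out_of_state_tcp (true)
:fw_allow_out_of_state_tcp (false)
:tcptimeout (7200)
"""

PROP_RE = re.compile(r"^\s*:(?P<name>\w+)\s*\((?P<value>[^)]*)\)", re.M)
OPS = {"==": operator.eq, "!=": operator.ne, ">": operator.gt,
       ">=": operator.ge, "<": operator.lt, "<=": operator.le}

def parse_properties(text):
    """Map every ':name (value)' line to {name: raw value string}."""
    return {m["name"]: m["value"].strip() for m in PROP_RE.finditer(text)}

def coerce(raw):
    """Convert a raw value to bool or int where possible, else keep the string."""
    if raw.lower() in ("true", "false"):
        return raw.lower() == "true"
    return int(raw) if raw.lstrip("-").isdigit() else raw

def audit(text, rules):
    """Evaluate each (name, op, expected) rule on its own.

    Returns {name: (passed, actual)}. A missing or failing setting only
    fails its own rule, so one bad value cannot mask the others."""
    props = parse_properties(text)
    results = {}
    for name, op, expected in rules:
        raw = props.get(name)
        actual = coerce(raw) if raw is not None else None
        passed = actual is not None and OPS[op](actual, expected)
        results[name] = (passed, actual)
    return results

# Per-setting rules; the tcptimeout limit is a hypothetical threshold in seconds.
RULES = [
    ("fw_log_out_of_state_tcp", "==", True),
    ("fw_allow_out_of_state_tcp", "==", False),
    ("tcptimeout", "<=", 3600),
]

if __name__ == "__main__":
    for name, (ok, actual) in audit(SAMPLE_CONFIG, RULES).items():
        print(f"{'PASS' if ok else 'FAIL'} {name} = {actual!r}")
```

With the constructed sample the first two rules pass and only tcptimeout fails, which is the per-setting result the combined check cannot report.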
Rank: Newbie
Posts: 5
FYI: The JavaScript appears to check for "fw_log_out_of_state_tcp", but I cannot decipher the name of the file it is reading to incorporate into a regex query.
Rank: Newbie
Posts: 1
The stateful inspection check is looking at the first file for each config (there can be multiple). Since the file name in that position can vary depending on the device, there is not a single answer to your question. Unfortunately, the regex check targets config files only by name, not by position. This complicates what you are attempting to do.
However, there is a way to find out the name you want for each device type. When in the Device Analysis view, do the following:
1. Select the device you want to inspect.
2. Right-click on the most recent configuration.
3. Click on Properties.
4. Click on the Retrieved Files tab.
You want the name of the first file in the list. Typical values I have found when testing for this value are "CheckPoint_Database" and "Standard" (for a "Check Point CMA or SmartCenter" and "Check Point Cluster Member" respectively).
Please give that a try and see if it helps any. Thanks!
Rank: Newbie
Posts: 5
Eric,
I am sure I am doing this wrong; however, I discovered the name of the file by following your steps. All of the Checkpoint retrieved files follow the format of <something>.config.
I then enter the above filename into a regex query (such as the Text Pattern Based Config Check 1.0.1) and enter the search pattern that is being used in the Stateful Inspection Check, and I immediately receive a Java error. It does not appear to be related to my search pattern, as even ASCII searches for 1 common character cause the same error.
The message I received is as follows: javax.script.ScriptException: sun.org.mozilla.javascript.internal.JavaScriptException: Null or empty data returned for file cde8c2f3-1cc2-4ba9-8a13-771cc2022cce.config (<Unknown source>#612) in <Unknown source> at line number 612
Rank: Newbie
Posts: 5
Using the name listed in the first column instead of the file name worked. Thanks for your assistance Eric.