
Advice on separating the audits contained in the standard Checkpoint Stateful Inspection check
#1 Posted : Wednesday, July 11, 2012 9:29:58 AM
Rank: Newbie

Posts: 5
Basically I would like to either utilize a regex query or create an extension that will provide the same audits included in the Stateful Inspection check, but on a setting by setting basis. For example, I would like to simply check to see if TCP OUT OF STATE is logged. That is a check on the standard Stateful Inspection check, but if that one setting is properly configured, but the TCP timeout does not match, the audit will fail, thus skewing the results.

Plan B would be to modify the Stateful Inspection check (and the other Checkpoint menu audits) to allow individual checks to be turned on/off. It would also be beneficial for any value based results (like tcptimeout) to support greater than or less than symbols.

Thanks in advance.
#2 Posted : Wednesday, July 11, 2012 9:32:55 AM
Rank: Newbie

Posts: 5
The java script appears to check for "fw_log_out_of_state_tcp" but I cannot decipher the name of the file it is reading to incorporate into a regex query.
#3 Posted : Friday, July 13, 2012 11:37:26 AM
Rank: Newbie

Posts: 1
The stateful inspection check is looking at the first file for each config (there can be multiple). Since the file name in that position can vary depending on the device, there is not a single answer to your question. Unfortunately, the regex check targets config files only by name, not by position. This complicates what you are attempting to do.

However, there is a way to find out the name you want for each device type. When in the Device Analysis view, do the following:

1. Select the device you want to inspect
2. Right click on the most recent configuration
3. Click on Properties
4. Click on the Retrieved Files tab

You want the name of the first file in the list. Typical values I have found when testing for this value are "CheckPoint_Database" and "Standard" (for a "Check Point CMA or SmartCenter" and "Check Point Cluster Member" respectively).

Please give that a try and see if it helps any. Thanks!
#4 Posted : Thursday, August 2, 2012 10:03:16 AM
Rank: Newbie

Posts: 5

I am sure I am doing this wrong, however, I discovered the name of the file by following your steps. All of the Checkpoint retrieved files follow the format of <something>.config.

I then enter the above filename into a regex query (such as the Text Pattern Based Config Check 1.0.1) and enter the search pattern that is being used in the Stateful Inspection Check, and I immediately receive a java error. It does not appear to be related to my search pattern as even ASCII searches for 1 common character cause the same error.

The message I received is as follows:
javax.script.ScriptException: Null or empty data returned for file cde8c2f3-1cc2-4ba9-8a13-771cc2022cce.config (<Unknown source>#612) in <Unknown source> at line number 612
#5 Posted : Thursday, August 2, 2012 2:35:01 PM
Rank: Newbie

Posts: 5
Using the name listed in the first column instead of the file name worked. Thanks for your assistance Eric.
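
The per-setting audit requested in post #1, sketched as an added example (not part of the thread and not the product's own check code): each setting is evaluated on its own rule, and numeric values support greater-than/less-than comparisons. It assumes settings appear in the retrieved config as `:name (value)` lines; the sample config, the 3600 threshold and `example_missing_setting` are constructed for illustration.

```python
import operator
import re

# Constructed sample, assuming settings appear as ":name (value)" lines.
SAMPLE_CONFIG = """\
:firewall_properties (
	:fw_log_out_of_state_tcp (true)
	:tcptimeout (7200)
)
"""

OPS = {"==": operator.eq, "<=": operator.le, ">=": operator.ge,
       "<": operator.lt, ">": operator.gt}

# One rule per setting: (name, operator, expected). Values are illustrative.
RULES = [
    ("fw_log_out_of_state_tcp", "==", "true"),
    ("tcptimeout", "<=", 3600),
    ("example_missing_setting", "==", "true"),  # hypothetical name, absent on purpose
]


def read_setting(config, name):
    """Return the raw value of ':name (value)', or None if the setting is absent."""
    pattern = r"^\s*:" + re.escape(name) + r"\s+\(([^()\r\n]*)\)"
    m = re.search(pattern, config, re.MULTILINE)
    return m.group(1).strip().strip('"') if m else None


def audit(config, rules=RULES):
    """Evaluate each rule on its own so one mismatch cannot fail the others."""
    results = {}
    for name, op, expected in rules:
        raw = read_setting(config, name)
        if raw is None:
            results[name] = "MISSING"
        elif isinstance(expected, int):
            # Numeric rule: a non-numeric value is reported, not silently passed.
            if re.fullmatch(r"-?\d+", raw):
                results[name] = "PASS" if OPS[op](int(raw), expected) else "FAIL"
            else:
                results[name] = "INVALID"
        else:
            results[name] = "PASS" if OPS[op](raw.lower(), expected) else "FAIL"
    return results


if __name__ == "__main__":
    for setting, status in audit(SAMPLE_CONFIG).items():
        print(f"{setting}: {status}")
```

Reporting MISSING and INVALID separately from FAIL keeps an unreadable or empty file from being counted as a compliant or non-compliant setting.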