SmartView Reporter
NG with Application Intelligence (R55)
For additional technical information about Check Point products, consult Check Point’s SecureKnowledge at
http://support.checkpoint.com/kb/
See the latest version of this document in the User Center at:
http://www.checkpoint.com/support/technical/documents/docs_r55.html
Part No.: 700727
October 2003
Table Of Contents
Chapter 1 Getting Started
  Installing SmartView Reporter
  Overview
  Standalone Installation
  Distributed Installation
  Starting SmartView Reporter
Chapter 2 SmartView Reporter
  The Need for Reports
  SmartView Reporter Solution
  SmartView Reporter — Overview
  Log Consolidation Process
  SmartView Reporter Standard Reports
  SmartView Reporter Express Reports
  Predefined Reports
  SmartView Reporter Considerations
  Standalone vs. Distributed Deployment
  Log Availability vs. Log Storage and Processing
  Log Consolidation Phase Considerations
  Report Generation Phase Considerations
  SmartView Reporter Configuration
  Basic Configuration Scenario
  Required Security Policy Configuration
  Express Reports Configuration
  Report Generation Configuration
  Consolidation Policy Configuration
  SmartView Reporter Database Management
Chapter 3 How To
  SmartView Reporter Instructions
  How to re-consolidate logs according to a different Consolidation Policy
  How to generate reports based on data unavailable in the Database
  How to include URL information in web activity reports
  How to retain log fields not listed in the Store Properties window
  How to adapt reports to your specific needs
  How to schedule generations of the same report using different settings (a different output or style)
  How to recover the SmartView Reporter Database
  How to interpret report results whose direction is “other”
  How to view report results without the SmartView Reporter Client
  How to upload reports to a web server
  How to upload reports to an FTP server
  How to improve performance
Appendix A Out_of_the_box Consolidation Policy
  Overview
  Out_of_the_box Consolidation Rules
Appendix B Predefined Reports
  Executive Reports
  Network Activity Reports
  Security Reports
  VPN-1 Reports
  User Activity Reports
  System Information Reports
  My Reports
Index
CHAPTER 1
Getting Started
In This Chapter
Installing SmartView Reporter
Starting SmartView Reporter
Installing SmartView Reporter
In This Section
Overview
Standalone Installation
Distributed Installation
Overview
SmartView Reporter can be installed in either a “Standalone” installation, or a
“Distributed” installation:
• Standalone installation — SmartView Reporter is installed on the SmartCenter
Server machine.
• Distributed installation — SmartView Reporter is installed on a machine dedicated
to reporting purposes. In addition, SmartView Reporter Add-on is installed on the
SmartCenter Server machine. The add-on contains both data files (with report
definitions) and a component that allows SmartDashboard to connect to SmartView
Reporter Server.
A distributed installation requires establishing Secure Internal Communication
(SIC) between the two machines. The distributed installation is recommended,
since it provides better performance.
Performance Tips
To maximize the performance of your SmartView Reporter Server, follow these
guidelines:
Hardware Recommendations
• Use a computer that matches the minimum hardware requirements, as specified in
the Release Notes at:
http://www.checkpoint.com/techsupport/installation/ng/release_notes.html
• Configure the network connection between the SmartView Reporter Server
machine and the SmartCenter, or the Log server, to the optimal speed.
• Use the fastest disk available with the highest RPM (Revolutions per Minute).
• Increase computer memory. It significantly improves performance.
Installation
Choose a distributed configuration, dedicating a computer to Consolidation and
Report generation operations only.
Supported Platforms
Windows and Solaris platforms support both standalone and distributed installations.
Linux and Nokia platforms support only SmartView Reporter Add-on Installation in a
distributed configuration. Linux and Nokia platforms do not support a Standalone
Installation or a SmartView Reporter server in a distributed configuration.
Standalone Installation
In This Section
Windows Platform
Solaris Platform
Windows Platform
1 In order to begin the installation, log in as an Administrator and launch the Wrapper
by double-clicking on the setup executable.
2 Select the products that you would like to install. The following components
represent the minimum standalone component requirements for SmartView
Reporter:
• SmartCenter
• SmartConsole
• SmartView Reporter
FIGURE 1-1 Standalone Deployment - for Windows
Depending on the components that you have chosen to install, you may need to take
additional steps before reaching step 3.
3 Verify the default directory, or browse to a new location in which SmartView
Reporter will be installed.
4 Select Local SmartView Reporter Installation in order to install SmartView Reporter
on the local machine.
5 Verify the default directory, or browse to a new location in which the output files
created by SmartView Reporter will be generated.
Click Next and reboot the machine in order to complete the installation of the
SmartView Reporter and to continue with the next phase of the installation.
6 Launch SmartDashboard.
7 Edit the host properties for the SmartView Reporter machine.
FIGURE 1-2 Edit the Host properties
8 Deselect and reselect the SmartView Reporter checkbox. Without explicitly
selecting this field, the SmartView Reporter will not function. To finish, click OK.
FIGURE 1-3 Select SmartView Reporter in the listbox
9 After activating the SmartView Reporter host, install the Security Policy
(Policy>Install) or install the database (Policy>Install Database) in order to make the
SmartView Reporter fully functional.
Solaris Platform
1 In order to begin the installation, mount the CD on the relevant subdirectory and
launch the wrapper as follows:
2 In the mounted directory, run the script: UnixInstallScript.
3 Read the End-User License Agreement (EULA) and, if you accept it, click Yes.
4 Select whether you would like to perform an upgrade or create a new installation.
5 Continue from step 2 on page 6 in order to complete the process.
FIGURE 1-4 Standalone Deployment - for Solaris
Distributed Installation
In a distributed installation, SmartView Reporter is installed on a different machine
from the SmartCenter server.
In This Section
Windows Platform
Solaris Platform
Linux
Nokia IPSO
Windows Platform
This installation process consists of three phases:
• Install SmartView Reporter
• Install SmartCenter and the SmartView Reporter Add-On
• Prepare SmartView Reporter in SmartCenter
Phase 1 - Installing the SmartView Reporter
1 Select SmartView Reporter and SmartConsole (optionally) for installation.
Note - Although SmartConsole does not have to be installed on this machine, if it is, you
have direct UI access to the SmartCenter server from this machine, thereby simplifying the
final installation steps.
FIGURE 1-5 Distributed deployment - for Windows
Depending on the components that you have chosen to install, you may need to take
additional steps (such as installing other components and/or license management) before
reaching step 2.
2 Verify the default directory, or browse to a new location in which SmartView
Reporter will be installed.
3 Select a folder in which the output files created by SmartView Reporter
will be generated.
Depending on the components that you have chosen to install, you may need to take
additional steps before reaching step 4.
4 Enter the Activation Key in the specified fields. Remember the key; you will need
to enter it at a later stage.
Click Finish in order to complete the installation of the SmartView Reporter.
FIGURE 1-6 SIC activation
Phase 2 – Installing SmartCenter and the SmartView Reporter Add-On
SmartCenter installation is described in the Getting Started guide. Only the portion that
is related to SmartView Reporter is discussed in this section.
5 Install the SmartCenter server on a separate machine by selecting SmartCenter and
select SmartView Reporter, so that the SmartView Reporter Add-on is also installed
during the SmartCenter installation.
FIGURE 1-7 Installing SmartCenter and the SmartView Reporter Add-On on a Windows
Platform
6 During the SmartCenter installation a window is displayed in which you will be
prompted to select the SmartView Reporter Setup Type. Select SmartView Reporter
SmartCenter Add-on so that SmartCenter can connect to the distributed SmartView
Reporter.
7 Reboot the machine in order to complete the installation.
Phase 3 – Preparing SmartView Reporter in SmartCenter
8 Launch SmartDashboard. (SmartDashboard is installed during the SmartConsole
installation).
9 Create a new host for the SmartView Reporter machine.
FIGURE 1-8 Create New SmartView Reporter Host
10 In the General Properties window, select SmartView Reporter. Then click the
Communication button.
FIGURE 1-9 Initialize SIC
11 Enter the Activation Key that was created in step 4 during the SmartView Reporter
installation.
12 After activating the SmartView Reporter host, install the Security Policy
(Policy>Install) or install the database (Policy>Install Database) in order to make the
SmartView Reporter fully functional.
FIGURE 1-10 Enter the Activation Key
Solaris Platform
This installation process consists of three phases:
• Install the SmartView Reporter
• Install SmartCenter and the SmartView Reporter Add-On
• Preparing SmartView Reporter in SmartCenter
Phase 1 – Installing the SmartView Reporter
1 Select SmartView Reporter and SmartConsole (optionally) for installation.
FIGURE 1-11 Standalone Deployment - for Solaris
Depending on the components that you have chosen to install, you may need to take
additional steps before reaching step 3.
2 Select a folder in which the output files created by SmartView Reporter
will be generated.
FIGURE 1-12 Solaris - default directory
Depending on the components that you have chosen to install, you may need to take
additional steps before reaching step 3.
3 Enter the Activation Key in the specified fields. Remember the key; you will need
to enter it at a later stage.
Click Finish to complete the installation of the SmartView Reporter.
FIGURE 1-13 Solaris Activation Key
4 In order to complete the installation, continue from “Phase 2 – Installing
SmartCenter and the SmartView Reporter Add-On” on page 11.
Note - Although the interface is different, the installation process performed on a Windows
platform is the same as the installation process performed on a Solaris platform.
Linux
The SmartView Reporter machine can be installed either on Solaris or Windows. For
details on installing SmartView Reporter machine, please refer to “Phase 1 - Installing
the SmartView Reporter” on page 10 for installation instructions.
Installing the SmartCenter Machine and the SmartView Reporter Add-On
SmartCenter installation is described in its own document. Only the portion that is
related to SmartView Reporter is discussed here.
1 When installing SmartCenter select SmartView Reporter, so that the SmartView
Reporter Add-on can be installed as part of the SmartCenter installation.
FIGURE 1-14 Install SmartView Reporter on Linux
2 SmartView Reporter installation type will be automatically set as SmartView
Reporter SmartCenter Add-on, so that SmartCenter can connect to the distributed
SmartView Reporter.
3 In order to complete the installation, continue from “Phase 3 – Preparing
SmartView Reporter in SmartCenter” on page 12.
Nokia IPSO
The SmartView Reporter machine can be installed either on Solaris or Windows. For
details on installing SmartView Reporter machine, please refer to “Phase 1 - Installing
the SmartView Reporter” on page 10 for installation instructions.
Installing the SmartCenter Machine and the SmartView Reporter Add-On
SmartCenter installation is described in its own document. Only the portion that is
related to SmartView Reporter is discussed here.
1 After installing Check Point IPSO packages, reboot the machine and run cpconfig.
FIGURE 1-15 Installing Check Point IPSO Packages
2 Log in to IPSO Voyager from a web browser.
FIGURE 1-16 Login to Voyager
3 Select Config to enter the Voyager Configuration screen.
FIGURE 1-17 Click Config to enter the Configuration screen.
4 In the Configuration screen, select Manage Installed Packages.
FIGURE 1-18 Select Manage Installed Packages
5 Make sure that SmartView Reporter NG with Application Intelligence R55 (and
any other relevant packages) are set to On and click Apply.
FIGURE 1-19 Activate SmartView Reporter and other relevant packages
6 After clicking Apply, click Save.
7 From a command line terminal to the IPSO machine:
• Log out and then log in to the system.
• Run rmdstart.
8 Reboot the machine.
9 In order to complete the installation, continue from “Phase 3 – Preparing
SmartView Reporter in SmartCenter” on page 12.
Starting SmartView Reporter
To start using SmartView Reporter, proceed as follows:
1 Launch the SmartView Reporter Client (FIGURE 1-20).
FIGURE 1-20 SmartView Reporter Client — Main window
2 Display the Management Selection Bar view and verify that logs are indeed being
consolidated and saved to the SmartView Reporter Database.
FIGURE 1-21 SmartView Reporter Client — Management Selection Bar view
3 Go back to the Reports Selection Bar view (FIGURE 1-20 on page 22) and ensure
that you select the database tables for which to generate the report, as well as a
report time frame. Then generate the Standard Network Activity report by selecting
it in the Report Tree pane and clicking in the toolbar.
4 To follow the progress of the report generation, display the Report Generation
Selection Bar view (FIGURE 1-22).
FIGURE 1-22 SmartView Reporter Client — Report Generation Selection Bar view
After a brief delay, the Standard Network Activity report result is displayed through
your browser (FIGURE 1-23 on page 25).
FIGURE 1-23 Example Standard Network Activity Report Result (callouts: Report Title; Report Time Frame, Log Sources & Generation Time; Report Description; Sections (Hyperlinks))
5 Click a section title to view the results in question. The section’s results are
displayed in either a graph unit, a table unit or both types of units.
FIGURE 1-24 on page 26 shows example results of section 2, Network Activity by
Date, in both a graph unit and a table unit.
FIGURE 1-24 Example Standard Network Activity by Date Section — Graph and Table Formats (callouts: Section Title; Section Description; Unit Title; Unit Description; Unit Results: Graph Format; Unit Legend; Unit Results: Table Format; Unit Terminology)
CHAPTER 2
SmartView Reporter
In This Chapter
The Need for Reports
SmartView Reporter Solution
SmartView Reporter Configuration
The Need for Reports
To manage your network effectively and to make informed decisions, you need to
gather information on the network’s traffic patterns. There is a wide range of issues you
may need to address, depending on your organization’s specific needs:
• As a Check Point customer, you may wish to check if your expectations of the
products are indeed met.
• From a security point of view, you may be looking for suspicious activities, illegal
services, blocked connections or events that generated alerts.
• As a system administrator, you may wish to sort the Security Policy based on how
often each Rule is matched, and delete obsolete Rules that are never matched.
• You may be looking for general network activity information, for purposes such as
capacity planning.
• From the corporate identity and values perspective, you may want to ensure that
your employees’ surfing patterns (such as the web sites they access) comply with
your company’s policy.
• From a sales and marketing point of view, you may wish to identify the most and
the least visited pages on your website or your most and least active customers.
To address these issues, you need an efficient tool for gathering the relevant information
and displaying it in a clear, accurate format.
SmartView Reporter Solution
In This Section
SmartView Reporter — Overview
Log Consolidation Process
SmartView Reporter Standard Reports
Predefined Reports
SmartView Reporter — Overview
Check Point SmartView Reporter delivers a user-friendly solution for monitoring and
auditing traffic. You can generate detailed or summarized reports in the format of your
choice (list, vertical bar, pie chart etc.) for all events logged by Check Point
VPN-1 Pro, SecureClient and SmartDefense.
SmartView Reporter implements a Consolidation Policy, which goes over your
original, “raw” log file, identifies events of interest and copies their relevant details
into a special, report-specific database (the SmartView Reporter Database). This smart,
succinct database enables quick and efficient generation of a wide range of reports. The
SmartView Reporter solution provides the optimal balance between keeping the
smallest report database possible and retaining the most vital information.
A Consolidation Policy is similar to a Security Policy in terms of its structure and
management. For example, both Rule Bases are defined through the SmartDashboard’s
Rules menu and use the same network objects. In addition, just as Security Rules
determine whether to allow or deny the connections that match them, Consolidation
Rules determine whether to store or ignore the logs that match them. The key
difference is that a Consolidation Policy is based on logs, as opposed to connections, and
has no bearing on security issues.
FIGURE 2-1 illustrates the Consolidation process, defined by the Consolidation Policy.
After the VPN-1 Pro Modules send their logs to the SmartCenter Server, the Log
Consolidator Engine collects them, scans them, filters out fields defined as irrelevant,
merges records defined as similar and saves them to the SmartView Reporter Database.
FIGURE 2-1 Log Consolidation Process
The SmartView Reporter Server can then extract the consolidated records matching a
specific report definition from the SmartView Reporter Database and present them in a
report layout (FIGURE 2-2):
FIGURE 2-2 Report Generation Process
Two types of reports can be created: Standard Reports and Express Reports. The
Standard Reports are generated from information in log files through the Consolidation
process to yield relevant analysis of activity. Express Reports are generated from
SmartView Monitor history files and are produced much more quickly. Express Reports
also support Provider-1 setups.
SmartView Reporter Standard Reports are supported by two Clients:
• SmartDashboard Log Consolidator — manages the Log Consolidator Engine and
the SmartView Reporter Database via the SmartCenter Server. This Client is
displayed by launching SmartDashboard and selecting
View > Products > Log Consolidator.
• SmartView Reporter Client — generates and manages reports.
FIGURE 2-3 illustrates the SmartView Reporter architecture for Standard Reports:
FIGURE 2-3 SmartView Reporter Standard Report Architecture
The interaction between the SmartView Reporter Client and Server components
applies both to a distributed installation (as shown in FIGURE 2-3), where the
SmartCenter Server and SmartView Reporter’s server components are installed on two
different machines, and to a standalone installation, in which these products are installed
on the same machine.
Log Consolidation Process
It is recommended to use the SmartView Log Consolidator’s predefined Consolidation
Policy, the out_of_the_box Policy, designed to filter out irrelevant logs (such as control
messages) and store the most commonly requested ones (such as blocked connection,
alert or web activity logs). The Log Consolidator Engine scans the Consolidation Rules
sequentially and processes each log according to the first Rule it matches.
FIGURE 2-4 illustrates how the Consolidation Policy processes logs: when a log
matches a Consolidation Rule, it is either ignored or stored. If it is ignored, no record
of this log is saved in the SmartView Reporter system, so its data is not available for
report generation. If it is stored, it is either saved as is (so all log fields can later be
represented in reports), or consolidated to the level specified by the Rule.
FIGURE 2-4 Log Process Chart
The Consolidation is performed on two levels: the interval at which the log was created
and the log fields whose original values should be retained. When several logs matching
a specific Rule are recorded within a predefined interval, the values of their relevant
fields are saved “as is”, while the values of their irrelevant fields are merged (i.e.
“consolidated”) together.
TABLE 2-1 provides a Consolidation example, where three logs of approved NTP
connections match the same Consolidation Rule (NTP is a time protocol that provides
access over the Internet to systems with precise clocks).
The Rule’s store options specify that logs generated within a one hour interval should
be consolidated into a single record, as long as they share the same values for four fields
of interest: destination, interface, Rule name and QoS class. The values of all other
fields are either integrated into their shared value (e.g. the shared Rule Number value,
1), or replaced with the term “consolidated” (e.g. the different Source values). The
consolidated record includes a connection number column, noting how many logs it
represents (in this case, 3).
TABLE 2-1 Consolidation Example
Record        Time   Source        Dest.      I-face  Rule Name  Rule No.  Class  Conn No.
Log 1         10:00  10.1.3.29     172.0.0.1  hme0    NYC        1         Gold
Log 2         10:25  10.15.2.52    172.0.0.1  hme0    NYC        1         Gold
Log 3         10:59  10.56.60.4    172.0.0.1  hme0    NYC        1         Gold
Cons. Record  10:00  Consolidated  172.0.0.1  hme0    NYC        1         Gold   3
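The consolidation steps described above (first-match rule processing, then merging within an interval on the fields of interest), as an added Python illustration that reproduces TABLE 2-1. This is not Check Point code; the field names, the rule structure and the choice to drop logs that match no rule are assumptions made for the example.

```python
# Added illustration of the consolidation logic described in this section.
# Not Check Point code: field names and the rule structure are hypothetical.
from collections import OrderedDict
from datetime import datetime, timedelta

CONSOLIDATED = "Consolidated"


def _log(time, service, source, dest="172.0.0.1", iface="hme0",
         rule_name="NYC", rule_no=1, qos_class="Gold"):
    return {"time": time, "service": service, "source": source, "dest": dest,
            "iface": iface, "rule_name": rule_name, "rule_no": rule_no,
            "qos_class": qos_class}


# Constructed sample input: the three NTP logs of TABLE 2-1 plus one control
# message that the policy is expected to ignore.
SAMPLE_LOGS = [
    _log("10:00", "ntp", "10.1.3.29"),
    _log("10:25", "ntp", "10.15.2.52"),
    _log("10:30", "control", "10.1.3.1", dest="10.1.3.2", rule_name="", rule_no=0,
         qos_class=""),
    _log("10:59", "ntp", "10.56.60.4"),
]

# Hypothetical Consolidation Policy. Rules are scanned in order and the first
# matching rule decides what happens to the log.
POLICY = [
    {"name": "ignore control", "match": lambda l: l["service"] == "control",
     "action": "ignore"},
    {"name": "ntp hourly", "match": lambda l: l["service"] == "ntp",
     "action": "store", "interval": timedelta(hours=1),
     "keep": ("dest", "iface", "rule_name", "qos_class")},
]


def first_match(log, policy):
    """Return the first rule whose condition matches the log, or None."""
    for rule in policy:
        if rule["match"](log):
            return rule
    return None


def interval_start(hhmm, interval):
    """Round an HH:MM timestamp down to the start of its interval."""
    t = datetime.strptime(hhmm, "%H:%M")
    secs = int(interval.total_seconds())
    since_midnight = t.hour * 3600 + t.minute * 60
    start = since_midnight - since_midnight % secs
    return "%02d:%02d" % (start // 3600, start % 3600 // 60)


def consolidate(logs, policy):
    """Apply the policy and return the records that would reach the database."""
    records = OrderedDict()
    for log in logs:
        rule = first_match(log, policy)
        # Assumption: a log that matches no rule is dropped like an ignored one.
        if rule is None or rule["action"] == "ignore":
            continue  # nothing is saved, so reports can never show this log
        if "interval" not in rule:
            # "Store as is": every field survives, one record per log.
            records[("as-is", id(log))] = dict(log, conn_no=1)
            continue
        start = interval_start(log["time"], rule["interval"])
        key = (rule["name"], start) + tuple(log[f] for f in rule["keep"])
        rec = records.get(key)
        if rec is None:
            rec = dict(log, time=start, conn_no=0)
            records[key] = rec
        rec["conn_no"] += 1
        # Fields outside the key keep a shared value or become "Consolidated".
        for field, value in log.items():
            if field != "time" and field not in rule["keep"] and rec[field] != value:
                rec[field] = CONSOLIDATED
    return list(records.values())


if __name__ == "__main__":
    for record in consolidate(SAMPLE_LOGS, POLICY):
        print(record)
```

Once the Source values differ, the individual addresses are gone from the consolidated record, which is why per-source reporting requires listing Source among the retained fields.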
How to interpret User names in DHCP enabled networks
If DHCP address mapping is used, and assuming the DNS knows how to resolve dynamic
addresses, the information you see in the report reflects the correct resolving results for
the time at which the reported log events were processed by the SmartDashboard Log
Consolidator and inserted into the database.
Because of the dynamic nature of DHCP address distribution, there is no guarantee that
consolidation of old log files will produce correct address name resolving.
When DHCP is in use, consolidating log files close to the time of their creation will
improve address-resolving accuracy.
SmartView Reporter Standard Reports
The Log Consolidation process results in a database of the most useful, relevant records,
known as the SmartView Reporter Database. The information is consolidated to an
optimal level, balancing the need for data availability with the need for fast and efficient
report generation.
Reports are generated based on a single database table, specified in the Reports
Selection Bar view > Standard Reports > Report tab. By default, all consolidated records
are saved to the CONNECTIONS table and all reports use it as their data source. However,
each time you install and start the Consolidation Policy, you have the option of storing
records in a different table. You can further organize these tables by moving records
between them as needed and deleting outdated records.
Dividing the consolidated records between different tables allows you to set the
SmartView Reporter Client to use the table most relevant to your query, thereby
improving the SmartView Reporter Server’s performance. In addition, dividing records
between tables facilitates managing the SmartView Reporter Database: you can delete
outdated tables, export tables you are not currently using to a location outside of the
SmartView Reporter Database and import them back when you need them.
SmartView Reporter Express Reports
Express Reports are based on data collected by Check Point system counters and
SmartView Monitor history files. Standard Reports, in contrast, are based on Log
Consolidator logs. Because Express Reports present historical data, they can be
generated more quickly.
SmartView Reporter Express Reports are supported by one Client, the SmartView
Reporter. To configure your system to generate Express Reports, see “Express Reports
Configuration” on page 40.
FIGURE 2-5 illustrates the SmartView Reporter architecture for Express Network
Reports:
FIGURE 2-5 SmartView Reporter Express Report Architecture
Predefined Reports
The SmartView Reporter Client offers a wide selection of predefined reports for both
Standard and Express reporting, designed to cover the most common network queries
from a variety of perspectives.
Report Subjects
The reports are grouped by the following subjects, allowing you to easily locate the one
you need:
• Network Activity (Standard, Express) — this subject includes reports that enable you
to analyze the most popular activities in your network. You can examine your
network activity as a whole or focus on a specific direction (incoming, outgoing or
internal) or activity type (web, ftp or Email). For example, to study network traffic
inside your organization, you can investigate how your web servers, mail servers
and firewalled gateways handle the network load; see which services use most of
the available bandwidth; and find out what are the most popular web sites. You can
detect illegal network traffic, such as connections to banned web sites or use of
prohibited services. To examine the network usage by external sources, you can
explore which sources access the corporate web site, how often and for how long.
A report dedicated to FireWall-1 activity allows you to identify its top services,
sources and destinations. The records are organized both by their direction and by
the action taken by the firewall. In addition, you can follow the firewall activity’s
distribution over various time frames (your working hours, week days and the
selected date range).
• Security (Standard, Express) — this subject includes reports that allow you to focus
on all security-related traffic in your network. For example, you can inspect
connections whose origin or destination is the FireWall-1 machine, monitor
security attacks detected by SmartDefense, or analyze blocked connections and
FireWall-1 alerts.
In addition, you can detect Policy Installations and analyze the Rule Base order on
a specific gateway. Identifying the top matched rules versus the least matched rules
allows you to sort the Security Policy in the most efficient way.
• User Activity (Standard) — this subject includes reports that provide you with
information on how users inside your organization, as well as remote, SecureClient
users, utilize your network resources. You can identify peak activity patterns, in
terms of the most active users, the most commonly used services, the most active
working hours or week days etc.
• VPN-1 (Standard, Express) — this subject includes reports that allow you to analyze
various aspects of your encrypted traffic, such as its distribution over time, the top
services or sources etc. You can examine your VPN-1 activity as a whole, or focus
on a specific VPN Tunnel or VPN Community.
• Executive (Standard, Express) — offers a selection of reports from various subjects
that are of special interest to executives, such as the Network Activity or User
Activity reports.
• System Info (Express) — this subject includes reports that allow you to analyze
various aspects of system load and operational activity, including CPU usage, kernel
usage, and memory usage.
• My Reports (Standard, Express) — select predefined reports and customize to your
needs.
For descriptions of each predefined report available, see Appendix B, “Predefined
Reports”.
Report Structure
Each report consists of a collection of sub-topics known as sections, which cover various
aspects of the report. For example, the User Activity report consists of sections such as
User Activity by Date, Top Users, Top User Activity Services etc.
Each section consists of units, which display the same results in different formats, for
your convenience. For example, the User Activity by Date section displays the same
data in two units: a graph and a table.
Customizing Predefined Reports
In case you have a specific query that is not directly addressed by the predefined reports,
you can easily customize the report that is closest to your needs (by changing its date
range, filters etc.) to provide the desired information. You can save the customized
report under a different name in the report subject dedicated to
user-defined reports, My Reports.
SmartView Reporter Considerations
In This Section
Standalone vs. Distributed Deployment
Log Availability vs. Log Storage and Processing
Log Consolidation Phase Considerations
Report Generation Phase Considerations
SmartView Reporter’s default options have been designed to address the most common
reporting needs. However, to maximize the product’s benefits, it is recommended that
you adapt it to your specific profile. This section describes the considerations you
should take into account before starting to use SmartView Reporter.
Standalone vs. Distributed Deployment
In a standalone deployment, all SmartView Reporter server components (the Log
Consolidator Engine, the SmartView Reporter Database and the SmartView Reporter
Server) are installed on the Check Point SmartCenter Server machine. In a distributed
deployment, the SmartView Reporter server components and the SmartCenter Server
are installed on two different machines and communicate through a special Log
Consolidator Add-on installed on the SmartCenter Server.
The standalone deployment saves dedicating a machine to the SmartView
Reporter, but the distributed deployment significantly improves your system’s
performance.
Log Availability vs. Log Storage and Processing
Since all SmartView Reporter operations are performed on the logs you have saved, the
extent to which you can benefit from this product depends on the quality of the
available logs. Therefore, you must ensure your Security Policy is indeed tracking
(logging) all events you may later wish to see in your reports.
In addition, you should consider how accurately your logs represent your network
activity. If only some of your Rules are tracking events that match them, the events’
proportion in your reports will be distorted. For example, if only the blocked
connections Rule is generating logs, the reports will give you the false impression that
100% of the activity in your network consisted of blocked connections.
On the other hand, tracking multiple connections results in an inflated log file, which
not only requires more storage space and additional management operations, but
significantly slows down the Consolidation process.
Log Consolidation Phase Considerations
Record Availability vs. Database Size
Reports are a direct reflection of the records stored in the SmartView Reporter
Database. To generate detailed, wide-ranging and accurate reports, the corresponding
data must be available in the Database.
However, effective database management requires keeping the database size under
20 GB. As the consolidated records accumulate in the Database, the tables where they
are saved may become quite large. The data gradually approaches the disk space limit,
using more and more memory and slowing down the SmartView Reporter processes
(especially the data retrieval for report generation).
Carefully consider which logs you wish to store, and to what extent you wish to
consolidate them.
Saving Consolidated Records to One vs. Multiple Database Tables
A report is generated based on a single table. If you save all consolidated records to the
same table, all the data is readily accessible and you are saved the trouble of moving
records between tables and selecting the appropriate source table for each report you
wish to generate.
Dividing the records between different tables reduces the report generation time and
allows you to maintain a useful Database size by exporting tables you are not currently
using to an external location.
Report Generation Phase Considerations
Adapting the Report’s Detail Level to your Needs
When a report is very detailed, it may become difficult to sort out the most significant
results and understand the network’s status. To achieve the optimal balance between getting
all the information you need and excluding excessive records, closely examine the
report’s date range, filters (source, destination, service etc.) and filter values, and adjust
them to pinpoint details.
Generating only selected sections and units
By default, all report sections and their units are included in the report generation.
However, to get results faster and improve your machine’s performance, you can
generate only selected sections and units (by unchecking all others in the Report Tree
pane).
Scheduling reports
The Schedule feature allows you to set both delayed and periodic report generations.
If you wish to produce a detailed and lengthy report, you should consider postponing
its generation and scheduling it so that it does not interfere with your employees’
working hours or with times of peak network activity, since such a report generation
might slow down your system.
In addition, it is useful to identify the reports you require on a regular basis (e.g. a daily
alerts report or a monthly user activity report) and schedule their periodic generations.
Report output (display, Email, file, printer etc.).
All predefined report results are displayed on your screen and saved to the SmartView
Reporter Server.
By default, the report is saved in HTML output in an index.htm file; and in CSV
(Comma Separated Values) format in a tables.csv file. The HTML file includes
descriptions and graphs, but the CSV file contains only the report table units, without
a table of contents, descriptions or graphs. The tables.csv is provided in order to
enable convenient table import to applications like Excel.
TABLE 2-2 Report Files and Formats
File Format    HTML                          CSV
File Name      index.htm                     tables.csv
Includes       Table of contents, tables,    Data only. Cell values separated by commas.
               descriptions, graphs.         Rows and tables separated by lines.
Before generating a report, determine whether you want it to be saved or sent to
additional or different targets. For example, when you generate a user activity-related
report, you may wish to make it available to all managers in your organization by
sending them the output via Email or by placing it on your intranet.
SmartView Reporter Configuration
In This Section
Basic Configuration Scenario
Express Reports Configuration
Required Security Policy Configuration
Report Generation Configuration
Consolidation Policy Configuration
SmartView Reporter Database Management
Basic Configuration Scenario
The following procedure allows you to create the most basic SmartView Reporter
configuration. Proceed as follows:
1 In the SmartDashboard, set the relevant Security Policy Rules to track connections
of interest (set each Rule’s Track column to either Log or Account).
2 Launch the SmartView Reporter Client and display the selection bar’s Management
view, to verify that consolidated records have been loaded to the SmartView
Reporter Database.
3 Display the Reports view, select the database tables to be examined and the time
frame for the report, choose the report type, then generate the report.
This general procedure can be used to provide you with any report you are interested
in. For example, to generate a report on illegal attempts to connect to your network,
proceed as follows:
1 In the SmartDashboard, add the following Rule (TABLE 2-3) at the bottom of
your Rule Base:
TABLE 2-3 Security Rule Tracking Illegal Attempts to Connect to the Local Network
Source  Destination      VPN  Service  Action  Track  Install On      Time  Comment
Any     Company_network  Any  Any      Drop    Log    Policy Targets  Any   A rule tracking illegal attempts to connect to the local network
2 Launch the SmartView Reporter Client and display the selection bar’s Management
view, to verify that consolidated records have been loaded to the SmartView
Reporter Database.
3 Display the Reports view and generate the Blocked Connections by Date report.
Required Security Policy Configuration
For a Security Rule to generate logs for connections that match it, the Rule’s Track
column should be set to any value other than None (for example, Log generates a
standard log, while Account generates an accounting log).
Note that in order to obtain accounting information (the number of bytes transferred
and the duration of the connection), the value of the Rule’s Track column must be
Account.
To utilize direction information (“incoming”, “outgoing”, “internal” or “other”), the
organization’s topology must be configured properly. If this is the case, “other” can be
used as a security tool, indicating there were connections whose destination was the
firewall itself.
Express Reports Configuration
The following procedure sets the SmartView Monitor to collect complete system data
in order to produce SmartView Reporter Express Reports. SmartView Monitor settings
are enabled through the SmartDashboard. Proceed as follows:
1 In the SmartDashboard network objects tab of the object tree, select a gateway of
interest. Double click the gateway to open the Check Point Gateway properties
window.
2 You will need to enable the SmartView Monitor to collect data for reporting
purposes through the SmartDashboard.
[If you do not see SmartView Monitor in the selection to the left, enable it through
the General Properties tab. Click General Properties, then in the scroll-down
window of Check Point Products, click Smart View Monitor. It will appear at left.]
Select Smart View Monitor, and in the Smart View Monitor tab, click all the
checkboxes to ensure that SmartView Monitor is collecting every type of data for
reporting purposes.
3 To finish this procedure, in SmartDashboard select Policy > Install Database.
Report Generation Configuration
In This Section
Adapting the Report Properties to your Needs — Overview
SmartView Reporter Database Table
Report Period
Report Filters
Result Calculation and Resolution
Input location
Output location
Scheduling
Preview
Monitoring the Report Status
Displaying Generated Reports
Additional Settings
Report Generation Command Line
Adapting the Report Properties to your Needs — Overview
When you generate a report, you can either use the report as a whole or run a specific
section or a unit.
You can generate the selected component using its default properties, or adjust these
properties to better address your current requirements. This section describes the most
important properties you should examine before generating a report.
SmartView Reporter Database Table
By default, consolidated records are retrieved from the SmartView Reporter Database’s
CONNECTIONS table. If you have divided your records between several tables, choose the
table containing the records you require, e.g. a special table dedicated to records
originating from a specific log server, or a table covering the time frame you are
interested in. To see which table contains the relevant records, display the Management
Selection Bar view.
Select the relevant tables through the Standard Reports view’s Reports tab, by selecting
the tables in the Other Database Tables drop-down list.
Report Period
All predefined reports are set to cover a default time range of a week to a month. You
must change this period to reflect the data’s actual dates and times, and the time period
that you wish to examine.
Tuning Report Time Frame
To improve SmartView Reporter Server performance, when setting a user-defined time
frame for the report, specify a time frame in whole days. When setting a report period,
note that the following settings will slow down the report generation speed:
• Relative Time Frame: Today, Yesterday, Last X hours, This week.
• Specific dates: Limit by hour checkbox.
• Reports for short time periods are generated faster than reports for long time
periods. A weekly report will be generated much faster than a monthly report.
Report Filters
Reports are based on records of the most commonly required filters (e.g. Source,
Destination etc.). Specifying the appropriate filter settings is the key to extracting the
information you are looking for.
For each filter you choose, specify the values (e.g. network objects, services etc.) to be
matched out of all values available for that filter. The available values are taken from the
SmartCenter Server and are refreshed on a regular basis. If you cannot see a value you
have added through SmartDashboard in the available values list, refresh the list by
selecting a different filter and then return to the previous one.
The SmartView Reporter Client also allows you to include additional objects, by
manually adding them to the matched values list.
Filters and their values can be specified both on the report level and on its unit level.
The report level settings are enforced on the unit level as well (for example, if you
choose to include specific sources in the report, these sources will also be included in
its units). If you set a specific unit-level filter and then choose a different report-level
filter, the latter overrides the former.
Tuning Report Filters
If you define different filters for different units that share the same cached SQL, the
SQL caching will no longer be viable and the report generation time will significantly
increase. It is recommended that you define filters at the report level only.
Result Calculation and Resolution
Data Calculation Scheme
By default, report calculations are based on the number of events logged. If you have
logged accounting data (done by setting the Security Rule’s Track column to Account),
you can base the report calculations on the number of bytes transferred.
Sort Parameter
You may sort the results by one of two parameters: the number of bytes transferred and
the number of events logged. Note that an event takes on different meanings,
depending on its context. In most cases, the number of events refers to the number of
connections. Access this through the Tools > Options menu.
The number of bytes transferred can be calculated only if the Security Rules’ Track
column is set to Account. The number of events logged can be calculated as long as the
Track column is set to Log or Account.
If both types of information are available, they will both be displayed in the sort order
you have specified. For example, a table listing the most active sources in your system
can first specify the number of events each source generated and then note the number
of bytes related to its activity.
In addition, the unit’s Unit tab allows you to select the resolution type (byte or time)
and its level.
Format
If user names are stored in an LDAP server, the names will include the full LDAP path
in the FireWall-1 log files. The way the report shows the user name can be changed
through the Tools menu > Options > General tab. By default, the Show abbreviated LDAP
user name check box is selected, so that generated reports display only the user name
part of the full LDAP name. To see the name with full LDAP path, uncheck this box.
Input location
The modules from which you collect data can be modified through the report’s Input tab,
which lets you select the following:
• the module or modules of origin
• whether to collect data per module or as a group, if you have selected more than
one module
Output location
Report results are saved in subdirectories of the Results subdirectory of the SmartView
Reporter Server as follows:
ResultNG_AIbin<Report Name><Generation Date & Time>
For each report, a directory with the report’s name “<Report Name>” is created in
bin, with a subdirectory named with the generation date and time “<Generation
Date & Time>.” The report is generated into this “<Generation Date & Time>”
subdirectory.
The Result location can be modified by selecting Tools > Options from the menu and
specifying the desired location in the Result Location field of the Options window’s
Generation page.
In addition to saving the result to the SmartView Reporter Server, you can send it to
any of the following:
• The Client’s display (the default setting).
• Email recipients.
• An ftp or a web server. See “How to upload reports to an FTP server” on page 60.
The Mail Information page of the Options window allows you to specify both the
sender’s Email address and the mail server to be used. It also allows you to specify the
degree of message severity (Information, Warning or Error) that is to be sent to the
administrator.
The Mail Information page of the Tools > Options window allows you to specify that an
administrator receive warnings about errors. To enable this option, fill in the
Administrator email address, and choose the severity factor for which an error message
will be sent, by checking one or more of the severity levels in the Specify the severity
of the administrator email notification section.
Scheduling
Schedules are managed through the Report’s Schedule tab. All schedules of all reports
defined in the system can be viewed through the Schedules option of the Selection Bar’s
Management view.
To improve performance, schedule report generation when there is less traffic and fewer
logs are being generated, so the log consolidator is consuming fewer resources. For
example, schedule reports on nights and weekends.
History
The reporting server can store a limited amount of Report-generation status records. In
order to modify the amount of information stored, go to the Tools > Options window,
and select the History page. Modify the amount in Report history size.
When the quantity of the status reports passes the limit, the oldest status record is
deleted. You can decide whether you would like the associated generated Report to be
deleted as well by changing the Report output delete method setting.
In addition, you can also specify the maximum number of Consolidation Status records
that are displayed in the Management view, by modifying the Consolidation history size.
Preview
If the report you wish to generate covers a wide time frame (e.g. a quarterly network
activity report), its generation may be time consuming. To verify that you have chosen the
appropriate settings, you can test the output by generating a partial preview of the
report (select Actions > Preview Report from the menu).
The Preview option (set by selecting Tools > Options... from the menu) specifies the
percentage (1 to 20) of the report time frame to be included in the preview. For
example, if the report period covers 30 days and you set the preview to 10%, it will
only show records logged during the first three days of that time frame.
Monitoring the Report Status
The Selection Bar’s Report Generation view’s Currently Active option allows you to
follow the report generation progress. Once the generation is complete, it is recorded in
the view’s History option.
Displaying Generated Reports
The Selection Bar’s Report Generation view’s History option lists all past report
generations. Double click any generation record to display the report it describes.
Additional Settings
The Options window allows you to specify additional settings including the name and
the location of the logo to be displayed in the report header, as well as where to Email
reports, and report-sorting settings.
By default, the logo file is saved in the SmartViewReporterNGbin directory.
Report Generation Command Line
For your convenience, it is possible to generate reports both through the SmartView
Reporter Client and through the command line.
Generating reports using the command line GeneratorApp has the following
limitations:
• No report status updates in the Report Generation view’s Currently Active window.
• No distribution of the report result.
To generate reports through the command line, go to the SmartViewReporterNGbin
directory on the SmartView Reporter Server machine and run the following command:
Usage: GeneratorApp.exe [Directory/""] {ReportID}
For example, to generate the Security report, whose ID is
{475AD890-2AC0-11d6-A330-0002B3321334}, run the following command:
GeneratorApp.exe c:\reports\Security {475AD890-2AC0-11d6-A330-0002B3321334}
If the directory is empty (""),
<Result directory><Report Name><Generation Date & Time>
would be used as the directory. The default location is:
c:Program FilesCheckPointSmartViewReporterNGResults
For a list of all Report IDs, see Appendix B, “Predefined Reports.”
Consolidation Policy Configuration
In This Section
Overview
Customizing Predefined Consolidation Rules
Setting the Log Consolidator Engine to Scan Specific Logs
Committing Consolidated Logs to a Specific Database Table
Configuring the Log Consolidator Engine’s DNS Settings
Monitoring the Log Consolidator Engine and Database Statuses
Overview
The out_of_the_box Consolidation Policy has been designed to address the most
common Consolidation needs. However, in case you have specific Consolidation needs
that are not covered by this Policy, the Consolidation Rules can be modified as needed.
To modify the Consolidation settings, proceed as follows:
1 Display the SmartDashboard’s Log Consolidator View, by selecting
View > Products > Log Consolidator from the menu.
2 Modify the out_of_the_box Policy’s Consolidation Rules as needed.
3 Save the modified Policy under a different name (select File > Save As from the
menu and specify the modified Policy’s name).
4 Install the modified Consolidation Policy and start the SmartDashboard Log
Consolidator (by selecting Policy > Install and Start... from the menu), using the
following default settings:
• Fetch logs from the Primary SmartCenter Server.
• Continue the Consolidation from its last run (which in this case is the beginning
of the fw.log file).
• Save the consolidated records to the default table (CONNECTIONS).
Starting and Stopping the Log Consolidator Engine
Starting the Log Consolidation Engine
If the Log Consolidation Engine is not running, you can start the Engine according to
the Consolidation Policy that was last installed.
To start the Log Consolidation Engine, choose Start from the Engine menu. The Log
Consolidation Engine begins running according to the most recently installed
Consolidation Policy.
Stopping the Log Consolidation Engine
To stop the Log Consolidation Engine, choose Stop from the Engine menu, or click
in the toolbar. The Stop Engine window is displayed.
Choose one of the following:
• Shutdown — This option stops the Log Consolidation Engine in an orderly way.
All data that has been consolidated up to this point is stored in the Database.
Shutdown may take several minutes to an hour.
• Terminate — This option stops the Log Consolidation Engine immediately. Data
that has been consolidated but not yet stored in the Database is not saved.
Specifying the Consolidation Rule’s Store Options
To specify whether logs matching a Consolidation Rule should be skipped or copied to
the SmartView Reporter Database, right click the Rule’s Action column and choose
Ignore or Store (respectively).
In general, it is recommended to place “Ignore” Rules at the beginning of the Rule
Bases, especially for services that are logged frequently but are not of interest for
reports. “Ignore” Rules do not require Consolidation processes and, therefore, enable
the Log Consolidator Engine to move quickly through the logs. The Log Consolidator
Engine does not have to consolidate and store an event that matches an “Ignore” Rule
and can quickly move to the next entry in the Log file.
The Rule order is also based on how frequently services are used. Rules regarding the
most common services are defined before those addressing less common services. In this
way, the Log Consolidator Engine does not have to scan a lengthy Rule Base in order
to process most of your log data.
If you choose to store the logs, double click the Action cell to specify their storage
format in the Store Options window. Choose one of the following:
• As Is — all log fields will be stored in the SmartView Reporter Database and will
be available for report generation. This is the default storage option.
• Consolidated — specify the following Consolidation parameters:
• The interval at which logs matching this Rule are consolidated (e.g. all logs
generated within a 10 minute interval). Hourly intervals are measured.
• The log fields whose original values are retained (in addition to the Product,
Origin, Date and Customer log fields, whose values are always saved). The other
fields’ values are merged (consolidated) with the corresponding values of the logs
included in this interval (see “Log Consolidation Process” on page 30).
If you wish to save all stored connections as is, you can disable the Consolidation
settings of the entire Policy by selecting Policy > Global Properties... from the menu,
displaying the Advanced settings tab of the Log Consolidator Policy Properties window
and unchecking Consolidate log entries.
By default, the Log Consolidator Engine loads the consolidated records to the
SmartView Reporter Database once an hour. Display the Advanced Settings tab of the
Log Consolidator Policy Properties window and choose a different value from the Stop
consolidation and commit work to database every drop-down list.
Customizing Predefined Consolidation Rules
This section provides instructions on modifying specific out_of_the_box Rules to better
address your specific consolidation requirements. For a detailed description of the
out_of_the_box Rules, see Appendix A, “Out_of_the_box Consolidation Policy.”
If you wish to filter out all broadcast messages (both allowed and disallowed), proceed as
follows:
1 In the Security Policy, define a group of objects with broadcast IP addresses.
2 In the out_of_the_box Consolidation Policy, activate the broadcast Rule and add
the broadcast group to its Destination column.
If your network uses a mail server group, you can split the SMTP Rule into the
following two Rules that collect data on how mail resources are used:
• A Rule consolidating connections from the mail server group.
Records consolidated by this Rule can be used for reports on how mail
connections are balanced between the servers. This Rule’s Store Options retain the
original values of the Authenticated User, Destination, and Service log fields.
• A Rule consolidating connections to the mail server group.
Records consolidated by this Rule can be used for reports on how local users access
the mail servers. This Rule’s Store Options retain the original values for the
Authenticated User, Source, and Service log fields.
Setting the Log Consolidator Engine to Scan Specific Logs
The Consolidation Policy is installed and started through the Install and Start window
(FIGURE 1-7), accessed by selecting Policy > Install and Start...
To set the Log Consolidator Engine to scan specific logs, specify the following
parameters:
1 Log Server — select the log server providing the logs for Consolidation from the
drop-down list and click Fetch data from log server.
2 Log File — choose the log file to be scanned. If you have copied log files from
other log servers to the SmartCenter Server, these external log files will be
available.
3 Log Entry — the specific log entry within the selected log file, from which the Log
Consolidator Engine starts running.
Committing Consolidated Logs to a Specific Database Table
In the above Install and Start window, select the SmartView Reporter Database table to
which the consolidated logs are to be saved from the Target Table options.
Configuring the Log Consolidator Engine’s DNS Settings
Resolving the source and destination names slows down the Consolidation process. You
can balance the need for name availability in your consolidated records with the need
for a satisfactory performance level, by adapting the Log Consolidator Engine’s DNS
setting to your specific needs: select Policy > Global Properties... from the menu and
specify the appropriate settings in the DNS settings tab of the Log Consolidator
SmartDashboard window. This setting will come into effect after a Log Consolidator
policy is installed, or even if the Log Consolidator Engine is stopped and started.
Monitoring the Log Consolidator Engine and Database Statuses
The Log Consolidator Engine and SmartView Reporter Database statuses can be
monitored through either one of the SmartView Reporter clients.
The SmartView Log Consolidator provides a detailed account of these statuses (as well
as DNS statistics) through the Engine and Database status window, displayed by
selecting Engine and Database status from the SmartView Log Consolidator’s Status
menu. If this information cannot be obtained, the window specifies the reason for the
problem (for example: the Log Consolidation Engine service is not started).
The SmartView Reporter Client offers more basic Consolidation information (such as
the names of the log file scanned and the target SmartView Reporter Database table)
through its Management view.
It is recommended to check these statuses before you begin generating reports, to verify
that the Log Consolidator Engine is indeed processing logs and that it has already saved
the consolidated records to the SmartView Reporter Database.
SmartView Reporter Database Management
All database management operations are performed through the SmartView Log
Consolidator’s Database menu.
Tuning the SmartView Reporter Database
To improve performance, adjust the database cache size to match the computer’s
available memory. Place the database data and log files on different hard drives (physical
disks), if available.
Modifying SmartView Reporter Database Configuration
It is possible to change the SmartView Reporter Database settings by editing the
solid.ini file, located in the CheckPointSmartViewReporterNG_AIDatabase
directory. Note that before editing the solid.ini file, you must:
1 Stop all SmartView Reporter services (such as the Log Consolidator, Reporter
Database and Reporter Server services) by running rmdstop.
2 Back up the solid.ini file before modifying it.
Note - Although it is possible to give the file(s) any name, the naming convention cannot be
changed. The file name must contain a *.db extension.
When editing a value in solid.ini file, do not add any spaces or tabs before or after
the '=' sign on each row.
After completing your editing, ensure that you restart SmartView Reporter services by
running rmdstart.
Changing the SmartView Reporter Database Cache Size
To change the Database cache size, modify the CacheSize value in the solid.ini file.
CacheSize represents the size of the memory cache in bytes, and is always a multiple of
1024. Ensure that you do not set the cache size too large to fit into the computer’s
available memory.
Increasing the SmartView Reporter Database Size
The default size of the database is 20 GB, allocated in 10 separate files of 2 GB each.
You can increase the allocated size of the database by adding more files. To increase the
Reporting Database size limit, proceed as follows:
Warning - Make sure all the SmartView Reporter services are stopped before
editing solid.ini.
1 In the IndexFile section of the solid.ini file, add lines with FileSpec_#.
Each of these lines enlarges the Database size limit by 2 GB, which is the maximum
byte size per line.
Warning - Do not change the size of an existing database file in order to increase database
space.
For example, the following default configuration amounts to a 20 GB limit:
[IndexFile]
...
FileSpec_1=./Database/RT_Database.db 2147483647
FileSpec_2=./Database/RT_Database2.db 2147483647
FileSpec_3=./Database/RT_Database3.db 2147483647
………
………
FileSpec_10=./Database/RT_Database4.db 2147483647
CacheSize=33554432
Adding the following line will enlarge the database size limit to 22 GB:
FileSpec_11=./Database/RT_Database11.db 2147483647
2 Restart the SmartView Reporter services.
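The solid.ini rules given in this section (no spaces or tabs around '=', a CacheSize that is a multiple of 1024, at most 2147483647 bytes per FileSpec_# line, a .db extension, and no resizing of an existing file) can be checked before the services are restarted. The following Python check is an added example, not Check Point code; its function names, the comparison against the backup copy of solid.ini, and the sample file contents are assumptions constructed for illustration.

```python
import re

MAX_FILE_BYTES = 2147483647  # largest size the guide allows on one FileSpec_# line


def parse(text):
    """Return (entries, problems); entries maps (section, key) -> value."""
    entries, problems, section = {}, [], None
    for number, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        if "=" not in line:
            continue  # blank lines, "..." and anything else that is not key=value
        key, value = raw.split("=", 1)
        if key != key.rstrip() or value != value.lstrip():
            problems.append(f"line {number}: space or tab next to '=' in {key.strip()}")
        entries[(section, key.strip())] = value.strip()
    return entries, problems


def file_specs(entries):
    """Return [(key, path, size)] for each FileSpec_#; size is None if malformed."""
    specs = []
    for (section, key), value in entries.items():
        if section == "IndexFile" and re.fullmatch(r"FileSpec_\d+", key):
            parts = value.rsplit(None, 1)
            path, size = parts if len(parts) == 2 else ("", "")
            specs.append((key, path, int(size) if size.isdecimal() else None))
    return specs


def check_solid_ini(edited, original=None, available_memory=None):
    """List every rule from this section that the edited text breaks.

    original: text of the backup taken before editing (optional).
    available_memory: bytes of free RAM to compare CacheSize against (optional).
    """
    entries, problems = parse(edited)
    specs = file_specs(entries)
    for key, path, size in specs:
        if not path or size is None:
            problems.append(f"{key}: expected '<path> <size in bytes>'")
            continue
        if not path.lower().endswith(".db"):
            problems.append(f"{key}: file name must have a .db extension")
        if size > MAX_FILE_BYTES:
            problems.append(f"{key}: {size} bytes exceeds the 2 GB per-line maximum")
    if original is not None:
        before = {key: size for key, _, size in file_specs(parse(original)[0])}
        for key, _, size in specs:
            if key in before and size != before[key]:
                problems.append(f"{key}: existing file resized; add a FileSpec_# line instead")
    for (_, key), value in entries.items():
        if key != "CacheSize":
            continue
        if not value.isdecimal() or int(value) % 1024:
            problems.append("CacheSize: must be a byte count that is a multiple of 1024")
        elif available_memory is not None and int(value) > available_memory:
            problems.append("CacheSize: larger than the available memory")
    return problems


def size_limit_bytes(text):
    """Database size limit: the sum of all well-formed FileSpec_# sizes."""
    return sum(size or 0 for _, _, size in file_specs(parse(text)[0]))


# Constructed sample: the default ten-file layout described in this section.
ORIGINAL = "[IndexFile]\n" + "".join(
    f"FileSpec_{i}=./Database/RT_Database{'' if i == 1 else i}.db 2147483647\n"
    for i in range(1, 11)
) + "CacheSize=33554432\n"

# Constructed sample: an edit that breaks several of the rules at once.
EDITED = (
    ORIGINAL.replace("RT_Database2.db 2147483647", "RT_Database2.db 4294967296")
    .replace("CacheSize=33554432", "CacheSize=33554000")
    + "FileSpec_11=./Database/RT_Database11.db 2147483647\n"
    + "FileSpec_12 = ./Database/RT_Database12.db 2147483647\n"
    + "FileSpec_13=./Database/RT_Database13.dat 2147483647\n"
)

if __name__ == "__main__":
    for problem in check_solid_ini(EDITED, original=ORIGINAL):
        print(problem)
    print("size limit:", size_limit_bytes(EDITED), "bytes")
```

Run the check against the edited file and the backup copy while the services are still stopped, and restart them only when the returned list is empty.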
Changing the SmartView Reporter Database Data and Log Files Location
Disk contention occurs when multiple processes try to access the same disk
simultaneously. To avoid this, move files from heavily accessed disks to less active disks
until they all have roughly the same amount of load. To improve performance, use a
separate disk for Database Log files. To distribute the SmartView Reporter database files
between different physical disks, proceed as follows:
1 Use a separate disk for Database Log files:
Under the [Logging] section in the solid.ini file, specify the new location of the log
files by modifying the line:
FileNameTemplate=./Log/sol#####.log
For example:
FileNameTemplate=F:/ReporterLogs/sol#####.log
Do not change the original log file name, and ensure that the specified folder (e.g.
W:/ReporterLogs) exists.
2 Divide Database files between several disks:
Under the [IndexFile] section, specify a new location for Database files by
modifying the relevant Database file line (e.g. FileSpec_1, FileSpec_2 etc.).
For example:
FileSpec_1=E:/RT_Database.db 2147483647
You must then physically move these files to their new locations.
3 Use a separate disk for the Sort folder:
Under the [Sorter] section, specify the new location of the Sort folder by
modifying the line:
TmpDir_1=./Sort
For example:
TmpDir_1=D:/Sort
Make sure the specified location (e.g. D:/Sort) exists.
Backing Up the SmartView Reporter Database
The SmartView Reporter Database system consists of a set of files that can be copied,
compressed or backed up like any other file. Backup files require the same disk space as
the original files. It is highly recommended to save backup copies of the SmartView
Reporter Database files, which can later be used to recover from an unexpected
database corruption. Proceed as follows:
1 Stop the SmartView Reporter services:
• Windows — in the Services window (accessed from the Start menu, by selecting
Settings > Control Panel > Services), select the Check Point Reporting
Database Server service and click Stop.
This automatically stops the Check Point SmartView Log Consolidator and
the Check Point Reporting Database Server services as well.
• Solaris — use rmdstop.
2 From the SmartView Reporter Database directories, copy RT_Database.db
through RT_Database10.db to the backup location (you may compress them to
save disk space).
3 Restart the SmartView Reporter services, starting with the Check Point
Reporting Database Server service.