SmartView Reporter

         NG with Application Intelligence (R55)




For additional technical information about Check Point products, consult Check Point’s SecureKnowledge at

                            http://support.checkpoint.com/kb/


                       See the latest version of this document in the User Center at:
            http://www.checkpoint.com/support/technical/documents/docs_r55.html




                                              Part No.: 700727
                                               October 2003
© 2002-2004 Check Point Software Technologies Ltd.

    All rights reserved. This product and related documentation are protected by copyright
    and distributed under licensing restricting their use, copying, distribution, and
    decompilation. No part of this product or related documentation may be reproduced in
    any form or by any means without prior written authorization of Check Point. While
    every precaution has been taken in the preparation of this book, Check Point assumes
    no responsibility for errors or omissions. This publication and features described herein
    are subject to change without notice.

RESTRICTED RIGHTS LEGEND:
    Use, duplication, or disclosure by the government is subject to restrictions as set forth
    in subparagraph (c)(1)(ii) of the Rights in Technical Data and Computer Software clause
    at DFARS 252.227-7013 and FAR 52.227-19.

TRADEMARKS:
    Check Point, the Check Point logo, ClusterXL, ConnectControl, FireWall-1, FireWall-1
    GX, FireWall-1 SecureServer, FireWall-1 SmallOffice, FireWall-1 VSX, FireWall-1 XL,
    FloodGate-1, INSPECT, INSPECT XL, IQ Engine, MultiGate, Open Security Extension,
    OPSEC, Provider-1, SecureKnowledge, SecurePlatform, SecureXL, SiteManager-1,
    SmartCenter, SmartCenter Pro, SmartDashboard, SmartDefense, SmartLSM,
    SmartMap, SmartUpdate, SmartView, SmartView Monitor, SmartView Reporter,
    SmartView Status, SmartView Tracker, SmartConsole, TurboCard, Application
    Intelligence, SVN, UAM, User-to-Address Mapping, UserAuthority, VPN-1, VPN-1
    Accelerator Card, VPN-1 Net, VPN-1 Pro, VPN-1 SecureClient, VPN-1 SecuRemote,
    VPN-1 SecureServer, VPN-1 SmallOffice and VPN-1 VSX are trademarks or registered
    trademarks of Check Point Software Technologies Ltd. or its affiliates. All other product
    names mentioned herein are trademarks or registered trademarks of their respective
    owners.
    The products described in this document are protected by U.S. Patent No. 6,496,935,
    5,606,668, 5,699,431 and 5,835,726 and may be protected by other U.S. Patents,
    foreign patents, or pending applications.

THIRD PARTIES:

Entrust is a registered trademark of Entrust Technologies, Inc. in the United States and
other countries. Entrust’s logos and Entrust product and service names are also trademarks
of Entrust Technologies, Inc. Entrust Technologies Limited is a wholly owned subsidiary of
Entrust Technologies, Inc. FireWall-1 and SecuRemote incorporate certificate management
technology from Entrust.

Verisign is a trademark of Verisign Inc.

The following statements refer to those portions of the software copyrighted by University of
Michigan. Portions of the software copyright © 1992-1996 Regents of the University of
Michigan. All rights reserved. Redistribution and use in source and binary forms are
permitted provided that this notice is preserved and that due credit is given to the University
of Michigan at Ann Arbor. The name of the University may not be used to endorse or
promote products derived from this software without specific prior written permission. This
software is provided “as is” without express or implied warranty. Copyright © Sax Software
(terminal emulation only).

The following statements refer to those portions of the software copyrighted by Carnegie
Mellon University.
Copyright 1997 by Carnegie Mellon University. All Rights Reserved.
Permission to use, copy, modify, and distribute this software and its documentation for any
purpose and without fee is hereby granted, provided that the above copyright notice appear
in all copies and that both that copyright notice and this permission notice appear in
supporting documentation, and that the name of CMU not be used in advertising or publicity
pertaining to distribution of the software without specific, written prior permission. CMU
DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE, INCLUDING ALL
IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS, IN NO EVENT SHALL
CMU BE LIABLE FOR ANY SPECIAL, INDIRECT OR CONSEQUENTIAL DAMAGES OR
ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS,
WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS
ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE
OF THIS SOFTWARE.

The following statements refer to those portions of the software copyrighted by The Open
Group.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
NONINFRINGEMENT. IN NO EVENT SHALL THE OPEN GROUP BE LIABLE FOR ANY
CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT,
TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE
SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

The following statements refer to those portions of the software copyrighted by The
OpenSSL Project. This product includes software developed by the OpenSSL Project for
use in the OpenSSL Toolkit (http://www.openssl.org/). THIS SOFTWARE IS PROVIDED BY
THE OpenSSL PROJECT ``AS IS'' AND ANY EXPRESSED OR IMPLIED WARRANTIES,
INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
IN NO EVENT SHALL THE OpenSSL PROJECT OR ITS CONTRIBUTORS BE LIABLE
FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

The following statements refer to those portions of the software copyrighted by Eric Young.
THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND ANY EXPRESS OR
IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. Copyright © 1998 The Open
Group.

The following statements refer to those portions of the software copyrighted by
Jean-loup Gailly and Mark Adler Copyright (C) 1995-2002 Jean-loup Gailly and
Mark Adler. This software is provided 'as-is', without any express or implied
warranty. In no event will the authors be held liable for any damages arising from
the use of this software. Permission is granted to anyone to use this software for
any purpose, including commercial applications, and to alter it and redistribute it
freely, subject to the following restrictions:
1. The origin of this software must not be misrepresented; you must not claim that
you wrote the original software. If you use this software in a product, an
acknowledgment in the product documentation would be appreciated but is not
required.
2. Altered source versions must be plainly marked as such, and must not be
misrepresented as being the original software.
3. This notice may not be removed or altered from any source distribution.

The following statements refer to those portions of the software copyrighted by the
Gnu Public License. This program is free software; you can redistribute it and/or
modify it under the terms of the GNU General Public License as published by the
Free Software Foundation; either version 2 of the License, or (at your option) any
later version. This program is distributed in the hope that it will be useful, but
WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
General Public License for more details. You should have received a copy of the
GNU General Public License along with this program; if not, write to the Free
Software Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.

The following statements refer to those portions of the software copyrighted by Thai Open
Source Software Center Ltd and Clark Cooper Copyright (c) 2001, 2002 Expat maintainers.
Permission is hereby granted, free of charge, to any person obtaining a copy of this
software and associated documentation files (the "Software"), to deal in the Software
without restriction, including without limitation the rights to use, copy, modify, merge,
publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to
whom the Software is furnished to do so, subject to the following conditions: The above
copyright notice and this permission notice shall be included in all copies or substantial
portions of the Software. THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY
OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE
WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS
BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN
ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.



Check Point Software Technologies Ltd.

U.S. Headquarters: 800 Bridge Parkway, Redwood City, CA 94065, Tel: (650) 628-2000 Fax: (650) 654-4233, info@CheckPoint.com
International Headquarters: 3A Jabotinsky Street, Ramat Gan, 52520, Israel, Tel: 972-3-753 4555 Fax: 972-3-575 9256, http://www.checkpoint.com
Table Of Contents

Chapter 1   Getting Started
             Installing SmartView Reporter 5
                Overview 5
                Standalone Installation 6
                Distributed Installation 9
             Starting SmartView Reporter 21

Chapter 2   SmartView Reporter
             The Need for Reports 27
             SmartView Reporter Solution 28
               SmartView Reporter — Overview 28
               Log Consolidation Process 30
               SmartView Reporter Standard Reports 32
               SmartView Reporter Express Reports 33
               Predefined Reports 33
             SmartView Reporter Considerations 35
               Standalone vs. Distributed Deployment 35
               Log Availability vs. Log Storage and Processing 36
               Log Consolidation Phase Considerations 36
               Report Generation Phase Considerations 37
             SmartView Reporter Configuration 38
               Basic Configuration Scenario 38
               Required Security Policy Configuration 39
               Express Reports Configuration 40
               Report Generation Configuration 40
               Consolidation Policy Configuration 45
               SmartView Reporter Database Management 49

Chapter 3   How To
             SmartView Reporter Instructions 55
               How to re-consolidate logs according to a different Consolidation Policy 55
               How to generate reports based on data unavailable in the Database 56
               How to include URL information in web activity reports 56
               How to retain log fields not listed in the Store Properties window 57
               How to adapt reports to your specific needs 57
               How to schedule generations of the same report using different settings (a different output or style) 58
               How to recover the SmartView Reporter Database 58
               How to interpret report results whose direction is “other” 58
               How to view report results without the SmartView Reporter Client 58
               How to upload reports to a web server 59


                                                                                      Table of Contents 3
How to upload reports to an FTP server 60
                How to improve performance 61

Appendix A   Out_of_the_box Consolidation Policy
              Overview 65
              Out_of_the_box Consolidation Rules 66


Appendix B   Predefined Reports
              Executive Reports 69
              Network Activity Reports 71
              Security Reports 74
              VPN-1 Reports 74
              User Activity Reports 75
              System Information Reports 76
              My Reports 76

             Index   77




CHAPTER   1




              Getting Started

              In This Chapter

               Installing SmartView Reporter                                   page 5
               Starting SmartView Reporter                                     page 21

Installing SmartView Reporter
              In This Section

               Overview                                                        page 5
               Standalone Installation                                         page 6
               Distributed Installation                                        page 9

   Overview
      SmartView Reporter can be installed in either a “Standalone” installation, or a
      “Distributed” installation:
     • Standalone installation — SmartView Reporter is installed on the SmartCenter
        Server machine.
     • Distributed installation — SmartView Reporter is installed on a machine dedicated
        to reporting purposes. In addition, SmartView Reporter Add-on is installed on the
        SmartCenter Server machine. The add-on contains both data files (with report
        definitions) and a component that allows SmartDashboard to connect to SmartView
        Reporter Server.
        A distributed installation requires establishing Secure Internal Communication
        (SIC) between the two machines. The distributed installation is recommended,
        since it provides better performance.





             Performance Tips
             To maximize the performance of your SmartView Reporter Server, follow these
             guidelines:

             Hardware Recommendations
             •     Use a computer that meets at least the minimum hardware requirements specified in
                   the Release Notes at:
                   http://www.checkpoint.com/techsupport/installation/ng/release_notes.html
             •     Configure the network connection between the SmartView Reporter Server
                   machine and the SmartCenter Server, or the Log Server, for the best available speed.
             •     Use the fastest disk available, that is, the one with the highest RPM (revolutions per minute).
             •     Add memory to the machine; more memory significantly improves performance.

             Installation

             Choose a distributed configuration, dedicating a computer to Consolidation and
             Report generation operations only.

             Supported Platforms
             Windows and Solaris support both standalone and distributed installations.
             Linux and Nokia IPSO support only the SmartView Reporter Add-on, that is, the SmartCenter
             side of a distributed configuration. They cannot host a standalone installation or the
             SmartView Reporter Server of a distributed configuration.



      Standalone Installation

                      In This Section

                        Windows Platform                                                     page 6
                        Solaris Platform                                                     page 9

             Windows Platform
             1     To begin the installation, log in as an Administrator and launch the Wrapper
                   by double-clicking the setup executable.
             2     Select the products that you would like to install. The following components
                   represent the minimum standalone component requirements for SmartView
                   Reporter:





    • SmartCenter
    • SmartConsole
    • SmartView Reporter
FIGURE 1-1 Standalone Deployment - for Windows




Depending on the components that you have chosen to install, you may need to take
additional steps before reaching step 3.
3   Accept the default directory, or browse to the location in which SmartView
    Reporter is to be installed.
4   Select Local SmartView Reporter Installation to install SmartView Reporter
    on the local machine.
5   Accept the default directory, or browse to the location in which the output files
    generated by SmartView Reporter are to be written.
    Click Next and reboot the machine to complete the installation of
    SmartView Reporter and continue with the next phase of the installation.
6   Launch SmartDashboard.
7   Edit the host properties for the SmartView Reporter machine.






             FIGURE 1-2 Edit the Host properties




             8     Clear and then re-select the SmartView Reporter checkbox. The host is not treated as a
                   SmartView Reporter host until this checkbox has been explicitly selected. Then click OK.
             FIGURE 1-3 Select SmartView Reporter in the listbox







   9   After activating the SmartView Reporter host, install the Security Policy
       (Policy > Install) or install the database (Policy > Install Database) so that
       SmartView Reporter becomes fully functional.

   Solaris Platform
   1   To begin the installation, mount the CD on the relevant subdirectory and
       launch the wrapper as follows:
   2   In the mounted directory, run the script UnixInstallScript.
   3   Read the End-User License Agreement (EULA) and, if you accept it, click Yes.

   4   Select whether you would like to perform an upgrade or create a new installation.
   5   Continue from step 2 on page 6 to complete the process.
   FIGURE 1-4 Standalone Deployment - for Solaris




Distributed Installation
   In a distributed installation, SmartView Reporter is installed on a different machine from
   the SmartCenter Server.







                      In This Section

                        Windows Platform                                                           page 10
                        Solaris Platform                                                           page 14
                        Linux                                                                      page 16
                        Nokia IPSO                                                                 page 17

             Windows Platform
             This installation process consists of three phases:
             • Install SmartView Reporter
             • Install SmartCenter and the SmartView Reporter Add-On
             • Prepare SmartView Reporter in SmartCenter

             Phase 1 - Installing the SmartView Reporter

             1     Select SmartView Reporter and SmartConsole (optionally) for installation.

                 Note - Although SmartConsole does not have to be installed on this machine, if it is, you
                 have direct UI access to the SmartCenter server from this machine, thereby simplifying the
                 final installation steps.

             FIGURE 1-5 Distributed deployment - for Windows







Depending on the components that you have chosen to install, you may need to take
additional steps (such as installing other components and/or license management) before
reaching step 2.
2   Accept the default directory, or browse to the location in which SmartView
    Reporter is to be installed.
3   Select a folder in which the output files generated by SmartView Reporter
    are to be written.
Depending on the components that you have chosen to install, you may need to take
additional steps before reaching step 4.
4   Enter the Activation Key in the specified fields. Remember the key; you will need
    to enter it again in SmartDashboard when you initialize SIC for this host. The key is
    the shared secret from which SIC trust between the two machines is bootstrapped,
    so choose one that cannot be guessed and pass it to the SmartCenter administrator
    out of band rather than over e-mail or chat.
    Click Finish to complete the installation of SmartView Reporter.
FIGURE 1-6 SIC activation
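As an added illustration (not part of the Check Point guide), the following POSIX shell script generates a one-time Activation Key of adequate strength and checks it before you type it into the installer above and, later, into the SmartDashboard Communication dialog. The minimum length and the character-class rules are assumptions made for this example, not Check Point requirements; SIC itself is initialized exactly as the steps of Phase 1 and Phase 3 describe, and this script does not talk to any Check Point component.

```shell
#!/bin/sh
# Added example, not Check Point code: produce and vet a one-time SIC
# Activation Key on the administrator's workstation.
# Assumptions (not taken from the guide): a key of at least 16 characters
# mixing upper-case, lower-case and digits is accepted by the installer,
# and the key is retired once SIC trust has been established, so it is
# shown once and never written to disk.

MIN_KEY_LEN=16

# check_activation_key KEY
# Returns 0 when KEY is long enough and contains an upper-case letter,
# a lower-case letter and a digit; otherwise prints the reason on stderr
# and returns 1.
check_activation_key() {
    key="$1"
    if [ "${#key}" -lt "$MIN_KEY_LEN" ]; then
        echo "key too short (${#key} < $MIN_KEY_LEN)" >&2
        return 1
    fi
    case "$key" in *[A-Z]*) ;; *) echo "no upper-case letter" >&2; return 1 ;; esac
    case "$key" in *[a-z]*) ;; *) echo "no lower-case letter" >&2; return 1 ;; esac
    case "$key" in *[0-9]*) ;; *) echo "no digit" >&2; return 1 ;; esac
    return 0
}

# gen_activation_key LENGTH
# Prints LENGTH random alphanumeric characters read from /dev/urandom,
# retrying until the result passes check_activation_key. Refuses lengths
# below MIN_KEY_LEN so the retry loop always terminates.
gen_activation_key() {
    len="${1:-20}"
    if [ "$len" -lt "$MIN_KEY_LEN" ]; then
        echo "requested length $len is below the minimum of $MIN_KEY_LEN" >&2
        return 1
    fi
    while :; do
        key="$(LC_ALL=C tr -dc 'A-Za-z0-9' < /dev/urandom | head -c "$len")"
        if check_activation_key "$key" 2>/dev/null; then
            printf '%s\n' "$key"
            return 0
        fi
    done
}

# Usage: ./sic_key.sh --run
# Prints the key once; copy it into the installer, then hand it to the
# SmartCenter administrator out of band. Do not reuse it for another host.
if [ "${1:-}" = "--run" ]; then
    gen_activation_key 24
fi
```

The check is deliberately strict about character classes so that a key pasted from a password manager with a restrictive alphabet is rejected before it is typed into both machines; a rejected key costs a few seconds, a weak one undermines the trust bootstrap for the whole reporting link.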




Phase 2 – Installing SmartCenter and the SmartView Reporter Add-On

SmartCenter installation is described in the Getting Started guide. Only the portion that
is related to SmartView Reporter is discussed in this section.







             5     Install the SmartCenter Server on a separate machine. In the product selection, select
                   both SmartCenter and SmartView Reporter, so that the SmartView Reporter Add-on is
                   installed together with SmartCenter.
             FIGURE 1-7 Installing SmartCenter and the SmartView Reporter Add-On on a Windows
                        Platform




             6     During the SmartCenter installation a window is displayed in which you will be
                   prompted to select the SmartView Reporter Setup Type. Select SmartView Reporter
                   SmartCenter Add-on so that SmartCenter can connect to the distributed SmartView
                   Reporter.
             7     Reboot the machine in order to complete the installation.

             Phase 3 – Preparing SmartView Reporter in SmartCenter

             8     Launch SmartDashboard. (SmartDashboard is installed during the SmartConsole
                   installation).
             9     Create a new host for the SmartView Reporter machine.






FIGURE 1-8 Create New SmartView Reporter Host




10 In the General Properties window, select SmartView Reporter. Then click the
   Communication button.
FIGURE 1-9 Initialize SIC




11 Enter the Activation Key that you entered in step 4 of the SmartView Reporter
   installation. SIC trust is established only if the two keys match.
12 After activating the SmartView Reporter host, install the Security Policy
   (Policy > Install) or install the database (Policy > Install Database) so that
   SmartView Reporter becomes fully functional.




             FIGURE 1-10 Enter the Activation Key




             Solaris Platform
             This installation process consists of three phases:
             • Install the SmartView Reporter
             • Install SmartCenter and the SmartView Reporter Add-On
             • Preparing SmartView Reporter in SmartCenter

             Phase 1 – Installing the SmartView Reporter

             1     Select SmartView Reporter and SmartConsole (optionally) for installation.
             FIGURE 1-11 Standalone Deployment - for Solaris







Depending on the components that you have chosen to install, you may need to take
additional steps before reaching step 2.
2   Select a folder in which the output files generated by SmartView Reporter
    are to be written.
FIGURE 1-12 Solaris - default directory




Depending on the components that you have chosen to install, you may need to take
additional steps before reaching step 3.
3   Enter the Activation Key in the specified fields. Remember the key; you will need
    to enter it at a later stage.
    Click Finish to complete the installation of the SmartView Reporter.






             FIGURE 1-13 Solaris Activation Key




             4     To complete the installation, continue from “Phase 2 – Installing
                   SmartCenter and the SmartView Reporter Add-On” on page 11.

                 Note - Although the interface is different, the installation process performed on a Windows
                 platform is the same as the installation process performed on a Solaris platform.



             Linux
             The SmartView Reporter Server itself must be installed on Solaris or Windows; a Linux
             machine can host only the SmartCenter side. For details on installing the SmartView
             Reporter machine, see “Phase 1 - Installing the SmartView Reporter” on page 10.

             Installing the SmartCenter Machine and the SmartView Reporter Add-On

             SmartCenter installation is described in its own document. Only the portion that is
             related to SmartView Reporter is discussed here.
             1     When installing SmartCenter, select SmartView Reporter, so that the SmartView
                   Reporter Add-on is installed as part of the SmartCenter installation.






FIGURE 1-14 Install SmartView Reporter on Linux




2   SmartView Reporter installation type will be automatically set as SmartView
    Reporter SmartCenter Add-on, so that SmartCenter can connect to the distributed
    SmartView Reporter.
3   To complete the installation, continue from “Phase 3 – Preparing
    SmartView Reporter in SmartCenter” on page 12.

Nokia IPSO
The SmartView Reporter Server itself must be installed on Solaris or Windows; a Nokia IPSO
machine can host only the SmartCenter side. For details on installing the SmartView
Reporter machine, see “Phase 1 - Installing the SmartView Reporter” on page 10.

Installing the SmartCenter Machine and the SmartView Reporter Add-On

SmartCenter installation is described in its own document. Only the portion that is
related to SmartView Reporter is discussed here.
1   After installing the Check Point IPSO packages, reboot the machine and run cpconfig.






             FIGURE 1-15 Installing Check Point IPSO Packages




             2     Log in to IPSO Voyager from a web browser.
             FIGURE 1-16 Login to Voyager




             3     Select Config to enter the Voyager Configuration screen.






FIGURE 1-17 Click Config to enter the Configuration screen.




4   In the Configuration screen, select Manage Installed Packages.






             FIGURE 1-18 Select Manage Installed Packages




             5     Make sure that SmartView Reporter NG with Application Intelligence R55 (and
                   any other relevant packages) is set to On, and click Apply.






     FIGURE 1-19 Activate SmartView Reporter and other relevant packages




     6   After clicking   Apply,   click   Save.

7   From a command line terminal on the IPSO machine:
    • Log out and then log in to the system.
    • Run rmdstart.
     8   Reboot the machine.
     9   In order to complete the installation, continue from “Phase 3 – Preparing
         SmartView Reporter in SmartCenter” on page 12.

Starting SmartView Reporter
     To start using SmartView Reporter, proceed as follows:
     1   Launch the SmartView Reporter Client (FIGURE 1-20).




FIGURE 1-20 SmartView Reporter Client — Main window




             2    Display the Management Selection Bar view and verify that logs are indeed being
                  consolidated and saved to the SmartView Reporter Database.






FIGURE 1-21 SmartView Reporter Client — Management Selection Bar view




3   Go back to the Reports Selection Bar view (FIGURE 1-20 on page 22) and ensure
    that you select the database tables for which to generate the report, as well as a
    report time frame. Then generate the Standard Network Activity report by selecting
    it in the Report Tree pane and clicking the corresponding button in the toolbar.
4   To follow the progress of the report generation, display the Report Generation
    Selection Bar view (FIGURE 1-22).






FIGURE 1-22 SmartView Reporter Client — Report Generation Selection Bar view




After a brief delay, the Standard Network Activity report result is displayed through
your browser (FIGURE 1-23 on page 25).






FIGURE 1-23 Example Standard Network Activity Report Result
(Figure callouts: Report Title; Report Time Frame, Log Sources & Generation Time;
Report Description; Sections (Hyperlinks))




5   Click a section title to view the results in question. The section’s results are
    displayed in either a graph unit, a table unit or both types of units.
    FIGURE 1-24 on page 26 shows example results of section 2, Network Activity by
    Date, in both a graph unit and a table unit.






FIGURE 1-24 Example Standard Network Activity by Date Section — Graph and Table Formats
(Figure callouts: Section Title; Section Description; Unit Title; Unit Description;
Unit Results: Graph Format; Unit Legend; Unit Results: Table Format; Unit Terminology)



CHAPTER 2




              SmartView Reporter

              In This Chapter

               The Need for Reports                                                  page 27
               SmartView Reporter Solution                                           page 28
               SmartView Reporter Configuration                                      page 38

The Need for Reports
     To manage your network effectively and to make informed decisions, you need to
     gather information on the network’s traffic patterns. There is a wide range of issues you
     may need to address, depending on your organization’s specific needs:
     • As a Check Point customer, you may wish to check if your expectations of the
         products are indeed met.
     • From a security point of view, you may be looking for suspicious activities, illegal
         services, blocked connections or events that generated alerts.
     • As a system administrator, you may wish to sort the Security Policy based on how
         often each Rule is matched, and delete obsolete Rules that are never matched.
     • You may be looking for general network activity information, for purposes such as
         capacity planning.
     • From the corporate identity and values perspective, you may want to ensure your
         employees’ surfing patterns (such as the web sites they access) comply with your
         company’s policy.
     • From a sales and marketing point of view, you may wish to identify the most and
         the least visited pages on your website or your most and least active customers.
     To address these issues, you need an efficient tool for gathering the relevant information
     and displaying it in a clear, accurate format.






SmartView Reporter Solution
                     In This Section

                       SmartView Reporter — Overview                                          page 28
                       Log Consolidation Process                                              page 30
                       SmartView Reporter Standard Reports                                    page 32
                       Predefined Reports                                                     page 33

      SmartView Reporter — Overview
             Check Point SmartView Reporter delivers a user-friendly solution for monitoring and
             auditing traffic. You can generate detailed or summarized reports in the format of your
             choice (list, vertical bar, pie chart etc.) for all events logged by Check Point
             VPN-1 Pro, SecureClient and SmartDefense.
SmartView Reporter implements a Consolidation Policy, which goes over your
original, “raw” log file, identifies events of interest and copies their relevant details
into a special, report-specific database (the SmartView Reporter Database). This smart,
             succinct database enables quick and efficient generation of a wide range of reports. The
             SmartView Reporter solution provides the optimal balance between keeping the
             smallest report database possible and retaining the most vital information.
             A Consolidation Policy is similar to a Security Policy in terms of its structure and
             management. For example, both Rule Bases are defined through the SmartDashboard’s
             Rules menu and use the same network objects. In addition, just as Security Rules
             determine whether to allow or deny the connections that match them, Consolidation
             Rules determine whether to store or ignore the logs that match them. The key
             difference is that a Consolidation Policy is based on logs, as opposed to connections, and
             has no bearing on security issues.
             FIGURE 2-1 illustrates the Consolidation process, defined by the Consolidation Policy.
             After the VPN-1 Pro Modules send their logs to the SmartCenter Server, the Log
             Consolidator Engine collects them, scans them, filters out fields defined as irrelevant,
             merges records defined as similar and saves them to the SmartView Reporter Database.






FIGURE 2-1 Log Consolidation Process




The SmartView Reporter Server can then extract the consolidated records matching a
specific report definition from the SmartView Reporter Database and present them in a
report layout (FIGURE 2-2):
FIGURE 2-2 Report Generation Process




Two types of reports can be created: Standard Reports and Express Reports. The
Standard Reports are generated from information in log files through the Consolidation
process to yield relevant analysis of activity. Express Reports are generated from
SmartView Monitor history files and are produced much more quickly. Express Reports
also support Provider-1 setups.
SmartView Reporter Standard Reports are supported by two Clients:
• SmartDashboard Log Consolidator — manages the Log Consolidator Engine and
   the SmartView Reporter Database via the SmartCenter Server. This Client is
   displayed by launching SmartDashboard and selecting
   View > Products > Log Consolidator.

• SmartView Reporter Client — generates and manages reports.
FIGURE 2-3 illustrates the SmartView Reporter architecture for Standard Reports:




                                                 Chapter 2   SmartView Reporter         29


             FIGURE 2-3 SmartView Reporter Standard Report Architecture




             The interaction between the SmartView Reporter Client and Server components
             applies both to a distributed installation (as shown in FIGURE 2-3), where the
             SmartCenter Server and SmartView Reporter’s server components are installed on two
             different machines, and to a standalone installation, in which these products are installed
             on the same machine.

      Log Consolidation Process
             It is recommended to use the SmartView Log Consolidator’s predefined Consolidation
             Policy, the out_of_the_box Policy, designed to filter out irrelevant logs (such as control
             messages) and store the most commonly requested ones (such as blocked connection,
             alert or web activity logs). The Log Consolidator Engine scans the Consolidation Rules
             sequentially and processes each log according to the first Rule it matches.
             FIGURE 2-4 illustrates how the Consolidation Policy processes logs: when a log
             matches a Consolidation Rule, it is either ignored or stored. If it is ignored, no record
             of this log is saved in the SmartView Reporter system, so its data is not available for
             report generation. If it is stored, it is either saved as is (so all log fields can later be
             represented in reports), or consolidated to the level specified by the Rule.






FIGURE 2-4 Log Process Chart




The Consolidation is performed on two levels: the interval at which the log was created
and the log fields whose original values should be retained. When several logs matching
a specific Rule are recorded within a predefined interval, the values of their relevant
fields are saved “as is”, while the values of their irrelevant fields are merged (i.e.
“consolidated”) together.
TABLE 2-1 provides a Consolidation example, where three logs of approved NTP
connections match the same Consolidation Rule (NTP is a time protocol that provides
access over the Internet to systems with precise clocks).
The Rule’s store options specify that logs generated within a one hour interval should
be consolidated into a single record, as long as they share the same values for four fields
of interest: destination, interface, Rule name and QoS class. The values of all other
fields are either integrated into their shared value (e.g. the shared Rule Number value,
1), or replaced with the term “consolidated” (e.g. the different Source values). The
consolidated record includes a connection number column, noting how many logs it
represents (in this case, 3).
TABLE 2-1 Consolidation Example

 Record        Time   Source        Dest.       I-face   Rule Name   Rule No.   Class   Conn No.
 Log 1         10:00  10.1.3.29     172.0.0.1   hme0     NYC         1          Gold
 Log 2         10:25  10.15.2.52    172.0.0.1   hme0     NYC         1          Gold
 Log 3         10:59  10.56.60.4    172.0.0.1   hme0     NYC         1          Gold
 Cons. Record  10:00  Consolidated  172.0.0.1   hme0     NYC         1          Gold    3
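As an added illustration (not code from the SmartView Reporter product), the following Python script models the consolidation behaviour described above, including the ignore/store/consolidate decision of the first matching Rule, and reproduces the record in TABLE 2-1 from constructed logs. The policy Rules, the extra control and HTTP sample logs, and the assumption that one-hour intervals are aligned to the clock hour are all constructed for this example.

```python
from datetime import datetime, timedelta

# Constructed sample logs modelled on TABLE 2-1: three approved NTP connections
# that match the same Consolidation Rule, plus (EXTRA_LOGS) a control message
# and an unrelated dropped connection used to exercise the other Rule actions.
SAMPLE_LOGS = [
    {"time": "10:00", "service": "ntp", "source": "10.1.3.29", "dest": "172.0.0.1",
     "iface": "hme0", "rule_name": "NYC", "rule_no": 1, "class": "Gold"},
    {"time": "10:25", "service": "ntp", "source": "10.15.2.52", "dest": "172.0.0.1",
     "iface": "hme0", "rule_name": "NYC", "rule_no": 1, "class": "Gold"},
    {"time": "10:59", "service": "ntp", "source": "10.56.60.4", "dest": "172.0.0.1",
     "iface": "hme0", "rule_name": "NYC", "rule_no": 1, "class": "Gold"},
]
EXTRA_LOGS = [
    {"time": "10:30", "service": "control", "source": "172.0.0.1", "dest": "172.0.0.1",
     "iface": "lo0", "rule_name": "", "rule_no": 0, "class": ""},
    {"time": "11:05", "service": "http", "source": "10.7.7.7", "dest": "172.0.0.9",
     "iface": "hme0", "rule_name": "Drop-All", "rule_no": 9, "class": "Bronze"},
]

# The Rule's fields of interest: logs are merged only when these values match,
# and the values themselves are kept "as is" in the consolidated record.
FIELDS_OF_INTEREST = ("dest", "iface", "rule_name", "class")
INTERVAL = timedelta(hours=1)
CONSOLIDATED = "Consolidated"

# Constructed Consolidation Policy: (match conditions, action, fields of interest).
# As in the engine described in the text, the first matching Rule decides.
POLICY = [
    ({"service": "control"}, "ignore", ()),                   # control messages: no record kept
    ({"service": "ntp"}, "consolidate", FIELDS_OF_INTEREST),  # NTP logs: merge per interval
    ({}, "store", ()),                                        # catch-all: store as is
]


def bucket_start(hhmm, interval=INTERVAL):
    """Align an HH:MM timestamp to the start of its interval. Assumption: intervals
    are aligned to midnight, so 10:00, 10:25 and 10:59 share the 10:00 bucket."""
    t = datetime.strptime(hhmm, "%H:%M")
    midnight = t.replace(hour=0, minute=0)
    elapsed = (t - midnight).total_seconds()
    return midnight + timedelta(seconds=elapsed - elapsed % interval.total_seconds())


def consolidate(logs, fields_of_interest=FIELDS_OF_INTEREST, interval=INTERVAL):
    """Merge logs that share the fields of interest and fall in the same interval.

    Every other field keeps its value when all merged logs agree on it (e.g. the
    shared Rule Number) and becomes CONSOLIDATED when they differ (e.g. Source).
    conn_no counts how many logs each returned record represents.
    """
    records = {}  # (interval start, fields-of-interest values) -> record
    for log in logs:
        start = bucket_start(log["time"], interval)
        key = (start,) + tuple(log[f] for f in fields_of_interest)
        rec = records.get(key)
        if rec is None:
            rec = dict(log)
            rec["time"] = start.strftime("%H:%M")  # the record carries the interval start
            rec["conn_no"] = 1
            records[key] = rec
            continue
        rec["conn_no"] += 1
        for field, value in log.items():
            if field == "time" or field in fields_of_interest:
                continue
            if rec[field] != value:
                rec[field] = CONSOLIDATED
    return list(records.values())


def matches(log, conditions):
    """A Rule with no conditions matches every log."""
    return all(log.get(k) == v for k, v in conditions.items())


def apply_policy(logs, policy=POLICY, interval=INTERVAL):
    """Process each log by the first Rule it matches: ignore, store as is, or consolidate."""
    stored, pending = [], {}
    for log in logs:
        for conditions, action, fields in policy:
            if not matches(log, conditions):
                continue
            if action == "store":
                rec = dict(log)
                rec["conn_no"] = 1
                stored.append(rec)
            elif action == "consolidate":
                pending.setdefault(fields, []).append(log)
            break  # "ignore" reaches here with nothing saved
    for fields, group in pending.items():
        stored.extend(consolidate(group, fields, interval))
    return stored


if __name__ == "__main__":
    for rec in apply_policy(SAMPLE_LOGS + EXTRA_LOGS):
        print(rec["time"], rec["service"], rec["source"], rec["dest"], rec["iface"],
              rec["rule_name"], rec["rule_no"], rec["class"], rec["conn_no"])
```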

How to interpret User names in DHCP enabled networks
If DHCP address mapping is used, and assuming the DNS knows how to resolve dynamic
addresses, the information you see in the report reflects the correct resolving results for
the time the reported log events were processed by the SmartDashboard Log
Consolidator and inserted into the database.
Because of the dynamic nature of DHCP address distribution, there is no guarantee that
consolidation of old log files will produce correct address name resolving.
When DHCP is in use, consolidating log files close to the time of their creation will
improve address-resolving accuracy.

      SmartView Reporter Standard Reports
             The Log Consolidation process results in a database of the most useful, relevant records,
             known as the SmartView Reporter Database. The information is consolidated to an
             optimal level, balancing the need for data availability with the need for fast and efficient
             report generation.
             Reports are generated based on a single database table, specified in the Reports
             Selection Bar view > Standard Reports > Report tab. By default, all consolidated records
             are saved to the CONNECTIONS table and all reports use it as their data source. However,
             each time you install and start the Consolidation Policy, you have the option of storing
             records in a different table. You can further organize these tables by moving records
             between them as needed and deleting outdated records.
             Dividing the consolidated records between different tables allows you to set the
             SmartView Reporter Client to use the table most relevant to your query, thereby
             improving the SmartView Reporter Server’s performance. In addition, dividing records
             between tables facilitates managing the SmartView Reporter Database: you can delete
             outdated tables, export tables you are not currently using to a location outside of the
             SmartView Reporter Database and import them back when you need them.





SmartView Reporter Express Reports
   Express Reports are based on data collected by Check Point system counters and
   SmartView Monitor history files. Standard Reports, in contrast, are based on Log
   Consolidator logs. Because Express Reports present historical data, they can be
   generated more quickly.
   SmartView Reporter Express Reports are supported by one Client, the SmartView
   Reporter. To configure your system to generate Express Reports, see “Express Reports
   Configuration” on page 40.
FIGURE 2-5 illustrates the SmartView Reporter architecture for Express Network
Reports:
   FIGURE 2-5 SmartView Reporter Express Report Architecture




Predefined Reports
   The SmartView Reporter Client offers a wide selection of predefined reports for both
   Standard and Express reporting, designed to cover the most common network queries
   from a variety of perspectives.

   Report Subjects

   The reports are grouped by the following subjects, allowing you to easily locate the one
   you need:
   • Network Activity (Standard, Express) — this subject includes reports that enable you
      to analyze the most popular activities in your network. You can examine your
      network activity as a whole or focus on a specific direction (incoming, outgoing or
      internal) or activity type (web, ftp or Email). For example, to study network traffic
      inside your organization, you can investigate how your web servers, mail servers
      and firewalled gateways handle the network load; see which services use most of
the available bandwidth; and find out which web sites are the most popular. You can
                  detect illegal network traffic, such as connections to banned web sites or use of
                  prohibited services. To examine the network usage by external sources, you can
                  explore which sources access the corporate web site, how often and for how long.
                  A report dedicated to FireWall-1 activity allows you to identify its top services,
                  sources and destinations. The records are organized both by their direction and by
                  the action taken by the firewall. In addition, you can follow the firewall activity’s
                  distribution over various time frames (your working hours, week days and the
                  selected date range).
             •    Security (Standard, Express) — this subject includes reports that allow you to focus
                  on all security-related traffic in your network. For example, you can inspect
                  connections whose origin or destination is the FireWall-1 machine, monitor
                  security attacks detected by SmartDefense, or analyze blocked connections and
                  FireWall-1 alerts.
                  In addition, you can detect Policy Installations and analyze the Rule Base order on
                  a specific gateway. Identifying the top matched rules versus the least matched rules
                  allows you to sort the Security Policy in the most efficient way.
             •    User Activity (Standard) — this subject includes reports that provide you with
                  information on how users inside your organization, as well as remote, SecureClient
                  users, utilize your network resources. You can identify peak activity patterns, in
                  terms of the most active users, the most commonly used services, the most active
                  working hours or week days etc.
             •    VPN-1 (Standard, Express) — this subject includes reports that allow you to analyze
                  various aspects of your encrypted traffic, such as its distribution over time, the top
                  services or sources etc. You can examine your VPN-1 activity as a whole, or focus
                  on a specific VPN Tunnel or VPN Community.
             •    Executive (Standard, Express) — offers a selection of reports from various subjects
                  that are of special interest to executives, such as the Network Activity or User
                  Activity reports.
             •    System Info (Express) — this subject includes reports that allow you to analyze
                  various aspects of system load and operational activity, including CPU usage, kernel
                  usage, and memory usage.
•    My Reports (Standard, Express) — select predefined reports and customize them to
     your needs.
             For descriptions of each predefined report available, see Appendix B, “Predefined
             Reports”.







     Report Structure

     Each report consists of a collection of sub-topics known as sections, which cover various
     aspects of the report. For example, the User Activity report consists of sections such as
     User Activity by Date, Top Users, Top User Activity Services etc.
     Each section consists of units, which display the same results in different formats, for
     your convenience. For example, the User Activity by Date section displays the same
     data in two units: a graph and a table.

     Customizing Predefined Reports

If you have a specific query that is not directly addressed by the predefined reports,
     you can easily customize the report that is closest to your needs (by changing its date
     range, filters etc.) to provide the desired information. You can save the customized
     report under a different name in the report subject dedicated to
     user-defined reports, My Reports.

SmartView Reporter Considerations
           In This Section

             Standalone vs. Distributed Deployment                                          page 35
             Log Availability vs. Log Storage and Processing                                page 36
             Log Consolidation Phase Considerations                                         page 36
             Report Generation Phase Considerations                                         page 37

     SmartView Reporter’s default options have been designed to address the most common
     reporting needs. However, to maximize the product’s benefits, it is recommended that
     you adapt it to your specific profile. This section describes the considerations you
     should take into account before starting to use SmartView Reporter.

  Standalone vs. Distributed Deployment
     In a standalone deployment, all SmartView Reporter server components (the Log
     Consolidator Engine, the SmartView Reporter Database and the SmartView Reporter
     Server) are installed on the Check Point SmartCenter Server machine. In a distributed
     deployment, the SmartView Reporter server components and the SmartCenter Server
     are installed on two different machines and communicate through a special Log
     Consolidator Add-on installed on the SmartCenter Server.







The standalone deployment saves you from dedicating a machine to SmartView
Reporter, but the distributed deployment significantly improves your system’s
performance.

      Log Availability vs. Log Storage and Processing
            Since all SmartView Reporter operations are performed on the logs you have saved, the
            extent to which you can benefit from this product depends on the quality of the
            available logs. Therefore, you must ensure your Security Policy is indeed tracking
            (logging) all events you may later wish to see in your reports.
            In addition, you should consider how accurately your logs represent your network
            activity. If only some of your Rules are tracking events that match them, the events’
            proportion in your reports will be distorted. For example, if only the blocked
            connections Rule is generating logs, the reports will give you the false impression that
            100% of the activity in your network consisted of blocked connections.
            On the other hand, tracking multiple connections results in an inflated log file, which
            not only requires more storage space and additional management operations, but
            significantly slows down the Consolidation process.

      Log Consolidation Phase Considerations

            Record Availability vs. Database Size
            Reports are a direct reflection of the records stored in the SmartView Reporter
            Database. To generate detailed, wide-ranging and accurate reports, the corresponding
            data must be available in the Database.
            However, effective database management requires keeping the database size under
            20 GB. As the consolidated records accumulate in the Database, the tables where they
            are saved may become quite large. The data gradually approaches the disk space limit,
            using more and more memory and slowing down the SmartView Reporter processes
            (especially the data retrieval for report generation).
            Carefully consider which logs you wish to store, and to what extent you wish to
            consolidate them.

Saving Consolidated Records to One vs. Multiple Database Tables
            A report is generated based on a single table. If you save all consolidated records to the
            same table, all the data is readily accessible and you are saved the trouble of moving
            records between tables and selecting the appropriate source table for each report you
            wish to generate.





   Dividing the records between different tables reduces the report generation time and
   allows you to maintain a useful Database size by exporting tables you are not currently
   using to an external location.

Report Generation Phase Considerations

   Adapting the Report’s Detail Level to your Needs
When a report is very detailed, it may become difficult to sort out the most significant
results and understand the network’s status. To achieve the optimal balance between getting
   all the information you need and excluding excessive records, closely examine the
   report’s date range, filters (source, destination, service etc.) and filter values, and adjust
   them to pinpoint details.

   Generating only selected sections and units
By default, all report sections and their units are included in the report generation.
   However, to get results faster and improve your machine’s performance, you can
   generate only selected sections and units (by unchecking all others in the Report Tree
   pane).

   Scheduling reports
   The Schedule feature allows you to set both delayed and periodic report generations.
   If you wish to produce a detailed and lengthy report, you should consider postponing
   its generation and scheduling it so that it does not interfere with your employees’
   working hours or with times of peak network activity, since such a report generation
   might slow down your system.
   In addition, it is useful to identify the reports you require on a regular basis (e.g. a daily
   alerts report or a monthly user activity report) and schedule their periodic generations.

Report output (display, Email, file, printer etc.)
   All predefined report results are displayed on your screen and saved to the SmartView
   Reporter Server.







            By default, the report is saved in HTML output in an index.htm file; and in CSV
            (Comma Separated Values) format in a tables.csv file. The HTML file includes
            descriptions and graphs, but the CSV file contains only the report table units, without
a table of contents, descriptions or graphs. The tables.csv file is provided to enable
convenient import of the tables into applications like Excel.
            TABLE 2-2 Report Files and Formats

            File Format            HTML                         CSV
            File Name              index.htm                    tables.csv
            Includes               Table of contents, tables,   Data only. Cell values
                                   descriptions, graphs.        separated by commas.
                                                                Rows and tables separated
                                                                by lines.
            Before generating a report, determine whether you want it to be saved or sent to
            additional or different targets. For example, when you generate a user activity-related
            report, you may wish to make it available to all managers in your organization by
            sending them the output via Email or by placing it on your intranet.

SmartView Reporter Configuration
                     In This Section

                       Basic Configuration Scenario                                         page 38
                       Express Reports Configuration                                        page 40
                       Required Security Policy Configuration                               page 39
                       Report Generation Configuration                                      page 40
                       Consolidation Policy Configuration                                   page 45
                       SmartView Reporter Database Management                               page 49

      Basic Configuration Scenario
            The following procedure allows you to create the most basic SmartView Reporter
            configuration. Proceed as follows:
            1     In the SmartDashboard, set the relevant Security Policy Rules to track connections
                  of interest (set each Rule’s Track column to either Log or Account).







   2     Launch the SmartView Reporter Client and display the selection bar’s Management
         view, to verify that consolidated records have been loaded to the SmartView
         Reporter Database.
   3     Display the Reports view, select the database tables to be examined and the time
         frame for the report, choose the report type, then generate the report.
   This general procedure can be used to provide you with any report you are interested
   in. For example, to generate a report on illegal attempts to connect to your network,
   proceed as follows:
   1     In the SmartDashboard, add the following Rule (TABLE 2-3) at the bottom of
         your Rule Base:
   TABLE 2-3 Security Rule Tracking Illegal Attempts to Connect to the Local Network

    Source   Destination       VPN   Service   Action   Track   Install On       Time   Comment
    Any      Company_network   Any   Any       Drop     Log     Policy Targets   Any    A rule tracking illegal attempts to connect to the local network

   2     Launch the SmartView Reporter Client and display the selection bar’s Management
         view, to verify that consolidated records have been loaded to the SmartView
         Reporter Database.
3     Display the Reports view and generate the Blocked Connections by Date report.

Required Security Policy Configuration
   For a Security Rule to generate logs for connections that match it, the Rule’s Track
   column should be set to any value other than None (for example, Log generates a
   standard log, while Account generates an accounting log).
   Note that in order to obtain accounting information (the number of bytes transferred
   and the duration of the connection), the value of the Rule’s Track column must be
   Account.

   To utilize direction information (“incoming”, “outgoing”, “internal” or “other”), the
   organization’s topology must be configured properly. If this is the case, “other” can be
   used as a security tool, indicating there were connections whose destination was the
   firewall itself.

                                                           Chapter 2      SmartView Reporter            39
SmartView Reporter Configuration



      Express Reports Configuration
            The following procedure sets the SmartView Monitor to collect complete system data
            in order to produce SmartView Reporter Express Reports. SmartView Monitor settings
            are enabled through the SmartDashboard. Proceed as follows:
            1     In the SmartDashboard network objects tab of the object tree, select a gateway of
                  interest. Double click the gateway to open the Check Point Gateway properties
                  window.
            2     You will need to enable the SmartView Monitor to collect data for reporting
                  purposes through the SmartDashboard.
                  [If you do not see SmartView Monitor in the selection to the left, enable it through
                  the General Properties tab. Click General Properties, then in the scroll-down
                  window of Check Point Products, click Smart View Monitor. It will appear at left.]
                  Select Smart View Monitor, and in the Smart View Monitor tab, click all the
                  checkboxes to ensure that SmartView Monitor is collecting every type of data for
                  reporting purposes.
             3     To finish this procedure, in SmartDashboard select Policy > Install Database.


      Report Generation Configuration

                     In This Section

                       Adapting the Report Properties to your Needs — Overview               page 41
                       SmartView Reporter Database Table                                     page 41
                       Report Period                                                         page 41
                       Report Filters                                                        page 41
                       Result Calculation and Resolution                                     page 42
                       Input location                                                        page 43
                       Output location                                                       page 43
                       Scheduling                                                            page 44
                       Preview                                                               page 44
                       Monitoring the Report Status                                          page 44
                       Displaying Generated Reports                                          page 45
                       Additional Settings                                                   page 45
                       Report Generation Command Line                                        page 45


Adapting the Report Properties to your Needs — Overview
When you generate a report, you can either use the report as a whole or run a specific
section or a unit.
You can generate the selected component using its default properties, or adjust these
properties to better address your current requirements. This section describes the most
important properties you should examine before generating a report.

SmartView Reporter Database Table
By default, consolidated records are retrieved from the SmartView Reporter Database’s
CONNECTIONS table. If you have divided your records between several tables, choose the
table containing the records you require, e.g. a special table dedicated to records
originating from a specific log server, or a table covering the time frame you are
interested in. To see which table contains the relevant records, display the Management
Selection Bar view.
Select the relevant tables through the Standard Reports view’s Reports tab, by selecting
the tables in the Other Database Tables drop-down list.

Report Period
All predefined reports are set to cover a default time range for a week to a month. You
must change this period to reflect the data’s actual dates and times, and the time period
that you wish to examine.

Tuning Report Time Frame

To improve SmartView Reporter Server performance, when setting a user-defined time
frame for the report, specify a time frame in whole days. When setting a report period,
note that the following settings will slow down the report generation speed:
• Relative Time Frame: Today, Yesterday, Last X hours, This week.
• Specific dates: Limit by hour checkbox.
• Reports for short time periods are generated faster than reports for long time
    periods. A weekly report will be generated much faster than a monthly report.

Report Filters
Reports come with the most commonly required filters (e.g. Source, Destination etc.).
Specifying the appropriate filter settings is the key to extracting the information you
are looking for.




            For each filter you choose, specify the values (e.g. network objects, services etc.) to be
            matched out of all values available for that filter. The available values are taken from the
            SmartCenter Server and are refreshed on a regular basis. If you cannot see a value you
            have added through SmartDashboard in the available values list, refresh the list by
            selecting a different filter and then return to the previous one.
            The SmartView Reporter Client also allows you to include additional objects, by
            manually adding them to the matched values list.
            Filters and their values can be specified both on the report level and on its unit level.
            The report level settings are enforced on the unit level as well (for example, if you
            choose to include specific sources in the report, these sources will also be included in
            its units). If you set a specific unit-level filter and then choose a different report-level
            filter, the latter overrides the former.

            Tuning Report Filters

            If you define different filters for different units that share the same cached SQL, the
            SQL caching will no longer be viable and the report generation time will significantly
            increase. It is recommended that you define filters at the report level only.

            Result Calculation and Resolution
            Data Calculation Scheme

            By default, report calculations are based on the number of events logged. If you have
            logged accounting data (done by setting the Security Rule’s Track column to Account),
            you can base the report calculations on the number of bytes transferred.

            Sort Parameter

            You may sort the results by one of two parameters: the number of bytes transferred and
            the number of events logged. Note that an event takes on different meanings,
            depending on its context. In most cases, the number of events refers to the number of
            connections. Access this through the Tools > Options menu.
            The number of bytes transferred can be calculated only if the Security Rules’ Track
            column is set to Account. The number of events logged can be calculated as long as the
            Track column is set to Log or Account.

            If both types of information are available, they will both be displayed in the sort order
            you have specified. For example, a table listing the most active sources in your system
            can first specify the number of events each source generated and then note the number
            of bytes related to its activity.
             In addition, the unit’s Unit tab allows you to select the resolution type (byte or time)
             and its level.

Format

If user names are stored in an LDAP server, the names will include the full LDAP path
in the FireWall-1 log files. The way the report shows the user name can be changed
through the Tools menu > Options >General tab. By default, the Show abbreviated LDAP
user name check box is selected, so that generated reports display only the user name
part of the full LDAP name. To see the name with full LDAP path, uncheck this box.

Input location
The modules from which you collect data can be modified by using the report’s Input tab,
which lets you select the following:
• the module or modules of origin
• whether to collect data per module or as a group, if you have selected more than
    one module

Output location
Report results are saved in subdirectories of the Results subdirectory of the SmartView
Reporter Server as follows:
Result\NG_AI\bin\<Report Name>\<Generation Date & Time>

For each report, a directory with the report’s name “<Report Name>” is created in
bin, with a subdirectory named with the generation date and time “<Generation
Date & Time>.” The report is generated into this “<Generation Date & Time>”
subdirectory.
The Result location can be modified by selecting Tools > Options from the menu and
specifying the desired location in the Result Location field of the Options window’s
Generation page.

In addition to saving the result to the SmartView Reporter Server, you can send it to
any of the following:
• The Client’s display (the default setting).
• Email recipients.
• An ftp or a web server. See “How to upload reports to an FTP server” on page 60.
The Mail Information page of the Options window allows you to specify both the
sender’s Email address and the mail server to be used. It also allows you to specify the
degree of message severity (Information, Warning or Error) that is to be sent to the
administrator.




            The Mail Information page of the Tools > Options window allows you to specify that an
            administrator receive warnings about errors. To enable this option, fill in the
            Administrator email address, and choose the severity factor for which an error message
            will be sent, by checking one or more of the severity levels in the Specify the severity
            of the administrator email notification section.


            Scheduling
            Schedules are managed through the Report’s Schedule tab. All schedules of all reports
            defined in the system can be viewed through the Schedules option of the Selection Bar’s
            Management view.

            To improve performance, schedule report generation when there is less traffic and fewer
            logs are being generated, so the log consolidator is consuming fewer resources. For
            example, schedule reports on nights and weekends.

            History
            The reporting server can store a limited amount of Report-generation status records. In
            order to modify the amount of information stored, go to the Tools > Options window,
            and select the History page. Modify the amount in Report history size.
            When the quantity of the status reports passes the limit, the oldest status record is
            deleted. You can decide whether you would like the associated generated Report to be
            deleted as well by changing the Report output delete method setting.
            In addition, you can also specify the maximum number of Consolidation Status records
            that are displayed in the Management view, by modifying the Consolidation history size.

            Preview
             If the report you wish to generate covers a wide time frame (e.g. a quarterly network
             activity report), its generation may be time consuming. To verify that you have chosen
             the appropriate settings, you can test the output by generating a partial preview of the
             report (select Actions > Preview Report from the menu).
            The Preview option (set by selecting Tools > Options... from the menu) specifies the
            percentage (1 to 20) of the report time frame to be included in the preview. For
            example, if the report period covers 30 days and you set the preview to 10%, it will
            only show records logged during the first three days of that time frame.

            Monitoring the Report Status
            The Selection Bar’s Report Generation view’s Currently Active option allows you to
            follow the report generation progress. Once the generation is complete, it is recorded in
            the view’s History option.



   Displaying Generated Reports
   The Selection Bar’s Report Generation view’s History option lists all past report
   generations. Double click any generation record to display the report it describes.

   Additional Settings
   The Options window allows you to specify additional settings including the name and
   the location of the logo to be displayed in the report header, as well as where to Email
   reports, and report-sorting settings.
   By default, the logo file is saved in the SmartViewReporter\NG\bin directory.

   Report Generation Command Line
   For your convenience, it is possible to generate reports both through the SmartView
   Reporter Client and through the command line.
   Generating reports using the command line GeneratorApp has the following
   limitations:
   • No report status updates in the Report Generation view’s Currently Active window.
   • No distribution of the report result.
   To generate reports through the command line, go to the SmartViewReporter\NG\bin
   directory on the SmartView Reporter Server machine and run the following command:
   Usage: GeneratorApp.exe [Directory/""] {ReportID}

   For example, to generate the Security report, whose ID is
   {475AD890-2AC0-11d6-A330-0002B3321334}, run the following command:
   GeneratorApp.exe c:\reports\Security {475AD890-2AC0-11d6-A330-0002B3321334}

   If the directory is empty (""),
   <Result directory>\<Report Name>\<Generation Date & Time>

   would be used as the directory. The default location is:
   c:\Program Files\CheckPoint\SmartViewReporter\NG\Results

   For a list of all Report IDs, see Appendix B, “Predefined Reports.”

Consolidation Policy Configuration




                     In This Section

                       Overview                                                                   page 46
                       Customizing Predefined Consolidation Rules                                 page 48
                       Setting the Log Consolidator Engine to Scan Specific Logs                  page 48
                       Committing Consolidated Logs to a Specific Database Table                  page 49
                       Configuring the Log Consolidator Engine’s DNS Settings                     page 49
                       Monitoring the Log Consolidator Engine and Database Statuses               page 49

            Overview
            The out_of_the_box Consolidation Policy has been designed to address the most
            common Consolidation needs. However, in case you have specific Consolidation needs
            that are not covered by this Policy, the Consolidation Rules can be modified as needed.
            To modify the Consolidation settings, proceed as follows:
            1     Display the SmartDashboard’s Log Consolidator View, by selecting
                  View > Products > Log Consolidator from the menu.

            2     Modify the out_of_the_box Policy’s Consolidation Rules as needed.
             3     Save the modified Policy under a different name (select File > Save As from the
                   menu and specify the modified Policy’s name).
            4     Install the modified Consolidation Policy and start the SmartDashboard Log
                  Consolidator (by selecting Policy > Install and Start... from the menu), using the
                  following default settings:
                  • Fetch logs from the Primary SmartCenter Server.
                  • Continue the Consolidation from its last run (which in this case is the beginning
                      of the fw.log file).
                  • Save the consolidated records to the default table (CONNECTIONS).

            Starting and Stopping the Log Consolidator Engine
            Starting the Log Consolidation Engine

            If the Log Consolidation Engine is not running, you can start the Engine according to
            the Consolidation Policy that was last installed.
            To start the Log Consolidation Engine, choose Start from the Engine menu. The Log
            Consolidation Engine begins running according to the most recently installed
            Consolidation Policy.


Stopping the Log Consolidation Engine

To stop the Log Consolidation Engine, choose Stop from the Engine menu, or click the
corresponding button in the toolbar. The Stop Engine window is displayed.
Choose one of the following:
• Shutdown — This option stops the Log Consolidation Engine in an orderly way.
   All data that has been consolidated up to this point is stored in the Database.
   Shutdown may take several minutes to an hour.
• Terminate — This option stops the Log Consolidation Engine immediately. Data
   that has been consolidated but not yet stored in the Database is not saved.

Specifying the Consolidation Rule’s Store Options
To specify whether logs matching a Consolidation Rule should be skipped or copied to
the SmartView Reporter Database, right click the Rule’s Action column and choose
Ignore or Store (respectively).

In general, it is recommended to place “Ignore” Rules at the beginning of the Rule
Bases, especially for services that are logged frequently but are not of interest for
reports. “Ignore” Rules do not require Consolidation processes and, therefore, enable
the Log Consolidator Engine to move quickly through the logs. The Log Consolidator
Engine does not have to consolidate and store an event that matches an “Ignore” Rule
and can quickly move to the next entry in the Log file.
The Rule order is also based on how frequently services are used. Rules regarding the
most common services are defined before those addressing less common services. In this
way, the Log Consolidator Engine does not have to scan a lengthy Rule Base in order
to process most of your log data.
If you choose to store the logs, double click the Action cell to specify their storage
format in the Store Options window. Choose one of the following:
• As Is — all log fields will be stored in the SmartView Reporter Database and will
    be available for report generation. This is the default storage option.
• Consolidated — specify the following Consolidation parameters:
    • The interval at which logs matching this Rule are consolidated (e.g. all logs
       generated within a 10 minute interval). Hourly intervals are measured.
    • The log fields whose original values are retained (in addition to the Product,
       Origin, Date and Customer log fields, whose values are always saved). The other
       fields’ values are merged (consolidated) with the corresponding values of the logs
       included in this interval (see “Log Consolidation Process” on page 30).




            If you wish to save all stored connections as is, you can disable the Consolidation
            settings of the entire Policy by selecting Policy > Global Properties... from the menu,
            displaying the Advanced settings tab of the Log Consolidator Policy Properties window
            and unchecking Consolidate log entries.
            By default, the Log Consolidator Engine loads the consolidated records to the
            SmartView Reporter Database once an hour. Display the Advanced Settings tab of the
            Log Consolidator Policy Properties window and choose a different value from the Stop
            consolidation and commit work to database every drop-down list.
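As an added illustration of the Store Options described above (this is example code, not Check Point’s Log Consolidator): an ordered Rule Base where the first matching Rule decides whether a log is ignored, stored as is, or consolidated with other matching logs from the same interval, with the always-retained fields plus the Rule’s retained fields kept and the rest merged. The rule names, field names, interval and sample log records are all constructed for this example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Log fields whose original values are always kept in a consolidated record.
ALWAYS_RETAINED = ("Product", "Origin", "Date", "Customer")
ANY = "Any"                       # wildcard for a rule column
EPOCH = datetime(2003, 1, 1)      # reference point for aligning intervals (assumed)


@dataclass
class Rule:
    name: str
    action: str                           # "Ignore" or "Store"
    match: dict                           # column -> set of accepted values, or ANY
    store: str = "As Is"                  # "As Is" or "Consolidated"
    interval: timedelta = timedelta(minutes=10)
    retain: tuple = ()                    # extra log fields kept unmerged

    def matches(self, log):
        return all(v == ANY or log.get(col) in v for col, v in self.match.items())


def interval_start(when, interval):
    """Align a log timestamp to the start of its consolidation interval."""
    return EPOCH + ((when - EPOCH) // interval) * interval


def consolidate(logs, rules):
    """Apply the first matching rule to every log and return the stored records.

    Ignore              -> the log is skipped with no consolidation work at all.
    Store, As Is        -> the log is stored with all of its fields.
    Store, Consolidated -> logs with the same retained values in the same interval
                           collapse into one record; other fields are merged and
                           the event count and byte total are accumulated."""
    stored, buckets = [], {}
    for log in logs:
        rule = next((r for r in rules if r.matches(log)), None)
        if rule is None or rule.action == "Ignore":
            continue
        if rule.store == "As Is":
            stored.append(dict(log, Rule=rule.name, Events=1))
            continue
        keep = ALWAYS_RETAINED + rule.retain
        start = interval_start(log["Date"], rule.interval)
        key = (rule.name, start) + tuple(log.get(f) for f in keep if f != "Date")
        rec = buckets.get(key)
        if rec is None:
            rec = {f: log.get(f) for f in keep}
            rec.update(Date=start, Rule=rule.name, Events=0, Bytes=0)
            buckets[key] = rec
            stored.append(rec)
        rec["Events"] += 1                     # number of events logged
        rec["Bytes"] += log.get("Bytes", 0)    # only present when Track is Account
    return stored


def run_example():
    """Constructed policy and log records (hypothetical, not real data)."""
    mail_servers = {"mail1", "mail2"}
    rules = [
        # "Ignore" rules first: frequent, uninteresting traffic costs nothing.
        Rule("broadcast", "Ignore", {"Destination": {"255.255.255.255"}}),
        Rule("http", "Store", {"Service": {"http"}}),
        # Connections to the mail server group, as in the SMTP rule split above.
        Rule("mail_to_servers", "Store",
             {"Destination": mail_servers, "Service": {"smtp"}},
             store="Consolidated",
             retain=("Authenticated User", "Source", "Service")),
        Rule("catch_all", "Store", {"Source": ANY}),
    ]
    t = datetime(2003, 10, 1, 9, 0)
    base = {"Product": "VPN-1 & FireWall-1", "Origin": "gw1", "Customer": None}

    def entry(minute, src, dst, svc, size=0):
        return dict(base, Date=t + timedelta(minutes=minute), Source=src,
                    Destination=dst, Service=svc, Bytes=size)

    logs = [
        entry(1, "10.1.1.5", "mail1", "smtp", 1200),
        entry(2, "10.1.1.5", "web1", "http", 4000),
        entry(3, "10.1.1.7", "255.255.255.255", "nbname"),      # ignored
        entry(4, "10.1.1.5", "mail2", "smtp", 800),             # merged with minute 1
        entry(5, "10.1.1.9", "web1", "http", 2500),
        entry(6, "10.1.1.9", "host3", "telnet", 300),           # catch-all, as is
        entry(7, "10.1.1.9", "mail1", "smtp", 500),             # different source
        entry(12, "10.1.1.5", "mail1", "smtp", 300),            # next 10 min interval
    ]
    return consolidate(logs, rules)


if __name__ == "__main__":
    for rec in run_example():
        print(rec["Rule"], rec["Date"].strftime("%H:%M"), rec["Events"], rec["Bytes"])
```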


            Customizing Predefined Consolidation Rules
            This section provides instructions on modifying specific out_of_the_box Rules to better
            address your specific consolidation requirements. For a detailed description of the
            out_of_the_box Rules, see Appendix A, “Out_of_the_box Consolidation Policy.”
            If you wish to filter out all broadcast messages (both allowed and disallowed), proceed as
            follows:
            1     In the Security Policy, define a group of objects with broadcast IP addresses.
            2     In the out_of_the_box Consolidation Policy, activate the broadcast Rule and add
                  the broadcast group to its Destination column.
            If your network uses a mail server group, you can split the SMTP Rule into the
            following two Rules that collect data on how mail resources are used:
            • A Rule consolidating connections from the mail server group.
                 Records consolidated by this Rule can be used for reports on how mail
                 connections are balanced between the servers. This Rule’s Store Options retain the
                 original values of the Authenticated User, Destination, and Service log fields.
            • A Rule consolidating connections to the mail server group.
                 Records consolidated by this Rule can be used for reports on how local users access
                 the mail servers. This Rule’s Store Options retain the original values for the
                 Authenticated User, Source, and Service log fields.


            Setting the Log Consolidator Engine to Scan Specific Logs
             The Consolidation Policy is installed and started through the Install and Start window
             (FIGURE 1-7), accessed by selecting Policy > Install and Start...
            To set the Log Consolidator Engine to scan specific logs, specify the following
            parameters:
            1     Log Server — select the log server providing the logs for Consolidation from the
                  drop-down list and click Fetch data from log server.


  2   Log File — choose the log file to be scanned. If you have copied log files from
      other log servers to the SmartCenter Server, these external log files will be
      available.
  3   Log Entry — the specific log entry within the selected log file, from which the Log
      Consolidator Engine starts running.

  Committing Consolidated Logs to a Specific Database Table
  In the above Install and Start window, select the SmartView Reporter Database table to
  which the consolidated logs are to be saved from the Target Table options.

  Configuring the Log Consolidator Engine’s DNS Settings
  Resolving the source and destination names slows down the Consolidation process. You
  can balance the need for name availability in your consolidated records with the need
  for a satisfactory performance level, by adapting the Log Consolidator Engine’s DNS
  setting to your specific needs: select Policy > Global Properties... from the menu and
  specify the appropriate settings in the DNS settings tab of the Log Consolidator
  SmartDashboard window. This setting comes into effect after a Log Consolidator
  policy is installed, or after the Log Consolidator Engine is stopped and started.

  Monitoring the Log Consolidator Engine and Database Statuses
  The Log Consolidator Engine and SmartView Reporter Database statuses can be
  monitored through either one of the SmartView Reporter clients.
  The SmartView Log Consolidator provides a detailed account of these statuses (as well
  as DNS statistics) through the Engine and Database status window, displayed by
  selecting Engine and Database status from the SmartView Log Consolidator’s Status
  menu. If this information cannot be obtained, the window specifies the reason for the
  problem (for example: the Log Consolidation Engine service is not started).
  The SmartView Reporter Client offers more basic Consolidation information (such as
  the names of the log file scanned and the target SmartView Reporter Database table)
  through its Management view.
  It is recommended to check these statuses before you begin generating reports, to verify
  that the Log Consolidator Engine is indeed processing logs and that it had already saved
  the consolidated records to the SmartView Reporter Database.

SmartView Reporter Database Management
  All database management operations are performed through the SmartView Log
  Consolidator’s Database menu.



            Tuning the SmartView Reporter Database
            To improve performance, adjust the database cache size to match the computer’s
            available memory. Place the database data and log files on different hard drives (physical
            disks), if available.

            Modifying SmartView Reporter Database Configuration
             It is possible to change the SmartView Reporter Database settings by editing the
             solid.ini file, located in the CheckPoint\SmartViewReporter\NG_AI\Database
             directory. Note that before editing the solid.ini file, you must:
            1     Stop all SmartView Reporter services (such as the Log Consolidator, Reporter
                  Database and Reporter Server services) by running rmdstop.
            2     Back up the solid.ini file before modifying it.

                Note - Although it is possible to give the file(s) any name, the naming convention cannot be
                changed. The file name must contain a *.db extension.



            When editing a value in solid.ini file, do not add any spaces or tabs before or after
            the '=' sign on each row.
            After completing your editing, ensure that you restart SmartView Reporter services by
            running rmdstart.

            Changing the SmartView Reporter Database Cache Size
            To change the Database cache size, modify the CacheSize value in the solid.ini file.
            CacheSize represents the size of the memory cache in bytes, and is always a multiple of
            1024. Ensure that you do not set the cache size too large to fit into the computer’s
            available memory.

            Increasing the SmartView Reporter Database Size
            The default size of the database is 20 GB, allocated in 10 separate files of 2 GB each.
            You can increase the allocated size of the database by adding more files. To increase the
            Reporting Database size limit, proceed as follows:

                 Warning - Make sure all the SmartView Reporter services are stopped before
                 editing solid.ini.




1    In the IndexFile section of the solid.ini file, add lines with FileSpec_#.
     Each of these lines enlarges the Database size limit by 2 GB, which is the maximum
     byte size per line.

    Warning - Do not change the size of an existing database file in order to increase database
    space.


     For example, the following default configuration amounts to a 20 GB limit:
               [IndexFile]
               ...
               FileSpec_1=./Database/RT_Database.db 2147483647
               FileSpec_2=./Database/RT_Database2.db 2147483647
               FileSpec_3=./Database/RT_Database3.db 2147483647
               ...
               FileSpec_10=./Database/RT_Database10.db 2147483647
               CacheSize=33554432
     Adding the following line will enlarge the database size limit to 22 GB:
               FileSpec_11=./Database/RT_Database11.db 2147483647

2    Restart the SmartView Reporter services.
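As an added helper for the procedure above (example code, not part of the product): it reads the [IndexFile] section of a constructed solid.ini, reports the size limit implied by the FileSpec_# lines, appends the next FileSpec_# line without touching existing ones, rejects rows with spaces around '=', and checks that CacheSize is a multiple of 1024 that fits in the memory you can spare. The ini text and the available-memory figure are constructed for the example.

```python
import re

MAX_FILE_BYTES = 2147483647          # 2 GB, the maximum byte size per FileSpec line
FILESPEC = re.compile(r"^FileSpec_(\d+)=(\S+)\s+(\d+)$")

# Constructed solid.ini fragment mirroring the default layout shown above.
DEFAULT_INI = "\n".join(
    ["[IndexFile]"]
    + [f"FileSpec_{i}=./Database/RT_Database{'' if i == 1 else i}.db {MAX_FILE_BYTES}"
       for i in range(1, 11)]
    + ["CacheSize=33554432", "", "[Logging]", "FileNameTemplate=./Log/sol#####.log"]
)


def check_syntax(text):
    """Raise if any key=value row has whitespace before or after the '=' sign."""
    for lineno, line in enumerate(text.splitlines(), 1):
        if "=" in line and re.search(r"\s=|=\s", line):
            raise ValueError(f"line {lineno}: no spaces or tabs allowed around '='")


def section_lines(text, name):
    """Return the key=value rows of one [section], in file order."""
    rows, inside = [], False
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith("[") and stripped.endswith("]"):
            inside = stripped[1:-1] == name
        elif inside and stripped:
            rows.append(stripped)
    return rows


def filespecs(text):
    """Return [(index, path, size_bytes)] for every FileSpec_# row in [IndexFile]."""
    specs = []
    for row in section_lines(text, "IndexFile"):
        m = FILESPEC.match(row)
        if m:
            specs.append((int(m.group(1)), m.group(2), int(m.group(3))))
    return specs


def size_limit_gb(text):
    """Database size limit implied by the FileSpec rows, rounded to whole GB."""
    return round(sum(size for _, _, size in filespecs(text)) / 2 ** 30)


def add_database_file(text, path):
    """Enlarge the limit by one 2 GB file: insert FileSpec_<next> after the last one.

    Existing rows are left exactly as they are (never resize an existing file)."""
    check_syntax(text)
    specs = filespecs(text)
    if not specs:
        raise ValueError("no FileSpec_# rows found in [IndexFile]")
    if any(p == path for _, p, _ in specs):
        raise ValueError(f"{path} is already in use; do not resize existing files")
    next_index = max(i for i, _, _ in specs) + 1
    lines = text.splitlines()
    last = max(i for i, l in enumerate(lines) if FILESPEC.match(l.strip()))
    lines.insert(last + 1, f"FileSpec_{next_index}={path} {MAX_FILE_BYTES}")
    return "\n".join(lines)


def cache_size_ok(text, available_bytes):
    """CacheSize must be a multiple of 1024 and must fit into available memory."""
    for row in section_lines(text, "IndexFile"):
        if row.startswith("CacheSize="):
            size = int(row.split("=", 1)[1])
            return size % 1024 == 0 and size <= available_bytes
    return False


if __name__ == "__main__":
    print("current limit:", size_limit_gb(DEFAULT_INI), "GB")
    enlarged = add_database_file(DEFAULT_INI, "./Database/RT_Database11.db")
    print("new limit:", size_limit_gb(enlarged), "GB")
```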

Changing the SmartView Reporter Database Data and Log Files
Location
Disk contention occurs when multiple processes try to access the same disk
simultaneously. To avoid this, move files from heavily accessed disks to less active disks
until they all have roughly the same amount of load. To improve performance, use a
separate disk for Database Log files. To distribute the SmartView Reporter database files
between different physical disks, proceed as follows:




            1     Use a separate disk for Database Log files:
                   Under the [Logging] section in the solid.ini file, specify the new location of the log
                  files by modifying the line:
                           FileNameTemplate=./Log/sol#####.log
                  For example:
                           FileNameTemplate=F:/ReporterLogs/sol#####.log
                  Do not change the original log file name, and ensure that the specified folder (e.g.
                  W:/ReporterLogs) exists.

            2     Divide Database files between several disks:
                  Under the [IndexFile] section, specify a new location for Database files by
                  modifying the relevant Database file line (e.g. FileSpec_1, FileSpec_2 etc.).
                  For example:
                           FileSpec_1=E:/RT_Database.db 2147483647
                  You must then physically move these files to their new locations.
            3     Use a separate disk for the Sort folder:
                  Under the [Sorter] section, specify the new location of the Sort folder by
                  modifying the line:
                           TmpDir_1=./Sort
                  For example:
                           TmpDir_1=D:/Sort
                  Make sure the specified location (e.g. D:/Sort) exists.

Backing Up the SmartView Reporter Database
The SmartView Reporter Database system consists of a set of files that can be copied, compressed or backed up like any other file. Backup files require the same disk space as the original files. It is highly recommended to save backup copies of the SmartView Reporter Database files, which can later be used to recover from an unexpected database corruption. Proceed as follows:
1  Stop the SmartView Reporter services:
   • Windows — in the Services window (accessed from the Start menu, by selecting Settings > Control Panel > Services), select the Check Point Reporting Database Server service and click Stop.
     This automatically stops the Check Point SmartView Log Consolidator and the Check Point Reporting Database Server services as well.
   • Solaris — use rmdstop.
2  From the SmartView Reporter Database directories, copy RT_Database.db through RT_Database10.db to the backup location (you may compress them to save disk space).
3  Restart the SmartView Reporter services, starting with the Check Point Reporting Database Server service.
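The two procedures above (relocating the log, Database and Sort paths in the configuration file, and backing up the RT_Database files) are easy to get subtly wrong: a path that does not exist on disk is only noticed when the services fail to start, and a backup copied while the services are still running may be inconsistent. The following script is an added example, not Check Point code. It assumes the configuration file uses the [IndexFile] and [Sorter] sections shown above and that FileNameTemplate, FileSpec_N and TmpDir_N values begin with a path (a trailing size, as in the FileSpec_1 line, is ignored); it assumes the Database files match the glob RT_Database*.db; and it assumes rmdstop and rmdstart are the Solaris stop/start commands (rmdstop is named above; rmdstart is taken from the Nokia IPSO installation steps of this guide and is an assumption for Solaris). On Windows the services would be stopped and started through the Services window instead, so the stop/start commands are parameters.

```python
"""Added example (not Check Point code): pre-flight check of the storage
paths in the SmartView Reporter configuration file, and a verified,
compressed backup of the RT_Database files taken with the services down."""
import configparser
import glob
import gzip
import hashlib
import os
import shutil
import subprocess
import tempfile

# Keys whose value begins with a path, per the [IndexFile]/[Sorter] edits
# described above.  FileNameTemplate is matched by name in any section
# (assumption: its section name is not needed for the check).
PATH_KEY_PREFIXES = ("filenametemplate", "filespec_", "tmpdir_")


def check_storage_paths(ini_text, base_dir="."):
    """Return [(section, key, directory)] for every path whose directory is
    missing.  Values may carry a trailing size ("E:/RT_Database.db 2147483647"),
    so only the first whitespace-separated token is treated as the path.
    Relative paths are resolved against base_dir (assumed to be the
    SmartView Reporter installation directory)."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep key case exactly as written in the file
    cp.read_string(ini_text)
    missing = []
    for section in cp.sections():
        for key, value in cp.items(section):
            if not key.lower().startswith(PATH_KEY_PREFIXES):
                continue
            tokens = value.split()
            path = tokens[0] if tokens else ""
            # TmpDir_N names a directory; the log template and FileSpec_N
            # name files, so their parent directory is what must exist.
            directory = path if key.lower().startswith("tmpdir_") else os.path.dirname(path)
            if not os.path.isdir(os.path.join(base_dir, directory)):
                missing.append((section, key, directory))
    return missing


def sha256_of(path, opener=open):
    """SHA-256 of a file; pass opener=gzip.open to hash a .gz file's content."""
    h = hashlib.sha256()
    with opener(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def backup_database(db_dir, backup_dir, stop_cmd=("rmdstop",),
                    start_cmd=("rmdstart",), run=subprocess.run):
    """Stop the services, gzip every RT_Database*.db into backup_dir, verify
    each copy against the original's SHA-256, then restart the services.
    Returns {file name: sha256 of the original} for the recovery record."""
    files = sorted(glob.glob(os.path.join(db_dir, "RT_Database*.db")))
    if not files:
        raise FileNotFoundError("no RT_Database*.db files in %s" % db_dir)
    os.makedirs(backup_dir, exist_ok=True)
    # The guide states backups need the same space as the originals; check
    # that before taking the services down, not after.
    needed = sum(os.path.getsize(f) for f in files)
    if shutil.disk_usage(backup_dir).free < needed:
        raise OSError("need %d bytes free in %s" % (needed, backup_dir))
    run(list(stop_cmd), check=True)  # files are open while services run
    try:
        digests = {}
        for src in files:
            name = os.path.basename(src)
            dst = os.path.join(backup_dir, name + ".gz")
            with open(src, "rb") as fin, gzip.open(dst, "wb") as fout:
                shutil.copyfileobj(fin, fout)
            original, copy = sha256_of(src), sha256_of(dst, gzip.open)
            if original != copy:
                raise IOError("backup of %s does not match the original" % name)
            digests[name] = original
    finally:
        run(list(start_cmd), check=True)  # restart even if a copy failed
    return digests


if __name__ == "__main__":
    # Constructed demo data in a temp directory; services are not touched.
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "db"))
    with open(os.path.join(root, "db", "RT_Database.db"), "wb") as f:
        f.write(b"constructed sample content\n" * 100)
    ini = "[IndexFile]\nFileSpec_1=db/RT_Database.db 2147483647\n[Sorter]\nTmpDir_1=./Sort\n"
    print("missing:", check_storage_paths(ini, base_dir=root))
    print(backup_database(os.path.join(root, "db"), os.path.join(root, "bak"),
                          run=lambda cmd, check: print("would run", cmd)))
```

Run check_storage_paths before restarting the services after editing the configuration file, and keep the returned digests with the backup so that a later restore can be verified against them.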
Smart viewreporter

  • 1. SmartView Reporter NG with Application Intelligence (R55) For additional technical information about Check Point products, consult Check Point’s SecureKnowledge at http://support.checkpoint.com/kb/ See the latest version of this document in the User Center at: http://www.checkpoint.com/support/technical/documents/docs_r55.html Part No.: 700727 October 2003
  • 2. © 2002-2004 Check Point Software Technologies Ltd. CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE All rights reserved. This product and related documentation are protected by copyright SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. and distributed under licensing restricting their use, copying, distribution, and decompilation. No part of this product or related documentation may be reproduced in The following statements refer to those portions of the software copyrighted by The any form or by any means without prior written authorization of Check Point. While OpenSSL Project. This product includes software developed by the OpenSSL Project for every precaution has been taken in the preparation of this book, Check Point assumes use in the OpenSSL Toolkit (http://www.openssl.org/).* THIS SOFTWARE IS PROVIDED BY no responsibility for errors or omissions. This publication and features described herein THE OpenSSL PROJECT ``AS IS'' AND ANY * EXPRESSED OR IMPLIED WARRANTIES, are subject to change without notice. INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. RESTRICTED RIGHTS LEGEND: IN NO EVENT SHALL THE OpenSSL PROJECT OR ITS CONTRIBUTORS BE LIABLE Use, duplication, or disclosure by the government is subject to restrictions as set forth FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR in subparagraph (c)(1)(ii) of the Rights in Technical Data and Computer Software clause CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF at DFARS 252.227-7013 and FAR 52.227-19. 
SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, TRADEMARKS: WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF Check Point, the Check Point logo, ClusterXL, ConnectControl, FireWall-1, FireWall-1 ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. GX, FireWall-1 SecureServer, FireWall-1 SmallOffice, FireWall-1 VSX, FireWall-1 XL, FloodGate-1, INSPECT, INSPECT XL, IQ Engine, MultiGate, Open Security Extension, The following statements refer to those portions of the software copyrighted by Eric Young. OPSEC, Provider-1, SecureKnowledge, SecurePlatform, SecureXL, SiteManager-1, THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND ANY EXPRESS OR SmartCenter, SmartCenter Pro, SmartDashboard, SmartDefense, SmartLSM, IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED SmartMap, SmartUpdate, SmartView, SmartView Monitor, SmartView Reporter, WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE SmartView Status, SmartView Tracker, SmartConsole, TurboCard, Application ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE Intelligence, SVN, UAM, User-to-Address Mapping, UserAuthority, VPN-1, VPN-1 FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR Accelerator Card, VPN-1 Net, VPN-1 Pro, VPN-1 SecureClient, VPN-1 SecuRemote, CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF VPN-1 SecureServer, VPN-1 SmallOffice and VPN-1 VSX are trademarks or registered SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR trademarks of Check Point Software Technologies Ltd. or its affiliates. All other product BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, names mentioned herein are trademarks or registered trademarks of their respective WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR owners. 
OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF The products described in this document are protected by U.S. Patent No. 6,496,935, ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. Copyright © 1998 The Open 5,606,668, 5,699,431 and 5,835,726 and may be protected by other U.S. Patents, Group. foreign patents, or pending applications. The following statements refer to those portions of the software copyrighted by THIRD PARTIES: Jean-loup Gailly and Mark Adler Copyright (C) 1995-2002 Jean-loup Gailly and Mark Adler. This software is provided 'as-is', without any express or implied Entrust is a registered trademark of Entrust Technologies, Inc. in the United States and warranty. In no event will the authors be held liable for any damages arising from other countries. Entrust’s logos and Entrust product and service names are also trademarks the use of this software. Permission is granted to anyone to use this software for of Entrust Technologies, Inc. Entrust Technologies Limited is a wholly owned subsidiary of any purpose, including commercial applications, and to alter it and redistribute it Entrust Technologies, Inc. FireWall-1 and SecuRemote incorporate certificate management freely, subject to the following restrictions: technology from Entrust. 1. The origin of this software must not be misrepresented; you must not claim that you wrote the original software. If you use this software in a product, an Verisign is a trademark of Verisign Inc. acknowledgment in the product documentation would be appreciated but is not required. The following statements refer to those portions of the software copyrighted by University of 2. Altered source versions must be plainly marked as such, and must not be Michigan. Portions of the software copyright © 1992-1996 Regents of the University of misrepresented as being the original software. Michigan. All rights reserved. 
Redistribution and use in source and binary forms are permitted provided that this notice is preserved and that due credit is given to the University 3. This notice may not be removed or altered from any source distribution. of Michigan at Ann Arbor. The name of the University may not be used to endorse or promote products derived from this software without specific prior written permission. This software is provided “as is” without express or implied warranty. Copyright © Sax Software The following statements refer to those portions of the software copyrighted by the (terminal emulation only). Gnu Public License. This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any The following statements refer to those portions of the software copyrighted by Carnegie later version. This program is distributed in the hope that it will be useful, but Mellon University. WITHOUT ANY WARRANTY; without even the implied warranty of Copyright 1997 by Carnegie Mellon University. All Rights Reserved. MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Permission to use, copy, modify, and distribute this software and its documentation for any General Public License for more details.You should have received a copy of the purpose and without fee is hereby granted, provided that the above copyright notice appear GNU General Public License along with this program; if not, write to the Free in all copies and that both that copyright notice and this permission notice appear in Software Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. 
supporting documentation, and that the name of CMU not be used in advertising or publicity pertaining to distribution of the software without specific, written prior permission.CMU The following statements refer to those portions of the software copyrighted by Thai Open DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE, INCLUDING ALL Source Software Center Ltd and Clark Cooper Copyright (c) 2001, 2002 Expat maintainers. IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS, IN NO EVENT SHALL Permission is hereby granted, free of charge, to any person obtaining a copy of this CMU BE LIABLE FOR ANY SPECIAL, INDIRECT OR CONSEQUENTIAL DAMAGES OR software and associated documentation files (the "Software"), to deal in the Software ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, without restriction, including without limitation the rights to use, copy, modify, merge, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE whom the Software is furnished to do so, subject to the following conditions: The above OF THIS SOFTWARE. copyright notice and this permission notice shall be included in all copies or substantial portions of the Software. THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY The following statements refer to those portions of the software copyrighted by The Open OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE Group. WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, NONINFRINGEMENT. 
IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN NONINFRINGEMENT. IN NO EVENT SHALL THE OPEN GROUP BE LIABLE FOR ANY CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. Check Point Software Technologies Ltd. U.S. Headquarters: 800 Bridge Parkway, Redwood City, CA 94065, Tel: (650) 628-2000 Fax: (650) 654-4233, info@CheckPoint.com International Headquarters: 3A Jabotinsky Street, Ramat Gan, 52520, Israel, Tel: 972-3-753 4555 Fax: 972-3-575 9256, http://www.checkpoint.com
  • 3. Table Of Contents Chapter 1 Getting Started Installing SmartView Reporter 5 Overview 5 Standalone Installation 6 Distributed Installation 9 Starting SmartView Reporter 21 Chapter 2 SmartView Reporter The Need for Reports 27 SmartView Reporter Solution 28 SmartView Reporter — Overview 28 Log Consolidation Process 30 SmartView Reporter Standard Reports 32 SmartView Reporter Express Reports 33 Predefined Reports 33 SmartView Reporter Considerations 35 Standalone vs. Distributed Deployment 35 Log Availability vs. Log Storage and Processing 36 Log Consolidation Phase Considerations 36 Report Generation Phase Considerations 37 SmartView Reporter Configuration 38 Basic Configuration Scenario 38 Required Security Policy Configuration 39 Express Reports Configuration 40 Report Generation Configuration 40 Consolidation Policy Configuration 45 SmartView Reporter Database Management 49 Chapter 3 How To SmartView Reporter Instructions 55 How to re-consolidate logs according to a different Consolidation Policy 55 How to generate reports based on data unavailable in the Database 56 How to include URL information in web activity reports 56 How to retain log fields not listed in the Store Properties window 57 How to adapt reports to your specific needs 57 How to schedule generations of the same report using different settings (a different output or style) 58 How to recover the SmartView Reporter Database 58 How to interpret report results whose direction is “other” 58 How to view report results without the SmartView Reporter Client 58 How to upload reports to a web server 59 Table of Contents 3
  • 4. How to upload reports to an FTP server 60 How to improve performance 61 Appendix A Out_of_the_box Consolidation Policy Overview 65 Out_of_the_box Consolidation Rules 66 Appendix B Predefined Reports Executive Reports 69 Network Activity Reports 71 Security Reports 74 VPN-1 Reports 74 User Activity Reports 75 System Information Reports 76 My Reports 76 Index 77 4
  • 5. CHAPTER 1 Getting Started In This Chapter Installing SmartView Reporter page 5 Starting SmartView Reporter page 21 Installing SmartView Reporter In This Section Overview page 5 Standalone Installation page 6 Distributed Installation page 9 Overview SmartView Reporter can be installed in either a “Standalone” installation, or a “Distributed” installation: • Standalone installation — SmartView Reporter is installed on the SmartCenter Server machine. • Distributed installation — SmartView Reporter is installed on a machine dedicated to reporting purposes. In addition, SmartView Reporter Add-on is installed on the SmartCenter Server machine. The add-on contains both data files (with report definitions) and a component that allows SmartDashboard to connect to SmartView Reporter Server. A distributed installation requires establishing Secure Internal Communication (SIC) between the two machines. The distributed installation is recommended, since it provides better performance. 5
  • 6. Installing SmartView Reporter Performance Tips To maximize the performance of your SmartView Reporter Server, follow these guidelines: Hardware Recommendations • Use a computer that matches the minimum hardware requirements, as specified in the Release Notes at: http://www.checkpoint.com/techsupport/installation/ng/release_notes.html • Configure the network connection between the SmartView Reporter Server machine and the SmartCenter, or the Log server, to the optimal speed. • Use the fastest disk available with the highest RPM (Revolutions per Minute). • Increase computer memory. It significantly improves performance. Installation Choose a distributed configuration, dedicating a computer to Consolidation and Report generation operations only. Supported Platforms Windows and Solaris platforms support both standalone and distributed installations. Linux and Nokia platforms support only SmartView Reporter Add-on Installation in a distributed configuration. Linux and Nokia platforms do not support a Standalone Installation or a SmartView Reporter server in a distributed configuration. Standalone Installation In This Section Windows Platform page 6 Solaris Platform page 9 Windows Platform 1 In order to begin the installation, login as an Administrator and launch the Wrapper by double-clicking on the setup executable. 2 Select the products that you would like to install. The following components represent the minimum standalone component requirements for SmartView Reporter: 6
  • 7. Standalone Installation • SmartCenter • SmartConsole • SmartView Reporter FIGURE 1-1 Standalone Deployment - for Windows Depending on the components that you have chosen to install, you may need to take additional steps before reaching step 3. 3 Verify the default directory, or browse to new location in which SmartView Reporter will be installed. 4 Select Local SmartView Reporter Installation in order to install SmartView Reporter on the local machine. 5 Verify the default directory, or browse to new location in which the output files created by SmartView Reporter’s output will be generated. Click Next and reboot the machine in order to complete the installation of the SmartView Reporter and to continue with the next phase of the installation. 6 Launch SmartDashboard. 7 Edit the host properties for the SmartView Reporter machine. Chapter 1 Getting Started 7
  • 8. Installing SmartView Reporter FIGURE 1-2 Edit the Host properties 8 Deselect and reselect the SmartView Reporter checkbox. Without explicitly selecting this field, the SmartView Reporter will not function. To end off, click OK. FIGURE 1-3 Select SmartView Reporter in the listbox 8
  • 9. Distributed Installation 9 After activating the SmartView Reporter host, install the Security Policy, (Policy>Install) or install the database (Policy>Install Database) in order to make the SmartView Reporter fully functional. Solaris Platform 1 In order to begin the installation, mount the CD on the relevant subdirectory and launch the wrapper as follows: 2 In the mounted directory, run the script: UnixInstallScript. 3 Read and if you accept the End-User License Agreement (EULA), click Yes. 4 Select whether you would like to perform an upgrade or create a new installation. 5 Continue from step 2 on page 6 in order to complete the process. FIGURE 1-4 Standalone Deployment - for Solaris Distributed Installation In a distributed installation, SmartView Reporter is installed on a different machine to that of the SmartCenter server. Chapter 1 Getting Started 9
  • 10. Installing SmartView Reporter In This Section Windows Platform page 10 Solaris Platform page 14 Linux page 16 Nokia IPSO page 17 Windows Platform This installation process consists of three phases: • Install SmartView Reporter • Install SmartCenter and the SmartView Reporter Add-On • Prepare SmartView Reporter in SmartCenter Phase 1 - Installing the SmartView Reporter 1 Select SmartView Reporter and SmartConsole (optionally) for installation. Note - Although SmartConsole does not have to be installed on this machine, if it is, you have direct UI access to the SmartCenter server from this machine, thereby simplifying the final installation steps. FIGURE 1-5 Distributed deployment - for Windows 10
  • 11. Distributed Installation Depending on the components that you have chosen to install, you may need to take additional steps (such as installing other components and/or license management) before reaching step 2. 2 Verify the default directory, or browse to new location in which SmartView Reporter will be installed. 3 Select a folder in which the output files created by SmartView Reporter’s output will be generated. Depending on the components that you have chosen to install, you may need to take additional steps before reaching step 4. 4 Enter the Activation Key in the specified fields. Remember the key; you will need to enter it at a later stage. Click Finish in order to complete the installation of the SmartView Reporter. FIGURE 1-6 SIC activation Phase 2 – Installing SmartCenter and the SmartView Reporter Add-On SmartCenter installation is described in the Getting Started guide. Only the portion that is related to SmartView reporter is discussed in this section. Chapter 1 Getting Started 11
  • 12. Installing SmartView Reporter 5 Install the SmartCenter server on a separate machine by selecting SmartCenter and select SmartView Reporter, so that the SmartView Reporter Add-on is also installed during the SmartCenter installation. FIGURE 1-7 Installing SmartCenter and the SmartView Reporter Add-On on a Windows Platform 6 During the SmartCenter installation a window is displayed in which you will be prompted to select the SmartView Reporter Setup Type. Select SmartView Reporter SmartCenter Add-on so that SmartCenter can connect to the distributed SmartView Reporter. 7 Reboot the machine in order to complete the installation. Phase 3 – Preparing SmartView Reporter in SmartCenter 8 Launch SmartDashboard. (SmartDashboard is installed during the SmartConsole installation). 9 Create a new host for the SmartView Reporter machine. 12
  • 13. Distributed Installation FIGURE 1-8 Create New SmartView Reporter Host 10 In the General Properties window, select SmartView Reporter. Then click the Communication button. FIGURE 1-9 Initialize SIC 11 Enter the Activation Key that was created in step 4 during the SmartView Reporter installation. 12 After activating the SmartView Reporter host, install the Security Policy, (Policy>Install) or install the database (Policy>Install Database) in order to make the SmartView Reporter fully functional. Chapter 1 Getting Started 13
  • 14. Installing SmartView Reporter FIGURE 1-10Enter the Activation Key Solaris Platform This installation process consists of three phases: • Install the SmartView Reporter • Install SmartCenter and the SmartView Reporter Add-On • Preparing SmartView Reporter in SmartCenter Phase 1 – Installing the SmartView Reporter 1 Select SmartView Reporter and SmartConsole (optionally) for installation. FIGURE 1-11Standalone Deployment - for Solaris 14
  • 15. Distributed Installation Depending on the components that you have chosen to install, you may need to take additional steps before reaching step 3. 2 Select a folder in which the output files created by SmartView Reporter’s output will be generated. FIGURE 1-12Solaris - default directory Depending on the components that you have chosen to install, you may need to take additional steps before reaching step 3. 3 Enter the Activation Key in the specified fields. Remember the key; you will need to enter it at a later stage. Click Finish to complete the installation of the SmartView Reporter. Chapter 1 Getting Started 15
  • 16. Installing SmartView Reporter FIGURE 1-13Solaris Activation Key 4 In order to complete the installation, continue from “Phase 2 – Installing SmartCenter and the SmartView Reporter Add-On” on page 11. Note - Although the interface is different, the installation process performed on a Windows platform is the same as the installation process performed on a Solaris platform. Linux The SmartView Reporter machine can be installed either on Solaris or Windows. For details on installing SmartView Reporter machine, please refer to “Phase 1 - Installing the SmartView Reporter” on page 10 for installation instructions. Installing the SmartCenter Machine and the SmartView Reporter Add-On SmartCenter installation is described in its own document. Only the portion that is related to SmartView reporter is discussed here. 1 When installing SmartCenter select SmartView Reporter, so that the SmartView Reporter Add-on can be installed during as part of the SmartCenter installation. 16
FIGURE 1-14 Install SmartView Reporter on Linux

2 The SmartView Reporter installation type is automatically set to SmartView Reporter SmartCenter Add-on, so that SmartCenter can connect to the distributed SmartView Reporter.

3 In order to complete the installation, continue from “Phase 3 – Preparing SmartView Reporter in SmartCenter” on page 12.

Nokia IPSO

The SmartView Reporter machine can be installed on either Solaris or Windows. For details on installing the SmartView Reporter machine, refer to “Phase 1 - Installing the SmartView Reporter” on page 10.

Installing the SmartCenter Machine and the SmartView Reporter Add-On

SmartCenter installation is described in its own document. Only the portion that relates to SmartView Reporter is discussed here.

1 After installing the Check Point IPSO packages, reboot the machine and run cpconfig.
FIGURE 1-15 Installing Check Point IPSO Packages

2 Log in to IPSO Voyager from a web browser.

FIGURE 1-16 Login to Voyager

3 Select Config to enter the Voyager Configuration screen.
FIGURE 1-17 Click Config to enter the Configuration screen.

4 In the Configuration screen, select Manage Installed Packages.
FIGURE 1-18 Select Manage Installed Packages

5 Make sure that SmartView Reporter NG with Application Intelligence R55 (and any other relevant packages) are set to On and click Apply.
FIGURE 1-19 Activate SmartView Reporter and other relevant packages

6 After clicking Apply, click Save.

7 From a command line terminal to the IPSO machine:
• Log out and then log in to the system.
• Run rmdstart.

8 Reboot the machine.

9 In order to complete the installation, continue from “Phase 3 – Preparing SmartView Reporter in SmartCenter” on page 12.

Starting SmartView Reporter

To start using SmartView Reporter, proceed as follows:

1 Launch the SmartView Reporter Client (FIGURE 1-20).
FIGURE 1-20 SmartView Reporter Client — Main window

2 Display the Management Selection Bar view and verify that logs are indeed being consolidated and saved to the SmartView Reporter Database.
FIGURE 1-21 SmartView Reporter Client — Management Selection Bar view

3 Go back to the Reports Selection Bar view (FIGURE 1-20 on page 22) and ensure that you select the database tables for which to generate the report, as well as a report time frame. Then generate the Standard Network Activity report by selecting it in the Report Tree pane and clicking the generate button in the toolbar.

4 To follow the progress of the report generation, display the Report Generation Selection Bar view (FIGURE 1-22).
FIGURE 1-22 SmartView Reporter Client — Report Generation Selection Bar view

After a brief delay, the Standard Network Activity report result is displayed in your browser (FIGURE 1-23 on page 25).
FIGURE 1-23 Example Standard Network Activity Report Result (callouts: Report Title; Report Time Frame, Log Sources & Generation Time; Report Description; Sections (Hyperlinks))

5 Click a section title to view the results in question. The section’s results are displayed in either a graph unit, a table unit or both types of units. FIGURE 1-24 on page 26 shows example results of section 2, Network Activity by Date, in both a graph unit and a table unit.
FIGURE 1-24 Example Standard Network Activity by Date Section — Graph and Table Formats (callouts: Section Title, Section Description; Unit Title, Unit Description, Unit Results: Graph Format, Unit Legend; Unit Title, Unit Description, Unit Results: Table Format; Unit Terminology)
CHAPTER 2 SmartView Reporter

In This Chapter
The Need for Reports page 27
SmartView Reporter Solution page 28
SmartView Reporter Configuration page 38

The Need for Reports

To manage your network effectively and to make informed decisions, you need to gather information on the network’s traffic patterns. There is a wide range of issues you may need to address, depending on your organization’s specific needs:
• As a Check Point customer, you may wish to check whether your expectations of the products are indeed met.
• From a security point of view, you may be looking for suspicious activities, illegal services, blocked connections or events that generated alerts.
• As a system administrator, you may wish to sort the Security Policy based on how often each Rule is matched, and delete obsolete Rules that are never matched.
• You may be looking for general network activity information, for purposes such as capacity planning.
• From the corporate identity and values perspective, you may want to ensure your employees’ surfing patterns (such as the web sites they access) comply with your company’s policy.
• From a sales and marketing point of view, you may wish to identify the most and the least visited pages on your website, or your most and least active customers.

To address these issues, you need an efficient tool for gathering the relevant information and displaying it in a clear, accurate format.
SmartView Reporter Solution

In This Section
SmartView Reporter — Overview page 28
Log Consolidation Process page 30
SmartView Reporter Standard Reports page 32
Predefined Reports page 33

SmartView Reporter — Overview

Check Point SmartView Reporter delivers a user-friendly solution for monitoring and auditing traffic. You can generate detailed or summarized reports in the format of your choice (list, vertical bar, pie chart etc.) for all events logged by Check Point VPN-1 Pro, SecureClient and SmartDefense.

SmartView Reporter implements a Consolidation Policy, which goes over your original, “raw” log file, identifies events of interest and copies their relevant details into a special, report-specific database (the SmartView Reporter Database). This compact database enables quick and efficient generation of a wide range of reports. The SmartView Reporter solution provides the optimal balance between keeping the smallest report database possible and retaining the most vital information.

A Consolidation Policy is similar to a Security Policy in terms of its structure and management. For example, both Rule Bases are defined through SmartDashboard’s Rules menu and use the same network objects. In addition, just as Security Rules determine whether to allow or deny the connections that match them, Consolidation Rules determine whether to store or ignore the logs that match them. The key difference is that a Consolidation Policy is based on logs, as opposed to connections, and has no bearing on security issues.

FIGURE 2-1 illustrates the Consolidation process, defined by the Consolidation Policy. After the VPN-1 Pro Modules send their logs to the SmartCenter Server, the Log Consolidator Engine collects them, scans them, filters out fields defined as irrelevant, merges records defined as similar and saves them to the SmartView Reporter Database.
FIGURE 2-1 Log Consolidation Process

The SmartView Reporter Server can then extract the consolidated records matching a specific report definition from the SmartView Reporter Database and present them in a report layout (FIGURE 2-2):

FIGURE 2-2 Report Generation Process

Two types of reports can be created: Standard Reports and Express Reports. Standard Reports are generated from information in log files through the Consolidation process, to yield relevant analysis of activity. Express Reports are generated from SmartView Monitor history files and are produced much more quickly. Express Reports also support Provider-1 setups.

SmartView Reporter Standard Reports are supported by two Clients:
• SmartDashboard Log Consolidator — manages the Log Consolidator Engine and the SmartView Reporter Database via the SmartCenter Server. This Client is displayed by launching SmartDashboard and selecting View > Products > Log Consolidator.
• SmartView Reporter Client — generates and manages reports.

FIGURE 2-3 illustrates the SmartView Reporter architecture for Standard Reports:
FIGURE 2-3 SmartView Reporter Standard Report Architecture

The interaction between the SmartView Reporter Client and Server components applies both to a distributed installation (as shown in FIGURE 2-3), where the SmartCenter Server and SmartView Reporter’s server components are installed on two different machines, and to a standalone installation, in which these products are installed on the same machine.

Log Consolidation Process

It is recommended to use the SmartView Log Consolidator’s predefined Consolidation Policy, the out_of_the_box Policy, which is designed to filter out irrelevant logs (such as control messages) and store the most commonly requested ones (such as blocked connection, alert or web activity logs).

The Log Consolidator Engine scans the Consolidation Rules sequentially and processes each log according to the first Rule it matches. FIGURE 2-4 illustrates how the Consolidation Policy processes logs: when a log matches a Consolidation Rule, it is either ignored or stored. If it is ignored, no record of this log is saved in the SmartView Reporter system, so its data is not available for report generation. If it is stored, it is either saved as is (so all log fields can later be represented in reports), or consolidated to the level specified by the Rule.
FIGURE 2-4 Log Process Chart

Consolidation is performed on two levels: the interval at which the log was created and the log fields whose original values should be retained. When several logs matching a specific Rule are recorded within a predefined interval, the values of their relevant fields are saved “as is”, while the values of their irrelevant fields are merged (i.e. “consolidated”) together.

TABLE 2-1 provides a Consolidation example, where three logs of approved NTP connections match the same Consolidation Rule (NTP is a time protocol that gives systems access over the Internet to precise clocks). The Rule’s store options specify that logs generated within a one hour interval should be consolidated into a single record, as long as they share the same values for four fields of interest: destination, interface, Rule name and QoS class. The values of all other fields are either integrated into their shared value (e.g. the shared Rule Number value, 1), or replaced with the term “consolidated” (e.g. the different Source values). The consolidated record includes a connection number column, noting how many logs it represents (in this case, 3).

TABLE 2-1 Consolidation Example

Record        Time   Source        Dest.      I-face  Rule Name  Rule No.  Class  Conn. No.
Log 1         10:00  10.1.3.29     172.0.0.1  hme0    NYC        1         Gold
Log 2         10:25  10.15.2.52    172.0.0.1  hme0    NYC        1         Gold
Log 3         10:59  10.56.60.4    172.0.0.1  hme0    NYC        1         Gold
Cons. Record  10:00  Consolidated  172.0.0.1  hme0    NYC        1         Gold   3

How to interpret User names in DHCP enabled networks

If DHCP address mapping is used, and assuming the DNS knows how to resolve dynamic addresses, the information you see in the report reflects the correct resolution results for the time at which the reported log events were processed by the SmartDashboard Log Consolidator and inserted into the database. Because of the dynamic nature of DHCP address distribution, there is no guarantee that consolidating old log files will produce correct address name resolution. When DHCP is in use, consolidating log files close to the time of their creation improves address resolution accuracy.

SmartView Reporter Standard Reports

The Log Consolidation process results in a database of the most useful, relevant records, known as the SmartView Reporter Database. The information is consolidated to an optimal level, balancing the need for data availability with the need for fast and efficient report generation.

Reports are generated based on a single database table, specified in the Reports Selection Bar view > Standard Reports > Report tab. By default, all consolidated records are saved to the CONNECTIONS table and all reports use it as their data source. However, each time you install and start the Consolidation Policy, you have the option of storing records in a different table. You can further organize these tables by moving records between them as needed and deleting outdated records. Dividing the consolidated records between different tables allows you to set the SmartView Reporter Client to use the table most relevant to your query, thereby improving the SmartView Reporter Server’s performance. In addition, dividing records between tables facilitates managing the SmartView Reporter Database: you can delete outdated tables, export tables you are not currently using to a location outside of the SmartView Reporter Database and import them back when you need them.
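The following Python sketch is an added example, not code from this manual or from Check Point, that models the log processing just described (FIGURE 2-4) and the TABLE 2-1 consolidation: rules are scanned in order and the first match decides whether a log is ignored, stored as is, or consolidated; consolidated logs that fall in the same interval and agree on the fields of interest are merged into one record carrying a connection count, while every other field keeps its shared value or becomes “consolidated”. The rule set, the log values and the field names are constructed for illustration and stand in for the out_of_the_box Policy rather than reproducing it.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Callable, Dict, List, Optional, Tuple

# Constructed sample logs modelled on TABLE 2-1 (addresses and names are illustrative).
# action "ctl" marks a control message, the kind of log the predefined policy drops.
RAW_LOGS = [
    {"time": "10:00", "source": "10.1.3.29",  "dest": "172.0.0.1", "iface": "hme0",
     "rule_name": "NYC", "rule_no": 1, "class": "Gold", "service": "ntp", "action": "accept"},
    {"time": "10:25", "source": "10.15.2.52", "dest": "172.0.0.1", "iface": "hme0",
     "rule_name": "NYC", "rule_no": 1, "class": "Gold", "service": "ntp", "action": "accept"},
    {"time": "10:30", "source": "10.1.3.29",  "dest": "172.0.0.1", "iface": "hme0",
     "rule_name": "", "rule_no": 0, "class": "", "service": "ctl", "action": "ctl"},
    {"time": "10:40", "source": "10.1.3.29",  "dest": "172.0.0.1", "iface": "hme0",
     "rule_name": "Cleanup", "rule_no": 9, "class": "Bronze", "service": "http", "action": "drop"},
    {"time": "10:59", "source": "10.56.60.4", "dest": "172.0.0.1", "iface": "hme0",
     "rule_name": "NYC", "rule_no": 1, "class": "Gold", "service": "ntp", "action": "accept"},
    {"time": "11:05", "source": "10.1.3.29",  "dest": "172.0.0.1", "iface": "hme0",
     "rule_name": "NYC", "rule_no": 1, "class": "Gold", "service": "ntp", "action": "accept"},
]


@dataclass
class ConsolidationRule:
    """One row of a Consolidation Policy; the first rule whose match() is true decides."""
    name: str
    match: Callable[[dict], bool]
    action: str                                 # "ignore", "store" (as is) or "consolidate"
    interval: timedelta = timedelta(hours=1)    # consolidation interval
    keep_fields: Tuple[str, ...] = ()           # fields that must agree and are kept as is


# Hypothetical rules standing in for the out_of_the_box Policy (not Check Point's actual rules).
RULES = [
    ConsolidationRule("ignore control messages", lambda l: l["action"] == "ctl", "ignore"),
    ConsolidationRule("store blocked connections as is", lambda l: l["action"] == "drop", "store"),
    ConsolidationRule("consolidate approved NTP hourly",
                      lambda l: l["service"] == "ntp" and l["action"] == "accept",
                      "consolidate", timedelta(hours=1),
                      ("dest", "iface", "rule_name", "class")),
]


def first_matching_rule(log: dict, rules: List[ConsolidationRule]) -> Optional[ConsolidationRule]:
    """Rules are scanned sequentially; the first match wins, as in a Security Policy."""
    for rule in rules:
        if rule.match(log):
            return rule
    return None


def interval_start(time_str: str, interval: timedelta) -> str:
    """Floor an HH:MM timestamp to the start of its consolidation interval."""
    t = datetime.strptime(time_str, "%H:%M")
    start = t - (t - datetime.min) % interval
    return start.strftime("%H:%M")


def consolidate(logs: List[dict], rules: List[ConsolidationRule]) -> List[dict]:
    """Run logs through the policy; return the records that reach the database.

    Every record carries a conn_no column counting the logs it represents.
    Logs matching no rule are treated as ignored (an assumption; the manual does
    not state the default for unmatched logs).
    """
    records: List[dict] = []
    buckets: Dict[tuple, dict] = {}   # (rule, interval start, kept values) -> open record
    for log in logs:
        rule = first_matching_rule(log, rules)
        if rule is None or rule.action == "ignore":
            continue                                   # no trace of this log is kept
        if rule.action == "store":
            records.append(dict(log, conn_no=1))       # every field kept as is
            continue
        start = interval_start(log["time"], rule.interval)
        key = (rule.name, start, tuple(log[f] for f in rule.keep_fields))
        rec = buckets.get(key)
        if rec is None:
            rec = dict(log, time=start, conn_no=0)     # record time is the interval start
            buckets[key] = rec
            records.append(rec)
        rec["conn_no"] += 1
        # Fields of no interest keep a shared value; differing values become "consolidated".
        for field, value in log.items():
            if field == "time" or field in rule.keep_fields:
                continue
            if rec[field] != value:
                rec[field] = "consolidated"
    return records


if __name__ == "__main__":
    for rec in consolidate(RAW_LOGS, RULES):
        print(rec)
```

With the constructed input, the three approved NTP logs between 10:00 and 10:59 collapse into one record (source “consolidated”, rule number 1, connection count 3), the control message leaves no trace, the dropped HTTP connection is stored with all its fields, and the 11:05 NTP log opens a new record because it falls in the next hourly interval.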
SmartView Reporter Express Reports

Express Reports are based on data collected by Check Point system counters and SmartView Monitor history files. Standard Reports, in contrast, are based on Log Consolidator logs. Because Express Reports present historical data, they can be generated more quickly. SmartView Reporter Express Reports are supported by one Client, the SmartView Reporter Client. To configure your system to generate Express Reports, see “Express Reports Configuration” on page 40.

FIGURE 2-5 illustrates the SmartView Reporter architecture for Express Network Reports:

FIGURE 2-5 SmartView Reporter Express Report Architecture

Predefined Reports

The SmartView Reporter Client offers a wide selection of predefined reports for both Standard and Express reporting, designed to cover the most common network queries from a variety of perspectives.

Report Subjects

The reports are grouped by the following subjects, allowing you to easily locate the one you need:
• Network Activity (Standard, Express) — this subject includes reports that enable you to analyze the most popular activities in your network. You can examine your network activity as a whole or focus on a specific direction (incoming, outgoing or internal) or activity type (web, ftp or Email). For example, to study network traffic inside your organization, you can investigate how your web servers, mail servers and firewalled gateways handle the network load; see which services use most of the available bandwidth; and find out what the most popular web sites are. You can detect illegal network traffic, such as connections to banned web sites or use of prohibited services. To examine network usage by external sources, you can explore which sources access the corporate web site, how often and for how long. A report dedicated to FireWall-1 activity allows you to identify its top services, sources and destinations. The records are organized both by their direction and by the action taken by the firewall. In addition, you can follow the distribution of firewall activity over various time frames (your working hours, week days and the selected date range).
• Security (Standard, Express) — this subject includes reports that allow you to focus on all security-related traffic in your network. For example, you can inspect connections whose origin or destination is the FireWall-1 machine, monitor security attacks detected by SmartDefense, or analyze blocked connections and FireWall-1 alerts. In addition, you can detect Policy Installations and analyze the Rule Base order on a specific gateway. Identifying the top matched rules versus the least matched rules allows you to sort the Security Policy in the most efficient way.
• User Activity (Standard) — this subject includes reports that provide you with information on how users inside your organization, as well as remote SecureClient users, utilize your network resources. You can identify peak activity patterns, in terms of the most active users, the most commonly used services, the most active working hours or week days etc.
• VPN-1 (Standard, Express) — this subject includes reports that allow you to analyze various aspects of your encrypted traffic, such as its distribution over time, the top services or sources etc. You can examine your VPN-1 activity as a whole, or focus on a specific VPN Tunnel or VPN Community.
• Executive (Standard, Express) — offers a selection of reports from various subjects that are of special interest to executives, such as the Network Activity or User Activity reports.
• System Info (Express) — this subject includes reports that allow you to analyze various aspects of system load and operational activity, including CPU usage, kernel usage, and memory usage.
• My Reports (Standard, Express) — select predefined reports and customize them to your needs.

For descriptions of each predefined report available, see Appendix B, “Predefined Reports”.
Report Structure

Each report consists of a collection of sub-topics known as sections, which cover various aspects of the report. For example, the User Activity report consists of sections such as User Activity by Date, Top Users, Top User Activity Services etc. Each section consists of units, which display the same results in different formats, for your convenience. For example, the User Activity by Date section displays the same data in two units: a graph and a table.

Customizing Predefined Reports

If you have a specific query that is not directly addressed by the predefined reports, you can easily customize the report that is closest to your needs (by changing its date range, filters etc.) to provide the desired information. You can save the customized report under a different name in the report subject dedicated to user-defined reports, My Reports.

SmartView Reporter Considerations

In This Section
Standalone vs. Distributed Deployment page 35
Log Availability vs. Log Storage and Processing page 36
Log Consolidation Phase Considerations page 36
Report Generation Phase Considerations page 37

SmartView Reporter’s default options have been designed to address the most common reporting needs. However, to maximize the product’s benefits, it is recommended that you adapt it to your specific profile. This section describes the considerations you should take into account before starting to use SmartView Reporter.

Standalone vs. Distributed Deployment

In a standalone deployment, all SmartView Reporter server components (the Log Consolidator Engine, the SmartView Reporter Database and the SmartView Reporter Server) are installed on the Check Point SmartCenter Server machine. In a distributed deployment, the SmartView Reporter server components and the SmartCenter Server are installed on two different machines and communicate through a special Log Consolidator Add-on installed on the SmartCenter Server.
The standalone deployment saves dedicating a separate machine to SmartView Reporter, but the distributed deployment significantly improves your system’s performance.

Log Availability vs. Log Storage and Processing

Since all SmartView Reporter operations are performed on the logs you have saved, the extent to which you can benefit from this product depends on the quality of the available logs. Therefore, you must ensure your Security Policy is indeed tracking (logging) all events you may later wish to see in your reports.

In addition, you should consider how accurately your logs represent your network activity. If only some of your Rules are tracking the events that match them, the proportions of those events in your reports will be distorted. For example, if only the blocked connections Rule is generating logs, the reports will give you the false impression that 100% of the activity in your network consisted of blocked connections. On the other hand, tracking every connection results in an inflated log file, which not only requires more storage space and additional management operations, but significantly slows down the Consolidation process.

Log Consolidation Phase Considerations

Record Availability vs. Database Size

Reports are a direct reflection of the records stored in the SmartView Reporter Database. To generate detailed, wide-ranging and accurate reports, the corresponding data must be available in the Database. However, effective database management requires keeping the database size under 20 GB. As the consolidated records accumulate in the Database, the tables where they are saved may become quite large. The data gradually approaches the disk space limit, using more and more memory and slowing down the SmartView Reporter processes (especially the data retrieval for report generation). Carefully consider which logs you wish to store, and to what extent you wish to consolidate them.

Saving Consolidated Records to One vs. Multiple Database Tables

A report is generated based on a single table. If you save all consolidated records to the same table, all the data is readily accessible and you are saved the trouble of moving records between tables and selecting the appropriate source table for each report you wish to generate.
Dividing the records between different tables reduces the report generation time and allows you to maintain a useful Database size by exporting tables you are not currently using to an external location.

Report Generation Phase Considerations

Adapting the Report’s Detail Level to your Needs

When a report is very detailed, it may become difficult to sort out the most significant results and understand the network’s status. To achieve the optimal balance between getting all the information you need and excluding excessive records, closely examine the report’s date range, filters (source, destination, service etc.) and filter values, and adjust them to pinpoint details.

Generating only selected sections and units

By default, all report sections and their units are included in the report generation. However, to get results faster and improve your machine’s performance, you can generate only selected sections and units (by unchecking all others in the Report Tree pane).

Scheduling reports

The Schedule feature allows you to set both delayed and periodic report generations. If you wish to produce a detailed and lengthy report, you should consider postponing its generation and scheduling it so that it does not interfere with your employees’ working hours or with times of peak network activity, since such a report generation might slow down your system. In addition, it is useful to identify the reports you require on a regular basis (e.g. a daily alerts report or a monthly user activity report) and schedule their periodic generation.

Report output (display, Email, file, printer etc.)

All predefined report results are displayed on your screen and saved to the SmartView Reporter Server.
By default, the report is saved in HTML output in an index.htm file, and in CSV (Comma Separated Values) format in a tables.csv file. The HTML file includes descriptions and graphs, but the CSV file contains only the report table units, without a table of contents, descriptions or graphs. The tables.csv file is provided to enable convenient table import into applications like Excel.

TABLE 2-2 Report Files and Formats

File Format   HTML                                      CSV
File Name     index.htm                                 tables.csv
Includes      Table of contents, tables,                Data only. Cell values separated by commas.
              descriptions, graphs.                     Rows and tables separated by lines.

Before generating a report, determine whether you want it to be saved or sent to additional or different targets. For example, when you generate a user activity-related report, you may wish to make it available to all managers in your organization by sending them the output via Email or by placing it on your intranet.

SmartView Reporter Configuration

In This Section
Basic Configuration Scenario page 38
Express Reports Configuration page 40
Required Security Policy Configuration page 39
Report Generation Configuration page 40
Consolidation Policy Configuration page 45
SmartView Reporter Database Management page 49

Basic Configuration Scenario

The following procedure allows you to create the most basic SmartView Reporter configuration. Proceed as follows:

1 In SmartDashboard, set the relevant Security Policy Rules to track connections of interest (set each Rule’s Track column to either Log or Account).
2 Launch the SmartView Reporter Client and display the selection bar’s Management view, to verify that consolidated records have been loaded into the SmartView Reporter Database.

3 Display the Reports view, select the database tables to be examined and the time frame for the report, choose the report type, then generate the report.

This general procedure can be used to provide you with any report you are interested in. For example, to generate a report on illegal attempts to connect to your network, proceed as follows:

1 In SmartDashboard, add the following Rule (TABLE 2-3) at the bottom of your Rule Base:

TABLE 2-3 Security Rule Tracking Illegal Attempts to Connect to the Local Network

Source  Destination      VPN  Service  Action  Track  Install On      Time  Comment
Any     Company_network  Any  Any      Drop    Log    Policy Targets  Any   A rule tracking illegal attempts to connect to the local network

2 Launch the SmartView Reporter Client and display the selection bar’s Management view, to verify that consolidated records have been loaded into the SmartView Reporter Database.

3 Display the Reports view and generate the Blocked Connections by Date report.

Required Security Policy Configuration

For a Security Rule to generate logs for connections that match it, the Rule’s Track column should be set to any value other than None (for example, Log generates a standard log, while Account generates an accounting log). Note that in order to obtain accounting information (the number of bytes transferred and the duration of the connection), the value of the Rule’s Track column must be Account.

To utilize direction information (“incoming”, “outgoing”, “internal” or “other”), the organization’s topology must be configured properly. If this is the case, “other” can be used as a security tool, indicating that there were connections whose destination was the firewall itself.
Express Reports Configuration

The following procedure sets SmartView Monitor to collect complete system data in order to produce SmartView Reporter Express Reports. SmartView Monitor settings are enabled through SmartDashboard. Proceed as follows:

1 In the SmartDashboard Network Objects tab of the object tree, select a gateway of interest. Double-click the gateway to open the Check Point Gateway properties window.

2 Enable SmartView Monitor to collect data for reporting purposes through SmartDashboard. (If you do not see SmartView Monitor in the selection on the left, enable it through the General Properties tab: click General Properties, then in the Check Point Products scroll-down list, check SmartView Monitor. It will then appear on the left.) Select SmartView Monitor, and in the SmartView Monitor tab, check all the checkboxes to ensure that SmartView Monitor collects every type of data for reporting purposes.

3 To finish this procedure, in SmartDashboard select Policy > Install Database.

Report Generation Configuration

In This Section
Adapting the Report Properties to your Needs — Overview page 41
SmartView Reporter Database Table page 41
Report Period page 41
Report Filters page 41
Result Calculation and Resolution page 42
Input location page 43
Output location page 43
Scheduling page 44
Preview page 44
Monitoring the Report Status page 44
Displaying Generated Reports page 45
Additional Settings page 45
Report Generation Command Line page 45
Adapting the Report Properties to your Needs — Overview

When you generate a report, you can either use the report as a whole or run a specific section or unit. You can generate the selected component using its default properties, or adjust these properties to better address your current requirements. This section describes the most important properties you should examine before generating a report.

SmartView Reporter Database Table

By default, consolidated records are retrieved from the SmartView Reporter Database’s CONNECTIONS table. If you have divided your records between several tables, choose the table containing the records you require, e.g. a special table dedicated to records originating from a specific log server, or a table covering the time frame you are interested in. To see which table contains the relevant records, display the Management Selection Bar view. Select the relevant tables through the Standard Reports view’s Reports tab, by selecting the tables in the Other Database Tables drop-down list.

Report Period

All predefined reports are set to cover a default time range of a week to a month. You must change this period to reflect the data’s actual dates and times, and the time period that you wish to examine.

Tuning Report Time Frame

To improve SmartView Reporter Server performance, when setting a user-defined time frame for the report, specify a time frame in whole days. When setting a report period, note that the following settings slow down report generation:
• Relative Time Frame: Today, Yesterday, Last X hours, This week.
• Specific dates: Limit by hour checkbox.
• Reports for short time periods are generated faster than reports for long time periods. A weekly report will be generated much faster than a monthly report.

Report Filters

Reports can be filtered on the most commonly required record fields (e.g. Source, Destination etc.). Specifying the appropriate filter settings is the key to extracting the information you are looking for.
  • 42. SmartView Reporter Configuration For each filter you choose, specify the values (e.g. network objects, services etc.) to be matched out of all values available for that filter. The available values are taken from the SmartCenter Server and are refreshed on a regular basis. If you cannot see a value you have added through SmartDashboard in the available values list, refresh the list by selecting a different filter and then return to the previous one. The SmartView Reporter Client also allows you to include additional objects, by manually adding them to the matched values list. Filters and their values can be specified both on the report level and on its unit level. The report level settings are enforced on the unit level as well (for example, if you choose to include specific sources in the report, these sources will also be included in its units). If you set a specific unit-level filter and then choose a different report-level filter, the latter overrides the former. Tuning Report Filters If you define different filters for different units that share the same cached SQL, the SQL caching will no longer be viable and the report generation time will significantly increase. It is recommended that you define filters at the report level only. Result Calculation and Resolution Data Calculation Scheme By default, report calculations are based on the number of events logged. If you have logged accounting data (done by setting the Security Rule’s Track column to Account), you can base the report calculations on the number of bytes transferred. Sort Parameter You may sort the results by one of two parameters: the number of bytes transferred and the number of events logged. Note that an event takes on different meanings, depending on its context. In most cases, the number of events refers to the number of connections. Access this through the Tools > Options menu. 
The number of bytes transferred can be calculated only if the Security Rules' Track column is set to Account. The number of events logged can be calculated as long as the Track column is set to Log or Account. If both types of information are available, both are displayed in the sort order you have specified. For example, a table listing the most active sources in your system can first give the number of events each source generated and then note the number of bytes related to its activity. In addition, the unit's Unit tab allows you to select the resolution type (byte or time) and its level.
Format

If user names are stored in an LDAP server, the names in the FireWall-1 log files include the full LDAP path. The way the report shows the user name can be changed through the Tools menu > Options > General tab. By default, the Show abbreviated LDAP user name check box is selected, so that generated reports display only the user name part of the full LDAP name. To see the name with its full LDAP path, clear this check box.

Input location

The modules from which you collect data can be modified through the report's Input tab, which lets you select the following:
• the module or modules of origin
• whether to collect data per module or as a group, if you have selected more than one module

Output location

Report results are saved in subdirectories of the Results subdirectory of the SmartView Reporter Server as follows:

Result\NG_AI\bin\<Report Name>\<Generation Date & Time>

For each report, a directory with the report's name "<Report Name>" is created in bin, with a subdirectory named with the generation date and time "<Generation Date & Time>". The report is generated into this "<Generation Date & Time>" subdirectory.

The result location can be modified by selecting Tools > Options from the menu and specifying the desired location in the Result Location field of the Options window's Generation page.

In addition to saving the result on the SmartView Reporter Server, you can send it to any of the following:
• The Client's display (the default setting).
• Email recipients.
• An FTP or a web server. See "How to upload reports to an FTP server" on page 60.

The Mail Information page of the Options window allows you to specify both the sender's Email address and the mail server to be used. It also allows you to specify the degree of message severity (Information, Warning or Error) that is to be sent to the administrator.
The Mail Information page of the Tools > Options window allows you to specify that an administrator receive warnings about errors. To enable this option, fill in the Administrator email address and choose the severity levels for which a message is sent by checking one or more of them in the Specify the severity of the administrator email notification section.

Scheduling

Schedules are managed through the report's Schedule tab. All schedules of all reports defined in the system can be viewed through the Schedules option of the Selection Bar's Management view. To improve performance, schedule report generation for times when there is less traffic and fewer logs are being generated, so that the log consolidator is consuming fewer resources; for example, schedule reports for nights and weekends.

History

The reporting server can store a limited number of report-generation status records. To modify the amount of information stored, go to the Tools > Options window, select the History page and modify the Report history size. When the number of status records passes the limit, the oldest status record is deleted. You can decide whether the associated generated report should be deleted as well by changing the Report output delete method setting. In addition, you can specify the maximum number of Consolidation Status records displayed in the Management view by modifying the Consolidation history size.

Preview

If the report you wish to generate covers a wide time frame (e.g. a quarterly network activity report), its generation may be time consuming. To verify that you have chosen the appropriate settings, you can test the output by generating a partial preview of the report (select Actions > Preview Report from the menu). The Preview option (set by selecting Tools > Options... from the menu) specifies the percentage (1 to 20) of the report time frame to be included in the preview.
For example, if the report period covers 30 days and you set the preview to 10%, the preview only shows records logged during the first three days of that time frame.

Monitoring the Report Status

The Currently Active option of the Selection Bar's Report Generation view allows you to follow the progress of report generation. Once generation is complete, it is recorded in the view's History option.
Displaying Generated Reports

The History option of the Selection Bar's Report Generation view lists all past report generations. Double-click any generation record to display the report it describes.

Additional Settings

The Options window allows you to specify additional settings, including the name and location of the logo displayed in the report header, where to Email reports, and report-sorting settings. By default, the logo file is saved in the SmartViewReporter\NG\bin directory.

Report Generation Command Line

For your convenience, reports can be generated both through the SmartView Reporter Client and through the command line. Generating reports with the command-line GeneratorApp has the following limitations:
• No report status updates in the Report Generation view's Currently Active window.
• No distribution of the report result.

To generate reports through the command line, go to the SmartViewReporter\NG\bin directory on the SmartView Reporter Server machine and run the following command:

Usage: GeneratorApp.exe [Directory/""] {ReportID}

For example, to generate the Security report, whose ID is {475AD890-2AC0-11d6-A330-0002B3321334}, run the following command:

GeneratorApp.exe c:\reports\Security {475AD890-2AC0-11d6-A330-0002B3321334}

If the directory is empty (""), <Result directory>\<Report Name>\<Generation Date & Time> is used as the directory. The default location is:

c:\Program Files\CheckPoint\SmartViewReporter\NG\Results

For a list of all Report IDs, see Appendix B, "Predefined Reports."

Consolidation Policy Configuration
In This Section

Overview page 46
Customizing Predefined Consolidation Rules page 48
Setting the Log Consolidator Engine to Scan Specific Logs page 48
Committing Consolidated Logs to a Specific Database Table page 49
Configuring the Log Consolidator Engine's DNS Settings page 49
Monitoring the Log Consolidator Engine and Database Statuses page 49

Overview

The out_of_the_box Consolidation Policy has been designed to address the most common consolidation needs. If you have specific consolidation needs that are not covered by this Policy, the Consolidation Rules can be modified as needed. To modify the consolidation settings, proceed as follows:

1 Display the SmartDashboard's Log Consolidator view by selecting View > Products > Log Consolidator from the menu.
2 Modify the out_of_the_box Policy's Consolidation Rules as needed.
3 Save the modified Policy under a different name (select File > Save As from the menu and specify the modified Policy's name).
4 Install the modified Consolidation Policy and start the SmartDashboard Log Consolidator (by selecting Policy > Install and Start... from the menu), using the following default settings:
• Fetch logs from the Primary SmartCenter Server.
• Continue the consolidation from its last run (which in this case is the beginning of the fw.log file).
• Save the consolidated records to the default table (CONNECTIONS).

Starting and Stopping the Log Consolidator Engine

Starting the Log Consolidation Engine

If the Log Consolidation Engine is not running, you can start it according to the Consolidation Policy that was last installed. To start the Log Consolidation Engine, choose Start from the Engine menu. The Engine begins running according to the most recently installed Consolidation Policy.
Stopping the Log Consolidation Engine

To stop the Log Consolidation Engine, choose Stop from the Engine menu or click the corresponding button in the toolbar. The Stop Engine window is displayed. Choose one of the following:
• Shutdown — stops the Log Consolidation Engine in an orderly way. All data consolidated up to this point is stored in the Database. Shutdown may take from several minutes to an hour.
• Terminate — stops the Log Consolidation Engine immediately. Data that has been consolidated but not yet stored in the Database is not saved.

Specifying the Consolidation Rule's Store Options

To specify whether logs matching a Consolidation Rule should be skipped or copied to the SmartView Reporter Database, right-click the Rule's Action column and choose Ignore or Store (respectively).

In general, it is recommended to place "Ignore" Rules at the beginning of the Rule Base, especially for services that are logged frequently but are not of interest for reports. "Ignore" Rules do not require consolidation processing and therefore enable the Log Consolidator Engine to move quickly through the logs: an event that matches an "Ignore" Rule does not have to be consolidated and stored, and the Engine can proceed directly to the next entry in the log file.

The Rule order is also based on how frequently services are used. Rules for the most common services are defined before those for less common services, so that the Log Consolidator Engine does not have to scan a lengthy Rule Base in order to process most of your log data.

If you choose to store the logs, double-click the Action cell to specify their storage format in the Store Options window. Choose one of the following:
• As Is — all log fields are stored in the SmartView Reporter Database and are available for report generation. This is the default storage option.
• Consolidated — specify the following consolidation parameters:
  • The interval at which logs matching this Rule are consolidated (e.g. all logs generated within a 10 minute interval). Hourly intervals are measured.
  • The log fields whose original values are retained (in addition to the Product, Origin, Date and Customer log fields, whose values are always saved). The other fields' values are merged (consolidated) with the corresponding values of the logs included in this interval (see "Log Consolidation Process" on page 30).
If you wish to save all stored connections as is, you can disable the consolidation settings of the entire Policy by selecting Policy > Global Properties... from the menu, displaying the Advanced Settings tab of the Log Consolidator Policy Properties window and clearing Consolidate log entries.

By default, the Log Consolidator Engine loads the consolidated records into the SmartView Reporter Database once an hour. To change this, display the Advanced Settings tab of the Log Consolidator Policy Properties window and choose a different value from the Stop consolidation and commit work to database every drop-down list.

Customizing Predefined Consolidation Rules

This section provides instructions on modifying specific out_of_the_box Rules to better address your consolidation requirements. For a detailed description of the out_of_the_box Rules, see Appendix A, "Out_of_the_box Consolidation Policy."

If you wish to filter out all broadcast messages (both allowed and disallowed), proceed as follows:
1 In the Security Policy, define a group of objects with broadcast IP addresses.
2 In the out_of_the_box Consolidation Policy, activate the broadcast Rule and add the broadcast group to its Destination column.

If your network uses a mail server group, you can split the SMTP Rule into the following two Rules that collect data on how mail resources are used:
• A Rule consolidating connections from the mail server group. Records consolidated by this Rule can be used for reports on how mail connections are balanced between the servers. This Rule's Store Options retain the original values of the Authenticated User, Destination and Service log fields.
• A Rule consolidating connections to the mail server group. Records consolidated by this Rule can be used for reports on how local users access the mail servers. This Rule's Store Options retain the original values of the Authenticated User, Source and Service log fields.
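The Rule ordering and Store Options described above, together with the broadcast "Ignore" Rule and the split SMTP Rules in this section, as an added example. This is an illustrative Python model written for this page, not Check Point's Log Consolidator code: it runs constructed log records through an ordered Rule Base, skips "Ignore" matches without further work, stores "As Is" matches whole, and consolidates the rest per 10 minute interval, keeping only the always-saved fields plus the Rule's retained fields and merging the others. The object groups, log records, field names, the Rule names and the within-the-hour interval alignment are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Callable, Dict, List, Optional, Tuple

# Log fields whose original values every consolidated record keeps, per the manual.
ALWAYS_KEPT = ("Product", "Origin", "Date", "Customer")
# Fields that are summed rather than merged in this simplified model (assumption).
COUNTED = ("Bytes",)


@dataclass
class Rule:
    name: str
    match: Callable[[dict], bool]      # predicate over one log record
    action: str                        # "Ignore" or "Store"
    interval: Optional[int] = None     # minutes; None means Store "As Is"
    retain: Tuple[str, ...] = ()       # fields kept at their original value


def interval_start(ts: datetime, minutes: int) -> datetime:
    """Align a timestamp to the start of its interval. Assumption: intervals are
    aligned within the hour (09:00, 09:10, 09:20 ... for a 10 minute interval)."""
    aligned = (ts.minute // minutes) * minutes
    return ts.replace(minute=aligned, second=0, microsecond=0)


def consolidate(rules: List[Rule], logs: List[dict]) -> Tuple[List[dict], Dict[str, int]]:
    """Run logs through the ordered Rule Base; the first matching Rule decides.
    Returns the records that would be stored plus counters showing how much
    Rule Base scanning the chosen ordering cost."""
    as_is: List[dict] = []
    buckets: Dict[tuple, dict] = {}
    stats = {"evaluations": 0, "ignored": 0}
    for entry in logs:
        for rule in rules:
            stats["evaluations"] += 1
            if not rule.match(entry):
                continue
            if rule.action == "Ignore":
                stats["ignored"] += 1          # skipped: no consolidation, no storage
            elif rule.interval is None:
                as_is.append(dict(entry))      # "As Is": every field is stored
            else:
                kept = {f: entry.get(f) for f in ALWAYS_KEPT + rule.retain}
                kept["Date"] = interval_start(entry["Date"], rule.interval)
                key = (rule.name, tuple(sorted(kept.items())))
                rec = buckets.setdefault(key, {**kept, "Rule": rule.name,
                                               "Connections": 0, "Bytes": 0, "Merged": {}})
                rec["Connections"] += 1
                rec["Bytes"] += entry.get("Bytes", 0)
                for f, v in entry.items():     # non-retained fields are merged
                    if f not in kept and f not in COUNTED:
                        rec["Merged"].setdefault(f, set()).add(v)
            break                              # stop at the first matching Rule
    stored = as_is + list(buckets.values())
    stats["stored"] = len(stored)
    return stored, stats


# Constructed object groups and log records (not real data).
MAIL_SERVERS = {"10.0.0.25", "10.0.0.26"}
BROADCAST = {"10.0.0.255", "255.255.255.255"}

RULES = [
    Rule("broadcast", lambda r: r["Destination"] in BROADCAST, "Ignore"),
    Rule("smtp_from_mail_servers",
         lambda r: r["Service"] == "smtp" and r["Source"] in MAIL_SERVERS,
         "Store", interval=10, retain=("Authenticated User", "Destination", "Service")),
    Rule("smtp_to_mail_servers",
         lambda r: r["Service"] == "smtp" and r["Destination"] in MAIL_SERVERS,
         "Store", interval=10, retain=("Authenticated User", "Source", "Service")),
    Rule("everything_else", lambda r: True, "Store"),      # As Is
]


def make_log(minute, second, src, dst, service, user="", nbytes=0):
    return {"Product": "VPN-1 & FireWall-1", "Origin": "fw-gw", "Customer": "default",
            "Date": datetime(2003, 10, 1, 9, minute, second), "Source": src,
            "Destination": dst, "Service": service,
            "Authenticated User": user, "Bytes": nbytes}


SAMPLE_LOGS = [
    make_log(3, 0, "192.168.1.10", "10.0.0.25", "smtp", "alice", 1200),
    make_log(7, 30, "192.168.1.10", "10.0.0.25", "smtp", "alice", 800),
    make_log(12, 5, "192.168.1.10", "10.0.0.25", "smtp", "alice", 400),
    make_log(4, 0, "10.0.0.25", "203.0.113.5", "smtp", "", 5000),
    make_log(5, 0, "192.168.1.11", "10.0.0.255", "nbname"),
    make_log(5, 1, "192.168.1.12", "255.255.255.255", "nbname"),
    make_log(5, 2, "192.168.1.13", "10.0.0.255", "nbname"),
    make_log(6, 0, "192.168.1.12", "203.0.113.9", "http", "", 300),
]

if __name__ == "__main__":
    rows, counters = consolidate(RULES, SAMPLE_LOGS)
    print(counters)
    for row in rows:
        print(row)
```

With the broadcast "Ignore" Rule first, the three broadcast records cost one Rule evaluation each; moving that Rule below the SMTP Rules raises the total evaluation count over the same sample, which is the performance point the manual makes about Rule order. The two 09:00 connections from alice collapse into one consolidated record with Connections 2 and Bytes 2000, while the 09:12 connection starts a new 09:10 record.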
Setting the Log Consolidator Engine to Scan Specific Logs

The Consolidation Policy is installed and started through the Install and Start window (FIGURE 1-7), accessed by selecting Policy > Install and Start... To set the Log Consolidator Engine to scan specific logs, specify the following parameters:
1 Log Server — select the log server providing the logs for consolidation from the drop-down list and click Fetch data from log server.
2 Log File — choose the log file to be scanned. If you have copied log files from other log servers to the SmartCenter Server, these external log files are available as well.
3 Log Entry — the specific log entry within the selected log file from which the Log Consolidator Engine starts running.

Committing Consolidated Logs to a Specific Database Table

In the Install and Start window described above, select the SmartView Reporter Database table to which the consolidated logs are to be saved from the Target Table options.

Configuring the Log Consolidator Engine's DNS Settings

Resolving source and destination names slows down the consolidation process. You can balance the need for name availability in your consolidated records against the need for a satisfactory performance level by adapting the Log Consolidator Engine's DNS settings to your needs: select Policy > Global Properties... from the menu and specify the appropriate settings in the DNS settings tab of the Log Consolidator SmartDashboard window. This setting comes into effect after a Log Consolidator Policy is installed, or when the Log Consolidator Engine is stopped and started.

Monitoring the Log Consolidator Engine and Database Statuses

The Log Consolidator Engine and SmartView Reporter Database statuses can be monitored through either of the SmartView Reporter clients. The SmartView Log Consolidator provides a detailed account of these statuses (as well as DNS statistics) through the Engine and Database status window, displayed by selecting Engine and Database status from the SmartView Log Consolidator's Status menu. If this information cannot be obtained, the window specifies the reason for the problem (for example, the Log Consolidation Engine service is not started).
The SmartView Reporter Client offers more basic consolidation information (such as the name of the log file being scanned and the target SmartView Reporter Database table) through its Management view. It is recommended to check these statuses before you begin generating reports, to verify that the Log Consolidator Engine is indeed processing logs and that it has already saved consolidated records to the SmartView Reporter Database.

SmartView Reporter Database Management

All database management operations are performed through the SmartView Log Consolidator's Database menu.
Tuning the SmartView Reporter Database

To improve performance, adjust the database cache size to match the computer's available memory, and place the database data and log files on different hard drives (physical disks), if available.

Modifying SmartView Reporter Database Configuration

The SmartView Reporter Database settings can be changed by editing the solid.ini file, located in the CheckPoint\SmartViewReporter\NG_AI\Database directory. Before editing the solid.ini file, you must:
1 Stop all SmartView Reporter services (the Log Consolidator, Reporter Database and Reporter Server services) by running rmdstop.
2 Back up the solid.ini file before modifying it.

Note - Although it is possible to give the database file(s) any name, the naming convention cannot be changed: the file name must have a *.db extension.

When editing a value in the solid.ini file, do not add any spaces or tabs before or after the '=' sign on any row. After completing your edits, restart the SmartView Reporter services by running rmdstart.

Changing the SmartView Reporter Database Cache Size

To change the Database cache size, modify the CacheSize value in the solid.ini file. CacheSize is the size of the memory cache in bytes and is always a multiple of 1024. Ensure that the cache size is not too large to fit into the computer's available memory.

Increasing the SmartView Reporter Database Size

The default size of the database is 20 GB, allocated in 10 separate files of 2 GB each. You can increase the allocated size of the database by adding more files. To increase the Reporting Database size limit, proceed as follows:

Warning - Make sure all the SmartView Reporter services are stopped before editing solid.ini.
1 In the IndexFile section of the solid.ini file, add lines with FileSpec_#. Each of these lines enlarges the Database size limit by 2 GB, which is the maximum byte size per line.

Warning - Do not change the size of an existing database file in order to increase database space.

For example, the following default configuration amounts to a 20 GB limit:

[IndexFile]
...
FileSpec_1=./Database/RT_Database.db 2147483647
FileSpec_2=./Database/RT_Database2.db 2147483647
FileSpec_3=./Database/RT_Database3.db 2147483647
...
FileSpec_10=./Database/RT_Database10.db 2147483647
CacheSize=33554432

Adding the following line enlarges the database size limit to 22 GB:

FileSpec_11=./Database/RT_Database11.db 2147483647

2 Restart the SmartView Reporter services.

Changing the SmartView Reporter Database Data and Log Files Location

Disk contention occurs when multiple processes try to access the same disk simultaneously. To avoid this, move files from heavily accessed disks to less active disks until they all carry roughly the same load. To improve performance, use a separate disk for the Database log files. To distribute the SmartView Reporter Database files between different physical disks, proceed as follows:
1 Use a separate disk for the Database log files: under the [Logging] section in the solid.ini file, specify the new location of the log files by modifying the line:

FileNameTemplate=./Log/sol#####.log

For example:

FileNameTemplate=F:/ReporterLogs/sol#####.log

Do not change the original log file name, and ensure that the specified folder (e.g. F:/ReporterLogs) exists.

2 Divide the Database files between several disks: under the [IndexFile] section, specify a new location for the Database files by modifying the relevant Database file lines (e.g. FileSpec_1, FileSpec_2, etc.). For example:

FileSpec_1=E:/RT_Database.db 2147483647

You must then physically move these files to their new locations.

3 Use a separate disk for the Sort folder: under the [Sorter] section, specify the new location of the Sort folder by modifying the line:

TmpDir_1=./Sort

For example:

TmpDir_1=D:/Sort

Make sure the specified location (e.g. D:/Sort) exists.

Backing Up the SmartView Reporter Database

The SmartView Reporter Database consists of a set of files that can be copied, compressed or backed up like any other files. Backup files require the same disk space as the original files. It is highly recommended to keep backup copies of the SmartView Reporter Database files, which can later be used to recover from an unexpected database corruption. Proceed as follows:
1 Stop the SmartView Reporter services:
• Windows — in the Services window (accessed from the Start menu by selecting Settings > Control Panel > Services), select the Check Point Reporting Database Server service and click Stop. This automatically stops the Check Point SmartView Log Consolidator and the Check Point Reporting Database Server services as well.
• Solaris — use rmdstop.
2 From the SmartView Reporter Database directories, copy RT_Database.db through RT_Database10.db to the backup location (you may compress them to save disk space).
3 Restart the SmartView Reporter services, starting with the Check Point Reporting Database Server service.
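The solid.ini rules stated in the sections above (no spaces or tabs around '=', *.db file names, the 2 GB maximum per FileSpec line, a CacheSize that is a multiple of 1024 and fits into available memory, and an unchanged sol#####.log file name when the log directory is moved) as an added checker to run over a copy of the file before restarting the services. This is example code written for this page, not a Check Point utility; the sample solid.ini is constructed to mirror the default 10-file layout, and the ./Database default directory and RT_DatabaseN.db naming used by next_filespec are assumptions taken from the listing above.

```python
import re
from typing import Dict, List, Optional, Tuple

MAX_FILE_BYTES = 2147483647      # largest size allowed per FileSpec line (2 GB)
GIB = 2 ** 30
Sections = Dict[str, Dict[str, str]]


def parse_solid_ini(text: str) -> Tuple[Sections, List[str]]:
    """Parse INI text into {section: {key: value}} and flag rows that break the
    'no spaces or tabs before or after =' rule."""
    sections: Sections = {}
    problems: List[str] = []
    current = ""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith((";", "...")):
            continue                                  # blank, comment or elided row
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, {})
            continue
        if "=" not in line:
            problems.append(f"line {lineno}: not a key=value row: {raw!r}")
            continue
        key, value = line.split("=", 1)
        if key != key.rstrip() or value != value.lstrip():
            problems.append(f"line {lineno}: whitespace around '=' in {raw!r}")
        sections.setdefault(current, {})[key.strip()] = value.strip()
    return sections, problems


def filespec_numbers(index: Dict[str, str]) -> List[int]:
    numbers = []
    for key in index:
        m = re.fullmatch(r"FileSpec_(\d+)", key)
        if m:
            numbers.append(int(m.group(1)))
    return sorted(numbers)


def check_index_files(sections: Sections, problems: List[str]) -> int:
    """Validate every FileSpec_# row; return the total database size limit in bytes."""
    index = sections.get("IndexFile", {})
    total = 0
    for n in filespec_numbers(index):
        value = index[f"FileSpec_{n}"]
        parts = value.split()
        if len(parts) != 2 or not parts[1].isdigit():
            problems.append(f"FileSpec_{n}: expected '<path> <bytes>', got {value!r}")
            continue
        path, size = parts[0], int(parts[1])
        if not path.lower().endswith(".db"):
            problems.append(f"FileSpec_{n}: database files need a .db extension: {path}")
        if size > MAX_FILE_BYTES:
            problems.append(f"FileSpec_{n}: {size} exceeds the {MAX_FILE_BYTES} byte maximum")
        total += size
    return total


def check_cache_size(sections: Sections, available_bytes: int, problems: List[str]) -> Optional[int]:
    """CacheSize is in bytes, must be a multiple of 1024 and must fit into memory."""
    raw = sections.get("IndexFile", {}).get("CacheSize", "")
    if not raw.isdigit():
        problems.append("CacheSize missing or not numeric")
        return None
    size = int(raw)
    if size % 1024:
        problems.append(f"CacheSize {size} is not a multiple of 1024")
    if size > available_bytes:
        problems.append(f"CacheSize {size} does not fit into {available_bytes} bytes of memory")
    return size


def check_log_template(sections: Sections, problems: List[str]) -> None:
    """The log directory may move, but the file name sol#####.log must stay."""
    tmpl = sections.get("Logging", {}).get("FileNameTemplate", "")
    if not tmpl.endswith("/sol#####.log"):
        problems.append(f"FileNameTemplate changes the original log file name: {tmpl!r}")


def next_filespec(sections: Sections, directory: str = "./Database") -> str:
    """Build the FileSpec row that adds one more 2 GB file, continuing the numbering
    (RT_Database.db, RT_Database2.db, ... as in the default configuration)."""
    n = (filespec_numbers(sections.get("IndexFile", {})) or [0])[-1] + 1
    suffix = "" if n == 1 else str(n)
    return f"FileSpec_{n}={directory}/RT_Database{suffix}.db {MAX_FILE_BYTES}"


def audit(text: str, available_bytes: int) -> dict:
    sections, problems = parse_solid_ini(text)
    total = check_index_files(sections, problems)
    cache = check_cache_size(sections, available_bytes, problems)
    check_log_template(sections, problems)
    return {"limit_gb": round(total / GIB), "cache_bytes": cache,
            "next_filespec": next_filespec(sections), "problems": problems}


# Constructed solid.ini mirroring the default 10-file configuration shown above.
SAMPLE_INI = "\n".join(
    ["[IndexFile]"]
    + [f"FileSpec_{i}=./Database/RT_Database{'' if i == 1 else i}.db {MAX_FILE_BYTES}"
       for i in range(1, 11)]
    + ["CacheSize=33554432", "", "[Logging]", "FileNameTemplate=./Log/sol#####.log",
       "", "[Sorter]", "TmpDir_1=./Sort"]
)

if __name__ == "__main__":
    print(audit(SAMPLE_INI, 512 * 2 ** 20))
```

Run audit on the text of your solid.ini with the memory you are willing to give the cache; an empty problems list means the edits respect the constraints in this chapter, limit_gb shows the resulting size limit (20 for the default ten files, 22 once the suggested FileSpec_11 row is added under [IndexFile]), and a row such as "CacheSize = 33554433" is reported twice, once for the whitespace and once for the value.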