000011693 - Checkpoint bandwidth report showing incorrect KBytes information

Document created by RSA Customer Support Employee on Jun 14, 2016
Last modified by RSA Customer Support Employee on Apr 21, 2017
Version 2

Article Content

Article Number: 000011693
Applies To: enVision 3.5.x, 3.7.x
Issue

You are collecting logs from a Checkpoint firewall and want the "Firewall-1 -Bandwidth Usage by Address" report to show correct KBytes information. However, when you run the report, all of the KBytes fields are set to 1.
Cause

When collecting logs from the Checkpoint device, the following message IDs need to be collected. They contain the bandwidth information (in bytes) that enVision uses for its calculation:

  1. 031060
  2. 031080
  3. 060010
  4. 060020
  5. 060030
  6. 070500
Resolution

There are two possible reasons why these messages are not in the database:

  1. The messages are not being logged on the Checkpoint device. Contact the Checkpoint administrator to ensure these message IDs are being logged.
  2. An outdated event source update is in use, so enVision can't save these messages into the database properly. Install the latest event source update and check whether the messages are then saved properly.

For reference, a sample of these messages is below:


Apr 23 11:50:37 [10.10.50.32] Apr 23 2004 12:00:37: %CHKPNT-6-060010: TCP Connection src 10.10.50.129/80 gaddr 210.67.241.200 dst 210.67.241.200/23 duration 30 bytes 200

Apr 23 11:49:22 [10.10.50.32] Apr 23 2004 10:23:27: %CHKPNT-6-060020: accept,NIE-2500,inbound,E100B0,10.10.50.199,138,10.10.50.245,138,nbdatagram,udp,2,100, , , , ,enc_failure, , , , ,user,message_info, , , , , , , , , , , , ,1,VPN-1, , , , , , , , , , , , , , , , , , , , , , , , , , , , , , ,"


The numbers in bold show the bytes value, which enVision uses to calculate the bandwidth.
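To confirm whether the bandwidth message IDs listed under Cause are actually present in a sample of collected Checkpoint logs, the following added example (not RSA or enVision code) counts them and reports which are missing. It assumes the `%CHKPNT-<severity>-<message ID>:` header shown in the samples above; the function name `audit`, the sample list and the placeholder ID `000000` are constructed for illustration.

```python
import re
from collections import Counter

# Message IDs the article lists as carrying bandwidth (bytes) information.
BANDWIDTH_IDS = ("031060", "031080", "060010", "060020", "060030", "070500")

# Header form taken from the article's samples: %CHKPNT-<severity>-<message ID>:
HEADER = re.compile(r"%CHKPNT-(\d+)-(\d{6}):")
# Key/value form seen in the 060010 sample ("... duration 30 bytes 200").
BYTES_KV = re.compile(r"\bbytes (\d+)\b")

# Constructed sample: the 060010 line from the article, a shortened 060020
# line, and one line with a placeholder ID that is not on the list.
SAMPLE = [
    "Apr 23 11:50:37 [10.10.50.32] Apr 23 2004 12:00:37: %CHKPNT-6-060010: "
    "TCP Connection src 10.10.50.129/80 gaddr 210.67.241.200 "
    "dst 210.67.241.200/23 duration 30 bytes 200",
    "Apr 23 11:49:22 [10.10.50.32] Apr 23 2004 10:23:27: %CHKPNT-6-060020: "
    "accept,NIE-2500,inbound,E100B0,10.10.50.199,138,10.10.50.245,138",
    "Apr 23 11:51:02 [10.10.50.32] Apr 23 2004 12:01:02: %CHKPNT-6-000000: "
    "placeholder message",
]


def audit(lines):
    """Return (counts per bandwidth ID, IDs never seen, bytes summed from
    messages that carry an explicit 'bytes N' token)."""
    counts = Counter()
    total_bytes = 0
    for line in lines:
        header = HEADER.search(line)
        if not header or header.group(2) not in BANDWIDTH_IDS:
            continue  # not a Checkpoint bandwidth message
        counts[header.group(2)] += 1
        # Only the key/value layout is parsed; the position of the bytes
        # value in the comma-separated layout is not assumed here.
        kv = BYTES_KV.search(line, header.end())
        if kv:
            total_bytes += int(kv.group(1))
    missing = [msg_id for msg_id in BANDWIDTH_IDS if counts[msg_id] == 0]
    return dict(counts), missing, total_bytes


if __name__ == "__main__":
    seen, missing, total = audit(SAMPLE)
    print("seen:", seen)
    print("missing bandwidth IDs:", missing)
    print("bytes from key/value messages:", total)
```

If every listed ID is reported missing, the messages are not reaching the collector at all, which points to the first reason under Resolution rather than the event source update.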

Legacy Article ID: a45096
