Administrative activity on Firewalls - which table/fields?
I cannot seem to find 'administrative activity' on any of my firewalls. Which table(s)/fields have this information? I do not manage the firewalls, but I've been told and have looked at the configuration of the firewalls. We are either pulling all logs from Checkpoint or receiving them from our PIX.
Scenario: Firewall admin named Joe decides to log on to a firewall and make a change to a rule. He then logs off. Of course Joe has permission as he has gone through the proper change management procedure.
What I'd like to pull out of enVision: I would like to see Joe's ID, the time he logged on, the rule he made the change to, the time he logged off. (Now I can compare his change and the time to the change management request Joe made).
I cannot find the firewall rule change information anywhere.
For the PIX firewalls, you can check the Firewall System Table.
For Checkpoint you can check the Firewall System Table and the Checkpoint Audit Logs Table.
Ultimately, you can find all events within the Global Table.
Additionally, you can also check the parsers for both the Cisco PIX and Checkpoint Firewalls to see what events (sorted by Event Categories) you may be interested in, and also which tables the events are being sent to.
Hope this helps.
Don't know if you managed to resolve your problem, but here's a thought for you.
As a former CheckPoint administrator, I remember that the audit log is kept separate from the traffic logs. Double check that it is being copied across to enVision.
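Once the audit records are reaching the collector, the scenario in the question (who logged on, what rule changed, when they logged off, and whether it matches a change request) can be reconstructed from those records. The script below is an added worked example, not code from this thread or from enVision: it uses a constructed, pipe-delimited record format with hypothetical field names, rebuilds per-admin sessions, and flags rule changes that fall outside an approved change window.

```python
from datetime import datetime

FMT = "%Y-%m-%dT%H:%M:%S"

# Constructed sample audit records: time|admin|operation|detail.
# The layout and operation names are assumptions for this example only;
# real Check Point / enVision audit fields differ.
SAMPLE_AUDIT = [
    "2012-03-01T09:58:00|joe|login|-",
    "2012-03-01T10:03:00|joe|modify_rule|rule=42",
    "2012-03-01T10:07:00|joe|logout|-",
    "2012-03-01T22:10:00|joe|login|-",
    "2012-03-01T22:12:00|joe|modify_rule|rule=7",
    "2012-03-01T22:15:00|joe|logout|-",
]

# Constructed change-management approvals: (admin, window start, window end, rule).
CHANGE_REQUESTS = [
    ("joe", "2012-03-01T10:00:00", "2012-03-01T11:00:00", "42"),
]


def parse_record(line):
    """Split one constructed record into (time, admin, operation, detail)."""
    ts, admin, op, detail = line.split("|")
    return datetime.strptime(ts, FMT), admin, op, detail


def build_sessions(lines):
    """Group login ... logout events per admin into session dicts."""
    open_sessions, sessions = {}, []
    for ts, admin, op, detail in map(parse_record, lines):
        if op == "login":
            open_sessions[admin] = {"admin": admin, "login": ts, "logout": None, "changes": []}
        elif op == "modify_rule":
            # A change with no preceding login still gets recorded (login unknown).
            sess = open_sessions.setdefault(
                admin, {"admin": admin, "login": None, "logout": None, "changes": []})
            sess["changes"].append((ts, detail.split("=", 1)[1]))
        elif op == "logout" and admin in open_sessions:
            sess = open_sessions.pop(admin)
            sess["logout"] = ts
            sessions.append(sess)
    sessions.extend(open_sessions.values())  # sessions with no logout seen
    return sessions


def unapproved_changes(sessions, requests):
    """Return (admin, time, rule) for every change outside an approved window."""
    windows = [(a, datetime.strptime(s, FMT), datetime.strptime(e, FMT), r)
               for a, s, e, r in requests]
    flagged = []
    for sess in sessions:
        for ts, rule in sess["changes"]:
            if not any(a == sess["admin"] and s <= ts <= e and r == rule
                       for a, s, e, r in windows):
                flagged.append((sess["admin"], ts.strftime(FMT), rule))
    return flagged
```

Running it on the sample shows two sessions for joe; the 10:03 change to rule 42 matches the request, while the 22:12 change to rule 7 is flagged as unapproved.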