Checkpoint: inbound vs outbound
Does anyone know why a Firewall Accounting report always returns a "0" in the inbound/outbound column? When I view the raw Checkpoint logs in the Event Viewer, I can clearly see which traffic is outbound and which traffic is inbound. However, there doesn't seem to be a way to run a report to filter out inbound vs outbound, unless I start parsing through the source/destination IPs for known internal addresses.
If the information is being captured in the raw logs, I imagine it must be saved somewhere to use in reporting. Has anyone ever found this location?
Thanks in advance.
I've started delving into the ipaddr.tab file, but can't find it in the location that the help file says it should be in. In fact, the entire folder structure the help file specifies doesn't even exist!
The help file says: All devices on all sites can use the default IP Address file, ipaddr.tab, located in the e:\enVision\lsnode directory. For multiple appliance sites, this file is located on the D-SRV appliance, all LC appliances and all RC appliances
However, my folder structure looks like this:
I also did a search for ipaddr.tab on all 3 servers, but couldn't find it anywhere.
Hmmm... it should be on the DS, maybe on the NAS Directory... I am thinking CSD here. I do not have an LS setup that I can access here real quick at all but a windows file search always sorts me out while in the field. Check the NAS dir.
I faced the same problem. To sort it out I have created a folder "ipaddr" inside the location :\\NAS\\vol0\nic\csd
After that I had to create another folder with the name as my site name and then another sub folder with the same name as my local collector's name.
Inside this folder I have created separate files for all my Checkpoint enforcement modules, and it does work.
I hope I didn't make it too confusing.
I also ran into this issue and finally got a solution after some reading.
For the Checkpoint reports it doesn't matter what you have in ipaddr.tab, instead it checks against the DNS configured in the enVision machine interfaces.
It seems that enVision asks for a reverse resolution of that IP and if the domain is local then that IP is "Local Address" and the others are "Foreign Address", so your Outbound connections appear OK. If you are using a public DNS (maybe from your ISP) or some misconfigured* DNS then you'll get all the directions as Inbound (always the first IP check marks that IP as "Foreign Address"), except the ones that are created from the Checkpoint node.
I tried that and it works, I just don't remember if I needed some kind of reboot or service restarting...
* Misconfigured for Checkpoint + enVision reports purposes
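The direction logic described in the reply above (classify each address as "Local" or "Foreign" by reverse-resolving it and checking whether the PTR name falls under the site's internal domain), reconstructed as an added example; this is not enVision's code, and the internal domain `corp.example`, the PTR table, the address ranges and the sample log records are all constructed for illustration. It also shows the failure mode the reply describes (an ISP resolver that knows no PTR records for private space, so nothing classifies as local) and the fallback the original poster considered, matching source/destination against known internal ranges.

```python
import ipaddress
import socket
from typing import Callable, Dict, List, Optional

# Assumption: the site's internal DNS suffix (hypothetical name).
LOCAL_DOMAIN = "corp.example"

# Constructed PTR table standing in for the internal resolver that the
# enVision host's interfaces should point at. Only an internal resolver
# knows reverse records for RFC 1918 space.
INTERNAL_PTR: Dict[str, str] = {
    "10.1.2.3": "ws-1234.corp.example",
    "10.1.2.50": "mail.corp.example",
    "10.1.2.1": "fw-ext.corp.example",
}

# Assumption: the site's own address ranges, for the range-based fallback.
LOCAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

PtrLookup = Callable[[str], Optional[str]]
IsLocal = Callable[[str], bool]


def internal_resolver(ip: str) -> Optional[str]:
    """Reverse lookup against the constructed internal PTR table."""
    return INTERNAL_PTR.get(ip)


def public_resolver(ip: str) -> Optional[str]:
    """Stands in for an ISP resolver: it returns no PTR for private addresses."""
    return None


def live_resolver(ip: str) -> Optional[str]:
    """Real PTR lookup through the host resolver (not used by the offline demo)."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return None


def is_local_by_ptr(ip: str, lookup: PtrLookup, local_domain: str = LOCAL_DOMAIN) -> bool:
    """'Local Address' when the PTR name sits under the internal domain."""
    name = lookup(ip)
    if name is None:
        return False
    return name.lower().rstrip(".").endswith("." + local_domain.lower())


def is_local_by_range(ip: str) -> bool:
    """Fallback: treat any address inside the site's known ranges as local."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in LOCAL_NETS)


def direction(src: str, dst: str, is_local: IsLocal) -> str:
    """Derive the report direction from the local/foreign status of both ends."""
    src_local, dst_local = is_local(src), is_local(dst)
    if src_local and not dst_local:
        return "outbound"
    if dst_local and not src_local:
        return "inbound"
    if src_local and dst_local:
        return "internal"
    return "foreign"  # neither end resolved as local: the all-Inbound symptom


# Constructed sample records in a simple key=value layout (not real Check Point output).
SAMPLE_LOGS: List[str] = [
    "src=10.1.2.3 dst=203.0.113.7 service=443 action=accept",
    "src=198.51.100.9 dst=10.1.2.50 service=25 action=accept",
    "src=10.1.2.3 dst=10.1.2.50 service=445 action=accept",
    "src=10.1.2.50 dst=203.0.113.25 service=53 action=accept",
]


def parse_record(line: str) -> Dict[str, str]:
    """Split 'k=v k=v ...' into a dict."""
    return dict(tok.split("=", 1) for tok in line.split() if "=" in tok)


def summarize(lines: List[str], lookup: PtrLookup) -> Dict[str, int]:
    """Count records per direction using PTR-based classification."""
    counts: Dict[str, int] = {}
    for line in lines:
        rec = parse_record(line)
        d = direction(rec["src"], rec["dst"], lambda ip: is_local_by_ptr(ip, lookup))
        counts[d] = counts.get(d, 0) + 1
    return counts


if __name__ == "__main__":
    print("internal resolver:", summarize(SAMPLE_LOGS, internal_resolver))
    print("public resolver:  ", summarize(SAMPLE_LOGS, public_resolver))
```

With the internal resolver the four sample records split into two outbound, one inbound and one internal; with the public resolver every record comes back "foreign", which is the all-Inbound symptom the reply describes. Swapping `is_local_by_range` into `direction()` gives the same split without any DNS dependency, at the cost of maintaining the range list by hand.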