This website uses cookies. By clicking OK, you consent to the use of cookies. Click Here to learn more about how we use cookies.
OK
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

RSA enVision® Discussions

Browse the RSA enVision discussion board to get product help and collaborate with other users of RSA enVision.
RSAAdmin
Beginner
Beginner
‎2008-08-14 03:57 PM

Checkpoint: inbound vs outbound

Does anyone know why a Firewall Accounting report always returns a "0" in the inbound/outbound column?  When I view the raw Checkpoint logs in the Event Viewer, I can clearly see which traffic is outbound and which traffic is inbound. However, there doesn't seem to be a way to run a report to filter out inbound vs outbound, unless I start parsing through the source/destination IPs for known internal addresses.

If the information is being capture in the raw logs, I imagine it must be saved somewhere to use in reporting.  Has anyone ever found this location?


Thanks in advance.

0 Likes
Reply
6 Replies
AlanLaurencelle
Employee
Employee
‎2008-08-21 10:29 AM

You need to invstigate the use of the ipaddr.tab file.  This will also give you the added benefit of using departments and categories.  There is documenation embedded in the help system. 
0 Likes
Reply
RSAAdmin
Beginner
Beginner
In response to AlanLaurencelle
‎2008-08-21 10:35 AM

Thanks Alan.

I've started delving into the ipaddr.tab file, but can't find it in the location that the help file says it should be in.  In fact, the entire folder structure the help file specifies doesn't even exist!

 

The help file says: All devices on all sites can use the default IP Address file, ipaddr.tab, located in the e:\enVision\lsnode directory. For multiple appliance sites, this file is located on the D-SRV appliance, all LC appliances and all RC appliances

 

However, my folder structure looks like this:

e:\nic\3501\SERVERNAME\

 

I also did a search for ipaddr.tab on all 3 servers, but couldn't find it anywhere. 

Any ideas?

0 Likes
Reply
AlanLaurencelle
Employee
Employee
In response to RSAAdmin
‎2008-08-21 10:43 AM

Hmmm... it should be on the DS, maybe on the NAS Directory... I am thinking CSD here.  I do not have an LS setup that I can access here real quick at all but a windows file search always sorts me out while in the field.  Check the NAS dir.

0 Likes
Reply
RSAAdmin
Beginner
Beginner
In response to AlanLaurencelle
‎2008-08-21 10:44 AM

Ah, nice call!  Found it on the NAS, under vol0\nic\csd.


Thanks!!

0 Likes
Reply
RSAAdmin
Beginner
Beginner
In response to RSAAdmin
‎2008-09-26 09:39 AM

Hi Bashiri,

 

I faced the same problem. To sort it out I have created a folder "ipaddr" inside the location :\\NAS\\vol0\nic\csd

 

After that I had to create another folder with the name as my site name and then another sub folder with the same name as my local collector's name.

 

Inside this folder I have created seperate files for all my checkpoint enforcement modules, and it does works

 

I hope I didnt make it too confusing.

 

Thanks

MJ

0 Likes
Reply
RSAAdmin
Beginner
Beginner
‎2008-11-12 09:55 AM

I also ran into this issue and finally got a solution after some reading.

 

For the Checkpoint reports it doesn't matter what you have in ipaddr.tab, instead it checks against the DNS configured in the enVision machine interfaces.

 

It seems that enVision asks for a reversal resolution of that IP and if the domain is local then that IP is "Local Address" and the others are "Foreign Address", so your Outbound connections appear OK. If you are using a public DNS (maybe from your ISP) or some misconfigured* DNS then you'll get all the directions as Inbound (always the first IP check marks that IP as "Foreign Address"), except the ones that are created from the Checkpoint node.

 

I tried that and it works, I just don't remember if I needed some kind of reboot or service restarting...

 

* Misconfigured for Checkpoint + enVision reports purposes :smileyhappy:

0 Likes
Reply
© 2020 RSA Security LLC or its affiliates.
All rights reserved.