The Best Damn Firewall Book Period

The Log Viewer is your interface to the log data recorded by VPN-1/FW-1. Log data is created by your rule base, by firewall activities, by your own actions (accounting log), and by several other sources. Viewing this data regularly is a key to good security enforcement, and this GUI will make the task of observing the log data much more pleasant.

Upon startup, the Log Viewer begins display of the active security log. You can also use the GUI to view older logs, which may have been rotated out and placed into archive for later review. Note that the name of the log file being viewed is displayed in the upper-left portion of window title bar, as shown in Figure 13.38. This is helpful in the aforementioned case where you are viewing archived data.

Figure 13.38: Check Point Log Viewer

The log viewer has three modes of operation, which are accessed by the drop-down menu shown in the figure, or alternatively, via the Mode menu option. These modes are Log, Active, and Audit.

• Active mode displays currently active connections being tracked by the firewall. The active mode is most often used when performing real–time monitoring of traffic, or when you wish to block a connection via SAM.

• Audit mode is very handy for keeping track of who did what on your firewall. The "who," in this case, is your group of firewall administrators, and the "what" are administrative actions. Examples of these are logging in, creating or deleting objects, and so on. You can also view specific details for any log entry by right-clicking that entry and selecting Show Details. Note that the audit data is stored in a separate file, fw.adtlog stored in the $FWDIR/log directory of the firewall installation.

• Log mode is the most common method of interacting with the log data, and is the most comprehensive way to view the security events. You can select events to view using the Selection Criteria. These criteria define which data is extracted from the log data and displayed to you. You can save your favorite selections and reuse them frequently, or you may opt to use one of the built-in views.

The default views are available via the toolbar or via the View menu. These views select some of the more commonly accessed information for display. For example, there is a predefined selection for VPN-1 data, which shows you such entries as Key IDs, encryption method, VPN peer gateway, and so forth. But the real power of the Log Viewer is in its ability for customization. We see the log viewer GUI in Figure 13.38.

Column Selections

In order to alter the data displayed, click Selection | Customize. You will be presented with the window shown in Figure 13.39. Using this window enables you to select or deselect any of the available data fields. You can also change the column width using this window. By clicking the Selection button, you have access to very granular methods of defining information. We highly recommend that you spend a few minutes exploring this feature on your firewall.

Figure 13.39: Column Options Window

Of course, you probably are looking at the Log Viewer and noticing some familiarity to most common spreadsheet applications. If you feel comfortable with that, then you should feel instantly comfortable interacting with the Log Viewer itself. You can resize columns not only from the options window, but also directly from the viewer main menu.

Right-clicking anywhere within the column you want to modify will bring up a context menu, which enables you to do things like hide that column and resize the width. You can also resize the width by dragging the border of the title header. Once you have tailored the view to your liking, you can begin gathering the information.

The Log Viewer features a very handy search utility, accessed by selecting Edit | Find. This enables you to specify the column or columns you want to search through, and the entry of the search criteria. You can also specify a search direction.