Firewall / IPS / IDS Configuration Tips and Tricks and more..
This blog was created to improve our knowledge of Checkpoint, Nokia IP, Nortel Switched Firewalls, Fortigate, Juniper, IBM ISS SiteProtector, IPS/IDS and more...
Friday, May 28, 2010
Configuring SSH login mail alerts on Checkpoint SecurePlatform

I once presented (in "SSH login alert") a way to send a mail alert after a successful SSH login to any Linux-based machine, including Checkpoint firewalls. Now, thanks to the folks at cpug.org who drew my attention to it, I will show how to get a mail alert on ANY rule in the security rulebase of the firewall, and also a simplified script using the Checkpoint version of sendmail.

First, rule alerts. On any rule in the Security Rulebase you can set its Track column to Mail. Every hit on such a rule will then send a mail alert to the specified recipient(s) through the specified mail server (Checkpoint doesn't have a mail server of its own). So, if you create a rule that allows access by SSH, you can set its Track column to Mail, and each time this rule is used to access the firewall a mail will be sent.

Now, how to configure the mail server settings. You do it in Policy -> Global Properties -> Log and Alert -> Alert Commands: check "Send mail alert to SmartView Monitor" and "Run mail alert script". Set the "Run mail alert script" field to a string of the form:
internal_sendmail -s [subject of the mail] -t [ip of mail server to receive mail goes here] -f [from_who_field_in_mail] [to_whom_send_this_mail]
e.g. internal_sendmail -s SSH_login_alert -t 18.104.22.168 -f email@example.com firstname.lastname@example.org
NOTE. Some don'ts:
- You can't send to multiple recipients.
- You can't use the IP of the firewall as the mail server.
- The mail server you specify should be the one accepting mail for the recipient's address, or be doing mail relay without authentication. And no, Checkpoint sendmail doesn't support authentication.
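A way to check a candidate alert-command string against the don'ts above before pasting it into the "Run mail alert script" field. This is an added example, not part of the original post and not Checkpoint code. The function name check_alert_cmd, the assumption that the string is split on whitespace, and all sample addresses are constructed for illustration.

```shell
#!/bin/sh
# Added example, not Check Point code. Lints a candidate string for the
# "Run mail alert script" field against the restrictions in the NOTE.
# Assumption: arguments are split on whitespace, as in the post's example.
# The relay/no-authentication restriction needs a live test and is not checked.

# check_alert_cmd "<command string>" "<space-separated firewall IPs>"
# Prints one line per problem found; returns 0 when there are none.
check_alert_cmd() {
    cmd=$1; fw_ips=$2; rc=0; server=""; rcpts=0; rcpt=""
    set -f; set -- $cmd; set +f      # word-split without glob expansion
    if [ "$1" != "internal_sendmail" ]; then
        echo "command must start with internal_sendmail"; return 1
    fi
    shift
    while [ $# -gt 0 ]; do
        case $1 in
            -s|-t|-f)
                [ $# -ge 2 ] || { echo "option $1 needs a value"; return 1; }
                [ "$1" = "-t" ] && server=$2
                shift ;;
            *)  rcpts=$((rcpts + 1)); rcpt=$1 ;;
        esac
        shift
    done
    case $server in
        "")        echo "no mail server given with -t"; rc=1 ;;
        *[!0-9.]*) echo "-t expects an IP address, got: $server"; rc=1 ;;
    esac
    for ip in $fw_ips; do
        if [ "$ip" = "$server" ]; then
            echo "mail server $server is an address of the firewall"; rc=1
        fi
    done
    if [ "$rcpts" -ne 1 ]; then
        echo "exactly one recipient is supported, found $rcpts"; rc=1
    else
        case $rcpt in
            *,*|*\;*) echo "recipient looks like a list: $rcpt"; rc=1 ;;
            *@*)      : ;;
            *)        echo "recipient is not an e-mail address: $rcpt"; rc=1 ;;
        esac
    fi
    return $rc
}

# Constructed sample values (documentation IP ranges, example.com).
sample="internal_sendmail -s SSH_login_alert -t 192.0.2.25 -f fw@example.com admin@example.com"
check_alert_cmd "$sample" "192.0.2.1 198.51.100.1" && echo "alert command OK"
```

Under the whitespace-splitting assumption, a subject containing spaces is reported as extra recipients, which is why the example in the post uses underscores.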