I am afraid that your question is confusing. MARS is not supposed to change the rules on any particular firewall weather its checkpoint, netscreen, pix or ASA. All you can do or find is, what rule was triggered on MARS based on a syslog message from that particular device.

MARS is sort of a passive device (until configured it for automatic mitigation, which by far till now is useless :( ) which collects the messages from all the devices in the network in the form of syslogs, correlates all the events to form sessions and presents them for rule inspection. If any of the session triggers a default of user made rules, it generate an incident.

Do let me know if i got your question wrong, otherwise plz rate if its helpful.



followurself Thu, 11/06/2008 - 07:13
User Badges:


Thanks for the response. may be my question was confusing

if you have worked on checkpoint, where you have policy rules and you push the policy.

csmars collects all logs , what i wanted to know is whether it can also track what within the checkpoint has changed.

hope this time my question is fine

joe.favia Mon, 11/10/2008 - 11:00
User Badges:


I am sure that LEA is used for the standard (traffic) logs, while what you're looking for is what CheckPoint calls the AUDIT logs.

I've used LEA successfully for importing standard logs, but haven't tried this yet. I think you must configure the CPMI parameters on the Checkpoint side to get this information.

Regards, Joe


This Discussion