Thursday, September 28, 2006

Checkpoint FW-1 log exporting

The thing I didn't mention, and that you quickly find out when importing Checkpoint logs into a database, is that Checkpoint's export format is not fixed: only those fields that have values appear in the export, and as for the order of those fields, I'm pretty certain it depends on the phase of the moon ;-) So you can't just split on the separator and load column N into column N of your table. I'll post the little Perl script that gets around that later. It's quite simple, but not everyone who might need to load FW-1 logs into a database wants to learn Perl (or any scripting/text-processing language) in order to do so.
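To show the shape of the problem, here is an added example in Python (not the Perl script mentioned above, and not anything shipped by Check Point): it parses export lines as `name: value;` pairs, matches fields by name rather than by position, projects every line onto one fixed column list, and loads the result into SQLite. The column names and the three sample lines are constructed for the example; adjust `COLUMNS` to whatever field names your own export actually contains.

```python
"""Normalise variable-field FW-1 style log export lines into fixed columns.

Added example. Assumptions: the export is a sequence of `name: value;` pairs
per line, fields may be absent and may appear in any order, and the column
names in COLUMNS are illustrative rather than Check Point's official list.
"""
import csv
import io
import re
import sqlite3

# Fixed column set for the database table (assumed names, edit to taste).
COLUMNS = ["date", "time", "action", "orig", "i/f_name", "i/f_dir", "rule",
           "src", "s_port", "dst", "service", "proto"]

# Constructed sample lines: note the missing fields, the varying field order,
# and a field ("product") that is not in COLUMNS at all.
SAMPLE_LINES = [
    "date: 28Sep2006; time: 10:12:33; action: drop; orig: fw1; i/f_name: eth0; "
    "i/f_dir: inbound; rule: 5; src: 10.0.0.1; s_port: 1025; dst: 192.168.1.10; "
    "service: 53; proto: udp;",
    "time: 10:12:34; date: 28Sep2006; src: 10.0.0.2; dst: 192.168.1.11; "
    "action: accept; rule: 3; proto: tcp; service: 80; orig: fw1; "
    "product: VPN-1 & FireWall-1;",
    "date: 28Sep2006; time: 10:12:35; action: drop; orig: fw1; proto: icmp; "
    "src: 10.0.0.3; dst: 192.168.1.12; i/f_name: eth1;",
]

# One `name: value;` pair. The value may itself contain ':' (e.g. a time),
# so only ';' terminates it.
PAIR_RE = re.compile(r"\s*([^:;]+?)\s*:\s*([^;]*?)\s*;")


def parse_line(line):
    """Return {field: value} for one export line; order in the line is irrelevant."""
    return dict(PAIR_RE.findall(line))


def normalise(record, columns=COLUMNS):
    """Project a parsed record onto the fixed column list; absent fields become ''."""
    return [record.get(c, "") for c in columns]


def unknown_fields(lines, columns=COLUMNS):
    """Field names present in the export but not in `columns`.

    Anything listed here would be silently discarded on load, so check this
    before deciding the column list is complete.
    """
    seen = set()
    for line in lines:
        seen.update(parse_line(line))
    return sorted(seen - set(columns))


def to_csv(lines, columns=COLUMNS):
    """Fixed-column CSV (header first) suitable for a bulk loader."""
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(columns)
    for line in lines:
        writer.writerow(normalise(parse_line(line), columns))
    return buf.getvalue()


def load_sqlite(lines, columns=COLUMNS):
    """Load normalised rows into an in-memory SQLite table `fwlog`; return the connection."""
    con = sqlite3.connect(":memory:")
    col_defs = ", ".join('"%s" TEXT' % c for c in columns)  # quote names like i/f_name
    con.execute("CREATE TABLE fwlog (%s)" % col_defs)
    placeholders = ", ".join("?" * len(columns))
    con.executemany("INSERT INTO fwlog VALUES (%s)" % placeholders,
                    (normalise(parse_line(line), columns) for line in lines))
    con.commit()
    return con


if __name__ == "__main__":
    print("fields in export but not in COLUMNS:", unknown_fields(SAMPLE_LINES))
    print(to_csv(SAMPLE_LINES))
    con = load_sqlite(SAMPLE_LINES)
    for row in con.execute('SELECT action, COUNT(*) FROM fwlog GROUP BY action'):
        print(row)
```

Run `unknown_fields` over the whole export before trusting the column list: a field that never appeared in the first few hundred lines you eyeballed can still turn up later, and positional loading would have quietly put it in the wrong column instead of flagging it.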

Volumes of Network metadata

So I'm doing a firewall ruleset review for a customer and decide to create a toy database just to play around with some queries on the logs... ~55 million rows and 19G later... this is why people who ask for full event correlation usually don't know what they're asking for. The volumes of data involved are large. And I'm not talking about session captures here. That's just "this IP address tried talking to this IP address on this UDP port and was dropped on this interface of this firewall at this time", roughly 350 bytes a row once it's in a table. On the plus side, iPods are now up to 80G!
