Mail alert on ssh login or any other rule hit in Checkpoint


In an earlier post, SSH login alert, I showed how to send a mail alert on a successful SSH login to any Linux-based machine, including Checkpoint firewalls. Now, thanks to the folks at cpug.org who drew my attention to it, I will show how to get a mail alert on ANY rule in the Security Rulebase of the firewall, and also a simplified script using the Checkpoint version of sendmail.

First, rule alerts: on any rule in the Security Rulebase you can set the Track column to Mail. All hits on such a rule will then send mail alerts to the specified recipient(s) through the specified mail server (Checkpoint doesn't have a mail server of its own). So, if you create a rule that allows access by SSH and set its Track to Mail, a mail will be sent each time this rule is used to access the firewall.

To configure the mail server settings, go to Policy -> Global Properties -> Log and Alert -> Alert Commands, check "Send mail alert to SmartView Monitor" and "Run mail alert script". In the "Run mail alert script" field enter a string of the form:

internal_sendmail -s [subject of the mail] -t [ip of mail server to receive mail goes here] -f [from_who_field_in_mail] [to_whom_send_this_mail]

e.g.

internal_sendmail -s SSH_login_alert  -t 63.161.169.140 -f yurisk@yurisk.info   president@whitehouse.gov

The mail you get on such an alert looks like:

    6Jan2010  7:29:55 accept fw-tokyo  >External mail rule: 2;
    rule_uid: {85A905A7-951E-4100-A23A-E280FAAA1D29}; SmartDefense profile: Default_Protection;   service_id: ssh; src: my-management-host; dst: fw-tokyo  ;
    proto: tcp; product: VPN-1 & FireWall-1; service: ssh; s_port: 47145;

NOTE. Some don'ts

  • You can't send to multiple recipients;
  • Do not set such a Mail alert on a rule with a high hit count, so as not to overload the firewall;
  • The mail server you specify should be the one accepting mail for the recipient's address, or be doing mail relay without authentication. And no, Checkpoint sendmail doesn't support authentication.
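As an added example (my own code, not Checkpoint's and not from the original post), here is a small Python parser for the alert mail body shown above, plus a helper that composes the "Run mail alert script" string and refuses more than one recipient, which is the first of the don'ts. It assumes the ">External mail" tokens in the header are a direction marker with interface name followed by the alert type; the sample body is the one from the post embedded as a string, and the mail server address and mailboxes used in the usage call are constructed placeholders.

```python
"""Parse the Checkpoint mail-alert body from the post and compose the
internal_sendmail command string.  Added example, not Checkpoint code."""
import re

# Constructed sample: the alert mail body from the post, reproduced as a string.
SAMPLE_ALERT = (
    "6Jan2010  7:29:55 accept fw-tokyo  >External mail rule: 2;\n"
    "rule_uid: {85A905A7-951E-4100-A23A-E280FAAA1D29}; SmartDefense profile: "
    "Default_Protection;   service_id: ssh; src: my-management-host; dst: fw-tokyo  ;\n"
    "proto: tcp; product: VPN-1 & FireWall-1; service: ssh; s_port: 47145;\n"
)

# Header: date, time, action, origin (the gateway that logged it), a direction
# marker plus interface name (">External"), the alert type ("mail"), then the
# "key: value;" fields.  Reading ">External mail" as direction/interface and
# alert type is an assumption drawn from the sample, not a documented format.
_HEADER = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+([<>]\S+)\s+(\S+)\s+(.*)$")
_FIELD = re.compile(r"(\w[\w ]*?):\s*([^;]*);")


def parse_alert(body: str) -> dict:
    """Return the alert as a dict; keys are lower-cased, spaces become underscores."""
    text = " ".join(line.strip() for line in body.splitlines() if line.strip())
    m = _HEADER.match(text)
    if not m:
        raise ValueError("unrecognised alert header: %r" % text[:60])
    date, time_, action, origin, iface, alert_type, rest = m.groups()
    fields = {
        "date": date, "time": time_, "action": action, "origin": origin,
        "direction": iface[0], "interface": iface[1:], "alert_type": alert_type,
    }
    for key, val in _FIELD.findall(rest):
        fields[key.strip().lower().replace(" ", "_")] = val.strip()
    return fields


def is_ssh_to_firewall(fields: dict) -> bool:
    """True when the hit is SSH whose destination is the gateway that logged it,
    i.e. management-plane access to the firewall itself (the post's use case)."""
    return fields.get("service") == "ssh" and fields.get("dst") == fields.get("origin")


def build_mail_alert_command(subject: str, mail_server: str, sender: str, recipient: str) -> str:
    """Compose the 'Run mail alert script' string in the form the post gives.
    Enforces the post's caveat that only one recipient is supported and keeps
    the subject to a single token, as in the post's own example."""
    if "," in recipient or any(ch.isspace() for ch in recipient):
        raise ValueError("internal_sendmail accepts a single recipient")
    if any(ch.isspace() for ch in subject):
        raise ValueError("use a single-token subject, e.g. SSH_login_alert")
    return "internal_sendmail -s %s -t %s -f %s %s" % (subject, mail_server, sender, recipient)


if __name__ == "__main__":
    f = parse_alert(SAMPLE_ALERT)
    print("rule %s on %s: %s -> %s (%s); ssh to firewall: %s" % (
        f["rule"], f["origin"], f["src"], f["dst"], f["service"], is_ssh_to_firewall(f)))
    # Placeholder server and mailboxes (constructed, documentation address range).
    print(build_mail_alert_command("SSH_login_alert", "192.0.2.25",
                                   "fw-alerts@example.com", "soc@example.com"))
```

Running the parser over the mails that land in a monitoring mailbox lets you separate hits that are SSH to the gateway itself from other Track-Mail rules, and the command builder catches the multiple-recipient mistake before the string ever reaches the Global Properties field.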

Follow me on https://www.linkedin.com/in/yurislobodyanyuk/ not to miss what I publish on Linkedin, Github, blog, and more.