
Check the reference vendor documentation here.

Introduction

The tags beginning with firewall.checkpoint identify log events generated by the Check Point firewall.

...

The full tag must have four levels. The first two are fixed as firewall.checkpoint. The third level identifies the tool used to forward the events and the fourth is required but you are free to define it as you like (we suggest using it to identify the location of the machine that is the event source, for example, dmz).

Technology | Brand | Tool | Group
firewall | checkpoint | fw | <group>
firewall | checkpoint | gaia | <group>
firewall | checkpoint | lea | <group>
firewall | checkpoint | log_exporter | <group> (for example group1, noncsv, generic)
firewall | checkpoint | gaia_system | <group>

These are the valid tags and corresponding data tables that will receive the parsers' data:

Tag | Data table
firewall.checkpoint.fw.<group> | firewall.checkpoint.fw
firewall.checkpoint.gaia.<group> | firewall.checkpoint.gaia
firewall.checkpoint.gaia_system.<group> | firewall.checkpoint.gaia_system
firewall.checkpoint.lea.<group> | firewall.checkpoint.lea
firewall.checkpoint.log_exporter.<group> | firewall.checkpoint.log_exporter
firewall.checkpoint.log_exporter.group1 | firewall.checkpoint.log_exporter
firewall.checkpoint.log_exporter.noncsv | firewall.checkpoint.log_exporter
firewall.checkpoint.log_exporter.generic | firewall.checkpoint.log_exporter

These tags are designed to accommodate the different ways that the firewall events can be exported to Devo.

  • If you use the Check Point Log Exporter, then it is the firewall.checkpoint.log_exporter.<group> tag. This is the recommended option.

  • If you use the ArcSight SmartConnector for Check Point, then it is the firewall.checkpoint.gaia.<group> tag.

  • If you use OPSEC LEA, then it is the firewall.checkpoint.lea.<group> tag.

  • If you use any other method, then it is the firewall.checkpoint.fw.<group> tag.

Regardless of the third level of the tag, all firewall log events will be saved in the firewall.checkpoint.fw data table. The fourth level of the tag will appear in the data table in a column labeled group.
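As an added example (not part of the Devo documentation), a small Python helper that builds a tag from the export method and routes an incoming tag to its data table and group column according to the four-level rule above. The method identifiers are my own shorthand, and the table-name rule (firewall.checkpoint.<tool>) is an assumption taken from the tag table on this page.

```python
from dataclasses import dataclass

# Fixed first two levels and the tool names this page lists as valid third levels.
PREFIX = ("firewall", "checkpoint")
VALID_TOOLS = frozenset({"fw", "gaia", "lea", "log_exporter", "gaia_system"})

# Export method -> third tag level, following the page's list. The keys are my
# own shorthand (assumption), not Devo or Check Point identifiers.
TOOL_FOR_METHOD = {
    "log_exporter": "log_exporter",        # Check Point Log Exporter (recommended)
    "arcsight_smartconnector": "gaia",     # ArcSight SmartConnector for Check Point
    "opsec_lea": "lea",                    # OPSEC LEA
}
FALLBACK_TOOL = "fw"                       # any other export method


@dataclass(frozen=True)
class RoutedTag:
    tool: str
    group: str
    data_table: str


def build_tag(method: str, group: str) -> str:
    """Return the full four-level tag for an export method and a free-form group."""
    if not group or "." in group:
        raise ValueError("fourth level is required and may not contain '.'")
    return ".".join((*PREFIX, TOOL_FOR_METHOD.get(method, FALLBACK_TOOL), group))


def route_tag(tag: str) -> RoutedTag:
    """Validate a tag and resolve the data table and 'group' column value it feeds."""
    levels = tag.split(".")
    if len(levels) != 4:
        raise ValueError(f"{tag!r}: expected exactly four levels, got {len(levels)}")
    if tuple(levels[:2]) != PREFIX:
        raise ValueError(f"{tag!r}: must start with firewall.checkpoint")
    tool, group = levels[2], levels[3]
    if tool not in VALID_TOOLS:
        raise ValueError(f"{tag!r}: unknown tool {tool!r}")
    if not group:
        raise ValueError(f"{tag!r}: fourth level (group) is required")
    # Assumption from the tag table: each tool feeds the table firewall.checkpoint.<tool>.
    return RoutedTag(tool, group, ".".join((*PREFIX, tool)))


def is_valid_tag(tag: str) -> bool:
    """True when route_tag accepts the tag, False on any validation error."""
    try:
        route_tag(tag)
    except ValueError:
        return False
    return True
```

Usage: `route_tag(build_tag("log_exporter", "dmz"))` yields tool log_exporter, group dmz and data table firewall.checkpoint.log_exporter.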

How is the data sent to Devo?

...

  • Source Port → any free port you can dedicate to the incoming events

  • Target Tag → the target tag depends on the method used to export the events (we recommend using the Check Point Log Exporter)

    • firewall.checkpoint.log_exporter.<group>

    • firewall.checkpoint.gaia.<group>

    • firewall.checkpoint.lea.<group>

    • firewall.checkpoint.fw.<group>

    • firewall.checkpoint.gaia_system.<group>

  • Check the Sent without syslog tag option.

Table structure

These are the fields displayed in these tables:

firewall.checkpoint.fw

Field | Type | Field transformation | Source field name | Extra fields
eventdate | timestamp | | |
machine | str | | vmachine |
fwname | str | | |
serverdate | str | | |
action | str | | |
fwIp | ip4 | | |
direction | str | | |
iface | str | | |
inZone | str | | |
outZone | str | | |
rule | int4 | | |
ruleUID | str | | |
ruleName | str | | |
serviceId | str | | |
srcIp | ip4 | | |
srcIp_str | str | | |
dstIp | ip4 | | |
dstIp_str | str | | |
srcMachine | str | | |
dstMachine | str | | |
srcUser | str | | |
dstUser | str | | |
user | str | | |
proto | str | | |
product | str | | |
productFamily | str | | |
service | str | | |
rpcProg | str | | |
srcPort | str | | |
logError | str | | |
msgInfo | str | | |
startTime | str | | |
segmentTime | str | | |
elapsed | str | | |
pkts | int4 | | |
bytes | int8 | | |
cliInPkts | int4 | | |
cliOutPkts | int4 | | |
srvInPkts | int4 | | |
srvOutPkts | int4 | | |
cliInBytes | int8 | | |
cliOutBytes | int8 | | |
srvInBytes | int8 | | |
srvOutBytes | int8 | | |
cliInIface | str | | |
cliOutIface | str | | |
srvInIface | str | | |
srvOutIface | str | | |
xlatSrc | ip4 | | |
xlatDst | ip4 | | |
xlatSrcPort | str | | |
xlatDstPort | str | | |
natRule | int4 | | |
natAddtnlRule | int4 | | |
icmp | str | | |
icmpType | int4 | | |
icmpCode | int4 | | |
tcpOutState | str | | |
tcpFlags | str | | |
dcerpcUUID | str | | |
isAlert | bool | | |
activity | str | | |
updateStatus | str | | |
updateSrc | str | | |
reason | str | | |
logSysMsg | str | | |
sysMsg | str | | |
stormAgentName | str | | |
stormAgentAction | str | | |
clusterInfo | str | | |
sysAlertMsg | str | | |
obj | str | | |
event | str | | |
param | str | | |
condition | str | | |
currValue | str | | |
info | str | | |
internalCA | str | | |
peerGw | ip4 | | |
scheme | str | | |
ike | str | | |
cookieI | str | | |
cookieR | str | | |
cookies | str | | |
msgid | str | | |
methods | str | | |
community | str | | |
subProduct | str | | |
vpnFeature | str | | |
logid | str | | |
encryptFail | str | | |
encryptFail2 | str | | |
smartDefenseProfile | str | | |
cvpnCat | str | | |
cvpnResource | str | | |
esodRuleName | str | | |
esodRuleAction | str | | |
esodRuleType | str | | |
esodNoncomplianceReason | str | | |
esodAssociatedPolicies | str | | |
esodScanStatus | str | | |
esodaccessStatus | str | | |
clientType | str | | |
authMethod | str | | |
authStatus | str | | |
snid | str | | |
connectraGroup | str | | |
description | str | | |
accessStatus | str | | |
url | str | | |
outgoingUrl | str | | |
resource | str | | |
dstName | str | | |
rejectId | str | | |
citrixInfo | str | | |
citrixSessionId | str | | |
sessionDurationTime | str | | |
pktsDetail | str | | |
unknown | str | | |
hostchain | str | | |
tag | str | | |
rawMessage | str | | rawSource |

firewall.checkpoint.gaia

Field | Type | Field transformation | Source field name | Extra fields
eventdate | timestamp | | |
group | str | | vgroup |
host | ip4 | | |
app_name | str | | |
proc_id | str | | |
msg_id | str | | |
oid | str | | |
action | str | | |
uuid | str | | |
inzone | str | | |
outzone | str | | |
rule | str | | |
rule_uid | str | | |
rule_name | str | | |
service_id | str | | |
src | ip4 | | |
dst | ip4 | | |
proto | str | | |
product | str | | |
service | str | | |
s_port | str | | |
product_family | str | | |
user | str | | |
src_user_name | str | | |
src_machine_name | str | | |
snid | str | | |
sport_svc | str | | |
match_table_layer_name_str | str | join(match_table_layer_name, ',') | match_table_layer_name |
match_table_layer_uuid_str | str | join(match_table_layer_uuid, ", ") | match_table_layer_uuid |
match_table_malware_rule_id_str | str | join(match_table_malware_rule_id, ',') | match_table_malware_rule_id |
match_table_malware_rule_name_str | str | join(match_table_malware_rule_name, ',') | match_table_malware_rule_name |
match_table_matched_category_str | str | join(match_table_matched_category, ',') | match_table_matched_category |
match_table_rule_str | str | join(match_table_rule, ',') | match_table_rule |
match_table_rule_name_str | str | join(match_table_rule_name, ',') | match_table_rule_name |
match_table_rule_uid_str | str | join(match_table_rule_uid, ',') | match_table_rule_uid |
match_table_smartdefense_profile_str | str | join(match_table_smartdefense_profile, ',') | match_table_smartdefense_profile |
match_table_appi_name_str | str | join(match_table_appi_name, ',') | match_table_appi_name |
match_table_app_desc_str | str | join(match_table_app_desc, ',') | match_table_app_desc |
match_table_app_id_str | str | join(match_table_app_id, ',') | match_table_app_id |
match_table_app_properties_str | str | join(match_table_app_properties, ',') | match_table_app_properties |
match_table_app_risk_str | str | join(match_table_app_risk, ',') | match_table_app_risk |
match_table_app_sig_id_str | str | join(match_table_app_sig_id, ',') | match_table_app_sig_id |
match_table_match_id_str | str | join(match_table_match_id, ',') | match_table_match_id |
match_table_properties_str | str | join(match_table_properties, ',') | match_table_properties |
match_table_parent_rule_str | str | join(match_table_parent_rule, ',') | match_table_parent_rule |
hostchain | str | | |
tag | str | | |
rawMessage | str | | rawSource |

firewall.checkpoint.gaia_system

Field | Type | Source field name | Extra fields
eventdate | timestamp | |
group | str | vgroup |
hostname | str | |
process | str | |
message | str | |
hostchain | str | |
tag | str | |
rawMessage | str | |

firewall.checkpoint.lea

Field | Type | Field transformation | Source field name | Extra fields
eventdate | timestamp | | |
sede | str | | vsede |
eventSize | int4 | int4(length(raw)) | raw |
time | str | | |
action | str | | |
orig | str | | |
ifDir | str | | |
ifName | str | | |
hasAccounting | str | | |
product | str | | |
rule | str | | |
ruleUid | str | | |
src | str | | |
sPort | str | | |
dst | str | | |
service | str | | |
proto | str | | |
policyIdTagProduct | str | | |
dbTag | str | | |
mgmt | str | | |
date | str | | |
policyName | str | | |
originSicNameCN | str | | |
O | str | | |
serviceId | str | | |
icmp | str | | |
icmpType | str | | |
icmpCode | str | | |
messageInfo | str | | |
industryReference | str | | |
attackInfo | str | | |
attack | str | | |
inzone | str | | |
rpcProg | str | | |
outzone | str | | |
ruleName | str | | |
tcpPacketOutOfState | str | | |
tcpFlags | str | | |
xLateSrc | str | | |
xLateDst | str | | |
xLatesPort | str | | |
xLatedPort | str | | |
natRulenum | str | | |
natAddtnlRulenum | str | | |
dceRpcInterfaceUuid1 | str | | |
dceRpcInterfaceUuid2 | str | | |
dceRpcInterfaceUuid3 | str | | |
dceRpcInterfaceUuid | str | | |
dropReason | str | | |
packetAmount | str | | |
packets | str | | |
user | str | | |
srcName | str | | |
protectionName | str | | |
severity | str | | |
confidenceLevel | str | | |
protectionId | str | | |
smartDefenseProfile | str | | |
performanceImpact | str | | |
protectionType | str | | |
packetInfo | str | | |
logDelay | str | | |
Message | str | | |
ipId | str | | |
ipLen | str | | |
ipOffset | str | | |
fragmentsDropped | str | | |
duringSec | str | | |
scheme | str | | |
methods | str | | |
peerGateway | str | | |
community | str | | |
fwSubproduct | str | | |
vpnUser | str | | |
vpnFeatureName | str | | |
srcUserName | str | | |
srcMachineName | str | | |
dstUserName | str | | |
dstMachineName | str | | |
snid | str | | |
sessionId | str | | |
dnsQuery | str | | |
dnsType | str | | |
description | str | | |
reason | str | | |
status | str | | |
failureImpact | str | | |
updateService | str | | |
updateVersion | str | | |
emailControl | str | | |
emailSessionId | str | | |
from | str | | |
information | str | | |
unknown | str | | |
hostchain | str | | |
tag | str | | |
rawMessage | str | | rawSource |

firewall.checkpoint.log_exporter

Field | Type | Field transformation | Source field name | Extra fields
eventdate | timestamp | | |
group | str | | vgroup |
host | str | ifthenelse(host_aux = "1", split(header, ' ', 1), host_aux) | host_aux, header |
product | str | | |
db_tag | str | | |
mgmt | str | | |
date | timestamp | | |
policy_name | str | | |
action | str | | |
flags | str | | |
ifdir | str | | |
ifname | str | | |
logid | str | | |
loguid | str | | |
origin | ip4 | | |
fwname | str | | |
originsicname | str | | |
sequencenum | str | | |
conn_direction | str | | |
time | timestamp | | |
version | str | | |
description | str | | |
severity | str | | |
src | ip4 | | |
dst | ip4 | | |
service | str | | |
proto | str | | |
malware_action | str | | |
malware_family | str | | |
malware_rule_id | str | | |
session_id | str | | |
src_machine_name | str | | |
snid | str | | |
scope | ip4 | | |
src_user_dn | str | | |
session_uid | str | | |
src_user_name | str | | |
user | str | | |
confidence_level | str | | |
vendor_list | str | | |
log_sys_message | str | | |
file_md5 | str | | |
file_name | str | | |
product_family | str | | |
common_policy_name | str | | |
policy | str | | |
policy_time | timestamp | | |
policy_id_tag | str | | |
inzone | str | | |
layer_name | str | | |
layer_uuid | str | | |
match_id | str | | |
parent_rule | str | | |
rule_action | str | | |
rule_name | str | | |
rule_uid | str | | |
outzone | str | | |
service_id | str | | |
nsons | str | | |
p_dport | str | | |
pos | str | | |
bytes | str | | |
client_inbound_bytes | str | | |
client_inbound_interface | str | | |
client_inbound_packets | str | | |
client_outbound_bytes | str | | |
client_outbound_packets | str | | |
context_num | str | | |
elapsed | str | | |
hll_key | str | | |
packets | str | | |
segment_time | timestamp | | |
server_inbound_bytes | str | | |
server_inbound_packets | str | | |
server_outbound_bytes | str | | |
server_outbound_packets | str | | |
start_time | timestamp | | |
status | str | | |
update_service | str | | |
update_status | str | | |
comment | str | | |
contract_name | str | | |
special_properties | str | | |
subs_exp | str | | |
subscription_stat | str | | |
subscription_stat_desc | str | | |
protection_id | str | | |
protection_name | str | | |
protection_type | str | | |
fw_subproduct | str | | |
message | str | | |
scheme | str | | |
vpn_feature_name | str | | |
administrator | str | | |
client_ip | ip4 | | |
machine | str | | |
operation | str | | |
operation_number | str | | |
subject | str | | |
sensor_alert_blade | str | | |
sensor_alert_category | str | | |
sensor_alert_duration | str | | |
sensor_alert_id | str | | |
sensor_alert_message | str | | |
sensor_alert_module | str | | |
sensor_alert_solution | str | | |
sensor_alert_solution_sk | str | | |
sensor_alert_source | str | | |
sensor_alert_title | str | | |
sensor_alert_type | str | | |
sensor_test_name | str | | |
precise_error | str | | |
proxy_src_ip | ip4 | | |
reason | str | | |
resource | str | | |
s_port | str | | |
client_name | str | | |
client_version | str | | |
os_name | str | | |
os_version | str | | |
host_type | str | | |
db_ver | str | | |
attack | str | | |
attack_info | str | | |
alert | str | | |
attack_status | str | | |
rule | str | | |
icmp | str | | |
icmp_code | str | | |
icmp_type | str | | |
xlatedport | str | | |
xlatedst | ip4 | | |
xlatesport | str | | |
xlatesrc | ip4 | | |
aggregated_log_count | int4 | | |
connection_count | int4 | | |
creation_time | timestamp | | |
event_type | str | | |
local_time | str | (see the local_time transformation below) | local_time_str |
update_count | int4 | | |
uid | str | | |
object_type | str | | |
object_name | str | | |
send_to_tracker_as_advanced_audit_log | str | | |
fields_changes | str | | |
advanced_changes | str | | |
logic_changes | str | | |
hostchain | str | | |
tag | str | | |
rawMessage | str | | |

local_time transformation (applied to the source field local_time_str):

    ifthenelse(length(local_time_str) = 10,
      timestamp(int(local_time_str)*1000),
      parsedate(local_time_str,
        ifthenelse(startswith(local_time_str, " "),
          ifthenelse(length(split(split(local_time_str," ",1),":",0))=1,
            dateformat(" DMMMYYYY H:mm:ss", "UTC"),
            dateformat(" DMMMYYYY HH:mm:ss", "UTC")
          ),
          ifthenelse(length(split(split(local_time_str," ",1),":",0))=1,
            dateformat("DDMMMYYYY H:mm:ss", "UTC"),
            dateformat("DDMMMYYYY HH:mm:ss", "UTC")
          )
        )
      )
    )