firewall.checkpoint
Introduction
The tags beginning with firewall.checkpoint identify log events generated by the Check Point firewall.
Valid tags and data tables
The full tag must have four levels. The first two are fixed as firewall.checkpoint. The third level identifies the tool used to forward the events and the fourth is required but you are free to define it as you like (we suggest using it to identify the location of the machine that is the event source, for example, dmz).
Technology | Brand | Tool | Group |
---|---|---|---|
firewall | checkpoint | fw | <group> |
gaia |
| ||
lea | <group> | ||
log_exporter | <group> |
These are the valid tags and corresponding data tables that will receive the parsers' data:
Tag | Data table |
---|---|
firewall.checkpoint.log_exporter.<group> | firewall.checkpoint.log_exporter |
firewall.checkpoint.gaia.<group> | firewall.checkpoint.gaia |
firewall.checkpoint.lea.<group> | firewall.checkpoint.lea |
firewall.checkpoint.fw.<group> | firewall.checkpoint.fw |
These tags are designed to accommodate the different ways that the firewall events can be exported to Devo.Â
If you use the Check Point Log Exporter, then it is the firewall.checkpoint.log_exporter.<group> tag. This is the recommended option.
If you use the ArcSight SmartConnector for Check Point, then it is the firewall.checkpoint.gaia.<group> tag.
If you use OPSEC LEA, then it is the firewall.checkpoint.lea.<group> tag.
If you use any other method, then it is the firewall.checkpoint.fw.<group> tag.
Regardless of the third level of the tag, all firewall log events will be saved in the firewall.checkpoint.fw data table. The fourth level of the tag will appear in the data table in a column labeled group.
How is the data sent to Devo?
Logs generated by the Check Point firewall must be sent to the Devo platform via the Devo Relay to secure communication and apply the correct tag. Before that, you need to export the log events in syslog format and then direct them to a relay port by configuring the relay rules as shown below:
Relay rule 1 - Check Point Firewall
Source Port → any free port you can dedicate to the incoming events
Target Tag → the target tag depends on the method used to export the events (we recommend you to use the Check Point Log Exporter)
firewall.checkpoint.log_exporter.<group>
firewall.checkpoint.gaia.<group>
firewall.checkpoint.lea.<group>
firewall.checkpoint.fw.<group>
Check the Sent without syslog tag option.
Â