Checkpoint Firewall
The CheckPoint Firewall log source integration fetches and normalizes logs from CheckPoint Firewall devices so you can visualize and analyze the log data through dashboards and reports. Dashboards visualize events including source addresses, destination addresses, services, actions, outbound connections by country, denied connections, protocols and secure remote logins detected in your network. You can customize dashboards for in-depth analysis by changing the data used in a search. Checkpoint Firewall includes the Syslog Collector based Check Point log source template, which ensures consistency in collecting, processing and analyzing
You can get the following Checkpoint Firewall product logs into Logpoint:
Check Point Firewall version r80.10 and later
Log Ingestion
Download the integration .pak file, or make sure it is installed.
There are two ways to ingest the logs:
Log Source Template (recommended)
Using a device
Configure Checkpoint Firewall Security Management Server.
Logpoint automatically generates required certificates to retrieve the Check Point Firewall logs. If automatic generation fails, you can generate them using the command line: https://newportal.logpoint.com/Content/Integrations/CheckPoint%20Software/Checkpoint%20Firewall/3.Generate%20Certificate.htm
After setting up and configuring the integration, check:
Normalized Key-Value Pairs / Vendor Field Mapping
Label Packages
After your logs are ingested, you can get started using Logpoint Analytics and your own use cases: https://newportal.logpoint.com/Content/Integrations/CheckPoint%20Software/Checkpoint%20Firewall/2.CheckPoint%20Firewall%20Analytics.htm
Checking Installed Integrations
In the Navigation Bar, click System Settings.
Click Applications.
You can search for the integration, or use the column headers to filter the list.
Downloading and Installing
Download the .pak file from the Service Desk: https://servicedesk.logpoint.com/hc/en-us
Go to Settings >> System Settings and click Applications.
Click Import.
Browse to the downloaded .pak file.
Click Upload.
After installing it, you can find it under Settings >> System Settings >> Plugins.
Use Log Source Template to Ingest Logs
You must create a log source using the log source template to receive the normalized CheckPoint Firewall logs. See Creating Log Source via a Template: https://newportal.logpoint.com/docs/log-sources/en/latest/Log%20Source%20Template.html#creating-log-source-via-a-template
Use Devices to Ingest Logs
Using a device involves six main steps, described in order below.
Configure a Repo
A repository (repo) is a log storage location where device logs are routed to. A Routing Policy determines which repo logs are sent to. Repo properties control retention, storage tier, replication, and related behavior.
Steps:
Go to Settings >> Configuration and click Repos.
Click Add.
Enter a Repo Name.
Select a Repo Path to store incoming logs.
Set Retention Day, the number of days logs are kept in the repository before automatic deletion.
You can add or remove multiple Repo Path and Retention Day entries.
Select a Remote Logpoint and set Available for (day).
Click Submit.
Normalize Checkpoint Firewall Logs
Normalization translates raw log messages into Logpoint taxonomy so searches and correlations work across vendors.
Logpoint uses two types of normalizers:
Compiled Normalizers — hard-coded and fast.
Normalization Packages — regex/signature-based packages that extract key-value pairs.
Normalization Policies combine Compiled Normalizers with Normalization Packages. Create separate policies for similar device types. Place the most commonly used normalizers at the top of the list.
Checkpoint Firewall uses:
Compiled Normalizers:
CheckPointOpsecCompiledNormalizer
CheckPointInfinityCompiledNormalizer
CheckPointFirewallCEFCompiledNormalizer
Normalization Packages:
LP_ChkPoint Endpoint Security
LP_CheckPoint Firewall
LP_CheckPoint Firewall Opsec Generic
LP_CheckPoint Firewall Process
Adding a Normalization Policy:
Go to Settings >> Configuration and click Normalization Policies.
Click Add.
Enter a Policy Name.
Select required Compiled Normalizers and Normalization Packages.
Click Submit.
Configure a Processing Policy
A Processing Policy combines normalization, enrichment and routing policies into a single policy and assigns it to a device.
Steps:
Go to Settings >> Configuration and click Processing Policies.
Click Add.
Enter a Policy Name.
Select the previously created Normalization Policy.
Select the Enrichment Policy.
Select the Routing Policy.
Click Submit.
Configure a Fetcher
A fetcher retrieves logs from a source and forwards them to Logpoint. Make sure the fetcher has the permissions it needs by adding the required parameters to the log source configuration, and set a fetch interval.
There are two fetchers for Checkpoint Firewall:
OPSEC Fetcher
Adhoc OPSEC Fetcher
Configuring the OPSEC Fetcher
Go to Settings >> Configuration and click Devices.
Click the Add collectors/fetchers icon in Actions.
Click OPSEC Fetcher.
Select a Processing Policy.
Select a Charset.
Click Policy.
You can configure an OPSEC Policy via Settings >> System >> Plugins (Manage for OPSEC Fetcher).
Click Add.
Options:
Select Is log server? if the server is a log server, then select the required Management Server.
In Application Name, enter the name of the OPSEC application created in SmartDashboard.
Select a Time Zone.
Enter the SIC One-Time Password.
Enter the Device IP, ClientDN, and ServerDN.
Select where to store the Certificate. If Remote LPC is selected, choose the required remote machine.
Click Submit.
Configuring the Adhoc OPSEC Fetcher
Go to Settings >> Configuration and click Devices.
Click the Add collectors/fetchers icon in Actions.
Click Adhoc OPSEC Fetcher.
Click Add.
Enter a Name.
Select the Start Date Time and End Date Time.
Select a Parser, a Processing Policy and a Charset.
Click Submit.
Configure CheckPoint Security Management Server
Note: Interfaces and UI may change; refer to official Checkpoint documentation when needed.
There are four configuration areas:
Check Point Security Management Server Version r80.10
SmartDashboard
Log Exporter
Source Configuration of Check Point Firewall
Before you begin, make sure the Check Point server listens on port 18184, the OPSEC LEA port the fetcher connects to.
Configure CheckPoint Security Management Server v. r80.10
SSH into the server and enter expert mode:
Open fwopsec.conf:
Uncomment:
Add (use sslca as auth type):
Save and exit.
Restart server:
OR
Configuring the SmartDashboard for r80.10
Log into SmartDashboard using admin credentials.
Go to New >> More >> Server >> OPSEC Application >> Application.
Fill parameters.
Click Communication to initialize the SIC One-Time Password. The OPSEC Fetcher uses the Communication DN and the SIC One-Time Password.
Save the Application.
Go to Security and Policies.
Add a policy Rule.
Select required firewall services or Any.
Install Policy and Database.
Key values you will need:
Application Name — the name of the OPSEC application
SIC One-Time Password — the password created for SIC-APP
Client DN — the communication DN from SmartDashboard
Server DN — the communication DN (prefix CN=cp_mgmt). You can also view it via the server browser.
Login format:
Configuring the CheckPoint Log Exporter
CheckPoint Log Exporter sends logs from CheckPoint Log Server to Logpoint.
It supports Syslog and CEF formats, Logpoint 6.x and later, multiple values for the same field, and log filtering.
Install Check Point R80.30:
Install from: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk144293#Downloads
Choose the standalone/gateway version, with the Security Gateway and Security Management on the same machine.
Install Gaia OS in Open Server:
Use the VMware ESXi UI (https://10.45.1.251/ui/) to create the VM: select Linux / Other Linux 64-bit, configure storage and power on the VM. Install Gaia, then configure the keyboard, partitions, admin password and management interface (static IP, netmask and gateway; do not select DHCP), complete the installation and reboot.
Configuring the Security Management Server or Security Gateway on Gaia:
Browse to:
Provide the admin credentials, select the R80.30 application, configure IPv4 and NTP, choose the installation type (Security Gateway and/or Security Management), define the administrator, select Any IP Address, then finish and reboot as prompted.
Configuring Log Exporter via SSH on Log Server:
SSH into host:
Change log settings:
Enter expert mode:
Create expert password:
Check the Check Point configuration:
To add GUI Clients manually: select 3 (GUI Clients), follow prompts to add IP.
Check log exporter status:
Add log exporter (target server = Logpoint):
Example:
Start log exporter:
Show forwarded rules:
Change parameters and restart:
Stop log exporter:
SmartConsole (via Remote Desktop) can monitor Log Server and Management Center status.
Source Configuration of the Check Point Firewall
Gateway logs are sent to the Security Management server by default. Gateways can be configured to send logs directly to Syslog servers. First define Syslog servers, then update gateway logging properties.
Defining Syslog Servers (SmartDashboard):
In SmartDashboard, click Firewall.
In Servers and OPSEC Applications object tree, right-click Servers >> New >> Syslog.
In Syslog Properties, enter:
Name
Optional comment
Host
Port (default 514)
Version (BSD Protocol or Syslog Protocol)
Configuring Gateways to Send Logs to Syslog Servers:
Gateways can send logs to multiple Syslog servers (servers must be of same type: BSD or Syslog Protocol).
In SmartDashboard, go to Gateway Properties >> Logs.
In the Send logs and alerts to these log servers table, click the green button to add Syslog servers.
Click OK.
Install policy.
Enabling Syslog in Kernel:
Syslog in Kernel is controlled by the fwsyslog_enable kernel parameter:
0 = Disabled (default)
1 = Enabled
Temporarily enable Syslog in Kernel on a Security Gateway:
Run:
Install policy.
Permanently enable:
Run:
Reboot the Security Gateway or cluster members.
Temporarily disable:
Run:
Permanently disable:
Edit $FWDIR/modules/fwkern.conf and set or remove the fwsyslog_enable line so that it is disabled. Reboot the Security Gateway.
Check Syslog in Kernel status:
Sample output:
To see the log count for all instances:
Open two CLI connections to the Security Gateway.
On the first, run:
On the second, run:
On the first shell, see the counter per instance and the sum.
Normalized Key-Value Pairs / Vendor Field Mapping
Any normalized log message contains indexed fields (key/value pairs) to allow fast indexed searches. Vendor Field mapping tables show which vendor fields map to which Logpoint fields. Mapping depends on the normalizer used.
CheckPointOpsecCompiledNormalizer mapping
The following table maps Check Point Firewall fields to Logpoint taxonomy (excerpt):
Vendor field -> Logpoint field
app_category -> category
app_desc -> description
app_id -> application_id
bytes -> datasize
d_port -> destination_port
dst -> destination_address
dst_machine_name -> server
dst_user_name -> target_user
generated_time -> log_ts
i/f_name -> source_interface
icmp-code -> icmp_code
message_info -> message
NAT_rulenum -> nat_rule_number
orig -> host_address
policy_name -> policy
proto -> protocol
s_port -> source_port
service -> destination_port
src -> source_address
src_user_name -> user
start_time -> start_ts
time -> log_ts
User -> user
web_client_type -> user_agent
xlatedport -> nat_destination_port
product -> application
received_bytes -> received_datasize
sent_bytes -> sent_datasize
has_accounting -> accounting_flag
logId -> log_id
log_sequence_num -> sequence_number
browse_time -> browse_duration
Suppressed logs -> suppressed_log_count
LastUpdateTime -> last_update_ts
(See full mapping in original documentation for all fields.)
CheckPointFirewallCEFCompiledNormalizer mapping
The following table maps Check Point Firewall fields to Logpoint taxonomy (excerpt):
Vendor field -> Logpoint field
app_category -> category
app_desc -> description
app_id -> application_id
bytes -> sent_datasize
d_port -> destination_port
dst -> destination_address
dst_machine_name -> server
endpoint_ip -> endpoint_address
generated_time -> log_ts
icmp-type -> icmp_type
message_info -> message
NAT_rulenum -> nat_rule_number
orig -> host_address
policy_name -> policy
proto -> protocol_id
s_port -> source_port
service -> destination_port
src -> source_address
start_time -> start_ts
time -> log_ts
xlatedport -> nat_destination_port
assigned_ip -> new_address
attack_info -> attack_information
auth_method -> authentication_method
auth_status -> status
client_name -> event_source
client_version -> application_version
cookiei -> cookie_i
domain_name -> domain
feature_name -> feature
flags -> flag
origin -> gateway_address
outzone -> destination_zone
peer_gateway -> peer_address
product -> application
protection_name -> protection
sam_log_type -> event_type
sam_rule_uid -> sam_rule_id
src_machine_group -> machine_group
src_user_group -> group
seqencenum -> sequence_number
termination_reason -> reason
vpn_feature_name -> vpn_feature
logid -> log_id
(See full mapping in original documentation for all fields.)
CheckPointFirewallCEFCompiledNormalizer (alternate mapping)
Another CEF-based mapping (excerpt):
Vendor field -> Logpoint field
deviceExternalId -> serialnumber
src -> sourceaddress
dst -> destinationaddress
sourceTranslatedAddress -> natsourceaddress
destinationTranslatedAddress -> natdestinationaddress
Rule -> rule
suser -> user
duser -> targetuser
app -> application
VirtualSystem -> virtualfirewall
SourceZone -> sourcezone
DestinationZone -> destinationzone
deviceInboundInterface -> sourceinterface
deviceOutboundInterface -> destinationinterface
LogProfile -> logprofile
SessionID -> sessionid
cnt -> eventcount
spt -> sourceport
dpt -> destinationport
Flags -> flag
proto -> protocol
act -> action
msg -> message
URLCategory -> urlcategory
deviceDirection -> direction
Totalbytes -> datasize
Packets -> packetcount
Elapsedtimeinseconds -> duration
sequencenum -> sequencenumber
rt -> logts
start -> startts
originsicname -> path
conndirection -> direction
destinationDnsDomain -> destinationdomain
deviceMacAddress -> hardwareaddress
deviceNtDomain -> windowsdomain
deviceProcessName -> processid
dhost -> destinationhost
dmac -> destinationhardwareaddress
dpid -> destinationprocessid
dvchost -> host
end -> endts
fileHash -> hash
filePath -> path
out -> sentdatasize
outcome -> outcome
request -> url
requestMethod -> requestmethod
shost -> sourcehost
smac -> sourcehardwareaddress
bytes -> datasize
packets -> packet
origin -> hostaddress
logid -> logid
loguid -> loguid
ifname -> interface
clientinboundpackets -> receivedpacket
clientoutboundpackets -> sentpacket
serverinboundbytes -> serverreceiveddatasize
serveroutboundbytes -> serversentdatasize
(See full mapping in original documentation for all fields.)
CheckPoint Firewall Labels
Labels are key-value pairs assigned to log fields after parsing, used to categorize, enrich, and structure logs. Logpoint applies labels via:
Label Packages
Normalization Signatures
Labeling Rules
Checkpoint Firewall has two Label Packages:
LP_CheckPoint Firewall
LP_CheckPoint Firewall OpsecL
Adding / Activating Label Packages:
Go to Settings >> Knowledge Base and click Label Packages.
Under Vendor Label Packages, click the Activate Label Package icon.
Click Manage Labels to view Search Labels.
CheckPoint Action → Label Mapping
The labels assigned to logs according to the value of the action field:
Action -> Labels
accept -> Connection, Allow
ctl -> Connection, Control
monitor -> Connection, Monitor
drop -> Connection, Deny, Drop
reject -> Connection, Deny
decrypt -> Connection, Decrypt
block -> Connection, Deny
encrypt -> Connection, Encrypt
log in -> User, LogIn
update -> Connection, Update
log out -> User, LogOut, Logoff
ip changed -> IP, Change
key install -> Key, Install
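As an added illustration (not Logpoint's or Check Point's own code), the Python below shows what the normalizers in the Vendor Field Mapping section and the label packages above do together: it parses a pipe-separated OPSEC line and a CEF line, renames vendor keys using excerpts of this page's mapping tables, and attaches labels from the action value. The sample log lines, the field subsets and the function names are constructed assumptions.

```python
import re

# Excerpts of this page's mapping tables (OPSEC compiled normalizer for
# pipe-separated key=value logs, and the CEF normalizer); unlisted keys pass through.
OPSEC_MAP = {"src": "source_address", "dst": "destination_address",
             "s_port": "source_port", "d_port": "destination_port",
             "service": "destination_port", "proto": "protocol",
             "orig": "host_address", "policy_name": "policy",
             "i/f_name": "source_interface", "message_info": "message"}
CEF_MAP = {"src": "sourceaddress", "dst": "destinationaddress",
           "spt": "sourceport", "dpt": "destinationport", "act": "action",
           "proto": "protocol", "msg": "message", "cnt": "eventcount"}
# Excerpt of the page's action -> label table, keyed by lower-cased action value.
ACTION_LABELS = {"accept": ["Connection", "Allow"], "reject": ["Connection", "Deny"],
                 "drop": ["Connection", "Deny", "Drop"], "block": ["Connection", "Deny"],
                 "monitor": ["Connection", "Monitor"], "log in": ["User", "LogIn"],
                 "log out": ["User", "LogOut", "Logoff"]}

def parse_pipe_kv(line):
    """Split a pipe-separated 'key=value|key=value' Check Point line."""
    fields = {}
    for part in line.split("|"):
        key, sep, value = part.partition("=")
        if sep:                           # ignore fragments without '='
            fields[key.strip()] = value.strip()
    return fields

def parse_cef(line):
    """Split a CEF line: seven pipe-separated header fields, then an extension
    of 'key=value' pairs. Escaped pipes in the header are not handled."""
    header = line.split("|", 7)
    if len(header) != 8 or not header[0].startswith("CEF:"):
        raise ValueError("not a CEF line")
    fields = {"cef_name": header[5], "severity": header[6]}
    # A value runs until the next ' key=' token, so spaces inside msg= survive.
    fields.update(re.findall(r"(\S+?)=(.*?)(?= \S+?=|$)", header[7]))
    return fields

def normalize(fields, mapping):
    """Rename vendor keys via the mapping and attach labels from 'action'. Where two
    vendor keys map to one Logpoint key (d_port, service) the first one seen wins."""
    out = {}
    for key, value in fields.items():
        out.setdefault(mapping.get(key, key), value)
    out["labels"] = ACTION_LABELS.get(out.get("action", "").lower(), [])
    return out

# Constructed sample lines, not real device output.
SAMPLE_OPSEC = ("action=drop|orig=192.0.2.1|i/f_name=eth1|src=198.51.100.7|s_port=51514"
                "|dst=192.0.2.50|service=445|proto=tcp|message_info=blocked by rule 3")
SAMPLE_CEF = ("CEF:0|Check Point|Firewall|R80.10|Accept|Accept|1|src=10.0.0.8 spt=40000 "
              "dst=203.0.113.9 dpt=443 proto=tcp act=Accept cnt=1 msg=allowed by rule 7")
```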
Expected Log Sample
Pipe (|) separated key-value pair example: