How to Configure Check Point to Stream Firewall Activity Logs to Immediate Insight
The purpose of this document is to walk the user through configuring the Checkpoint Security Manager Server running GAIA OS to work with Immediate Insight as the external syslog receiver.
Note: This process was successfully tested in the FireMon lab, however this document should not be considered as fully definitive, for official Check Point documentation please contact Check Point.
This configuration was tested in a GAIA R77 environment, but is valid for the following GAIA versions: (R75.40, R75.40VS, R75.45, R75.46, R75.47, R76, R77, R77.10, R77.20, R77.30)
Important: This procedure is not supported on Checkpoint SPLAT or Multi-Domain Server environments. However there is a different procedure available for such environments, please contact email@example.com for details
Step 1: Configure the Checkpoint GAIA OS for the Immediate Insight external syslog server.
- Connect to the GAIA OS via CLI using Putty or console over SSH.
- Log into CLISH
- Use the commands below to add the Immediate Insight client as a syslog server.
add syslog log-remote-address (adds the server)
show syslog all (reviews that the server was added)
save config (saves the configuration)
Note: In the Checkpoint GUI if you check the box Accept Syslog messages (Security Management server properties - expand 'Logs and Masters' - click on 'Additional Logging'), then Security Management server will accept these messages, and they will not be sent to the designated Syslog server. Therefore, if you want the messages to be sent to the designated Syslog server, do not check box Accept Syslog messages.
Step 2: Backup and configure the boot script in the CLI of the Check Point GAIA.
- Using Putty or appropriate terminal emulator connect to the CLI and browse to the following file path to backup the current /etc/rc.d/init.d/cpboot script:
[Expert@HostName]# cp /etc/rc.d/init.d/cpboot /etc/rc.d/init.d/cpboot_ORIGINAL
- Using the VI editor update the /etc/rc.d/init.d/cpboot script adding the following syntax at the very bottom of the file:
fw log -f -t -n -l 2> /dev/null | awk 'NF' | sed '/^$/d' | logger -p local4.info -t CP_FireWall &
Step 3: Reboot the Security Manager server.
Step 4: Verify firewall activity logs are being imported into Immediate Insight.
- Connect to the GUI interface of your Immediate Insight client and click on the “DataFlow” and “Collectors” menu. (By default the Immediate Insight has a collector set up to listen for UDP port 514 logs where the Checkpoint logs should be coming from.)
- Next choose the “Search” menu option at the top of the Immediate Insight client to review data.
- You can verify from the Search screen by using a few different search options.
- Searching by the IP Check Point syslog source (example search string: sourceFile:10.0.4.2
- Searching by the firewall hostname. (example search string: “CP_FireWall”)
Note: If there are any questions or issues with your Immediate Insight product please send an email to firstname.lastname@example.org and a support tech will get back with you as quickly as possible.