Check Point Firewall

Check Point Firewall monitors and filters incoming and outgoing network traffic based on established security policies.

When you set up Check Point Firewall as an event source, you can review and analyze the data that your firewall collects. In InsightIDR you can view these as log types:

  • Firewall
  • VPN
  • Ingress Authentication
  • Web Proxy
  • IDS
  • Advanced Malware

To send Check Point Firewall data to InsightIDR, you can use either Syslog or ArcSight Log Aggregator. This topic provides configuration instructions for the Syslog method.

Note: InsightIDR supports parsing JSON data, regardless of the method you use.

Read the third-party vendor documentation

For the most up-to-date information about configuring your event source product, we recommend that you visit the vendor's documentation. While Rapid7 will continue to update our documentation when our own user interface is updated, we cannot guarantee the same due diligence with third-party user interfaces.

To set up Check Point Firewall:

  1. Read the requirements and complete any prerequisite steps.
  2. Configure Check Point Firewall to send data to InsightIDR.
  3. Configure InsightIDR to collect data from the event source.
  4. Test the configuration.
  5. Troubleshoot common issues.

Requirements

Read the Check Point Firewall logging and monitoring administration guide at: https://sc1.checkpoint.com/documents/R81/WebAdminGuides/EN/CP_R81_Multi-DomainSecurityManagement_AdminGuide/Topics-MDSG/Logging-and-Monitoring.htm

Configure Check Point Firewall to send data to InsightIDR

You must enable and configure your Check Point firewall to send syslog to the InsightIDR Collector. Note the destination port and protocol (UDP or TCP) you choose here, because you must enter the same values when you add the event source in InsightIDR.

To do this, follow the instructions at: https://sc1.checkpoint.com/documents/R81/WebAdminGuides/EN/CP_R81_LoggingAndMonitoring_AdminGuide/Topics-LMG/Working-with-Syslog-Servers.htm?TocPath=Logging%7C_____7
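Before you add the event source in InsightIDR, it is worth confirming on the Collector host that the firewall's syslog is actually arriving on the port you configured, and that the sender address is the gateway you expect. The script below is an added example for this page, not Rapid7 or Check Point code. It assumes the firewall exports RFC 5424 syslog whose message body is the Check Point key:"value"; list in square brackets (the shape produced by Log Exporter's syslog format), that UDP is in use, and that port 514 is the default; the sample lines are constructed to resemble that output and were not captured from a device.

```python
"""Pre-flight check that Check Point syslog is reaching the Collector host.

Added example for this page; not Rapid7 or Check Point code. Assumptions:
- the firewall exports RFC 5424 syslog whose message body is the Check Point
  key:"value"; list in square brackets (Log Exporter's syslog format);
- the SAMPLE_LINES below are constructed to look like that output, not
  captured from a device;
- UDP on port 514 is the default here; pass the port you chose instead.
"""
import re
import socket
import sys
import time
from collections import Counter
from typing import Dict, List, Optional

# RFC 5424 header as written by Log Exporter, then the bracketed key:"value"; body.
HEADER_RE = re.compile(
    r'^<(?P<pri>\d{1,3})>1\s+(?P<ts>\S+)\s+(?P<host>\S+)\s+CheckPoint\s+\S+\s+\S+\s+'
    r'\[(?P<body>.*)\]\s*$'
)
FIELD_RE = re.compile(r'(?P<key>[A-Za-z0-9_]+):"(?P<val>[^"]*)"')

# Constructed sample lines (not real device output).
SAMPLE_LINES = [
    '<134>1 2024-05-01T10:15:00Z cp-gw1 CheckPoint 9143 - [action:"Accept"; flags:"411908"; '
    'ifdir:"inbound"; ifname:"eth1"; loguid:"{0x1,0x2,0x3,0x4}"; origin:"10.1.1.1"; '
    'product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"51234"; service:"443"; '
    'src:"10.20.30.40"; dst:"93.184.216.34"; rule_name:"Outbound Web"]',
    '<134>1 2024-05-01T10:15:01Z cp-gw1 CheckPoint 9143 - [action:"Drop"; ifdir:"inbound"; '
    'ifname:"eth0"; origin:"10.1.1.1"; product:"VPN-1 & FireWall-1"; proto:"17"; '
    's_port:"53512"; service:"23"; src:"198.51.100.7"; dst:"10.1.1.1"; rule_name:"Cleanup"]',
    '<134>1 2024-05-01T10:15:02Z cp-gw1 CheckPoint 9143 - [action:"Key Install"; origin:"10.1.1.1"; '
    'product:"VPN-1 & FireWall-1"; peer_gateway:"203.0.113.9"; scheme:"IKE"; '
    'methods:"ESP: AES-256 + SHA256"]',
    # Something else that happens to hit the same port; must not be mistaken for Check Point.
    'May  1 10:15:03 other-host sshd[123]: Accepted publickey for root from 10.0.0.2',
]


def parse_checkpoint_syslog(line: str) -> Optional[Dict[str, str]]:
    """Return the event's fields as a dict, or None if the line is not Check Point syslog."""
    m = HEADER_RE.match(line.strip())
    if m is None:
        return None
    pri = int(m.group("pri"))
    event = {
        "syslog_facility": str(pri >> 3),  # 134 -> 16 (local0)
        "syslog_severity": str(pri & 7),   # 134 -> 6 (informational)
        "syslog_time": m.group("ts"),
        "syslog_host": m.group("host"),
    }
    for f in FIELD_RE.finditer(m.group("body")):
        event[f.group("key")] = f.group("val")
    return event


def summarize(events: List[Dict[str, str]]) -> Dict[str, object]:
    """Count what arrived so a surprise (wrong origin, no Drop events at all) stands out."""
    parsed = [e for e in events if "action" in e]
    return {
        "total": len(events),
        "parsed": len(parsed),
        "by_action": dict(Counter(e["action"] for e in parsed)),
        "by_origin": dict(Counter(e.get("origin", "?") for e in parsed)),
    }


def receive_udp(port: int = 514, seconds: float = 60.0, bind_addr: str = "0.0.0.0") -> List[Dict[str, str]]:
    """Listen for `seconds` and return every datagram received, parsed where possible.

    Run this on the Collector host before saving the event source: once the
    Collector owns the port, bind() raises EADDRINUSE, which itself tells you
    who holds the port. Ports below 1024 need root.
    """
    events: List[Dict[str, str]] = []
    deadline = time.monotonic() + seconds
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind((bind_addr, port))
        while True:
            remaining = deadline - time.monotonic()
            if remaining <= 0:
                break
            sock.settimeout(remaining)
            try:
                data, (peer, _) = sock.recvfrom(65535)
            except socket.timeout:
                break
            text = data.decode("utf-8", errors="replace")
            event = parse_checkpoint_syslog(text) or {"unparsed": text}
            event["peer"] = peer  # sender IP; should be the gateway itself, not a NAT or relay
            events.append(event)
    return events


if __name__ == "__main__":
    if len(sys.argv) > 1 and sys.argv[1] == "--offline":
        # Exercise the parser on the constructed samples without opening a socket.
        sample = [parse_checkpoint_syslog(l) or {"unparsed": l} for l in SAMPLE_LINES]
        print(summarize(sample))
    else:
        listen_port = int(sys.argv[1]) if len(sys.argv) > 1 else 514
        print(summarize(receive_udp(listen_port, seconds=60)))
```

Run it with `--offline` to see what the parser extracts from the constructed lines, or with a port number on the Collector host to capture a minute of real traffic. If `by_origin` or the `peer` addresses are not the gateways you configured, the traffic is being relayed or NATed, which is also what attribution in InsightIDR will see. This check covers UDP only; if you chose TCP with encryption, the connection terminates at the Collector and cannot be sampled this way.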

Configure InsightIDR to collect data from the event source

After you complete the prerequisite steps and configure the event source to send data, you must add the event source in InsightIDR.

To configure the new event source in InsightIDR:

  1. Go to Data Collection and click Setup Event Source > Add Event Source.
  2. Do one of the following:
    • Search for Check Point FireWall-1 in the event sources search bar.
    • In the Product Type filter, select Firewall.
  3. Select the Check Point FireWall-1 event source tile.
  4. Choose your collector and event source. You can also name your event source if you want.
  5. Choose the timezone that matches the location of your event source logs.
  6. Optionally choose to send unparsed data.
  7. Select an attribution source.
  8. Configure the inactivity timeout threshold in minutes.
  9. Consider the collection method you want to use:
    • If you are using Syslog, select Listen on Network Port. The port and protocol must match what you configured on the Check Point side (SmartDashboard in older releases, SmartConsole in R80 and later).
    • If you are using the ArcSight Log Aggregator, select Log Aggregator and choose ArcSight.
  10. Specify the port number and select the protocol you want to use.
  11. If you selected TCP as the protocol, you can optionally encrypt traffic between the firewall and the Collector by downloading the Rapid7 Certificate. Plain syslog over UDP is neither encrypted nor authenticated, so anyone who can reach the Collector port can inject log lines; prefer TCP with encryption where the gateway supports it.
  12. Click Save.

Test the configuration

To test that event data is flowing into InsightIDR, first verify that event data is flowing to the Collector:

  1. From the Data Collection Management page, click the Event Sources tab.
  2. Find the event source you created and click View raw log. If the Raw Logs modal displays raw log entries, logs are successfully flowing to the Collector.
  3. Wait approximately seven minutes, then open the Log Search page in InsightIDR.

Next, verify that log entries are appearing in Log Search:

  1. Go to Log Search.
  2. In the Log Search filter panel, search for the event source you named in step 4 of Configure InsightIDR to collect data from the event source. The logs should flow into these log sets:
    • Firewall
    • VPN
    • Ingress Authentication
    • Web Proxy
    • IDS
    • Advanced Malware
  3. Select the log sets and the logs inside them that you want to search.
  4. Set the time range to Last 10 minutes and click Run.

The Results table displays all events that flowed into InsightIDR in the last 10 minutes. Pay attention to the keys and values that are displayed, which are helpful when you want to build a query and search your logs.

Troubleshoot common issues

For your reference, Check Point's logging and monitoring administration guide contains specific troubleshooting sections: https://sc1.checkpoint.com/documents/R81/WebAdminGuides/EN/CP_R81_Multi-DomainSecurityManagement_AdminGuide/Topics-MDSG/Logging-and-Monitoring.htm