Help
FortiSIEM Discussions
Waloo5
New Contributor III

Created on ‎05-21-2024 05:06 AM

Integration Checkpoint in FortiSIEM

Hi,

Please can you help to integrate checkpoint firewall to my FortiSIEM.

I have logs in my siem but it's unknown_EventType .

How can I parse thé logs?

Amir
Amir
1714
0 Kudos
2 Solutions
cdurkin_FTNT
Staff
Staff
In response to Waloo5

Created on ‎05-21-2024 06:39 AM

Thank you.

 

So I believe the issue here is that we require syslog in CEF format.

 

The above sample is not CEF.

 

https://docs.fortinet.com/document/fortisiem/7.1.6/external-systems-configuration-guide/335430/check...

View solution in original post

1616
0 Kudos
Waloo5
New Contributor III
In response to cdurkin_FTNT

Created on ‎05-22-2024 03:53 AM

Hi,

I have an update of the issue

The error we made is not installing Database after configuration change in checkpoint.

Thank you @cdurkin_FTNT for your help.

Amir

View solution in original post

Amir
1537
0 Kudos
10 REPLIES 10
cdurkin_FTNT
Staff
Staff

Created on ‎05-21-2024 06:16 AM

Can you provide more information!

 

Version of Checkpoint?

Is it Syslog your sending?

What do the logs look like?
Is it all logs or just individual logs that are not parsing?

1427
0 Kudos
Waloo5
New Contributor III
In response to cdurkin_FTNT

Created on ‎05-21-2024 06:28 AM

Hi, thank you for your replay

 

- Checkpoint Version 81.20

- log sending are syslog

- logs are like: <134>1 2024-05-21T13:29:35Z Jidar CheckPoint 14762 - [action:"HTTPS Bypass"; flags:"393216"; ifdir:"inbound"; ifname:"eth0"; loguid:"{0x664ca1bf,0x12,0x296960a,0x1d08b9aa}"; origin:"10.150.150.2"; originsicname:"cn=cp_mgmt,o=jidar.ont.org"; sequencenum:"1"; time:"1716298175"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={6FD6C417-5FBC-1549-A5D1-3C30245C2AD5};mgmt=jidar;date=1715777317;policy_name=package_17022020\]"; dst:"23.47.189.163"; https_inspection_action:"Bypass"; https_inspection_rule_id:"{A7204184-CDFF-4532-A30C-50490D6296AB}"; https_inspection_rule_name:"Predefined Rule"; product:"HTTPS Inspection"; proto:"6"; s_port:"63591"; service:"443"; src:"172.16.21.174"; log_link:"

 

 

- all logs are not parsing and showed as Unknown_EventType

Amir
Amir
1424
0 Kudos
cdurkin_FTNT
Staff
Staff
In response to Waloo5

Created on ‎05-21-2024 06:39 AM

Thank you.

 

So I believe the issue here is that we require syslog in CEF format.

 

The above sample is not CEF.

 

https://docs.fortinet.com/document/fortisiem/7.1.6/external-systems-configuration-guide/335430/check...

1617
0 Kudos
Waloo5
New Contributor III

Created on ‎05-21-2024 08:27 AM

Hi,

I apply change in my Checkpoint FW to send CEF format but still Unknown

FYI : in Fortisiem CMDB the device is in category "Generic" 

Amir
Amir
1399
0 Kudos
cdurkin_FTNT
Staff
Staff
In response to Waloo5

Created on ‎05-21-2024 08:45 AM

Can you give a few new sample events in CEF format.

1391
0 Kudos
Waloo5
New Contributor III
In response to cdurkin_FTNT

Created on ‎05-21-2024 09:06 AM

Hi, I clicked by error

Here is log

<134>1 2024-05-21T15:54:11Z Jidar CheckPoint 14762 - [action:"Accept"; flags:"417028"; ifdir:"inbound"; ifname:"eth0"; logid:"0"; loguid:"{0x9a21907,0xa430b040,0xe8b082dc,0x2ffdd8d0}"; origin:"10.150.150.2"; originsicname:"cn=cp_mgmt,o=jidar.ont.orgm7kic3"; sequencenum:"6"; time:"1716306851"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BD8249E2-5B97-8243-9A5D-2AC67F5694C2};mgmt=jidar;date=1716305572;policy_name=package_17022020\]"; dst:"192.168.3.110"; inzone:"Internal"; layer_name:"package_17022020 Security"; layer_uuid:"8a3192b4-5c30-4dd2-9d87-2678ac934224"; match_id:"49"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1f0ca9bd-c881-4295-8b4a-0f50d18644ca"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"43578"; service:"161"; service_id:"snmp"; src:"192.168.1.148";

Amir
Amir
1383
0 Kudos
cdurkin_FTNT
Staff
Staff
In response to Waloo5

Created on ‎05-21-2024 10:10 AM

Hi Amir

 

Not sure if you pasted the wrong event.. but that was still not CEF format.

This is an example of CEF..
CEF:0|Check Point|VPN-1 & FireWall-1|Check Point|Log|http|Unknown|act=Accept deviceDirection=0 rt=1528095651000 spt=39108 dpt=80 cs2Label=Rule Name cs2=Implicit Cleanup layer_name=LRSK Security layer_name=LRSK Application layer_uuid=ab166dee-e955-4b8f-a5e7-6234fbaeefde layer_uuid=5549ebc0-70a4-43d1-8ec6-ca53f2306a62 match_id=42 match_id=33554431 parent_rule=0 parent_rule=0 rule_action=Accept rule_action=Accept rule_uid=f3d1c6d8-f328-4059-b471-99dc346cea78 ifname=eth6 logid=0 loguid={0x5b14e3a2,0xb,0xfbffff0a,0xc0000007} origin=1.1.1.1 originsicname=CN\=gate2,O\=pgkeeper.citadele.lrs.lt.wj6ide sequencenum=34 version=5 dst=1.1.1.1 inzone=External outzone=Internal product=VPN-1 & FireWall-1 proto=6 service_id=http src=1.1.1.1

1354
0 Kudos
Waloo5
New Contributor III
In response to cdurkin_FTNT

Created on ‎05-21-2024 10:13 AM

Hi

I have to do any thing when change in configuration of logs in checkpoint?

Amir
Amir
1353
0 Kudos
cdurkin_FTNT
Staff
Staff
In response to Waloo5

Created on ‎05-21-2024 10:27 AM

Sorry I do not have access to a Checkpoint to verify. Id suggest a TAC ticket or speak with your Checkpoint specialist.

1347
0 Kudos
Announcements

Welcome to your new Fortinet Community!

You'll find your previous forum posts under "Forums"

Labels
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.