Checkpoint integration in FortiSIEM
Hi,
Can you please help me integrate a Checkpoint firewall with my FortiSIEM?
I have logs in my SIEM, but they show as Unknown_EventType.
How can I parse the logs?
Hi,
I have an update on the issue.
The error we made was not installing the Database after the configuration change in Checkpoint.
Thank you @cdurkin_FTNT for your help.
Can you provide more information?
Version of Checkpoint?
Is it syslog you're sending?
What do the logs look like?
Is it all logs or just individual logs that are not parsing?
Hi, thank you for your reply.
- Checkpoint version 81.20
- logs are sent as syslog
- logs are like: <134>1 2024-05-21T13:29:35Z Jidar CheckPoint 14762 - [action:"HTTPS Bypass"; flags:"393216"; ifdir:"inbound"; ifname:"eth0"; loguid:"{0x664ca1bf,0x12,0x296960a,0x1d08b9aa}"; origin:"10.150.150.2"; originsicname:"cn=cp_mgmt,o=jidar.ont.org"; sequencenum:"1"; time:"1716298175"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={6FD6C417-5FBC-1549-A5D1-3C30245C2AD5};mgmt=jidar;date=1715777317;policy_name=package_17022020\]"; dst:"23.47.189.163"; https_inspection_action:"Bypass"; https_inspection_rule_id:"{A7204184-CDFF-4532-A30C-50490D6296AB}"; https_inspection_rule_name:"Predefined Rule"; product:"HTTPS Inspection"; proto:"6"; s_port:"63591"; service:"443"; src:"172.16.21.174"; log_link:"
- all logs are not parsing and are shown as Unknown_EventType
Thank you.
So I believe the issue here is that we require syslog in CEF format.
The above sample is not CEF.
Hi,
I applied the change in my Checkpoint FW to send CEF format, but it is still Unknown.
FYI: in the FortiSIEM CMDB the device is in the category "Generic".
Can you give a few new sample events in CEF format?
Hi, I clicked by mistake.
Here is the log:
<134>1 2024-05-21T15:54:11Z Jidar CheckPoint 14762 - [action:"Accept"; flags:"417028"; ifdir:"inbound"; ifname:"eth0"; logid:"0"; loguid:"{0x9a21907,0xa430b040,0xe8b082dc,0x2ffdd8d0}"; origin:"10.150.150.2"; originsicname:"cn=cp_mgmt,o=jidar.ont.orgm7kic3"; sequencenum:"6"; time:"1716306851"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BD8249E2-5B97-8243-9A5D-2AC67F5694C2};mgmt=jidar;date=1716305572;policy_name=package_17022020\]"; dst:"192.168.3.110"; inzone:"Internal"; layer_name:"package_17022020 Security"; layer_uuid:"8a3192b4-5c30-4dd2-9d87-2678ac934224"; match_id:"49"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1f0ca9bd-c881-4295-8b4a-0f50d18644ca"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"43578"; service:"161"; service_id:"snmp"; src:"192.168.1.148";
Hi Amir,
Not sure if you pasted the wrong event, but that was still not CEF format.
This is an example of CEF:
CEF:0|Check Point|VPN-1 & FireWall-1|Check Point|Log|http|Unknown|act=Accept deviceDirection=0 rt=1528095651000 spt=39108 dpt=80 cs2Label=Rule Name cs2=Implicit Cleanup layer_name=LRSK Security layer_name=LRSK Application layer_uuid=ab166dee-e955-4b8f-a5e7-6234fbaeefde layer_uuid=5549ebc0-70a4-43d1-8ec6-ca53f2306a62 match_id=42 match_id=33554431 parent_rule=0 parent_rule=0 rule_action=Accept rule_action=Accept rule_uid=f3d1c6d8-f328-4059-b471-99dc346cea78 ifname=eth6 logid=0 loguid={0x5b14e3a2,0xb,0xfbffff0a,0xc0000007} origin=1.1.1.1 originsicname=CN\=gate2,O\=pgkeeper.citadele.lrs.lt.wj6ide sequencenum=34 version=5 dst=1.1.1.1 inzone=External outzone=Internal product=VPN-1 & FireWall-1 proto=6 service_id=http src=1.1.1.1
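To show the difference between the two formats posted in this thread in code, here is an added Python example (not code from FortiSIEM, Check Point or anyone in the thread): it detects whether a syslog line is Check Point's native `[key:"value"; ...]` body or a CEF record, parses each, and maps both onto one small common schema. The sample lines are constructed and modelled on the samples above; the common field names (`sport`, `dport`) are my own.

```python
import re
# Constructed samples modelled on the two formats posted in the thread (placeholders, not real events).
NATIVE_SAMPLE = ('<134>1 2024-05-21T15:54:11Z Jidar CheckPoint 14762 - [action:"Accept"; '
                 '__policy_id_tag:"product=FW[db_tag={GUID};policy_name=pkg\\]"; proto:"17"; '
                 's_port:"43578"; service:"161"; src:"192.168.1.148"; dst:"192.168.3.110"]')
CEF_SAMPLE = ('<134>CEF:0|Check Point|VPN-1 & FireWall-1|Check Point|Log|http|Unknown|'
              'act=Accept spt=39108 dpt=80 src=10.0.0.5 dst=10.0.0.9 proto=6 '
              'originsicname=CN\\=gate2,O\\=example.test cs2Label=Rule Name cs2=Implicit Cleanup')
CEF_HEADER = ("version", "vendor", "product", "device_version",
              "signature_id", "name", "severity")
# common name -> (native key, CEF key); assumed mapping, service in native == destination port
FIELD_MAP = {"action": ("action", "act"), "src": ("src", "src"), "dst": ("dst", "dst"),
             "proto": ("proto", "proto"), "sport": ("s_port", "spt"),
             "dport": ("service", "dpt")}

def detect_format(line):
    """'cef' for a CEF header, 'checkpoint_native' for a [key:"value"; ...] body, else 'unknown'."""
    if "CEF:" in line:
        return "cef"
    if re.search(r'\[\w+:"', line):
        return "checkpoint_native"
    return "unknown"

def parse_native(line):
    """key:"value" pairs of the native body; values may contain escapes such as \\]."""
    body = line[line.index("[") + 1:]
    return dict(re.findall(r'(\w+):"((?:[^"\\]|\\.)*)"', body))

def parse_cef(line):
    """Seven CEF header fields plus the key=value extension ('|' and '=' may be backslash-escaped)."""
    parts = re.split(r'(?<!\\)\|', line[line.index("CEF:") + 4:], maxsplit=7)
    out = {k: re.sub(r'\\(.)', r'\1', v) for k, v in zip(CEF_HEADER, parts)}
    ext = parts[7].strip() if len(parts) > 7 else ""
    # split only at whitespace that precedes the next key=, so values like "Rule Name" survive
    for tok in re.split(r'\s+(?=[A-Za-z_][\w.]*=)', ext):
        m = re.match(r'([\w.]+)=(.*)', tok, re.S)
        if m:
            out[m.group(1)] = re.sub(r'\\(.)', r'\1', m.group(2))
    return out

def normalize(line):
    """Map either format onto the common schema, or flag the line as unknown."""
    fmt = detect_format(line)
    if fmt == "unknown":
        return {"format": fmt}
    fields, idx = (parse_cef(line), 1) if fmt == "cef" else (parse_native(line), 0)
    out = {"format": fmt}
    out.update({c: fields[n[idx]] for c, n in FIELD_MAP.items() if n[idx] in fields})
    return out
```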
Hi,
Do I have to do anything when changing the log configuration in Checkpoint?
Sorry, I do not have access to a Checkpoint to verify. I'd suggest a TAC ticket or speaking with your Checkpoint specialist.
