The following content pack is available for use with a Graylog Illuminate license and Graylog Enterprise or Graylog Security. Contact sales to learn more about obtaining Illuminate.

HintThe Checkpoint Next Generation Firewall Security Content Pack was first introduced in Illuminate 3.3.

Checkpoint Next Generation Firewall (NGFW) is an advanced security solution that combines traditional firewall features with intrusion prevention, antivirus, and application control capabilities to enhance network security. It inspects traffic at both the network and application levels, providing granular control over network traffic and preventing the spread of malware and cyber threats. Checkpoint NGFWs are highly scalable and easy to manage, making them a popular choice for organizations of all sizes seeking advanced network security features. This technology pack will process Checkpoint Next Generation Firewall (NGFW) logs, providing normalization and enrichment of those events.

Requirements

  • Checkpoint NGFW version R81.x.

  • Graylog Server with a valid Enterprise license, running Graylog version 4.3 or later.

Supported Version(s)

  • Checkpoint R81.2.0

Stream Configuration

This technology pack includes one stream:

  • “Illuminate:Checkpoint Messages”

Hint: If this stream does not exist prior to the activation of this pack then it will be created and configured to route messages to this stream and the associated index set. There should not be any stream rules configured for this stream.

Index Set Configuration

This technology pack includes one index set definition:

  • “Checkpoint Logs”

Hint: If this index set is already defined, then nothing will be changed. If this index set does not exist, then it will be created with retention settings of a daily rotation and 90 days of retention. These settings can be adjusted as required after installation.

Log Collection

  • Sending logs via Syslog

Log Format Example

[flags:"147456"; ifdir:"inbound"; loguid:"{0x5b691e76,0xf,0x670111ac,0xc0000017}"; origin:"192.168.10.75"; originsicname:"cn=cp_mgmt,o=CHKP_R81..b792qm"; sequencenum:"11"; time:"1677752746"; version:"5"; attack:"Security Products Enforcement Violation"; attack_info:"Netis/Netcore Router Hard-Coded Backdoor"; confidence_level:"5"; description_url:"NETIS_R_help.html"; performance_impact:"3"; product:"SmartDefense"; protection_id:"asm_dynamic_prop_NETIS_R"; protection_name:"Netis/Netcore Router Hard-Coded Backdoor"; protection_type:"IPS"; severity:"3"; smartdefense_profile:"Optimized"; src:"192.168.11.55"]

[action:"Drop"; flags:"393216"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x641438da,0x1,0x4b0aa8c0,0x13dca7b3}"; origin:"192.168.10.75"; originsicname:"cn=cp_mgmt,o=gw-chkp..2hw9xr"; sequencenum:"2"; time:"1679046874"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={5F246403-00BB-E743-9690-C36A9C7FE416};mgmt=gw-chkp;date=1679046655;policy_name=Standard\]"; dst:"142.250.192.13"; layer_name:"Network"; layer_uuid:"f5cec687-05e5-4573-b1dc-08119f24cbc9"; match_id:"1"; parent_rule:"0"; rule_action:"Drop"; rule_name:"Block Client IP"; rule_uid:"f566bb6e-b41b-4e41-b67d-da0ef3aa1d08"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"49243"; service:"443"; service_id:"https"; src:"192.168.11.65"]

[action:"Accept"; flags:"163872"; ifdir:"outbound"; loguid:"{0x63dd128a,0xc3,0x6efea8c0,0xdd49b9f}"; origin:"192.168.10.75"; originsicname:"cn=cp_mgmt,o=CHKP_R81..b792qm"; sequencenum:"1"; time:"1675938823"; version:"5"; administrator:"admin"; client_ip:"192.168.10.71"; machine:"192.168.10.71"; operation:"Log Out"; operation_number:"12"; product:"query-database"; subject:"Administrator Login"]

What is Provided

We provide parsing rules to normalize and enrich Checkpoint Next Generation Firewall log messages, including:

  • URL Filtering

  • Smart Dashboard

  • Log Update

  • Security Management

  • CPM Server

  • Smart Console

  • Query Database

  • Endpoint Management

  • Smart Defense

  • Endpoint Security Console

  • Web API

  • VPN-1 & Firewall-1

We provide categorization for the following log types:

  • SmartDefense Alert logs

  • Network logs

  • Authentication logs

Events Processed by This Technology Pack

The Checkpoint Next Generation Firewall content pack supports parsing for all fields, and GIM categorization for network events, SmartDefence alert events, and authentication events.

Checkpoint NGFW Spotlight Content Pack

Introduced in Illuminate 3.4 the Checkpoint NGFW Spotlight Content Pack comes bundled with the Checkpoint Security Content Pack. See Installing Illuminate or Upgrading Illuminate for more information on Spotlight Content Pack selection. This additional pack contains the following dashboards:

  • Checkpoint NGFW: Overview Tab

  • Checkpoint NGFW: Alerts Tab

  • Checkpoint NGFW: Network Tab

  • Checkpoint NGFW: Authentication Tab