Check Point Firewall Content Pack

The following content pack is available for use with a Graylog Illuminate license and Graylog Enterprise or Graylog Security. Contact sales to learn more about obtaining Illuminate.

Check Point Next Generation Firewall (NGFW) is an advanced security solution that combines traditional firewall features with intrusion prevention, antivirus, and application control capabilities to enhance network security. It inspects traffic at both the network and application levels, providing granular control over network traffic and preventing the spread of malware and cyber threats. Check Point NGFWs are highly scalable and easy to manage, making them a popular choice for organizations of all sizes seeking advanced network security features. This technology pack will process Check Point Next Generation Firewall (NGFW) logs, providing normalization and enrichment of those events.

Supported Version(s)

  • Check Point R81.2.0

Requirements

  • Check Point NGFW version R81.x.

  • Graylog Server with a valid Enterprise license, running Graylog version 4.3 or later.

  • Ensure the Check Point device is configured to export logs in a format compatible with Graylog Illuminate parsers. Refer to the Check Point Log Exporter Administration Guide for setup instructions.

Stream Configuration

This technology pack includes 1 stream:

  • "Illuminate:Checkpoint Messages"

Hint: If this stream does not exist before the pack is activated, it will be created, and the pack will route messages to it and to the associated index set. No stream rules should be configured for this stream.

Index Set Configuration

This technology pack includes 1 index set definition:

  • "Checkpoint Logs"

Hint: If this index set is already defined, then nothing will be changed. If this index set does not exist, then it will be created with retention settings of a daily rotation and 90 days of retention. These settings can be adjusted as required after installation.

Log Collection

  • Sending logs via Syslog

Log Format Example

[flags:"147456"; ifdir:"inbound"; loguid:"{0x5b691e76,0xf,0x670111ac,0xc0000017}"; origin:"192.168.10.75"; originsicname:"cn=cp_mgmt,o=CHKP_R81..b792qm"; sequencenum:"11"; time:"1677752746"; version:"5"; attack:"Security Products Enforcement Violation"; attack_info:"Netis/Netcore Router Hard-Coded Backdoor"; confidence_level:"5"; description_url:"NETIS_R_help.html"; performance_impact:"3"; product:"SmartDefense"; protection_id:"asm_dynamic_prop_NETIS_R"; protection_name:"Netis/Netcore Router Hard-Coded Backdoor"; protection_type:"IPS"; severity:"3"; smartdefense_profile:"Optimized"; src:"192.168.11.55"]

[action:"Drop"; flags:"393216"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x641438da,0x1,0x4b0aa8c0,0x13dca7b3}"; origin:"192.168.10.75"; originsicname:"cn=cp_mgmt,o=gw-chkp..2hw9xr"; sequencenum:"2"; time:"1679046874"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={5F246403-00BB-E743-9690-C36A9C7FE416};mgmt=gw-chkp;date=1679046655;policy_name=Standard\]"; dst:"142.250.192.13"; layer_name:"Network"; layer_uuid:"f5cec687-05e5-4573-b1dc-08119f24cbc9"; match_id:"1"; parent_rule:"0"; rule_action:"Drop"; rule_name:"Block Client IP"; rule_uid:"f566bb6e-b41b-4e41-b67d-da0ef3aa1d08"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"49243"; service:"443"; service_id:"https"; src:"192.168.11.65"]

[action:"Accept"; flags:"163872"; ifdir:"outbound"; loguid:"{0x63dd128a,0xc3,0x6efea8c0,0xdd49b9f}"; origin:"192.168.10.75"; originsicname:"cn=cp_mgmt,o=CHKP_R81..b792qm"; sequencenum:"1"; time:"1675938823"; version:"5"; administrator:"admin"; client_ip:"192.168.10.71"; machine:"192.168.10.71"; operation:"Log Out"; operation_number:"12"; product:"query-database"; subject:"Administrator Login"]
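The Log Exporter format above is a sequence of bracketed records of key:"value" pairs separated by semicolons. The following Python parser is an added example (not the content pack's or Graylog's own code): it splits such a line into records and fields, handling the backslash-escaped "]" inside __policy_id_tag that a naive split would break on, and then applies an assumed product-based mapping to the three log types the pack categorizes (the mapping is an illustration, not the pack's rule logic).

```python
import re
from typing import Dict, List

# Constructed sample: the three records from the page's Log Format Example,
# trimmed to the fields this parser needs. Note the escaped "\]" inside
# __policy_id_tag, which a naive split on "]" would cut in half.
SAMPLE = (
    '[flags:"147456"; ifdir:"inbound"; origin:"192.168.10.75"; time:"1677752746"; '
    'product:"SmartDefense"; protection_type:"IPS"; severity:"3"; src:"192.168.11.55"] '
    '[action:"Drop"; ifdir:"inbound"; ifname:"eth1"; origin:"192.168.10.75"; '
    '__policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={5F246403};mgmt=gw-chkp;'
    'policy_name=Standard\\]"; dst:"142.250.192.13"; rule_name:"Block Client IP"; '
    'product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"49243"; service:"443"; '
    'src:"192.168.11.65"] '
    '[action:"Accept"; ifdir:"outbound"; origin:"192.168.10.75"; administrator:"admin"; '
    'client_ip:"192.168.10.71"; operation:"Log Out"; product:"query-database"; '
    'subject:"Administrator Login"]'
)

# One bracketed record: "[" up to the first "]" that is not preceded by a backslash.
_RECORD = re.compile(r'\[((?:[^\]\\]|\\.)*)\]')
# One key:"value" pair; the quoted value may contain backslash-escaped characters.
_FIELD = re.compile(r'(\w+):"((?:[^"\\]|\\.)*)"')

def parse_records(text: str) -> List[Dict[str, str]]:
    """Split a Log Exporter line into records, each a dict of unescaped fields."""
    records = []
    for match in _RECORD.finditer(text):
        fields = {key: re.sub(r'\\(.)', r'\1', value)
                  for key, value in _FIELD.findall(match.group(1))}
        records.append(fields)
    return records

def log_type(rec: Dict[str, str]) -> str:
    """Assumed illustrative mapping to the pack's three log types; not its own rule logic."""
    product = rec.get("product", "")
    if product == "SmartDefense" and "protection_type" in rec:
        return "smartdefense_alert"
    if product == "VPN-1 & FireWall-1" and "rule_name" in rec:
        return "network"
    if "administrator" in rec or rec.get("subject") == "Administrator Login":
        return "authentication"
    return "unknown"

if __name__ == "__main__":
    for rec in parse_records(SAMPLE):
        print(log_type(rec), rec.get("src") or rec.get("client_ip"), "->", rec.get("dst", "-"))
```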

What is Provided

We provide parsing rules to normalize and enrich Check Point Next Generation Firewall log messages, including:

  • URL Filtering

  • Smart Dashboard

  • Log Update

  • Security Management

  • CPM Server

  • Smart Console

  • Query Database

  • Endpoint Management

  • Smart Defense

  • Endpoint Security Console

  • Web API

  • VPN-1 & Firewall-1

We provide categorization for the following log types:

  • SmartDefense Alert logs

  • Network logs

  • Authentication logs

Events Processed by This Technology Pack

The Check Point Next Generation Firewall content pack supports parsing for all fields, and GIM categorization for network events, SmartDefense alert events, and authentication events.

GIM Categorization

GIM categorization is provided for the following messages:

Check Point NGFW Content Pack

Introduced in Illuminate 3.4, the Check Point NGFW Spotlight Content Pack comes bundled with the Check Point Security Content Pack. See Installing Illuminate or Upgrading Illuminate for more information on Spotlight Content Pack selection. This additional pack contains the following dashboards:

  • Overview

  • Network

  • Alerts

  • Authentication