This tag identifies events that were generated by a Check Point firewall. The first three levels of this tag are fixed and the subtype level is used to identify the firewall group (or zone). It is essentially a free level that you can use to identify the specific Check Point firewall event source, and it cannot be left unassigned.





firewall checkpoint fw group

For example, firewall.checkpoint.fw.chicago

Regardless of the fourth level of the tag, all log events will be saved in the firewall.checkpoint.fw data table. The fourth-level of the tag will appear in the data table in a column labeled machine.

Check Point configuration

Configure the Check Point Log Exporter (or other log sending facility) to send events to the Devo Relay through a dedicated port of your choosing.

In-house Relay configuration

Create a new rule that tags all the events arriving to the relay through the dedicated port you set in Check Point as Again, you are free to assign the fourth level of this tag (group) as suits the needs of your network. In the example below, we use the fourth level to identify the firwall location.

Sending logs from SmartCenter console on Windows

To send the logs, use the following CLI command on SmartCenter:

$FWDIR/bin/fw log -ftnl fw.log

The system starts collecting the events with the Devo’s Windows Agent MagicLog and labels them using the firewall.checkpoint.fw tag.

  • The Windows Agent ProxServerContainer should send all events to the In-house Relay. 
  • The destination port in the In-house Relay should be number 13000 (for events already tagged).

When adding the Folder Path, enter the absolute path name. No variables allowed.

For more information on how to set up the Windows Agent, see Devo agents for Windows events sending.

Sending logs from SmartCenter console on Linux

  1. Edit /etc/syslog.conf and add: <TAB> @IP_OF_in-house-relay
  2. Edit /etc/rc.d/init.d/cpboot and add: 

    fw log -ftnl | logger -p -t firewall.checkpoint.fw &
  3. Reboot the management server.
A reboot of the management server is required, as the command cpoff/cpon is not sufficient to activate the log forwarding.

Have we answered your question?

If not, please contact our technical support team via email by clicking the button below.