This tag identifies events generated by a Check Point firewall. The first three levels of the tag are fixed; the fourth level (subtype) identifies the firewall group or zone. It is essentially a free level that you can use to identify the specific Check Point firewall event source, but it cannot be left unassigned.
For example, firewall.checkpoint.fw.chicago
Regardless of the fourth level of the tag, all log events are saved in the firewall.checkpoint.fw data table. The fourth level of the tag appears in the data table in a column labeled machine.
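The tag rules above (fixed first three levels, a mandatory free fourth level, one data table with the fourth level surfacing as the machine column) can be checked before a relay rule goes live. The following is an added example, not code from the Devo documentation or product; it assumes that exactly four levels are accepted, which is stricter than Devo's general tag grammar but matches the form this page documents.

```python
# Added example (not part of the Devo documentation): map a
# firewall.checkpoint.fw.<group> tag to the data table it lands in and the
# value that will appear in the "machine" column, rejecting tags that leave
# the fourth level unassigned.
# Assumption: exactly four levels are accepted; the page documents only that form.
from typing import Dict, Iterable, NamedTuple, Tuple

FIXED_LEVELS = ("firewall", "checkpoint", "fw")
TABLE = ".".join(FIXED_LEVELS)  # every event is stored in this table


class TagRoute(NamedTuple):
    table: str    # data table the event is saved in
    machine: str  # value shown in the "machine" column


def route_tag(tag: str) -> TagRoute:
    """Validate a Check Point tag and return where its events end up."""
    levels = tag.strip().split(".")
    if tuple(levels[:3]) != FIXED_LEVELS:
        raise ValueError(f"first three levels must be {TABLE}: {tag!r}")
    if len(levels) != 4:
        raise ValueError(f"expected exactly one group level after {TABLE}: {tag!r}")
    machine = levels[3]
    if not machine:
        raise ValueError(f"fourth level (group) cannot be left unassigned: {tag!r}")
    return TagRoute(table=TABLE, machine=machine)


def route_many(tags: Iterable[str]) -> Tuple[Dict[str, TagRoute], Dict[str, str]]:
    """Split a batch of tags into accepted routes and rejection reasons."""
    accepted: Dict[str, TagRoute] = {}
    rejected: Dict[str, str] = {}
    for tag in tags:
        try:
            accepted[tag] = route_tag(tag)
        except ValueError as err:
            rejected[tag] = str(err)
    return accepted, rejected


if __name__ == "__main__":
    # Constructed sample tags: one valid, one missing the fourth level,
    # one with an empty fourth level, one for a different vendor.
    sample = [
        "firewall.checkpoint.fw.chicago",
        "firewall.checkpoint.fw",
        "firewall.checkpoint.fw.",
        "firewall.othervendor.fw.chicago",
    ]
    ok, bad = route_many(sample)
    for tag, route in ok.items():
        print(f"{tag}: table={route.table} machine={route.machine}")
    for tag, reason in bad.items():
        print(f"{tag}: rejected ({reason})")
```

Running the script with the constructed sample accepts only firewall.checkpoint.fw.chicago (table firewall.checkpoint.fw, machine chicago) and reports why each of the other three tags would not be a usable relay rule target.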
Check Point configuration
Configure the Check Point Log Exporter (or other log sending facility) to send events to the Devo Relay through a dedicated port of your choosing.
In-house Relay configuration
Create a new rule that tags all the events arriving at the relay through the dedicated port you set in Check Point as firewall.checkpoint.fw.group. Again, you are free to assign the fourth level of this tag (group) as suits the needs of your network. In the example below, we use the fourth level to identify the firewall location.
Sending logs from SmartCenter console on Windows
To send the logs, use the following CLI command on SmartCenter:
$FWDIR/bin/fw log -ftnl fw.log
The system starts collecting the events with Devo's Windows Agent MagicLog and labels them with the firewall.checkpoint.fw tag.
- The Windows Agent ProxServerContainer should send all events to the In-house Relay.
- The destination port in the In-house Relay should be number 13000 (for events already tagged).
For more information on how to set up the Windows Agent, see Devo agents for Windows events sending.
Sending logs from SmartCenter console on Linux
Edit /etc/syslog.conf and add the following line (<TAB> stands for a literal tab character, and IP_OF_in-house-relay is the IP address of your In-house Relay):
local4.info <TAB> @IP_OF_in-house-relay
Edit /etc/rc.d/init.d/cpboot and add:
fw log -ftnl | logger -p local4.info -t firewall.checkpoint.fw &
- Reboot the management server.