The tags beginning with firewall.checkpoint identify log events generated by the Check Point firewall. These log events need to be sent to the Devo Relay in order to apply the correct tag. The tag you should apply depends on the tool used to export the log events and send them to the Devo Relay. We recommend using the Check Point Log Exporter tool.
The full tag must have at least four levels. The first two are fixed as firewall.checkpoint. The third level identifies the tool used to forward the events and must be one of log_exporter, lea, gaia, or fw. The fourth element is required but you are free to define it as you like. We suggest using it to identify the location of the machine that is the event source (for example, dmz).
| Level 1 | Level 2 | Level 3 | Level 4 |
|---|---|---|---|
| firewall | checkpoint | log_exporter, lea, gaia, or fw | free but required (for example, dmz) |
Which tag should you use?
These tags are designed to accommodate the different ways that the firewall events can be exported to Devo.
- If you use Check Point Log Exporter, then you should apply the firewall.checkpoint.log_exporter.<group> tag to the events. This is the recommended option.
- If you use the ArcSight SmartConnector for Check Point, then you should apply the firewall.checkpoint.gaia.<group> tag to the events.
- If you use OPSEC LEA, then you should apply the firewall.checkpoint.lea.<group> tag to the events.
- If you use any other method, then you should apply the firewall.checkpoint.fw.<group> tag to the events.
Regardless of the third level of the tag, all firewall log events will be saved in the firewall.checkpoint.fw data table. The fourth level of the tag will appear in the data table in a column labeled group.
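The following is an added example, not Devo's own code, that encodes the tag rules described above: it picks the third level from the export method, requires the fourth level, and derives the destination table and group column from any tag. The export-method names used as dictionary keys are assumptions chosen for this example.

```python
"""Build and validate firewall.checkpoint tags (added example, not Devo code)."""

# Third tag level per export method, as listed above.
# The dictionary keys are assumed names chosen for this example.
EXPORT_METHOD_TO_LEVEL3 = {
    "log_exporter": "log_exporter",      # Check Point Log Exporter (recommended)
    "arcsight_smartconnector": "gaia",   # ArcSight SmartConnector for Check Point
    "opsec_lea": "lea",                  # OPSEC LEA
}
ALLOWED_LEVEL3 = {"log_exporter", "lea", "gaia", "fw"}
DATA_TABLE = "firewall.checkpoint.fw"   # every third-level value lands here


def build_tag(export_method: str, group: str) -> str:
    """Return the full four-level tag; unknown export methods fall back to fw."""
    level3 = EXPORT_METHOD_TO_LEVEL3.get(export_method, "fw")
    if not group or any(ch.isspace() for ch in group) or "." in group:
        raise ValueError(f"invalid group {group!r}: the fourth level is required")
    return f"firewall.checkpoint.{level3}.{group}"


def parse_tag(tag: str) -> dict:
    """Validate a tag and return the table it is stored in and its group column."""
    levels = tag.split(".")
    if len(levels) < 4 or not all(levels):
        raise ValueError("tag must have at least four non-empty levels")
    if levels[0] != "firewall" or levels[1] != "checkpoint":
        raise ValueError("first two levels must be firewall.checkpoint")
    if levels[2] not in ALLOWED_LEVEL3:
        raise ValueError(f"third level must be one of {sorted(ALLOWED_LEVEL3)}")
    # The fourth level is what shows up in the 'group' column of the data table.
    return {"table": DATA_TABLE, "level3": levels[2], "group": levels[3]}


def is_valid_tag(tag: str) -> bool:
    """True when the tag satisfies the firewall.checkpoint rules above."""
    try:
        parse_tag(tag)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    tag = build_tag("log_exporter", "dmz")
    print(tag, "->", parse_tag(tag))
```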
Configuring the sending of Check Point events
We recommend that you use the Check Point Log Exporter to send the firewall events in syslog format to a Devo Relay, where the correct tag can be applied before the events are securely forwarded to the Devo Platform.
- Set up the rule on the Devo Relay.
- Use Log Exporter to export your Check Point logs over syslog to the relay port.
Set up the Devo Relay rule
To set up the relay rule, you only need to identify a free port on the relay that you can dedicate to incoming Check Point events and indicate the tag to apply to them.
Use Log Exporter to export the logs
Refer to Check Point's documentation for the Log Exporter. Be sure to send the events in syslog format and direct them to the correct Devo relay and port.