Configuring Check Point Firewalls

    Supported Versions

    Firewall Analyzer supports "Log Exporter" for Check Point firewall versions R77.30, R80.10, R80.20, and later versions.

    Ways to Obtain Syslogs

    • Log Exporter - Check Point Log Export
    • Import of Check Point Log Files

    Prerequisites for Check Point Firewall

    Follow these steps in the Smart Dashboard of Check Point Firewall:

    1. Access Smart Dashboard: Open the Smart Dashboard to view all firewall rules.
    2. Modify "Track" Value:
      • Set the "Track" value to "Account" instead of "Log" for all rules allowing traffic.
      • Right-click on the "Track" value for each rule and select "Account".
      • This change enables the firewall to log information regarding bytes.
    3. Apply Changes: Once all rules are updated, install all policies to apply the modifications.

    Configuring Log Exporter

    After applying the hotfix, restart the Check Point firewall.

    Use Telnet/SSH to connect to the firewall and enter:

    cp_log_export add name <name> target-server <Firewall Analyzer IP> target-port 1514 protocol udp format cef

    To start the log exporter:

    cp_log_export restart name <name>

    Installation

    R80.20

    Log Exporter is already integrated in version R80.20. No separate installation is needed.

    Note:

    • To preserve Log Exporter configuration before upgrading to R80.20, follow sk127653.
    • To support exporting logs in CEF format, install R80.20 Jumbo Hotfix Take 5 and above.

    R80.10

    Install this release on a Multi-Domain Server, Security Management Server, Log Server, or SmartEvent Server.

    Note:

    • Log Exporter can be installed on top of R80.10 Jumbo Hotfix Take 56 and above.
    • Log Exporter must be uninstalled before upgrading to a higher Jumbo take and reinstalled afterward.

    R77.30

    Install this release on a Multi-Domain Server, Security Management Server, Log Server, or SmartEvent Server.

    Note:

    • Log Exporter can be installed on top of R77.30 Jumbo Hotfix Take 292 and above.

    Importing Check Point Log Files

    Before importing logs, configure Smart View Tracker:

    1. Open Smart View Tracker and go to View > Query Properties.
    2. Select the following attributes: Elapsed, Bytes, Client/Server InBound/OutBound Bytes, Status, URL.

    Installation Files

    Version   Date               CPUSE Online Identifier                                   CPUSE Offline Package
    R80.10    20 January 2019    Check_Point_R80.10_Log_Exporter_T43_sk122323_FULL.tgz     (TGZ)
    R77.30    06 November 2018   Check_Point_R77.30_Log_Exporter_T30_sk122323_FULL.tgz     (TGZ)

    Creating and Exporting Logs

    Method 1 (Command Line)

    fw logexport -d ";" -i fw.log -o exportresult.log -n

    For Check Point NG:

    fwm logexport -d ";" -i fw.log -o exportresult.log -n

    Copy the resulting file to the Firewall Analyzer machine and import it.

    Method 2 (Smart Tracker UI)

    1. Open Smart Tracker.
    2. Select All Records from the left panel.
    3. Go to File > Export and save as exportresult.log.
    4. Transfer the file to Firewall Analyzer and import it.

    Virtual Firewall Logs

    No additional configuration is required for virtual firewalls.

    If the orig_name attribute is present in the syslog, Firewall Analyzer detects it as a virtual firewall. Otherwise, it considers it a physical device.
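
    The orig_name rule above, applied to CEF messages of the kind Log Exporter sends to UDP 1514. This is an added example, not Firewall Analyzer's or Check Point's code. The sample lines are constructed, and it is an assumption that orig_name and the CEF byte fields in/out appear as extension keys in your export.

```python
import re
from collections import Counter

HEADER_SPLIT = re.compile(r"(?<!\\)\|")  # a pipe not preceded by a backslash
# key=value pairs; a value runs to the next " key=" or end of line and may hold \= escapes
EXT_PAIR = re.compile(r"(\w+)=((?:\\.|[^=\\])*?)(?=\s+\w+=|\s*$)")

# Constructed sample messages, not captured from a real gateway.
SAMPLES = [
    "<134>Jan 20 10:00:00 mgmt CEF:0|Check Point|VPN-1 & FireWall-1|Check Point|Log|Log|Unknown|"
    "act=Accept src=10.1.1.5 dst=192.0.2.10 in=1200 out=5300 orig_name=vs_finance",
    "<134>Jan 20 10:00:01 mgmt CEF:0|Check Point|VPN-1 & FireWall-1|Check Point|Log|Log|Unknown|"
    "act=Drop src=10.1.1.9 dst=192.0.2.10 msg=rule\\=7 no match",
    "<134>Jan 20 10:00:02 mgmt time=1547978402 action=accept",  # exporter not set to 'format cef'
]

def parse_cef(line):
    """Return (header_fields, extension_dict), or None if the line is not well-formed CEF."""
    start = line.find("CEF:")
    if start < 0:
        return None
    parts = HEADER_SPLIT.split(line[start:], 7)
    if len(parts) < 8:  # CEF needs 7 header fields followed by the extension
        return None
    header = [p.replace("\\|", "|") for p in parts[:7]]
    ext = {k: re.sub(r"\\(.)", r"\1", v) for k, v in EXT_PAIR.findall(parts[7])}
    return header, ext

def device_kind(line):
    """Apply the page's rule: orig_name present means virtual, absent means physical."""
    parsed = parse_cef(line)
    if parsed is None:
        return "not-cef"
    return "virtual" if "orig_name" in parsed[1] else "physical"

def has_byte_counters(line):
    """True when both CEF byte fields are present (assumed keys: in, out)."""
    parsed = parse_cef(line)
    return parsed is not None and {"in", "out"} <= parsed[1].keys()

def summarize(lines):
    """Count how many lines fall into each device kind."""
    return Counter(device_kind(l) for l in lines)

if __name__ == "__main__":
    print(dict(summarize(SAMPLES)))
    print([has_byte_counters(l) for l in SAMPLES])
```

A "not-cef" result points at an exporter that was not created with format cef; a missing byte counter on an allowed connection points back at the "Track" prerequisite.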
