Configuring Check Point Firewalls

Supported Versions

Firewall Analyzer supports "Log Exporter" for Check Point firewall versions R77.30, R80.10, R80.20, and later versions.

Ways to Obtain Syslogs

  • Log Exporter - Check Point Log Export
  • Import of Check Point Log Files

Prerequisites for Check Point Firewall

Follow these steps in the Smart Dashboard of Check Point Firewall:

  1. Access Smart Dashboard: Open the Smart Dashboard to view all firewall rules.
  2. Modify "Track" Value:
    • Set the "Track" value to "Account" instead of "Log" for all rules allowing traffic.
    • Right-click on the "Track" value for each rule and select "Account".
    • This change enables the firewall to log information regarding bytes.
  3. Apply Changes: Once all rules are updated, install all policies to apply the modifications.

Configuring Log Exporter

After applying the hotfix, restart the Check Point firewall.

Use Telnet/SSH to connect to the firewall and enter:

cp_log_export add name <name> target-server <Firewall Analyzer IP> target-port 1514 protocol udp format cef

To start the log exporter:

cp_log_export restart name <name>

Installation

R80.20

Log Exporter is already integrated in version R80.20. No separate installation is needed.

Note:

  • To preserve Log Exporter configuration before upgrading to R80.20, follow sk127653.
  • To support exporting logs in CEF format, install R80.20 Jumbo Hotfix Take 5 and above.

R80.10

Install this release on a Multi-Domain Server, Security Management Server, Log Server, or SmartEvent Server.

Note:

  • Log Exporter can be installed on top of R80.10 Jumbo Hotfix Take 56 and above.
  • Log Exporter must be uninstalled before upgrading to a higher Jumbo take and reinstalled afterward.

R77.30

Install this release on a Multi-Domain Server, Security Management Server, Log Server, or SmartEvent Server.

Note:

  • Log Exporter can be installed on top of R77.30 Jumbo Hotfix Take 292 and above.

Importing Check Point Log Files

Before importing logs, configure Smart View Tracker:

  1. Open Smart View Tracker and go to View > Query Properties.
  2. Select the following attributes: Elapsed, Bytes, Client/Server InBound/OutBound Bytes, Status, URL.

Installation Files

Version | Date             | CPUSE Online Identifier                                | CPUSE Offline Package
R80.10  | 20 January 2019  | Check_Point_R80.10_Log_Exporter_T43_sk122323_FULL.tgz  | (TGZ)
R77.30  | 06 November 2018 | Check_Point_R77.30_Log_Exporter_T30_sk122323_FULL.tgz  | (TGZ)

Creating and Exporting Logs

Method 1 (Command Line)

fw logexport -d ";" -i fw.log -o exportresult.log -n

For Check Point NG:

fwm logexport -d ";" -i fw.log -o exportresult.log -n

Copy the resulting file to the Firewall Analyzer machine and import it.

Method 2 (Smart Tracker UI)

  1. Open Smart Tracker.
  2. Select All Records from the left panel.
  3. Go to File > Export and save as exportresult.log.
  4. Transfer the file to Firewall Analyzer and import it.

Virtual Firewall Logs

No additional configuration is required for virtual firewalls.

If the orig_name attribute is present in the syslog, Firewall Analyzer detects it as a virtual firewall. Otherwise, it considers it a physical device.
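
To check on the receiving side that exported messages are well-formed CEF and to see how the orig_name rule above classifies them, the following is an added example (not Firewall Analyzer or Check Point code). The function names are hypothetical and the sample messages are constructed, assuming the CEF format set by the cp_log_export command above.

```python
import re

HEADER = ("cef_version", "vendor", "product", "device_version",
          "signature_id", "name", "severity")
# One header field ends at an unescaped '|'; "\|" and "\\" are escapes.
FIELD = r"((?:\\.|[^|\\])*)\|"
CEF_RE = re.compile("CEF:" + FIELD * len(HEADER) + "(.*)$")
# An extension value runs until the next " key=" token or the end of the line.
EXT_PAIR = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|\s*$)")

def parse_cef(line):
    """Return the header fields plus an 'ext' dict, or None if not valid CEF."""
    m = CEF_RE.search(line.strip())
    if m is None:
        return None
    *fields, extension = m.groups()
    record = dict(zip(HEADER, (re.sub(r"\\(.)", r"\1", f) for f in fields)))
    # Undo the "\=" and "\\" escapes inside extension values.
    record["ext"] = {k: re.sub(r"\\([=\\])", r"\1", v)
                     for k, v in EXT_PAIR.findall(extension)}
    return record

def device_kind(line):
    """Rule from the text above: orig_name present means a virtual firewall."""
    rec = parse_cef(line)
    if rec is None:
        return "not CEF"
    return "virtual" if "orig_name" in rec["ext"] else "physical"

# Constructed sample messages (not captured from a real gateway).
SAMPLES = [
    "<134>Jan 20 10:15:02 mgmt1 CEF:0|Check Point|VPN-1 & FireWall-1|Check Point|Log|Accept|Unknown|act=Accept src=10.0.0.5 dst=192.0.2.10 msg=rule\\=12 matched orig_name=vs-branch1",
    "<134>Jan 20 10:15:03 mgmt1 CEF:0|Check Point|VPN-1 & FireWall-1|Check Point|Log|Drop|Unknown|act=Drop src=10.0.0.9 dst=192.0.2.44",
    "<134>Jan 20 10:15:04 mgmt1 time=1547979304|action=accept|src=10.0.0.7",
]

if __name__ == "__main__":
    for s in SAMPLES:
        rec = parse_cef(s)
        print(device_kind(s), rec and (rec["name"], rec["ext"]))
```

A "not CEF" result for live traffic usually means the exporter was added with a format other than cef.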
