Adding CheckPoint Firewall via Syslog

You will forward the Checkpoint firewall's logs to the Logsign Unified SecOps Platform by configuring the device over an SSH session on its command line (CLI). Open your SSH client, connect to the IP address of your Checkpoint device and log in. The commands below are shell commands, so on Gaia or SecurePlatform switch to expert mode before running them, in the order shown:

Note: replace "logsignip" with the IP address of the remote Logsign system that will receive the logs. cpstop and cpstart (steps 3 and 4) stop and restart all Check Point services on the device, so run them in a maintenance window.

1. # echo "local0.info @logsignip" >> /etc/syslog.conf
2. # service syslog restart
3. # cpstop
4. # cpstart
5. # fw log -ftnl | logger -p local0.info -t Firewall &
6. # echo "fw log -ftnl | logger -p local0.info -t Firewall &" >> /etc/init.d/cpboot
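
The six steps above collected into one idempotent shell script. This is an added example, not Logsign's or Check Point's own tooling. It validates the Logsign IP (so the literal placeholder "logsignip" or a typo never lands in syslog.conf), appends the syslog.conf and cpboot lines only when they are not already present so that re-running it does not create duplicate forwarding rules, and keeps the persistent file edits separate from the service restarts. It writes the selector and action separated by a tab, which every syslogd implementation accepts (some older ones reject the space used in step 1). The file paths default to the ones the article uses and can be overridden through the SYSLOG_CONF and CPBOOT variables for testing; those variable names, the function names and the script name are this example's own.

```shell
#!/bin/sh
# Idempotent installer for the Check Point -> Logsign syslog forwarding steps.
# Added example, not part of Logsign or Check Point tooling. Paths default to
# the ones used in the article; override SYSLOG_CONF / CPBOOT to test safely.
set -u

SYSLOG_CONF="${SYSLOG_CONF:-/etc/syslog.conf}"
CPBOOT="${CPBOOT:-/etc/init.d/cpboot}"
FACILITY="local0.info"
# The step 5 pipeline, exactly as step 6 persists it in cpboot.
FW_LOG_CMD='fw log -ftnl | logger -p local0.info -t Firewall &'

# Accept only a dotted-quad IPv4 address with each octet in 0..255.
valid_ipv4() {
  case $1 in
    *[!0-9.]*|.*|*.|*..*|'') return 1 ;;
  esac
  local old_ifs="$IFS"
  IFS=.
  set -- $1
  IFS="$old_ifs"
  [ $# -eq 4 ] || return 1
  for octet; do
    [ "$octet" -le 255 ] || return 1
  done
}

# syslog.conf selector/action line for the Logsign IP. A tab between the two
# fields is accepted by every syslogd; some older ones reject a space.
syslog_line() {
  printf '%s\t@%s' "$FACILITY" "$1"
}

# Append LINE to FILE unless an identical line is already present.
ensure_line() {
  local file="$1" line="$2"
  if [ -f "$file" ] && grep -qxF -- "$line" "$file"; then
    return 0
  fi
  printf '%s\n' "$line" >> "$file"
}

# Number of forwarding rules pointing at IP in FILE (should be exactly 1).
count_forward_rules() {
  grep -cF -- "@$1" "$2" 2>/dev/null || true
}

# Steps 1 and 6: the persistent file edits. Safe to run repeatedly.
configure() {
  local logsign_ip="$1"
  if ! valid_ipv4 "$logsign_ip"; then
    echo "not a valid IPv4 address: $logsign_ip" >&2
    return 1
  fi
  ensure_line "$SYSLOG_CONF" "$(syslog_line "$logsign_ip")"
  ensure_line "$CPBOOT" "$FW_LOG_CMD"
  echo "forwarding rules for $logsign_ip in $SYSLOG_CONF: $(count_forward_rules "$logsign_ip" "$SYSLOG_CONF")"
}

# Steps 2-5: restart syslog and the Check Point services, then start the
# fw log pipe. cpstop/cpstart restart all Check Point services, so run this
# on the gateway itself and only in a maintenance window.
apply_runtime() {
  service syslog restart
  cpstop
  cpstart
  fw log -ftnl | logger -p local0.info -t Firewall &
}

# Usage (on the gateway, in expert mode): sh add_logsign_forwarding.sh <logsign-ip>
if [ "$#" -gt 0 ]; then
  configure "$1" && apply_runtime
fi
```

Run it once with the Logsign IP as the only argument; running it again changes nothing, which is the point of the grep -x guard. To check the persistent part without touching a live gateway, point SYSLOG_CONF and CPBOOT at scratch files and call configure alone.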

In the Logsign Unified SecOps Platform web interface, open the Settings tab and click the + Device button in the menu bar at the top of the page. In the Vendor section, select Checkpoint. A page opens for configuring your Checkpoint source.

Host: The IP address of the Checkpoint device whose logs you want to collect, that is, the address the syslog messages arrive from.

Encoding: utf_8, the general standard in information technology, is set by default. Leave it unless your device sends logs in another encoding.

Offset: A time correction for this source, in minutes. If the device's system clock is ahead of or behind the actual time, enter the difference here: "+" shifts the log timestamps forward, "-" shifts them backward.

Data Policy: Filters incoming data in or out. In the Data Policy section you specify which logs (by keyword, event type, and so on) to accept or drop from this source. The default is the Default Policy, whose single rule is "collect all logs."

Max Line Length to Process: Each log is generated as a single line, which the Logsign Unified SecOps Platform ingests and parses. In some cases a single log line exceeds 2048 characters; raise this value if your device produces such lines, otherwise the excess is not processed.

Check Health: If you tick the box, the platform informs you about the service status and operability of this source. A Health Check Period field then appears; it is the interval at which the check runs.

Device Name: Enter a descriptive name for the configuration you are making (for example, CheckpointFW). It helps the people who analyze the logs. The Description field is free text specific to this source.

Tag: Slightly different from Description, a tag serves a broader purpose: you can query by tag and use tags in report definitions. If you run several firewalls, tag each one (for example cp1 and cp2); a search filtered on cp1 then returns only that device's events, so the result set is shorter.

Once you have configured the Checkpoint source, click Save to store the configuration and add the source.
