Configuring Check Point Firewalls

Supported Versions

Firewall Analyzer supports "Log Exporter" for Check Point firewall versions R77.30, R80.10, R80.20, and later versions.

Ways to Obtain Syslogs

  • Log Exporter - Check Point Log Export
  • Import of Check Point Log Files

Prerequisites for Check Point Firewall

Follow these steps in the Smart Dashboard of Check Point Firewall:

  1. Access Smart Dashboard: Open the Smart Dashboard to view all firewall rules.
  2. Modify "Track" Value:
    • Set the "Track" value to "Account" instead of "Log" for all rules allowing traffic.
    • Right-click on the "Track" value for each rule and select "Account".
    • This change enables the firewall to log information regarding bytes.
  3. Apply Changes: Once all rules are updated, install all policies to apply the modifications.

Configuring Log Exporter

After applying the hotfix, restart the Check Point firewall.

Use Telnet/SSH to connect to the firewall and enter:

cp_log_export add name <name> target-server <Firewall Analyzer IP> target-port 1514 protocol udp format cef

To start the log exporter:

cp_log_export restart name <name>

Installation

R80.20

Log Exporter is already integrated in version R80.20. No separate installation is needed.

Note:

  • To preserve Log Exporter configuration before upgrading to R80.20, follow sk127653.
  • To support exporting logs in CEF format, install R80.20 Jumbo Hotfix Take 5 and above.

R80.10

Install this release on a Multi-Domain Server, Security Management Server, Log Server, or SmartEvent Server.

Note:

  • Log Exporter can be installed on top of R80.10 Jumbo Hotfix Take 56 and above.
  • Log Exporter must be uninstalled before upgrading to a higher Jumbo Hotfix take, and reinstalled afterward.

R77.30

Install this release on a Multi-Domain Server, Security Management Server, Log Server, or SmartEvent Server.

Note:

  • Log Exporter can be installed on top of R77.30 Jumbo Hotfix Take 292 and above.

Importing Check Point Log Files

Before importing logs, configure Smart View Tracker:

  1. Open Smart View Tracker and go to View > Query Properties.
  2. Select the following attributes: Elapsed, Bytes, Client/Server InBound/OutBound Bytes, Status, URL.

Installation Files

Version | Date | CPUSE Online Identifier | CPUSE Offline Package
R80.10 | 20 January 2019 | Check_Point_R80.10_Log_Exporter_T43_sk122323_FULL.tgz | (TGZ)
R77.30 | 06 November 2018 | Check_Point_R77.30_Log_Exporter_T30_sk122323_FULL.tgz | (TGZ)

Creating and Exporting Logs

Method 1 (Command Line)

fw logexport -d ';' -i fw.log -o exportresult.log -n

For Check Point NG:

fwm logexport -d ';' -i fw.log -o exportresult.log -n

Copy the resulting file to the Firewall Analyzer machine and import it.

Method 2 (Smart Tracker UI)

  1. Open Smart Tracker.
  2. Select All Records from the left panel.
  3. Go to File > Export and save as exportresult.log.
  4. Transfer the file to Firewall Analyzer and import it.

Virtual Firewall Logs

No additional configuration is required for virtual firewalls.

If the orig_name attribute is present in the syslog, Firewall Analyzer detects it as a virtual firewall. Otherwise, it considers it a physical device.
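
The detection rule above can be checked on the receiving side before relying on the reports. The following is an added example, not Firewall Analyzer's or Check Point's own code: it parses CEF messages as they would arrive on the collector and classifies each by whether orig_name is present. The sample lines are constructed, and they assume the attribute appears as an orig_name= key in the CEF extension.

```python
import re

# Constructed sample messages (not captured from a real device). Assumption:
# Log Exporter emits the attribute as an orig_name= key in the CEF extension.
SAMPLES = [
    "<134>Jan 20 10:00:01 mgmt CEF:0|Check Point|Example|1.0|Log|Accept|5|"
    "act=Accept src=10.0.0.5 dst=192.0.2.10 orig_name=vsx-member-1 in=5120 out=880",
    "<134>Jan 20 10:00:02 mgmt CEF:0|Check Point|Example|1.0|Log|Accept|5|"
    "act=Accept src=10.0.0.6 dst=192.0.2.11 msg=rule a\\=b hit in=100 out=200",
    "<134>Jan 20 10:00:03 mgmt plain syslog text, exporter not set to format cef",
]

# key=value pairs; a value may contain spaces and escaped '=' (written \=),
# and ends where the next " key=" begins or at end of line.
EXT_RE = re.compile(r"(\w+)=((?:\\.|[^\\=])*)(?=\s+\w+=|\s*$)")


def parse_cef(line):
    """Return (header_fields, extension_dict), or None if the line is not CEF."""
    start = line.find("CEF:")
    if start < 0:
        return None
    # Seven pipe-delimited header fields, then the extension; \| is an escaped pipe.
    parts = re.split(r"(?<!\\)\|", line[start + 4:], maxsplit=7)
    if len(parts) < 8:
        return None
    ext = {
        key: re.sub(r"\\([=\\])", r"\1", value).strip()
        for key, value in EXT_RE.findall(parts[7])
    }
    return parts[:7], ext


def classify(line):
    """Apply the rule from this section: orig_name present means virtual firewall."""
    parsed = parse_cef(line)
    if parsed is None:
        return "not-cef"
    return "virtual" if "orig_name" in parsed[1] else "physical"


if __name__ == "__main__":
    for sample in SAMPLES:
        print(classify(sample), "<-", sample[:60])
```

A "not-cef" result on live traffic points at the exporter's format setting rather than at the virtual firewall detection.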
