Configure Checkpoint Firewall Collection

Collecting Checkpoint firewall logs enables Alert Logic to run our common firewall analytics on data from your Checkpoint devices. These analytics identify suspicious communication with internet hosts which Checkpoint considers threat actors. Significant security findings from your Checkpoint devices will result in the creation of incidents that can be managed in the Alert Logic console.

You must complete the following to send data from your Checkpoint device(s) to Alert Logic:

  1. Download and install the remote collector
  2. Configure Checkpoint device
  3. Verify log collection

Download and install the remote collector

To send data from your Checkpoint device(s) to Alert Logic, you must first download and install the remote collector in the same network as the Checkpoint device(s).

To download and install the remote collector:

  1. Review the requirements for the remote collector as outlined in Requirements for the Alert Logic Remote Collector and ensure all requirements are met.
  2. Complete the following instructions for Linux or Windows, making sure to choose a host in the same network as the Checkpoint device(s).
  3. While installing the remote collector, note the IP of the host where the collector is installed. This IP will be needed when configuring the Checkpoint device.

Configure Checkpoint device

Once the remote collector is installed, the Checkpoint device needs to be configured to send data to the collector.

For Checkpoint 1500 Series Appliances:

  1. Log in to your Checkpoint Firewall interface.
  2. Under Syslog Servers, click Configure.
  3. Enter the name or IP address of your Alert Logic remote collector.
  4. Enter port 1515.
  5. Select Enable log server.
  6. In the Select logs to forward section, select Both system and security logs.
  7. Click Apply.

For Checkpoint SmartConsole users (R81.10 and above):

  1. In SmartConsole, connect to your firewall’s Management Server.
  2. On the left-hand panel, navigate to Gateways & Servers.
  3. In the Object Explorer, click New > Host.
  4. Enter the following:
    1. In the Name box, enter your desired name.
    2. In the IPv4 Address box, enter the IP of the remote collector.
  5. Click OK.
  6. In the Object Explorer, click New > Server > More > Syslog.
  7. Enter the following:
    1. In the Name box, enter your desired name.
    2. In the Host box, select the host you created above.
    3. In the Port box, enter 1515.
    4. In the Version box, select Syslog Protocol.
  8. Close Object Explorer.
  9. Double-click the Security Gateway object.
  10. On the left-hand side, click Logs.
  11. In the Send logs and alerts to these log servers section, click the green plus button and select the syslog server you created above.
  12. Click OK.
  13. In the top left drop-down menu, click Install Database.
  14. In the same menu, or across the top of the screen, click Install Policy.

For GAiA Portal users:

The GAiA Portal does not let you change the default syslog port (514), so you must instead accept port 514 on the Alert Logic side via the remote syslog policy.

  1. Log in to the GAiA Portal.
  2. Navigate to Remote System Logging, and then click Add.
  3. In the IP Address box, enter the IP of your Alert Logic remote collector.
  4. In the Priority box, select Info.
  5. Click OK.

For CLIsh users:

Run the following command:

add syslog log-remote-address <IP of Remote Collector> level info

Verify log collection

Once you have installed the remote collector and configured the Checkpoint device, it is recommended to verify that log collection is successful. It may take up to 15 minutes for Alert Logic to begin receiving logs.

  1. Log in to the Alert Logic console and use one of the following links to access the Search console with criteria already entered:
  2. Uncomment either of the two commented lines with SQL parameters and replace either $COLLECTOR_ID or $COLLECTOR_IP with your preferred identifier for the remote collector.
  3. Click Search.
  4. Verify logs display for the remote collector.
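If the console search stays empty, it helps to confirm on the remote collector host itself that the Checkpoint device is actually reaching the configured port. The following is an added example (not Alert Logic or Check Point code): a throwaway UDP syslog listener with a small parser that reports, per source IP, how many messages arrived, which syslog severities they carried, and how many lacked a valid `<PRI>` header. It assumes the device sends syslog over UDP to port 1515 (use 514 for the GAiA/CLIsh path, and change `LISTEN_PORT` accordingly), and that the collector service is stopped while you run it, since only one process can bind the port. The sample lines in the test are constructed.

```python
# Added example, not part of the Alert Logic or Check Point documentation.
# Listen briefly on the syslog port the Checkpoint device was pointed at and
# summarise what arrives, so a missing route/firewall rule or a wrong target
# port can be told apart from a console-side search problem.
import re
import socket
import time
from collections import defaultdict

LISTEN_PORT = 1515      # port entered in the appliance / SmartConsole steps (514 for GAiA/CLIsh)
LISTEN_SECONDS = 60     # how long to capture before summarising
INFO_SEVERITY = 6       # syslog severity of "Info"; "level info" forwards severities 0..6

# RFC 3164 ("<PRI>Mon dd hh:mm:ss host tag: msg") and RFC 5424 ("<PRI>1 timestamp host ...")
# both start with the same <PRI> field, which encodes facility * 8 + severity.
_PRI_RE = re.compile(r"^<(\d{1,3})>")


def parse_priority(line):
    """Return (facility, severity) from a syslog line, or None if the PRI prefix is missing/invalid."""
    m = _PRI_RE.match(line)
    if not m:
        return None
    pri = int(m.group(1))
    if pri > 191:           # 23 * 8 + 7 is the largest legal PRI value
        return None
    return pri // 8, pri % 8


def is_forwarded_at_info(severity):
    """True if a message of this severity falls within what a 'level info' rule forwards (0..6)."""
    return 0 <= severity <= INFO_SEVERITY


def summarize(messages):
    """messages: iterable of (source_ip, raw_line) tuples.

    Returns {source_ip: {"count": n, "unparsed": n, "severities": [..]}} so you can see
    which hosts reached the collector and whether their headers look like real syslog.
    """
    summary = defaultdict(lambda: {"count": 0, "unparsed": 0, "severities": set()})
    for source_ip, line in messages:
        entry = summary[source_ip]
        entry["count"] += 1
        parsed = parse_priority(line)
        if parsed is None:
            entry["unparsed"] += 1
        else:
            entry["severities"].add(parsed[1])
    return {ip: {**e, "severities": sorted(e["severities"])} for ip, e in summary.items()}


def capture_udp(port=LISTEN_PORT, seconds=LISTEN_SECONDS):
    """Bind UDP `port` for `seconds` and return the (source_ip, line) tuples received."""
    received = []
    deadline = time.monotonic() + seconds
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind(("0.0.0.0", port))
        sock.settimeout(1.0)            # wake up periodically to check the deadline
        while time.monotonic() < deadline:
            try:
                data, (src_ip, _src_port) = sock.recvfrom(65535)
            except socket.timeout:
                continue
            received.append((src_ip, data.decode("utf-8", errors="replace").rstrip("\r\n")))
    return received


if __name__ == "__main__":
    result = summarize(capture_udp())
    if not result:
        print(f"No syslog traffic on UDP/{LISTEN_PORT}: check the device's target IP/port "
              "and any firewall rules between the device and this host.")
    for ip, info in result.items():
        print(f"{ip}: {info['count']} messages, severities {info['severities']}, "
              f"{info['unparsed']} without a valid PRI header")
```

Run it with root or `CAP_NET_BIND_SERVICE` if you listen on 514. Seeing the device's IP with severities no higher than 6 confirms the forwarding rule from the GAiA "Priority: Info" or CLIsh `level info` step is behaving as expected; debug-level (7) messages are not forwarded at that setting.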