
Guidance and details on the new Check Point CEF generating solution

Dear ArcSight customers,

In the ongoing effort to improve your experience with the Check Point products, Check Point is introducing a new, modern, Syslog-based log export infrastructure which will be integrated and certified with the standard ArcSight Syslog CEF ArcSight connector. Major features include TLS support, ArcSight-certified CEF formatting integration, and log filtering. The new Check Point Syslog feature will be supported on R77.30 and R80.10, and will replace all previously-released Check Point Syslog-based implementations.

We advise all customers interested in it to refer to the Check Point knowledge base article sk122323 for more information on capabilities and architecture.

We are currently in the process of finalizing the CEF generation certification of the new Check Point solution and are planning to complete it soon.

Cadet 1st Class

I have the same experience with R77.30. We just implemented it and we are able to get around the mapping, except for firewall configuration changes. We are yet to resolve that.

But I think it is a good way to go.


Thank you.


Commander

Hello,

It's nice to see that standardization is ongoing across different vendors, which helps to simplify connector infrastructure. But here we have a major issue with this Check Point solution. As Log Exporter sends logs as they are generated, you typically have a first main log which keeps just very basic info like IPS rule name and source IP, and that's it. After that you receive several log updates where destination IP, port, requested URL, etc. are, and at the very end a last update with bytes in/out. The issue here is that those increments do not contain all previously known information like rule name. So you need to somehow aggregate/collect and craft a new event based on all those logs, which is very hard to achieve in ArcSight, and on top of it such rules are obviously suspended by ESM due to high trigger volume. On top of it all, current Activate content is useless without another round of tuning. That's pure pain to reinvent the wheel. Is somebody from MF working on it with CP?

Thanks

Stepan

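The stitching problem Stepan describes above, as an added example that is not part of this thread and not Check Point's or ArcSight's code: a small Python aggregator that merges the incremental updates Log Exporter emits for one connection into a single event. It assumes the updates share a correlation field (the constructed name `cp_loguid`) and that the final update is the one carrying byte counters; all field names and sample lines are constructed for illustration.

```python
# Added example: merge incremental CEF updates for one connection into one event.
# Assumptions (constructed, not from the thread): updates share "cp_loguid", and the
# last update is the one carrying the byte counter "out".
import re
from typing import Dict, List, Optional

# key=value pairs in the CEF extension; a value runs until the next " key=" or end of line
EXT_RE = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")
HEADER_KEYS = ("vendor", "product", "version", "signature", "name", "severity")

def parse_cef(line: str) -> Dict[str, str]:
    """Return the six CEF header fields plus the extension key=value pairs."""
    parts = line.split("|", 7)
    if len(parts) < 8 or not parts[0].startswith("CEF:"):
        raise ValueError("not a CEF line")
    fields = dict(zip(HEADER_KEYS, parts[1:7]))
    fields.update(EXT_RE.findall(parts[7]))
    return fields

class Stitcher:
    """Accumulate partial updates per correlation key; first non-empty value wins."""
    def __init__(self, key: str = "cp_loguid", final_marker: str = "out"):
        self.key, self.final_marker = key, final_marker
        self.pending: Dict[str, Dict[str, str]] = {}

    def feed(self, line: str) -> Optional[Dict[str, str]]:
        """Return the merged event when the final update arrives, else None."""
        ev = parse_cef(line)
        k = ev.get(self.key)
        if k is None:
            return ev                        # no correlation key: pass through unchanged
        merged = self.pending.setdefault(k, {})
        for field, value in ev.items():
            if value and not merged.get(field):   # keep rule name etc. from the first log
                merged[field] = value
        if self.final_marker in ev:          # bytes in/out update closes the session
            return self.pending.pop(k)
        return None

def stitch_all(lines: List[str]) -> List[Dict[str, str]]:
    """Feed every line through one Stitcher and collect the completed events."""
    s = Stitcher()
    return [ev for ev in map(s.feed, lines) if ev is not None]

# Constructed sample: one connection reported as a main log plus two updates.
SAMPLE = [
    "CEF:0|Check Point|Log Exporter|1.0|Log|Block|5|cp_loguid=0x1 src=10.0.0.5 cs1Label=Rule cs1=Block Web",
    "CEF:0|Check Point|Log Exporter|1.0|Log||0|cp_loguid=0x1 dst=198.51.100.7 dpt=443 request=https://example.test/",
    "CEF:0|Check Point|Log Exporter|1.0|Log||0|cp_loguid=0x1 in=1200 out=340",
]
```

Run `stitch_all(SAMPLE)` to get one event that carries the rule name from the first log together with the destination and byte counts from the later updates; sessions whose final update never arrives stay in `pending` and would need an age-out in production.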
Cadet 1st Class

Hello Team,

We integrated Check Point with ArcSight using Log Exporter, but the challenge we have now is that when a user makes any changes on the firewall, we don't see the event in ArcSight. I can see VPN, Application Control and others, but not when a change is created or modified, or a policy is installed.

Please, which field mapping can I use to get this event when a change is made on the Check Point firewall?

Thank you.

Commander

Are there updates / patches from Check Point related to audit logs and other mapping?

I have added custom field mapping, but some fields (name, action, severity, device event class id) are not mapping properly.

Is there any other, more complete document related to custom mapping?
