Guidance and details on the new Check Point CEF generating solution
Dear ArcSight customers,
In the ongoing effort to improve your experience with the Check Point products, Check Point is introducing a new, modern, Syslog-based log export infrastructure that will be integrated and certified with the standard ArcSight Syslog CEF connector. Major features include TLS support, ArcSight-certified CEF formatting integration, and log filtering. The new Check Point Syslog feature will be supported on R77.30 and R80.10, and will replace all previously released Check Point Syslog-based implementations.
We advise all customers interested in it to refer to the Check Point knowledge base article sk122323 for more information on capabilities and architecture.
We are currently in the process of finalizing the CEF generation certification of the new Check Point solution and are planning to complete it soon.
I have the same experience with R77.30. We just implemented it and we are able to get around the mapping, except for firewall configuration changes. We are yet to resolve that.
But I think it is a good way to go.
It's nice to see that standardization is ongoing across different vendors, which helps to simplify connector infrastructure. But here we have a major issue with this Check Point solution. As Log Exporter sends logs as they are generated, you typically first get a main log that keeps just very basic info, like the IPS rule name and source IP, and that's it. After that you receive several log updates where the destination IP, port, requested URL, etc. are, and at the very end a last update with bytes in/out. The issue here is that those increments do not contain all previously known information, like the rule name. So you need to somehow aggregate/collect and craft a new event based on all those logs, which is very hard to achieve in ArcSight, and on top of that such rules are obviously suspended by ESM due to the high trigger volume. On top of it all, the current active content is useless without another round of tuning. That's pure pain, reinventing the wheel. Is somebody from MF working on it with CP?
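The aggregation problem described in the post above, as an added example that is not part of the thread and not Check Point's or ArcSight's own code: a small Python aggregator that correlates incremental CEF records, carries forward fields learned from earlier updates (so the rule name from the first record survives into the final event), and emits one merged event. It assumes that every update carries a `loguid` extension field usable as the correlation key and that the update carrying the `in`/`out` byte counts is the last one for a connection; both are assumptions, not facts from the thread. The sample lines are constructed, not real Check Point output.

```python
"""Merge incremental Check Point-style CEF "log updates" into one complete event.

Assumptions (not from the thread): every update carries a 'loguid' field, and the
update carrying 'in'/'out' byte counts is the last one for that connection.
Sample lines below are constructed, not real Check Point Log Exporter output.
"""
import re
from typing import Dict, List, Optional

CORRELATION_KEY = "loguid"            # assumed to be present on every update
FINAL_MARKER_FIELDS = ("in", "out")   # assumed: byte counts arrive on the last update

_HEADER_FIELDS = ("cef_version", "vendor", "product", "version",
                  "signature_id", "name", "severity")
_HEADER_SPLIT = re.compile(r"(?<!\\)\|")        # '|' not preceded by a backslash
# key=value pairs; values may contain spaces and backslash-escaped '=' or '\'
_EXT_PAIR = re.compile(r"([A-Za-z0-9_.]+)=((?:\\.|[^\\=])*?)(?=\s+[A-Za-z0-9_.]+=|$)")


def _unescape(value: str) -> str:
    return re.sub(r"\\(.)", r"\1", value)


def parse_cef(line: str) -> Dict[str, str]:
    """Split one CEF record into its 7 header fields plus extension key/value pairs."""
    parts = _HEADER_SPLIT.split(line.rstrip("\r\n"), maxsplit=7)
    if len(parts) != 8 or not parts[0].startswith("CEF:"):
        raise ValueError(f"not a CEF record: {line!r}")
    event = {name: _unescape(raw) for name, raw in zip(_HEADER_FIELDS, parts[:7])}
    for key, raw in _EXT_PAIR.findall(parts[7]):
        event[key] = _unescape(raw)
    return event


class UpdateAggregator:
    """Correlate updates by CORRELATION_KEY and carry learned fields forward."""

    def __init__(self) -> None:
        self.pending: Dict[str, Dict[str, str]] = {}
        self.dropped = 0   # records without a correlation key cannot be merged

    def feed(self, line: str) -> Optional[Dict[str, str]]:
        """Absorb one record; return the merged event once its final update arrives."""
        update = parse_cef(line)
        key = update.get(CORRELATION_KEY)
        if key is None:
            self.dropped += 1
            return None
        merged = self.pending.setdefault(key, {"update_count": "0"})
        for field, value in update.items():
            if value != "":        # a later update never erases something already learned
                merged[field] = value
        merged["update_count"] = str(int(merged["update_count"]) + 1)
        if all(f in merged for f in FINAL_MARKER_FIELDS):
            return self.pending.pop(key)
        return None

    def flush(self) -> List[Dict[str, str]]:
        """Emit connections that never received a final update (e.g. at end of input)."""
        leftovers = list(self.pending.values())
        self.pending.clear()
        return leftovers


def _esc_header(v: str) -> str:
    return v.replace("\\", "\\\\").replace("|", "\\|")


def _esc_ext(v: str) -> str:
    return v.replace("\\", "\\\\").replace("=", "\\=").replace("\n", "\\n")


def to_cef(event: Dict[str, str]) -> str:
    """Render a merged event back into one CEF line (update_count becomes an extension key)."""
    header = "|".join(_esc_header(event[f]) for f in _HEADER_FIELDS)
    ext = " ".join(f"{k}={_esc_ext(v)}" for k, v in event.items() if k not in _HEADER_FIELDS)
    return f"{header}|{ext}"


def aggregate(lines: List[str]) -> List[Dict[str, str]]:
    """Run all lines through one aggregator; completed events first, then leftovers."""
    agg = UpdateAggregator()
    complete = [ev for line in lines if (ev := agg.feed(line)) is not None]
    return complete + agg.flush()


# Constructed sample: two interleaved IPS connections (A and B) plus one record
# with no correlation key. Only the first record of each connection names the rule.
SAMPLE_LINES = [
    "CEF:0|Check Point|IPS|R80.10|IPS-1|Web Server Enforcement Violation|High|"
    "loguid={0x5a1b,0x1,0x2,0x3} src=10.0.0.5 cs1=Web Server Enforcement Violation cs1Label=Protection Name",
    "CEF:0|Check Point|IPS|R80.10|IPS-2|SQL Injection|High|"
    "loguid={0x5a1b,0x1,0x2,0x4} src=10.0.0.7 cs1=SQL Injection cs1Label=Protection Name",
    "CEF:0|Check Point|IPS|R80.10|IPS-1|Web Server Enforcement Violation|High|"
    "loguid={0x5a1b,0x1,0x2,0x3} dst=192.0.2.10 dpt=443 request=https://example.test/search?q\\=x",
    "CEF:0|Check Point|VPN-1 & FireWall-1|R80.10|Log|Accept|Low|src=10.0.0.9 dst=192.0.2.1 act=Accept",
    "CEF:0|Check Point|IPS|R80.10|IPS-2|SQL Injection|High|"
    "loguid={0x5a1b,0x1,0x2,0x4} dst=192.0.2.11 dpt=80 in=10 out=20",
    "CEF:0|Check Point|IPS|R80.10|IPS-1|Web Server Enforcement Violation|High|"
    "loguid={0x5a1b,0x1,0x2,0x3} in=1234 out=5678",
]

if __name__ == "__main__":
    for ev in aggregate(SAMPLE_LINES):
        print(to_cef(ev))
```

Feeding the sample through `aggregate` yields two merged events, B then A, each carrying the rule name from its first record together with the destination, URL and byte counts from later updates, while the record without a `loguid` is counted in `dropped`. In practice you would run this as a pre-processor in front of the connector rather than as ESM rules, which is exactly the trigger-volume problem the post describes.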
We integrated Check Point with ArcSight using Log Exporter, but the challenge we have now is that when a user makes any changes on the firewall, we don't see the event in ArcSight. I can see VPN, Application Control and others, but not when changes are created or modified, or when a policy is installed.
Please, which field mapping can I use to get this event when changes are made on the Check Point firewall?
Are there updates/patches from Check Point related to audit logs and other mapping?
I have added custom field mapping, but some fields (name, action, severity, device event class id) are not mapped properly.
Is there any other, more complete document related to custom mapping?