 |
Previous Next Sheriff CSM™
Check Point Firewall
When you configure Check Point Firewall-1 to send log data to Sheriff CSM, you can use the Check Point Firewall plugin to translate raw log data into normalized events for analysis. The table below provides some basic information for the plugin: Plugin Information| Device | Details |
|---|---|
| Vendor | Check Point |
| Device Type | Firewall |
| Connection Type | Syslog |
| Data Source Name | fw1-alt |
| Data Source ID | 1590 |
Integrating Check Point Firewall-1
Before you configure the Check Point Firewall-1 integration, you must have the IP Address of the Sheriff CSM Sensor (Deputy) and the firewall must have the Add-On Package R77.30 installed. Note: This procedure does not support the Provider-1 / Multi-Domain Server. To configure Check Point Firewall-1 to send data to Sheriff CSM-
On the Check Point appliance, back up the current
/etc/syslog.confscript:cp /etc/syslog.conf /etc/syslog.conf_ORIGINAL
-
Edit the current
/etc/syslog.confscript by adding the following line:local4.info @<IP address of the Sheriff CSM Sensor>
Note: Press TAB after local4.info.
-
Save your configuration edits and close the file.
-
Back up the
/etc/rc.d/init.d/cpbootscript, and edit the current version of /etc/rc.d/init.d/cpboot by adding the following line at the bottom of the script:fw log -f -t -n -l 2> /dev/null | awk 'NF' | logger –p local4.info -t CP_FireWall &
Where:
& = run command in the background. If & is not included, the operating system stops before loading the syslogd service. No login prompt then appears at the console.
For help on available flags, enter:
fw log --help
- Save the configuration edits and close the file.
-
Restart the machine.
Important: Restarting the Check Point services with the cpstop;cpstart commands does not suffice. Only a restart achieves the desired result.