Log Types: Firewall1Log
Overview
Checkpoint Firewall-1 is a stateful packet inspection and filtering engine, with VPN functionality.
The CISCORouterLog module uses several regular expressions to extract fields from the event data presented to it.
Collection
The tool "CPLogToSyslog", available in Checkpoint Firewall1 R80.1 and newer, can send Checkpoint Firewall1 log data to a remote syslog server. This is the recommended way of ingesting Checkpoint Firewall1 logs into the Snare Central Server.
Checkpoint Firewall1 firewalls can also export log data to a CSV file. Snare Central can cope with a range of formats, as long as the header line specifying the log format is included as the first line of each exported file. Note, though, that CSV-based exported data is imported directly into the Snare Central data store and does not traverse the 'Reflector'; as such, these events will not be pushed to destinations managed by the Reflector.
A sample header line is:
num,date,time,orig,type,action,alert,i/f_name,i/f_dir,proto,src,dst,service,s_port,len,rule,icmp-type,icmp-code,reason:,rpc_prog,IKE Log:,product,additionals:,sys_msgs
Checkpoint Firewall logs can be transferred to the directory /data/SnareCollect/Firewall1Log via FTP using the user 'snarexfer'. Logs are processed daily, at around midnight.
Sample Events
Sep 20 22:33:44+03:00 192.168.1.1 Action="update" UUid="{0x34cd2400,0x0,0x1551515,0x817}" client_name="Active Directory Query" client_version="R77" domain_name="lab01" src="10.10.1.11" endpoint_ip="10.10.1.11" auth_status="Successful Login" identity_src="AD Query" snid="53eb31c1" src_machine_name="lab23a" src_machine_group="All Machines" auth_method="Machine Authentication (Active Directory)" identity_type="machine" Authentication trial="this is a reauthentication for session 53eb3bc8" product="Identity Awareness"
Fields
Field | Description |
---|---|
DATE | Event date, in the format YYYY-MM-DD |
TIME | Event time, in the format HH:MM:SS |
SYSTEM | The source system |
TABLE | Firewall1Log |
ACTION | The action taken by the firewall in response to this packet |
INTERFACE | Hardware or virtual interface, if available. |
SRCADDR | Source IP address |
SRCPORT | Source Port |
DSTADDR | Destination IP address |
DSTPORT | Destination Port |
PROTO | Protocol |
RULE | The firewall rule triggered |
MESSAGE | All other content that does not fit into an existing field |
Notes
Firewall1 logs can potentially include an 'xlateport' field, which holds a textual representation of a port number; e.g. "IMAP3" translates to port 220. The Snare Central collection module can translate the common port names used by Firewall1 to their numeric equivalents.
Checkpoint produces logs in either the R80 or the R80.1+ format. The Snare Server collection subsystem can distinguish between the two formats and ingest data from both.
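As an added example (not part of this page and not Snare Central's own module code), the following Python parses the syslog-delivered key="value" event shown under Sample Events into the fields listed in the table above, and applies the kind of name-to-number port translation described in the xlateport note. The key-to-field mapping, the service table (apart from IMAP3 = 220) and the year argument are assumptions made for the example, the last because the syslog timestamp carries no year.

```python
import re
from datetime import datetime
# Assumed mapping from Firewall-1 log keys to the Snare field names in the table above.
KEY_TO_FIELD = {
    "action": "ACTION", "i/f_name": "INTERFACE", "src": "SRCADDR",
    "s_port": "SRCPORT", "dst": "DSTADDR", "service": "DSTPORT",
    "proto": "PROTO", "rule": "RULE",
}
# Constructed service-name table; only IMAP3 -> 220 is taken from the page.
SERVICE_PORTS = {"imap3": 220, "http": 80, "https": 443, "ssh": 22, "domain": 53}
# key="value" pairs; keys may contain spaces (e.g. Authentication trial="...").
_KV = re.compile(r'(?P<key>[\w./ -]+?)="(?P<val>[^"]*)"')
# Syslog prefix "Mon DD HH:MM:SS[+HH:MM] <system> <body>"; note that no year is present.
_PREFIX = re.compile(r"([A-Z][a-z]{2} \d{1,2} \d\d:\d\d:\d\d)(?:[+-]\d\d:\d\d)? (\S+) (.*)")

def xlate_port(value):
    # Numeric ports pass through; textual names are looked up (None when unknown).
    if value.isdigit():
        return int(value)
    return SERVICE_PORTS.get(value.lower())

def parse_fw1_event(line, year):
    """Parse one syslog-delivered Firewall-1 event into Snare-style fields."""
    m = _PREFIX.match(line)
    if not m:
        raise ValueError("not a Firewall-1 syslog line")
    ts, system, body = m.groups()
    dt = datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")
    fields = {"DATE": dt.strftime("%Y-%m-%d"), "TIME": dt.strftime("%H:%M:%S"),
              "SYSTEM": system, "TABLE": "Firewall1Log"}
    leftovers = []
    for kv in _KV.finditer(body):
        key, val = kv.group("key").strip(), kv.group("val")
        field = KEY_TO_FIELD.get(key.lower())
        if field in ("SRCPORT", "DSTPORT"):
            fields[field] = xlate_port(val)
        elif field:
            fields[field] = val
        else:
            leftovers.append(f'{key}="{val}"')  # unmapped keys end up in MESSAGE
    fields["MESSAGE"] = " ".join(leftovers)
    return fields
# The Identity Awareness event from this page's Sample Events section.
SAMPLE_AD = ('Sep 20 22:33:44+03:00 192.168.1.1 Action="update" UUid="{0x34cd2400,0x0,0x1551515,0x817}" '
             'client_name="Active Directory Query" client_version="R77" domain_name="lab01" src="10.10.1.11" '
             'endpoint_ip="10.10.1.11" auth_status="Successful Login" identity_src="AD Query" snid="53eb31c1" '
             'src_machine_name="lab23a" src_machine_group="All Machines" auth_method="Machine Authentication '
             '(Active Directory)" identity_type="machine" Authentication trial="this is a reauthentication '
             'for session 53eb3bc8" product="Identity Awareness"')
# Constructed traffic event exercising the port fields and a textual service name.
SAMPLE_DROP = ('Sep 21 01:02:03 192.168.1.1 action="drop" i/f_name="eth0" proto="tcp" src="10.0.0.5" '
               's_port="51234" dst="10.0.0.9" service="IMAP3" rule="12"')
```

Call `parse_fw1_event(SAMPLE_AD, 2023)` to see the Identity Awareness event land mostly in MESSAGE, and `parse_fw1_event(SAMPLE_DROP, 2023)` to see the address, port and rule fields filled with "IMAP3" translated to 220.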