Log Types: Firewall1Log

Overview

Checkpoint Firewall-1 is a stateful packet inspection and filtering engine, with VPN functionality.

The Firewall1Log collection module uses several regular expressions to pull data out of the information presented.

Collection

The tool "CPLogToSyslog", available in Checkpoint Firewall1 R80.1 and newer, can send Checkpoint Firewall1 log data to a remote syslog server. This is the recommended process for ingesting Checkpoint Firewall1 logs into the Snare Central Server.

Checkpoint Firewall 1 firewalls can also export log data to a CSV file. Snare Central can handle a range of column layouts, as long as the header line specifying the log format is included as the first line of each exported file. Note, though, that CSV-based exported data is imported directly into the Snare Central data store and does not traverse the 'Reflector'. As such, these events will not be pushed to destinations managed by the Reflector.

A sample header line is:

  • num,date,time,orig,type,action,alert,i/f_name,i/f_dir,proto,src,dst,service,s_port,len,rule,icmp-type,icmp-code,reason:,rpc_prog,IKE Log:,product,additionals:,sys_msgs

Checkpoint Firewall logs can be transferred to the directory /data/SnareCollect/Firewall1Log via FTP using the user 'snarexfer'. Logs will be processed daily, at around midnight. FTP carries the 'snarexfer' credentials and the log content in cleartext, so restrict this transfer path to a trusted management network.

Sample Events

Sep 20 22:33:44+03:00 192.168.1.1 Action="update" UUid="{0x34cd2400,0x0,0x1551515,0x817}" client_name="Active Directory Query" client_version="R77" domain_name="lab01" src="10.10.1.11" endpoint_ip="10.10.1.11" auth_status="Successful Login" identity_src="AD Query" snid="53eb31c1" src_machine_name="lab23a" src_machine_group="All Machines" auth_method="Machine Authentication (Active Directory)" identity_type="machine" Authentication trial="this is a reauthentication for session 53eb3bc8" product="Identity Awareness"

Fields

Field       Description

DATE        Event date, in the format YYYY-MM-DD
TIME        Event time, in the format HH:MM:SS
SYSTEM      The source system
TABLE       Firewall1Log
ACTION      The action taken by the firewall in response to this packet
INTERFACE   Hardware or virtual interface, if available
SRCADDR     Source IP address
SRCPORT     Source port
DSTADDR     Destination IP address
DSTPORT     Destination port
PROTO       Protocol
RULE        The firewall rule triggered
MESSAGE     All other content that does not fit into an existing field

Notes

Firewall1 logs can include an 'xlateport' field holding a textual service name rather than a port number, e.g. "IMAP3", which translates to port 220. The Snare Central collection module translates the common service names used by Firewall1 to their numeric equivalents.

Checkpoint produces logs in either the R80 or the R80.1+ format. The Snare Server collection subsystem can distinguish between the two formats and ingest data from both.
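As an added illustration of what the collection module has to do (example code written for this page, not Snare Central's or Check Point's own), the Python below parses both record layouts described above: the syslog key="value" line shown under Sample Events, and a CSV export led by the header line shown under Collection. It maps the Check Point keys onto the Firewall1Log fields, folds everything else into MESSAGE, and translates service names such as IMAP3 to numeric ports. The key-to-field mapping, the service-name table, the two date layouts accepted and the CSV data row are assumptions made for the example; only the syslog line and the header line come from the page.

```python
import csv
import io
import re
import socket
from datetime import datetime
from typing import Dict, List, Optional

# Service names Check Point may write instead of numbers: an assumed starter table
# for illustration; IMAP3 -> 220 is the example given on this page.
SERVICE_PORTS = {"ftp": 21, "ssh": 22, "telnet": 23, "smtp": 25, "domain-udp": 53,
                 "http": 80, "pop-3": 110, "imap": 143, "IMAP3": 220, "ldap": 389,
                 "https": 443, "microsoft-ds": 445}

# Check Point key/column -> Snare field (assumed mapping; keys compared lower-case).
FIELD_MAP = {"date": "DATE", "time": "TIME", "orig": "SYSTEM", "action": "ACTION",
             "i/f_name": "INTERFACE", "src": "SRCADDR", "s_port": "SRCPORT",
             "dst": "DSTADDR", "service": "DSTPORT", "proto": "PROTO", "rule": "RULE"}

SYSLOG_HEADER = re.compile(r"^(\w{3} +\d{1,2} \d\d:\d\d:\d\d(?:[+-]\d\d:\d\d)?) (\S+) (.*)$")
# key="value" pairs: a key may hold spaces or slashes ("Authentication trial", "i/f_name")
# but never '=' or '"', and starts at the beginning of the body or after whitespace.
KV_RE = re.compile(r'(?:^|\s)([^\s="][^="]*?)="([^"]*)"')


def service_to_port(service: Optional[str]) -> Optional[int]:
    """Numeric port for a service/xlateport value, or None if it cannot be resolved."""
    if not service:
        return None
    if service.isdigit():
        return int(service)
    for name, port in SERVICE_PORTS.items():
        if name.lower() == service.lower():
            return port
    try:                                    # last resort: the host's /etc/services
        return socket.getservbyname(service.lower())
    except OSError:
        return None


def normalise_date(value: str) -> str:
    """Accept Check Point's 20Sep2019 style or YYYY-MM-DD; emit YYYY-MM-DD."""
    for fmt in ("%d%b%Y", "%Y-%m-%d"):
        try:
            return datetime.strptime(value, fmt).strftime("%Y-%m-%d")
        except ValueError:
            pass
    return value                            # unknown layout: pass through untouched


def normalise(record: Dict[str, str]) -> Dict[str, str]:
    """Map one parsed record onto the Firewall1Log fields; leftovers go to MESSAGE."""
    out = {"TABLE": "Firewall1Log"}
    leftovers: List[str] = []
    for key, value in record.items():
        target = FIELD_MAP.get(key.lower())
        if target is None:
            if value:
                leftovers.append(f"{key}={value}")
            continue
        if target in ("SRCPORT", "DSTPORT"):
            port = service_to_port(value)
            value = str(port) if port is not None else value
        elif target == "DATE":
            value = normalise_date(value)
        out[target] = value
    out["MESSAGE"] = " ".join(leftovers)
    return out


def parse_syslog(line: str) -> Dict[str, str]:
    """Parse one line as forwarded by the syslog exporter (key="value" body)."""
    m = SYSLOG_HEADER.match(line)
    if not m:
        raise ValueError("not a Check Point syslog line: " + line[:40])
    stamp, host, body = m.groups()
    body = body.replace('\\"', '"')         # undo the escaping seen in pasted samples
    out = normalise(dict(KV_RE.findall(body)))
    out.setdefault("SYSTEM", host)          # header host/time are used only when the
    out.setdefault("TIME", stamp.split()[2][:8])  # body carried no orig/time keys
    return out


def parse_csv_export(text: str) -> List[Dict[str, str]]:
    """Parse a CSV export whose first line is the header described on this page."""
    return [normalise(row) for row in csv.DictReader(io.StringIO(text))]


# The page's sample syslog event, with the backslash escapes it was pasted with.
SAMPLE_SYSLOG = (
    r'Sep 20 22:33:44+03:00 192.168.1.1 Action=\"update\" '
    r'UUid=\"{0x34cd2400,0x0,0x1551515,0x817}\" client_name=\"Active Directory Query\" '
    r'client_version=\"R77\" domain_name=\"lab01\" src=\"10.10.1.11\" endpoint_ip=\"10.10.1.11\" '
    r'auth_status=\"Successful Login\" identity_src=\"AD Query\" snid=\"53eb31c1\" '
    r'src_machine_name=\"lab23a\" src_machine_group=\"All Machines\" '
    r'auth_method=\"Machine Authentication (Active Directory)\" identity_type=\"machine\" '
    r'Authentication trial=\"this is a reauthentication for session 53eb3bc8\" '
    r'product=\"Identity Awareness\"'
)

# Constructed CSV export: the page's header line plus one invented data row.
SAMPLE_CSV = (
    "num,date,time,orig,type,action,alert,i/f_name,i/f_dir,proto,src,dst,service,"
    "s_port,len,rule,icmp-type,icmp-code,reason:,rpc_prog,IKE Log:,product,"
    "additionals:,sys_msgs\n"
    "1,20Sep2019,22:33:44,192.168.1.1,log,accept,,eth0,inbound,tcp,10.10.1.11,"
    "10.10.2.20,IMAP3,51234,60,12,,,,,,VPN-1 & FireWall-1,,\n"
)
```

Call parse_syslog(SAMPLE_SYSLOG) or parse_csv_export(SAMPLE_CSV) from a Python shell to see the normalised records. The syslog sample is an Identity Awareness event rather than a packet log, so only ACTION, SRCADDR and SYSTEM land in named fields and the rest goes to MESSAGE; the CSV row, by contrast, fills the full address, port, interface and rule set, with the service name IMAP3 rewritten to 220. A deployment would run the syslog stream through parse_syslog and the files dropped under /data/SnareCollect/Firewall1Log through parse_csv_export.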

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk115392