When you configure Check Point Firewall-1 to send log data to USM Appliance, you can use the Check Point Firewall plugin to translate the raw log data into normalized events for analysis.
| Field | Value |
|---|---|
| Data Source Name | fw1-alt |
| Data Source ID | 1590 |
Integrating Check Point Firewall-1
Before you configure the Check Point Firewall-1 integration, you must know the IP address of the USM Appliance Sensor, and the firewall must have the Add-On Package R77.30 installed.
Note: This procedure does not support the Provider-1 / Multi-Domain Server.
To configure Check Point Firewall-1 to send data to USM Appliance
1. On the Check Point appliance, back up the current /etc/syslog.conf file:

    cp /etc/syslog.conf /etc/syslog.conf_ORIGINAL

2. Edit /etc/syslog.conf by adding the following line:

    local4.info @<IP address of the USM Appliance Sensor>

    Note: Press TAB after local4.info.

3. Save your configuration edits and close the file.

4. Back up the /etc/rc.d/init.d/cpboot script, then edit the current version of /etc/rc.d/init.d/cpboot by adding the following line at the bottom of the script:

    fw log -f -t -n -l 2> /dev/null | awk 'NF' | logger -p local4.info -t CP_FireWall &

    The trailing & runs the command in the background. If & is omitted, the operating system stops before loading the syslogd service, and no login prompt appears at the console.

    For help on the available flags, enter:

    fw log --help

5. Save the configuration edits and close the file.

6. Restart the machine.

    Important: Restarting the Check Point services with the cpstop;cpstart commands is not sufficient. Only a full restart achieves the desired result.
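The script below is an added example, not part of the AlienVault documentation or of Check Point's own tooling. It applies the two file edits from the procedure above in an idempotent way (the backup is taken once, each line is appended only if absent, and the TAB after local4.info is written explicitly with printf so it cannot be lost to copy-paste), and it includes the checks a practitioner would run before rebooting. The file paths and the sensor address 192.0.2.10 are assumed placeholders; on a real appliance they would be /etc/syslog.conf, /etc/rc.d/init.d/cpboot and the USM Appliance Sensor IP.

```shell
#!/bin/sh
# Added example (not from the USM Appliance docs or Check Point): idempotent
# helpers for the syslog.conf and cpboot edits described in the procedure.
# All paths and the sensor IP are passed in, so the functions can be exercised
# on scratch copies before touching the real files.

# Take a backup once, using the _ORIGINAL suffix the procedure uses, and never
# overwrite an existing backup so the pristine file survives repeated runs.
backup_once() {
    f="$1"
    [ -f "${f}_ORIGINAL" ] || cp "$f" "${f}_ORIGINAL"
}

# Append the forwarding rule to a syslog.conf copy. The separator between the
# selector and the @destination is a literal TAB (the "Press TAB" note), which
# printf's \t writes explicitly. The line is added only if not already present.
add_syslog_forward() {
    conf="$1"; sensor_ip="$2"
    backup_once "$conf"
    if ! grep -q "^local4.info[[:space:]]*@${sensor_ip}\$" "$conf"; then
        printf 'local4.info\t@%s\n' "$sensor_ip" >> "$conf"
    fi
}

# Append the fw log pipeline to a cpboot copy, backgrounded with '&' so the
# boot sequence is not blocked before syslogd starts. Appended only once.
add_cpboot_pipeline() {
    script="$1"
    backup_once "$script"
    line="fw log -f -t -n -l 2> /dev/null | awk 'NF' | logger -p local4.info -t CP_FireWall &"
    grep -qF -- "$line" "$script" || printf '%s\n' "$line" >> "$script"
}

# Pre-reboot checks: the forwarding line is present with a real TAB character,
# and the pipeline line is present and ends with '&'.
verify_syslog_forward() {
    grep -q "$(printf 'local4.info\t@%s' "$2")" "$1"
}
verify_cpboot_pipeline() {
    grep -q 'logger -p local4.info -t CP_FireWall &$' "$1"
}

# How many local4.info selector lines exist (should be exactly 1 after any
# number of runs; more than 1 means duplicate forwarding entries).
count_forward_lines() {
    grep -c "^local4.info" "$1"
}

# Stand-alone usage: sh script.sh <syslog.conf copy> <cpboot copy> <sensor ip>
if [ "$#" -eq 3 ]; then
    add_syslog_forward "$1" "$3"
    add_cpboot_pipeline "$2"
    verify_syslog_forward "$1" "$3" && verify_cpboot_pipeline "$2" \
        && echo "both edits present; reboot the appliance to activate" \
        || echo "edit missing; inspect $1 and $2" >&2
fi
```

Running the functions twice against the same scratch files leaves exactly one forwarding line and one pipeline line, and the _ORIGINAL backup still holds the untouched content; that is the property worth confirming on the real files before the restart.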
For plugin enablement information, see Enable Plugins.
For troubleshooting, refer to the vendor documentation: