# Check Point Firewall

Check Point Firewall is a next-generation firewall that inspects network traffic and blocks malicious activity, intrusion attempts, and policy violations. Connecting Check Point Firewall forwards Security Logs to Radiant Security over syslog. Radiant uses these events for AI triage, giving analysts context on network-level threats during alert investigations.

Check Point Firewall can forward logs to Radiant Security in two ways:

* **Through the Radiant Agent (recommended).** Forward to a Radiant Agent deployed in your environment.
* **Direct to Radiant Security.** Forward over TLS to the Radiant syslog cluster. Use only when a Radiant Agent is not available.

### Prerequisites

* [ ] Admin access to Check Point Firewall
* [ ] Check Point R80.10 or later for the built-in Log Exporter
* [ ] For the Radiant Agent path: a deployed [Radiant Agent](https://help.radiantsecurity.ai/radiant-connectors/data-connectors/install-the-radiant-security-agent) reachable from the Check Point gateway or management server
* [ ] For the direct path: network egress from the Check Point gateway or management server to `cluster.syslog.radiantsecurity.ai` on TCP port `6514`

{% hint style="info" %}
If you are running a Check Point version earlier than R80.10, the built-in Log Exporter is not available. Forward logs via [OPSEC LEA](https://community.checkpoint.com/t5/SMB-Gateways-Spark/How-to-send-log-from-Checkpoint-moreover-Opsec-LEA/td-p/29508) instead.
{% endhint %}

### Add the data connector in Radiant Security

1. Sign in to [Radiant Security](https://app.radiantsecurity.ai/).
2. From the navigation menu, click **Settings** > **Data Connectors**, then click **+ Add Connector**.
3. Search for and select **Radiant Agent**, then click **Data Feeds**.
4. Under **Select your data feeds**, select **Check Point Firewall**, then click **Credentials**.
5. Under **Credential Name**, enter an identifiable name for the Radiant Agent integration (e.g., `Radiant Agent Integration`). To reuse an existing Radiant Agent credential, select it from the drop-down menu.
6. Click **Add Connector**.

### Enable extended logging in Check Point

Before configuring syslog forwarding, confirm your security policies and rules are configured to generate logs. For each rule, enable the **Track** option and set it to **Log**. Where applicable, enable **Extended Log**.

For details, see the [Check Point Tracking Options documentation](https://sc1.checkpoint.com/documents/R81/WebAdminGuides/EN/CP_R81_LoggingAndMonitoring_AdminGuide/Topics-LMG/Tracking-Options.htm).

### Configure Check Point to forward syslog through the Radiant Agent

Before starting, confirm the IP address of the Radiant Agent and the port configured to receive Check Point Firewall data. If you do not know the port, contact your Customer Success representative.

The procedure depends on whether your Check Point gateways are centrally managed by SmartConsole or individually managed through each gateway's WebUI.

{% tabs %}
{% tab title="Centrally managed gateways" %}

1. Connect to **SmartConsole** with Administrator credentials.
2. Go to **Logs & Monitor** and select **Log Exporter** under the **Gateways** tab.
3. Click **+ Add Exporter** to create a new log exporter.
4. Enter the following parameters:
   * **Name**: `RadiantSecurityForwarder`
   * **Target Server**:
     * **IPv4 Address**: the IP address of the Radiant Agent.
     * **Protocol**: `TCP`
     * **Port**: the port configured on the Radiant Agent to receive Check Point Firewall data.
   * **Format**: `JSON`
   * Select **Show Obfuscated Fields** if present.
   * Under **Select Logs to Forward**, select only **Security Logs**.
5. Click **OK** to save the configuration.
6. Navigate to **Gateways & Servers** in SmartConsole.
7. Select the gateway or cluster to configure, then click **Edit**.
8. Go to **Logs** > **Log Export Settings**.
9. Under **Log Exporter**, select the log exporter created above (e.g., `RadiantSecurityForwarder`).
10. Click **OK** to save changes.
11. Click **Publish** to confirm the changes.
12. Navigate to **Security Policies** and click **Install Policy** to apply the configuration to the selected gateways.
    {% endtab %}

{% tab title="Individual gateways" %}

1. Access the gateway's WebUI with Administrator credentials.
2. Navigate to **Logs & Monitoring** or **System Logs**. The label varies by firmware version.
3. Locate the **Log Exporter** or **Syslog** configuration section.
4. Click **Add Syslog Server**.
5. Enter the following parameters:
   * **Name**: `RadiantSecurityForwarder`
   * **IPv4 Address**: the IP address of the Radiant Agent.
   * **Protocol**: `TCP`
   * **Port**: the port configured on the Radiant Agent to receive Check Point Firewall data.
   * **Format**: `JSON`
   * Select **Show Obfuscated Fields** if present.
   * Under **Select Logs to Forward**, select only **Security Logs**.
6. Click **OK** to save the configuration.
   {% endtab %}
   {% endtabs %}

### Configure Check Point to forward syslog directly to Radiant Security

Use this path only when a Radiant Agent is not available.

The procedure depends on whether your Check Point gateways are centrally managed by SmartConsole or individually managed through each gateway's WebUI.

{% tabs %}
{% tab title="Centrally managed gateways" %}

1. Connect to **SmartConsole** with Administrator credentials.
2. Go to **Logs & Monitor** and select **Log Exporter** under the **Gateways** tab.
3. Click **+ Add Exporter** to create a new log exporter.
4. Enter the following parameters:
   * **Name**: `RadiantSecurityForwarder`
   * **Target Server**:
     * **IPv4 Address**: `cluster.syslog.radiantsecurity.ai`
     * **Protocol**: `TCP`
     * **Port**: `6514`
   * **Format**: `JSON`
   * Select **Show Obfuscated Fields** if present.
   * Under **Select Logs to Forward**, select only **Security Logs**.
5. Click **OK** to save the configuration.
6. Navigate to **Gateways & Servers** in SmartConsole.
7. Select the gateway or cluster to configure, then click **Edit**.
8. Go to **Logs** > **Log Export Settings**.
9. Under **Log Exporter**, select the log exporter created above (e.g., `RadiantSecurityForwarder`).
10. Click **OK** to save changes.
11. Click **Publish** to confirm the changes.
12. Navigate to **Security Policies** and click **Install Policy** to apply the configuration to the selected gateways.
    {% endtab %}

{% tab title="Individual gateways" %}

1. Access the gateway's WebUI with Administrator credentials.
2. Navigate to **Logs & Monitoring** or **System Logs**. The label varies by firmware version.
3. Locate the **Log Exporter** or **Syslog** configuration section.
4. Click **Add Syslog Server**.
5. Enter the following parameters:
   * **Name**: `RadiantSecurityForwarder`
   * **IPv4 Address**: `cluster.syslog.radiantsecurity.ai`
   * **Protocol**: `TCP`
   * **Port**: `6514`
   * **Format**: `JSON`
   * Select **Show Obfuscated Fields** if present.
   * Under **Select Logs to Forward**, select only **Security Logs**.
6. Click **OK** to save the configuration.
   {% endtab %}
   {% endtabs %}

### Verify ingestion

After Check Point Networks Firewall begins forwarding, confirm alerts and events are reaching Radiant.

1. In Radiant, navigate to [Log Management](https://app.radiantsecurity.ai/logs).
2. Filter by `rs_connectorType:"checkpoint_firewall"`.
3. Confirm recent alerts and events appear.

{% hint style="info" %}
Allow several minutes for alerts and events to be parsed, indexed, and available for search.
{% endhint %}


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://help.radiantsecurity.ai/radiant-connectors/data-connectors/check-point-firewall.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.