Check Point Firewall

Connect Check Point Firewall to Radiant Security to forward security log events for AI triage.

Check Point Firewall is a next-generation firewall that inspects network traffic and blocks malicious activity, intrusion attempts, and policy violations. Connecting Check Point Firewall forwards Security Logs to Radiant Security over syslog. Radiant uses these events for AI triage, giving analysts context on network-level threats during alert investigations.

Check Point Firewall can forward logs to Radiant Security in two ways:

  • Through the Radiant Agent (recommended). Forward to a Radiant Agent deployed in your environment.

  • Direct to Radiant Security. Forward over TLS to the Radiant syslog cluster. Use only when a Radiant Agent is not available.

Prerequisites

If you are running a Check Point version earlier than R80.10, the built-in Log Exporter is not available. Forward logs via OPSEC LEA instead.

Add the data connector in Radiant Security

  1. Sign in to Radiant Security.

  2. From the navigation menu, click Settings > Data Connectors, then click + Add Connector.

  3. Search for and select Radiant Agent, then click Data Feeds.

  4. Under Select your data feeds, select Check Point Firewall, then click Credentials.

  5. Under Credential Name, enter an identifiable name for the Radiant Agent integration (e.g., Radiant Agent Integration). To reuse an existing Radiant Agent credential, select it from the drop-down menu.

  6. Click Add Connector.

Enable extended logging in Check Point

Before configuring syslog forwarding, confirm your security policies and rules are configured to generate logs. For each rule, enable the Track option and set it to Log. Where applicable, enable Extended Log.

For details, see the Check Point Tracking Options documentation.

Configure Check Point to forward syslog through the Radiant Agent

Before starting, confirm the IP address of the Radiant Agent and the port configured to receive Check Point Firewall data. If you do not know the port, contact your Customer Success representative.

The procedure depends on whether your Check Point gateways are centrally managed by SmartConsole or individually managed through each gateway's WebUI.

  1. Connect to SmartConsole with Administrator credentials.

  2. Go to Logs & Monitor and select Log Exporter under the Gateways tab.

  3. Click + Add Exporter to create a new log exporter.

  4. Enter the following parameters:

    • Name: RadiantSecurityForwarder

    • Target Server:

      • IPv4 Address: the IP address of the Radiant Agent.

      • Protocol: TCP

      • Port: the port configured on the Radiant Agent to receive Check Point Firewall data.

    • Format: JSON

    • Select Show Obfuscated Fields if present.

    • Under Select Logs to Forward, select only Security Logs.

  5. Click OK to save the configuration.

  6. Navigate to Gateways & Servers in SmartConsole.

  7. Select the gateway or cluster to configure, then click Edit.

  8. Go to Logs > Log Export Settings.

  9. Under Log Exporter, select the log exporter created above (e.g., RadiantSecurityForwarder).

  10. Click OK to save changes.

  11. Click Publish to confirm the changes.

  12. Navigate to Security Policies and click Install Policy to apply the configuration to the selected gateways.

Configure Check Point to forward syslog directly to Radiant Security

Use this path only when a Radiant Agent is not available.

The procedure depends on whether your Check Point gateways are centrally managed by SmartConsole or individually managed through each gateway's WebUI.

  1. Connect to SmartConsole with Administrator credentials.

  2. Go to Logs & Monitor and select Log Exporter under the Gateways tab.

  3. Click + Add Exporter to create a new log exporter.

  4. Enter the following parameters:

    • Name: RadiantSecurityForwarder

    • Target Server:

      • IPv4 Address: cluster.syslog.radiantsecurity.ai

      • Protocol: TCP

      • Port: 6514

    • Format: JSON

    • Select Show Obfuscated Fields if present.

    • Under Select Logs to Forward, select only Security Logs.

  5. Click OK to save the configuration.

  6. Navigate to Gateways & Servers in SmartConsole.

  7. Select the gateway or cluster to configure, then click Edit.

  8. Go to Logs > Log Export Settings.

  9. Under Log Exporter, select the log exporter created above (e.g., RadiantSecurityForwarder).

  10. Click OK to save changes.

  11. Click Publish to confirm the changes.

  12. Navigate to Security Policies and click Install Policy to apply the configuration to the selected gateways.

Verify ingestion

After Check Point Firewall begins forwarding, confirm alerts and events are reaching Radiant.

  1. In Radiant, navigate to Log Management.

  2. Filter by rs_connectorType:"checkpoint_firewall".

  3. Confirm recent alerts and events appear.

Allow several minutes for alerts and events to be parsed, indexed, and available for search.
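
The check below is an added example, not part of Radiant Security's or Check Point's documentation: it tests the network path for the two forwarding options described above, a plain TCP connect to the Radiant Agent and a certificate-verified TLS handshake to cluster.syslog.radiantsecurity.ai on port 6514. The function names and the 192.0.2.10:5514 agent address are placeholders chosen for illustration.

```python
import socket
import ssl

# Direct-path target taken from this page; the agent address is site-specific.
RADIANT_CLUSTER = ("cluster.syslog.radiantsecurity.ai", 6514)


def tcp_reachable(host, port, timeout=5.0):
    """Return (ok, detail) for a plain TCP connect, as used on the agent path."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True, "connected"
    except OSError as exc:  # refused, timed out, unroutable, DNS failure
        return False, f"{type(exc).__name__}: {exc}"


def tls_reachable(host, port, timeout=5.0, context=None):
    """Return (ok, detail) for a TLS handshake with certificate and hostname checks."""
    ctx = context or ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return True, tls.version()
    except ssl.SSLError as exc:  # handshake or certificate validation failed
        return False, f"TLS failure: {exc}"
    except OSError as exc:  # must follow SSLError, which is an OSError subclass
        return False, f"{type(exc).__name__}: {exc}"


def preflight(agent=None):
    """Check the agent path if `agent` (ip, port) is given, else the direct path."""
    results = {}
    if agent is not None:
        results["agent_tcp"] = tcp_reachable(*agent)
    else:
        results["direct_tls"] = tls_reachable(*RADIANT_CLUSTER)
    return results


if __name__ == "__main__":
    # 192.0.2.10:5514 is a placeholder (documentation range), not a Radiant default.
    for name, (ok, detail) in preflight(agent=("192.0.2.10", 5514)).items():
        print(f"{name}: {'OK' if ok else 'FAIL'} ({detail})")
```

Run it from a host that shares the network path of the component exporting the logs, since a result from any other source address says nothing about that path. A passing check shows only that the port accepts connections; ingestion is still confirmed in Log Management.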
