Check Point Firewall (syslog)
Configure Check Point Firewall to forward syslog to Radiant Security.
In this guide, you will create a new entry in the Check Point Log Exporter configuration. This entry is required to send Check Point Firewall logs to Radiant Security through an intermediary syslog relay server, which is used for additional security.
Add the data connector in Radiant Security
First, you’ll add the Check Point Networks Firewall data connector in Radiant Security.
Log in to Radiant Security.
From the navigation menu, click Settings > Data Connectors and click + Add Connector.
Search for and select the Check Point Firewall (syslog) option and then click Data Feeds.
Under Select your data feeds, select Check Point Firewall and then click Credentials.
Under Credential Name, give the credential an identifiable name (e.g. Check Point Credentials). If you already have a credential in place, select it from the drop-down menu. Click Credentials.
In the Connector tag field, enter a random value. This value will act as the salt to randomize the unique Token you’ll download in the next step.
Click Add Connector.
Save the Token value or use the Download Files option to save the token as a file. This token will be used in the upcoming Configure a local Radiant Security Syslog Collector section.
Click Done to save your changes.
Configure a local Radiant Agent
Refer to the Install the Radiant Security Agent guide to set up a local agent to collect the logs.
Configure syslog forwarding
By default, the log exporter module comes installed on R80.10 and later versions. If you are running a Check Point version older than R80.10, then you won't have access to the built-in Log Exporter feature and will have to forward the logs via OPSEC LEA.
If the Check Point gateways are managed by a central console, refer to the Centrally managed gateways section. If the gateways are individually managed, refer to the Individual gateways section.
Enable extended logging on policies and rules
Before setting up the syslog forwarding, it's important to make sure the security policies and rules are configured to generate logs. To do so, enable the Track option and set it to Log, and when applicable, enable the Extended Log feature.
For more details on how to set up the tracking and logging options, refer to the Check Point documentation.
Centrally managed gateways
If the Check Point gateways are managed by a central console, then complete the following steps:
Connect to the SmartConsole using Administrator credentials.
Go to Logs & Monitor and select Log Exporter under the Gateways tab.
Click + Add Exporter to create a new log exporter.
Enter the following parameters:
Name: RadiantSecurityForwarder
Target Server:
IPv4 Address: <syslogCollectorIPAddress>
Protocol: TCP
Port: 6514
Format: JSON
Select Show Obfuscated Fields (if present).
Under Select Logs to Forward, select only Security Logs.
Click OK to save the configuration.
Navigate to Gateways & Servers in SmartConsole.
Select the gateway or cluster to configure and click Edit.
Go to Logs > Log Export Settings.
Under Log Exporter, select the previously created log exporter (e.g., RadiantSecurityForwarder).
Click OK to save changes.
Click Publish to confirm the changes.
Navigate to Security Policies and click Install Policy to apply the configuration to the selected gateways.
Individual gateways
If the Check Point gateways are individually managed, then complete the following steps:
Access the gateway's WebUI using Administrator credentials.
Navigate to Logs & Monitoring or System Logs (the naming varies based on firmware version).
Locate the Log Exporter or Syslog configuration section.
Click Add Syslog Server.
Enter the following parameters:
Name: RadiantSecurityForwarder
IPv4 Address: <syslogCollectorIPAddress>
Protocol: TCP
Port: 6514
Format: JSON
Select Show Obfuscated Fields (if present).
Under Select Logs to Forward, select only Security Logs.
Click OK to save the configuration.
Before setting up the syslog forwarding, it's important to make sure the security policies and rules are configured to generate logs. To do so, the security policies must have the Track option enabled and set to Log, and when applicable, with the Extended Log feature enabled.
For more details on how to set up the tracking and logging options, refer to the Check Point documentation.
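To confirm on the relay that an exporter set to TCP and JSON as above is delivering parseable events, the following added example (not part of the Radiant Security or Check Point documentation) splits a captured byte stream into syslog frames and counts the ones that carry valid JSON. It goes slightly beyond the page by accepting both RFC 6587 TCP framings (octet-counted and newline-terminated) and an optional syslog header, since the page does not say which the exporter uses; the sample bytes and field names are constructed for illustration.

```python
import json

def split_frames(stream: bytes) -> list:
    """Split a TCP syslog byte stream into messages (RFC 6587 framings)."""
    frames, i = [], 0
    while i < len(stream):
        sp = stream.find(b" ", i)
        head = stream[i:sp] if sp != -1 else b""
        if head.isdigit():                      # octet-counting: "<len> <msg>"
            n = int(head)
            frames.append(stream[sp + 1 : sp + 1 + n])
            i = sp + 1 + n
        else:                                   # non-transparent: LF-terminated
            nl = stream.find(b"\n", i)
            nl = len(stream) if nl == -1 else nl
            if stream[i:nl].strip():
                frames.append(stream[i:nl])
            i = nl + 1
    return frames

def parse_event(frame: bytes):
    """Return the JSON object carried in a frame, or None if it is not valid JSON."""
    start = frame.find(b"{")                    # skip a syslog header, if any
    if start == -1:
        return None
    try:
        obj = json.loads(frame[start:].decode("utf-8", errors="replace"))
    except json.JSONDecodeError:
        return None
    return obj if isinstance(obj, dict) else None

def summarize(stream: bytes) -> dict:
    """Count frames that parse as JSON and keep a short prefix of those that do not."""
    frames = split_frames(stream)
    rejected = [f[:60] for f in frames if parse_event(f) is None]
    return {"frames": len(frames), "json_ok": len(frames) - len(rejected), "rejected": rejected}

# Constructed sample data; the field names are illustrative, not Check Point's schema.
EVT_A = b'{"action":"Accept","src":"10.0.0.5"}'
EVT_B = b'{"action":"Drop","src":"10.0.0.9"}'
SAMPLE_LF = b"<134>1 2024-01-01T00:00:00Z gw1 CheckPoint - - - " + EVT_A + b"\n" + EVT_B + b"\nthis is not json\n"
SAMPLE_OCTET = b"".join(str(len(e)).encode() + b" " + e for e in (EVT_A, EVT_B))

if __name__ == "__main__":
    print(summarize(SAMPLE_LF))
    print(summarize(SAMPLE_OCTET))
```

A non-zero rejected count usually means the exporter format is not set to JSON or a frame was truncated in transit.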