How to collect data from Check Point Firewall
This document explains how to add a new data source - Check Point Firewall - using syslog forwarding.
Before adding the data source in CYBERQUEST, configure the Check Point Firewall to forward events to the CYBERQUEST server on UDP port 5140.
For detailed setup instructions, refer to the configuration guide: Configure Check Point Firewall Log Forwarding to CQ
Navigate to Settings
Log in to the CYBERQUEST web interface with an account that has administrator privileges.
Navigate to Settings > Management > Data Source Manager.

This page contains all the data sources added in the CYBERQUEST application.

Add data source
Press the ADD DATA-SOURCE button and complete the following form:

- DataSource Type: Choose "Syslog / CheckPoint Firewall Syslog (LogName: CheckPointFirewall)" to interpret Check Point Firewall events.
- DataSource Information: This field is populated automatically with the data source details.
- Tag: A unique identifier automatically assigned to the data source.
- Anonymize Fields: Select one or more fields to be anonymized as required.
- IPList: Enter the sender IP address(es) for this source, separated by commas. CYBERQUEST will accept logs only from these IPs.
- Data: true = active and receiving logs; false = inactive or not receiving logs.

Click the "Save" button to save the data source.
Verify ingestion
- On the CQ server, confirm packets are received:

```bash
sudo tcpdump -n -i any udp port 5140
```

- In CYBERQUEST, open the Browser to verify that Check Point events are appearing and tagged as CheckPointFirewall.
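
As an added example (not part of the CYBERQUEST documentation), the script below reads `tcpdump -n` output for UDP port 5140 and lists senders that are missing from the data source's IPList, which is a common reason packets arrive but no events appear. The function names and all IP addresses are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example: compare senders seen on UDP 5140 with the data source IPList.
# Function names and all IP addresses are constructed for illustration.

# Read `tcpdump -n` lines on stdin and print each IPv4 source address once.
# Handles the classic layout ("<time> IP src.port > dst.port: ...") and the
# `-i any` layout of newer tcpdump ("<time> eth0 In IP src.port > ...").
syslog_senders() {
  awk '{
    for (i = 1; i < NF; i++) if ($i == "IP") {
      src = $(i + 1)
      sub(/\.[0-9]+$/, "", src)   # drop the trailing ".<source port>"
      if (!(src in seen)) { seen[src] = 1; print src }
      break
    }
  }'
}

# unlisted_senders "ip1, ip2, ..." < capture
# Prints senders that are not in the comma-separated IPList: hosts that reach
# the port but that the data source is not configured to accept.
unlisted_senders() {
  _allowed=$(printf '%s' "$1" | tr -d ' ' | tr ',' '\n')
  syslog_senders | grep -vxF -e "$_allowed" || true
}

# Constructed capture: two listed firewalls and one host missing from IPList.
sample_capture() {
  cat <<'EOF'
12:00:01.000001 IP 192.0.2.10.41000 > 198.51.100.5.5140: UDP, length 312
12:00:01.200000 eth0  In  IP 203.0.113.77.53211 > 198.51.100.5.5140: UDP, length 120
12:00:02.000000 eth0  In  IP 192.0.2.11.41001 > 198.51.100.5.5140: UDP, length 298
12:00:03.000000 IP 192.0.2.10.41000 > 198.51.100.5.5140: UDP, length 305
EOF
}

# Live use on the CQ server (stops after 200 packets):
#   sudo tcpdump -n -l -c 200 -i any udp port 5140 2>/dev/null |
#     unlisted_senders "192.0.2.10, 192.0.2.11"
sample_capture | unlisted_senders "192.0.2.10, 192.0.2.11"
```

An empty result means every sender seen on the wire is already covered by the IPList.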
Assign the CYBERQUEST agent
The next step is to assign the CYBERQUEST agent to this data source. Press the drop-down list and choose the agent (often the CQServer-DataServer agent).

- Edit: Press the Edit button to modify the data source information. The process is very similar to adding a new data source.
- Clone: Press the Clone button to create a copy of the data source.
- Delete: To remove a data source, unassign the Agent first, then press "Delete".