CheckPoint

Logging via syslog

For CheckPoint device, you need first make sure, that your version has installed CheckPoint Log Export. Some of the latest versions of CheckPoint Security Gateways has already Log Export integrated in the software (80.40 and above), some versions need to install latest Jumbo Hotfix Accumulator (80.10 to 80.30) and some need to install a dedicated patch (version 77.10 to 77.30).

More details about Checkpoint Log Exporter are available on this link: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk122323

Once you sure, that CheckPoint Log Export is available on your system, there is just a few steps to have it running with Logmanager.

Create a new CheckPoint Log Export target with command cp_log_export add name Logmanager target-server 192.0.2.10 target-port 514 protocol tcp format generic where replace target-server IP with your Logmanager IP address.
Enable the target with command cp_log_export set name Logmanager enabled true
Restart the CheckPoint Log Export service with command cp_log_export restart name Logmanager

Here is the screenshot from CheckPoint expert console of configuration steps 1-3 in CheckPoint Secure Gateway version 80.40:

CheckPoint expert console of configuration steps
To review CheckPoint log exporter configuration run command cp_log_export show

Review CheckPoint log exporter configuration

on
On the Logmanager, add the proper classification to point the incoming logs from CheckPoint source IP to Logmanager CheckPoint parser. Save edited classifier or classifier template.

Adding the proper classification
Wait a minute and have a look into the Logmanager dashboards for CheckPoint, if they are filling with correct data.

CheckPoint logging via TLS syslog

For CheckPoint device, you first need to install the Log Exporter extension in your Gaia installation to ensure syslog messaging.

After you install the extension, follow these steps:

For encrypted communication, it is first necessary to provide a public CA certificate in the format .pem and create client certificate in format .p12 (contains certificate + a private key).
It is necessary to upload these certificates into your Gaia installation (eg using WinSCP) and create a folder for these certificates.
- In case of uploading the certificate using WinSCP, it is necessary to enable / bin / bash for admin user (access to expert mode) or create a new user for copying files, see here https://community.checkpoint.com/t5/Enterprise-Appliances-and-Gaia/HowTo-Creating-an-scpuser-account-on-Gaia-Clish/td-p/5819. Copy the certificates to the created folder below and do chmod.
- mkdir /opt/ssl-cert
- chmod +r ca-cert.pem
- chmod +r client-certifikat.p12

In expert mode, enter the following command:

cp_log_export add name logmanagertls target-server <Logmanager_IP> target-port 6514 protocol tcp format generic

Next, enter the following command where you need to set the certificate paths (/opt/ssl-cert/) and set a password you chose for .p12 certificate:

cp_log_export set name logmanagertls enabled true encrypted true ca-cert <path_to_CA_pem (/opt/ssl-cert/)> client-cert <path_to_p12_certificate (/opt/ssl-cert/)> client-secret <challenge_phrase_for_p12>

Restart log exporter:

cp_log_export restart name logmanagertls

To verify the correct configuration, use the command:
```
cp_log_export show
```
Now the logs are sent via TLS to the Logmanager side.