CPUG: The Check Point User Group

Resources for the Check Point Community, by the Check Point Community.




Thread: How to config syslog for SecurePlatform

  1. #1  How to config syslog for SecurePlatform

    How to config syslog for SecurePlatform?

  2. #2  Re: How to config syslog for SecurePlatform

    Checkpoint's Firewall-1 does not support sending its firewall logs to a syslog server - which hurts especially when a central system is already installed to correlate network events. There is a trick though, with which you can re-route the logs to a different location: the user-defined alert. We (mis)use the user-defined alert to send a log entry to a local shell script instead of to the log file.

    Security and Performance Implications
    Firing up a script each and every time a TCP session is established or ended, as well as for every packet being dropped, can have quite an impact on the firewall performance, depending on hardware and line usage.

    Second, syslog is not "secured" the way the CheckPoint log facility is. It transfers the messages unencrypted and stores them as plain text - which might be worth considering.

    Remote syslog usually uses UDP - which means log entries can (and probably will) be lost during transfer. Switching to a TCP-based syslog can help with this part.

    Implementation & Setup

    I assume the firewall is run under a Unix-style operating system. We need a syslog-feeder for this script - and as I usually work under Linux, I am using the "logger" binary that usually is included in a distribution.

    If you want to send your logs to a remote syslog server, configure it in /etc/syslog.conf

    To set up, copy the script below to a suitable location and adapt it to your needs. Don't forget to mark it executable (chmod 755). Then configure it as the "user-defined alert" in CheckPoint firewall (menu properties/alerts IIRC).

    First try whether it is working with a dedicated test rule where you set logging to "user-defined". If it's working fine, you can slowly switch over all the rules you want to get logged. Have an eye on resource usage when (and after) switching, though...

    #!/bin/sh
    # fw1syslog  (c) 2004 volker.tanger@wyae.de - this script is public domain
    # an identifier for the log
    IDTAG="FW1"        ## placeholder value (the post does not give one), adapt to your needs
    # the syslog facility
    # choose one of: auth, authpriv, daemon, security (deprecated synonym for
    #	auth), local0, local1, local2, local3, local4, local5, local6, local7
    FACILITY="local0"  ## placeholder, one of the facilities listed above
    # severity level: alert, crit, debug, emerg, err, info, notice
    LEVEL="info"       ## placeholder, one of the levels listed above
    # no config below here
    # Added fallback (assumption, not in the original script): if the alert
    # command is started without arguments, take the alert text as one
    # whitespace-separated line on standard input and split it into fields.
    if [ $# -eq 0 ]; then
        read -r line && set -- $line
    fi
    # shell assignments must not have spaces around "="
    fwdate="$1"          ## date of the log entry
    fwtime="$2"          ## time of the log entry
    fwaction="$3"        ## block / accept / reject
    fwLog="$4"           ## log type
    fwInterface="$5"     ## interface on which the packet arrived
    fwtype="$6"          ##
    fwproto1="$7"        ##
    fwprotocol="$8"      ## protocol used
    fwsrc="$9"           ##
    fwsource="${10}"     ## source IP  (needs ${10}: a bare $10 is $1 followed by "0")
    fwdst="${11}"        ##
    fwdestination="${12}" ## destination IP
    fwsrv="${13}"        ##
    logger -p "${FACILITY}.${LEVEL}" "${IDTAG}: ${fwaction} from ${fwsource} to ${fwdestination} proto ${fwprotocol}"
    All credits go to: http://www.wyae.de/docs/fw1syslog.php

    Best regards,
    Danny Trommer
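The following is an added example, not code from the post above or from wyae.de. It shows how to test the user-defined-alert approach before pointing production rules at it: a small harness that assumes the field order of the script in the post (field 3 = action, 8 = protocol, 10 = source IP, 12 = destination IP), assumes the alert text arrives as one whitespace-separated line on standard input, and strips non-printable characters from every field so that a value taken from logged traffic cannot smuggle a newline (and thereby a forged second record) into the syslog stream. The sample log line and the `FW1` tag are constructed for the demonstration.

```shell
#!/bin/sh
# Added example harness for the user-defined alert script (not the
# original script). Assumptions: fields arrive whitespace-separated in
# the order used by the post's script; the tag "FW1" and facility/level
# "local0.info" are placeholders to adapt.

# Keep only printable characters in a field. Field values come from the
# traffic being logged, so a stray newline or control character must not
# end up inside the syslog message (log injection / forged records).
fw_clean() {
    printf '%s' "$1" | tr -cd '[:print:]'
}

# Format one log entry as the syslog message text.
# $1 = identifier tag, the remaining arguments are the log fields in the
# post's order (at least 12 are needed to reach the destination IP).
fw_format() {
    idtag=$1
    shift
    if [ "$#" -lt 12 ]; then
        echo "fw_format: need at least 12 log fields, got $#" >&2
        return 1
    fi
    action=$(fw_clean "$3")
    proto=$(fw_clean "$8")
    src=$(fw_clean "${10}")   # ${10}: a bare $10 would be $1 followed by "0"
    dst=$(fw_clean "${12}")
    printf '%s: %s from %s to %s proto %s\n' "$idtag" "$action" "$src" "$dst" "$proto"
}

# Read one alert line from standard input and split it into fields.
fw_from_stdin() {
    idtag=$1
    IFS= read -r line || return 1
    # unquoted on purpose: word splitting turns the line into fields
    set -- $line
    fw_format "$idtag" "$@"
}

# Hand the message to the local syslog daemon; forwarding it to the
# central server is the daemon's job (see the note below).
fw_send() {
    msg=$(fw_from_stdin "FW1") || return 1
    logger -p local0.info "$msg"
}

# Constructed sample entry (not a real Check Point log line), with the
# fields in the same order as the script in the post.
SAMPLE='1Jun2004 10:15:32 drop log eth0 inbound tcp tcp src 198.51.100.23 dst 192.0.2.10 service http'

# Dry run: ./harness.sh --demo prints the message instead of logging it.
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE" | fw_from_stdin FW1
fi
```

Wire `fw_send` (or the post's script) in as the user-defined alert command only after the `--demo` run shows the expected message. The delivery side is then a matter of the local syslog daemon's configuration: with the classic BSD syslogd a line such as `local0.* @logserver` in /etc/syslog.conf forwards the facility over UDP 514, which is the lossy, unencrypted path the post warns about; TCP forwarding needs a daemon that supports it, for example rsyslog (`local0.* @@logserver:514`) or syslog-ng. Whichever daemon you use, the script is still started once per logged event, so keep the per-rule rollout the post recommends and watch process counts on a busy gateway.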

Similar Threads

  1. Logging to Syslog?
    By Barry J. Stiefel in forum SmartView Tracker
    Replies: 7
    Last Post: 2011-03-11, 08:33
  2. how to config syslog server on vsx scalability
    By eduardw in forum VPN-1 VSX
    Replies: 2
    Last Post: 2008-12-12, 10:31
  3. Urgent! log to syslog.
    By Routerkid1 in forum Installing And Upgrading
    Replies: 3
    Last Post: 2008-09-27, 23:23
    By robori in forum SmartView Tracker
    Replies: 3
    Last Post: 2006-12-26, 18:29
  5. syslog
    By herrmadbeef in forum Services (TCP, UDP, ICMP, etc.)
    Replies: 1
    Last Post: 2006-09-02, 01:08

