Checkpoint firewall - automatic log collection - recommended method ?

%3CLINGO-SUB%20id%3D%22lingo-sub-309609%22%20slang%3D%22en-US%22%3ECheckpoint%20firewall%20-%20automatic%20log%20collection%20-%20recommended%20method%20%3F%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-309609%22%20slang%3D%22en-US%22%3E%3CP%3EHi%20-%20is%20there%20a%20recommended%2Fsupported%20method%20to%20achieve%20automatic%20Checkpoint%20firewall%20log%20collection%20%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EOn%20the%20Checkpoint%20side%20it%20seems%20there%20are%202%20main%20log%20export%20mechanisms.%3C%2FP%3E%3CP%3E1.%20CPLOGTOSYSLOG%20tool.%3C%2FP%3E%3CP%3E2.%26nbsp%3B%3CSPAN%3ELog%20Exporter%20-%20Check%20Point%20Log%20Export%20tool.%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%3EI%20am%20getting%20the%20impression%20that%20cplogtosyslog%20is%20the%20preferred%20supported%20method%20from%20Microsoft%20side.%20However%20from%20Checkpoint%20side%20Log%20Exporter%20tool%20is%20their%20preferred%20method%20going%20forward.%20Any%20guidance%20or%20advice%20on%20how%20to%20get%20this%20to%20work%20would%20be%20appreciated%20%3F%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%3EThanks...%3C%2FSPAN%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-309609%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3ECloud%20App%20Security%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3ECloud%20Discovery%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-309715%22%20slang%3D%22en-US%22%3ERe%3A%20Checkpoint%20firewall%20-%20automatic%20log%20collection%20-%20recommended%20method%20%3F%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-309715%22%20slang%3D%22en-US%22%3E%3CP%3EHi%20Max%2C%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EThanks%20for%20reaching%20out.%3C%2FP%3E%0A%3CP%3EFew%20comments%20on%20that%3A%3C%2FP%3E%0A%3COL%3E%0A%3CLI%3EThe%20general%20answer%20depends%20on%20the%20log%20format%20that%20each%20of%20these%20tools%20exports.%20While%20I'm%20not%20familiar%20with%20the%20format%20exported%20by%20%22Log%20Exporter%22%2C%20MCAS%20do%20support%20formats%20exported%20from%26nbsp%3B%3CSPAN%3ECPLOGTOSYSLOG.%3C%2FSPAN%3E%3C%2FLI%3E%0A%3CLI%3E%3CSPAN%3EIf%20possible%2C%20please%20share%20the%20format%20provided%20by%20the%20%22Log%20Exporter%22%2C%20to%20see%20whether%20are%20also%20supported%20out%20of%20the%20box%20or%20by%20MCAS%20custom%20log%20parser.%3C%2FSPAN%3E%3C%2FLI%3E%0A%3CLI%3ECan%20you%20elaborate%20some%20more%20on%20the%20meaning%20of%20%22%3CSPAN%3ECheckpoint%20side%20Log%20Exporter%20tool%20is%20their%26nbsp%3B%3C%2FSPAN%3Epreferred%20method%20going%20forward%22%3F%3C%2FLI%3E%0A%3C%2FOL%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EThanks%2C%3C%2FP%3E%0A%3CP%3EDanny.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1030268%22%20slang%3D%22en-US%22%3ERe%3A%20Checkpoint%20firewall%20-%20automatic%20log%20collection%20-%20recommended%20method%20%3F%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1030268%22%20slang%3D%22en-US%22%3E%3CP%3EHi%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F129396%22%20target%3D%22_blank%22%3E%40David%20Caddick%3C%2FA%3E%2C%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EI%20recently%20worked%20with%20CP%20team%2C%20to%20learn%20about%20their%20new%20flow%20for%20exporting%20traffic%20data%20over%20syslog.%3C%2FP%3E%0A%3CP%3EThese%20will%20be%20reflected%20by%20new%20formats%20which%20will%20be%20supported%20by%20MCAS%20and%20that%20will%20include%20more%20details%20than%20the%20ones%20included%20in%20current%20supported%20formats.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EThis%20is%20something%20so%20be%20pushed%20during%20Q1CY20.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EThanks%2C%3C%2FP%3E%0A%3CP%3EDanny.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1030301%22%20slang%3D%22en-US%22%3ERe%3A%20Checkpoint%20firewall%20-%20automatic%20log%20collection%20-%20recommended%20method%20%3F%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1030301%22%20slang%3D%22en-US%22%3E%3CP%3EThanks%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F112613%22%20target%3D%22_blank%22%3E%40Danny%20Kadyshevitch%3C%2FA%3E%2C%20but%20as%20we%20are%20working%20with%20some%20Govt.%20Customers%20that%20are%20still%20on%20R80.10%20and%20R80.20%2C%20etc...%20I'm%20not%20sure%20how%20relevant%20that%20might%20be%20to%20some%20of%20our%20Customers%3F%3CBR%20%2F%3E%3CBR%20%2F%3EWhile%20we%20have%20a%20possible%20opportunity%20to%20create%20a%20Customer%20case%20study%20with%20MS%20cause%20this%20customer%20is%20running%20with%20Office%20ATP%2C%20Azure%20ATP%2C%20Defender%20ATP%2C%20AAD%20ID%20P2%2C%20Azure%20MFA%2C%20Azure%20Sentinel%20-%20and%20yet%20for%20MCAS%20it%20looks%20like%20there%20is%20very%20little%20rationale%20to%20go%20to%20the%20effort%20of%20adding%20the%20Automated%20Collector%20for%20a%20CheckPoint%20Firewall%20if%20all%20it's%20going%20to%20be%20able%20to%20do%20is%20add%20Target%2FOrigin%20IP%20address...%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ESorry%2C%20just%20telling%20it%20like%20it%20is%2C%20and%20it's%20a%20real%20shame...%20Is%20there%20no%20other%20way%20of%20getting%20the%20Tracker%20info%20ingested%20somehow%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1030366%22%20slang%3D%22en-US%22%3ERe%3A%20Checkpoint%20firewall%20-%20automatic%20log%20collection%20-%20recommended%20method%20%3F%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1030366%22%20slang%3D%22en-US%22%3E%3CP%3EHi%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F129396%22%20target%3D%22_blank%22%3E%40David%20Caddick%3C%2FA%3E%2C%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EI%20think%20I%20was%20misunderstood%20-%3C%2FP%3E%0A%3CP%3EThe%20same%20data%20that%20is%20supported%20on%20the%20manual%20approach%20is%20also%20the%20one%20supported%20on%20the%20automated%20approach.%20If%20you're%20saying%20that%20it%20worked%20for%20you%20with%20the%20manual%20option%2C%20you%20should%20just%20go%20ahead%20and%20upload%20data%20automatically%2C%20there's%20no%20difference%20in%20that%20case%20in%20the%20data%20being%20extracted.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EYet%2C%20for%20my%20knowledge%20-%20%22%3CSPAN%3ESmart%20Tracker%3C%2FSPAN%3E%22%20doesn't%20include%20traffic%20volumes%20such%20as%20upload%20and%20downloaded%20bytes%2C%20and%20that%20the%20delta%20is%20the%20username%20which%20is%20included%20in%20the%20%22%3CSPAN%3ESmart%20Tracker%3C%2FSPAN%3E%22%20logs.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EHope%20it%20makes%20more%20sense%20now.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EThanks%2C%3C%2FP%3E%0A%3CP%3EDanny.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1029314%22%20slang%3D%22en-US%22%3ERe%3A%20Checkpoint%20firewall%20-%20automatic%20log%20collection%20-%20recommended%20method%20%3F%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1029314%22%20slang%3D%22en-US%22%3E%3CP%3EHi%20%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F112613%22%20target%3D%22_blank%22%3E%40Danny%20Kadyshevitch%3C%2FA%3E%26nbsp%3Bjust%20wondering%20how%20this%20might%20play%20out%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EFrom%20what%20we%20can%20see%20this%20was%20raised%20some%20time%20ago%20as%20well%3F%3C%2FP%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2FMicrosoft-Cloud-App-Security%2FCloud-App-Security-lack-of-integration-with-checkpoint-FW%2Fm-p%2F113808%22%20target%3D%22_blank%22%3Ehttps%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2FMicrosoft-Cloud-App-Security%2FCloud-App-Security-lack-of-integration-with-checkpoint-FW%2Fm-p%2F113808%3C%2FA%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EWe%20can%20see%20that%20just%20using%20the%20Snapshot%20tool%20we%20can%20take%20a%20%22Smart%20Tracker%22%20formatted%20download%20from%20the%20Checkpoint%20Firewall%20and%20then%20upload%20it%20into%20MCAS%20and%20it%20has%20plenty%20of%20detail%2C%20and%20yet%20looking%20thru%20the%26nbsp%3B%20details%20here%3A%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fcloud-app-security%2Fset-up-cloud-discovery%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fcloud-app-security%2Fset-up-cloud-discovery%3C%2FA%3E%26nbsp%3Bit%20appears%20that%20by%20using%20the%20AutoCollector%20method%20all%20we%20are%20going%20to%20see%20is%20Target%20and%20Origin%20IP%20Address%20only%3F%20How%20come%20there%20is%20such%20a%20disparity%20of%20the%20detail%20in%20the%20two%20different%20approaches%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EIt%20looks%20like%20we%20can%20get%20a%20Graduate%20to%20maually%20do%20this%20process%20as%20a%20daily%20task%20and%20then%20end%20up%20getting%20a%20decent%20amount%20of%20worthwhile%20data%20ingested%20into%20MCAS%2C%20but%20if%20we%20automate%20it%20then%20the%20level%20of%20detail%20falls%20off%20considerably%20-%20it%20could%20be%20that%20we've%20misunderstood%20this%20-%20but%20this%20doesn't%20seem%20to%20make%20sense%3F%20Is%20there%20possibly%20another%20way%20of%20semi-automating%20the%20upload%20of%20the%20Samrt%20Tracker%20logs%20into%20MCAS%20for%20ingestation%3F%20It%20would%20not%20be%20ideal%20as%20it%20would%20keep%20having%20to%20reference%20the%20specific%20snapshot....%3CBR%20%2F%3E%3CBR%20%2F%3ERegards%2C%3CBR%20%2F%3EDave%20C%3C%2FP%3E%3C%2FLINGO-BODY%3E
Occasional Contributor

Hi - is there a recommended/supported method to achieve automatic Checkpoint firewall log collection ?

 

On the Checkpoint side it seems there are 2 main log export mechanisms.

1. CPLOGTOSYSLOG tool.

2. Log Exporter - Check Point Log Export tool.

 

I am getting the impression that cplogtosyslog is the preferred supported method from Microsoft side. However from Checkpoint side Log Exporter tool is their preferred method going forward. Any guidance or advice on how to get this to work would be appreciated ?

 

Thanks...

5 Replies

Hi Max,

 

Thanks for reaching out.

Few comments on that:

  1. The general answer depends on the log format that each of these tools exports. While I'm not familiar with the format exported by "Log Exporter", MCAS do support formats exported from CPLOGTOSYSLOG.
  2. If possible, please share the format provided by the "Log Exporter", to see whether are also supported out of the box or by MCAS custom log parser.
  3. Can you elaborate some more on the meaning of "Checkpoint side Log Exporter tool is their preferred method going forward"?

 

Thanks,

Danny.

Hi @Danny Kadyshevitch just wondering how this might play out?

 

From what we can see this was raised some time ago as well?

https://techcommunity.microsoft.com/t5/Microsoft-Cloud-App-Security/Cloud-App-Security-lack-of-integ...

 

We can see that just using the Snapshot tool we can take a "Smart Tracker" formatted download from the Checkpoint Firewall and then upload it into MCAS and it has plenty of detail, and yet looking thru the  details here: https://docs.microsoft.com/en-us/cloud-app-security/set-up-cloud-discovery it appears that by using the AutoCollector method all we are going to see is Target and Origin IP Address only? How come there is such a disparity of the detail in the two different approaches?

 

It looks like we can get a Graduate to maually do this process as a daily task and then end up getting a decent amount of worthwhile data ingested into MCAS, but if we automate it then the level of detail falls off considerably - it could be that we've misunderstood this - but this doesn't seem to make sense? Is there possibly another way of semi-automating the upload of the Samrt Tracker logs into MCAS for ingestation? It would not be ideal as it would keep having to reference the specific snapshot....

Regards,
Dave C

Hi @David Caddick,

 

I recently worked with CP team, to learn about their new flow for exporting traffic data over syslog.

These will be reflected by new formats which will be supported by MCAS and that will include more details than the ones included in current supported formats.

 

This is something so be pushed during Q1CY20.

 

Thanks,

Danny.

Thanks @Danny Kadyshevitch, but as we are working with some Govt. Customers that are still on R80.10 and R80.20, etc... I'm not sure how relevant that might be to some of our Customers?

While we have a possible opportunity to create a Customer case study with MS cause this customer is running with Office ATP, Azure ATP, Defender ATP, AAD ID P2, Azure MFA, Azure Sentinel - and yet for MCAS it looks like there is very little rationale to go to the effort of adding the Automated Collector for a CheckPoint Firewall if all it's going to be able to do is add Target/Origin IP address...

 

Sorry, just telling it like it is, and it's a real shame... Is there no other way of getting the Tracker info ingested somehow?

Hi @David Caddick,

 

I think I was misunderstood -

The same data that is supported on the manual approach is also the one supported on the automated approach. If you're saying that it worked for you with the manual option, you should just go ahead and upload data automatically, there's no difference in that case in the data being extracted.

 

Yet, for my knowledge - "Smart Tracker" doesn't include traffic volumes such as upload and downloaded bytes, and that the delta is the username which is included in the "Smart Tracker" logs.

 

Hope it makes more sense now.

 

Thanks,

Danny.