cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
martin_p
Level 7
Report Inappropriate Content
Message 1 of 11
‎07-24-2014 02:43 AM

Check Point Firewall R75 Datasource (OPSEC) and finding specific LOG-Information

Jump to solution

Hello!

After configureing the Check Point SmartCenter-Server as a datasource (OPSEC-Connection) i can see a lot of log-information of the firewalls.

Till now i did not find out how to find Logs related to the IPS-System of the Firewall. All the IPS-Logs are stored on the SmartCenter and are transfered via the OPSEC-Connection to the SIEM-System but i am not able to find them (drilldown, etc.).

Best regards

Martin

0 Kudos
Reply
1 Solution

Accepted Solutions
japie
Level 9
Report Inappropriate Content
Message 9 of 11
‎07-29-2014 01:25 PM

Re: Check Point Firewall R75 Datasource (OPSEC) and finding specific LOG-Information

Jump to solution

Hi Martin

If you are using the Smart Defence IPS from Check Point, you can build a custom view.

If you want to view all the Smart Defence IPS classifications use the application filter: Smart Defence ( you will see this as well from the Check Point management station feed or datasource)

The same goes for any other blade functionality you enable from the Check Point technology stack ( application control,anti-botnet etc)

From there you can go down further and break it up in signature etc.

One big issue we have currently is with the auto-learn rules which clash with the 7 custom ASP rules provided by McAfee.

Regards,

Japie

View solution in original post

0 Kudos
Reply
10 Replies
lichnt
Level 7
Report Inappropriate Content
Message 2 of 11
‎07-27-2014 07:51 AM

Re: Check Point Firewall R75 Datasource (OPSEC) and finding specific LOG-Information

Jump to solution

Can you capture config CP FW ?

0 Kudos
Reply
martin_p
Level 7
Report Inappropriate Content
Message 3 of 11
‎07-28-2014 03:11 AM

Re: Check Point Firewall R75 Datasource (OPSEC) and finding specific LOG-Information

Jump to solution

Hello!

What kind of information do you mean? I configured on the SmartCenter the OPSEC-Part.

Best regards

Martin P.

0 Kudos
Reply
lichnt
Level 7
Report Inappropriate Content
Message 4 of 11
‎07-28-2014 03:13 AM

Re: Check Point Firewall R75 Datasource (OPSEC) and finding specific LOG-Information

Jump to solution

Yes

0 Kudos
Reply
martin_p
Level 7
Report Inappropriate Content
Message 5 of 11
‎07-28-2014 03:19 AM

Re: Check Point Firewall R75 Datasource (OPSEC) and finding specific LOG-Information

Jump to solution

Hello!

It is straight forward:

Vendor: User defined

Server Entities: none

Client Entities: LEA

As I said, this connection works fine and i can see all the Rule-Descriptions, the traffic. And i can make drill-downs (for example) based on source-ips, Ports. But i have the problem that till now, i cannot drill down (find) possilbe IPS-Logs, which are generated by the IPS-Blade on the Firewall.

Best regardsopsec.JPG

Martin

0 Kudos
Reply
lichnt
Level 7
Report Inappropriate Content
Message 6 of 11
‎07-28-2014 03:36 AM

Re: Check Point Firewall R75 Datasource (OPSEC) and finding specific LOG-Information

Jump to solution

at communication you config as picture:

01.png

AT ESM : you config as datasource with one time password

0 Kudos
Reply
martin_p
Level 7
Report Inappropriate Content
Message 7 of 11
‎07-28-2014 03:37 AM

Re: Check Point Firewall R75 Datasource (OPSEC) and finding specific LOG-Information

Jump to solution

Hello!

Yes as i said, the OPSEC-Connection works fine, trust is established. How can you see IPS-Alerts in the MC-AFEE ESM?

Best regards

Martin

0 Kudos
Reply
martin_p
Level 7
Report Inappropriate Content
Message 8 of 11
‎07-28-2014 03:53 AM

Re: Check Point Firewall R75 Datasource (OPSEC) and finding specific LOG-Information

Jump to solution

Hello!

Now i maybe found something. With the drill-down-option i found out, that in the value-field "Threat_Name" the original Check Point Names of the IPS-Alarms are listened! Maybe i can use this to create reports/alarms.

Have you tried this in this way?

Martin

0 Kudos
Reply
japie
Level 9
Report Inappropriate Content
Message 9 of 11
‎07-29-2014 01:25 PM

Re: Check Point Firewall R75 Datasource (OPSEC) and finding specific LOG-Information

Jump to solution

Hi Martin

If you are using the Smart Defence IPS from Check Point, you can build a custom view.

If you want to view all the Smart Defence IPS classifications use the application filter: Smart Defence ( you will see this as well from the Check Point management station feed or datasource)

The same goes for any other blade functionality you enable from the Check Point technology stack ( application control,anti-botnet etc)

From there you can go down further and break it up in signature etc.

One big issue we have currently is with the auto-learn rules which clash with the 7 custom ASP rules provided by McAfee.

Regards,

Japie

View solution in original post

0 Kudos
Reply
martin_p
Level 7
Report Inappropriate Content
Message 10 of 11
‎08-01-2014 04:12 AM

Re: Check Point Firewall R75 Datasource (OPSEC) and finding specific LOG-Information

Jump to solution

Hi Japie!

Thank you very much for your answere. Now i found out how to proceed with this.

It works great!

Best regards

Martin

0 Kudos
Reply
You Deserve an Award
Don't forget, when your helpful posts earn a kudos or get accepted as a solution you can unlock perks and badges. Those aren't the only badges, either. How many can you collect? Click here to learn more.

Community Help Hub

    New to the forums or need help finding your way around the forums? There's a whole hub of community resources to help you.

  • Find Forum FAQs
  • Learn How to Earn Badges
  • Ask for Help
Go to Community Help

Join the Community

    Thousands of customers use the McAfee Community for peer-to-peer and expert product support. Enjoy these benefits with a free membership:

  • Get helpful solutions from McAfee experts.
  • Stay connected to product conversations that matter to you.
  • Participate in product groups led by McAfee employees.
Join the Community
Join the Community


Corporate Headquarters
6220 America Center Drive
San Jose, CA 95002 USA

Consumer Support   |   Enterprise Support   |   McAfee.com

Legal   |   Privacy   |   Copyright © 2020 McAfee, LLC