Tchater maintenant avec le support
Tchattez avec un ingénieur du support

InTrust 11.6 - Preparing for Auditing CheckPoint Firewall

CheckPoint Firewall Auditing Overview

The Firewalls Knowledge Pack expands the auditing and reporting capabilities of InTrust to CheckPoint Firewall. The necessary data is provided by the CheckPoint log in plain text format.

Use the following InTrust objects to work with data related to CheckPoint Firewall:

  • “CheckPoint Firewall-1 text Log” data source
  • “CheckPoint Firewall: All Events” gathering policy
  • “CheckPoint Firewall: All Events” import policy
  • “CheckPoint Firewall log daily collection” task
  • “CheckPoint Firewall weekly reporting” task
  • “All CheckPoint firewalls” site

The Knowledge Pack also provides the CheckPoint Firewall report pack. You can schedule the reports with the “CheckPoint Firewall weekly reporting” task.

Getting Started with CheckPoint Auditing

The predefined CheckPoint data source is configured for logs exported by CheckPoint in ASCII format. The data source works with two log formats created by the following methods:

  • Manual export from the CheckPoint Firewall GUI
  • CheckPoint’s standalone export utility

To configure gathering of the CheckPoint log

  1. Do one of the following:
    • Manually export the log to a location that is available to an InTrust agent or directly to the InTrust gathering engine.
    • Create a schedule for the CheckPoint export utility that exports the log to a location that is available to an InTrust agent or directly to the InTrust gathering engine. A sample script for Windows is provided further in this document. For UNIX computers, the script is similar as far as export options go, but with a different syntax.
  1. In InTrust Manager, edit the CheckPoint data source. Specify the log file name and location; you can use regular expressions and wildcards.
    If you want to gather without an agent, specify the path using the %COMPUTER_NAME% variable and a share name (\\%COMPUTER_NAME%\share_name). You can supply the name of a special Windows share or a regular Windows or SMB share, depending on where CheckPoint stores or exports logs in your environment.
  2. Make sure the “All CheckPoint firewalls” site includes the computer where the log is located.
    If you want to gather CheckPoint logs from an SMB share on a Unix host without an agent, make sure that this host is a member of an InTrust site in the Microsoft Windows Environment container. InTrust currently supports gathering from network shares only in Microsoft Windows Environment sites; this workaround makes InTrust aware of the share even though the processed computer is not actually running Windows.
  3. Schedule the “CheckPoint Firewall log daily collection” task. Make sure the gathering job within this task uses the “CheckPoint Firewall: All Events” gathering policy.
    For agentless gathering from an SMB share, the gathering job must be configured for the site described in the previous step. You also need to create a separate gathering policy under the Gathering | Gathering Policies | Microsoft Windows Network node and use it in the gathering job instead of “CheckPoint Firewall: All Events”. In this scenario, the Use agents to execute this job on target computers option must be turned off for the gathering job.
  4. Schedule the “CheckPoint Firewall log weekly reporting” task. Configure the reporting job within this task to create the reports you need.

Sample Export Schedule Script

@echo off

REM Setting Variables

SET EXPORTDIR=c:\checkpoint_export

if exist %EXPORTDIR% goto 2

:1

echo.

echo - Error, [%EXPORTDIR%] does not exist, creating directory...

md %EXPORTDIR%

goto 2

:2

for /F "tokens=2-4 delims=/ " %%i in ('date /t') do (

set Month=%%i

set Day=%%j

set Year=%%k

)

REM Switching logs

echo.

echo - Switching log...

%FWDIR%\bin\fw logswitch cpfw1_%Year%%Month%%Day%.log

REM Removing previously exported logs

echo.

echo - Removing previously exported logs...

rem del %EXPORTDIR%\*.log

REM Exporting logs

echo.

echo - Exporting log...

echo.

fwm logexport -i %FWDIR%\log\cpfw1_%Year%%Month%%Day%.log -d "|" -n -o %EXPORTDIR%\cpfw1_exported_%Year%%Month%%Day%.log

Outils libre-service
Base de connaissances
Notifications et alertes
Support produits
Téléchargements de logiciels
Documentation technique
Forums utilisateurs
Didacticiels vidéo
Flux RSS
Nous contacter
Obtenir une assistance en matière de licence
Support Technique
Afficher tout
Documents connexes

The document was helpful.

Sélectionner une évaluation

I easily found the information I needed.

Sélectionner une évaluation