立即与支持人员聊天
与支持团队交流

InTrust 11.5.1 - Preparing for Auditing CheckPoint Firewall

CheckPoint Firewall Auditing Overview

The Firewalls Knowledge Pack expands the auditing and reporting capabilities of InTrust to CheckPoint Firewall. The necessary data is provided by the CheckPoint log in plain text format.

Use the following InTrust objects to work with data related to CheckPoint Firewall:

  • “CheckPoint Firewall-1 text Log” data source
  • “CheckPoint Firewall: All Events” gathering policy
  • “CheckPoint Firewall: All Events” import policy
  • “CheckPoint Firewall log daily collection” task
  • “CheckPoint Firewall weekly reporting” task
  • “All CheckPoint firewalls” site

The Knowledge Pack also provides the CheckPoint Firewall report pack. You can schedule the reports with the “CheckPoint Firewall weekly reporting” task.

Getting Started with CheckPoint Auditing

The predefined CheckPoint data source is configured for logs exported by CheckPoint in ASCII format. The data source works with two log formats created by the following methods:

  • Manual export from the CheckPoint Firewall GUI
  • CheckPoint’s standalone export utility

To configure gathering of the CheckPoint log

  1. Do one of the following:
    • Manually export the log to a location that is available to an InTrust agent or directly to the InTrust gathering engine.
    • Create a schedule for the CheckPoint export utility that exports the log to a location that is available to an InTrust agent or directly to the InTrust gathering engine. A sample script for Windows is provided further in this document. For UNIX computers, the script is similar as far as export options go, but with a different syntax.
  1. In InTrust Manager, edit the CheckPoint data source. Specify the log file name and location; you can use regular expressions and wildcards.
    If you want to gather without an agent, specify the path using the %COMPUTER_NAME% variable and a share name (\\%COMPUTER_NAME%\share_name). You can supply the name of a special Windows share or a regular Windows or SMB share, depending on where CheckPoint stores or exports logs in your environment.
  2. Make sure the “All CheckPoint firewalls” site includes the computer where the log is located.
    If you want to gather CheckPoint logs from an SMB share on a Unix host without an agent, make sure that this host is a member of an InTrust site in the Microsoft Windows Environment container. InTrust currently supports gathering from network shares only in Microsoft Windows Environment sites; this workaround makes InTrust aware of the share even though the processed computer is not actually running Windows.
  3. Schedule the “CheckPoint Firewall log daily collection” task. Make sure the gathering job within this task uses the “CheckPoint Firewall: All Events” gathering policy.
    For agentless gathering from an SMB share, the gathering job must be configured for the site described in the previous step. You also need to create a separate gathering policy under the Gathering | Gathering Policies | Microsoft Windows Network node and use it in the gathering job instead of “CheckPoint Firewall: All Events”. In this scenario, the Use agents to execute this job on target computers option must be turned off for the gathering job.
  4. Schedule the “CheckPoint Firewall log weekly reporting” task. Configure the reporting job within this task to create the reports you need.

Sample Export Schedule Script

@echo off

REM Setting Variables

SET EXPORTDIR=c:\checkpoint_export

if exist %EXPORTDIR% goto 2

:1

echo.

echo - Error, [%EXPORTDIR%] does not exist, creating directory...

md %EXPORTDIR%

goto 2

:2

for /F "tokens=2-4 delims=/ " %%i in ('date /t') do (

set Month=%%i

set Day=%%j

set Year=%%k

)

REM Switching logs

echo.

echo - Switching log...

%FWDIR%\bin\fw logswitch cpfw1_%Year%%Month%%Day%.log

REM Removing previously exported logs

echo.

echo - Removing previously exported logs...

rem del %EXPORTDIR%\*.log

REM Exporting logs

echo.

echo - Exporting log...

echo.

fwm logexport -i %FWDIR%\log\cpfw1_%Year%%Month%%Day%.log -d "|" -n -o %EXPORTDIR%\cpfw1_exported_%Year%%Month%%Day%.log

自助服务工具
知识库
通知和警报
产品支持
下载软件
技术说明文件
用户论坛
视频教程
RSS订阅源
联系我们
获得许可 帮助
技术支持
查看全部
相关文档

The document was helpful.

选择评级

I easily found the information I needed.

选择评级