CheckPoint Firewall Auditing Overview
The Firewalls Knowledge Pack expands the auditing and reporting capabilities of InTrust to CheckPoint Firewall. The necessary data is provided by the CheckPoint log in plain text format.
Use the following InTrust objects to work with data related to CheckPoint Firewall:
- “CheckPoint Firewall-1 text Log” data source
- “CheckPoint Firewall: All Events” gathering policy
- “CheckPoint Firewall: All Events” import policy
- “CheckPoint Firewall log daily collection” task
- “CheckPoint Firewall weekly reporting” task
- “All CheckPoint firewalls” site
The Knowledge Pack also provides the CheckPoint Firewall report pack. You can schedule the reports with the “CheckPoint Firewall weekly reporting” task.
Getting Started with CheckPoint Auditing
The predefined CheckPoint data source is configured for logs exported by CheckPoint in ASCII format. The data source works with two log formats created by the following methods:
- Manual export from the CheckPoint Firewall GUI
- CheckPoint’s standalone export utility
To configure gathering of the CheckPoint log
- Do one of the following:
- Manually export the log to a location that is available to an InTrust agent or directly to the InTrust gathering engine.
- Create a schedule for the CheckPoint export utility that exports the log to a location that is available to an InTrust agent or directly to the InTrust gathering engine. A sample script for Windows is provided further in this document. For UNIX computers, the script is similar as far as export options go, but with a different syntax.
- In InTrust Manager, edit the CheckPoint data source. Specify the log file name and location; you can use regular expressions and wildcards.
If you want to gather without an agent, specify the path using the %COMPUTER_NAME% variable and a share name (\\%COMPUTER_NAME%\share_name). You can supply the name of a special Windows share or a regular Windows or SMB share, depending on where CheckPoint stores or exports logs in your environment.
- Make sure the “All CheckPoint firewalls” site includes the computer where the log is located.
If you want to gather CheckPoint logs from an SMB share on a Unix host without an agent, make sure that this host is a member of an InTrust site in the Microsoft Windows Environment container. InTrust currently supports gathering from network shares only in Microsoft Windows Environment sites; this workaround makes InTrust aware of the share even though the processed computer is not actually running Windows.
- Schedule the “CheckPoint Firewall log daily collection” task. Make sure the gathering job within this task uses the “CheckPoint Firewall: All Events” gathering policy.
For agentless gathering from an SMB share, the gathering job must be configured for the site described in the previous step. You also need to create a separate gathering policy under the Gathering | Gathering Policies | Microsoft Windows Network node and use it in the gathering job instead of “CheckPoint Firewall: All Events”. In this scenario, the Use agents to execute this job on target computers option must be turned off for the gathering job.
- Schedule the “CheckPoint Firewall log weekly reporting” task. Configure the reporting job within this task to create the reports you need.
Sample Export Schedule Script
@echo off
REM Setting Variables
SET EXPORTDIR=c:\checkpoint_export
if exist %EXPORTDIR% goto 2
:1
echo.
echo - Error, [%EXPORTDIR%] does not exist, creating directory...
md %EXPORTDIR%
goto 2
:2
for /F "tokens=2-4 delims=/ " %%i in ('date /t') do (
set Month=%%i
set Day=%%j
set Year=%%k
)
REM Switching logs
echo.
echo - Switching log...
%FWDIR%\bin\fw logswitch cpfw1_%Year%%Month%%Day%.log
REM Removing previously exported logs
echo.
echo - Removing previously exported logs...
rem del %EXPORTDIR%\*.log
REM Exporting logs
echo.
echo - Exporting log...
echo.
fwm logexport -i %FWDIR%\log\cpfw1_%Year%%Month%%Day%.log -d "|" -n -o %EXPORTDIR%\cpfw1_exported_%Year%%Month%%Day%.log