Blumira’s modern cloud SIEM platform integrates with Check Point’s Next Generation Firewalls to detect cybersecurity threats and provide an automated or actionable response to remediate when a threat is detected.
When configured, the Blumira integration with Check Point Next-Gen Firewalls will stream security event logs to the Blumira service for threat detection and actionable response.
When Blumira’s dynamic blocklist capabilities are configured with the Check Point Firewall, Blumira can automatically block known threats, add new block rules as threats are detected, and block sources reported by Blumira’s community of customers that have detected new threats, all through automation and without requiring any human interaction.
Learn more about enabling Blumira’s Dynamic Block Lists to block malicious source IP addresses and domains for automated threat response.
In this document, you will learn how to configure Check Point either to allow a LEA client to connect over an authenticated SSL CA connection, or to use the newer log_exporter syslog solution added with R77.30/R80.10 Jumbo Hotfix 56.
If your Check Point is R80.10 or later with Jumbo Hotfix 56, you can use the new, simpler Syslog Exporter instead of setting up the LEA application. The LEA setup described below still works on newer Check Point releases, so you may use it if you prefer, but it requires considerably more configuration.
On your Check Point Management Server CLI, run the following command after replacing <blumira_sensor> with the IP address of the Blumira Sensor you have deployed.
cp_log_export add name Blumira target-server <blumira_sensor> target-port 514 protocol tcp format cef
The exporter reads the log files directly on the Management Server; no filtering of the shipped logs should be required.
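As an added example (not Blumira's or Check Point's code), a small parser for the CEF lines the exporter ships to the sensor on TCP 514, run over constructed sample events: it honours the CEF escapes (\| in the header, \= and \n in the extension) that a naive split on pipes and spaces gets wrong, then rolls up Drop events per source IP. The extension keys (src, dst, act, cs1) are standard CEF names; their exact mapping from Check Point fields is assumed here, not taken from Check Point's documentation.

```python
import re
from collections import Counter

# Constructed sample lines in the shape Log Exporter emits with "format cef"; IPs, ports and rule name are made up.
SAMPLE_LINES = [
    "CEF:0|Check Point|VPN-1 & FireWall-1|R80.10|Drop|Log|0|"
    "rt=1580000000000 src=203.0.113.45 dst=192.0.2.10 spt=51234 dpt=445 proto=tcp "
    "act=Drop cs1Label=Rule Name cs1=Block\\=Inbound\\=SMB msg=line1\\nline2",
    "CEF:0|Check Point|VPN-1 & FireWall-1|R80.10|Accept|Log|0|"
    "rt=1580000001000 src=198.51.100.7 dst=192.0.2.10 spt=40001 dpt=443 proto=tcp act=Accept",
    "CEF:0|Check Point|VPN-1 & FireWall-1|R80.10|Drop|Log|0|"
    "rt=1580000002000 src=203.0.113.45 dst=192.0.2.11 spt=51235 dpt=3389 proto=tcp act=Drop",
]

_HEADER = ("version", "device_vendor", "device_product", "device_version", "signature_id", "name", "severity")
_KEY_RE = re.compile(r"(?:^| )([A-Za-z0-9_.]+)=")  # an unescaped key= at the start or after a space

def _split_header(line):
    """Split the seven pipe-delimited header fields, honouring the CEF escapes \\| and \\\\."""
    fields, cur, i = [], [], 0
    while i < len(line) and len(fields) < 7:
        ch = line[i]
        if ch == "\\" and i + 1 < len(line) and line[i + 1] in "|\\":
            cur.append(line[i + 1]); i += 2        # escaped pipe or backslash stays in the field
        elif ch == "|":
            fields.append("".join(cur)); cur = []; i += 1
        else:
            cur.append(ch); i += 1
    if len(fields) != 7 or not fields[0].startswith("CEF:"):
        raise ValueError("malformed CEF header: %r" % line[:40])
    fields[0] = fields[0][4:]                      # "CEF:0" -> "0"
    return fields, line[i:]                        # remainder is the extension

def _unescape(value):
    """Undo extension escapes: \\= \\\\ \\n \\r (any other escaped character is kept literally)."""
    return re.sub(r"\\(.)", lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)), value)

def parse_cef(line):
    """Parse one CEF line into a flat dict: header fields plus extension key/value pairs."""
    fields, ext = _split_header(line.rstrip("\r\n"))
    event = dict(zip(_HEADER, fields))
    keys = list(_KEY_RE.finditer(ext))
    for n, m in enumerate(keys):               # a value runs up to the next unescaped key=
        end = keys[n + 1].start() if n + 1 < len(keys) else len(ext)
        event[m.group(1)] = _unescape(ext[m.end():end])
    return event

def drops_by_source(lines):
    """Count dropped connections per source IP: the roll-up a detection rule typically starts from."""
    return Counter(e["src"] for e in map(parse_cef, lines) if e.get("act") == "Drop")
```

Feeding the sensor's received lines through parse_cef is a quick way to confirm the exporter is sending well-formed CEF before relying on it for detection.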
References:
https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk122323#How%20does%20it%20Work
https://community.checkpoint.com/t5/Logging-and-Reporting/R80-10-Syslog-Exporter/m-p/37042
https://community.checkpoint.com/t5/Logging-and-Reporting/Exporting-Check-Point-logs-over-syslog-LogExporter-with-Log/td-p/38410
The detailed process is:
1. Log in to the Check Point Management Server CLI as admin and type the following commands:
expert
(This will ask for your expert password.)
grep auth_type $FWDIR/conf/fwopsec.conf
(This shows whether a lea_server auth_type line is already present before you append one.)
echo 'lea_server auth_type sslca' >> $FWDIR/conf/fwopsec.conf
cpstop; cpstart
(This will cause some downtime, and your console may be disconnected.)
2. In the Check Point management console, create a new OPSEC Application object: More object types → Server → OPSEC Application → New application...
3. In the new OPSEC Application object, click the Communication... button. Choose a one-time password and enter it (twice). Leave the Trust state field unchanged. Click on Initialize, then on Close.
When you add the Blumira Sensor Module, you will need to provide the following information:
1. If the Sensor is already created, select the far right edit button and click View Detail.
2. Once the flyout for your Sensor opens, click Add a module, which opens the Module selection screen. Select the Check Point Module from the dropdown; as of writing this article the latest version is 1.0.0. If your Sensor does not have a Logger module yet, add that module as well using its latest version, 1.1.0 at the time of writing.
3. After selecting the module, enter into the form the one-time password you set earlier, the LEA object name you chose during setup, the address of the Check Point Management Server, and the LEA port (if different from the default). Once completed, click Create, and Blumira will push the Check Point module down to your selected Sensor.
4. Blumira will deploy the Check Point Module with your defined information into the Sensor platform and complete the certificate exchange to start pulling logs via LEA. Logs should start flowing within 5-15 minutes, depending on the utilization of the device and its setup.