To take advantage of Cortex XDR investigation and detection
capabilities while using Check Point firewalls, forward your firewall
logs to Cortex XDR.
Ingesting Check Point firewall logs and data requires a Cortex XDR Pro per TB license.
If you use Check Point FW1/VPN1 firewalls, you can still take advantage
of Cortex XDR investigation and detection capabilities by forwarding
your Check Point firewall logs to Cortex XDR. Check Point firewall
logs can serve as the sole data source, or you can use them in
conjunction with Palo Alto Networks firewall logs and additional data
sources.
Cortex XDR can stitch data from Check Point firewalls with other logs
to form network stories that are searchable in the Query Builder and
in XQL queries. Cortex XDR can also return raw data from Check Point
firewalls; in raw records, sessionid = 0. Destination Port data is
available only in the raw logs.
For alerts, Cortex XDR can both surface native Check Point firewall
alerts and raise its own alerts on network activity. Alerts are
displayed throughout the Cortex XDR alert, incident, and investigation
views.
To integrate your logs, you first need to set up an applet in a broker
VM within your network to act as a Syslog Collector. You then configure
your Check Point firewall policy to log all traffic and set up the Log
Exporter on your Check Point Log Server to forward logs to the Syslog
Collector in CEF format. As soon as Cortex XDR starts to receive logs,
the app can begin stitching network connection logs with other logs to
form network stories. Cortex XDR can also analyze your logs to raise
Analytics alerts and can apply IOC and BIOC rule matching. You can
also use queries to search your network connection logs.
Ensure that your Check Point firewalls meet the following requirement.
Supported Check Point software versions include R77.30, R80.10, R80.20,
and R80.30.
Increase log storage for Check Point firewall logs.
As an estimate for initial sizing, note that the average
Check Point log size is roughly 700 bytes. For proper sizing calculations, test
the log sizes and log rates produced by your Check Point firewalls.
For more information, see Allocate Log Storage for Cortex XDR.
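The following is an added example for this page, not code from Cortex XDR, Palo Alto Networks, or Check Point. It shows what the Syslog Collector receives from the Log Exporter step described above: a small parser for CEF records (header fields plus key=value extension, with the backslash escaping CEF uses), run over constructed sample lines, together with the per-event size measurement and daily/retained-volume projection the sizing step calls for, and a count of destination ports, a field that exists only in the raw logs. The sample lines, the host name cp-mgmt, the event rate of 500 events per second, and the 30-day retention figure are assumptions; your own Log Exporter output will differ in field set and size, which is why measuring it beats the 700-byte rule of thumb.

```python
"""Parse CEF records as forwarded by Check Point Log Exporter and size log storage.

Added example for this page, not code from Cortex XDR or Check Point. The log
lines below are constructed to resemble Log Exporter CEF output (a syslog
header followed by a CEF record); field names and values are assumptions.
"""
import re
from collections import Counter
from typing import Dict, Iterable, List

# Constructed sample records; not captured from a real firewall.
SAMPLE_LOGS: List[str] = [
    r"<134>May  1 10:00:00 cp-mgmt CEF:0|Check Point|VPN-1 & FireWall-1|R80.30|Accept|Accept|1|"
    r"rt=1714557600000 src=10.1.1.5 dst=93.184.216.34 spt=51234 dpt=443 proto=tcp act=Accept "
    r"cs1Label=rule_name cs1=Web\=Allowed",
    r"<134>May  1 10:00:01 cp-mgmt CEF:0|Check Point|VPN-1 & FireWall-1|R80.30|Drop|Drop\|Cleanup|5|"
    r"rt=1714557601000 src=198.51.100.7 dst=10.1.1.20 spt=40000 dpt=22 proto=tcp act=Drop "
    r"cs1Label=rule_name cs1=Cleanup rule",
    r"<134>May  1 10:00:02 cp-mgmt CEF:0|Check Point|VPN-1 & FireWall-1|R80.30|Accept|Accept|1|"
    r"rt=1714557602000 src=10.1.1.9 dst=10.1.1.53 spt=53211 dpt=53 proto=udp act=Accept "
    r"cs1Label=rule_name cs1=DNS",
]

# The seven CEF header fields, in order.
HEADER_KEYS = ("cef_version", "vendor", "product", "device_version",
               "signature_id", "name", "severity")


def parse_cef(line: str) -> Dict[str, str]:
    """Return the header fields plus extension key/value pairs of one CEF line.

    A literal '|' or '\\' inside a header field is escaped with a backslash.
    The extension is 'key=value' pairs separated by spaces; '=' and '\\'
    inside a value are backslash-escaped, and values may contain spaces.
    """
    start = line.find("CEF:")
    if start < 0:
        raise ValueError("not a CEF record")
    body = line[start + len("CEF:"):]

    fields: List[str] = []
    current: List[str] = []
    i = 0
    while i < len(body) and len(fields) < len(HEADER_KEYS):
        ch = body[i]
        if ch == "\\" and i + 1 < len(body):  # escaped '|' or '\' in a header field
            current.append(body[i + 1])
            i += 2
            continue
        if ch == "|":
            fields.append("".join(current))
            current = []
        else:
            current.append(ch)
        i += 1
    if len(fields) < len(HEADER_KEYS):
        raise ValueError("truncated CEF header")
    record = dict(zip(HEADER_KEYS, fields))

    extension = body[i:].strip()
    # Split only at a space that begins the next 'key=' token, so values keep their spaces.
    for token in re.split(r" (?=[A-Za-z0-9_.]+=)", extension):
        key, sep, value = token.partition("=")
        if sep:
            record[key] = re.sub(r"\\(.)", r"\1", value)  # unescape '\=' and '\\'
    return record


def sizing_estimate(lines: Iterable[str], events_per_second: float,
                    retention_days: int) -> Dict[str, float]:
    """Measure average bytes per forwarded event and project daily and retained volume.

    The page's rule of thumb is roughly 700 bytes per Check Point log; measured
    Log Exporter output from your own environment should replace these samples.
    """
    sizes = [len(line.encode("utf-8")) for line in lines]
    if not sizes:
        raise ValueError("no log lines to measure")
    avg_bytes = sum(sizes) / len(sizes)
    bytes_per_day = avg_bytes * events_per_second * 86_400
    return {
        "avg_bytes_per_event": round(avg_bytes),
        "gb_per_day": round(bytes_per_day / 1e9, 3),
        "tb_retained": round(bytes_per_day * retention_days / 1e12, 3),
    }


def destination_port_counts(records: Iterable[Dict[str, str]]) -> Dict[str, int]:
    """Count events per destination port ('dpt'), a field present only in the raw logs."""
    return dict(Counter(rec["dpt"] for rec in records if "dpt" in rec))


if __name__ == "__main__":
    parsed = [parse_cef(line) for line in SAMPLE_LOGS]
    for rec in parsed:
        print(f"{rec['name']:<13} {rec['src']}:{rec['spt']} -> {rec['dst']}:{rec['dpt']} {rec['act']}")
    print("destination ports:", destination_port_counts(parsed))
    # 500 events/s and 30-day retention are assumed figures for the illustration.
    print("sizing:", sizing_estimate(SAMPLE_LOGS, events_per_second=500, retention_days=30))
```

Run it against a capture of your own Log Exporter output (one line per event) instead of SAMPLE_LOGS and feed the observed event rate from the Log Server into sizing_estimate; the resulting gb_per_day is the figure to carry into Allocate Log Storage for Cortex XDR.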
Configure the Check Point firewall to forward syslog
events in CEF format to the Syslog Collector.
Configure your firewall policy to log all traffic and set
up the Log Exporter to forward logs to the Syslog Collector. For
more information on setting up Log Exporter, see the Check Point