Ingest Logs from Check Point Firewalls

To take advantage of Cortex XDR investigation and detection capabilities while using Check Point firewalls, forward your firewall logs to Cortex XDR.
If you use Check Point firewalls, you can still take advantage of Cortex XDR investigation and detection capabilities by forwarding your Check Point firewall logs to Cortex XDR. With the forwarded logs, Cortex XDR can examine your network traffic to detect anomalous behavior. Cortex XDR can use Check Point firewall logs as its sole data source, or it can use them alongside Palo Alto Networks firewall logs. For additional endpoint context, you can also use Traps to collect and alert on endpoint data.
As an estimate for initial sizing, note that the average Check Point log size is roughly 700 bytes. For proper sizing calculations, test the log sizes and log rates produced by your Check Point firewalls.
As soon as Cortex XDR starts to receive logs, the app can begin analyzing them and raising Analytics alerts. Cortex XDR stores Analytics alerts according to your Cortex Data Lake storage retention policy but does not store the Check Point firewall logs themselves. As a result, you cannot query Check Point firewall logs or apply IOC and BIOC rule matching to them.
To integrate your logs, you first need to set up an applet in a broker VM within your network to act as a syslog collector. You then configure firewall policy to log all traffic and set up the Log Exporter on your Check Point Log Server to forward logs to the syslog collector in a CEF format.
  1. Configure the Check Point firewall to forward syslog events in CEF format to the syslog collector.
    Configure your firewall policy to log all traffic and set up the Log Exporter to forward logs to the syslog collector. By logging all traffic, you enable Cortex XDR to detect anomalous behavior from Check Point firewall logs. For more information on setting up Log Exporter, see the Check Point documentation.
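As an added example (not code from the Cortex XDR documentation or from Check Point), the script below parses CEF lines of the kind a syslog collector receives from Log Exporter, tallies the logged actions so you can confirm the policy is logging both allowed and dropped traffic rather than drops only, and measures the real average log size and event rate to replace the 700-byte rule of thumb in a sizing calculation. The sample lines, hostnames, addresses and field values are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample: syslog lines carrying CEF payloads in the shape Log Exporter
# emits (header values and extensions are illustrative, not captured traffic).
SAMPLE_LINES = [
    "<134>May  1 10:00:00 cp-mgmt CEF:0|Check Point|VPN-1 & FireWall-1|R81|Accept|Accept|0|"
    "rt=1714557600000 src=10.1.1.5 dst=203.0.113.7 spt=51234 dpt=443 proto=tcp act=Accept "
    "cs1Label=Rule Name cs1=Allow Web",
    "<134>May  1 10:00:20 cp-mgmt CEF:0|Check Point|VPN-1 & FireWall-1|R81|Drop|Drop|0|"
    "rt=1714557620000 src=198.51.100.9 dst=10.1.1.20 spt=40000 dpt=3389 proto=tcp act=Drop "
    "cs1Label=Rule Name cs1=Cleanup rule",
    "<134>May  1 10:00:45 cp-mgmt CEF:0|Check Point|VPN-1 & FireWall-1|R81|Accept|Accept|0|"
    "rt=1714557645000 src=10.1.1.6 dst=10.1.2.3 spt=5353 dpt=53 proto=udp act=Accept "
    "msg=query for a\\=b",
]

CEF_HEADER_FIELDS = ("version", "device_vendor", "device_product", "device_version",
                     "signature_id", "name", "severity")

def parse_cef(line):
    """Return the CEF header fields plus extension key=value pairs as one dict."""
    idx = line.find("CEF:")
    if idx < 0:
        raise ValueError("not a CEF message")
    # Header fields are '|'-separated; an escaped '\|' is a literal pipe, not a separator.
    parts = re.split(r"(?<!\\)\|", line[idx + 4:], maxsplit=7)
    if len(parts) != 8:
        raise ValueError("malformed CEF header")
    rec = {k: v.replace("\\|", "|") for k, v in zip(CEF_HEADER_FIELDS, parts[:7])}
    ext = parts[7]
    # Extension values may contain spaces, so a value runs until the next 'key=' token.
    keys = list(re.finditer(r"(?:^|\s)([A-Za-z0-9_.]+)=", ext))
    for i, m in enumerate(keys):
        end = keys[i + 1].start() if i + 1 < len(keys) else len(ext)
        value = ext[m.end():end].strip().replace("\\=", "=").replace("\\\\", "\\")
        rec[m.group(1)] = value
    return rec

def action_counts(records):
    """Count records per 'act' value; a feed with no Accept entries suggests the
    policy is not logging all traffic, which the detection relies on."""
    return Counter(r.get("act", "unknown") for r in records)

def sizing_estimate(lines, interval_seconds):
    """Measured average bytes per log and events/sec over the capture interval."""
    sizes = [len(l.encode("utf-8")) for l in lines]
    avg = sum(sizes) / len(sizes)
    eps = len(sizes) / interval_seconds
    return {"avg_bytes": avg, "events_per_sec": eps, "bytes_per_day": avg * eps * 86400}
```

Feed it the lines captured on the collector over a known interval (for example, one hour of production traffic) to get sizing figures specific to your environment.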