Forwarding CheckPoint Logs to Syslog Server

This document captures the syslog configuration and the logs of the different software blades as they appear in SmartView Tracker and on the syslog server, for the following scenarios:

Scenario 1: R77.30 Mgmt and R77.30 GW, syslog forwarded through the Gateway (limitation: some logs will be hidden)

Scenario 2: R77.30 Mgmt and R77.30 GW, syslog forwarded through the Mgmt (limitation: all logs are written to /var/log/messages first and then forwarded to the syslog server)

Scenario 3: R80 Mgmt and R77.30 GW, syslog forwarded through the Mgmt (limitation: all logs are written to /var/log/messages first and then forwarded to the syslog server)

In this article we show the logs of the following software blades:

1. Firewall

2. IPS

3. Anti-Virus

4. Anti-Bot

5. Application Control

6. URL Filtering

Scenario 1: Forwarding the Traffic Logs from R77.30 Firewall to Syslog Server

In this scenario, the firewall is configured to send its traffic logs directly to both the Management Server and the Syslog Server.

Note: only traffic logs can be seen on the Syslog server; the gateway's /var/log/messages entries are not forwarded.

1. Install the R77.30 Add-on on the Management Server via CPUSE.

2. Create the Syslog Server object in SmartDashboard.

3. Under “Send logs and alerts to these log servers”, add the Syslog server object alongside the existing management server object.

4. Enable the fwsyslog_enable parameter on the Firewall, either on the fly or permanently, and install the Policy.

Firewall Software Blade Log:

1. Accessed the website http://qostechnology.in/ whose IP address is 166.62.28.120; the log is shown below:

2017-01-30 16:07:33 System0.Notice 10.10.10.254 Jan 30 16:07:33+05:1800 10.10.10.254 Action="accept" UUid="{0x588f176d,0x3,0xfe0a0a0a,0xc0000000}" inzone="Internal" outzone="External" rule="3" rule_uid="{E6149B4A-DF60-4500-A097-5557F547A675}" rule_name="Internet Access" service_id="http" src="10.10.10.5" dst="166.62.28.120" proto="6" xlatesrc="10.10.18.254" NAT_rulenum="4" NAT_addtnl_rulenum="1" product="VPN-1 & FireWall-1" service="80" s_port="1445" xlatesport="10381" product_family="Network"

URL Filtering Software Blade Log:

1. Accessed the website http://qostechnology.in/; the log is shown below:

2017-01-30 16:07:36 System0.Notice 10.10.10.254 Jan 30 16:07:34+05:1800 10.10.10.254 Action="allow" UUid="{0x588f176e,0x0,0xfe0a0a0a,0xc0000000}" src="10.10.10.5" dst="166.62.28.120" proto="6" appi_name="******" app_desc="******" app_id="******" app_category="******" matched_category="******" app_properties="******" app_risk="******" app_rule_id="******" app_rule_name="******" web_client_type="Firefox" web_server_type="Apache" resource="http://qostechnology.in/" proxy_src_ip="10.10.10.5" product="URL Filtering" service="80" s_port="1445" product_family="Network"

Application Control Software Blade Log:

1. Tried to block the WinSCP application; the log is shown below:

2017-01-30 17:37:18 System0.Notice 10.10.10.254 Jan 30 17:37:18+05:1800 10.10.10.254 Action="block" UUid="{0x588f2c76,0x3,0xfe0a0a0a,0xc0000000}" src="10.10.10.5" dst="194.29.38.122" proto="6" appi_name="******" app_desc="******" app_id="******" app_category="******" matched_category="******" app_properties="******" app_risk="******" app_rule_id="******" app_rule_name="******" app_sig_id="60343744:1" proxy_src_ip="10.10.10.5" product="Application Control" service="22" s_port="1846" product_family="Network"

IPS Software Blade Log:

1. Performed a port scan against my firewall; the log is shown below:

01-30-2017 16:25:24 System0.Notice 10.10.10.254 Jan 30 16:25:22+05:1800 10.10.10.254 Action="reject" UUid="{0x0,0x0,0x0,0x0}" Protection Name="Non-MD5 Authenticated BGP Connections" Severity="3" Confidence Level="3" protection_id="bgp_protos" SmartDefense Profile="Recommended_Protection" Performance Impact="3" Industry Reference="CAN-2004-0589, CAN-2004-0230" Protection Type="protection" Attack Info="Non-MD5 Authenticated BGP Protocol Detected on Connection" attack="BGP Enforcement Violation" rule="1" rule_uid="{547FE81C-AC6A-47A3-981F-9DCBB2606E80}" rule_name="Mgmt Access" Total logs="12" Suppressed logs="11" proto="6" dst="10.10.10.254" src="10.10.10.1" product="SmartDefense" service="179" FollowUp="Not Followed" product_family="Network"

Anti-Virus Software Blade Log:

1. Tested downloading a malicious file from the URL below; the log follows:

http://www.wicar.org/test-malware.html

01-30-2017 16:32:59 System0.Notice 10.10.10.254 Jan 30 16:32:59+05:1800 10.10.10.254 Action="monitor" UUid="{0x588f1d63,0x4,0xfe0a0a0a,0xc0000000}" src="10.10.10.5" dst="62.0.58.94" proto="6" session_id="{0x588f1d63,0x4,0xfe0a0a0a,0xc0000000}" Protection name="REP.ianwwg" description="Connections to IP associated by DNS trap with malicious domain. See sk74060 for more information." Source OS="Windows" Confidence Level="1" severity="2" malware_action="Access to site known to contain malware" Protection Type="DNS Trap" malware_rule_id="{1E90B500-246E-1F43-82F4-4E99FAD647B6}" Destination DNS Hostname="malware.wicar.org" protection_id="000AC512A" vendor_list="Check Point ThreatCloud" log_id="2" scope="10.10.10.5" product="New Anti Virus" service="80" s_port="1687"

Anti-Bot Software Blade Log:

1. Tested the bot test link given in Check Point article sk110481; the log follows:

http://sc1.checkpoint.com/za/images/threatwiki/pages/TestAntiBotBlade.html

2017-01-30 16:00:28 System0.Notice 10.10.10.254 Jan 30 16:00:26+05:1800 10.10.10.254 Action="redirect" UUid="{0x588f1348,0x3,0xfe0a0a0a,0xc0000000}" web_client_type="Firefox" resource="http://sc1.checkpoint.com/za/images/threatwiki/pages/TestAntiBotBlade.html" src="10.10.10.5" dst="184.31.212.234" proto="6" session_id="{0x588f1348,0x3,0xfe0a0a0a,0xc0000000}" Protection name="Check Point – Testing Bot" malware_family="Check Point" Source OS="Windows" Confidence Level="5" severity="2" malware_action="Communication with C&C site" rule_uid="{E6149B4A-DF60-4500-A097-5557F547A675}" rule_name="Internet Access" Protection Type="URL reputation" malware_rule_id="{1E90B500-246E-1F43-82F4-4E99FAD647B6}" protection_id="00233CFEE" log_id="2" proxy_src_ip="10.10.10.5" scope="10.10.10.5" product="Anti Malware" service="80" s_port="1414"

Scenario 2: Forwarding Traffic Logs stored on the R77.30 Management Server to Syslog Server

1. Add the line below to the /etc/rc.d/init.d/cpboot file (straight quotes; the curly quotes shown by the blog will break the shell):

fw log -f -t -n -l 2> /dev/null | awk 'NF' | sed '/^$/d' | logger -p local4.info -t CP_FireWall &

2. After this, the firewall logs appear in the /var/log/messages file.

Note: the Management Server's own /var/log/messages entries appear alongside the firewall logs.

3. Now send these messages to the remote syslog server. Open an SSH connection to the Management Server in normal user mode and enter the following command:

> add syslog log-remote-address <IP-address_of_Syslog_Server> level info

4. The logs from the Management Server (10.10.10.10) are now visible on the Syslog server:

a) Traffic logs on the Syslog server

b) /var/log/messages of the Management Server on the Syslog server

Firewall Software Blade Log:

1. Accessed the website http://qostechnology.in/ whose IP address is 166.62.28.120; the log is shown below:

01-30-2017 19:41:43 Local4.Info 10.10.10.10 CP_FireWall: 30Jan2017 19:41:35 accept 10.10.10.254 >eth0 inzone:Internal; outzone:External;rule:3;rule_uid:{E6149B4A-DF60-4500-A097-5557F547A675};rule_name:Internet Access; service_id:http; src:10.10.10.5;dst:166.62.28.120; proto:tcp; xlatesrc:10.10.18.254;NAT_rulenum:4;NAT_addtnl_rulenum:1;product:VPN-1 & FireWall-1;service:http;s_port:2158;xlatesport:11003;product_family:Network

 

URL Filtering Software Blade Log:

1. Accessed the website http://qostechnology.in/; the log is shown below:

01-30-2017 19:41:43 Local4.Info 10.10.10.10 CP_FireWall: 30Jan2017 19:41:36 allow 10.10.10.254 <eth1 src:10.10.10.5;dst:166.62.28.120;proto:tcp; appi_name:qostechnology.in; app_id:1109311486;matched_category:Business / Economy;app_properties:Business / Economy,URL Filtering;app_risk:0; app_rule_id:{62C84CA0-0C82-4C07-B9BF-CD8F1CD67E17}; web_client_type:Firefox; web_server_type:Apache; resource:http://www.qostechnology.in/; proxy_src_ip:10.10.10.5; product:URL Filtering;service:http; s_port:2158;product_family:Network

 

Application Control Software Blade Log:

1. Tried to block the WinSCP application; the log is shown below:

01-30-2017 19:47:36 Local4.Info 10.10.10.10 CP_FireWall: 30Jan2017 19:46:29 block 10.10.10.254 <eth0 src:10.10.10.5;dst:194.29.38.122; proto:tcp;appi_name:WinSCP; app_desc:WinSCP (Windows Secure CoPy) is a free and open source SFTP, SCP, and FTP client for Microsoft Windows. WinSCP’s main function is secure file transfer between a local and a remote computer. Supported from: R75.;app_id:60343744;app_category:Network Utilities;matched_category:Network Utilities;app_properties:Supports File Transfer, Encrypts communications, Medium Risk, Network Utilities;app_risk:3;app_rule_id:{4564C8D7-0A9C-4DA0-A353-B1D3428C95E4};app_rule_name:Block VLC; app_sig_id:60343744:1; proxy_src_ip:10.10.10.5;product:Application Control; service:ssh; s_port:2204; product_family:Network

IPS Software Blade Log:

1. Performed a port scan against my firewall; the log is shown below:

01-30-2017 19:54:50 Local4.Info 10.10.10.10 CP_FireWall: 30Jan2017 19:54:11 reject 10.10.10.254 > Protection Name:Non-MD5 Authenticated BGP Connections;Severity:3; Confidence Level:3; protection_id:bgp_protos; SmartDefense Profile:Recommended_Protection; Performance Impact:3; Industry Reference:CAN-2004-0589, CAN-2004-0230;Protection Type:protection;Attack Info:Non-MD5 Authenticated BGP Protocol Detected on Connection;attack:BGP Enforcement Violation;rule:1;rule_uid:{547FE81C-AC6A-47A3-981F-9DCBB2606E80};rule_name:Mgmt Access;Total logs:12; Suppressed logs:11;proto:tcp;dst:10.10.10.254; src:10.10.10.1;product:SmartDefense;service:BGP;FollowUp:Not Followed;product_family:Network

Anti-Virus Software Blade Log:

1. Tested downloading a malicious file from the URL below; the log follows:

http://www.wicar.org/test-malware.html

01-30-2017 19:57:48 Local4.Info 10.10.10.10 CP_FireWall: 30Jan2017 19:57:41 monitor 10.10.10.254>eth0 src:10.10.10.5; dst:62.0.58.94; proto:tcp;session_id:{0x588f4058,0x3,0xfe0a0a0a,0xc0000000}; Protection name:REP.ianwwg; description:Connections to IP associated by DNS trap with malicious domain. See sk74060 for more information.;Source OS:Windows;Confidence Level:1;severity:2;malware_action:Access to site known to contain malware;Protection Type:DNS Trap;malware_rule_id:{1E90B500-246E-1F43-82F4-4E99FAD647B6};Destination DNS Hostname:malware.wicar.org; protection_id:000AC512A; vendor_list:Check Point ThreatCloud;log_id:2;scope:10.10.10.5; product:New Anti Virus;service:http;s_port:2211

Anti-Bot Software Blade Log:

1. Tested the bot test link given in Check Point article sk110481; the logs follow (the first line is truncated in the syslog output):

http://sc1.checkpoint.com/za/images/threatwiki/pages/TestAntiBotBlade.html

2017-01-30 20:03:35 Local4.Info 10.10.10.10 CP_FireWall: 30Jan2017 20:02:05 block 10.10.10.254<eth0;web_client_type:Firefox;resource:http://sc1.checkpoint.com/za/images/threatwiki/pages/TestAntiBotBlade.html;src:10.10.10.5;dst:184.31.212.234;proto:tcp;session_id:{0x588f4e65,0x2,0xfe0a0a0a,0xc0000000};Protection name:Check Point – Testing Bot;malware_family:Check Point;Source OS:Windows;Confidence Level:5;severity:2;malware_action:Communication with C&C site;rule_uid:{E6149B4A-DF60-4500-A097-5557F547A675};rule_name:Internet Access;Protection Type:URLreputation;malware_rule_id:{1E90B500-246E-1F43-82F4-4E99FAD647B6}; protection_id:00233CFEE;log_id:9999;proxy_src_ip:10.10.10.5;scope:10.10.10.5;Suppressed logs:1;sent_bytes:0;received_bytes:0;packet_capture_unique_id:10.10.10.5_maildir_sent_new_time1485786726.mail-1565954732-392261992.localhost; packet_capture_time:1485786726; packet_capture_name:src-10.10.10.5.eml;UserCheck_incident_uid:7105BAFB-08F2-DF01-F36B-2F232920DC61;UserCheck:1;dlp_incident_uid:{588F4E65-0000-0002-FE0A-0A0AC0000000};portal_m…

2017-01-30 20:03:47 Local4.Info 10.10.10.10 CP_FireWall: r is trying to access a malicious server. It is probably infected by malware. For more information and remediation, please contact your help desk. Click here to report an incorrect classification. Activity: Communication with C&C site URL: http://sc1.checkpoint.com/za/images/threatwiki/pages/TestAntiBotBlade.html Reference: 2920DC61 ;UserCheck_Confirmation_Level:Application;frequency:1 days ;product:Anti Malware;service:http;s_port:2226

 

Scenario 3: Syslog forwarded through R80 Management Server

1. Add the line below to the /etc/rc.d/init.d/cpboot file (straight quotes; the curly quotes shown by the blog will break the shell):

fw log -f -t -n -l 2> /dev/null | awk 'NF' | sed '/^$/d' | logger -p local4.info -t CP_FireWall &

2. After this, the firewall logs appear in the /var/log/messages file.

Note: the Management Server's own /var/log/messages entries appear alongside the firewall logs.

3. Now send these messages to the remote syslog server. Open an SSH connection to the Management Server in normal user mode and enter the following command:

> add syslog log-remote-address <IP-address_of_Syslog_Server> level info

4. The logs from the Management Server (192.168.10.253) are now visible on the Syslog server:

Firewall Software Blade Log:

1. Accessed the website http://acme.com/ whose IP address is 216.27.178.28; the log is shown below:

01-30-2017 21:27:14 Local4.Info 192.168.10.253 CP_FireWall: 30Jan2017 21:17:09 1 accept 192.168.1.3 >Lan3 LogId: <max_null>; ContextNum: <max_null>; OriginSicName: <max_null>; inzone: Internal; outzone: External; rule: 17; rule_uid: {C73E055B-3678-4257-AADF-434FAD7006A5}; rule_name: Complete Allow For Int Net; service_id: http; src: 192.168.12.153; dst: 216.27.178.28; proto: tcp; xlatesrc: 192.168.1.3; NAT_rulenum: 21; NAT_addtnl_rulenum: 1; ProductName: VPN-1 & FireWall-1; svc: http; sport_svc: 34891; xlatesport_svc: 26752; ProductFamily: Network;

URL Filtering Software Blade Log:

1. Accessed the website http://ndtv.com/; the log is shown below:

01-30-2017 21:39:36 Local4.Info 192.168.10.253 CP_FireWall: 30Jan2017 21:29:31 1 allow 192.168.1.3 <Mgmt LogId: <max_null>; ContextNum: <max_null>; OriginSicName: <max_null>; src: 192.168.12.153; dst: 52.2.229.194; proto: tcp; appi_name: ndtv.com; app_id: 2894003724; matched_category: News / Media; app_properties: News / Media,URL Filtering; app_risk: 0; app_rule_id: {F741EBE9-D97B-4DF6-B3A3-55CC29C49CEE}; web_client_type: Chrome; web_server_type: Other: nginx/1.8.0; resource: http://ndtv.com/; proxy_src_ip: 192.168.12.153; ProductName: URL Filtering; svc: http; sport_svc: 36098; ProductFamily: Network;

Application Control Software Blade Log:

1. Tried to block the WinSCP application; the log is shown below:

01-30-2017 21:53:50 Local4.Info 192.168.10.253 CP_FireWall: 30Jan2017 21:43:46 1 block 192.168.1.3 <Lan3 LogId: <max_null>; ContextNum: <max_null>; OriginSicName: <max_null>; src: 192.168.12.153; dst: 194.29.38.122; proto: tcp; appi_name: WinSCP; app_desc: WinSCP (Windows Secure CoPy) is a free and open source SFTP, SCP, and FTP client for Microsoft Windows. WinSCP’s main function is secure file transfer between a local and a remote computer. Supported from: R75.; app_id: 60343744; app_category: Network Utilities; matched_category: Network Utilities; app_properties: Supports File Transfer, Encrypts communications, Medium Risk, Network Utilities; app_risk: 3; app_rule_id: {D46D297F-B53A-475E-98DA-B34F7265CE3C}; app_rule_name: Raghu Testing Winscp Block; app_sig_id: 60343744:1; proxy_src_ip: 192.168.12.153; ProductName: Application Control; svc: ssh_version_2; sport_svc: 36909; ProductFamily: Network;

IPS Software Blade Log:

1. Performed a port scan against our QOS firewall; the log is shown below:

2017-01-30 22:34:19 Local4.Info 192.168.10.253 CP_FireWall: 30Jan2017 22:24:13 1 reject 192.168.1.3 > LogId: <max_null>; ContextNum: <max_null>; OriginSicName: <max_null>; Protection Name: Non-MD5 Authenticated BGP Connections; Severity: 0; Confidence Level: 3; protection_id: bgp_protos; SmartDefense Profile: Default_Protection_2df2f915b4001bd5; Performance Impact: 3; Industry Reference: CAN-2004-0589, CAN-2004-0230; Protection Type: protection; Attack Info: Non-MD5 Authenticated BGP Protocol Detected on Connection; attack: BGP Enforcement Violation; rule: 14; rule_uid: {C3A95356-AFCF-4897-8337-A2448109B4E5}; rule_name: Between all QOS LANs; Total logs: 12; Suppressed logs: 11; proto: tcp; dst: 192.168.12.1; src: 192.168.12.153; ProductName: SmartDefense; svc: BGP; ProductFamily: Network;

Anti-Virus Software Blade Log:

1. Tested downloading a malicious file from the test URL used in the previous scenarios; the log is shown below:

2017-01-30 22:23:09 Local4.Info 192.168.10.253 CP_FireWall: 30Jan2017 22:12:51 1 prevent 192.168.1.3 >Lan3 LogId: <max_null>; ContextNum: <max_null>; OriginSicName: <max_null>; src: 192.168.12.153; dst: 62.0.58.94; proto: tcp; session_id: {0x588f6d0b,0x10000,0x301a8c0,0xc0000001}; Protection name: REP.ianwwg; description: Connection to DNS trap bogus IP. See sk74060 for more information.; Source OS: Windows; Confidence Level: 1; severity: 1; malware_action: Access to site known to contain malware; Protection Type: DNS Trap; malware_rule_id: {ABA61341-AC30-3149-AF91-E5AC2B6B8E80}; Destination DNS Hostname: malware.wicar.org; protection_id: 000AC512A; vendor_list: Check Point ThreatCloud; log_id: 2; scope: 192.168.12.153; ProductName: New Anti Virus; svc: http; sport_svc: 44001; ProductFamily: Network;

Anti-Bot Software Blade Log:

1. Tested the bot test link given in Check Point article sk110481; the logs follow (the first line is truncated in the syslog output):

http://sc1.checkpoint.com/za/images/threatwiki/pages/TestAntiBotBlade.html

2017-01-30 22:19:02 Local4.Info 192.168.10.253 CP_FireWall: 30Jan2017 22:08:57 1 block 192.168.1.3 <Lan3 LogId: <max_null>; ContextNum: <max_null>; OriginSicName: <max_null>; web_client_type:Chrome;resource: http://sc1.checkpoint.com/za/images/threatwiki/pages/TestAntiBotBlade.html ; src: 192.168.12.153; dst: 23.211.213.229; proto: tcp; session_id: {0x588f6c21,0x10007,0x301a8c0,0xc0000002}; Protection name: Check Point – Testing Bot; malware_family: Check Point; Source OS: Windows; Confidence Level: 5; severity: 2; malware_action: Communication with C&C site; rule_uid: {C73E055B-3678-4257-AADF-434FAD7006A5}; rule_name: Complete Allow For Int Net; Protection Type: URL reputation; malware_rule_id: {ABA61341-AC30-3149-AF91-E5AC2B6B8E80}; protection_id: 00233CFEE; log_id: 9999; proxy_src_ip: 192.168.12.153; scope: 192.168.12.153; Suppressed logs: 1; sent_bytes: 0; received_bytes: 0; packet_capture_unique_id: 192.168.12.153_maildir_sent_new_time1485794338.mail-989086109-484857403.localhost; packet_capture_time: 1485794338; packet_capture_name: s…

2017-01-30 22:19:02 Local4.Info 192.168.10.253 CP_FireWall: l; UserCheck_incident_uid: 9E71CD67-C8C2-DB14-D926-6F97BC2003CE; UserCheck: 1; dlp_incident_uid: {588F6C21-0001-0007-0301-A8C0C0000002}; portal_message: Your computer is trying to access a malicious server. It is probably infected by malware. For more information and remediation, please contact your help desk. Click here to report an incorrect classification. Activity: Communication with C&C site URL: http://sc1.checkpoint.com/za/images/threatwiki/pages/TestAntiBotBlade.html Reference: BC2003CE ; UserCheck_Confirmation_Level: Application; frequency: 1 days ; LastUpdateTime: 30Jan2017 22:08:59; ProductName: Anti Malware; svc: http; sport_svc: 43860; ProductFamily: Network;
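As an added example that is not part of the original article, the Python below parses both syslog layouts shown on this page (the gateway-direct key="value" form of Scenario 1, and the fw log piped through logger form of Scenarios 2 and 3, including the R80 "LogId: <max_null>;" and "ProductName" variants) into one normalised record, and then flags threat-blade events that were only monitored rather than blocked, which is the kind of check a SIEM rule would run on these feeds. The sample lines are constructed from the logs above with values shortened; field names are the ones visible on this page and the regexes are mine, not Check Point's.

```python
import re
from typing import Optional

# Constructed sample lines modelled on the three layouts shown on this page (values shortened).
# Scenario 1 (gateway direct): key="value" pairs after the syslog header. Scenarios 2/3 (fw log
# piped into logger): "CP_FireWall:" then date time [seq] action origin <|>iface, then key:value; pairs.
SAMPLE_LINES = [
    '2017-01-30 16:32:59 System0.Notice 10.10.10.254 Jan 30 16:32:59+05:1800 10.10.10.254 '
    'Action="monitor" src="10.10.10.5" dst="62.0.58.94" Protection name="REP.ianwwg" '
    'Confidence Level="1" malware_action="Access to site known to contain malware" '
    'product="New Anti Virus" service="80"',
    '01-30-2017 19:54:50 Local4.Info 10.10.10.10 CP_FireWall: 30Jan2017 19:54:11 reject '
    '10.10.10.254 > Protection Name:Non-MD5 Authenticated BGP Connections;Severity:3; '
    'attack:BGP Enforcement Violation;src:10.10.10.1;dst:10.10.10.254;product:SmartDefense;service:BGP',
    '2017-01-30 22:19:02 Local4.Info 192.168.10.253 CP_FireWall: 30Jan2017 22:08:57 1 block '
    '192.168.1.3 <Lan3 LogId: <max_null>; src: 192.168.12.153; dst: 23.211.213.229; '
    'malware_action: Communication with C&C site; ProductName: Anti Malware; svc: http;',
]

_FWLOG_HDR = re.compile(
    r'^(?P<date>\d{2}[A-Za-z]{3}\d{4}) (?P<time>\d{2}:\d{2}:\d{2}) (?:\d+ )?'
    r'(?P<action>\w+) (?P<origin>[\d.]+)\s*(?P<dir>[<>])(?P<iface>[^\s;]*)[\s;]*(?P<rest>.*)$')
_KV_QUOTED = re.compile(r'([A-Za-z_][A-Za-z0-9_ ]*?)="([^"]*)"')   # keys may contain spaces
_CURLY = str.maketrans({'\u201c': '"', '\u201d': '"', '\u2033': '"'})  # blog-mangled quotes

def parse_line(line: str) -> Optional[dict]:
    """Parse one syslog line in either layout into a normalised dict; None if unrecognised."""
    line = line.translate(_CURLY).strip()
    fields = {}
    if 'CP_FireWall: ' in line:
        m = _FWLOG_HDR.match(line.split('CP_FireWall: ', 1)[1])
        if not m:
            return None
        for seg in m.group('rest').split(';'):
            if ':' not in seg:          # empty trailer or truncated ("...") segment
                continue
            key, val = seg.split(':', 1)  # first colon only: values may contain ':' (URLs)
            val = val.strip()
            fields[key.strip()] = None if val == '<max_null>' else val
        action, origin, fmt = m.group('action'), m.group('origin'), 'fw-log'
    else:
        fields = {k.strip(): v for k, v in _KV_QUOTED.findall(line)}
        if 'Action' not in fields:
            return None
        action, origin, fmt = fields['Action'], line.split()[3], 'gateway'
    return {'format': fmt, 'action': action, 'origin': origin,
            'product': fields.get('product') or fields.get('ProductName'),  # R80 renames it
            'src': fields.get('src'), 'dst': fields.get('dst'), 'fields': fields}

DETECT_ONLY = {'monitor', 'detect'}

def threats_not_prevented(lines):
    """Threat-blade events (IPS/AV/Anti-Bot) that were logged but not blocked: alert on these."""
    hits = []
    for ev in filter(None, map(parse_line, lines)):
        threat = ev['fields'].get('malware_action') or ev['fields'].get('attack')
        if threat and ev['action'] in DETECT_ONLY:
            hits.append((ev['product'], ev['src'], ev['dst'], threat))
    return hits
```

Run against the constructed samples, only the Anti-Virus "monitor" event is reported, which is the case a defender wants surfaced: the blade saw the malware site but did not prevent the connection.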

 

 

For additional information, feel free to write in the comments section.

Raghu K


Senior Network Security Engineer at QOS Technology
1 Comment on "Syslog Integration with CheckPoint"

Arun (Guest):

Very well documented.