Configuring Check Point for Non-Encrypted Syslogs

This topic is intended for TOS Administrators.

Overview

The syslog mechanism is used to pass policy change and traffic information from your devices to SecureTrack. For Check Point devices, you can configure syslogs either non-encrypted over UDP, as described here, or encrypted over TCP.

Non-encrypted syslog configuration for Check Point includes configuring:

To configure encrypted syslogs, see Check Point Syslogs over encrypted TCP. For general information about sending syslogs to TOS, see Sending Additional Information using Syslog.

Syslog Processing Methods

TOS supports two methods of processing syslog information for Check Point devices:

  • Original method (default)

    • The Automatic Policy Generator (APG) and the Rule and Object Usage reports display rule usage.

    • The SecureTrack Reporting Essentials (STRE) reports do not display objects.

    • The Rule Viewer displays last-hit information only for rules (not for objects in rules).
  • New method

    Tufin Support might advise switching to the new method if you have a large volume of syslog traffic and have experienced performance issues.

    On switching to the new method, all existing last-hit information is cleared and reinitialized.
    • The Rule Viewer displays last-hit information for both rules and objects in rules.

    • The STRE reports include objects.

    • The following are not available:

      • Automatic Policy Generator

      • Rule and Object Usage report

Switching from the new method back to the original method does not restore the last-hit information cleared previously.

Configure Syslog Processing Method

  • Switch to the new method:

    tos config set -p opm.usage.support.legacy.types=checkpoint
  • Switch to the default method:

    tos config reset -p opm.usage.support.legacy.types

Configure SecureTrack to Retrieve Audit/Traffic Logs

Configure the log exporter on all monitored MDSM CMA, SMC and CLM log server devices.

  1. Add the first management server and its associated Log Server or CLM to SecureTrack.

  2. In the Device Configuration list, select the relevant management server (not the log server).

  3. Click Edit configuration.

  4. Click Next twice.

  5. In the stage 3 page, select Custom.

  6. Set your Check Point device to communicate with SecureTrack by syslog:

    Select Custom > Syslog Authentication.

    Enter the log ID from the Check Point log exporter.

    Select Protocol UDP.

  7. Click Next, and then Save.