Getting Check Point Logs for APG

Overview

You can manually fetch Check Point logs with Check Point's fwm logexport command, and then standardize them as you would for non-Check Point logs.

SecureTrack offers a simpler alternative method, using our st_apg_collect tool for automatically collecting, standardizing, and filtering Check Point logs. The st_apg_collect utility is included in the TOS installation and is typically run in the command line of your SecureTrack machine. When using this tool, SecureTrack takes the logs for the specified time frame from any relevant log files, filters and standardizes them, and generates an output file in the required format for the APG.

You can limit log collection by rule UID or action (drop/accept), by policy package, and/or by gateway. This can be useful for forensic purposes as well.

When using the output for an APG job in SecureTrack, if you want to filter the logs by rule you must do that manually in the output before you send it to the APG. When using the output for the APG CLI, you can filter the output by rule and traffic pattern in the APG configuration.

Collect and Prepare Check Point Logs for the APG

  1. Get into the device-collector pod.

    kubectl exec -it deployment/device-collector -c device-collector -- bash
  2. Get the SecureTrack device ID for the monitored Check Point management server.

    To see the ID of a device, in SecureTrack:

    1. Navigate to Monitoring > Manage Devices.

    2. Click a device in the device tree.
    3. Type the letter "t".

      The ID for every device appears.

  3. Before collecting the logs, you can view a list of available log files by running the st_apg_collect utility on your SecureTrack machine:

    st_apg_collect -m <mgmt_id> --list

    where <mgmt_id> is the SecureTrack device ID for the monitored Check Point management server or for the CLM that is associated with the monitored CMA.

    For each log file, the following appears:

    • File name: If the default naming has been used, the current file is named fw.log, and all other files are named according to the date and time they were closed.
    • File time: The date and time of the first log in the file.
    • Number of records in the file.
  4. Decide on a time frame for which to collect logs, and run:

    st_apg_collect -m <mgmt_id> -f <output_file> [--from="<from_date>"] [--to="<to_date>"] [--append] [--policy-name=<Policy>] [--log-file=<log_file>] [--rule-uid=<uid> | --action=drop] [--module-name=<Name> | --module-ip=<IP>] --long-mode

    where:

    • <mgmt_id> is the SecureTrack device ID for the monitored Check Point management server or for the CLM that is associated with the monitored CMA.

    • <output_file> is the path and filename for the generated log file.

    • <from_date> is the date (and optionally, time) from which to collect logs. This value must be enclosed in quotation marks, and its format is:

      yyyy-mm-dd [hh:mm:ss]

    • <to_date> is the date (and optionally, time) until which to collect logs. This value must be enclosed in quotation marks, and its format is:

      yyyy-mm-dd [hh:mm:ss]

    • --append indicates that the generated log file should be appended to an existing log file, if one is found, rather than overwriting it.

    • <Policy> is the name of a policy package. The --policy-name flag is used to limit log collection to logs from this package.

    • <log_file> is the name of a log file. The --log-file flag is used to limit log collection to this log file.

    • <uid> is a rule UID, to limit log collection to logs generated by this rule.

    • --action=drop limits log collection to drop and reject actions. When this flag is not used, log collection is limited to accept, authenticate, and encrypt actions (unless the --rule-uid flag is used, in which case the logs for that rule are collected, regardless of action).

      The --action and --rule-uid flags cannot both be used.

    • <Name> is the case-sensitive name of a gateway. The --module-name flag is used to limit log collection to logs from traffic handled by this gateway.

    • <IP> is the primary IP address of a gateway. The --module-ip flag is used to limit log collection to logs from traffic handled by this gateway.

      The --module-name and --module-ip flags cannot both be used.

    • --long-mode exports verbose data for each log record. This is needed for historical rule usage.
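The following is an added example, not part of TOS or the original page: a small POSIX shell wrapper (the function name apg_collect_cmd is an assumption) that validates the date format and the two mutually exclusive flag pairs described above before printing the st_apg_collect command line, so a mis-specified collection fails early instead of producing an unexpected APG input file.

```shell
#!/bin/sh
# Constructed helper around st_apg_collect (hypothetical; not shipped with TOS).
# Accepts "yyyy-mm-dd" or "yyyy-mm-dd hh:mm:ss", the format required for --from/--to.
apg_valid_date() {
  printf '%s' "$1" | grep -Eq '^[0-9]{4}-[0-9]{2}-[0-9]{2}( [0-9]{2}:[0-9]{2}:[0-9]{2})?$'
}

# Usage: apg_collect_cmd <mgmt_id> <output_file> <from_date> <to_date> [filter flags...]
# Prints the full command line on stdout, or returns 1 with a reason on stderr.
apg_collect_cmd() {
  [ $# -ge 4 ] || { echo "usage: apg_collect_cmd mgmt_id output_file from to [flags]" >&2; return 1; }
  mgmt_id=$1; out=$2; from=$3; to=$4
  shift 4
  apg_valid_date "$from" || { echo "bad --from value: $from" >&2; return 1; }
  apg_valid_date "$to"   || { echo "bad --to value: $to" >&2; return 1; }

  have_action=0; have_uid=0; have_mname=0; have_mip=0
  for f in "$@"; do
    case $f in
      --action=drop)                          have_action=1 ;;
      --rule-uid=*)                           have_uid=1 ;;
      --module-name=*)                        have_mname=1 ;;
      --module-ip=*)                          have_mip=1 ;;
      --append|--policy-name=*|--log-file=*)  ;;
      *) echo "unsupported flag: $f" >&2; return 1 ;;
    esac
  done
  # Enforce the exclusions stated in the utility description.
  [ $((have_action + have_uid)) -le 1 ] || { echo "--action and --rule-uid cannot both be used" >&2; return 1; }
  [ $((have_mname + have_mip)) -le 1 ]  || { echo "--module-name and --module-ip cannot both be used" >&2; return 1; }

  printf 'st_apg_collect -m %s -f %s --from="%s" --to="%s"' "$mgmt_id" "$out" "$from" "$to"
  for f in "$@"; do printf ' %s' "$f"; done
  # --long-mode is always added because historical rule usage needs the verbose records.
  printf ' --long-mode\n'
}
```

Run the printed command on the SecureTrack machine (for example with eval) once it has been reviewed.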