Check Point Firewall
Check Point’s Next Generation Firewalls (NGFW’s) are trusted by customers for their highest security effectiveness and their ability to keep organizations protected from sophisticated fifth generation cyber-attacks. Check Point’s NGFW includes 23 Firewall models optimized for running all threat prevention technologies simultaneously, including full SSL traffic inspection, without compromising on security or performance.
Related Built-in Rules
Benefit from SEKOIA.IO built-in rules and upgrade Check Point Firewall with the following detection capabilities out-of-the-box.
SEKOIA.IO Intelligence Feed
Detect threats based on indicators of compromise (IOCs) collected by SEKOIA's Threat and Detection Research team.
- Effort: elementary
Detects TOR usage, based on the IP address and the destination port (filtered on NTP). TOR is short for The Onion Router, and it gets its name from how it works. TOR intercepts the network traffic from one or more apps on user’s computer, usually the user web browser, and shuffles it through a number of randomly-chosen computers before passing it on to its destination. This disguises user location, and makes it harder for servers to pick him/her out on repeat visits, or to tie together separate visits to different sites, this making tracking and surveillance more difficult. Before a network packet starts its journey, user’s computer chooses a random list of relays and repeatedly encrypts the data in multiple layers, like an onion. Each relay knows only enough to strip off the outermost layer of encryption, before passing what’s left on to the next relay in the list.
- Effort: master
The following table lists the data source offered by this integration.
||Check Point can record traffic events flowing through their firewall.|
||Check Point firewall does traffic analysis at physical/data/transport layers|
||Domain names are extracted from HTTP traffic|
As of now, the main solution to collect Checkpoint logs leverages the Rsyslog recipe. Please share your experiences with other recipes by editing this documentation.
We are currently supporting the following firewall versions: R77.30, R80.10, R80.20, R80.30.
Please refer to the documentation of the Log Exporter of checkpoint to forward events to your rsyslog server. The reader is also invited to consult the Rsyslog Transport documentation to forward these logs to SEKOIA.IO.