Skip to content

Check Point Firewall


Check Point’s Next Generation Firewalls (NGFW’s) are trusted by customers for their highest security effectiveness and their ability to keep organizations protected from sophisticated fifth generation cyber-attacks. Check Point’s NGFW includes 23 Firewall models optimized for running all threat prevention technologies simultaneously, including full SSL traffic inspection, without compromising on security or performance.

Benefit from SEKOIA.IO built-in rules and upgrade Check Point Firewall with the following detection capabilities out-of-the-box.

SEKOIA.IO x Check Point Firewall on ATT&CK Navigator

SEKOIA.IO Intelligence Feed

Detect threats based on indicators of compromise (IOCs) collected by SEKOIA's Threat and Detection Research team.

  • Effort: elementary
TOR Usage

Detects TOR usage, based on the IP address and the destination port (filtered on NTP). TOR is short for The Onion Router, and it gets its name from how it works. TOR intercepts the network traffic from one or more apps on user’s computer, usually the user web browser, and shuffles it through a number of randomly-chosen computers before passing it on to its destination. This disguises user location, and makes it harder for servers to pick him/her out on repeat visits, or to tie together separate visits to different sites, this making tracking and surveillance more difficult. Before a network packet starts its journey, user’s computer chooses a random list of relays and repeatedly encrypts the data in multiple layers, like an onion. Each relay knows only enough to strip off the outermost layer of encryption, before passing what’s left on to the next relay in the list.

  • Effort: master

Event Categories

The following table lists the data source offered by this integration.

Data Source Description
Network device logs Check Point can record traffic events flowing through their firewall.
Network protocol analysis Check Point firewall does traffic analysis at physical/data/transport layers
Web logs Domain names are extracted from HTTP traffic


As of now, the main solution to collect Checkpoint logs leverages the Rsyslog recipe. Please share your experiences with other recipes by editing this documentation.

We are currently supporting the following firewall versions: R77.30, R80.10, R80.20, R80.30.


Please refer to the documentation of the Log Exporter of checkpoint to forward events to your rsyslog server. The reader is also invited to consult the Rsyslog Transport documentation to forward these logs to SEKOIA.IO.