topic Re: S1C forwarding LOGS in General Topics

S1C forwarding LOGS

RemoteUser — Tue, 03 Feb 2026 13:48:36 GMT

Hi mates,
I have a question.

Is it possible to forward logs to a SIEM using TCP without SSL/TLS when using Smart-1 Cloud?

According to the documentation, this seems to be supported:
https://sc1.checkpoint.com/documents/Infinity_Portal/WebAdminGuides/EN/Check-Point-SmartCloud-Admin-Guide/Topics-Smart-1-Cloud/Using-the-Settings.htm

However, when I contacted TAC, they advised that it’s better to use TLS.
I was wondering if anyone has a working TCP (non-SSL) configuration in production.

Also, does the choice of protocol depend on the specific SIEM being used?

Thanks in advance.

Re: S1C forwarding LOGS

Vincent_Bacher — Tue, 03 Feb 2026 13:54:58 GMT

When I look at the documentation, it clearly states that both SSL-encrypted forwarding and plain forwarding are supported.
The choice of protocol, whether TLS, plain or UDP, depends on what your SIEM supports. Tac's statement is, of course, correct. Encrypted transmission should always be preferred to plain text transmission, even if plain text is supported and works.

Re: S1C forwarding LOGS

RemoteUser — Tue, 03 Feb 2026 13:56:57 GMT

100% right Vincent

Re: S1C forwarding LOGS

RemoteUser — Tue, 03 Feb 2026 14:10:39 GMT

We only need to set up this configuration with Tufin, and the Tufin team told us that they support UDP on port 514 and TLS.
However, as far as I know, we already tried UDP, and it doesn’t seem to be working.

Re: S1C forwarding LOGS

Vincent_Bacher — Tue, 03 Feb 2026 14:27:38 GMT

Did you work like discussed here?

https://forum.tufin.com/support/kc/latest/Content/Suite/cp_log-exp_R81.20.htm

I'm an S1C layman, I'm just trying to brainstorm a little.

Re: S1C forwarding LOGS

the_rock — Tue, 03 Feb 2026 14:33:44 GMT

Hey bro,

100% possible. We do it for few customers to siem solution. There is TAC case currently for new CP customer using S1C where we have an issue doing it for tcp protocol, so TAC is working on that. You just do it from the portal itself, see below.

Re: S1C forwarding LOGS

Vincent_Bacher — Tue, 03 Feb 2026 14:35:48 GMT

Apparently, I wasn't that far off the mark. 🙂

Re: S1C forwarding LOGS

the_rock — Tue, 03 Feb 2026 14:41:12 GMT

You got it. @RemoteUser , I know 2 customers where we have this working with tcp/over tls as well. Just not sure this issue we currently have if it is siem or not. TAC guy said he believes it could be log rate problem, but they are still checking it.

Will update you once we have a solution.

Re: S1C forwarding LOGS

RemoteUser — Tue, 03 Feb 2026 14:45:03 GMT

https://support.checkpoint.com/results/sk/sk182699 this cloud be a possible solution?

Re: S1C forwarding LOGS

the_rock — Tue, 03 Feb 2026 14:47:40 GMT

100%. Sorry, forgot about it. TAC gave us that sk last week as well.

Re: S1C forwarding LOGS

RemoteUser — Tue, 03 Feb 2026 14:49:46 GMT

ok but since we want to export all the logs of the managment i need to configure this rule on all the policy package of the cma?

Re: S1C forwarding LOGS

the_rock — Tue, 03 Feb 2026 14:50:44 GMT

Sounds like that, yes.

Re: S1C forwarding LOGS

the_rock — Fri, 06 Feb 2026 00:27:39 GMT

Hey brother,

Were you able to sort this out?

Re: S1C forwarding LOGS

RemoteUser — Fri, 06 Feb 2026 06:54:54 GMT

Hi Andy,

Yes, Check Point is sending the logs without any issues. It looks like there’s something in between that’s interfering and causing the logs to arrive incompletely at Tufin.

Re: S1C forwarding LOGS

the_rock — Fri, 06 Feb 2026 11:50:42 GMT

I will let you know how we fix the issue we have with new CP customer. TAC is telling us that all on S1C side is fine, but its so weird, because if we change to send logs say using udp and random port, works for few seconds at a time, or 1 minute, then stops.

Re: S1C forwarding LOGS

AlexVaisberg — Tue, 10 Feb 2026 13:15:02 GMT

Hi,
Event Forwarding from the portal also supports TLS (non-SSL) configuration.

Are there any customers interested in enabling this? If so, we’d be happy to assist and gather feedback.

Step 4 in the attached:
https://sc1.checkpoint.com/documents/Infinity_Portal/WebAdminGuides/EN/Infinity-Portal-Admin-Guide/Content/Topics-Infinity-Portal/Event-Forwarding-Push.htm?tocpath=Account%20Settings%7CEvent%20Forwarding%7C_____1

Re: S1C forwarding LOGS

the_rock — Tue, 10 Feb 2026 13:21:15 GMT

Hey brother,

We spent many hours troubleshooting this. TAC even verified all was fine on S1C side, nat rule was 100% right, but ended up being that we changed cluster object IP from external to internal, modified link selection, pushed policy, then all worked fine, we can now see logs. Appears logs were being sent over maas tunnel interface for some reason, rather than external, like what happens witt environments where this does work.

Re: S1C forwarding LOGS

RemoteUser — Tue, 10 Feb 2026 15:07:59 GMT

Hi Bro - whic nat rule ? this ? https://support.checkpoint.com/results/sk/sk182699

Re: S1C forwarding LOGS

the_rock — Tue, 10 Feb 2026 15:11:05 GMT

Nope...thats regular rule, Im talking about actual nat rule. In this dst is wan IP of the cluster (VIP) and then dst is log collector.

Re: S1C forwarding LOGS

RemoteUser — Tue, 10 Feb 2026 15:13:07 GMT

Ah, got it 😄 that’s why it seemed strange to me to talk about NAT with that rule 😄