This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
LostBoY
Advisor
‎2021-12-29 04:05 AM

Geolocation details in Checkpoint Syslogs

I have integrated Checkpoint R80.40 with an SIEM tool via log exporter configuration.

SIEM teams is looking for Geo Location information from these syslogs..is it possible to get this information from syslogs ?

7 Replies
Chris_Atkinson
MVP Platinum CHKP MVP Platinum CHKP
MVP Platinum CHKP
‎2021-12-29 04:38 AM

Are you using geo objects in your access policy?

Search for src_country / dst_country in sk144192 to understand the mappings.

CCSM R77/R80/ELITE
LostBoY
Advisor
‎2021-12-29 05:37 AM
In response to Chris_Atkinson

Thanks for the reply.. no i am not using geo objects but i was wondering if any location information can be filtered from syslogs ..like in smartconsole logs we can see a location flag against source and destination IPs

0 Kudos
the_rock
MVP Platinum
MVP Platinum
‎2021-12-29 07:20 AM
In response to LostBoY

I am not SIEM guy by any means, but from what I know, dont believe you can do it that way, though I could ask one of my colleagues, as I know he did something even better for a customer.

Best,
Andy
the_rock
MVP Platinum
MVP Platinum
‎2021-12-29 08:07 AM
In response to LostBoY

I emailed my colleague your question, so will see what he says.

Best,
Andy
LostBoY
Advisor
‎2021-12-29 10:46 AM
In response to the_rock

Thanks 🙂

0 Kudos
the_rock
MVP Platinum
MVP Platinum
‎2021-12-29 11:02 AM
In response to LostBoY

Well, dont thank me yet :-). I did ask, but lets see if I get the answer...if this is something he put lots of work into, I cant guarantee he can share it, but I will let you know either way.

Cheers.

Best,
Andy
0 Kudos
the_rock
MVP Platinum
MVP Platinum
‎2021-12-30 06:18 PM
In response to LostBoY

Hey @LostBoY . This is a response I got from my colleague to your initial question:

"You can only get external IP and then the SIEM should have the capability to map the IP to country and city name etc. Usually SIEM tools are equipped with GEOIP databases and lookups. Syslog will include only external IPs"

Best,
Andy

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events