RemoteUser
Advisor

S1C forwarding LOGS

Hi mates,
I have a question.

Is it possible to forward logs to a SIEM using TCP without SSL/TLS when using Smart-1 Cloud?

According to the documentation, this seems to be supported:
https://sc1.checkpoint.com/documents/Infinity_Portal/WebAdminGuides/EN/Check-Point-SmartCloud-Admin-...

However, when I contacted TAC, they advised that it’s better to use TLS.
I was wondering if anyone has a working TCP (non-SSL) configuration in production.

Also, does the choice of protocol depend on the specific SIEM being used?

Thanks in advance.

0 Kudos
21 Replies
Vincent_Bacher
MVP Silver

When I look at the documentation, it clearly states that both SSL-encrypted forwarding and plain forwarding are supported.
The choice of protocol, whether TLS, plain TCP or UDP, depends on what your SIEM supports. TAC's statement is, of course, correct. Encrypted transmission should always be preferred to plain-text transmission, even if plain text is supported and works.

and now to something completely different - CCVS, CCAS, CCTE, CCCS, CCSM elite
0 Kudos
RemoteUser
Advisor

100% right Vincent

0 Kudos
RemoteUser
Advisor

We only need to set up this configuration with Tufin, and the Tufin team told us that they support UDP on port 514 and TLS.
However, as far as I know, we already tried UDP, and it doesn’t seem to be working.

0 Kudos
Vincent_Bacher
MVP Silver

Did you do it as discussed here?

https://forum.tufin.com/support/kc/latest/Content/Suite/cp_log-exp_R81.20.htm

I'm an S1C layman, I'm just trying to brainstorm a little.

and now to something completely different - CCVS, CCAS, CCTE, CCCS, CCSM elite
0 Kudos
the_rock
MVP Diamond

Hey bro,

100% possible. We do it for a few customers to a SIEM solution. There is currently a TAC case for a new CP customer using S1C where we have an issue doing it with the TCP protocol, so TAC is working on that. You just do it from the portal itself, see below.

(Screenshot_1.png attached: portal event-forwarding settings)

Best,
Andy
0 Kudos
Vincent_Bacher
MVP Silver

Apparently, I wasn't that far off the mark. 🙂

and now to something completely different - CCVS, CCAS, CCTE, CCCS, CCSM elite
the_rock
MVP Diamond

You got it. @RemoteUser , I know 2 customers where we have this working with TCP over TLS as well. Just not sure whether this issue we currently have is SIEM-related or not. The TAC guy said he believes it could be a log rate problem, but they are still checking it.

Will update you once we have a solution.

Best,
Andy
0 Kudos
RemoteUser
Advisor

https://support.checkpoint.com/results/sk/sk182699 could this be a possible solution?

(1)
the_rock
MVP Diamond

100%. Sorry, forgot about it. TAC gave us that sk last week as well.

Best,
Andy
0 Kudos
RemoteUser
Advisor

OK, but since we want to export all the logs of the management, do I need to configure this rule in every policy package of the CMA?

0 Kudos
the_rock
MVP Diamond

Sounds like that, yes.

Best,
Andy
0 Kudos
the_rock
MVP Diamond

Hey brother,

Were you able to sort this out?

Best,
Andy
0 Kudos
RemoteUser
Advisor

Hi Andy,

Yes, Check Point is sending the logs without any issues. It looks like there’s something in between that’s interfering and causing the logs to arrive incompletely at Tufin.

0 Kudos
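Two things come up repeatedly in this thread: which transport the SIEM accepts (UDP, plain TCP or TLS, as Vincent notes) and whether messages that leave S1C actually arrive whole at the collector (the "arrive incompletely at Tufin" symptom above). The following is an added example, not code from the thread, from Check Point or from Tufin: a small syslog test harness that builds correctly framed messages for each transport, sends a numbered batch, and on the receiving side re-assembles a TCP byte stream into whole messages so gaps or split frames can be counted. Hostnames, ports and the CA file path are placeholders; `seq=` is a constructed marker added to the test messages, not a Check Point log field.

```python
"""Added example (not Check Point's or Tufin's code): syslog transport test harness.

build_frame()        wraps a message for UDP, or for TCP with RFC 6587 octet-counting
                     or LF (non-transparent) framing.
split_frames()       receiver side: turns a TCP byte buffer into complete messages and
                     keeps any partial trailing frame, so truncation is visible.
missing_sequences()  lists seq numbers that never arrived.
send_test_messages() sends N numbered messages over udp, tcp or tls.
"""
import socket
import ssl
import datetime


def build_message(seq, hostname="s1c-test", appname="logtest"):
    # RFC 5424-style header; the MSG part carries a constructed sequence
    # number so the receiver can count gaps (placeholder facility/severity 134).
    ts = datetime.datetime.now(datetime.timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    return f"<134>1 {ts} {hostname} {appname} - - - seq={seq}"


def build_frame(msg, transport="udp", octet_counting=False):
    data = msg.encode()
    if transport == "udp":
        return data                                  # one datagram per message
    if octet_counting:
        return f"{len(data)} ".encode() + data       # RFC 6587 octet-counting: "LEN SP MSG"
    return data + b"\n"                              # non-transparent framing, LF-terminated


def split_frames(buf):
    """Return (complete_messages, leftover_bytes) from a TCP receive buffer.
    A syslog message always starts with '<', so a leading digit means an
    octet-count prefix; anything else is treated as LF-framed."""
    msgs = []
    while buf:
        if buf[:1].isdigit():
            sp = buf.find(b" ")
            if sp == -1:
                break                                # length prefix not complete yet
            n = int(buf[:sp])
            if len(buf) < sp + 1 + n:
                break                                # message body still partial
            msgs.append(buf[sp + 1:sp + 1 + n].decode())
            buf = buf[sp + 1 + n:]
        else:
            nl = buf.find(b"\n")
            if nl == -1:
                break                                # no terminator yet
            msgs.append(buf[:nl].decode())
            buf = buf[nl + 1:]
    return msgs, buf


def missing_sequences(messages):
    """Given received messages carrying 'seq=N', list the N values that are absent
    between the lowest and highest seen."""
    seen = {int(m.rsplit("seq=", 1)[1]) for m in messages if "seq=" in m}
    if not seen:
        return []
    return [s for s in range(min(seen), max(seen) + 1) if s not in seen]


def send_test_messages(host, port, count, transport="udp", cafile=None, octet_counting=True):
    """Send `count` numbered messages to host:port. transport is udp, tcp or tls.
    For tls, cafile is the CA that signed the collector's certificate (assumed path);
    the default context verifies the certificate and hostname, so a collector
    presenting an untrusted cert fails loudly instead of silently working."""
    kind = "udp" if transport == "udp" else "tcp"
    frames = [build_frame(build_message(i), kind, octet_counting) for i in range(1, count + 1)]
    if transport == "udp":
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            for f in frames:
                s.sendto(f, (host, port))
        return count
    sock = socket.create_connection((host, port), timeout=5)
    if transport == "tls":
        ctx = ssl.create_default_context(cafile=cafile)
        sock = ctx.wrap_socket(sock, server_hostname=host)
    with sock:
        sock.sendall(b"".join(frames))
    return count


if __name__ == "__main__":
    # Usage (placeholders): send 100 messages over TLS to the collector, then on the
    # collector feed the captured TCP payload to split_frames()/missing_sequences().
    # send_test_messages("collector.example.net", 6514, 100, transport="tls",
    #                    cafile="/etc/ssl/collector-ca.pem")
    demo = b"".join(build_frame(build_message(i), "tcp", True) for i in (1, 2, 4))
    received, rest = split_frames(demo + b"12 <134>1 trunc")
    print(received, rest, missing_sequences(received))
```

If the count the collector reports is lower than `count`, or `split_frames()` leaves a non-empty remainder, the loss is between S1C and the SIEM's parser rather than in the forwarder itself; compare the sequence gaps against the timing of any device in the path (firewall session timeouts, load balancers, rate limits) before reopening the case with TAC.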
the_rock
MVP Diamond

I will let you know how we fix the issue we have with the new CP customer. TAC is telling us that everything on the S1C side is fine, but it's so weird, because if we change to sending logs over, say, UDP and a random port, it works for a few seconds at a time, or 1 minute, then stops.

Best,
Andy
0 Kudos
the_rock
MVP Diamond

Hey brother,

We spent many hours troubleshooting this. TAC even verified all was fine on the S1C side, and the NAT rule was 100% right, but it ended up being that we changed the cluster object IP from external to internal, modified link selection, pushed policy, and then all worked fine; we can now see logs. It appears logs were being sent over the MaaS tunnel interface for some reason, rather than the external one, which is what happens in environments where this does work.

Best,
Andy
0 Kudos
RemoteUser
Advisor

Hi Bro - which NAT rule? This one? https://support.checkpoint.com/results/sk/sk182699

0 Kudos
the_rock
MVP Diamond

Nope... that's a regular rule, I'm talking about the actual NAT rule. In this one the dst is the WAN IP of the cluster (VIP) and then the dst is the log collector.

(Screenshot_1.png attached: NAT rule)

Best,
Andy
0 Kudos
RemoteUser
Advisor

Ah, got it 😄 that’s why it seemed strange to me to talk about NAT with that rule 😄

the_rock
MVP Diamond

Always good to be sure 🙂

Best,
Andy
0 Kudos
the_rock
MVP Diamond

By the way, as far as the source of the regular policy rule (NOT the NAT one) goes, you can obviously include whatever else is needed. We added our SASE IP as well, as we always connect through it.

Best,
Andy
AlexVaisberg
Employee

Hi,
Event Forwarding from the portal also supports TLS (non-SSL) configuration.

Are there any customers interested in enabling this? If so, we’d be happy to assist and gather feedback.

Step 4 in the attached:
https://sc1.checkpoint.com/documents/Infinity_Portal/WebAdminGuides/EN/Infinity-Portal-Admin-Guide/C... 

0 Kudos