CheckPoint R80.20 Management- Qradar Integration- Unknown Events (LEEF)

Hello folks,

I am using an R80.20 Management server to manage gateways and sending logs to QRADAR using syslog via LEEF format. QRADAR throws connections from gateways as unknown event / unknown firewall event.

I am specifically looking for source, destination and destination port on QRADAR for the logs which were sent from the management server.

Does anyone face a similar issue? What format is the best practice to use so that QRADAR recognizes events from logs sent by the Check Point management server?

QRADAR version: v7.3.2

Configuration on management server using log exporter to send logs to QRADAR:

name: USECHKMGMT
     enabled: true
     target-server: QRADAR IP
     target-port: 514
     protocol: tcp
     format: leef
     read-mode: raw

QRADAR config:

Log Source Type: Check Point
Protocol Configuration: 
Log Source Identifier: Management server ip
Enabled: 
Credibility: 
Target Event Collector: 
Coalescing Events: 
Incoming Payload Encoding: 

QRADAR is unable to identify the log type with the LEEF method. I have tried syslog, CEF and generic format as well, but all results are the same.

Qradar log (screenshot):

LEEF:2.0|Check Point|VPN-1 & FireWall-1|1.0|Drop|cat=Drop	devTime=1569285537	srcPort=63030	ifdir=inbound	ifname=WAN	loguid={0x5d8966c2,0x0,0xe5141fac,0x3fffaeca}	origin=10.69.42.13	version=1	dst=239.255.255.250	inzone=External	origin_sic_name=CN\=US-FRID-FW-1,O\=usechkmgmt..g553k9	product=VPN-1 & FireWall-1	proto=17	rule=5	rule_name=Cleanup rule	rule_uid={F700F5BC-5D35-4496-A868-C42E4E080F1B}	service=1900	src=10.69.42.58	

5 Replies

Admin

Employee+

Hi,

There is currently an effort to validate log exporter's LEEF format with IBM.

The effort is being done by both Check Point and IBM developers and is very close to the end.

The instructions provided by IBM are the temporary changes that showed progress in Qradar parsers but are not the final changes.

Thanks.

Admin

Thanks for clarifying, wasn't 100% sure of the state of our integration with QRadar.
Contributor

Hi there.

Do you know if LEEF is now 100% compatible in R80.20 for IBM QRADAR?

Regards.

Contributor

Hi there!

news?

We are facing a few format mismatches right now when NAT rules are applied.

For example:

LEEF:2.0|Check Point|FG AND VPN-1 & FireWall-1|1.0|Accept|devTime=1591281065 srcPort=56619 dstPort=53 srcPostNAT=publicIPaddress dstPostNAT=0.0.0.0 usrName=Admin anyuser (admin.anyuser) srcPostNATPort=24544 dstPostNATPort=0 layer_name=Network layer_name=Layer1 layer_uuid=713fedc7-6186-425c-a2a6-ac817a971cd5 layer_uuid=563cff80-2724-49bd-b396-71b2e147615f match_id=120 match_id=134217768 parent_rule=0 parent_rule=120 rule_action=Inline rule_action=Accept rule_name=Desde red 10.10.10.0_23 rule_name=Navegacion rule_uid=b2a832b6-ef07-4337-863f-ebd1cef4cfb4 rule_uid=810b8f02-da0f-4bf5-81aa-544c6776326d ifdir=inbound ifname=bond1.21 logid=0 loguid={0x5ed905a9,0xe,0xa50a8307,0xf5ad3d0e} origin=10.1.0.1 originsicname=CN\=FWLOCAL1,O\=FWLOCAL..8dqary sequencenum=125 version=5 dst=8.8.8.8 fg-1_client_in_rule_name=Default fg-1_client_out_rule_name=Default fg-1_server_in_rule_name=Default fg-1_server_out_rule_name=Default hll_key=249433924800804892 https_inspection_action=Bypass inzone=Internal lastupdatetime=1591281065 nat_addtnl_rulenum=0 nat_rulenum=0 outzone=External proto=17 security_inzone=MgmtZone service_id=domain-udp src=10.1.1.1 src_machine_name=maquina@dominio.local src_user_dn=CN\=Admin Usuario DC\=dominio,DC\=local

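To make the two problems in this thread concrete, here is a small LEEF 2.0 parser written as an added example for this page; it is not code from Check Point, IBM, or any poster. It assumes the records exactly as they were pasted (the original post's record is tab-delimited; the NAT record is space-separated as posted, so the parser treats whitespace followed by a name and "=" as the start of a new key), and it uses constructed, partly abridged copies of both records. It pulls out the source, destination and destination port the original poster is after, falling back to "service" when "dstPort" is absent as in the Drop record, and lists every attribute key that is emitted twice, which is the inline-layer/NAT duplication shown in the last reply and something a flat key=value parser silently collapses.

```python
"""Added example: parse the LEEF records quoted in this thread and surface the
two things that make them hard for a downstream parser: the destination port
carried as 'service' instead of 'dstPort', and attribute keys emitted twice."""
import re
from typing import Any, Dict, List, Optional

# Split the LEEF header on '|' characters that are not escaped as '\|'.
HEADER_SPLIT = re.compile(r"(?<!\\)\|")
# LEEF 2.0 may carry an optional sixth header field naming the attribute
# delimiter, either a single character or its hex code such as x09 (tab).
DELIM_FIELD = re.compile(r"(0?x[0-9A-Fa-f]{2}|.)\|")
# With no declared delimiter (both records in this thread), a new key starts at
# whitespace followed by a name and '='. An escaped '\=' inside a value, as in
# CN\=FWLOCAL1, is not preceded by whitespace, so it never starts a key.
KEY_AT = re.compile(r"(?:^|\s)([A-Za-z_][\w\-.]*)=")

# Constructed copy of the record from the original post (tab-delimited).
SAMPLE_DROP = "LEEF:2.0|Check Point|VPN-1 & FireWall-1|1.0|Drop|" + "\t".join([
    "cat=Drop", "devTime=1569285537", "srcPort=63030", "ifdir=inbound", "ifname=WAN",
    "loguid={0x5d8966c2,0x0,0xe5141fac,0x3fffaeca}", "origin=10.69.42.13", "version=1",
    "dst=239.255.255.250", "inzone=External",
    "origin_sic_name=CN\\=US-FRID-FW-1,O\\=usechkmgmt..g553k9",
    "product=VPN-1 & FireWall-1", "proto=17", "rule=5", "rule_name=Cleanup rule",
    "rule_uid={F700F5BC-5D35-4496-A868-C42E4E080F1B}", "service=1900", "src=10.69.42.58",
])

# Abridged, constructed copy of the NAT record from the last reply, space-separated
# as it was pasted; the duplicated keys are kept exactly as posted.
SAMPLE_NAT = (
    "LEEF:2.0|Check Point|FG AND VPN-1 & FireWall-1|1.0|Accept|"
    "devTime=1591281065 srcPort=56619 dstPort=53 srcPostNAT=publicIPaddress "
    "dstPostNAT=0.0.0.0 usrName=Admin anyuser (admin.anyuser) srcPostNATPort=24544 "
    "dstPostNATPort=0 layer_name=Network layer_name=Layer1 "
    "layer_uuid=713fedc7-6186-425c-a2a6-ac817a971cd5 "
    "layer_uuid=563cff80-2724-49bd-b396-71b2e147615f match_id=120 match_id=134217768 "
    "parent_rule=0 parent_rule=120 rule_action=Inline rule_action=Accept "
    "rule_name=Desde red 10.10.10.0_23 rule_name=Navegacion "
    "rule_uid=b2a832b6-ef07-4337-863f-ebd1cef4cfb4 "
    "rule_uid=810b8f02-da0f-4bf5-81aa-544c6776326d ifdir=inbound origin=10.1.0.1 "
    "originsicname=CN\\=FWLOCAL1,O\\=FWLOCAL..8dqary dst=8.8.8.8 proto=17 "
    "service_id=domain-udp src=10.1.1.1 "
    "src_user_dn=CN\\=Admin Usuario DC\\=dominio,DC\\=local"
)


def _unescape(value: str) -> str:
    return value.replace("\\=", "=").replace("\\|", "|")


def parse_leef(line: str) -> Dict[str, Any]:
    """Return the header fields and attrs as key -> list of values; duplicates are kept."""
    parts = HEADER_SPLIT.split(line.rstrip("\r\n"), maxsplit=5)
    if len(parts) < 6 or not parts[0].startswith("LEEF:"):
        raise ValueError("not a LEEF record")
    vendor, product, product_version, event_id, rest = parts[1:6]
    delimiter: Optional[str] = None
    if parts[0] == "LEEF:2.0":
        m = DELIM_FIELD.match(rest)
        if m:
            token = m.group(1)
            delimiter = chr(int(token.lstrip("0x"), 16)) if len(token) > 1 else token
            rest = rest[m.end():]
    attrs: Dict[str, List[str]] = {}
    if delimiter is None:
        # No declared delimiter: locate key positions and take the text between them.
        hits = list(KEY_AT.finditer(rest))
        for i, m in enumerate(hits):
            end = hits[i + 1].start() if i + 1 < len(hits) else len(rest)
            attrs.setdefault(m.group(1), []).append(_unescape(rest[m.end():end].strip()))
    else:
        for token in rest.split(delimiter):
            kv = re.split(r"(?<!\\)=", token, maxsplit=1)  # first unescaped '='
            if len(kv) == 2:
                attrs.setdefault(kv[0].strip(), []).append(_unescape(kv[1].strip()))
    return {"leef_version": parts[0][5:], "vendor": vendor, "product": product,
            "product_version": product_version, "event_id": event_id,
            "delimiter": delimiter, "attrs": attrs}


def duplicate_keys(event: Dict[str, Any]) -> List[str]:
    """Keys that appear more than once; a flat key=value parser keeps only one of them."""
    return sorted(k for k, v in event["attrs"].items() if len(v) > 1)


def connection_tuple(event: Dict[str, Any]) -> Dict[str, Optional[str]]:
    """The fields the original post asks for. The Drop record has no dstPort and
    carries the port in 'service', so fall back to that."""
    attrs = event["attrs"]

    def first(key: str) -> Optional[str]:
        values = attrs.get(key)
        return values[0] if values else None

    return {"src": first("src"), "srcPort": first("srcPort"), "dst": first("dst"),
            "dstPort": first("dstPort") or first("service"), "proto": first("proto"),
            "action": event["event_id"]}


if __name__ == "__main__":
    for sample in (SAMPLE_DROP, SAMPLE_NAT):
        event = parse_leef(sample)
        print(connection_tuple(event))
        print("duplicated keys:", duplicate_keys(event) or "none")
```

Running it on the Drop record gives src 10.69.42.58, dst 239.255.255.250 and port 1900 taken from "service"; on the NAT record it reports seven duplicated keys (layer_name, layer_uuid, match_id, parent_rule, rule_action, rule_name, rule_uid), which is the mismatch the last reply is describing. When a delimiter is declared in the header (the "x09|" form), the parser splits on it instead of guessing at whitespace, which is the safer way to carry values that themselves contain spaces, such as the user and rule names above.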