This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
vijayreddy
Explorer
‎2019-09-23 05:52 PM

CheckPoint R80.20 Management- Qradar Integration- Unknown Events (LEEF)

Hello  folks

 

I am using R80.20 Management server to manage gateways and sending logs to QRADAR using syslog via leef format. QRADAR throws connections from gateways as unknown event /unkown firewall event. 

I am specifically looking for source,destination and destination port on QRADAR for the logs which were sent from management server. 

Does anyone face similar issue ? What format is the best practice to use so that QRADAR recognizes events from logs sent by checkpoint management server ? 

 

QRADAR version: v7.3.2

 

Configuration on management server using log exporter to send logs to QRADAR

name: USECHKMGMT

     enabled: true

     target-server: QRADAR IP

     target-port: 514

     protocol: tcp

     format: leef

     read-mode: raw

 

QRADAR config: 

 

Log Source Type               Check Point

Protocol Configuration 

Log Source Identifier     

Management server ip

Enabled               

Credibility           

Target Event Collector   

Coalescing Events           

Incoming Payload Encoding

 

QRADAR unable to identify the log type on leef method. I have tried syslog, cef and generic format as well but all results are same. 

Qradar log : tempsnip.png

LEEF:2.0|Check Point|VPN-1 & FireWall-1|1.0|Drop|cat=Drop	devTime=1569285537	srcPort=63030	ifdir=inbound	ifname=WAN	loguid={0x5d8966c2,0x0,0xe5141fac,0x3fffaeca}	origin=10.69.42.13	version=1	dst=239.255.255.250	inzone=External	origin_sic_name=CN\=US-FRID-FW-1,O\=usechkmgmt..g553k9	product=VPN-1 & FireWall-1	proto=17	rule=5	rule_name=Cleanup rule	rule_uid={F700F5BC-5D35-4496-A868-C42E4E080F1B}	service=1900	src=10.69.42.58

 

0 Kudos
5 Replies
PhoneBoy
Admin
Admin
‎2019-09-23 09:00 PM

Have you tried the troubleshooting tips IBM provides for this? https://www-01.ibm.com/support/docview.wss?uid=ibm10876650
This was linked in the QRadar Docs: https://www.ibm.com/support/knowledgecenter/SS42VS_DSM/com.ibm.dsm.doc/t_DSM_guide_sending_Checkpoin...
0 Kudos
Yaakov_Ohayon
Employee
Employee
‎2019-09-24 12:03 AM
In response to PhoneBoy

Hi,

There currently an effort for validating log exporter's LEEF format with IBM.

The effort is being done by both Check Point and IBM developers and is very close to the end.

 

The instructions provided by IBM are the temporary changes that showed progress in Qradar parsers but are not the final changes.

Thanks.

PhoneBoy
Admin
Admin
‎2019-09-24 08:37 AM
In response to Yaakov_Ohayon

Thanks for clarifying, wasn't 100% sure of the state of our integration with QRadar.
0 Kudos
Beja
Contributor
‎2020-04-02 05:39 PM
In response to Yaakov_Ohayon

Hi there.

you know if now is 100% compatible LEEF in R80.20 for IBM QRADAR?

Regards.

0 Kudos
Beja
Contributor
‎2020-06-04 08:02 AM
In response to Beja

Hi there!

news?

We are facing few format mismatch right now when NAT rule are applied.

For example:

 

LEEF:2.0|Check Point|FG AND VPN-1 & FireWall-1|1.0|Accept|devTime=1591281065 srcPort=56619 dstPort=53 srcPostNAT=publicIPaddress dstPostNAT=0.0.0.0 usrName=Admin anyuser (admin.anyuser) srcPostNATPort=24544 dstPostNATPort=0 layer_name=Network layer_name=Layer1 layer_uuid=713fedc7-6186-425c-a2a6-ac817a971cd5 layer_uuid=563cff80-2724-49bd-b396-71b2e147615f match_id=120 match_id=134217768 parent_rule=0 parent_rule=120 rule_action=Inline rule_action=Accept rule_name=Desde red 10.10.10.0_23 rule_name=Navegacion rule_uid=b2a832b6-ef07-4337-863f-ebd1cef4cfb4 rule_uid=810b8f02-da0f-4bf5-81aa-544c6776326d ifdir=inbound ifname=bond1.21 logid=0 loguid={0x5ed905a9,0xe,0xa50a8307,0xf5ad3d0e} origin=10.1.0.1 originsicname=CN\=FWLOCAL1,O\=FWLOCAL..8dqary sequencenum=125 version=5 dst=8.8.8.8 fg-1_client_in_rule_name=Default fg-1_client_out_rule_name=Default fg-1_server_in_rule_name=Default fg-1_server_out_rule_name=Default hll_key=249433924800804892 https_inspection_action=Bypass inzone=Internal lastupdatetime=1591281065 nat_addtnl_rulenum=0 nat_rulenum=0 outzone=External proto=17 security_inzone=MgmtZone service_id=domain-udp src=10.1.1.1 src_machine_name=maquina@dominio.local src_user_dn=CN\=Admin Usuario DC\=dominio,DC\=local

Preview file
299 KB
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events