This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
vijayreddy
Explorer
‎2019-09-23 05:52 PM

CheckPoint R80.20 Management- Qradar Integration- Unknown Events (LEEF)

Hello  folks

 

I am using R80.20 Management server to manage gateways and sending logs to QRADAR using syslog via leef format. QRADAR throws connections from gateways as unknown event /unkown firewall event. 

I am specifically looking for source,destination and destination port on QRADAR for the logs which were sent from management server. 

Does anyone face similar issue ? What format is the best practice to use so that QRADAR recognizes events from logs sent by checkpoint management server ? 

 

QRADAR version: v7.3.2

 

Configuration on management server using log exporter to send logs to QRADAR

name: USECHKMGMT

     enabled: true

     target-server: QRADAR IP

     target-port: 514

     protocol: tcp

     format: leef

     read-mode: raw

 

QRADAR config: 

 

Log Source Type               Check Point

Protocol Configuration 

Log Source Identifier     

Management server ip

Enabled               

Credibility           

Target Event Collector   

Coalescing Events           

Incoming Payload Encoding

 

QRADAR unable to identify the log type on leef method. I have tried syslog, cef and generic format as well but all results are same. 

Qradar log : tempsnip.png

LEEF:2.0|Check Point|VPN-1 & FireWall-1|1.0|Drop|cat=Drop	devTime=1569285537	srcPort=63030	ifdir=inbound	ifname=WAN	loguid={0x5d8966c2,0x0,0xe5141fac,0x3fffaeca}	origin=10.69.42.13	version=1	dst=239.255.255.250	inzone=External	origin_sic_name=CN\=US-FRID-FW-1,O\=usechkmgmt..g553k9	product=VPN-1 & FireWall-1	proto=17	rule=5	rule_name=Cleanup rule	rule_uid={F700F5BC-5D35-4496-A868-C42E4E080F1B}	service=1900	src=10.69.42.58

 

0 Kudos
5 Replies
This widget could not be displayed.

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    Virtual

    Tue 23 Apr 2024 @ 11:00 AM (EDT)

    East US: What's New in R82
    Virtual

    Thu 25 Apr 2024 @ 11:00 AM (SGT)

    APAC: CPX 2024 Recap

    Thu 25 Apr 2024 @ 10:00 AM (CEST)

    The Anatomy of a Cloud Hack by NotSoSecure - EMEA Session

    Thu 25 Apr 2024 @ 06:00 PM (IDT)

    The Anatomy of a Cloud Hack by NotSoSecure - America Session
    Virtual

    Tue 30 Apr 2024 @ 03:00 PM (CDT)

    EMEA: CPX 2024 Recap
    Virtual

    Thu 02 May 2024 @ 11:00 AM (SGT)

    APAC: What's new in R82
    Virtual

    Tue 23 Apr 2024 @ 11:00 AM (EDT)

    East US: What's New in R82
    Virtual

    Thu 25 Apr 2024 @ 11:00 AM (SGT)

    APAC: CPX 2024 Recap
    Virtual

    Tue 30 Apr 2024 @ 03:00 PM (CDT)

    EMEA: CPX 2024 Recap
    Virtual

    Thu 02 May 2024 @ 11:00 AM (SGT)

    APAC: What's new in R82
    Virtual

    Thu 02 May 2024 @ 04:00 PM (CEST)

    CheckMates Live DACH - Keine Kompromisse - Sicheres SD-WAN
    Virtual

    Thu 02 May 2024 @ 05:00 PM (CEST)

    SASE Masters: Deploying Harmony SASE for a 6,000-Strong Workforce in a Single Weekend
    CheckMates Events