Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Prashant_YADAV1
Contributor

Checkpoint log exporter and NAT filter

Hello Experts,

 

i have a requirement to export log from checkpoint log server and filter the NAT log before sending to syslog server.

 

i have configured the log exporter as 

 

name: NATsysLOG domain-server: : XYZZ1
enabled: true
target-server: 10.10.10.10
target-port: 514
protocol: tcp
format: generic
read-mode: raw
export-attachment-ids: false
export-link: false
export-attachment-link: false
time-in-milli: false
export-log-position: Not configured, using default
reconnect-interval: Not configured, using default

 

and then i put a NAT filter in 

$EXPORTERDIR/targets 

targetConfiguration.xml

<?xml version="1.0" encoding="utf-8"?>
<export id="targetObjectUID"><!--object uuid!-->
<version>9</version> <!-- Version of this file-->
<is_enabled>true</is_enabled><!--Is the process allowed to run, and start on cpstart-->
<!-- Destination section defines the properties of the export target -->
<destination type="syslog"> <!-- Target output type -->
<ip>10.10.10.10</ip><!--the ip of the syslog server-->
<port>514</port><!--the port on which the syslog is listening to-->
<protocol>tcp</protocol><!--udp/tcp-->
<!--the configuration of tls-->
<transport>
<security></security><!--clear/tls-->
<!-- the following section is relevant only if <security> is tls -->
<pem_ca_file></pem_ca_file>
<p12_certificate_file></p12_certificate_file>
<client_certificate_challenge_phrase></client_certificate_challenge_phrase>
</transport>
<reconnect_interval></reconnect_interval><!-- Shedule reconnection to the destination server (empty to disable [default] | number of minute s) -->
</destination>
<!-- Enrichment configuration, exporting domain server name, orig_log_server uuid and orig_log_server ip -->
<data_enrichment>
<export_domain>false</export_domain>
<export_orig_log_server>false</export_orig_log_server>
</data_enrichment>
<!-- Filter Configuration -->
<dynamicFilter>conf/FilterConfiguration.xml</dynamicFilter>
<!-- Source section defines the properties of the input stream that will be exported -->
<source>
<log_files>1</log_files><!-- on-line[default] | read logs from [number] days back (recommended) | specific file name -->
<log_types></log_types><!--all[default]|log|audit/-->
<folder></folder><!--$FWDIR/log[default]|specific path-->
<read_mode>raw</read_mode><!--raw|semi-unified[default]/-->
</source>
<export_log_position>false</export_log_position> <!-- True | False /-->
<export_log_link>false</export_log_link> <!-- True | False /-->
<export_attachment_link>false</export_attachment_link> <!-- True | False /-->
<export_link_ip></export_link_ip> <!-- empty [defaut] | external IP /-->
<export_attachment_ids>false</export_attachment_ids> <!-- True | False /-->
<!-- Format section determines the form (headers and mappings) of the exported logs -->
<format type="generic"> <!--syslog | cef | rsa | leef | generic | splunk | this parameter may differ from the type of destination, for exa mple, destination type = files/format type = CEF -->
<resolver>
<mappingConfiguration>GenericFieldsMapping.xml</mappingConfiguration><!--if empty the fields are sent as is without renaming-->
<exportAllFields>false</exportAllFields> <!--in case exportAllFields=true - exported element in fieldsMapping.xml is ignored and fields not from fieldsMapping.xml are exported as notMappedField field-->
</resolver>
<!-- Format header configuration (actual to CEF see ./conf directory) -->
<formatHeaderFile></formatHeaderFile>
</format>
<!-- Time In Milli Seconds -->
<time_in_milli>false</time_in_milli>
<!-- The following section is for future use of log filtering, please do not modify these values -->
<filter filter_out_by_connection="false">
<field name="product">
<value>VPN-1 &amp; FireWall-1</value>
<value>HTTPS Inspection</value>
<value>VPN-1</value>
<value>Security Gateway/Management</value>
<value>Firewall</value>
<value>FG</value>
</field>
<field name="fw_subproduct">
<value>VPN-1 &amp; FireWall-1</value>
<value>HTTPS Inspection</value>
<value>VPN-1</value>
<value>Security Gateway/Management</value>
<value>Firewall</value>
<value>FG</value>
</field>
</filter>


</export>

 

 

========

 

and then in 

GenericFieldsMapping.xml

below is the config

<?xml version="1.0" encoding="utf-8"?>
<fields>
<!-- Filter out fields -->
<field><origName>subscriber</origName><exported>true</exported></field>

<field><origName>xlatesrc</origName><exported>true</exported></field>

<field><origName>xlatesint</origName><exported>true</exported></field>

<field><origName>xlatedst</origName><exported>true</exported></field>

<field><origName>xlatedint</origName><exported>true</exported></field>

<field><origName>hide_ip</origName><exported>ture</exported></field>

<field><origName>nat_rulenum</origName><exported>true</exported></field>

<field><origName>end_time</origName><exported>ture</exported></field>

<field><origName>__policy_id_tag</origName><exported>true</exported></field>

<field><origName>milliseconds</origName><exported>true</exported></field>
<!-- End of filter out -->
</fields>

 

the export is working but i do not see all exported field

 

i can only see below

 

Aug 5 12:11:50 10.10.10.20 time="" xlatesrc="1.1.1.1" xlatedst="0.0.0.0" nat_rulenum="787" __policy_id_tag="product=VPN-1 & FireWall-1[db_tag={6EAEC28E-0EBC-FB49-A16A-023A1F73AF95};mgmt=MGMT-SERVER;date=1659604047;policy_name=Test]"

 

why i do not see 

xlatesint

xlatedint

 

 

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

Security Gateway - NAT Fields
allocated_portsAllocated PortsintAmount of allocated NAT portsR80.40
capacityCapacityintCapacity of the NAT portsR80.40
ports_usagePorts UsageintPercentage of allocated NAT portsR80.40
nat_exhausted_pool

Nat Exhausted Pool

string4-tuple of an exhausted NAT pool

R80.40

R80.10 - R80.30 Jumbo Hotfixes

xlatesrcXlate (NAT) Source IPipaddrSource IPv4 address after applying NAT 
xlatedstXlate (NAT) Destination IPipaddrDestination IPv4 address after applying NAT 
xlatesintXlate (NAT) Source PortintSource port after applying Hide NAT on the source IP address 
xlatedintXlate (NAT) Destination PortintDestination port after applying NAT 
nat_rulenumNAT Rule NumberintNAT rulebase first matched rule 
nat_addtnl_rulenumNAT Additional Rule NumberintWhen matching 2 automatic rules, the second rule match is shown. Otherwise, this field has the value 0. 
message_infoMessage InformationstringUsed for information messages, for example:
NAT connection has ended
 
nat46N/AstringNAT46 status
In most cases "enabled"
 
end_timeN/AtimestmpTCP connection end time 
tcp_end_reasonN/AstringReason for TCP connection closure 
nat_rulenumNAT Rule NumberintNAT rulebase first matched rule 
cgnetN/AstringDescribes the NAT allocation for specific subscriber 
subscriberN/AipaddrSource IP address before CGNAT 
hide_ipN/AipaddrSource IP address to be used after CGNAT 
int_startN/AintSubscriber start integer to be used for NAT 
int_endN/AintSubscriber end integer to be used for NAT 
Security Gateway - SecureXL Fields
drop_reasonDrop ReasonstringAggregated logs of dropped packets 
packet_amountN/AintNumber of packets dropped 
packetsPacketsstringConnection tuple:
Source IP address
Source Port
Destination IP address
Destination Port
Protocol Number
 
monitor_reasonN/AstringAggregated logs of monitored packets 
message_infoMessage InformationstringInformation on multicast packet dropped 
drops_amountN/AintAmount of multicast packets dropped 
securexl_messageN/AstringTwo options for a SecureXL message:
1. Missed accounting records after heavy load on the logging system
2. FireWall log message regarding a packet drop
 
conns_amountN/AintNumber of connections in the aggregated log 
aggregation_infoN/AstringList of aggregated source connections

 

0 Kudos
3 Replies
G_W_Albrecht
Legend Legend
Legend

So you can see the fields 

xlatesint

xlatedint

in CP logs but not in log export ?

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
Prashant_YADAV1
Contributor

Hello Albrecht,

yes, we can see the entry in the smart log.

Thanks 

Prashant

 

 

0 Kudos
G_W_Albrecht
Legend Legend
Legend

Then I would suggest to contact TAC to get this resolved !

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events