Firewall R80.30 Log Exporter Configuration Help

zposz · ‎2020-10-15

Hello I am trying to send my CP Firewall logs to Azure and in order to reduce cost we are trying to tune which logs we are actually sending. I have been using the link below to try and set this up and I can't quite get it to work properly.
https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

I am trying to exclude specific logs using destination ip, source ip and port. It is still exporting the logs.

This is what I have in my FilterConfiguration.xml. I have excluded the real IPs for security purposes.

<filters>
        <filterGroup operator="and">
                <field name="action" operator="and">
                </field>
                <field name="origin" operator="and">
                </field>
                <field name="product" operator="and">
                </field>
                <field name="dst_ip" operator="and">
                        <value operation="neq">1.2.3.4</value>
                </field>
                <field name="src_ip" operator="and">
                        <value operation="neq">1.2.3.4</value>
                </field>
				<field name="s_port" operator="and">
                        <value operation="neq">443</value>
                </field>
        </filterGroup>
</filters>

zposz · ‎2020-10-16

I ended up figuring this out on my own. Though it states that dst_ip and src_ip are available fields. It only worked if I used dst and src instead.

Are you a member of CheckMates?

Firewall R80.30 Log Exporter Configuration Help