jmcclymont
Participant

Set export filter for every product without security gateway

Hello @All,

I have the problem that I want to export only data from IPS, Threat Emulation, Application Control, etc., BUT without data from the Security Gateway. All normal firewall drops, rejects, etc. should not be transferred.

How can I do this?

Thx

Jeff

4 Replies
Dan_Zada
Employee Alumnus

Hi,
Do you mean exporting the logs using Log Exporter to a 3rd-party syslog/SIEM?
If this is what you are looking for, you can read more about the Log Exporter filtering capabilities in sk122323.
jmcclymont
Participant

Hello Dan,

Yes, I want to export it to Splunk with the Check Point app.

In the knowledge base I find samples and info on filtering to a product: filter-product-in "". In this case I must add all products. I am looking for a filter like filter-product-out "Security Gateway".

Maybe I can use the XML file for the filter:

<filters>
   <filterGroup operator="or">
      <field name="product" operator="or">
         <value operation="eq">Secure Gateway</value>
      </field>
   </filterGroup>
</filters>

Thx, Jeff

Dror_Aharony
Employee

If you'd only like to exclude FW connections, then you may be able to use the other filter-out-connections option instead of the filtering options - see option #1:

#1. Only filtering out the FW connections may be simpler and good enough for you.

Go to the relevant exporter: cd $EXPORTERDIR/targets/<deployment_name>

Back up the file: cp targetConfiguration.xml{,.Orig}

Edit: vim targetConfiguration.xml

Change false to true:

<filter filter_out_by_connection="true">

Save & restart: cp_log_export restart <name>


#2. You could also set filter-blade-in "TP" for all Threat Prevention blades, but that won't include Application Control and other access blades, so
add a few more blades like APPI & URL-F & more...

filter-blade-in "TP,"Application Control","URL Filtering""

Add all these access blades as well, comma (,) separated, as I've shown here & in the sk (FilterConfiguration).

<value operation="eq">Application Control</value>
<value operation="eq">URL Filtering</value>
<value operation="eq">Content Awareness</value>
<value operation="eq">Connectra</value>
<value operation="eq">Mobile Access</value>
<value operation="eq">Compliance blade</value>
<value operation="eq">Core</value>
<value operation="eq">DDoS Protector</value>
<value operation="eq">Identity Awareness</value>
<value operation="eq">Identity Logging</value>
<value operation="eq">UA WebAccess</value>


Save & restart: cp_log_export restart <name>

From the Log Exporter sk (relevant section here):

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...)

Filter out firewall connections Parameters

The Log Exporter solution supports several filtering options, as detailed in the section above. In this section, we will go over each option.

Filters logs based on blade

In the current release, we have limited blade-related filtering. This functionality will be expanded upon in future releases.

You can filter out firewall connection logs ('Firewall-1 & VPN-1', 'HTTPS Inspection' and 'Security Gateway/Management').

Parameter: <filter filter_out_by_connection="false">

Description: Determines if the Access logs should be filtered out. When set to 'true', VPN-1 & Firewall-1 connection logs will be filtered out.

Note: No other blade filters are currently supported. This will be expanded upon in future releases.

Possible/Default Values: true / false

Note: Firewall session logs will still be exported (generated by tracking a firewall rule per Session).

Limitation: HTTPS Inspection logs, non-rulebase-generated Firewall logs and a few Firewall NAT update logs will still be exported.

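The two approaches in the reply above, worked through as an added example (this is not code from the thread or from Check Point): approach #1 backs up a copy of targetConfiguration.xml and flips filter_out_by_connection, refusing values other than true/false and files that do not carry the attribute; approach #2 builds a <filters> block that passes only the listed products, using the <filterGroup>/<field name="product"> layout posted earlier in the thread. The sample configuration file is constructed and only stands in for the real file under $EXPORTERDIR/targets/<deployment_name>; the exact product strings for IPS and Threat Emulation are not given in the thread, so the demo uses the access-blade names that are. The restart command is left as a comment because it only exists on the exporter host.

```shell
#!/bin/sh
# Added example: edits a stand-in for targetConfiguration.xml offline.
# The <filter filter_out_by_connection="..."> element is taken from the sk
# excerpt quoted in the thread; everything else in the sample is constructed.
set -e

# Writes a constructed stand-in for targetConfiguration.xml to the path in $1.
make_sample_config() {
    cat > "$1" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<targetConfiguration>
    <target_server>192.0.2.10</target_server>
    <filter filter_out_by_connection="false">
    </filter>
</targetConfiguration>
EOF
}

# Prints the current value of filter_out_by_connection ("true" or "false").
get_filter_out_by_connection() {
    sed -n 's/.*filter_out_by_connection="\([a-z]*\)".*/\1/p' "$1" | head -n 1
}

# Approach #1: back up the file, then set filter_out_by_connection to $2.
# Rejects anything but true/false and refuses to touch a file without the
# attribute, so a typo cannot silently leave the exporter with no filter.
set_filter_out_by_connection() {
    cfg=$1; val=$2
    case $val in
        true|false) ;;
        *) echo "value must be true or false, got '$val'" >&2; return 2 ;;
    esac
    grep -q 'filter_out_by_connection="' "$cfg" || {
        echo "no filter_out_by_connection attribute in $cfg" >&2; return 1
    }
    cp "$cfg" "$cfg.Orig"   # same backup the thread takes before editing
    sed 's/filter_out_by_connection="[a-z]*"/filter_out_by_connection="'"$val"'"/' \
        "$cfg" > "$cfg.tmp" && mv "$cfg.tmp" "$cfg"
    # On the real exporter host, finish with the restart shown in the thread:
    #   cp_log_export restart <name>
}

# Approach #2: emit a <filters> block that passes only the products in the
# comma-separated list $1. Each entry becomes one <value operation="eq">.
build_product_filter() {
    printf '<filters>\n    <filterGroup operator="or">\n        <field name="product" operator="or">\n'
    printf '%s\n' "$1" | tr ',' '\n' | while IFS= read -r product; do
        [ -n "$product" ] || continue
        printf '            <value operation="eq">%s</value>\n' "$product"
    done
    printf '        </field>\n    </filterGroup>\n</filters>\n'
}

# Counts the <value> elements in a filter block read from stdin.
count_filter_values() {
    grep -c '<value operation="eq">' || true
}

# Stand-alone demonstration on a temporary file.
demo() {
    cfg=$(mktemp)
    make_sample_config "$cfg"
    set_filter_out_by_connection "$cfg" true
    get_filter_out_by_connection "$cfg"
    build_product_filter "Application Control,URL Filtering,Identity Awareness"
    rm -f "$cfg" "$cfg.Orig"
}
demo
```

Note that approach #1 still lets Firewall session logs, HTTPS Inspection logs and a few NAT update logs through, as the sk excerpt states, so check the Splunk side after the restart rather than assuming the attribute alone removes every Security Gateway event.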
jmcclymont
Participant

Hi,

You are my hero. I think that's what I need. I will test it.

Thx and greetings from Germany

Jeff
