This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
TSOL
Advisor
a month ago

Direct log forwarding from Quantum Spark to on-prem SIEM

Hi experts,

We are currently using multiple Quantum Spark appliances managed by Smart-1 Cloud.
We are planning to introduce an on-prem SIEM(include syslog feature) in order to perform correlation analysis
together with logs from our other network devices.

However, when using the Smart-1 Cloud Log Exporter, log forwarding is subject to
ingestion-based billing. To avoid additional costs, we would prefer to have the
Gateway itself send logs directly to our on-prem SIEM server.

I would like to ask for clarification on the following points:

1. Under Smart-1 Cloud management, is it possible for a Gateway to send logs
both to an external SIEM server and to Smart-1 Cloud at the same time?

2. If direct log forwarding from the Gateway is supported, does it require any
additional licenses?

Our intention is to continue using Smart-1 Cloud for management, while forwarding logs
independently from the Gateway directly to our SIEM.

If anyone has experience with this setup or detailed knowledge of the official
specifications, your guidance would be greatly appreciated.

Thank you in advance.

0 Kudos
6 Replies
Chris_Atkinson
MVP Platinum CHKP MVP Platinum CHKP
MVP Platinum CHKP
a month ago

Typically configuring a syslog server entry in GAiA OS would yield only local OS logs, security logs come via the Management.

CCSM R77/R80/ELITE
0 Kudos
Pedro_Espindola
Advisor
3 weeks ago
In response to Chris_Atkinson

In Spark appliances, both system logs and security logs are available. They are Gaia Embedded, a whole different creature.

0 Kudos
AkosBakos
MVP Silver
MVP Silver
a month ago

Hi @TSOL 

Maybe this is what are you looking for 🙂

https://sc1.checkpoint.com/documents/Appliances/Quantum_Spark_R82.00.X/CLI/EN/Content/Topics/add-net...

Akos

----------------
\m/_(>_<)_\m/
0 Kudos
PhoneBoy
Admin
Admin
4 weeks ago
In response to AkosBakos

Not sure SIEMs can injest Netflow.
Also, Netflow only communicates active connections.

0 Kudos
PhoneBoy
Admin
Admin
4 weeks ago

For regular (non-SMB) gateways, there is: https://support.checkpoint.com/results/sk/sk87560 
Note this only gets firewall logs, not logs for other blades.
Not sure you can set an external syslog server for security logs on a centrally managed SMB.

0 Kudos
Pedro_Espindola
Advisor
3 weeks ago

Yes, you can send logs directly to a SIEM, but it is done locally on the Spark appliance, not through Smart-1 Cloud.

Just go to the WebUI and create an external log server and check the system logs and security logs boxes.

The downside is that the logs sent by Spark are a pain to parse, while Smart-1 cloud will give you a beautiful JSON.

The upside is that you can send the logs to a local forwarder with a queue/cache and not lose logs in case the internet is down.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events