Check Point Firewall
Version: CheckPoint version R80.10 and above
CheckPoint is a cyber security architecture which offers the perfect combination of proven security, easy deployment, and effective management by consolidating key security applications (firewall, VPN, intrusion prevention, antivirus, and more) into a single, efficiently managed solution.
Netsurion’s Open XDR platform integrates with CheckPoint, collects logs from it, and creates detailed reports, alerts, dashboards, and saved searches. These attributes of Netsurion help users view and receive critical and relevant information with respect to security, operations, and compliance.
Reports contain a detailed summary of events such as failed user authentications, successful authentications on network devices, firewall allowed and denied traffic, anti-malware events, data loss prevention events, VPN login and logout, and many more, presented as column-value pairs.
Alerts are triggered as soon as a critical event is received by Netsurion’s Open XDR platform for CheckPoint, such as a failed authentication, an invalid HTTP request from an endpoint, or detection of a DLP event.
Dashboards represent activities occurring in CheckPoint. These include actions applied to endpoint requests, a summary of DLP events, firewall traffic events by source and destination IP address, etc.
These attributes or configurations of Netsurion allow administrators to quickly take appropriate action against any threat or adversary trying to jeopardize an organization’s normal operation.
Once CheckPoint is configured to deliver events to the Netsurion manager, alerts, dashboards, and reports can be configured in Netsurion.
Alerts
Type | Name | Description |
---|---|---|
Security | CheckPoint – Attacks detected | This alert is triggered when an event associated with intrusion prevention is logged by CheckPoint. |
Security | CheckPoint – Configuration Changes detected | This alert is triggered when a user performs configuration changes in CheckPoint. |
Security | CheckPoint – DLP event has been detected | This alert is triggered when an event associated with data loss prevention is logged by CheckPoint. |
Security | CheckPoint – Failed login attempt detected | This alert is triggered when an endpoint user/machine has a failed login attempt. |
Reports
Type | Name | Description |
---|---|---|
Security | Checkpoint – Failed login activity | This report outlines the summary of endpoint user/machine failed login activity. It includes username, source IP address, authentication type, identity type, log datetime, etc. |
Security | Checkpoint – URL Filtering activities | This report outlines the summary of events related to URL filtering, which controls access to millions of websites by category, user, group, and machine to protect users from malicious sites. It includes URL accessed, endpoint IP, user agent, log datetime, etc. |
Security | Checkpoint – Attacks Detected | This report outlines the summary of events related to intrusion prevention. It includes URL, protocol type, attack severity, protection name/type, attack category, etc. |
Security | Checkpoint – DLP activities | This report outlines the summary of data loss prevention events. It includes action type, sender address, recipient address, email subject, scanning direction, etc. |
Security | Checkpoint – Anti Malware activities | This report outlines the summary of events associated with anti-malware activities, i.e. events where viruses, spyware, keystroke loggers, trojans, and rootkits are identified using signatures, behavior blockers, and heuristic analysis. It includes endpoint username, anti-virus name, event type, OS name/version, scan status, etc. |
Security | Checkpoint – Denied traffic activities | This report outlines the summary of denied traffic in the CheckPoint firewall. It includes source IP address, destination address, action type, service ID, etc. |
Operations | Checkpoint – VPN login and logout | This report outlines the summary of VPN/SSLVPN login and logout activities. It includes endpoint IP address, login option, failure reason, etc. |
Operations | Checkpoint – Logout activity | This report outlines the summary of endpoint user/machine logout activity. It includes username, source IP address, authentication type, identity type, log datetime, etc. |
Operations | Checkpoint – Login activity | This report outlines the summary of endpoint user login activity. It includes username, source IP address, authentication type, log datetime, etc. |
Compliance | Checkpoint – HTTPS Inspection activities | This report outlines the summary of events related to traffic encrypted with HTTPS. It includes URL, endpoint IP address, source port, action type, application category, etc. |
Documentation:
The configuration details are consistent with Netsurion version 9.2 and later and CheckPoint version R80.10 and above.
Download the Integration Guide and How-to Guide for more information and configuration instructions.