Check Point Firewall

OverviewResources

Once CheckPoint is configured to deliver events to EventTracker manager alerts, dashboards, and reports can be configured into EventTracker.

Security

Alerts

CheckPoint: Attacks detected - This alert is triggered when an event associated with intrusion prevention is logged by CheckPoint.
CheckPoint: Configuration Changes detected - This alert is triggered when a user performs configuration changes in CheckPoint.
CheckPoint: DLP event has been detected – This alert is triggered when an event associated with data Loss and prevention is logged by CheckPoint.
CheckPoint: Failed login attempt detected - This alert is triggered when an endpoint user/machine had a failed login attempt.

Reports

Checkpoint - Failed login activity – This report outlines the summary of endpoint user/machine failed login activity. It includes, username, source IP address, authentication type, Identity type, log datetime, etc.
Checkpoint - URL Filtering activities – This report outlines the summary of events that are related to URL filtering that controls access to millions of web sites by category, users, groups, and machines to protect users from malicious sites. It includes, URL accessed, endpoint IP, user agent, log datetime, etc.
Checkpoint - Attacks Detected - This report outlines the summary of events that are related to intrusion prevention. It includes, URL, protocol type, attack severity, protection name/type, attack category, etc.
Checkpoint - DLP activities – This report outlines the summary of data loss and prevention events. It includes, action type, sender address, recipient address, email subject, scanning direction, etc.
Checkpoint - Anti Malware activities - This report outlines the summary of events that are associated with anti-malware activities, i.e. events where viruses, spyware, keystroke loggers, trojans and rootkits are identified using signatures, behavior blockers and heuristic analysis. It includes, endpoint username, anti-virus name, event type, OS name/version, scan status, etc.
Checkpoint - Denied traffic activities – This report outlines the summary of denied traffic in CheckPoint firewall. It includes, source IP address, destination address, action type, service Id, etc.

Operations

Reports

Checkpoint - VPN login and logout – This report outlines the summary of VPN/SSLVPN login and logout activities. It includes, endpoint IP address, login option, failure reason, etc.
Checkpoint - Logout activity - This report outlines the summary of endpoint user/machine logout activity. It includes, username, source IP address, authentication type, Identity type, log datetime, etc.
Checkpoint - Login activity - This report outlines the summary of endpoint user login activity. It includes, username, source IP address, authentication type, log datetime, etc.

Compliance

Reports

Checkpoint - HTTPS Inspection activities – This report outlines the summary of events that are related to traffic that are encrypted by HTTPS. It includes, URL, endpoint IP address, source port, action type, application category, etc.

Scope

The configuration details are consistent with EventTracker version 9.2 and later, CheckPoint version R80.10 and above.

Documentation:

To configure CheckPoint to send logs to EventTracker, refer the How to Guide.

For more information please refer the Integration guide