How to collect data from Check Point Firewall

This document describes how to add a new data source - Check Point Firewall, via syslog forwarding.

Before you can add the data source to CYBERQUEST, you must forward events to the IP Address of the CQ server on port 5140 UDP.

To add a new data source you will need to follow the steps below:

You must be logged in to the CYBERQUEST web interface with a user with administrative rights.

Navigate to "Settings > Management > Data Source Manager".

Alt text

This page contains all the data sources added in the CYBERQUEST application.

Alt text

Press the "Add data-source" button and complete de following form:

Alt text

DataSource Type: Select "Syslog / CheckPoint Firewall Syslog (LogName: CheckPointFirewall)" data source to interpret Check Point Firewall events;

DataSource Information: This field is filled in automatically with data source information;

Tag: This field is filled in automatically, but you can change the information;

Annonymize Fields: You can select certain information to be anonymized. You can select one or more options;

IPList: Complete IP of this data source. You can add one or more;

Click the "Save" button to save the data source.

The next step is to assign the CYBERQUEST agent to this data source. Press the drop-down list and choose the agent:

Alt text

To edit the data sources information, press "Edit" button Alt text . This process is almost identical to adding data sources.

Bulk Clone Alt Image : Clone the current data source settings for each element of the field “Bulk Clone”.

Clone Alt Image : Clone the data source.

You can also delete the data source by pressing "Delete" button. To delete data source you must remove Agent from data source.