How to collect data from Check Point Firewall
This document describes how to add a new data source - Check Point Firewall, via syslog forwarding.
Before you can add the data source to CYBERQUEST, you must forward events to the IP Address of the CQ server on port 5140 UDP.
To add a new data source you will need to follow the steps below:
Navigate to Settings
You must be logged in to the CYBERQUEST web interface with a user with administrative rights.
Navigate to "Settings > Management > Data Source Manager".
This page contains all the data sources added in the CYBERQUEST application.
Add data source
Press the "Add data-source" button and complete de following form:
DataSource Type: Select "Syslog / CheckPoint Firewall Syslog (LogName: CheckPointFirewall)" data source to interpret Check Point Firewall events;
DataSource Information: This field is filled in automatically with data source information;
Tag: This field is filled in automatically, but you can change the information;
Annonymize Fields: You can select certain information to be anonymized. You can select one or more options;
IPList: Complete IP of this data source. You can add one or more;
Click the "Save" button to save the data source.
Assign the CYBERQUEST agent
The next step is to assign the CYBERQUEST agent to this data source. Press the drop-down list and choose the agent:
To edit the data sources information, press "Edit" button. This process is almost identical to adding data sources.
Bulk Clone : Clone the current data source settings for each element of the field “Bulk Clone”.
Clone : Clone the data source.
You can also delete the data source by pressing "Delete" button. To delete data source you must remove Agent from data source.