External Systems Configuration Guide

Check Point Provider-1 Firewall

What is Discovered and Monitored

| Protocol | Information Discovered | Metrics collected | Used for |
|---|---|---|---|
| SNMP | Host name, Firewall model and version, Network interfaces | Uptime, CPU and Memory utilization, Network Interface metrics (utilization, bytes sent and received, packets sent and received, errors, discards and queue lengths), Firewall connection count | Availability and Performance Monitoring |
| LEA | | All traffic and system logs | Security and Compliance |

Event Types

There are no event types defined specifically for this device. 

Rules

There are no predefined rules for this device. 

Reports

There are no predefined reports for this device. 

Configuration Overview

The configuration of Check Point Provider-1 depends on the type of log that you want sent to FortiSIEM. There are two options:

  • Domain-level audit logs, which contain information such as domain creation, editing, etc.
  • Firewall logs, which include both audit logs for firewall policy creation, editing, etc., and traffic logs.

These logs are generated and stored among four different components:

  • Multi-Domain Server (MDS), where domains are configured and certificates have to be generated.
  • Multi-Domain Log Module (MLM), where domain logs are stored.
  • Customer Management Add-on (CMA), the customer management module.
  • Customer Log Module (CLM), which consolidates logs for an individual customer/domain.

Discover Paired Components on the Same Collector or Supervisor

Discovery of the MLM requires the certificate of the MDS, and discovery of the CLM requires the certificate of the CMA. Make sure that you discover the MDS & MLM pair, and the CMA & CLM pair, on the same Supervisor or Collector. If you attempt to discover them on separate Collectors, discovery will fail.  

Component Configuration for Domain-Level Audit Logs

  1. Configure MDS.
  2. Use the Client SIC obtained while configuring MDS to configure MLM.
  3. Pull logs from MLM.

Component Configuration for Firewall Logs

  1. Configure CMA.
  2. Use the Client SIC obtained while configuring CMA to configure CLM.
  3. Pull logs from CLM.
    If you want to pull firewall logs from a domain, you have to configure CLM for that domain. 
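
One way to check a discovery plan against the pairing rule and the per-domain CLM requirement above before running discovery. This is an added example, not Fortinet tooling; the plan format, component names, Collector names, and the assumption that each CMA & CLM pair is matched by domain are all hypothetical.

```python
# Added example: pre-flight check of a FortiSIEM discovery plan for Provider-1.
# The plan structure and every name in it are constructed for illustration.

# Log module -> component whose certificate its discovery requires (per the guide).
CERT_SOURCE = {"MLM": "MDS", "CLM": "CMA"}

def _scope(comp):
    # Assumption: CMA/CLM pairs are matched per domain; MDS/MLM are global.
    return comp["domain"] if comp["role"] in ("CMA", "CLM") else None

def check_plan(plan, firewall_log_domains=()):
    """Return a list of problems that would make discovery or log pulls fail."""
    problems = []
    index = {}
    for comp in plan:
        index.setdefault((comp["role"], _scope(comp)), []).append(comp)
    for comp in plan:
        source_role = CERT_SOURCE.get(comp["role"])
        if source_role is None:
            continue  # MDS and CMA do not depend on a partner certificate
        partners = index.get((source_role, _scope(comp)), [])
        if not partners:
            problems.append(f"{comp['name']}: no {source_role} in plan to supply its certificate")
        elif all(p["collector"] != comp["collector"] for p in partners):
            problems.append(
                f"{comp['name']}: on {comp['collector']} but its {source_role} is on "
                f"{partners[0]['collector']}; discover the pair on the same node")
    # Pulling firewall logs from a domain requires a CLM configured for that domain.
    for domain in firewall_log_domains:
        if ("CLM", domain) not in index:
            problems.append(f"domain {domain}: firewall logs wanted but no CLM configured")
    return problems

# Constructed sample plan: the MLM is on the wrong Collector and 'west' has no CLM.
PLAN = [
    {"name": "mds-1", "role": "MDS", "collector": "collector-a", "domain": None},
    {"name": "mlm-1", "role": "MLM", "collector": "collector-b", "domain": None},
    {"name": "cma-east", "role": "CMA", "collector": "collector-a", "domain": "east"},
    {"name": "clm-east", "role": "CLM", "collector": "collector-a", "domain": "east"},
    {"name": "cma-west", "role": "CMA", "collector": "collector-a", "domain": "west"},
]

if __name__ == "__main__":
    for line in check_plan(PLAN, firewall_log_domains=["east", "west"]):
        print(line)
```
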

See these topics for instructions on how to configure each component for Check Point Provider-1 firewalls.
