Syslog Integration with CheckPoint

Forwarding CheckPoint Logs to Syslog Server

This document captures the configuration of Syslog and logs of different blades that will be seen in SmartView Tracker and syslog with the following scenarios:

Scenario 1: R77.30 Mgmt and R77.30 GW, Syslog forwarded through Gateway (Limitation some logs will be hidden)

Scenario 2: R77.30 Mgmt and R77.30 GW, Syslog forwarded through Mgmt (Limitation all logs forwarded to /var/log/messages and then to syslog server)

Scenario 3: R80 Mgmt and R77.30 GW, Syslog forwarded through Mgmt (Limitation all logs forwarded to /var/log/messages and then to syslog server)

In this article, we have shown the logs of the below software blades:

1. Firewall

2. IPS

3. Anti-Virus

4. Anti-Bot

5. Application Control &

6. URL Filtering

Scenario 1: Forwarding the Traffic Logs from R77.30 Firewall to Syslog Server

In this scenario, am making the firewall to send the traffic logs to both Management Server and Syslog Server directly.

Note: Only Traffic logs can be seen on the Syslog server and there will be no /var/log/messages.

1. Install the R77.30 Add-on on Management Server via CPUSE.

2. Create the Syslog Server object in SmartDashboard.

3. Under “Send logs and alerts to these log servers”, add the Syslog server object along with the original management server object.

4. Enable the fwsyslog_enable parameter on the Firewall either on-the fly or permanent and install the Policy.

Firewall Software Blade Log:

1. Accessed the website https://qostechnology.in/ whose ip-address is 166.62.28.120.

2017-01-30 16:07:33 System0.Notice 10.10.10.254 Jan 30 16:07:33+05:1800 10.10.10.254 Action=”accept” UUid=”{0x588f176d,0x3,0xfe0a0a0a,0xc0000000}” inzone=”Internal” outzone=”External” rule=”3″ rule_uid=”{E6149B4A-DF60-4500-A097-5557F547A675}” rule_name=”Internet Access” service_id=”http” src=”10.10.10.5″ dst=”166.62.28.120″ pro to=”6″ xlatesrc=”10.10.18.254″ NAT_rulenum=”4″ NAT_addtnl_rulenum=”1″ product=”VPN-1 & FireWall-1″ service=”80″ s_port=”1445″ xlatesport=”10381″ product_family=”Network”

URL Filtering Software Blade Log:

1. Accessed the website https://qostechnology.in/

2017-01-30 16:07:36 System0.Notice 10.10.10.254 Jan 30 16:07:34+05:1800 10.10.10.254 Action=”allow” UUid=”{0x588f176e,0x0,0xfe0a0a0a,0xc0000000}” src=”10.10.10.5″ dst=”166.62.28.120″ pro to=”6″ appi_name=”******” app_desc=”******” app_id=”******” app_category=”******” matched_category=”******” app_properties=”******” app_risk=”******” app_rule_id=”******” app_rule_name=”******” web_client_type=”Firefox” web_server_type=”Apache” resource=”https://qostechnology.in/” proxy_src_ip=”10.10.10.5″ product=”URL Filtering” service=”80″ s_port=”1445″ product_family=”Network”

Application Control Software Blade Log:

1. Tried to block Winscp Application and the logs are shown below:

2017-01-30 17:37:18 System0.Notice 10.10.10.254 Jan 30 17:37:18+05:1800 10.10.10.254 Action=”block” UUid=”{0x588f2c76,0x3,0xfe0a0a0a,0xc0000000}” src=”10.10.10.5″ dst=”194.29.38.122″ pro to=”6″ appi_name=”******” app_desc=”******” app_id=”******” app_category=”******” matched_category=”******” app_properties=”******” app_risk=”******” app_rule_id=”******” app_rule_name=”******” app_sig_id=”60343744:1″ proxy_src_ip=”10.10.10.5″ product=”Application Control” service=”22″ s_port=”1846″ product_family=”Network”

IPS Software Blade Log:

1. Performed a port scan on my firewall.

01-30-2017 16:25:24 System0.Notice 10.10.10.254 Jan 30 16:25:22+05:1800 10.10.10.254 Action=”reject” UUid=”{0x0,0x0,0x0,0x0}” Protection Name=”Non-MD5 Authenticated BGP Connections” Severity=”3″ Confidence Level=”3″ protection_id=”bgp_pro tos” SmartDefense Profile=”Recommended_Protection” Performance Impact=”3″ Industry Reference=”CAN-2004-0589, CAN-2004-0230″ Protection Type=”protection” Attack Info=”Non-MD5 Authenticated BGP Pro tocol Detected on Connection” attack=”BGP Enforcement Violation” rule=”1″ rule_uid=”{547FE81C-AC6A-47A3-981F-9DCBB2606E80}” rule_name=”Mgmt Access” Total logs=”12″ Suppressed logs=”11″ pro to=”6″ dst=”10.10.10.254″ src=”10.10.10.1″ product=”SmartDefense” service=”179″ FollowUp=”Not Followed” product_family=”Network”

Anti-Virus Software Blade Log:

1. Tested Downloading a malicious file with the below URL:

http://www.wicar.org/test-malware.html

01-30-2017 16:32:59 System0.Notice 10.10.10.254 Jan 30 16:32:59+05:1800 10.10.10.254 Action=”moni tor” UUid=”{0x588f1d63,0x4,0xfe0a0a0a,0xc0000000}” src=”10.10.10.5″ dst=”62.0.58.94″ pro to=”6″ session_id=”{0x588f1d63,0x4,0xfe0a0a0a,0xc0000000}” Protection name=”REP.ianwwg” description=”Connections to IP associated by DNS trap with malicious domain. See sk74060 for more information.” Source OS=”Windows” Confidence Level=”1″ severity=”2″ malware_action=”Access to site known to contain malware” Protection Type=”DNS Trap” malware_rule_id=”{1E90B500-246E-1F43-82F4-4E99FAD647B6}” Destination DNS Hostname=”malware.wicar.org” protection_id=”000AC512A” vendor_list=”Check Point ThreatCloud” log_id=”2″ scope=”10.10.10.5″ product=”New Anti Virus” service=”80″ s_port=”1687″

Anti-Bot Software Blade Log:

1. Tested the Bot link given by checkpoint article sk110481 .

http://sc1.checkpoint.com/za/images/threatwiki/pages/TestAntiBotBlade.html

2017-01-30 16:00:28 System0.Notice 10.10.10.254 Jan 30 16:00:26+05:1800 10.10.10.254 Action=”redirect” UUid=”{0x588f1348,0x3,0xfe0a0a0a,0xc0000000}” web_client_type=”Firefox” resource=”http://sc1.checkpoint.com/za/images/threatwiki/pages/TestAntiBotBlade.html” src=”10.10.10.5″ dst=”184.31.212.234″ pro to=”6″ session_id=”{0x588f1348,0x3,0xfe0a0a0a,0xc0000000}” Protection name=”Check Point – Testing Bot” malware_family=”Check Point” Source OS=”Windows” Confidence Level=”5″ severity=”2″ malware_action=”Communication with C&C site” rule_uid=”{E6149B4A-DF60-4500-A097-5557F547A675}” rule_name=”Internet Access” Protection Type=”URL reputation” malware_rule_id=”{1E90B500-246E-1F43-82F4-4E99FAD647B6}” protection_id=”00233CFEE” log_id=”2″ proxy_src_ip=”10.10.10.5″ scope=”10.10.10.5″ product=”Anti Malware” service=”80″ s_port=”1414″

Scenario 2: Forwarding Traffic Logs s tored on the R77.30 Management Server to Syslog Server

1. Add the below lines in the /etc/rc.d/init.d/cpboot file.

fw log -f -t -n -l 2> /dev/null | awk ‘NF’ | sed ‘/^$/d’ | logger -p local4.info -t CP_FireWall &

2. After this we are able to see the firewall logs in the /var/log/message direc tory.

Note: We can able to see the /var/log/message logs along with the Firewall logs as well.

3. Now, send these messages to remote syslog server. Open ssh connection to Management server in normal user mode and enter the following command.

> add syslog log-remote-address <IP-address_of_Syslog_Server> level info

4. Able to see the Logs on the Syslog server from the Management Server (10.10.10.10).

a) Traffic logs on the Syslog server.

b) /var/log/messages of the Management Server on Syslog Server.

Firewall Software Blade Log:

1. Accessed the website https://qostechnology.in/ whose ip-address is 166.62.28.120.

01-30-2017 19:41:43 Local4.Info 10.10.10.10 CP_FireWall: 30Jan2017 19:41:35 accept 10.10.10.254 >eth0 inzone:Internal; outzone:External;rule:3;rule_uid:{E6149B4A-DF60-4500-A097-5557F547A675};rule_name:Internet Access; service_id:http; src:10.10.10.5;dst:166.62.28.120; pro to:tcp; xlatesrc:10.10.18.254;NAT_rulenum:4;NAT_addtnl_rulenum:1;product:VPN-1 & FireWall-1;service:http;s_port:2158;xlatesport:11003;product_family:Network

URL Filtering Software Blade Log:

1. Accessed the website https://qostechnology.in/

01-30-2017 19:41:43 Local4.Info 10.10.10.10 CP_FireWall: 30Jan2017 19:41:36 allow 10.10.10.254 <eth1 src:10.10.10.5;dst:166.62.28.120;pro to:tcp; appi_name:qostechnology.in; app_id:1109311486;matched_category:Business / Economy;app_properties:Business / Economy,URL Filtering;app_risk:0; app_rule_id:{62C84CA0-0C82-4C07-B9BF-CD8F1CD67E17}; web_client_type:Firefox; web_server_type:Apache; resource:https://www.qostechnology.in/; proxy_src_ip:10.10.10.5; product:URL Filtering;service:http; s_port:2158;product_family:Network

Application Control Software Blade Log:

1. Tried to block Winscp Application and the logs are shown below:

01-30-2017 19:47:36 Local4.Info 10.10.10.10 CP_FireWall: 30Jan2017 19:46:29 block 10.10.10.254 <eth0 src:10.10.10.5;dst:194.29.38.122; pro to:tcp;appi_name:WinSCP; app_desc:WinSCP (Windows Secure CoPy) is a free and open source SFTP, SCP, and FTP client for Microsoft Windows. WinSCP’s main function is secure file transfer between a local and a remote computer. Supported from: R75.;app_id:60343744;app_category:Network Utilities;matched_category:Network Utilities;app_properties:Supports File Transfer, Encrypts communications, Medium Risk, Network Utilities;app_risk:3;app_rule_id:{4564C8D7-0A9C-4DA0-A353-B1D3428C95E4};app_rule_name:Block VLC; app_sig_id:60343744:1; proxy_src_ip:10.10.10.5;product:Application Control; service:ssh; s_port:2204; product_family:Network

IPS Software Blade Log:

1. Performed a port scan on my firewall.

01-30-2017 19:54:50 Local4.Info 10.10.10.10 CP_FireWall: 30Jan2017 19:54:11 reject 10.10.10.254 > Protection Name:Non-MD5 Authenticated BGP Connections;Severity:3; Confidence Level:3; protection_id:bgp_pro tos; SmartDefense Profile:Recommended_Protection; Performance Impact:3; Industry Reference:CAN-2004-0589, CAN-2004-0230;Protection Type:protection;Attack Info:Non-MD5 Authenticated BGP Pro tocol Detected on Connection;attack:BGP Enforcement Violation;rule:1;rule_uid:{547FE81C-AC6A-47A3-981F-9DCBB2606E80};rule_name:Mgmt Access;Total logs:12; Suppressed logs:11;pro to:tcp;dst:10.10.10.254; src:10.10.10.1;product:SmartDefense;service:BGP;FollowUp:Not Followed;product_family:Network

Anti-Virus Software Blade Log:

1. Tested Downloading a malicious file with the below url:

http://www.wicar.org/test-malware.html

01-30-2017 19:57:48 Local4.Info 10.10.10.10 CP_FireWall: 30Jan2017 19:57:41 moni tor 10.10.10.254>eth0 src:10.10.10.5; dst:62.0.58.94; pro to:tcp;session_id:{0x588f4058,0x3,0xfe0a0a0a,0xc0000000}; Protection name:REP.ianwwg; description:Connections to IP associated by DNS trap with malicious domain. See sk74060 for more information.;Source OS:Windows;Confidence Level:1;severity:2;malware_action:Access to site known to contain malware;Protection Type:DNS Trap;malware_rule_id:{1E90B500-246E-1F43-82F4-4E99FAD647B6};Destination DNS Hostname:malware.wicar.org; protection_id:000AC512A; vendor_list:Check Point ThreatCloud;log_id:2;scope:10.10.10.5; product:New Anti Virus;service:http;s_port:2211

Anti-Bot Software Blade Log:

1. Tested the Bot link given by checkpoint article sk110481 .

http://sc1.checkpoint.com/za/images/threatwiki/pages/TestAntiBotBlade.html

2017-01-30 20:03:35 Local4.Info 10.10.10.10 CP_FireWall: 30Jan2017 20:02:05 block 10.10.10.254<eth0;web_client_type:Firefox;resource:http://sc1.checkpoint.com/za/images
/threatwiki/pages/TestAntiBotBlade.html;src:10.10.10.5;dst:184.31.212.234;pro to:tcp;session_id:{0x588f4e65,0x2,0xfe0a0a0a,0xc0000000};Protection name:Check Point – Testing Bot;malware_family:Check Point;Source OS:Windows;Confidence Level:5;severity:2;malware_action:Communication with C&C site;rule_uid:{E6149B4A-DF60-4500-A097-5557F547A675};rule_name:Internet Access;Protection Type:URLreputation;malware_rule_id:{1E90B500-246E-1F43-82F4-4E99FAD647B6}; protection_id:00233CFEE;log_id:9999;proxy_src_ip:10.10.10.5;scope:10.10.10.5;Suppressed logs:1;sent_bytes:0;received_bytes:0;packet_capture_unique_id:10.10.10.5_maildir_sent_new_
time1485786726.mail-1565954732-392261992.localhost; packet_capture_time:1485786726; packet_capture_name:src-10.10.10.5.eml;UserCheck_incident_uid:7105BAFB-08F2-DF01-F36B-2F232920DC61;UserCheck:1;dlp_incident_uid:{588F4E65-0000-0002-FE0A-0A0AC0000000};portal_m…

2017-01-30 20:03:47 Local4.Info 10.10.10.10 CP_FireWall: r is trying to access a malicious server. It is probably infected by malware. For more information and remediation, please contact your help desk. Click here to report an incorrect classification. Activity: Communication with C&C site URL: http://sc1.checkpoint.com/za/images/threatwiki/pages/TestAntiBotBlade.html Reference: 2920DC61 ;UserCheck_Confirmation_Level:Application;frequency:1 days ;product:Anti Malware;service:http;s_port:2226

Scenario 3: Syslog forwarded through R80 Management Server

1. Add the below lines in the /etc/rc.d/init.d/cpboot file.

fw log -f -t -n -l 2> /dev/null | awk ‘NF’ | sed ‘/^$/d’ | logger -p local4.info -t CP_FireWall &

2. After this we are able to see the firewall logs in the /var/log/message direc tory.

Note: We can able to see the /var/log/message logs along with the Firewall logs as well.

3. Now, send these messages to remote syslog server. Open ssh connection to Management server in normal user mode and enter the following command.

> add syslog log-remote-address <IP-address_of_Syslog_Server> level info

4. Able to see the Logs on the Syslog server from the Management Server (192.168.10.253).

Firewall Software Blade Log:

1. Accessed the website http://acme.com/ whose ip-address is 216.27.178.28.

01-30-2017 21:27:14 Local4.Info 192.168.10.253 CP_FireWall: 30Jan2017 21:17:09 1 accept 192.168.1.3 >Lan3 LogId: <max_null>; ContextNum: <max_null>; OriginSicName: <max_null>; inzone: Internal; outzone: External; rule: 17; rule_uid: {C73E055B-3678-4257-AADF-434FAD7006A5}; rule_name: Complete Allow For Int Net; service_id: http; src: 192.168.12.153; dst: 216.27.178.28; pro to: tcp; xlatesrc: 192.168.1.3; NAT_rulenum: 21; NAT_addtnl_rulenum: 1; ProductName: VPN-1 & FireWall-1; svc: http; sport_svc: 34891; xlatesport_svc: 26752; ProductFamily: Network;

URL Filtering Software Blade Log:

1. Accessed the website http://ndtv.com/

01-30-2017 21:39:36 Local4.Info 192.168.10.253 CP_FireWall: 30Jan2017 21:29:31 1 allow 192.168.1.3 <Mgmt LogId: <max_null>; ContextNum: <max_null>; OriginSicName: <max_null>; src: 192.168.12.153; dst: 52.2.229.194; pro to: tcp; appi_name: ndtv.com; app_id: 2894003724; matched_category: News / Media; app_properties: News / Media,URL Filtering; app_risk: 0; app_rule_id: {F741EBE9-D97B-4DF6-B3A3-55CC29C49CEE}; web_client_type: Chrome; web_server_type: Other: nginx/1.8.0; resource: http://ndtv.com/; proxy_src_ip: 192.168.12.153; ProductName: URL Filtering; svc: http; sport_svc: 36098; ProductFamily: Network;

Application Control Software Blade Log:

1. Tried to block Winscp Application and the logs are shown below.

01-30-2017 21:53:50 Local4.Info 192.168.10.253 CP_FireWall: 30Jan2017 21:43:46 1 block 192.168.1.3 <Lan3 LogId: <max_null>; ContextNum: <max_null>; OriginSicName: <max_null>; src: 192.168.12.153; dst: 194.29.38.122; pro to: tcp; appi_name: WinSCP; app_desc: WinSCP (Windows Secure CoPy) is a free and open source SFTP, SCP, and FTP client for Microsoft Windows. WinSCP’s main function is secure file transfer between a local and a remote computer. Supported from: R75.; app_id: 60343744; app_category: Network Utilities; matched_category: Network Utilities; app_properties: Supports File Transfer, Encrypts communications, Medium Risk, Network Utilities; app_risk: 3; app_rule_id: {D46D297F-B53A-475E-98DA-B34F7265CE3C}; app_rule_name: Raghu Testing Winscp Block; app_sig_id: 60343744:1; proxy_src_ip: 192.168.12.153; ProductName: Application Control; svc: ssh_version_2; sport_svc: 36909; ProductFamily: Network;

IPS Software Blade Log:

1. performed a port scan on our QOS firewall.

2017-01-30 22:34:19 Local4.Info 192.168.10.253 CP_FireWall: 30Jan2017 22:24:13 1 reject 192.168.1.3 > LogId: <max_null>; ContextNum: <max_null>; OriginSicName: <max_null>; Protection Name: Non-MD5 Authenticated BGP Connections; Severity: 0; Confidence Level: 3; protection_id: bgp_pro tos; SmartDefense Profile: Default_Protection_2df2f915b4001bd5; Performance Impact: 3; Industry Reference: CAN-2004-0589, CAN-2004-0230; Protection Type: protection; Attack Info: Non-MD5 Authenticated BGP Pro tocol Detected on Connection; attack: BGP Enforcement Violation; rule: 14; rule_uid: {C3A95356-AFCF-4897-8337-A2448109B4E5}; rule_name: Between all QOS LANs; Total logs: 12; Suppressed logs: 11; pro to: tcp; dst: 192.168.12.1; src: 192.168.12.153; ProductName: SmartDefense; svc: BGP; ProductFamily: Network;

Anti-Virus Software Blade Log:

1. Tested Downloading a malicious file with the below url:

2017-01-30 22:23:09 Local4.Info 192.168.10.253 CP_FireWall: 30Jan2017 22:12:51 1 prevent 192.168.1.3 >Lan3 LogId: <max_null>; ContextNum: <max_null>; OriginSicName: <max_null>; src: 192.168.12.153; dst: 62.0.58.94; pro to: tcp; session_id: {0x588f6d0b,0x10000,0x301a8c0,0xc0000001}; Protection name: REP.ianwwg; description: Connection to DNS trap bogus IP. See sk74060 for more information.; Source OS: Windows; Confidence Level: 1; severity: 1; malware_action: Access to site known to contain malware; Protection Type: DNS Trap; malware_rule_id: {ABA61341-AC30-3149-AF91-E5AC2B6B8E80}; Destination DNS Hostname: malware.wicar.org; protection_id: 000AC512A; vendor_list: Check Point ThreatCloud; log_id: 2; scope: 192.168.12.153; ProductName: New Anti Virus; svc: http; sport_svc: 44001; ProductFamily: Network;

Anti-Bot Software Blade Log:

1. Tested the Bot link given by checkpoint article sk110481 .

http://sc1.checkpoint.com/za/images/threatwiki/pages/TestAntiBotBlade.html

2017-01-30 22:19:02 Local4.Info 192.168.10.253 CP_FireWall: 30Jan2017 22:08:57 1 block 192.168.1.3 <Lan3 LogId: <max_null>; ContextNum: <max_null>; OriginSicName: <max_null>; web_client_type:Chrome;resource:http://sc1.checkpoint.com/za/images/threatwiki/pages/TestAntiBotBlade.html ; src: 192.168.12.153; dst: 23.211.213.229; pro to: tcp; session_id: {0x588f6c21,0x10007,0x301a8c0,0xc0000002}; Protection name: Check Point – Testing Bot; malware_family: Check Point; Source OS: Windows; Confidence Level: 5; severity: 2; malware_action: Communication with C&C site; rule_uid: {C73E055B-3678-4257-AADF-434FAD7006A5}; rule_name: Complete Allow For Int Net; Protection Type: URL reputation; malware_rule_id: {ABA61341-AC30-3149-AF91-E5AC2B6B8E80}; protection_id: 00233CFEE; log_id: 9999; proxy_src_ip: 192.168.12.153; scope: 192.168.12.153; Suppressed logs: 1; sent_bytes: 0; received_bytes: 0; packet_capture_unique_id: 192.168.12.153_maildir_sent_new_time1485794338.mail-989086109-484857403.localhost; packet_capture_time: 1485794338; packet_capture_name: s…

2017-01-30 22:19:02 Local4.Info 192.168.10.253 CP_FireWall: l; UserCheck_incident_uid: 9E71CD67-C8C2-DB14-D926-6F97BC2003CE; UserCheck: 1; dlp_incident_uid: {588F6C21-0001-0007-0301-A8C0C0000002}; portal_message: Your computer is trying to access a malicious server. It is probably infected by malware. For more information and remediation, please contact your help desk. Click here to report an incorrect classification. Activity: Communication with C&C site URL: http://sc1.checkpoint.com/za/images/threatwiki/pages/TestAntiBotBlade.html Reference: BC2003CE ; UserCheck_Confirmation_Level: Application; frequency: 1 days ; LastUpdateTime: 30Jan2017 22:08:59; ProductName: Anti Malware; svc: http; sport_svc: 43860; ProductFamily: Network;