Previous

Next

Checkpoint Quantum Firewall - Audit

Checkpoint Quantum Firewall - Application Control

Checkpoint Quantum Firewall - URL Filtering

Checkpoint Quantum Firewall - Identity Awareness

Checkpoint Quantum Firewall - IPS

Checkpoint Quantum Firewall - Firewall

Checkpoint Quantum Firewall - Threat Emulation

Checkpoint Quantum Firewall - Anti Bot

Overview

Check Point Next Generation Firewall is a security gateway that includes application control and IPS protection, with integrated management of security events. Additional features include Identity Awareness, URL Filtering, Anti-Bot, Anti-Virus, and Anti-Spam.

This integration ingests URL Filtering logs, Anti Bot logs, Application Control, Firewall, Identity Awareness, IPS, Threat Emulation, and miscellaneous event types with the integration log pipeline to enrich the logs and normalizes data to Datadog standard attributes. This integration offers dashboard visualizations with detailed insights into allowed or blocked URLs, bot details, insights into accessed application data, events generated by firewall, mapping between computer identities and machine IP address, and more.

Setup

Installation

To install the Checkpoint Quantum Firewall integration, follow the steps below:

Note: This step is not necessary for Agent version >= 7.52.0.

1. Install the 1.0 release (checkpoint_quantum_firewall==1.0.0).

Configuration

Log collection

Checkpoint Quantum Firewall:

1. Collecting logs is disabled by default in the Datadog Agent. Enable it in the datadog.yaml file:

   logs_enabled: true
   

2. Add this configuration block to your checkpoint_quantum_firewall.d/conf.yaml file to start collecting your Checkpoint Quantum Firewall logs.

   See the sample checkpoint_quantum_firewall.d/conf.yaml for available configuration options.

   logs:
     - type: tcp/udp
       port: <PORT>
       service: checkpoint-quantum-firewall
       source: checkpoint-quantum-firewall
   

3. Restart the Agent.

4. Configure Syslog Message Forwarding from Checkpoint Quantum Firewall:

   1. Connect to the command line on the Management Server / Log Server.
   2. Login to the Expert mode. Enter your administrative credentials (after entering credentials, expert mode is enabled).
   3. In order to configure a new target for the exported logs, enter the following commands:

      cp_log_export add name <Name of Log Exporter Configuration> target-server <HostName or IP address of Target Server> target-port <Port on Target Server> protocol {tcp | udp} format json
      

      • In the commands above, specify the following Syslog Server Details:

        • name: The Name of the syslog server. For example: datadog_syslog.
        • target-server: The destination where you want to send the Checkpoint Quantum Firewall logs.
        • target-port: The port on which the syslog server is listening (typically 514).
        • protocol: The protocol name, or which protocol will be used to send logs (TCP/UDP).
        • format: Format must be ‘json’.
   4. In order to save and add the syslog server configuration, use the following command:

      cp_log_export restart name <Name of Log Exporter Configuration>
      

   5. For more information about configuring syslog, see the official Checkpoint documentation.

Validation

Run the Agent’s status subcommand and look for checkpoint_quantum_firewall under the Checks section.

Data Collected

Logs

The Checkpoint Quantum Firewall integration collects Firewall, URL Filtering, IPS, Identity Awareness, Application Control, Threat Emulation, Audit, Anti Ransomware, Anti Spam & Email Security, Anti Exploit, Anti Bot, Anti Virus, HTTPS Inspection, DLP, and Anti Malware logs.

Metrics

The Checkpoint Quantum Firewall integration does not include any metrics.

Events

The Checkpoint Quantum Firewall integration does not include any events.

Service Checks

The Checkpoint Quantum Firewall integration does not include any service checks.

Troubleshooting

Checkpoint Quantum Firewall:

Permission denied while port binding

If you see a Permission denied error while port binding in the Agent logs, see the following instructions:

1. Binding to a port number under 1024 requires elevated permissions. Follow the instructions below to set this up.

   • Grant access to the port using the setcap command:

     sudo setcap CAP_NET_BIND_SERVICE=+ep /opt/datadog-agent/bin/agent/agent
     

   • Verify the setup is correct by running the getcap command:

     sudo getcap /opt/datadog-agent/bin/agent/agent
     

     With the expected output:

     /opt/datadog-agent/bin/agent/agent = cap_net_bind_service+ep
     

     Note: Re-run this setcap command every time you upgrade the Agent.

2. Restart the Agent.

Data is not being collected

Make sure that traffic is bypassed from the configured port if the firewall is enabled.

Port already in use

If you see the Port <PORT-NO> Already in Use error, see the following instructions. The example below is for PORT-NO = 514:

On systems using Syslog, if the Agent listens for Checkpoint Quantum Firewall logs on port 514, the following error can appear in the Agent logs: Can't start UDP forwarder on port 514: listen udp :514: bind: address already in use.

This error occurs because by default, Syslog listens on port 514. To resolve this error, take one of the following steps:

• Disable Syslog
• Configure the Agent to listen on a different, available port

For further assistance, contact Datadog support.