
[Checkpoint]: Processing and mapping of Checkpoint Firewall session logs #11894

Open
srilumpa opened this issue Nov 27, 2024 · 1 comment · May be fixed by #12167
Labels
Integration:checkpoint Check Point needs:triage Team:Security-Deployment and Devices Deployment and Devices Security team [elastic/sec-deployment-and-devices]

Comments

@srilumpa
Contributor

Integration Name

Check Point [checkpoint]

Dataset Name

checkpoint.firewall

Integration Version

1.34.2

Agent Version

N/A

Agent Output Type

elasticsearch

Elasticsearch Version

8.15.4

OS Version and Architecture

Debian

Software/API Version

No response

Error Message

No error per se, but enhancements to be made on additional fields.

Event Original

<134>1 2024-11-27T11:36:45Z MY-CONSOLE CheckPoint 9482 - [action:"Accept"; flags:"16384"; ifdir:"inbound"; ifname:"eth4"; logid:"352"; loguid:"{0x00112233,0x44556677,0x889900aa,0xbbccddee}"; origin:"1.2.3.4"; originsicname:"CN=MY-FW,O=MY-CLUSTER"; sequencenum:"5"; time:"1732707405"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={9EEC9326-58F9-48C5-8A7A-564C4BB33B34};mgmt=MY-CLUSTER;date=1732294260;policy_name=POLICY]"; aggregated_log_count:"5"; connection_count:"5"; creation_time:"1732696605"; dst:"4.3.2.1"; duration:"10800"; hll_key:"3099159939289077744"; https_inspection_action:"Bypass"; inzone:"Internal"; last_hit_time:"1732704732"; layer_name:"POLICY Layer"; layer_uuid:"346ca329-396a-44b6-b7d6-a65b1f363fe6"; match_id:"37"; parent_rule:"0"; rule_action:"Accept"; rule_name:"Rule name"; rule_uid:"168b0622-335f-4ad3-8c56-0d9d2226399c"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"6"; service:"443"; service_id:"https"; src:"192.168.0.10"; update_count:"6"]

What did you do?

The Check Point integration is installed as-is; no agents were configured, as I am using direct API POSTs to ingest data into my Elasticsearch cluster. The raw event isn't touched in any way.

We configured our Check Point firewalls to send session logs instead of connection logs to optimize bandwidth and storage usage for our logs. Consequently, some fields were added to the raw logs, and their processing by Elasticsearch needs enhancement.

What did you see?

The following checkpoint specific fields were created:

{
  "checkpoint": {
    "creation_time": "1732696605",
    "last_hit_time": "1732704732",
    "duration": "10800",
    "aggregated_log_count": "5",
    "https_inspection_action": "Bypass",
    "rule_action": "Accept",
    "origin_sic_name": "CN=MY-FW,O=MY-CLUSTER",
    "match_id": "37",
    "update_count": "6",
    "parent_rule": "0",
    "connection_count": "5",
    "logid": "352"
  },
  "...": "..."
}

As for the mappings:

  • checkpoint.creation_time is mapped as a keyword
  • checkpoint.last_hit_time is mapped as a number
  • checkpoint.duration is mapped as a keyword
  • checkpoint.aggregated_log_count is mapped as a keyword
  • checkpoint.update_count is mapped as a keyword
  • checkpoint.connection_count is mapped as a keyword

What did you expect to see?

{
  "checkpoint": {
    "aggregated_log_count": "5",
    "https_inspection_action": "Bypass",
    "rule_action": "Accept",
    "origin_sic_name": "CN=MY-FW,O=MY-CLUSTER",
    "match_id": "37",
    "update_count": "6",
    "parent_rule": "0",
    "connection_count": "5",
    "logid": "352"
  },
  "event": {
    "start": "2024-11-27T08:36:45.000Z",
    "end": "2024-11-27T10:52:12.000Z",
    "duration": 10800000000000,
    "...": "..."
  },
  "...": "..."
}

  • checkpoint.creation_time should be parsed as a date and stored into event.start
  • checkpoint.last_hit_time should be parsed as a date and stored into event.end
  • checkpoint.duration should be converted from seconds to nanoseconds (as per the event.duration documentation) and stored into event.duration
  • checkpoint.aggregated_log_count is mapped as a number
  • checkpoint.update_count is mapped as a number
  • checkpoint.connection_count is mapped as a number

Anything else?

This is not an error in itself leading to an event being identified as a pipeline_error document, but more an enhancement in the Check Point log normalization process to map more closely to the ECS.
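The mapping requested above, written out as a small Python reference model (an added example for this issue, not the integration's ingest pipeline or code from PR #12167): it parses the `key:"value";` pairs from the structured-data bracket of the syslog line, turns the epoch-seconds fields into ECS `event.start`/`event.end`, converts `duration` from seconds to nanoseconds for `event.duration`, and casts the three counters to integers. The sample line is a shortened, constructed copy of the event original quoted in the issue.

```python
import re
from datetime import datetime, timezone

# Constructed sample based on the issue's event original, trimmed to the
# fields this example touches plus a few context fields.
SAMPLE = ('<134>1 2024-11-27T11:36:45Z MY-CONSOLE CheckPoint 9482 - [action:"Accept"; '
          'creation_time:"1732696605"; last_hit_time:"1732704732"; duration:"10800"; '
          'aggregated_log_count:"5"; connection_count:"5"; update_count:"6"; '
          '__policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={X};policy_name=POLICY]"; '
          'src:"192.168.0.10"; dst:"4.3.2.1"; service:"443"]')

# One key:"value" pair; values may contain [ ] { } = but never an unescaped quote.
PAIR_RE = re.compile(r'(\w+):"((?:[^"\\]|\\.)*)"')
EPOCH_FIELDS = {"creation_time": "start", "last_hit_time": "end"}
COUNT_FIELDS = ("aggregated_log_count", "connection_count", "update_count")


def parse_checkpoint(line: str) -> dict:
    """Return the key/value pairs inside the outermost [...] block as strings."""
    start, end = line.find("["), line.rfind("]")
    if start < 0 or end < start:
        raise ValueError("no structured-data block in line")
    return dict(PAIR_RE.findall(line[start + 1:end]))


def epoch_to_iso(value: str) -> str:
    """Epoch seconds (string) -> ISO 8601 UTC with millisecond precision, as ECS stores it."""
    dt = datetime.fromtimestamp(int(value), tz=timezone.utc)
    return dt.strftime("%Y-%m-%dT%H:%M:%S.") + f"{dt.microsecond // 1000:03d}Z"


def to_ecs(fields: dict) -> dict:
    """Apply the issue's requested mapping; epoch/duration fields move under event.*,
    counters stay under checkpoint.* but become integers. A non-numeric value raises
    ValueError, which is where an ingest pipeline would produce a pipeline_error doc."""
    checkpoint = dict(fields)
    event = {}
    for src, dst in EPOCH_FIELDS.items():
        if src in checkpoint:
            event[dst] = epoch_to_iso(checkpoint.pop(src))
    if "duration" in checkpoint:
        # event.duration is documented in nanoseconds; Check Point sends seconds.
        event["duration"] = int(checkpoint.pop("duration")) * 1_000_000_000
    for name in COUNT_FIELDS:
        if name in checkpoint:
            checkpoint[name] = int(checkpoint[name])
    return {"checkpoint": checkpoint, "event": event}


if __name__ == "__main__":
    print(to_ecs(parse_checkpoint(SAMPLE)))
```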

@andrewkroh andrewkroh added Integration:checkpoint Check Point Team:Security-Deployment and Devices Deployment and Devices Security team [elastic/sec-deployment-and-devices] labels Nov 27, 2024
@elasticmachine

Pinging @elastic/sec-deployment-and-devices (Team:Security-Deployment and Devices)

srilumpa added a commit to srilumpa/integrations that referenced this issue Dec 19, 2024
srilumpa added a commit to srilumpa/integrations that referenced this issue Dec 19, 2024
impacted fields:

- checkpoint.last_hit_time
- checkpoint.creation_time
- checkpoint.duration
srilumpa added a commit to srilumpa/integrations that referenced this issue Dec 19, 2024
srilumpa added a commit to srilumpa/integrations that referenced this issue Dec 19, 2024
srilumpa added a commit to srilumpa/integrations that referenced this issue Dec 19, 2024
@srilumpa srilumpa linked a pull request Dec 19, 2024 that will close this issue
5 tasks
srilumpa added a commit to srilumpa/integrations that referenced this issue Dec 19, 2024
srilumpa added a commit to srilumpa/integrations that referenced this issue Dec 19, 2024
…possible dynamic mapping changes

- `checkpoint.aggregated_log_count`: keyword (dynamic) to integer
- `checkpoint.connection_count`: keyword (dynamic) to integer
- `checkpoint.update_count`: keyword (dynamic) to integer