How to collect data from Check Point Firewall
This page describes how to add a new data source to interpret syslog events.
Before you can add the data source to CyberQuest, you must forward events to the IP address of the CQ server on port 5140 UDP. More details about how to forward syslog can be found by following the link below: forward syslog.
To add a new data source you will need to follow the steps below:
You must be logged in to the CyberQuest web interface with a user with administrative rights.
Navigate to "Settings > Management > Data Source Manager".
This page contains all the data sources added in the CyberQuest application.
Press the "Add data-source" button and complete the following form:
DataSource Type: Select "Syslog / CheckPoint Firewall Syslog (LogName: CheckPointFirewall)" data source to interpret Check Point Firewall events;
DataSource Information: This field is filled in automatically with data source information;
Tag: This field is filled in automatically, but you can change the information;
Annonymize Fields: You can select certain information to be anonymized. You can select one or more options;
IPList: Enter the IP address of this data source. You can add one or more;
Click the "Save" button to save the data source.
The next step is to assign the CyberQuest agent to this data source. Press the drop-down list and choose the agent.
To edit a data source's information, press the "Edit" button. This process is almost identical to adding a data source.
You can also delete the data source by pressing the "Delete" button. To delete a data source, you must first remove the agent from it.
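
The following is an added example, not part of the original documentation or of CyberQuest: a small Python check that sends one constructed syslog test line to UDP port 5140 and reports which source IP the operating system uses, so you can confirm that address is the one entered in IPList. It assumes events are matched to the data source by sender IP; the function names, hostname, tag and sample addresses are hypothetical. It tests transport and addressing only, not Check Point event parsing.

```python
import ipaddress
import socket
from datetime import datetime

CQ_SYSLOG_PORT = 5140  # UDP port named on this page


def source_ip_for(dest_host, dest_port=CQ_SYSLOG_PORT):
    """Return the local IP the OS would use to reach dest_host.

    connect() on a UDP socket sends no packet; it only selects a route.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.connect((dest_host, dest_port))
        return s.getsockname()[0]


def in_ip_list(source_ip, ip_list):
    """True if source_ip equals an IPList entry (compared as addresses)."""
    src = ipaddress.ip_address(source_ip)
    return any(src == ipaddress.ip_address(e.strip()) for e in ip_list)


def build_test_message(hostname="fw-test", tag="cq-selftest"):
    """Constructed RFC 3164-style line; PRI 134 = facility local0, severity info."""
    now = datetime.now()
    ts = f"{now.strftime('%b')} {now.day:2d} {now.strftime('%H:%M:%S')}"
    return f"<134>{ts} {hostname} {tag}: data source connectivity test".encode()


def send_test_event(dest_host, ip_list, dest_port=CQ_SYSLOG_PORT):
    """Send one test datagram; return (source_ip, listed_in_ip_list).

    UDP gives no delivery confirmation, so a mismatch between the source
    address and IPList is the thing worth catching before sending.
    """
    src = source_ip_for(dest_host, dest_port)
    listed = in_ip_list(src, ip_list)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.sendto(build_test_message(), (dest_host, dest_port))
    return src, listed


if __name__ == "__main__":
    # Constructed values: 127.0.0.1 stands in for the CQ server,
    # 192.0.2.10 is a documentation address standing in for an IPList entry.
    src, listed = send_test_event("127.0.0.1", ["192.0.2.10"])
    print(f"source IP {src}: {'listed' if listed else 'NOT in IPList'}")
```

Run it from a host on the same network path as the firewall; on a multi-homed sender, the reported source IP is the one to compare against IPList.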