[SPAM] RE: [logs] Checkpoint Firewall rulebase - logs

Pauls, Nicole npauls at trigeo.com
Tue Aug 7 11:12:07 PDT 2007


On 8/6/07, James <jimbob.coffey at gmail.com> wrote:

> LEA looks like the way to go and when I get around to it I will put an
> RFI into Checkpoint to add a switch to fw log to disable service name
> resolution so that the logs will actually be useful (in a multi vendor
> or SIM SEM environment).
>
> Unless someone already knows a way ...

LEA does provide the most flexibility in this regard. You can disable all hostname and service resolution.

You may want to check out fw1-loggrabber as a free LEA integration:

http://sourceforge.net/projects/fw1-loggrabber

Not much movement since 2005, but it appears from the forum that people are still actively using it. There have been OPSEC (and firewall) revisions since 2005, but the core protocol is still the same. You may run into some stability issues, and problems with things like logswitches (which were improved in later OPSEC API revisions).

Caveat: last time I tried to use fw1-loggrabber it was difficult to get working, but in a particularly OPSEC sort of way that you should be able to work out. If anything, it may provide a working basis to get your own LEA integration working, as it's not necessarily the best API to work with. The CheckPoint examples provided with the OPSEC API download do work as examples as well, but aren't very robust (and haven't changed in years).

I have also experimented with the fw log (or fw logexport) to 'logger' method, and on a high traffic system, it had significant negative CPU impact on the management station, in turn causing the log data to get exceedingly delayed in transmission (I presume eventually data could get dropped, though I never waited that long).

--
nicole pauls, cissp-issap,issmp
director, product management
www.trigeo.com
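One way to handle the multi-vendor problem James raises (service names that fw log has already resolved, which a SIM/SEM cannot correlate with other vendors' port numbers) is to map the names back to ports before forwarding. This is an added example, not code from the thread, from fw1-loggrabber or from Check Point; the record layout, the sample lines and the name-to-port table are constructed assumptions.

```python
import re
from typing import Dict, List

# Constructed sample records (not a real capture) in the "key: value;" style
# that fw log / fw logexport print once service names have been resolved.
SAMPLE_LINES = [
    "12:01:07 accept fwmgr >eth1 rule: 4; src: 10.1.1.5; dst: 192.0.2.10; proto: tcp; service: http; s_port: 51001;",
    "12:01:09 drop fwmgr >eth1 rule: 12; src: 10.1.1.9; dst: 192.0.2.11; proto: udp; service: domain-udp; s_port: 53012;",
    "12:01:11 accept fwmgr >eth1 rule: 4; src: 10.1.1.5; dst: 192.0.2.10; proto: tcp; service: 8443; s_port: 51002;",
    "12:01:13 accept fwmgr >eth1 rule: 7; src: 10.1.1.7; dst: 192.0.2.12; proto: tcp; service: my-custom-svc; s_port: 51003;",
]

# Hypothetical subset of the name->port table the firewall used when it
# resolved the service; in practice build this from the rulebase's service objects.
SERVICE_PORTS = {("tcp", "http"): 80, ("tcp", "https"): 443,
                 ("tcp", "ssh"): 22, ("udp", "domain-udp"): 53}

FIELD_RE = re.compile(r"(\w+): ([^;]*);")

def parse_record(line: str) -> Dict[str, str]:
    """Split one record into its positional header plus the key/value fields."""
    m = FIELD_RE.search(line)
    head = (line[: m.start()] if m else line).split()
    rec = dict(zip(("time", "action", "origin", "interface"), head))
    rec.update(FIELD_RE.findall(line))
    return rec

def normalize_service(rec: Dict[str, str]) -> Dict[str, object]:
    """Replace a resolved service name with its numeric port where the mapping
    is known; unknown names are kept and flagged for review, never guessed."""
    out: Dict[str, object] = dict(rec)
    svc = rec.get("service")
    if svc is None:
        return out
    if svc.isdigit():
        out["service"] = int(svc)            # firewall already emitted a port
        return out
    port = SERVICE_PORTS.get((rec.get("proto", ""), svc))
    out["service_name"] = svc
    out["service"] = port                    # None when no mapping exists
    out["unresolved"] = port is None
    return out

def to_kv_line(rec: Dict[str, object]) -> str:
    """Render a flat key=value line suitable for forwarding to syslog or a SIM."""
    return " ".join(f"{k}={v}" for k, v in rec.items() if v is not None)

def normalize_lines(lines: List[str]) -> List[Dict[str, object]]:
    """Parse and normalise a batch of records, e.g. the output of fw logexport."""
    return [normalize_service(parse_record(l)) for l in lines]
```

Records whose name has no table entry are passed through with `unresolved=True` so the gap shows up in the SIM rather than silently turning into a wrong port.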
