CHECK POINT ENFORCEMENT MODULE

Instructions for forwarding Check Point Enforcement Module logs to your Log Management device

PREREQUISITES

Check Point Security Management Server running Gaia OS
  • The IP Address for the Check Point Security Management Server
  • Credentials to access the Check Point Security Management Server
  • Secure Shell (SSH) access configured on the Check Point Security Management Server
Clone Systems Log Management Device
  • The IP Address for the Clone Systems Log Management device

INSTRUCTIONS

1. Open a command prompt and SSH into the Check Point appliance using a tool like PuTTY.

2. Log into CLISH by entering the Login name and Password and then pressing Enter.

  • Login name: login name
  • Password: login password

3. After logging in to CLISH you need to access the bash shell in expert mode. Execute the expert command and enter the password to get to the bash shell.

  • [HostName]# expert
  • Password: expert password

4. Back up the cpboot script.

  • [Expert@HostName]# cp /etc/rc.d/init.d/cpboot /etc/rc.d/init.d/cpboot_ORIGINAL

5. Edit the current cpboot script using the vi editor.

  • [Expert@HostName]# vi /etc/rc.d/init.d/cpboot

6. Add the following line at the very bottom of the cpboot script.

  • fw log -f -t -n -l 2> /dev/null | awk 'NF' | sed '/^$/d' | logger -p local4.info -t CP_FireWall &

7. Save the changes and exit from the vi editor.

  • Type :wq and press Enter

8. Reboot the Security Management Server.

  • [Expert@HostName]# reboot

Press Enter.

9. If the Check Point Security Management Server logs do not appear on the Clone Systems Log Management device, repeat the steps above, this time adding the following line at the very bottom of the cpboot script instead of the line noted in Step 6 above.

  • while read line ; do if [ "`echo -- $line`" != "--" ] ; then logger -p local4.err -t CP_FireWall $line ; fi ; done < <(fw log -f -t -n -l 2>/dev/null) &
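
Steps 4 through 7 can also be applied as a script, so that a re-run neither overwrites the backup nor appends the forwarder line twice, and the edited file is parse-checked before the reboot in step 8. This is an added example, not Check Point or Clone Systems code; the names install_forwarder, count_forwarders and FWD_LINE are assumptions, and the forwarder line is the one from step 6.

```shell
#!/bin/sh
# Added example (not vendor code): idempotent form of steps 4-7.
# FWD_LINE is the step 6 line; \$ keeps the sed pattern '/^$/d' literal.
FWD_LINE="fw log -f -t -n -l 2> /dev/null | awk 'NF' | sed '/^\$/d' | logger -p local4.info -t CP_FireWall &"

# install_forwarder <path-to-cpboot>
# Returns 0 on success, 1 if the file is missing or unwritable,
# 2 if the edited file fails a syntax check (the backup is restored).
install_forwarder() {
    script=$1
    backup="${script}_ORIGINAL"

    [ -f "$script" ] || { echo "missing: $script" >&2; return 1; }

    # Step 4: keep the first pristine copy; never overwrite it on a re-run.
    [ -f "$backup" ] || cp -p "$script" "$backup" || return 1

    # Step 6: append only when the exact line is absent
    # (-F literal match, -x whole line, -q quiet).
    if grep -Fxq -- "$FWD_LINE" "$script"; then
        echo "forwarder line already present in $script"
    else
        printf '\n%s\n' "$FWD_LINE" >> "$script" || return 1
    fi

    # Before step 8: a boot script that does not parse should not be
    # rebooted into. sh -n reads the file without executing it.
    if ! sh -n "$script" 2>/dev/null; then
        echo "syntax check failed, restoring $backup" >&2
        cp -p "$backup" "$script"
        return 2
    fi
    return 0
}

# Number of exact forwarder lines in the file (0 when none).
count_forwarders() {
    grep -Fxc -- "$FWD_LINE" "$1" || true
}

# Stand-alone use: sh this_script.sh /etc/rc.d/init.d/cpboot
if [ "$#" -gt 0 ]; then
    install_forwarder "$1"
fi
```

After the reboot, forwarded entries carry the CP_FireWall tag at facility local4, which is what to filter on at the Log Management device.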