Checkpoint Log Exporter and MCAS

A customer wanted to start using Microsoft Defender for Cloud Apps (previously known as Microsoft Cloud App Security) and for this they had to ensure that the log files are sent to Microsoft. After a lot of reading and a lot of trial-and-error I finally got it working.

We initially assumed that we could send this in the Syslog format, but this didn't work for us.

This step-by-step plan is for the most part about the configuration of the Checkpoint firewall and not about the Microsoft Defender for Cloud Apps part. I don't have access to the customer's Azure environment, so I can't visually support this or explain it in detail. In any case, I will also put links for more detailed information.

Step 1.

First I created a firewall rule so that the log files are actually allowed out.
Syslog is still included, but in principle this is not necessary because the files are sent over HTTPS.

Step 2.

Creating a Log Exporter rule on the Checkpoint Management Server is especially important, because here you indicate in which format you want to send the logs to the Microsoft Log Collector. This link has very extensive information about what you can set; we chose to send everything to the Log Collector. For this we used the following command:

cp_log_export add name FW3-LOG target-server 20.71.xx.xx target-port 443 protocol tcp format cef

With the command cp_log_export show you can check your settings.

This makes the log export active immediately, and the log files are sent over HTTPS to the specified IP address.
I originally had Syslog as the format here, and it did not work well with the Log Collector and MDCA together. After we changed this to the CEF format, changed the settings on the Azure side to CEF as well, and replaced the Docker instance of the Log Collector, we saw all the relevant information come in, such as which cloud apps are used and from which (source) IP addresses. This is the information my customer wants to see, and they are happy.
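As an added example (my own code, not part of the original post and not a Check Point or Microsoft tool): a small parser for CEF records of the kind the Log Exporter produces, so you can check on a captured line that the fields MDCA discovery needs (action, source, destination, app name) survive the export intact. The sample record is constructed, and the cs1Label=Application convention for the app name is an assumption, not a verbatim capture.

```python
import re
# Constructed sample shaped like a Check Point Log Exporter CEF record (illustrative values).
SAMPLE_CEF = (
    "CEF:0|Check Point|VPN-1 & FireWall-1|R81|Log|https|Unknown|"
    "act=Accept src=10.1.20.15 dst=52.96.0.10 dpt=443 proto=tcp "
    "cs1Label=Application cs1=Office365 msg=Matched rule \\= Outbound Web"
)
HEADER_FIELDS = ["version", "device_vendor", "device_product",
                 "device_version", "signature_id", "name", "severity"]
# One header field: escaped chars or non-'|' chars, terminated by '|'.
_HDR_FIELD = re.compile(r"((?:\\.|[^|\\])*)\|")
# An extension key: key chars at start or after whitespace, then an unescaped '='
# (so 'rule \= x' inside a value is not mistaken for a new key).
_EXT_KEY = re.compile(r"(?:^|\s)([A-Za-z0-9_.]+)=")
# CEF escapes '|', '=' and '\' with a backslash; drop the backslash.
_UNESCAPE = re.compile(r"\\(.)")

def split_header(line):
    """Return the 7 unescaped header fields plus the raw extension string."""
    fields, pos = [], 0
    while len(fields) < 7:
        m = _HDR_FIELD.match(line, pos)
        if not m:
            raise ValueError("CEF header needs 7 '|'-terminated fields")
        fields.append(_UNESCAPE.sub(r"\1", m.group(1)))
        pos = m.end()
    return fields + [line[pos:]]

def parse_extension(ext):
    """Split 'key=value' pairs; values may contain spaces, '\\=' and '\\\\'."""
    keys = list(_EXT_KEY.finditer(ext))
    out = {}
    for n, m in enumerate(keys):
        end = keys[n + 1].start() if n + 1 < len(keys) else len(ext)
        out[m.group(1)] = _UNESCAPE.sub(r"\1", ext[m.end():end].strip())
    return out

def parse_cef(line):
    parts = split_header(line)
    if not parts[0].startswith("CEF:"):
        raise ValueError("not a CEF record")
    rec = dict(zip(HEADER_FIELDS, parts[:7]))
    rec["version"] = parts[0][len("CEF:"):]
    rec["extension"] = parse_extension(parts[7])
    return rec

def cloud_app_summary(line):
    """What MDCA discovery is built from: action, source/destination, app name.
    Assumes the app name is a cs<N> custom string labelled 'Application'."""
    ext = parse_cef(line)["extension"]
    labels = {v: k[:-5] for k, v in ext.items() if k.endswith("Label")}
    return {**{k: ext.get(k, "") for k in ("act", "src", "dst", "dpt")},
            "app": ext.get(labels.get("Application", ""), "")}
```

Feed it the lines the Log Collector actually receives (for example from a packet capture on the collector host) and compare the summary with what shows up in the discovery dashboard.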

Step 3.

In Azure you also have to set up a configuration. Unfortunately I don't have access to the customer's Azure environment, so I can only refer you to Microsoft's documentation for more about provisioning from the Azure side.
What you definitely need is a Log Collector; it forwards the information coming from the Checkpoint to the Microsoft Defender for Cloud Apps environment of your company or customer.

Wake-On-LAN

To route broadcast traffic from the SCCM server across different VLANs, an access list must be set on the core switch (where the routing takes place). You can do this with the extended access list below. Give the access list a recognizable name and then add an entry per SCCM server.

1. Configure the access list

With the access list you indicate that the SCCM servers are allowed to send a broadcast. In place of the xx you enter the IP address of your own SCCM server.

ip access-list extended "<naam acl>"
     10 permit ip xx.xx.xx.xx 0.0.0.0 0.0.0.0 255.255.255.255

Then bind the access list to directed-broadcast forwarding:

ip directed-broadcast access-group "<naam acl>"

2. Configure 802.1x ports

If the customer uses 802.1x, the switch port must also be configured to allow WOL traffic on 802.1x ports; this is closed by default. With the command below you allow it through:

aaa port-access <port-list> controlled-direction in

Finally, you also have to set the firewall to allow broadcast traffic. This is blocked by default on a CheckPoint firewall. But you can configure it through the Gaia interface or via clish. You can do this for

3. Configure the IP broadcast helper on the firewall

Via the Gaia WebGUI you set this up by choosing the interface behind which your customer VLANs sit. For UDP Port you choose 9 and as relay the IP address of the VLAN interface.