Tag Archives: cloud apps

Checkpoint Log Exporter and MCAS

A customer wanted to start using Microsoft Defender for Cloud Apps (previously known as Microsoft Cloud App Security) and for this they had to ensure that the log files are sent to Microsoft. After a lot of reading and a lot of trial-and-error I finally got it working.

We initially assumed that we could send this in the Syslog format, but this didn't work for us.

This step-by-step plan is for the most part about the configuration of the Checkpoint firewall and not about the Microsoft Defender for Cloud Apps part. I don't have access to the customer's Azure environment, so I can't visually support this or explain it in detail. In any case, I will also put links for more detailed information.

Step 1.

First I created a firewall rule, so that the log files are actually allowed to go out.
Syslog is still included, but in principle this is not necessary because the files are sent over https.

Step 2.

Creating a Log Exporter rule on the Checkpoint Management Server is especially important because here you indicate in which format you want to send the logs to the Microsoft Log Collector. In this link there is very extensive information about what you can set, we have chosen to send everything to the Log Collector. For this we used the following command:
cp_log_export add name FW3-LOG target-server 20.71.xx.xx target-port 443 protocol tcp format cef

With the command cp_log_export show you can check your settings.

This makes the log export active immediately and the log files are sent over https to the specified IP address.
I used to have Syslog as format here and it didn't work well with the Log Collector and the MDCA together. After we changed this to the CEF format and also changed the settings on the Azure side to CEF and changed the docker instance of the Log Collector, we saw all relevant information come in, such as which cloud apps, (source) IP addresses are used. This is the information my customer wants to see and they are happy.

Step 3.

In Azure you also have to specify a configuration. Unfortunately I don't have access to the customer environment in Azure, so I can only say that here (Microsoft) can learn more about provisioning from the Azure side.
What you definitely need is a Log Collector, there you send the information that comes from the Checkpoint to the Microsoft Defender for Cloud Apps environment of your company or customer.