Event Forwarding to Storage Account
Check Point creates a designated storage container for you on the Microsoft Azure platform. You can pull log data directly from this storage account using access tokens. This method is available for accounts in the EU and US regions only.

Note - The storage account retains data for only 7 days.
Forwarding to Azure Storage
To configure the destination:
- In the Infinity Portal, click > Event Forwarding.
- Click Create Destination or Manage Destinations.
  The New Destination window opens.
- From the Forwarding method list, select Forward to Storage account and click Next.
- On the Details page, you can see the selected forwarding method and the data format (only JSON is supported).
  Best Practice - Add the IP address of the server that will access the logs. This IP-based allow list is an optional security feature.
  Note - The IP address must be public.
- Click Next.
- On the Generate Resources page, click Generate Resources. The system creates blob storage in which your data is stored in GZIP-compressed format for retrieval. The process takes about 1-2 minutes.
  When the resources are generated, you can see these storage details:
  - Storage account name
  - Storage account container name
- In the SAS token section, select the token expiration period. This shared access signature (SAS) token is generated by Azure Storage to grant you permissions to storage resources. The token can be valid for 30, 90, or 180 days. You can have a maximum of two SAS tokens simultaneously. Save each SAS token in a secure location. A lost token cannot be recovered.
- Click Finish.
Fetching from Azure Storage using SAS token
The SAS token you received through the Infinity Portal allows you to access the events stored in Check Point Azure Storage.
Data Layout
The data is organized in a time-based hierarchy under an Azure blob container.
- Container Name: {containerId}
- Path: checkpoint.eventforwarding.events/ef-{tenantId}/{Year}/{Month}/{Day}/{Hour}/
- Format: Compressed JSON files (.json.gz)
Continuous Data Retrieval
- SIEM - Check with your SIEM provider whether it has a native integration with Azure Blob Storage.
- Azure CLI & SDK Options - Transfer the data to a storage of your choice.
  Azure provides CLI tools and SDKs in multiple programming languages (Python, Node.js, Go, etc.) that support SAS token authentication.
  For detailed guidance on using Azure CLI with SAS tokens, refer to: Azure Storage - Use SAS tokens with Azure CLI.
Continuous Retrieval Strategy
- Use the time-based path structure to retrieve new data: ef-{tenantId}/YYYY/MM/DD/HH.
- Track previously processed files to avoid duplication.
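The retrieval strategy above, written out as an added example (this is not Check Point's code or a Check Point-provided tool): it walks the hourly prefixes from the last checkpoint to now, clamps the start to the 7-day retention window so no time is wasted listing hours that no longer exist, skips blob names already recorded as processed, and decompresses each .json.gz file into event records. The helper names (hour_prefixes, select_new_blobs, parse_events, fetch_new_events), the assumption that month, day and hour segments are zero-padded, and the assumption that each file holds either a JSON array or newline-delimited JSON are mine; the Azure SDK client (azure-storage-blob) is imported only inside fetch_new_events so the pure path and parsing logic runs without network access.

```python
"""Added example: incremental pull of event-forwarding blobs using a SAS token.
Not Check Point's code; helper names and file-content assumptions are the author's."""
import gzip
import json
from datetime import datetime, timedelta, timezone

# Layout documented for the container:
# checkpoint.eventforwarding.events/ef-{tenantId}/{Year}/{Month}/{Day}/{Hour}/
PREFIX_ROOT = "checkpoint.eventforwarding.events"
RETENTION = timedelta(days=7)  # the storage account keeps data for 7 days


def hour_prefixes(tenant_id, start, end):
    """Return one blob prefix per hour from start to end (inclusive, UTC).
    Assumption: month/day/hour segments are zero-padded (e.g. 2024/02/01/00/)."""
    t = start.replace(minute=0, second=0, microsecond=0)
    prefixes = []
    while t <= end:
        prefixes.append(f"{PREFIX_ROOT}/ef-{tenant_id}/{t:%Y}/{t:%m}/{t:%d}/{t:%H}/")
        t += timedelta(hours=1)
    return prefixes


def clamp_to_retention(since, now):
    """Never start earlier than the retention window; older hours are gone anyway."""
    oldest = now - RETENTION
    return since if since > oldest else oldest


def select_new_blobs(blob_names, processed):
    """Keep only compressed JSON files not already recorded as processed."""
    return [n for n in blob_names if n.endswith(".json.gz") and n not in processed]


def parse_events(gz_bytes):
    """Decompress one .json.gz blob into a list of event dicts.
    Assumption: the file is either a JSON array or newline-delimited JSON."""
    text = gzip.decompress(gz_bytes).decode("utf-8").strip()
    if text.startswith("["):
        return json.loads(text)
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def fetch_new_events(account_url, container, sas_token, tenant_id, since, processed, now=None):
    """List and download unseen blobs under each hourly prefix since the checkpoint.
    `processed` is a mutable set of blob names the caller persists between runs.
    Requires azure-storage-blob (pip install azure-storage-blob)."""
    from azure.storage.blob import ContainerClient  # lazy import: SDK only needed here

    client = ContainerClient(account_url=account_url, container_name=container,
                             credential=sas_token)
    now = now or datetime.now(timezone.utc)
    events = []
    for prefix in hour_prefixes(tenant_id, clamp_to_retention(since, now), now):
        names = [b.name for b in client.list_blobs(name_starts_with=prefix)]
        for name in select_new_blobs(names, processed):
            events.extend(parse_events(client.download_blob(name).readall()))
            processed.add(name)  # record only after a successful parse
    return events


# Constructed sample blob content (not real Check Point events) for offline use.
SAMPLE_GZ = gzip.compress(
    b'{"event": "a", "severity": "High"}\n{"event": "b", "severity": "Low"}\n'
)

if __name__ == "__main__":
    since = datetime.now(timezone.utc) - timedelta(hours=2)
    for p in hour_prefixes("TENANT_ID_PLACEHOLDER", since, datetime.now(timezone.utc)):
        print(p)
    print(parse_events(SAMPLE_GZ))
```

Persist the `processed` set (and the last successful timestamp) between runs; on a restart, re-listing the last few hours with the set in place is what prevents the duplicates the second bullet warns about. The SAS token is the only credential involved, so store it with the same care as any other secret and rotate before its 30, 90 or 180 day expiry.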
Creating a Forwarding Rule
To forward the data, you must create a forwarding rule. For more information, see Managing Forwarding Rules.