Push to SIEM

Check Point Portal can forward logs to SIEM in three formats: Syslog, LEEF, or CEF.

Supported Check Point Portal Services

Event Forwarding can send data from these Check Point Portal services:

  • Check Point Portal Audit logs

  • Browse Security

  • Connect

  • Email Security

  • Endpoint Security

  • Mobile Security

  • Management & Smart-1 Cloud

  • Check Point SASE

  • Spark Management

  • WAF Application Security - Application Security

  • Workforce AI Security

Prerequisites

  • The SIEM server must support TLS 1.2.

  • The OpenSSL CLI must be installed on your computer.

Network Access Requirements

To receive events from Check Point Portal, the SIEM must accept inbound connections on a dedicated listener port.

Configure your network and firewall policy to allow inbound traffic from Check Point Portal regional endpoints, using FQDN-based filtering.

Use the regional Fully Qualified Domain Name (FQDN) that corresponds to your Check Point Portal location:

Region

FQDN

Ports

Europe (EU)

whitelist-cidr.eu.datatube.checkpoint.com/

514, 6514

United States (US)

whitelist-cidr.us.datatube.checkpoint.com/

514, 6514

Asia-Pacific (AP, Australia)

whitelist-cidr.ap.datatube.checkpoint.com/

514, 6514

India (IN)

whitelist-cidr.in.datatube.checkpoint.com/

514, 6514

United Arab Emirates (AE)

whitelist-cidr.ae.datatube.checkpoint.com/

514, 6514

Important - FQDN-based filtering is required for new deployments and recommended for existing deployments to prevent connectivity issues when backend infrastructure changes. Do not replace the FQDN endpoints with fixed network addresses.

Note - During onboarding, new customers can use only ports 514 and 6514.

If FQDN-based filtering is not supported

Use IP-based filtering only if your firewall platform does not support FQDN-based rules.

Allow an IP address If FQDN based rules are not supported. Configure your firewall to allow inbound traffic from the IP address returned by a DNS lookup of the required regional domain.

Important - The resolved IP address is not static and may change over time. When using IP-based rules, review and update the configured IP address periodically to maintain connectivity.

Reference IP addresses (IP-based filtering only)

Data Region

Example IP Address

Source Ports

Australia

20.53.179.128/29

514, 6514

Canada

20.116.186.248/29

514, 6514

India

20.207.91.248/29

514, 6514

UAE

20.233.160.96/29

514, 6514

US

20.22.10.32/29

514, 6514

Europe

20.23.152.176/29

514, 6514

Note - These IP addresses are provided for convenience, but they are not guaranteed to remain static. Always prefer FQDN-based rules when possible.

File Extensions

File 

Description

<CA>.key

Private key

<CA>.pem

Public key

.csr

Certificate Sign Request

.crt

File you create when you sign the .csr file with the <CA>.key file and the <CA>.pem file.

.pfx

If you use an existing domain certificate, this file contains the [CA].key file and <CA>.pem file.

If you already have a <CA>.key file and a <CA>.pem file, then skip this step.

Skip this step if any of these is correct:

  • You use TLS, not mutual TLS encryption.

  • You already have a <CA>.key file and a <CA>.pem file.

If you do not have a <CA>.key file and a <CA>.pem file, follow one of these procedures to prepare your organization's domain certificate:

  1. On your computer, in OpenSSL CLI, generate a Client CA:

    1. Create the <CA>.key file:

      openssl genrsa -out <CA>.key 2048

    2. Create <CA>.pem file:

      openssl req -x509 -new -nodes -key <CA>.key -sha256 -days 825 -out <CA>.pem

  2. On your computer, in the OpenSSL CLI, create a certificate for the SIEM server:

    1. Create a key for the SIEM server:

      openssl genrsa -out <SERVER>.key 2048

    2. Generate a .csr file for the SIEM server:

      openssl req -new -key <SERVER>.key -out <SERVER>.csr

    3. Generate a Client Certificate (.crt) file for the SIEM server. To do this, sign the .csr file using your organization's CA:

      openssl x509 -req -in <SERVER>.csr -CA <CA>.pem -CAkey <CA>.key -CAcreateserial -out <SERVER>.crt -days 825 -sha256

  3. Install your SIEM server certificate, SIEM server key, and the CA on your SIEM server (for example, Splunk, Syslog, or QRadar).

  4. In the configuration of the SIEM server, define the <CA>.pem file as a trusted certificate.

If you already have a .pfx file, then use this method.

Prerequisites:

  • The .pfx file that contains the <CA>.key file and the <CA>.pem file.

  • The passphrase of the .pfx file.

Note - For OpenSSL 3.x users:

If you get an error when extracting from a .pfx file, add the -legacy flag in bash:

openssl pkcs12 -in <CERTIFICATE>.pfx -out <CA>.pem –noenc -legacyopenssl pkcs12 -in <CERTIFICATE>.pfx -nocerts -out <CA>.key -legacy

To verify your OpenSSL version and available providers, run this command in bash:

openssl versionopenssl list -providers

If only the default provider is listed, the -legacy flag is required.

Procedure

Do these steps in OpenSSL CLI on your computer:

  1. Extract the <CA>.pem file from the .pfx file:

    openssl pkcs12 -in <CERTIFICATE>.pfx -out <CA>.pem –noenc

  2. Extract the <CA>.key file from the .pfx file:

    openssl pkcs12 -in <CERTIFICATE>.pfx -nocerts -out <CA>.key

  3. Remove the passphrase from the <CA>.key file:

    openssl rsa -in <CA>.key -out <my-key-nopass>.key

On your SIEM server, open a dedicated port to receive logs from Check Point Portal.

Region

FQDN

Ports

Europe (EU)

whitelist-cidr.eu.datatube.checkpoint.com/

514, 6514

United States (US)

whitelist-cidr.us.datatube.checkpoint.com/

514, 6514

Asia-Pacific (AP, Australia)

whitelist-cidr.ap.datatube.checkpoint.com/

514, 6514

India (IN)

whitelist-cidr.in.datatube.checkpoint.com/

514, 6514

United Arab Emirates (AE)

whitelist-cidr.ae.datatube.checkpoint.com/

514, 6514

A Destination object in the Check Point Portal defines a connection between the Check Point Portal and a SIEM server.

After you configure a Destination for your SIEM server, you can review, edit, search, and delete the destination(s) in the Manage Destinations window. For more information, see Managing Destinations.

  1. In the Check Point Portal, click > Event Forwarding.

  2. Click Create Destination or Manage Destinations.

    The New Destination window opens.

  3. From the Forwarding method list, select Push to SIEM.

  4. Enter a name for the destination.

  5. From the list, select a SIEM server.

  6. In the Host field, enter the address of the SIEM server as an FQDN.

  7. In the Port field, enter the port to use for the SIEM server.

    Note - Below the Port field, default configurations appear. You cannot change these configurations:

    • Protocol - The communication protocol. Currently, only TCP is supported.

    • Encryption - The encryption protocol. You can select TLS or mutual TLS.

  8. Click Next.

    The Certificates tab opens.

For this step, keep the Certificates tab of the Check Point Portal open and the SIEM server active. Then, follow the workflow:

  • For mutual TLS encryption, follow the numbered workflow in the Certificates tab.

  • For TLS encryption, skip to Step 3 to upload your CA certificate.

  1. Client Certification Sign Request (.csr file)

    1. In the Check Point Portal, click Certificate Sign Request.

      Your web browser downloads the Check Point Portal's .csr file to your computer.

    2. On your computer, use the OpenSSL command line to open the .csr file.

    3. On your computer, use the openssl x509 command to sign the downloaded Client Certificate. To do this, it is necessary to enter your private and public keys.

      Note - Make sure you are in the same working folder as the <CA>.key and <CA>.pem files.

      openssl x509 -req -in <CERTIFICATE>.csr -CA <CA>.pem -CAkey <CA>.key -CAcreateserial -out <YOUR-CERTIFICATE>.crt -days 825 -sha256

  2. Client Certificate (.crt file) - In the Check Point Portal, click Browse and upload the signed Client Certificate (.crt file).

    Best Practice - For a more secure connection, Check Point recommends to also upload the signed Client Certificate (.crt file) to your SIEM server.

  3. Certificate Authority (CA) certificate (.pem file) - Click Browse and upload the CA certificate (<CA>.pem).

  4. Test Connectivity - Click Test Connectivity.

    This test allows you to confirm that the server communicates with Event Forwarding and that Event Forwarding is not impersonated by an attacker.

    Important - In a first-time configuration, you must do a successful test before you can continue configuring Event Forwarding.

    5. If the connection is successful, then Connect successfully appears.

    If the connection is not successful, refer to sk182879 - Check Point Portal Event Forwarding - Troubleshooting.

  5. Click Finish.

After configuring the destination, add a forwarding rule with this destination. For more information, see Managing Forwarding Rules.