Event Forwarding
Event Forwarding is an easy and secure method to export Check Point Portal data. You can forward logs, events, and saved application data from your Check Point Portal account to a SIEM (Security Information and Event Management) provider, such as Splunk, QRadar, or ArcSight. The SIEM server processes large amounts of data and shows it on dashboards or in notifications. To set up Event Forwarding, you must purchase the required contract for your chosen method (log forwarding or log exporter) and use certificates to establish secure communication between Check Point Portal and your SIEM server.
Check Point Portal provides two event forwarding methods:
- Push to SIEM - Forward logs to SIEM by Syslog, LEEF, or CEF with TLS. For more information, see Push to SIEM.
- Pull from storage account - Send logs to the Check Point Azure storage account that provides access to JSON, LEEF, or CEF logs. For more information, see Pull from Storage Account.
| Aspect | Push to SIEM | Pull from Storage |
|---|---|---|
| Definition | Portal actively sends events to SIEM | SIEM polls and retrieves events from Azure blob storage |
| Delivery Method | Real-time push via Syslog over TCP | Manual or scheduled pull from Azure blob storage |
| Configuration | SIEM host (FQDN) + port + Syslog format (CEF / LEEF / Syslog) + certificates | Azure storage account details + access credentials |
| Connectivity | Requires continuous connectivity to SIEM | SIEM can pull later; less dependent on uptime |
| Security | Syslog over TLS or mutual TLS (certificate-based authentication) | Secure bucket access + IAM policies |
| Use Cases | Real-time monitoring and alerting | Environments with intermittent connectivity |
| Destinations | Up to three SIEM destinations | One destination |
| Cost | More expensive | Less expensive |

Important - Event Forwarding requires a dedicated license. For more information about the license, see sk182879 - Check Point Portal Event Forwarding - Troubleshooting.
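Both methods deliver records in CEF or LEEF, so whatever receives them (a SIEM collector, or a script that pulls from the storage account) has to split the pipe-delimited header from the key=value body, honouring the escape rules of each format. The following parser is an added example written for this page; it is not Check Point's code, and the sample events, the vendor and product names in them, and the field values are constructed for illustration and do not represent actual Check Point Portal output.

```python
"""Parse CEF and LEEF syslog payloads the way a SIEM receiver does.

Added example: not Check Point's code. The sample events below are
constructed and do not represent real Check Point Portal output.
"""
import re
from typing import Any, Dict, List, Optional

CEF_HEADER = ["cef_version", "device_vendor", "device_product",
              "device_version", "signature_id", "name", "severity"]
LEEF_HEADER = ["leef_version", "vendor", "product", "product_version", "event_id"]

# A CEF extension key starts the record or follows whitespace and ends in '='.
_EXT_KEY = re.compile(r"(?:^|\s)([A-Za-z0-9_.]+)=")


def _split_header(text: str, maxsplit: int) -> List[str]:
    """Split on '|' while honouring the header escapes '\\|' and '\\\\'."""
    parts, buf, i, n = [], [], 0, 0
    while i < len(text):
        ch = text[i]
        if ch == "\\" and i + 1 < len(text) and text[i + 1] in "|\\":
            buf.append(text[i + 1])       # keep the escaped char literally
            i += 2
            continue
        if ch == "|" and n < maxsplit:
            parts.append("".join(buf))
            buf, n = [], n + 1
        else:
            buf.append(ch)
        i += 1
    parts.append("".join(buf))
    return parts


def _parse_kv(body: str, delim: Optional[str] = None) -> Dict[str, str]:
    """Parse key=value pairs. LEEF uses an explicit delimiter; CEF separates
    pairs by whitespace and escapes '=' inside values as '\\='."""
    fields: Dict[str, str] = {}
    if delim is not None:
        for pair in body.split(delim):
            if "=" in pair:
                k, v = pair.split("=", 1)
                fields[k] = v
        return fields
    keys = list(_EXT_KEY.finditer(body))
    for idx, m in enumerate(keys):
        end = keys[idx + 1].start() if idx + 1 < len(keys) else len(body)
        value = body[m.end():end]
        fields[m.group(1)] = value.replace("\\=", "=").replace("\\\\", "\\")
    return fields


def parse_cef(line: str) -> Dict[str, Any]:
    """Parse one CEF record: seven '|' separated header fields, then extensions."""
    if not line.startswith("CEF:"):
        raise ValueError("not a CEF record")
    parts = _split_header(line[len("CEF:"):], maxsplit=7)
    if len(parts) != 8:
        raise ValueError("CEF header must contain 7 '|' separated fields")
    event: Dict[str, Any] = dict(zip(CEF_HEADER, parts[:7]))
    if event["severity"].isdigit():
        event["severity"] = int(event["severity"])  # numeric 0-10 severity
    event["extension"] = _parse_kv(parts[7])
    return event


def parse_leef(line: str) -> Dict[str, Any]:
    """Parse one LEEF 1.0 or 2.0 record. LEEF 2.0 carries the attribute
    delimiter in a sixth header field (a literal char or 'x' + hex, e.g. x09);
    LEEF 1.0 always uses a tab."""
    if not line.startswith("LEEF:"):
        raise ValueError("not a LEEF record")
    body = line[len("LEEF:"):]
    if body.split("|", 1)[0].startswith("2"):
        parts = _split_header(body, maxsplit=6)
        if len(parts) != 7:
            raise ValueError("LEEF 2.0 header must contain 6 '|' separated fields")
        spec = parts[5]
        if spec == "":
            delim = "\t"
        elif spec.lower().startswith("x") and len(spec) > 1:
            delim = chr(int(spec[1:], 16))
        else:
            delim = spec
        attrs = parts[6]
    else:
        parts = _split_header(body, maxsplit=5)
        if len(parts) != 6:
            raise ValueError("LEEF 1.0 header must contain 5 '|' separated fields")
        delim, attrs = "\t", parts[5]
    event: Dict[str, Any] = dict(zip(LEEF_HEADER, parts[:5]))
    event["attributes"] = _parse_kv(attrs, delim)
    return event


def parse_event(line: str) -> Dict[str, Any]:
    """Locate the CEF:/LEEF: marker (skipping any syslog prefix) and dispatch."""
    for marker, fn in (("CEF:", parse_cef), ("LEEF:", parse_leef)):
        idx = line.find(marker)
        if idx != -1:
            return fn(line[idx:])
    raise ValueError("no CEF or LEEF payload found")


# Constructed sample events (hypothetical vendor/product, not real output).
SAMPLE_CEF = ("<14>1 2024-01-01T12:00:00Z portal.example.com - - - - "
              "CEF:0|ExampleVendor|ExamplePortal|1.0|1001|Policy install \\| done|3|"
              "src=10.0.0.5 dst=198.51.100.7 act=Prevent msg=key\\=value pair")
SAMPLE_LEEF = ("LEEF:2.0|ExampleVendor|ExamplePortal|1.0|2002|^|"
               "src=10.0.0.5^dst=198.51.100.7^sev=5")

if __name__ == "__main__":
    print(parse_event(SAMPLE_CEF))
    print(parse_event(SAMPLE_LEEF))
```

The header splitter treats `\|` as a literal pipe, which matters for event names that contain one; the CEF extension parser relies on the format's rule that `=` inside a value is escaped, so a malformed producer that leaves it bare will shift keys. Checking a received sample this way before pointing a production SIEM parser at the feed catches format mismatches early.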
Use Case
A typical use case is an organization that uses several security vendors, along with Check Point, to protect itself from cyber attacks. The organization uses an external analytics platform to see all data from every vendor in a single pane of glass.