Event Forwarding

Introduction

Event Forwarding is an easy and secure procedure to export Infinity Portal data over the Syslog protocol. You can forward logs, events, and saved application data from your Check Point Infinity Portal account to a SIEM (Security Information and Event Management) provider, such as Splunk, QRadar, or ArcSight. The SIEM server processes large amounts of data and shows it in dashboards or notifications. To set up Event Forwarding, you must use certificates to establish secure communication between the Infinity Portal and your SIEM server.

Use Case

A typical use case is an organization that uses a number of security vendors, along with Check Point, to protect itself from cyber attacks. The organization uses an external analytics platform to see all data from every vendor in a single pane of glass.

Prerequisite

The SIEM server must support TLS 1.2.

The OpenSSL CLI must be installed on your computer.

Glossary

File 

Description

<CA>.key

Private key

<CA>.pem

Public key

.csr

Certificate Sign Request.

.crt

File you create when you sign the .csr file with the <CA>.key file and the <CA>.pem file.

.pfx

If you use an existing Domain Certificate, this file contains the [CA].key file and <CA>.pem file.

Configuration

Managing Destinations

After you configure destination(s) for an external-analytics platform, you can review, edit, delete, and search them in the Manage Destinations window.

Managing Forwarding Rules

On the Events page, Forwarding Rules show with the rule name, the services you forward data from, and the name of the destination to which you forward the data.

To add a new Forwarding Rule:

Click the [+] icon or the + Add.

To edit a Forwarding Rule

Put the cursor on the rule and click , then select Edit. Change the rule settings as necessary.

To delete a Forwarding Rule

Put the cursor on the rule and click , then select Delete.