Event Forwarding
Event Forwarding is an easy and secure procedure to export Infinity Portal data over the Syslog protocol. You can forward logs, events, and saved application data from your Check Point Infinity Portal account to a SIEM (Security Information and Event Management) provider, such as Splunk, QRadar, or ArcSight. The SIEM server processes large amounts of data and shows it in dashboards or notifications. To set up Event Forwarding, you must use certificates to establish secure communication between Infinity Portal and your SIEM server.
The Infinity Portal provides two forwarding methods:
- Use Syslog receiver - Forward logs to the SIEM over Syslog with mTLS.
- Forward to Storage account - Send logs to a Check Point Azure storage account that provides JSON log access.
You can create up to three SIEM destinations with the Syslog receiver, or one destination that forwards to an Azure storage account.
Important - This feature requires a dedicated license. For more information about the license, see sk182879 - Infinity Portal Event Forwarding - Troubleshooting.
Use Case
A typical use case is an organization that uses several security vendors, along with Check Point, to protect itself from cyber attacks. The organization uses an external analytics platform to see all data from every vendor in a single pane of glass.
Supported Infinity Portal Services
Event Forwarding can send data from these Infinity Portal services:
- Quantum Security Management (Smart-1 Cloud)
- Quantum Spark Management
- CloudGuard WAF
- Harmony SASE
- Harmony Connect
- Harmony Endpoint
- Harmony Mobile
- Harmony Email & Collaboration
- Harmony Email & Office 2.0
Event Forwarding with Syslog Receiver
Prerequisites:
- The SIEM server must support TLS 1.2.
- The OpenSSL CLI must be installed on your computer.
File Extensions
| File | Description |
|---|---|
| .key | Private key |
| .pem | Public key (CA certificate) |
| .csr | Certificate Sign Request |
| .crt | Client Certificate. The file you create when you sign the .csr file with your CA |
| .pfx | If you use an existing Domain Certificate, this file contains the <CA>.key and <CA>.pem files |
If you already have a <CA>.key file and a <CA>.pem file, skip this step.
If you do not have a <CA>.key file and a <CA>.pem file, follow one of these procedures to prepare your organization's Domain Certificate:
1. On your computer, in the OpenSSL CLI, generate a Client CA:
   a. Create the <CA>.key file:
      openssl genrsa -out <CA>.key 2048
   b. Create the <CA>.pem file:
      openssl req -x509 -new -nodes -key <CA>.key -sha256 -days 825 -out <CA>.pem
2. On your computer, in the OpenSSL CLI, create a certificate for the SIEM server:
   a. Create a key for the SIEM server:
      openssl genrsa -out <SERVER>.key 2048
   b. Generate a .csr file for the SIEM server:
      openssl req -new -key <SERVER>.key -out <SERVER>.csr
   c. Generate a Client Certificate (.crt file) for the SIEM server. To do this, sign the .csr file with your organization's CA:
      openssl x509 -req -in <SERVER>.csr -CA <CA>.pem -CAkey <CA>.key -CAcreateserial -out <SERVER>.crt -days 825 -sha256
3. Install the SIEM server certificate, the SIEM server key, and the CA certificate on your SIEM server (for example, Splunk, Syslog, or QRadar).
4. In the configuration of the SIEM server, define the <CA>.pem file as a trusted certificate.
If you already have a .pfx file, use this method.
Prerequisites:
- The .pfx file that contains the <CA>.key file and the <CA>.pem file.
- The passphrase of the .pfx file.
Procedure
Do these steps in the OpenSSL CLI on your computer:
1. Extract the <CA>.pem file (certificates only, no private key) from the .pfx file:
   openssl pkcs12 -in <CERTIFICATE>.pfx -nokeys -out <CA>.pem -noenc
2. Extract the <CA>.key file from the .pfx file:
   openssl pkcs12 -in <CERTIFICATE>.pfx -nocerts -out <CA>.key
3. Remove the passphrase from the <CA>.key file:
   openssl rsa -in <CA>.key -out <my-key-nopass>.key
On your SIEM server, open a dedicated port to receive logs from Event Forwarding.
| Region | IP Addresses | Port |
|---|---|---|
| EU |  | No specific port required |
| AUS |  | No specific port required |
| US |  | No specific port required |
| UAE |  | 514 |
A Destination object in the Infinity Portal defines a connection between the Infinity Portal and a SIEM server.
After you configure a Destination for your SIEM server, you can review, edit, search, and delete the destination(s) in the Manage Destinations window. For more information, see Managing Destinations.
1. In the Infinity Portal, click > Event Forwarding.
2. Click Create Destination or Manage Destinations.
   The New Destination window opens.
3. From the Forwarding method list, select Syslog.
4. Enter a name for the destination.
5. From the list, select a SIEM server.
6. In the Host field, enter the address of the SIEM server as an IP address or FQDN.
7. In the Port field, enter the port to use for the SIEM server.
   Note - Below the Port field, default configurations appear. You cannot change these configurations:
   - Type - The type of logs that your external analytics platform receives. Currently, only Syslog is supported.
   - Protocol - The communication protocol. Currently, only TCP is supported.
   - Encryption - The encryption protocol. Currently, only mutual TLS is supported.
8. Click Next.
   The Certificates tab opens.
   For this step, keep the Certificates tab of the Infinity Portal open and the SIEM server active. Then follow the numbered workflow in the Certificates tab:
   a. Client Certificate Sign Request (.csr file)
      i. In the Infinity Portal, click Certificate Sign Request. Your web browser downloads the Infinity Portal's .csr file to your computer.
      ii. On your computer, use the OpenSSL command line to open the .csr file.
      iii. On your computer, use the openssl x509 command to sign the downloaded Certificate Sign Request. To do this, you must supply your private and public keys (the <CA>.key and <CA>.pem files).
         Note - Make sure you are in the same working folder as the <CA>.key and <CA>.pem files.
         openssl x509 -req -in <CERTIFICATE>.csr -CA <CA>.pem -CAkey <CA>.key -CAcreateserial -out <YOUR-CERTIFICATE>.crt -days 825 -sha256
   b. Client Certificate (.crt file) - In the Infinity Portal, click Browse and upload the signed Client Certificate (.crt file).
      Best Practice - For a more secure connection, Check Point recommends that you also upload the signed Client Certificate (.crt file) to your SIEM server.
   c. Certificate Authority (CA) certificate (.pem file) - Click Browse and upload the CA certificate (<CA>.pem).
   d. Test Connectivity - Click Test Connectivity. This confirms that the server communicates with Event Forwarding and that Event Forwarding is not impersonated by an attacker.
      Important - In a first-time configuration, you must complete a successful test before you can continue configuring Event Forwarding.
9. Click Finish.
If the connection is successful, Connect successfully appears.
If the connection is not successful, refer to sk182879 - Infinity Portal Event Forwarding - Troubleshooting.
A forwarding rule is a set of conditions for data forwarding from the Infinity Portal to a SIEM server.
To create a forwarding rule:
1. Click the Add Rule button.
   The New Forwarding Rule window opens.
2. Fill in the relevant fields.
3. Click Create.
Event Forwarding to Storage Account
Check Point creates a designated storage container for you on the Microsoft Azure platform. You can pull log data directly from this storage account using access tokens. This method is available for accounts in the EU and US regions only.
Configuring the Forwarding to Azure Storage
To configure the destination:
1. In the Infinity Portal, click > Event Forwarding.
2. Click Create Destination or Manage Destinations.
   The New Destination window opens.
3. From the Forwarding method list, select Forward to Storage account and click Next.
4. On the Details page, you can see the selected forwarding method and the data format (only JSON is supported).
   Best Practice - You can add the IP address of the server that will access the logs. This IP-based access list is an optional security feature that restricts who can read the data.
   Note - The IP address must be public.
5. Click Next.
6. On the Generate Resources page, click Generate Resources. The system creates blob storage for you, stores the data in gzip-compressed format, and makes the data retrievable. The process takes about 1-2 minutes.
   When the resources are generated, you can see these storage details:
   - Storage account name
   - Storage account container name
7. In the SAS token section, select the token expiration period. This shared access signature (SAS) token is generated by Azure Storage to grant you permissions to the storage resources. The token can be valid for 30, 90, or 180 days. You can have a maximum of two SAS tokens simultaneously. Save each SAS token in a secure location. A lost token cannot be recovered.
8. Click Finish.
Fetching from Azure Storage using SAS token
The SAS token you received through the Infinity Portal allows you to access the events stored in a Check Point Azure Storage.
Data Layout
The data is organized in a time-based hierarchy under an Azure blob container.
- Container Name: {containerId}
- Path: checkpoint.eventforwarding.events/ef-{tenantId}/{Year}/{Month}/{Day}/{Hour}/
- Format: Compressed JSON files (.json.gz)
Continuous Data Retrieval
- SIEM - Check with your SIEM provider whether it has a native integration with Azure Blob Storage.
- Azure CLI & SDK Options - Transfer the data to a storage of your choice.
  Azure provides CLI tools and SDKs in multiple programming languages (Python, Node.js, Go, etc.) that support SAS token authentication.
  For detailed guidance on using Azure CLI with SAS tokens, refer to: Azure Storage - Use SAS tokens with Azure CLI.
Continuous Retrieval Strategy
- Use the time-based path structure to retrieve new data: ef-{tenantId}/YYYY/MM/DD/HH.
- Track previously processed files to avoid duplication.
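The retrieval strategy above (walk the hourly prefixes for a time window, skip blobs already ingested, decompress the .json.gz files) as an added Python example; it is not part of this documentation or of Check Point's tooling. It assumes zero-padded Year/Month/Day/Hour fields, that each blob holds a JSON array, a single object or newline-delimited objects, a placeholder tenant id, and a constructed in-memory store in place of the real container; the comments name the Azure SDK calls that the two callbacks stand in for.

```python
import gzip, json
from datetime import datetime, timedelta, timezone

ROOT = "checkpoint.eventforwarding.events"  # container-level prefix from the documented layout

def hour_prefixes(tenant_id, since, until):
    # One prefix per hour in [since, until]: {ROOT}/ef-{tenantId}/YYYY/MM/DD/HH/ (zero-padding assumed).
    t = since.replace(minute=0, second=0, microsecond=0)
    prefixes = []
    while t <= until:
        prefixes.append(f"{ROOT}/ef-{tenant_id}/{t:%Y/%m/%d/%H}/")
        t += timedelta(hours=1)
    return prefixes

def decode_events(blob_bytes):
    # Decompress a .json.gz blob; accept a JSON array, one object, or newline-delimited objects (assumed).
    text = gzip.decompress(blob_bytes).decode("utf-8")
    try:
        data = json.loads(text)
        return data if isinstance(data, list) else [data]
    except json.JSONDecodeError:
        return [json.loads(line) for line in text.splitlines() if line.strip()]

def fetch_new(list_blobs, download, tenant_id, since, until, processed):
    # list_blobs(prefix) -> blob names; download(name) -> bytes. With the Azure SDK these are
    # ContainerClient.list_blobs(name_starts_with=prefix) and download_blob(name).readall() on a
    # client built from the SAS URL. `processed` is the persisted set of blob names already ingested.
    events = []
    for prefix in hour_prefixes(tenant_id, since, until):
        for name in list_blobs(prefix):
            if not name.endswith(".json.gz") or name in processed:
                continue  # already ingested (or not a data file): skip to avoid duplicates
            events.extend(decode_events(download(name)))
            processed.add(name)
    return events

# Constructed stand-in for the container: placeholder tenant id "TENANT" and made-up events.
def gz_json(obj): return gzip.compress(json.dumps(obj).encode("utf-8"))
SAMPLE_STORE = {
    f"{ROOT}/ef-TENANT/2024/05/01/09/part-0001.json.gz": gz_json([{"id": 1, "product": "Harmony Endpoint"}]),
    f"{ROOT}/ef-TENANT/2024/05/01/10/part-0001.json.gz": gz_json([{"id": 2}, {"id": 3}]),
    f"{ROOT}/ef-TENANT/2024/05/01/11/part-0001.json.gz": gz_json({"id": 4}),  # outside the window below
}
SAMPLE_SINCE = datetime(2024, 5, 1, 9, 30, tzinfo=timezone.utc)
SAMPLE_UNTIL = datetime(2024, 5, 1, 10, 15, tzinfo=timezone.utc)

def demo(processed):
    # One polling cycle against the constructed store; returns the event ids fetched in this cycle.
    events = fetch_new(lambda p: sorted(n for n in SAMPLE_STORE if n.startswith(p)),
                       SAMPLE_STORE.__getitem__, "TENANT", SAMPLE_SINCE, SAMPLE_UNTIL, processed)
    return [e["id"] for e in events]
```

Persist the `processed` set (or the highest fully ingested hour) between polling cycles; a second call with the same state returns nothing, which is the deduplication the strategy asks for.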
Managing Destinations
After you configure destination(s) for an external analytics platform, you can review, edit, delete, and search for them in the Manage Destinations window.
To review destinations:
In the Manage Destinations window, on the left pane, select the name of the destination. The right pane shows the settings for the destination and the rules that use the destination.
To edit destinations:
1. In the Destinations window, on the left pane, select the destination's name.
2. Click the edit icon. The Edit Destination window opens.
3. Change the settings as necessary.
4. Click Apply.
5. Click Close.
To delete a destination:
1. In the Manage Destinations window, on the left pane, select the destination's name.
2. Make sure that no rule uses this destination. A destination cannot be deleted while a rule refers to it.
   If no rule uses the destination, the Used by Rule area in the right pane is empty. If some rules use the destination, point those rules at a different destination or delete the rules.
3. Click the delete icon.
To search for a destination:
1. In the Manage Destinations window, in the search field, start to enter the destination's name.
   A list of destinations opens.
2. Click the destination to see more details about the configuration.
3. To exit, click Close.
Managing Forwarding Rules
On the Event Forwarding page, Forwarding Rules show the rule name, the services from which you forward data, and the name of the destination to which you forward the data.
The calculation of the forwarded data depends on the selected services:
- When you select a specific service (for example, Harmony SaaS), the Infinity Portal calculates the expected data usage in gigabytes for this service.
- When you select All services, the Infinity Portal calculates the total expected data usage by summing the data consumption of all available services in this account (for example, Harmony Mobile, Quantum Security Management, and Policy).
The calculated GB value is displayed next to the selected service(s) in parentheses.
For example, if you select only the SaaS service, the Infinity Portal shows the expected data usage for SaaS. If additional services are selected, the Infinity Portal updates the calculation to reflect the combined data usage of the selected services.
To add a new forwarding rule:
1. Click Add Rule.
2. In the New Forwarding Rule window, enter these details:
   - Rule Name - Enter a distinctive name.
   - Services - Select one of these:
     - All (XGB/day) - The expected amount of exported event logs for all services for one day.
     - Specific services (XGB/day) - The expected amount of exported events for the selected services for one day. Select each of the services from which you forward the data. The consumption depends on the selected services.
       Note - Harmony Endpoint data does not include Threat Hunting data, which can accumulate a large number of events. If you require this data to be included, click Include Threat Hunting data and make sure that your contract capacity covers it. For more information, see sk182879 - Infinity Portal Event Forwarding - Troubleshooting.
   - Destination - Select one of the configured destinations.
3. Click Create.
To edit a forwarding rule:
Put the cursor on the rule, click the icon, and then select Edit. Change the rule settings as necessary.
To delete a forwarding rule:
Put the cursor on the rule, click the icon, and then select Delete.