I need to check/control all system events on many Check Point FW-1 firewalls; don't misunderstand me, not rule triggering, but events such as admins logging on, rule changes, etc.
I found out that I can make a log export using two methods:
- Grab logs
- Use a special script that redirects Check Point log entries to syslog, FW1-Loggrabber
But it is not clear to me whether such logs also contain the information I need (admin logons, rule changes). And if yes, is it possible to filter events?
I also suppose that if the system is based on a *nix platform there must be a trick: use the built-in functions of the system to do what I want. Unfortunately I don't know where to "dig". Maybe you know?
Updated: New info: "FW-1 can pipe its logs to syslog via Unix's logger command, and there are third-party log-reading utilities."
So, the main question is: how do I do my task in the best way? Has anybody already solved such a problem?
P.S. I'm new to Check Point, so all information will be useful to me. Thank you.
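Filtering the syslog-forwarded records down to just the events asked about (admin logons and rule-base changes), as an added example that is not part of this thread; the key=value field names, the `fw1audit` syslog tag and the sample lines are constructed assumptions for illustration, not Check Point's documented log schema:

```python
import re
from typing import Dict, Iterable, List

# Constructed sample of audit records as they might look after FW1-Loggrabber
# output has been forwarded to syslog with logger(1). The key=value field names
# are an assumption for this example, not Check Point's documented schema.
SAMPLE_SYSLOG = """\
Mar  3 10:01:02 mgmt fw1audit: product=SmartDashboard action=accept operation="Log In" administrator=alice client_ip=10.0.0.5
Mar  3 10:01:09 mgmt fw1audit: product="VPN-1 & FireWall-1" action=accept service=http src=10.0.0.7 dst=93.184.216.34
Mar  3 10:05:44 mgmt fw1audit: product=SmartDashboard action=accept operation="Modify Object" administrator=alice objectname=Standard_Policy objecttype=rule
Mar  3 10:06:10 mgmt fw1audit: product=SmartDashboard action=accept operation="Install Policy" administrator=alice objectname=Standard_Policy
Mar  3 10:07:00 mgmt fw1audit: product=SmartDashboard action=reject operation="Log In" administrator=bob client_ip=10.0.0.9
"""

# key=value pairs; values are double-quoted when they contain spaces
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Operations that answer "who logged on" and "who changed the rule base"
LOGON_OPS = {"Log In", "Log Out"}
CHANGE_OPS = {"Create Object", "Modify Object", "Delete Object", "Install Policy"}


def parse_record(line: str) -> Dict[str, str]:
    """Turn one syslog line into a dict of its key=value fields (quotes stripped)."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def classify(rec: Dict[str, str]) -> str:
    """Return 'admin_logon', 'policy_change' or '' for ordinary traffic records."""
    op = rec.get("operation", "")
    if op in LOGON_OPS:
        return "admin_logon"
    if op in CHANGE_OPS or rec.get("objecttype") == "rule":
        return "policy_change"
    return ""


def audit_events(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Keep only management-audit events, tagging each with category and outcome."""
    events = []
    for line in lines:
        rec = parse_record(line)
        cat = classify(rec)
        if not cat:
            continue  # plain traffic log entry: not what the question is after
        rec["category"] = cat
        rec["outcome"] = "success" if rec.get("action") == "accept" else "failure"
        events.append(rec)
    return events


if __name__ == "__main__":
    for ev in audit_events(SAMPLE_SYSLOG.splitlines()):
        print(f'{ev["category"]:14} {ev["outcome"]:8} {ev.get("administrator", "?"):6} {ev["operation"]}')
```

The same filter can sit behind `logger` on the management station so that only the four audit lines, not the traffic record, reach the central syslog host.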
Check Point has an add-on for that.
http://www.checkpoint.com/products/softwareblades/smartworkflow.html
I just know a very cool tool we use here.
It's called Tufin SecureTrack: http://tufin.com/products_securetrack.php
It's very, very good and does complete filtering and capturing of the events, and you can make reports of the changes or admin usage. It securely reads the input from the database over the OPSEC API.
The big disadvantage of the product is that it's not free :) But you can test it for about 30 days. Give it a try.
Otherwise you can look for something free that grabs from the OPSEC API; it's an API which allows software to read and write from the Check Point database!
I don't have a good free product I can give you as a recommendation. But you can look around!
I hope this will help you out a little bit.