I've spotted some flaws on CheckPoint collector.

I'm giving one example from blade "URL Filtering" in CheckPoint

These fields are: appi_name, matched_category, app_properties, web_client_type.

If you open the ESM and get the raw data into a dump file, you'll see that all these fields were sent successfully from CheckPoint syslog but did not parse properly on Sentinel.

Here's an example of the raw_dump file I got from the ESM.

product=\"URL Filtering\"
src=\"172.21.218.118\"
src-unresolved=\"172.21.218.118\"
s_port=\"56993\"
s_port-unresolved=\"56993\"
dst=\"54.67.17.119\"
dst-unresolved=\"54.67.17.119\"
service=\"http\"
service-unresolved=\"80\"
proto=\"tcp\"
appi_name=\"advertising.com\"
app_id=\"1817409082\"
matched_category=\"Web Advertisements\"
app_properties=\"Web Advertisements,Business \/ Economy,URL Filtering\"
app_risk=\"0\"
app_rule_id=\"{FC77EDBC-01ED-4832-9454-5AE6925A5FD7}\"
app_rule_name=\"log remaining test group\"
web_client_type=\"Other: Mozilla\/5.0 (Windows NT 6.1; WOW64; Trident\/7.0; rv:11.0) like Gecko\"
resource=\"http:\/\/pixel.advertising.com\/ups\/364\/sync?uid=LGkEhmn_&_origin=1&redir=true\"


And what's showing on Sentinel looks like this:

Message: allow tcp ssl_v3 172.21.218.118 54.67.17.119
TargetDataName: http:\/\/pixel.advertising.com\/ups\/364\/sync?uid=LGkEhmn_&_origin=1&redir=true

There's no such field as app_rule_name, web_client_type, etc.

It'd be really nice if the CheckPoint Collector could be improved in this way, as this is critical information for security.
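For readers who want to recover these fields themselves while the collector is not surfacing them, here is a small parser for the key=\"value\" line format shown in the dump above. This is an added example, not code from the original post or from the CheckPoint/Sentinel collector; RAW_DUMP is a constructed sample modelled on the post's dump, and the function names are the example's own.

```python
import re
from typing import Dict, List

# Constructed sample, modelled on the raw dump in the post: one key=\"value\"
# pair per line, with the dump's JSON-style escaping of quotes and slashes.
RAW_DUMP = r'''product=\"URL Filtering\"
src=\"172.21.218.118\"
dst=\"54.67.17.119\"
service-unresolved=\"80\"
proto=\"tcp\"
appi_name=\"advertising.com\"
matched_category=\"Web Advertisements\"
app_properties=\"Web Advertisements,Business \/ Economy,URL Filtering\"
app_rule_name=\"log remaining test group\"
web_client_type=\"Other: Mozilla\/5.0 (Windows NT 6.1; WOW64; Trident\/7.0; rv:11.0) like Gecko\"
resource=\"http:\/\/pixel.advertising.com\/ups\/364\/sync?uid=LGkEhmn_&_origin=1&redir=true\"
'''

# key=\"value\" where the value may contain escaped characters (\" \/ \\) but
# no raw newline; keys may contain '-' (e.g. service-unresolved).
_PAIR = re.compile(r'(?P<key>[A-Za-z0-9_\-]+)=\\"(?P<value>(?:[^\\\n]|\\.)*?)\\"')

# Fields the post says are sent by CheckPoint but not surfaced in Sentinel.
SECURITY_FIELDS = ("appi_name", "matched_category", "app_properties", "web_client_type")


def unescape(value: str) -> str:
    """Undo the dump's backslash escapes: \\" -> ", \\/ -> /, \\\\ -> \\."""
    return re.sub(r'\\(.)', r'\1', value)


def parse_checkpoint_dump(text: str) -> Dict[str, str]:
    """Parse every key=\\"value\\" pair in a raw dump into a dict of unescaped values."""
    fields: Dict[str, str] = {}
    for m in _PAIR.finditer(text):
        fields[m.group("key")] = unescape(m.group("value"))
    return fields


def split_app_properties(value: str) -> List[str]:
    """app_properties is a comma-separated list of categories; return it as a list."""
    return [p.strip() for p in value.split(",") if p.strip()]


def missing_security_fields(fields: Dict[str, str]) -> List[str]:
    """Return which of the security-relevant fields are absent from a parsed record."""
    return [f for f in SECURITY_FIELDS if f not in fields]


if __name__ == "__main__":
    parsed = parse_checkpoint_dump(RAW_DUMP)
    for name in SECURITY_FIELDS:
        print(f"{name}: {parsed.get(name)}")
    print("categories:", split_app_properties(parsed["app_properties"]))
    print("missing:", missing_security_fields(parsed))
```

Running the block prints the four fields the post cares about, the category list and an empty "missing" list, which shows the raw syslog does carry the data: the gap is in the collector's parsing, not in what CheckPoint sends.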

Comments

  • I think you should rather open a ticket for it, as it seems a *bug* or deficiency in the collector.

  • Well, the funny thing is I created the SR and they told me to come here.