Initializing rule counting for Check Point

When trust is established and the policies are updated, you can view rule counting in IBM QRadar. Complete the final configurations in QRadar and Check Point to tie the configurations together so that you can use rule counting in QRadar.

Before you begin

Before the rule count can increase, the following prerequisites must be met:
  • Make sure that a custom event property for the existing policy name is created for the Check Point log source. A LEEF key or a regex must be configured, depending on the extraction method. The event category must be the same as the category that your event payload falls into, for example Firewall Permit or Firewall Deny.
  • Make sure that your event payload contains the custom event property (CEP) field configured in the first item, so that the value can be parsed and extracted.
    Note: The extracted value must match the rule IDs under your topology's ACLs > Policy > Rule Ids for the rule event count to increase.
  • To optimize performance, the rule event count is updated only once the event queue reaches a configurable size. In the current case, it is 1000.
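The prerequisites above can be checked before the custom event property is committed: the regex must pull a value out of the payload, the value must match a topology rule ID, and counts are only committed once the queue reaches the configured size. The following Python is an added illustration of that flow, not QRadar's own code; the LEEF payloads, the rule_name key, the rule IDs and the flush size are constructed assumptions.

```python
import re
from collections import Counter
from typing import Counter as CounterT, List, Optional, Set, Tuple

# Constructed sample LEEF payloads; the "rule_name" and "cat" keys are assumptions.
SAMPLE_EVENTS = [
    "LEEF:2.0|Check Point|Firewall|1.0|Accept|cat=Firewall Permit\trule_name=Allow_Web\tsrc=10.0.0.5",
    "LEEF:2.0|Check Point|Firewall|1.0|Drop|cat=Firewall Deny\trule_name=Block_Telnet\tsrc=10.0.0.9",
    "LEEF:2.0|Check Point|Firewall|1.0|Accept|cat=Firewall Permit\trule_name=Allow_Web\tsrc=10.0.0.7",
    "LEEF:2.0|Check Point|Firewall|1.0|Accept|cat=Firewall Permit\trule_name=Legacy_Rule\tsrc=10.0.0.8",
    "LEEF:2.0|Check Point|Firewall|1.0|Accept|cat=Firewall Permit\tsrc=10.0.0.3",
]
# Constructed rule IDs standing in for the topology's ACLs > Policy > Rule Ids.
TOPOLOGY_RULE_IDS: Set[str] = {"Allow_Web", "Block_Telnet"}
# Regexes playing the role of the custom event property's extraction pattern.
RULE_RE = re.compile(r"rule_name=([^\t]+)")
CATEGORY_RE = re.compile(r"cat=([^\t]+)")


def extract_rule(payload: str, categories: Set[str]) -> Optional[str]:
    """Return the extracted rule value only when the event category is one the CEP applies to."""
    cat = CATEGORY_RE.search(payload)
    if not cat or cat.group(1) not in categories:
        return None
    match = RULE_RE.search(payload)
    return match.group(1) if match else None


class RuleCounter:
    """Queues extracted values and commits counts only once the queue reaches flush_size."""

    def __init__(self, rule_ids: Set[str], flush_size: int = 1000) -> None:
        self.rule_ids, self.flush_size = rule_ids, flush_size
        self.queue: List[str] = []
        self.committed: CounterT[str] = Counter()  # values that matched a topology rule ID
        self.unmatched: CounterT[str] = Counter()  # extracted but matching no rule ID

    def offer(self, payload: str, categories: Set[str]) -> None:
        value = extract_rule(payload, categories)
        if value is None:
            return  # nothing extracted: the event cannot contribute to any rule count
        self.queue.append(value)
        if len(self.queue) >= self.flush_size:
            self.flush()

    def flush(self) -> None:
        for value in self.queue:
            target = self.committed if value in self.rule_ids else self.unmatched
            target[value] += 1
        self.queue.clear()


def count_events(events: List[str], rule_ids: Set[str], categories: Set[str],
                 flush_size: int) -> Tuple[CounterT[str], CounterT[str], int]:
    """Feed events through the counter; return committed counts, unmatched values, queued size."""
    counter = RuleCounter(rule_ids, flush_size)
    for event in events:
        counter.offer(event, categories)
    return counter.committed, counter.unmatched, len(counter.queue)
```

A non-empty unmatched counter means the extraction works but the value does not line up with the topology rule IDs, which is the case the note above warns about.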

About this task

QRadar Risk Manager needs approximately 1 hour to process counts.

Procedure

  1. In QRadar, click Risks > Configuration Monitor.
  2. Double-click a Check Point device to view the rule counting.
    • Verify that the log source is auto-mapped by looking at the Log Sources column.
    • Look at the Event Count column of the rules table.