IBM Support

QRadar: Can Check Point Log Management events be received by different QRadar appliances?

Troubleshooting


Problem

When configuring QRadar to receive Check Point logs from Check Point Manager, all the device logs are received by the same QRadar appliance. Is there a way to distribute Check Point firewall events coming from a Check Point Management device?

Symptom

All events from the Check Point Management Server OPSEC/LEA log source are duplicated to my other Check Point log source. I cannot seem to distribute my Check Point events across multiple QRadar appliances. When I configure multiple QRadar hosts to poll the same Check Point Management Server, each host receives its own copy of the event stream, so I receive duplicate events from my Check Point Firewalls in proportion to the volume of events being generated.



Document Information

Modified date:
31 March 2020

UID

ibm10725925