IBM Support

QRadar: Can Check Point Log Management events be received by different QRadar appliances?

Troubleshooting


Problem

When configuring QRadar to receive Check Point logs from Check Point Manager, all the device logs are received by the same QRadar appliance. Is there a way to distribute Check Point firewall events coming from a Check Point Management device?

Symptom

All events from the Check Point Management Server OPSEC/LEA log source are duplicated to my other Check Point log source. I cannot seem to distribute my Check Point events to multiple QRadar appliances. To spread the volume of events being generated, I configured multiple QRadar hosts to poll the Check Point Management Server, but now I receive duplicate events from my Check Point Firewalls.

Cause

When a Check Point Management Server is used to collect events from each Check Point Firewall, the OPSEC/LEA stream carries the events of every Check Point Firewall connected to that management server. The OPSEC/LEA stream received from the Check Point Management Server therefore contains all events from all firewall appliances; QRadar sorts the data from the LEA stream into individual log sources as it parses the event data from the OPSEC/LEA subscription.


Fig 1: The LEA feed contains all events from the firewalls managed by the Check Point Management Server. At this time, there is no method to distribute this LEA feed.


Why am I seeing duplicate Check Point Firewall events?

Administrators who are receiving duplicate events from their Check Point Firewalls should verify that multiple log sources are not configured to poll the Check Point Management Server. If multiple log sources are configured to poll for events, two subscriptions are generated and each QRadar managed host polls for the same data.

Fig 2: Two managed hosts that poll a Check Point Management Server will generate duplicate events in QRadar as the LEA stream contains events from each firewall appliance.

Resolving The Problem

Administrators who want to distribute events from individual Check Point Firewall appliances to multiple QRadar hosts need to create a log source for each Check Point Firewall. Each QRadar appliance then polls its assigned Check Point firewall directly, and that subscription contains only the events of that individual firewall appliance, at the cost of more maintenance for the administrator.


Fig 3: Administrators who want to distribute events across QRadar can create individual Check Point log sources so the LEA feed contains only data from a single firewall.
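The two checks above (no more than one OPSEC/LEA log source per Check Point Management Server, and one log source per firewall when events are to be spread across managed hosts) can be audited against an export of the log source inventory. The following Python is an example added here; it is not QRadar's own tooling, and the record fields (name, protocol, server, target_host) and the sample inventory are constructed assumptions for the example rather than the QRadar API schema.

```python
"""Audit a QRadar log source inventory for the duplicate-event condition
described above: more than one OPSEC/LEA log source polling the same
Check Point server (management server or firewall). Also summarise how
per-firewall log sources spread collection across managed hosts.

Added example; the record layout is an assumption, not the QRadar schema.
"""
from collections import defaultdict

# Constructed sample inventory (field names are assumptions for this example).
# Two log sources poll the same management server: the duplicate-event case.
SAMPLE_LOG_SOURCES = [
    {"name": "CP-Mgmt-Console", "protocol": "OPSEC/LEA",
     "server": "cpmgmt.example.internal", "target_host": "qradar-ec01"},
    {"name": "CP-Mgmt-EC02", "protocol": "OPSEC/LEA",
     "server": "cpmgmt.example.internal", "target_host": "qradar-ec02"},
    {"name": "CP-FW-DMZ", "protocol": "OPSEC/LEA",
     "server": "fw-dmz.example.internal", "target_host": "qradar-ec02"},
    {"name": "CP-FW-Core", "protocol": "OPSEC/LEA",
     "server": "fw-core.example.internal", "target_host": "qradar-ec01"},
    {"name": "Linux-Syslog", "protocol": "Syslog",
     "server": "host1.example.internal", "target_host": "qradar-ec01"},
]


def find_duplicate_lea_subscriptions(log_sources):
    """Return {server: [(log source name, target host), ...]} for every
    Check Point server that more than one OPSEC/LEA log source polls.
    Each extra log source is an extra LEA subscription and so an extra,
    duplicate copy of every event in that feed."""
    subscribers = defaultdict(list)
    for ls in log_sources:
        if ls["protocol"] != "OPSEC/LEA":
            continue
        subscribers[ls["server"]].append((ls["name"], ls["target_host"]))
    return {srv: sorted(subs) for srv, subs in subscribers.items()
            if len(subs) > 1}


def distribution_plan(log_sources):
    """Map each managed host to the Check Point servers it polls over
    OPSEC/LEA, which shows how per-firewall log sources distribute
    collection across QRadar hosts."""
    plan = defaultdict(list)
    for ls in log_sources:
        if ls["protocol"] == "OPSEC/LEA":
            plan[ls["target_host"]].append(ls["server"])
    return {host: sorted(servers) for host, servers in plan.items()}


if __name__ == "__main__":
    dups = find_duplicate_lea_subscriptions(SAMPLE_LOG_SOURCES)
    for server, subs in dups.items():
        print(f"DUPLICATE LEA subscriptions to {server}:")
        for name, host in subs:
            print(f"  log source '{name}' on {host}")
    print("Collection plan per managed host:")
    for host, servers in distribution_plan(SAMPLE_LOG_SOURCES).items():
        print(f"  {host}: {', '.join(servers)}")
```

Run it against a real inventory by replacing SAMPLE_LOG_SOURCES with records exported from the deployment; any server reported by find_duplicate_lea_subscriptions is producing the duplicated events described in the Symptom section, and the fix is to keep a single log source for the management server or, to distribute load, one log source per firewall appliance.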



Document Information

Modified date:
31 March 2020

UID

ibm10725925