Troubleshooting
Problem
When configuring QRadar to receive Check Point logs from Check Point Manager, all the device logs are received by the same QRadar appliance. Is there a way to distribute Check Point firewall events coming from a Check Point Management device?
Symptom
All events from the Check Point Management Server OPSEC/LEA log source are duplicated to my other Check Point log source. I cannot seem to distribute my Check Point events to multiple QRadar appliances. When I configure multiple QRadar hosts to poll the Check Point Management Server, I receive duplicate events from my Check Point Firewalls due to the volume of events being generated.
Cause
When using a Check Point Management Server to collect events from each Check Point Firewall, the OPSEC/LEA stream collects events from every Check Point Firewall connected to the management server. The OPSEC/LEA stream received from the Check Point Management Server contains all events from all firewall appliances, and QRadar sorts the data from the LEA stream into individual log sources as it parses the event data from the OPSEC/LEA subscription.
Fig 1: The LEA feed contains all events from the firewalls managed by the Check Point Management Server. At this time, there is no method to distribute this LEA feed.
Why am I seeing duplicate Check Point Firewall events?
Administrators who are receiving duplicate events from their Check Point Firewalls should verify that multiple log sources are not configured to poll the Check Point Management Server. If there are multiple log sources configured to poll for events, two subscriptions are generated and each QRadar managed host will poll for the same data.
Fig 2: Two managed hosts that poll a Check Point Management Server will generate duplicate events in QRadar as the LEA stream contains events from each firewall appliance.
Resolving The Problem
Administrators who want to distribute events from individual Check Point Firewall appliances to multiple QRadar hosts will need to create a log source for each Check Point Firewall. This allows each QRadar appliance to poll for events from the Check Point appliance and the subscription contains events for the individual firewall appliance, but requires more maintenance from the administrator.
Fig 3: Administrators who want to distribute events across QRadar can create individual Check Point log sources so the LEA feed contains only data from a single firewall.
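The two checks this technote asks an administrator to make, verifying that no Check Point Management Server is polled by more than one OPSEC/LEA log source (the cause of the duplicates described under "Why am I seeing duplicate Check Point Firewall events?") and planning one log source per firewall spread across event collectors (the resolution above), can be scripted. The following is an added example and is not IBM's or QRadar's code. The log source records, event records, collector names and addresses are all constructed for the example; the field names (name, protocol, lea_server, target, origin) are an assumed simplified layout, not the QRadar API's real schema, so an administrator would map an export of their own log sources onto these fields first.

```python
"""Sanity checks for Check Point OPSEC/LEA log source layouts in QRadar.

Added example, not IBM's or QRadar's code. Record fields are an assumed,
simplified layout (NOT the real QRadar log source schema); all sample
servers, collectors and events below are constructed.
"""
from collections import defaultdict

# Constructed: two event collectors both polling the same management server,
# which is exactly the configuration that produces duplicated firewall events.
SAMPLE_LOG_SOURCES = [
    {"name": "CP-Mgmt-LEA-A", "protocol": "OPSEC/LEA", "lea_server": "10.0.0.5", "target": "ec-01"},
    {"name": "CP-Mgmt-LEA-B", "protocol": "OPSEC/LEA", "lea_server": "10.0.0.5", "target": "ec-02"},
    {"name": "Syslog-Other",  "protocol": "Syslog",    "lea_server": None,       "target": "ec-02"},
]

# Constructed: a few events as they would land once both subscriptions are
# active. origin is the firewall the management server attributed the event to.
SAMPLE_EVENTS = [
    {"log_source": "CP-Mgmt-LEA-A", "origin": "fw-edge-1", "time": "2020-03-31T10:00:00Z",
     "payload": "accept src=192.0.2.10 dst=198.51.100.7 service=443"},
    {"log_source": "CP-Mgmt-LEA-B", "origin": "fw-edge-1", "time": "2020-03-31T10:00:00Z",
     "payload": "accept src=192.0.2.10 dst=198.51.100.7 service=443"},
    {"log_source": "CP-Mgmt-LEA-A", "origin": "fw-edge-2", "time": "2020-03-31T10:00:01Z",
     "payload": "drop src=203.0.113.9 dst=198.51.100.8 service=22"},
    {"log_source": "CP-Mgmt-LEA-B", "origin": "fw-edge-2", "time": "2020-03-31T10:00:01Z",
     "payload": "drop src=203.0.113.9 dst=198.51.100.8 service=22"},
    {"log_source": "CP-Mgmt-LEA-A", "origin": "fw-edge-1", "time": "2020-03-31T10:00:02Z",
     "payload": "accept src=192.0.2.11 dst=198.51.100.7 service=80"},
]


def find_duplicate_lea_polls(log_sources):
    """Return {lea_server: [log source names]} for every server that more than
    one OPSEC/LEA log source polls. A non-empty result means two subscriptions
    exist and every firewall event will arrive twice."""
    polls = defaultdict(list)
    for ls in log_sources:
        if ls["protocol"] == "OPSEC/LEA" and ls["lea_server"]:
            polls[ls["lea_server"]].append(ls["name"])
    return {server: names for server, names in polls.items() if len(names) > 1}


def find_duplicate_events(events):
    """Group events by (origin firewall, timestamp, payload) and return only the
    groups that were delivered through more than one log source. This is the
    symptom-side check: it confirms the duplicates come from a second
    subscription rather than from the firewall itself logging twice."""
    seen = defaultdict(set)
    for ev in events:
        seen[(ev["origin"], ev["time"], ev["payload"])].add(ev["log_source"])
    return {key: sorted(sources) for key, sources in seen.items() if len(sources) > 1}


def plan_per_firewall_sources(firewalls, collectors):
    """Build one OPSEC/LEA log source per firewall and assign the firewalls to
    event collectors round-robin, so each collector polls a disjoint set of
    appliances and no address is subscribed to twice."""
    plan = []
    for i, fw in enumerate(firewalls):
        plan.append({
            "name": f"CP-FW-{fw}",
            "protocol": "OPSEC/LEA",
            "lea_server": fw,                      # assumed: polled directly
            "target": collectors[i % len(collectors)],
        })
    return plan


if __name__ == "__main__":
    print("servers polled more than once:", find_duplicate_lea_polls(SAMPLE_LOG_SOURCES))
    print("duplicated events:", len(find_duplicate_events(SAMPLE_EVENTS)))
    plan = plan_per_firewall_sources(["fw-edge-1", "fw-edge-2", "fw-dmz-1"], ["ec-01", "ec-02"])
    for ls in plan:
        print(ls["name"], "->", ls["target"])
    print("servers polled more than once after re-plan:", find_duplicate_lea_polls(plan))
```

Running the script against the constructed data reports the one management server polled by two log sources, the two event groups that arrived twice, and a per-firewall plan in which the re-run configuration check comes back empty. The trade-off the technote notes still applies: one log source per firewall is more objects to maintain, so keeping a generated plan like this under version control makes later additions easier to review.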
Document Information
Modified date: 31 March 2020
UID: ibm10725925