Check Point Quantum Firewall integration
You can integrate Check Point Quantum Firewall with Sophos Central so that it sends audit data to Sophos for analysis.
This page gives you an overview of the integration.
Check Point Quantum Firewall product overview
Check Point's Quantum Firewall is an integrated security solution designed to provide threat protection across the IT infrastructure. It uses real-time threat intelligence and prevention technologies to protect networks against both known and emerging threats.
Sophos documents
Integrate Check Point Quantum Firewall
What we ingest
Sample alerts seen by Sophos:
Streaming Engine: TCP anomaly detected
Malformed Packet
SSL Enforcement Violation
Backdoor.WIN32.Zegost.A
Trojan.Win32.HackerDefender.A
Malware.TC.268bRWCT
Phishing.RS.TC.29f5jdTi
SYN Attack
Virus.WIN32.Sality.DY
Microsoft Exchange Server Remote Code Execution
Network Denial of Service Based Attack Detected on Connection
Nostromo Web Server Directory Traversal (CVE-2019-16278)
Filtering
We filter messages as follows:
- We only ALLOW alerts that use valid Common Event Format (CEF).
Sample threat mappings
We use one of these fields to determine the alert type, depending on the alert classification and the fields it includes.
cef.deviceEventClassID
cef.name
msg
product
"value": "=>
  is(fields.product, 'SmartDefense') && !isEmpty(fields.flexString2) && !isEmpty(fields.flexString2Label) && is(fields.flexString2Label, 'Attack Information') && !is(fields.flexString2, 'Other')
    ? searchRegexList(fields.flexString2, [_.referenceValues.code_translation.regex_alert_type, _.globalReferenceValues.code_translation.regex_alert_type])
      ? searchRegexList(fields.flexString2, [_.referenceValues.code_translation.regex_alert_type, _.globalReferenceValues.code_translation.regex_alert_type])
      : fields.flexString2
  : is(fields.product, 'Application Control')
    ? cef.deviceEventClassID
  : is(fields.product, 'New Anti Virus') && !isEmpty(fields.flexString2) && !isEmpty(fields.flexString2Label) && is(fields.flexString2Label, 'Malware Action') && !is(fields.flexString2, 'Other')
    ? fields.flexString2
  : is(fields.product, 'Anti Malware') && !isEmpty(fields.flexString2) && !isEmpty(fields.flexString2Label) && is(fields.flexString2Label, 'Malware Action') && !is(fields.flexString2, 'Other')
    ? fields.flexString2
  : is(fields.product, 'New Anti Virus') && !isEmpty(fields.flexString2) && !isEmpty(fields.flexString2Label) && is(fields.flexString2Label, 'Malware Action') && is(fields.flexString2, 'Other')
    ? cef.name
  : is(fields.product, 'Anti Malware') && !isEmpty(fields.flexString2) && !isEmpty(fields.flexString2Label) && is(fields.flexString2Label, 'Malware Action') && is(fields.flexString2, 'Other')
    ? cef.name
  : !isEmpty(fields.msg)
    ? searchRegexList(fields.msg, [_.referenceValues.code_translation.regex_alert_type, _.globalReferenceValues.code_translation.regex_alert_type])
      ? searchRegexList(fields.msg, [_.referenceValues.code_translation.regex_alert_type, _.globalReferenceValues.code_translation.regex_alert_type])
      : fields.msg
  : !isEmpty(fields.product)
    ? fields.product
  : undefined"
Sample mappings:
{"alertType": "Extracted files name: NAME Extracted files type: TYPE Extracted files sha1: SHA Extracted files verdict: VERDICT", "threatId": "T1598.002", "threatName": "Spearphishing Attachment"}
{"alertType": "Gallery search engine cross-site scripting", "threatId": "T1189", "threatName": "Drive-by Compromise"}
{"alertType": "Address spoofing", "threatId": "T1036", "threatName": "Masquerading"}
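The CEF-only filter, the alert-type selection expression and the sample mappings above, worked through end to end as an added Python example. This is not Sophos's or Check Point's code: it parses CEF lines, drops anything that is not valid CEF, ports the selection expression branch by branch, and looks the result up in the sample mapping table. The regex list standing in for code_translation.regex_alert_type, the use of an extension key named product, and the log lines themselves are constructed assumptions for the example.

```python
import re

# Assumed stand-in for code_translation.regex_alert_type (the real list is not on the page).
# When a pattern matches, the matched text replaces the raw field as the alert type.
ALERT_TYPE_REGEXES = [re.compile(r"CVE-\d{4}-\d{4,}")]

HEADER_KEYS = ("cefVersion", "deviceVendor", "deviceProduct", "deviceVersion",
               "deviceEventClassID", "name", "severity")
# An extension key is a run of key characters followed by '=', at start of the
# extension or after whitespace, so '=' inside a value never starts a new key.
EXT_KEY = re.compile(r"(?:^|\s)([A-Za-z0-9_.]+)=")


def parse_cef(line):
    """Return header + extension fields as a dict, or None if the line is not valid CEF."""
    if not line.startswith("CEF:"):
        return None
    # Header fields are separated by unescaped pipes; the 8th part is the extension.
    parts = re.split(r"(?<!\\)\|", line[4:], maxsplit=7)
    if len(parts) < 7 or not parts[0].isdigit():
        return None
    fields = {k: v.replace("\\|", "|").replace("\\\\", "\\") for k, v in zip(HEADER_KEYS, parts)}
    ext = parts[7] if len(parts) == 8 else ""
    keys = list(EXT_KEY.finditer(ext))
    for i, m in enumerate(keys):
        end = keys[i + 1].start() if i + 1 < len(keys) else len(ext)
        value = ext[m.end():end].strip()
        fields[m.group(1)] = value.replace("\\=", "=").replace("\\\\", "\\")
    return fields


def search_regex_list(text):
    """First match from the regex list, or None (mirrors the page's searchRegexList)."""
    for rx in ALERT_TYPE_REGEXES:
        m = rx.search(text)
        if m:
            return m.group(0)
    return None


def alert_type(f):
    """Port of the page's selection expression; branch order is preserved."""
    product = f.get("product", "")          # assumption: product arrives as an extension key
    fs2, fs2label = f.get("flexString2", ""), f.get("flexString2Label", "")
    if product == "SmartDefense" and fs2 and fs2label == "Attack Information" and fs2 != "Other":
        return search_regex_list(fs2) or fs2
    if product == "Application Control":
        return f.get("deviceEventClassID")
    if product in ("New Anti Virus", "Anti Malware") and fs2 and fs2label == "Malware Action":
        return f["name"] if fs2 == "Other" else fs2   # 'Other' falls back to cef.name
    msg = f.get("msg", "")
    if msg:
        return search_regex_list(msg) or msg
    return product or None


# Only the three sample mappings shown on the page.
THREAT_MAP = {
    "Gallery search engine cross-site scripting": ("T1189", "Drive-by Compromise"),
    "Address spoofing": ("T1036", "Masquerading"),
}


def classify(line):
    """Filter, select the alert type, then map it; None means the line was filtered out."""
    fields = parse_cef(line)
    if fields is None:
        return None
    atype = alert_type(fields)
    threat_id, threat_name = THREAT_MAP.get(atype, (None, None))
    return {"alertType": atype, "threatId": threat_id, "threatName": threat_name}


# Constructed sample lines (not captured from a real gateway).
SAMPLES = [
    "CEF:0|Check Point|VPN-1 & FireWall-1|R81|Gallery search engine cross-site scripting|Gallery search engine cross-site scripting|8|product=SmartDefense flexString2Label=Attack Information flexString2=Gallery search engine cross-site scripting src=198.51.100.7 dst=203.0.113.10",
    "CEF:0|Check Point|VPN-1 & FireWall-1|R81|IPS|Nostromo Web Server Directory Traversal|9|product=SmartDefense flexString2Label=Attack Information flexString2=Nostromo Web Server Directory Traversal (CVE-2019-16278) src=198.51.100.8",
    "CEF:0|Check Point|VPN-1 & FireWall-1|R81|Anti Malware|Trojan.Win32.HackerDefender.A|9|product=Anti Malware flexString2Label=Malware Action flexString2=Other src=10.0.0.5",
    "CEF:0|Check Point|VPN-1 & FireWall-1|R81|Firewall|Address spoofing|5|product=VPN-1 & FireWall-1 msg=Address spoofing src=10.0.0.9",
    "<134>Nov  3 10:00:00 gw1 fw: drop src=10.0.0.1 dst=10.0.0.2",
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(classify(line))
```

The last sample is syslog rather than CEF, so it never reaches the mapping stage; the Anti Malware line shows the 'Other' fallback to the CEF name, which has no entry in the sample table and so carries no threatId.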