Skip to content
Find out how we support MDR.

Check Point Quantum Firewall

Log collector

You must have the Firewall integrations license pack to use this feature.

You can integrate Check Point Quantum Firewall with Sophos Central so that it sends audit data to Sophos for analysis.

This integration uses a log collector hosted on a virtual machine (VM). Together they're called an appliance. The appliance receives third-party data and sends it to the Sophos Data Lake.

Note

You can add multiple Quantum Firewalls to the same Sophos appliance.

To do this, set up your Quantum Firewall integration in Sophos Central, then configure one firewall to send logs to it. Then configure your other Quantum firewalls to send logs to the same Sophos appliance.

You don't have to repeat the Sophos Central part of the setup.

The key steps are as follows:

  • Configure an integration for this product. This configures an image to use on a VM.
  • Download and deploy the image on your VM. This becomes your appliance.
  • Configure Quantum Firewall to send data to the appliance.

Requirements

Appliances have system and network access requirements. To check that you meet them, see Appliance requirements.

Configure an integration

To integrate Quantum Firewall with Sophos Central, do as follows:

  1. In Sophos Central, go to Threat Analysis Center > Integrations > Marketplace.
  2. Click Check Point Quantum Firewall.

    The Check Point Quantum Firewall page opens. You can configure integrations here and see a list of any you've already configured.

  3. In Data Ingest (Security Alerts), click Add Configuration.

    Note

    If this is the first integration you've added, we'll ask for details about your internal domains and IPs. See My domains and IPs.

Configure the VM

In Integration setup steps you configure a VM as an appliance to receive data from Quantum Firewall. You can use an existing VM, or create a new one.

To configure the VM, do as follows:

  1. Add a name and description for the new integration.
  2. Enter a name and description for the appliance.

    If you've already set up a Sophos appliance, you can choose it from a list.

  3. Select the virtual platform. Currently we support VMware ESXi 6.7 Update 3 or later and Microsoft Hyper-V 6.0.6001.18016 (Windows Server 2016) or later.

  4. Specify the IP settings for the Internet-facing network ports. This sets up the management interface for the VM.

    • Select DHCP to assign the IP address automatically.

      Note

      If you select DHCP, you must reserve the IP address.

    • Select Manual to specify network settings.

  5. Select the Syslog IP version and enter the Syslog IP address.

    You'll need this syslog IP address later, when you configure Quantum Firewall to send data to your appliance.

  6. Select a Protocol.

    You must use the same protocol when you configure Quantum Firewall to send data to your appliance.

  7. Click Save.

    We create the integration and it appears in your list.

    In the integration details, you can see the port number for the appliance. You'll need this later when you configure Quantum Firewall to send data to it.

    It might take a few minutes for the VM image to be ready.

Deploy the VM

Restriction

If you're using ESXi, the OVA file is verified with Sophos Central, so it can only be used once. If you have to deploy another VM, you must create an OVA file again in Sophos Central.

Use the VM image to deploy the VM. To do this, do as follows:

  1. In the list of integrations, in Actions, click the download action for your platform, for example Download OVA for ESXi.
  2. When the image download finishes, deploy it on your VM. See Deploy a VM for integrations.

Configure Quantum Firewall

Now go to Quantum Firewall and configure the Check Point Log Exporter to send audit data to us.

You can do this using the command line interface (CLI), or the SmartConsole.

Use CLI

To configure Log Exporter using CLI commands, use the cp_log_export command on the log server.

The syntax is as follows:

cp_log_export add name <name> [domain-server <domain-server>] target-server <target-server IP/host name> target-port <target-port> protocol <(udp|tcp)> format <(cef)|(syslog)> [optional arguments]

  1. Before you run the command, configure it with the following information:

    • In MDS or MLM mode the domain-server argument is required. Configure it as follows:

      • Use mds as the value for domain-server to export MDS level audit logs.
      • Use all as the value for domain-server to configure the integration on every domain.
    • The domain-server IP address or name configures the integration on a specific domain. Target-server can use the IP address or DNS name.

      This creates a new target directory with the unique name specified in name, under $EXPORTERDIR/targets/<deployment_name>.

    • Set the following target-server parameters to the connection details for your Sophos appliance:

      • IP Address
      • Port
      • Protocol

        You must enter the same IP address, port and protocol settings you entered in Sophos Central when you added the integration.

    • We recommend you set format to cef.

  2. Run the add name command.

  3. To start the new log exporter with the new parameters run cp_log_export restart. It doesn't start automatically.

For more details on the cp_log_export command, see Log Exporter - Basic Deployment.

Your Quantum Firewall data should appear in the Sophos Data Lake after validation.

Use SmartConsole

To configure Log Exporter using SmartConsole, see the Check Point Logging and Monitoring Administration Guide. See Logging and Monitoring Administration Guide.