Skip to content
Find out how we support MDR.

Check Point Quantum Firewall

Log collector

Reports security issues in data on an enterprise's cloud, network, or mobiles.

You can integrate Check Point Quantum Firewall with Sophos Central so that it sends audit data to Sophos for analysis.

This integration uses a log collector on a virtual machine (VM). The log collector receives third-party data and sends it to the Sophos Data Lake.

Note

A VM can host integrations for multiple products, but can't host more than one integration of the same product.

The key steps are as follows:

  • Add an integration for this product. This configures an Open Virtual Appliance (OVA) file.
  • Deploy the OVA file on your ESXi server. This becomes your log collector.
  • Configure Quantum Firewall to send data to the log collector.

Add an integration

To integrate Quantum Firewall with Sophos Central, do as follows:

  1. In Sophos Central, go to Threat Analysis Center and click Integrations.
  2. Click Check Point Quantum Firewall.

    If you've already set up connections to Quantum Firewall, you see them here.

  3. Click Add integration.

    Note

    If this is the first integration you've added, we'll ask for details about your internal domains and IPs. See My domains and IPs.

Configure the VM

In Integration steps you configure a VM to receive data from Quantum Firewall. You can use an existing VM, or create a new one.

To configure the VM, do as follows:

  1. Add a name and description for the new integration.
  2. Enter a name and description for the VM.
  3. Select the virtual platform. (Currently we only support VMware).
  4. Specify the internet-facing network ports.

    • Select DHCP to assign the IP address automatically.

      Note

      If you select DHCP, you must reserve the IP address.

    • Select Manual to specify network settings.

    You'll need the VM's address later, when you configure Quantum Firewall to send data to it.

  5. Select a Protocol.

  6. Complete any remaining fields on the form.
  7. Click Save.

    We create the integration and it appears in your list. It may take a few minutes for the OVA file to be ready for download.

Deploy the VM

Restriction

The OVA file is verified with Sophos Central, so it can only be used once. After it's been deployed, it can't be used again.

If you have to deploy a new VM, you must do all these steps again to link this integration to Sophos Central.

Use the OVA file to deploy the VM. To do this, do as follows:

  1. In the list of integrations, in Actions, click Download OVA.
  2. When the OVA file download finishes, deploy it on your ESXi server. An assistant guides you through the steps. See Deploy a VM for integrations.

When you've deployed the VM, the integration shows as Connected.

Configure Quantum Firewall

Now go to Quantum Firewall and configure the Check Point Log Exporter to send audit data to us.

You can do this using the command line interface (CLI), or the SmartConsole.

Use CLI

To configure Log Exporter using CLI commands, use the cp_log_export command on the log server.

The syntax is as follows:

cp_log_export add name <name> [domain-server <domain-server>] target-server <target-server IP/host name> target-port <target-port> protocol <(udp|tcp)> format <(syslog)|(cef)|(splunk)|(logrhythm)|(generic)> [optional arguments]

  1. Before you run the command, configure it with the following information:

    • In MDS or MLM mode the domain-server argument is required. Configure it as follows:

      • Use mds as the value for domain-server to export MDS level audit logs.
      • Use all as the value for domain-server to configure the integration on every domain.
    • Use the domain-server IP address or name to configure the integration on a specific domain. Target-server can use the IP address or DNS name.

      This creates a new target directory with the unique name specified in name, under $EXPORTERDIR/targets/<deployment_name>.

    • Set the following target-server parameters to the connection details for your Sophos log collector:

      • IP Address
      • Port
      • Protocol
      • Format
      • Read-mode.
  2. Run the add name command.

  3. To start the new log exporter with the new parameters run cp_log_export restart. It doesn't start automatically.

Your Quantum Firewall data should appear in the Sophos Data Lake after validation.

Use SmartConsole

To configure Log Exporter using SmartConsole, see the Check Point Logging and Monitoring Administration Guide. See Logging and Monitoring Administration Guide.