USM Anywhere™

CheckPoint FW1 R77.30

When you configure Check Point Firewall-1 to send log data to USM Anywhere, you can use the CheckPoint FW1 R77.30 plugin to translate raw log data into normalized events for analysis. The table below provides some basic information for the plugin:

Plugin Information
Device Details
Vendor Check Point
Device Type Firewall
Connection Type Syslog

Integrating Check Point Firewall-1

Before you configure the Check Point Firewall-1 integration, you must have the IP Address of the USM Anywhere Sensor and the firewall must have the Add-On Package R77.30 installed.

Note: This procedure does not support the Provider-1 / Multi-Domain Server.

To configure Check Point Firewall-1 to send data to USM Anywhere

  1. On the Check Point appliance, back up the current /etc/syslog.conf script:

    cp /etc/syslog.conf /etc/syslog.conf_ORIGINAL

  2. Edit the current /etc/syslog.conf script by adding the following line: @<IP address of the USM Anywhere Sensor>

    Note: Press TAB after

  3. Save your configuration edits and close the file.

  4. Back up the /etc/rc.d/init.d/cpboot script, and edit the current version of /etc/rc.d/init.d/cpboot by adding the following line at the bottom of the script:

    fw log -f -t -n -l 2> /dev/null | awk 'NF' | logger –p -t CP_FireWall &


    & = run command in the background. If & is not included, the operating system stops before loading the syslogd service. No login prompt then appears at the console.

    For help on available flags, enter:

    fw log --help

  5. Save the configuration edits and close the file.
  6. Restart the machine.

    Important: Restarting the Check Point services with the cpstop;cpstart commands does not suffice. Only a restart achieves the desired result.

Plugin Enablement

For plugin enablement information, see Adding AlienApps to an Asset.

Available Plugin Fields

The following plugin fields are important attributes extracted from the syslog message. The USM Anywhere reports use these fields, and you can also reference them when creating custom reports. In addition to reporting, the USM Anywhere correlation rules make use of these fields.

  • access_control_outcome
  • customfield_0
  • destination_address
  • destination_hostname
  • destination_ntdomain
  • destination_port
  • event_name
  • event_outcome
  • event_severity
  • file_path
  • rep_device_inbound_interface
  • rep_device_mac
  • session
  • source_address
  • source_hostname
  • source_port
  • source_process
  • source_process_commandline
  • source_userid
  • source_username
  • timestamp_occured
  • timestamp_received
  • transport_protocol


For troubleshooting, refer to the vendor documentation: