Check Point Collection: Step 4. Verify Collection Is Working

Document created by RSA Information Design and Development on Mar 23, 2017. Last modified by RSA Information Design and Development on May 4, 2017.
Version 4

This topic tells you what to check in Security Analytics to verify that you have configured Check Point Collection correctly.


Verify that Check Point Collection is configured correctly; otherwise, collection will not work.

Procedure

The following figure illustrates how you can verify that Check Point collection is working from the Administration > Health & Wellness > Event Source Monitoring tab.

CPESVerify.png

1. Access the Event Source Monitoring tab from the Administration > Health & Wellness view.
2. Find checkpointfw1 in the Event Source Type column.
3. Look for activity in the Count column to verify that Check Point collection is accepting events.

The following figure illustrates how you can verify that Check Point collection is working from the Investigation > Events view.

VerfiyNtflwInvest1.png

1. Access the Investigation > Events view.
2. Select the Log Decoder (for example, LD1) collecting Check Point events in the Investigate a Device dialog.

CPESVerify2.png

3. Look for a Check Point event source parser (for example, checkpointfw1) in the device.type field in the Details column to verify that Check Point collection is accepting events.

Note: If the logs from the VSX Check Point firewall server are collected by the Log Collector checkpoint service, you must add the VSX hostname and the VSX IP address to the /etc/hosts file on the Log Collector so that the VSX IP in the logs is translated to ip.orig meta.
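
One way to apply the /etc/hosts step from the note above without creating duplicate or conflicting mappings, as an added example (not RSA's own tooling). The hostname vsx-gw01 and the address 192.0.2.10 are constructed placeholders, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: idempotently map a VSX hostname to its IP in a hosts file.
# vsx-gw01 / 192.0.2.10 are constructed placeholders, not values from the guide.

# hosts_lookup FILE NAME
# Prints the IP that FILE maps NAME to (first match, case-insensitive,
# comments ignored). Exit status 1 when NAME is not mapped.
hosts_lookup() {
    awk -v name="$2" '
        { sub(/#.*/, "") }    # strip comments; awk re-splits the fields
        { for (i = 2; i <= NF; i++)
              if (tolower($i) == tolower(name)) { print $1; found = 1; exit } }
        END { exit (found ? 0 : 1) }
    ' "$1"
}

# ensure_hosts_entry FILE IP NAME
# Prints "added", "present", "conflict:<existing ip>" or "invalid".
# Returns 0 for added/present, 1 for conflict/invalid (file left untouched).
ensure_hosts_entry() {
    he_file=$1; he_ip=$2; he_name=$3
    # Basic IPv4 and hostname shape checks so a typo never reaches the file.
    printf '%s\n' "$he_ip" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' \
        || { echo invalid; return 1; }
    printf '%s\n' "$he_name" | grep -Eq '^[A-Za-z0-9]([A-Za-z0-9.-]*[A-Za-z0-9])?$' \
        || { echo invalid; return 1; }
    if he_cur=$(hosts_lookup "$he_file" "$he_name"); then
        if [ "$he_cur" = "$he_ip" ]; then echo present; return 0; fi
        # A stale mapping would resolve the VSX name to the wrong address.
        echo "conflict:$he_cur"; return 1
    fi
    printf '%s\t%s\n' "$he_ip" "$he_name" >> "$he_file"
    echo added
}

# Demo on a constructed copy. On the Log Collector the target file is
# /etc/hosts and the call must run as root.
demo_hosts=$(mktemp)
printf '127.0.0.1\tlocalhost\n' > "$demo_hosts"
ensure_hosts_entry "$demo_hosts" 192.0.2.10 vsx-gw01            # added
ensure_hosts_entry "$demo_hosts" 192.0.2.10 vsx-gw01            # present
ensure_hosts_entry "$demo_hosts" 192.0.2.99 vsx-gw01 || true    # conflict:192.0.2.10
rm -f "$demo_hosts"
```

A conflict result means the hosts file already maps the VSX hostname to a different address; resolve that entry by hand rather than appending a second one.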
