In The INVESTIGATE->Events page applying query device.type=checkpointfw1 && device.class !exists shows unparsed CEF logs as below.
Go to LogDecoder->Config->Parser Mappings shows checkpoint device.ip mapped to checkpointfw1. Deleting this entry makes the parsing issue solved. But, parser mapping reappears back after some time, and logs are parsed again.
This is due to the automap feature maps the checkpoint device.ip with checkpointfw1 parser. Generally, CEF logs are parsed with cef parser.
Follow below steps to disable automap permanently.
Note: These steps permanently disable the future ESM Discovery to map device.ip with device.type automatically in ADMIN->Event Sources.
Log in to NwServer(Node0) putty to add below lines to /usr/lib/systemd/system/rsa-sms.service file. ExecStartPost=/usr/bin/sleep 30 ExecStartPost=/opt/rsa/sms/bin/automap -off