Configure Check Point Quantum NGFW SmartConsole to send logs to Arctic Wolf

You can configure Check Point Quantum® using the SmartConsole to send the necessary logs to Arctic Wolf® for security monitoring.

These resources are required:

  • Check Point NGFW and NGTP software bundles
  • An activated Arctic Wolf Sensor
  • Access to the Gaia Portal with administrator permissions
  • Access to the SmartConsole

Configure system logging

  1. Sign in to the Gaia Portal with administrator permissions using the format https://Gaia_ip_address.
  2. In the navigation menu, click System Management > System Logging.
  3. In the System Logging section, select these checkboxes:
    • Send Syslog messages to management server
    • Send audit logs to management server upon successful configuration
  4. Click Apply.

Configure log export

  1. Sign in to the SmartConsole.
  2. Click the Objects tab.
  3. Click Network Objects > Gateways and Servers.
  4. In the Gateways and Servers section, click the relevant Management Server.
    For example, click CPQ-SMS.
  5. In the General Properties section, click Logs > Export.
  6. In the table, select the relevant Syslog/SIEM server.
  7. In the General section, configure these settings:
    • Target Server — Enter the IP address of the Arctic Wolf Sensor.
    • Target Port — Enter 514.
    • Protocol — Select UDP.
  8. In the Data Manipulation section, configure these options:
    • Format — Select Syslog.
    • Select the Aggregate log updates before export checkbox.
  9. Click OK.
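
To confirm that the export settings above produce syslog-framed datagrams over UDP before you rely on them, you can temporarily point the Target Server at a test host that runs a one-shot listener. This is an added example, not code from Arctic Wolf or Check Point. The test host, the function names, and the sample payloads are assumptions, and the payloads are constructed generic syslog, not captured Check Point output.

```python
import re
import socket

# PRI header shared by RFC 3164 and RFC 5424: "<N>", N = facility * 8 + severity.
# RFC 5424 follows it with a version number and a space; RFC 3164 does not.
_PRI = re.compile(rb"^<(\d{1,3})>(\d{1,2} )?")


def classify_datagram(data: bytes) -> dict:
    """Check that one UDP payload starts with a valid syslog PRI header."""
    m = _PRI.match(data)
    if not m or int(m.group(1)) > 191:
        return {"valid": False, "reason": "missing or out-of-range PRI"}
    pri = int(m.group(1))
    return {
        "valid": True,
        "facility": pri >> 3,
        "severity": pri & 7,
        "framing": "rfc5424" if m.group(2) else "rfc3164",
    }


def receive_once(bind_addr="0.0.0.0", port=514, timeout=30.0):
    """Wait for one datagram; return its source and parse result, or None.

    Binding to port 514 normally requires root/administrator rights.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.bind((bind_addr, port))
        try:
            data, (src_ip, _src_port) = sock.recvfrom(65535)
        except socket.timeout:
            # UDP gives the sender no error, so silence here is the only signal.
            return None
        return {"source": src_ip, "bytes": len(data), **classify_datagram(data)}


if __name__ == "__main__":
    # Constructed payloads (generic syslog, not captured Check Point output).
    samples = [
        b"<134>1 2024-01-01T00:00:00Z mgmt-host app - - - constructed test",
        b"<34>Oct 11 22:14:15 mgmt-host app: constructed test",
        b"not syslog at all",
    ]
    for s in samples:
        print(classify_datagram(s))
```

A `None` result from `receive_once()` means nothing arrived within the timeout, which points to routing or a firewall rule between the management server and the target rather than to the export format.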

Provide configuration information to Arctic Wolf

  1. Sign in to the Arctic Wolf Unified Portal.
  2. In the navigation menu, click Tickets & Alerts > All Tickets.
  3. Perform the appropriate action, depending on whether you are:
    • A new customer — In the Ticket Type list, select Onboarding. Then, click the existing [Deploy] Site Config: <ticket_subject> ticket.
    • An existing customer — Click Open a New Ticket.
  4. On the Open a New Ticket page, configure these settings:
    • What is this ticket related to? — Select General request.
    • Subject — Enter Syslog changes.
    • Related ticket (optional) — Keep empty.
    • Message — Enter this information for your Concierge Security® Team (CST):
      • Confirmation that you completed the steps in this configuration guide.
      • The IP address or hostname of the Arctic Wolf Sensor that you used during the configuration.
      • The IP address, timezone, and device type for all sources that you are forwarding.
      • Questions or comments that you have.
  5. Click Send Message.

    Your CST reviews the details to make sure that Arctic Wolf is successfully processing the logs.