Logs and events correlation for your NGFWs
What do you like best?
1. The Check Point SmartEvent Event Management software blade is easy to configure. For the management server software version R80.10 and above, the configuration is performed from the unified Smart Console. After just a few clicks the blade is activated, with a bunch of the useful pre-defined rules, which led us to the second point:
2. A lot of the built-in, predefined event categories and types present after the blade activation. You don't have to be the SIEM expert to make use of the logs correlation. Check Point concentrated the are knowledge to the reusable rules available by default.
3. Great visibility and alerting capabilities. E.g. while using the Smart Console, you may see the live SmartEvent correlation events in parallel with the Firewall and VPN blade log events in the real time.
What do you dislike?
If you have a huge number of the security events/logs and are trying to find the correlation with the help of SmartEvent blade, it may impact the performance of your Check Point management server.
In such a case it's better to perform the distributed installation, but:
1. That requires additional licenses for Check Point management servers.
2. Requires additional compute resources (more a problem for hardware installations; for OpenServer you could always give more CPU/RAM to the Virtual Machine).
So, plan it carefully in advance.
Recommendations to others considering the product:
Estimate the number of security events needed to be analyzed before purchasing the licenses for management servers - may be you will need to perform the distributed installation.
What problems are you solving with the product? What benefits have you realized?
In our company we use the Check Point Next Generation Firewalls (NGFW) with a bunch of software blades to protect the edges of our offices. The NGFWs produce a numbers of security logs every second, for every connection passing through it. As per many security regulations (e.g. our company must comply with ISO 27001 and PCI DSS), all the firewall logs and event must be stored, analyzed and correlated to find additional threats, which are not seen by standalone blade checks. The Check Point SmartEvent Event Management software blade lets us to do all these tasks in one place, and without purchasing the additional products from the 3rd party vendors. It serves as SIEM solution quite well - the security events are checked on the Correlation Units, and the activity is reported directly to the unified Check Point SmartConsole in the real time. Our support team constantly monitors the alarms triggered, serving as a basic Security Operations Center with zero additional costs for the software.
