Import pfsense syslog in Check Point

I wrote the manual code to import as much as possible from the syslog output of a pfsense 2.2 gateway into a Check Point firewall.

The code is based on the sk55020 article in Check Point Secure Knowledge and the pfsense 2.2 filter log format article.

It also requires a good understanding of the available log fields in Chekc Point and the best source for that is the SDK. You can find that in sk63026 and LEA Fields Update Document

Be warned that this may break your system if you make an error in the code and don’t know how to understand the Inspect code.

I named the file PFsense2.C but any name you like would propably do the trick.

You need to add the addParsingFile file to the proper directory as listed in sk55020
You should then execute it as: addParsingFile -p PFsense2.C -d PFsense_dict.ini

Then restart your Smart Center as instructed.

You can see the added Syslog parser(s) in $FWDIR/conf/syslog/UserDefined/UserDefinedSyslogDevices.C
and the dictionary file in $FWDIR/conf/syslog/UserDefined/UserDefinedSyslogDictionaries.C

This works on MDS domains and normal SmartCenters. For MDS domains just make sure you use mdsenv correctly before you add the parser.

A sample of the INSPECT code:

(       # Copyright 2015, Hugo van der Kooij
        # Format based on description on https://doc.pfsense.org/index.php/Filter_Log_Format_for_pfSense_2.2
        :cmd_name (try)
        :parse_from  (last_position)
        :regexp (filterlog:)
        :add_field (
                :type (const)
                :field_name (product)
                :field_type (string_id)
                :field_value (PFsense2)
        )
        :on_success (
                :command (
                        :cmd_name (try)
                        :parse_from (start_position)
                        :regexp (".*filterlog:\s+(\d+),(\d+),(\w*),(\d+),(\w+),(\w+),(\w+),(\w+)")
                        # integer       Rule number
                        # integer       Sub rule number
                        # string?       Anchor
                        # integer       Tracker
                        # string        Interface (OS name)
                        :add_field (
                                :type (index)
                                :field_name (ifname)
                                :field_type (ifname)
                                :field_index (5)
                                :comment ("Interface (OS name)")
                        )
                        # string        Reason
                        # string        Action
                        :add_field (
                                :type (index)
                                :field_name (action)
                                :field_type (action)
                                :field_index (7)
                                :dict_name (PFsense_action)
                                :comment ("Action")
                        )
                        # string        Direction
                        :add_field (
                                :type (index)
                                :field_name (ifdir)
                                :field_type (ifdir)
                                :field_index (8)
                                :dict_name (PFsense_interface_dir)
                                :comment ("Interface direction")
                        )
                        # integer       IP version (4 = IPv4, 6 = IPv6)
                        :on_success (
                                :command (
                                        :cmd_name (group_try)
                                        :mode (try_until_success)
                                        : ( # IPv4
                                        )
                                        : ( # IPv6
                                        )
                                )
                        ) 
                )       
        )                       
)

The trick is in adding this code to your Smart Center.