From 835eb057614362128b2aeeab266d41d7ab2f9703 Mon Sep 17 00:00:00 2001 From: Marius Iversen Date: Wed, 9 Jun 2021 16:32:02 +0200 Subject: [PATCH] [Checkpoint] updating checkpoint package to ECS 1.10.0 (#1033) * updating checkpoint package to ECS 1.10.0 * updating changelog and adding menu entris * updating UI file * updating changelog and manifest * adding last changes and making ready for review * format files * linting
---
 packages/checkpoint/changelog.yml | 5 + .../pipeline/test-checkpoint-with-time.log | 1 + .../test-checkpoint-with-time.log-config.yml | 2 - ...est-checkpoint-with-time.log-expected.json | 122 ++- .../pipeline/test-checkpoint.log-config.yml | 2 - .../test-checkpoint.log-expected.json | 803 +++++++++++------- .../_dev/test/pipeline/test-common-config.yml | 5 + .../firewall/agent/stream/log.yml.hbs | 49 +- .../firewall/agent/stream/tcp.yml.hbs | 32 +- .../firewall/agent/stream/udp.yml.hbs | 50 +- .../elasticsearch/ingest_pipeline/default.yml | 20 +- .../data_stream/firewall/fields/fields.yml | 6 + .../data_stream/firewall/manifest.yml | 78 ++ packages/checkpoint/docs/README.md | 3 +- packages/checkpoint/manifest.yml | 29 +- 15 files changed, 774 insertions(+), 433 deletions(-) delete mode 100644 packages/checkpoint/data_stream/firewall/_dev/test/pipeline/test-checkpoint-with-time.log-config.yml delete mode 100644 packages/checkpoint/data_stream/firewall/_dev/test/pipeline/test-checkpoint.log-config.yml create mode 100644 packages/checkpoint/data_stream/firewall/_dev/test/pipeline/test-common-config.yml
diff --git a/packages/checkpoint/changelog.yml b/packages/checkpoint/changelog.yml
index 4cd96e53c2a..9ea65623099 100644
--- a/packages/checkpoint/changelog.yml
+++ b/packages/checkpoint/changelog.yml
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "0.6.0"
+ changes:
+ - description: update to ECS 1.10.0 and syncing module changes
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/1033
 - version: "0.5.2"
 changes:
 - description: update to ECS 1.9.0
diff --git a/packages/checkpoint/data_stream/firewall/_dev/test/pipeline/test-checkpoint-with-time.log b/packages/checkpoint/data_stream/firewall/_dev/test/pipeline/test-checkpoint-with-time.log
index c2a7b014e15..afa04893969 100644
--- a/packages/checkpoint/data_stream/firewall/_dev/test/pipeline/test-checkpoint-with-time.log
+++ b/packages/checkpoint/data_stream/firewall/_dev/test/pipeline/test-checkpoint-with-time.log
@@ -1 +1,2 @@
 <134>1 2020-03-30T07:20:35Z gw-da58d3 CheckPoint 7776 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e819dc3,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; time:"1594646954"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"192.168.1.153"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"43103"; service:"514"; service_id:"syslog"; src:"192.168.1.100"]
+<134>1 2021-05-05T12:27:09Z cp-m CheckPoint 1231 - [action:"Drop"; flags:"278528"; ifdir:"inbound"; ifname:"bond1.3999"; loguid:"{0x60928f1d,0x8,0x40de101f,0xfcdbb197}"; origin:"127.0.0.1"; originsicname:"CN=CP,O=cp.com.9jjkfo"; sequencenum:"62"; time:"1620217629"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={F6212FB3-54CE-6344-9164-B224119E2B92};mgmt=cp-m;date=1620031791;policy_name=CP-Cluster]"; action_reason:"Dropped by multiportal infrastructure"; dst:"1.1.1.1"; product:"VPN & FireWall"; proto:"6"; s_port:"52780"; service:"80"; src:"1.1.1.1"]
\ No newline at end of file
diff --git a/packages/checkpoint/data_stream/firewall/_dev/test/pipeline/test-checkpoint-with-time.log-config.yml b/packages/checkpoint/data_stream/firewall/_dev/test/pipeline/test-checkpoint-with-time.log-config.yml
deleted file mode 100644
index c39dc386179..00000000000
--- a/packages/checkpoint/data_stream/firewall/_dev/test/pipeline/test-checkpoint-with-time.log-config.yml
+++ /dev/null
@@ -1,2 +0,0 @@
-dynamic_fields:
- event.ingested: ".*"
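Review bot: The added sample line is not newline-terminated (the new side ends with `\ No newline at end of file`), so the next sample appended to this fixture will be fused onto this line and this line will show as modified again in that diff; terminate the file with a newline. The sample itself is a useful addition, since the with-time fixture previously held only an Accept event and now also exercises a Drop with an `action_reason`.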
diff --git a/packages/checkpoint/data_stream/firewall/_dev/test/pipeline/test-checkpoint-with-time.log-expected.json b/packages/checkpoint/data_stream/firewall/_dev/test/pipeline/test-checkpoint-with-time.log-expected.json index 9afc9c3d4e3..03046ce10ce 100644 --- a/packages/checkpoint/data_stream/firewall/_dev/test/pipeline/test-checkpoint-with-time.log-expected.json +++ b/packages/checkpoint/data_stream/firewall/_dev/test/pipeline/test-checkpoint-with-time.log-expected.json @@ -7,6 +7,26 @@ "rule_action": "Accept", "match_id": "1" }, + "destination": { + "port": 514, + "ip": "192.168.1.153" + }, + "rule": { + "uuid": "1fde807b-6300-4b1a-914f-f1c1f3e2e7d2" + }, + "source": { + "port": 43103, + "ip": "192.168.1.100" + }, + "tags": [ + "preserve_original_event" + ], + "network": { + "name": "Network", + "application": "syslog", + "iana_number": "17", + "direction": "outbound" + }, "observer": { "name": "192.168.1.100", "ingress": { 
@@ -23,26 +43,19 @@ } }, "@timestamp": "2020-07-13T13:29:14.000Z", + "ecs": { + "version": "1.10.0" + }, "related": { "ip": [ "192.168.1.100", "192.168.1.153" ] }, - "destination": { - "port": 514, - "ip": "192.168.1.153" - }, - "rule": { - "uuid": "1fde807b-6300-4b1a-914f-f1c1f3e2e7d2" - }, - "source": { - "port": 43103, - "ip": "192.168.1.100" - }, "event": { "sequence": 1, - "ingested": "2021-04-23T12:52:59.915203905Z", + "ingested": "2021-06-09T09:59:46.801105800Z", + "original": "\u003c134\u003e1 2020-03-30T07:20:35Z gw-da58d3 CheckPoint 7776 - [action:\"Accept\"; flags:\"444676\"; ifdir:\"outbound\"; ifname:\"eth0\"; logid:\"0\"; loguid:\"{0x5e819dc3,0x0,0x353707c7,0xee78a1dc}\"; origin:\"192.168.1.100\"; originsicname:\"cn=cp_mgmt,o=gw-da58d3..tmn8s8\"; sequencenum:\"1\"; time:\"1594646954\"; version:\"5\"; __policy_id_tag:\"product=VPN-1 \u0026 FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\\]\"; dst:\"192.168.1.153\"; inzone:\"Local\"; layer_name:\"Network\"; layer_uuid:\"63b7fe60-76d2-4287-bca5-21af87337b0a\"; match_id:\"1\"; parent_rule:\"0\"; rule_action:\"Accept\"; rule_uid:\"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2\"; outzone:\"External\"; product:\"VPN-1 \u0026 FireWall-1\"; proto:\"17\"; s_port:\"43103\"; service:\"514\"; service_id:\"syslog\"; src:\"192.168.1.100\"]", "kind": "event", "module": "checkpoint", "action": "Accept", 
@@ -55,12 +68,89 @@ "connection" ], "outcome": "success" + } + }, + { + "checkpoint": { + "action_reason_msg": "Dropped by multiportal infrastructure" }, + "destination": { + "geo": { + "continent_name": "Oceania", + "country_name": "Australia", + "location": { + "lon": 143.2104, + "lat": -33.494 + }, + "country_iso_code": "AU" + }, + "as": { + "number": 13335, + "organization": { + "name": "Cloudflare, Inc." + } + }, + "port": 80, + "ip": "1.1.1.1" + }, + "source": { + "geo": { + "continent_name": "Oceania", + "country_name": "Australia", + "location": { + "lon": 143.2104, + "lat": -33.494 + }, + "country_iso_code": "AU" + }, + "as": { + "number": 13335, + "organization": { + "name": "Cloudflare, Inc." + } + }, + "port": 52780, + "ip": "1.1.1.1" + }, + "tags": [ + "preserve_original_event" + ], "network": { - "name": "Network", - "application": "syslog", - "iana_number": "17", - "direction": "outbound" + "iana_number": "6", + "direction": "inbound" + }, + "observer": { + "name": "127.0.0.1", + "ingress": { + "interface": { + "name": "bond1.3999" + } + }, + "product": "VPN \u0026 FireWall", + "type": "firewall", + "vendor": "Checkpoint" + }, + "@timestamp": "2021-05-05T12:27:09.000Z", + "ecs": { + "version": "1.10.0" + }, + "related": { + "ip": [ + "1.1.1.1", + "1.1.1.1" + ] + }, + "event": { + "sequence": 62, + "ingested": "2021-06-09T09:59:46.801132800Z", + "original": "\u003c134\u003e1 2021-05-05T12:27:09Z cp-m CheckPoint 1231 - [action:\"Drop\"; flags:\"278528\"; ifdir:\"inbound\"; ifname:\"bond1.3999\"; loguid:\"{0x60928f1d,0x8,0x40de101f,0xfcdbb197}\"; origin:\"127.0.0.1\"; originsicname:\"CN=CP,O=cp.com.9jjkfo\"; sequencenum:\"62\"; time:\"1620217629\"; version:\"5\"; __policy_id_tag:\"product=VPN-1 \u0026 FireWall-1[db_tag={F6212FB3-54CE-6344-9164-B224119E2B92};mgmt=cp-m;date=1620031791;policy_name=CP-Cluster]\"; action_reason:\"Dropped by multiportal infrastructure\"; dst:\"1.1.1.1\"; product:\"VPN \u0026 FireWall\"; proto:\"6\"; s_port:\"52780\"; 
service:\"80\"; src:\"1.1.1.1\"]", + "kind": "event", + "module": "checkpoint", + "action": "Drop", + "id": "{0x60928f1d,0x8,0x40de101f,0xfcdbb197}", + "category": [ + "network" + ] } } ] diff --git a/packages/checkpoint/data_stream/firewall/_dev/test/pipeline/test-checkpoint.log-config.yml b/packages/checkpoint/data_stream/firewall/_dev/test/pipeline/test-checkpoint.log-config.yml deleted file mode 100644 index c39dc386179..00000000000 --- a/packages/checkpoint/data_stream/firewall/_dev/test/pipeline/test-checkpoint.log-config.yml +++ /dev/null @@ -1,2 +0,0 @@ -dynamic_fields: - event.ingested: ".*" diff --git a/packages/checkpoint/data_stream/firewall/_dev/test/pipeline/test-checkpoint.log-expected.json b/packages/checkpoint/data_stream/firewall/_dev/test/pipeline/test-checkpoint.log-expected.json index cfc43372498..53408b41f25 100644 --- a/packages/checkpoint/data_stream/firewall/_dev/test/pipeline/test-checkpoint.log-expected.json +++ b/packages/checkpoint/data_stream/firewall/_dev/test/pipeline/test-checkpoint.log-expected.json @@ -16,16 +16,23 @@ "vendor": "Checkpoint" }, "@timestamp": "2020-03-29T13:19:20.000Z", + "ecs": { + "version": "1.10.0" + }, "event": { "sequence": 1, - "ingested": "2021-04-23T12:53:00.007228139Z", + "ingested": "2021-06-09T09:59:47.105461100Z", + "original": "\u003c134\u003e1 2020-03-29T13:19:20Z gw-da58d3 CheckPoint 1930 - [flags:\"133440\"; ifdir:\"inbound\"; ifname:\"daemon\"; loguid:\"{0x5e80a059,0x0,0x6401a8c0,0x3c7878a}\"; origin:\"192.168.1.100\"; sequencenum:\"1\"; version:\"5\"; product:\"System Monitor\"; sys_message::\"The eth0 interface is not protected by the anti-spoofing feature. Your network may be at risk\"]", + "kind": "event", + "module": "checkpoint", "id": "{0x5e80a059,0x0,0x6401a8c0,0x3c7878a}", "category": [ "network" - ], - "kind": "event", - "module": "checkpoint" + ] }, + "tags": [ + "preserve_original_event" + ], "network": { "direction": "inbound" } 
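Review bot: The new expected document for the Drop event (the second object in this hunk) ends its `event` object with `"category": ["network"]` and carries no `event.type` and no `event.outcome`, while every Accept document in these fixtures has `"type": ["allowed", "connection"]` and `"outcome": "success"`; if the pipeline (not in this hunk) only maps those for Accept, a dropped connection should map to `"type": ["denied", "connection"]` and `"outcome": "failure"`, otherwise detection rules and dashboards that filter on `event.type` never see denied traffic, and this fixture bakes the gap in as the expected result. The same document also lists `"related": { "ip": ["1.1.1.1", "1.1.1.1"] }`, the same address twice; `related.ip` is meant to be a de-duplicated set, which the pipeline's `append` processor can enforce with `allow_duplicates: false`. Both are pipeline-output issues rather than problems with this generated file, so the fix belongs in `default.yml` with this fixture regenerated afterwards.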
@@ -46,16 +53,23 @@ "vendor": "Checkpoint" }, "@timestamp": "2020-03-29T13:19:21.000Z", + "ecs": { + "version": "1.10.0" + }, "event": { "sequence": 2, - "ingested": "2021-04-23T12:53:00.007235099Z", + "ingested": "2021-06-09T09:59:47.105486500Z", + "original": "\u003c134\u003e1 2020-03-29T13:19:21Z gw-da58d3 CheckPoint 1930 - [flags:\"133440\"; ifdir:\"inbound\"; ifname:\"daemon\"; loguid:\"{0x5e80a059,0x2,0x6401a8c0,0x3c7878a}\"; origin:\"192.168.1.100\"; sequencenum:\"2\"; version:\"5\"; product:\"System Monitor\"; sys_message::\"installed Standard\"]", + "kind": "event", + "module": "checkpoint", "id": "{0x5e80a059,0x2,0x6401a8c0,0x3c7878a}", "category": [ "network" - ], - "kind": "event", - "module": "checkpoint" + ] }, + "tags": [ + "preserve_original_event" + ], "network": { "direction": "inbound" } @@ -67,6 +81,26 @@ "rule_action": "Accept", "match_id": "1" }, + "destination": { + "port": 53, + "ip": "192.168.1.1" + }, + "rule": { + "uuid": "1fde807b-6300-4b1a-914f-f1c1f3e2e7d2" + }, + "source": { + "port": 46915, + "ip": "192.168.1.100" + }, + "tags": [ + "preserve_original_event" + ], + "network": { + "name": "Network", + "application": "domain-udp", + "iana_number": "17", + "direction": "outbound" + }, "observer": { "name": "192.168.1.100", "ingress": { 
@@ -83,26 +117,19 @@ } }, "@timestamp": "2020-03-29T13:19:22.000Z", + "ecs": { + "version": "1.10.0" + }, "related": { "ip": [ "192.168.1.100", "192.168.1.1" ] }, - "destination": { - "port": 53, - "ip": "192.168.1.1" - }, - "rule": { - "uuid": "1fde807b-6300-4b1a-914f-f1c1f3e2e7d2" - }, - "source": { - "port": 46915, - "ip": "192.168.1.100" - }, "event": { "sequence": 1, - "ingested": "2021-04-23T12:53:00.007237129Z", + "ingested": "2021-06-09T09:59:47.105495500Z", + "original": "\u003c134\u003e1 2020-03-29T13:19:22Z gw-da58d3 CheckPoint 1930 - [action:\"Accept\"; flags:\"444676\"; ifdir:\"outbound\"; ifname:\"eth0\"; logid:\"0\"; loguid:\"{0x5e80a05a,0x0,0x60e0fe3b,0xda019994}\"; origin:\"192.168.1.100\"; originsicname:\"cn=cp_mgmt,o=gw-da58d3..tmn8s8\"; sequencenum:\"1\"; version:\"5\"; __policy_id_tag:\"product=VPN-1 \u0026 FireWall-1[db_tag={DF903A6D-B97D-1A4D-A054-2BF3A330CB5A};mgmt=gw-da58d3;date=1585487925;policy_name=Standard\\]\"; dst:\"192.168.1.1\"; inzone:\"Local\"; layer_name:\"Network\"; layer_uuid:\"63b7fe60-76d2-4287-bca5-21af87337b0a\"; match_id:\"1\"; parent_rule:\"0\"; rule_action:\"Accept\"; rule_uid:\"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2\"; outzone:\"Internal\"; product:\"VPN-1 \u0026 FireWall-1\"; proto:\"17\"; s_port:\"46915\"; service:\"53\"; service_id:\"domain-udp\"; src:\"192.168.1.100\"]", "kind": "event", "module": "checkpoint", "action": "Accept", @@ -115,12 +142,6 @@ "connection" ], "outcome": "success" - }, - "network": { - "name": "Network", - "application": "domain-udp", - "iana_number": "17", - "direction": "outbound" } }, { 
@@ -132,28 +153,6 @@ "nat_rulenum": "0", "match_id": "1" }, - "observer": { - "name": "192.168.1.100", - "ingress": { - "zone": "Local" - }, - "product": "VPN-1 \u0026 FireWall-1", - "type": "firewall", - "vendor": "Checkpoint", - "egress": { - "interface": { - "name": "eth0" - }, - "zone": "Internal" - } - }, - "@timestamp": "2020-03-29T13:19:22.000Z", - "related": { - "ip": [ - "192.168.1.100", - "194.29.39.10" - ] - }, "destination": { "geo": { "continent_name": "Asia", 
@@ -186,9 +185,44 @@ "port": 61794, "ip": "192.168.1.100" }, + "tags": [ + "preserve_original_event" + ], + "network": { + "name": "Network", + "application": "https", + "iana_number": "6", + "direction": "outbound" + }, + "observer": { + "name": "192.168.1.100", + "ingress": { + "zone": "Local" + }, + "product": "VPN-1 \u0026 FireWall-1", + "type": "firewall", + "vendor": "Checkpoint", + "egress": { + "interface": { + "name": "eth0" + }, + "zone": "Internal" + } + }, + "@timestamp": "2020-03-29T13:19:22.000Z", + "ecs": { + "version": "1.10.0" + }, + "related": { + "ip": [ + "192.168.1.100", + "194.29.39.10" + ] + }, "event": { "sequence": 2, - "ingested": "2021-04-23T12:53:00.007253178Z", + "ingested": "2021-06-09T09:59:47.105502400Z", + "original": "\u003c134\u003e1 2020-03-29T13:19:22Z gw-da58d3 CheckPoint 1930 - [action:\"Accept\"; flags:\"444676\"; ifdir:\"outbound\"; ifname:\"eth0\"; logid:\"0\"; loguid:\"{0x5e80a05a,0x0,0xbba3afa,0xd2c10858}\"; origin:\"192.168.1.100\"; originsicname:\"cn=cp_mgmt,o=gw-da58d3..tmn8s8\"; sequencenum:\"2\"; version:\"5\"; __policy_id_tag:\"product=VPN-1 \u0026 FireWall-1[db_tag={DF903A6D-B97D-1A4D-A054-2BF3A330CB5A};mgmt=gw-da58d3;date=1585487925;policy_name=Standard\\]\"; dst:\"194.29.39.10\"; inzone:\"Local\"; layer_name:\"Network\"; layer_uuid:\"63b7fe60-76d2-4287-bca5-21af87337b0a\"; match_id:\"1\"; parent_rule:\"0\"; rule_action:\"Accept\"; rule_uid:\"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2\"; nat_addtnl_rulenum:\"0\"; nat_rulenum:\"0\"; outzone:\"Internal\"; product:\"VPN-1 \u0026 FireWall-1\"; proto:\"6\"; s_port:\"61794\"; service:\"443\"; service_id:\"https\"; src:\"192.168.1.100\"; xlatedport:\"0\"; xlatedst:\"0.0.0.0\"; xlatesport:\"26680\"; xlatesrc:\"0.0.0.0\"]", "kind": "event", "module": "checkpoint", "action": "Accept", @@ -201,12 +235,6 @@ "connection" ], "outcome": "success" - }, - "network": { - "name": "Network", - "application": "https", - "iana_number": "6", - "direction": "outbound" } }, { 
@@ -216,6 +244,26 @@ "rule_action": "Accept", "match_id": "1" }, + "destination": { + "port": 53, + "ip": "192.168.1.1" + }, + "rule": { + "uuid": "1fde807b-6300-4b1a-914f-f1c1f3e2e7d2" + }, + "source": { + "port": 36749, + "ip": "192.168.1.100" + }, + "tags": [ + "preserve_original_event" + ], + "network": { + "name": "Network", + "application": "domain-udp", + "iana_number": "17", + "direction": "outbound" + }, "observer": { "name": "192.168.1.100", "ingress": { @@ -232,26 +280,19 @@ } }, "@timestamp": "2020-03-29T13:19:22.000Z", + "ecs": { + "version": "1.10.0" + }, "related": { "ip": [ "192.168.1.100", "192.168.1.1" ] }, - "destination": { - "port": 53, - "ip": "192.168.1.1" - }, - "rule": { - "uuid": "1fde807b-6300-4b1a-914f-f1c1f3e2e7d2" - }, - "source": { - "port": 36749, - "ip": "192.168.1.100" - }, "event": { "sequence": 3, - "ingested": "2021-04-23T12:53:00.007254694Z", + "ingested": "2021-06-09T09:59:47.105510300Z", + "original": "\u003c134\u003e1 2020-03-29T13:19:22Z gw-da58d3 CheckPoint 1930 - [action:\"Accept\"; flags:\"444676\"; ifdir:\"outbound\"; ifname:\"eth0\"; logid:\"0\"; loguid:\"{0x5e80a05a,0x0,0x1cae0484,0xf99c33e9}\"; origin:\"192.168.1.100\"; originsicname:\"cn=cp_mgmt,o=gw-da58d3..tmn8s8\"; sequencenum:\"3\"; version:\"5\"; __policy_id_tag:\"product=VPN-1 \u0026 FireWall-1[db_tag={DF903A6D-B97D-1A4D-A054-2BF3A330CB5A};mgmt=gw-da58d3;date=1585487925;policy_name=Standard\\]\"; dst:\"192.168.1.1\"; inzone:\"Local\"; layer_name:\"Network\"; layer_uuid:\"63b7fe60-76d2-4287-bca5-21af87337b0a\"; match_id:\"1\"; parent_rule:\"0\"; rule_action:\"Accept\"; rule_uid:\"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2\"; outzone:\"Internal\"; product:\"VPN-1 \u0026 FireWall-1\"; proto:\"17\"; s_port:\"36749\"; service:\"53\"; service_id:\"domain-udp\"; src:\"192.168.1.100\"]", "kind": "event", "module": "checkpoint", "action": "Accept", 
@@ -264,12 +305,6 @@ "connection" ], "outcome": "success" - }, - "network": { - "name": "Network", - "application": "domain-udp", - "iana_number": "17", - "direction": "outbound" } }, { @@ -285,16 +320,23 @@ "vendor": "Checkpoint" }, "@timestamp": "2020-03-29T23:18:44.000Z", + "ecs": { + "version": "1.10.0" + }, "event": { "sequence": 1, - "ingested": "2021-04-23T12:53:00.007523249Z", + "ingested": "2021-06-09T09:59:47.105517100Z", + "original": "\u003c134\u003e1 2020-03-29T23:18:44Z gw-da58d3 CheckPoint 8363 - [flags:\"133440\"; ifdir:\"inbound\"; loguid:\"{0x5e812cd4,0x1,0x6401a8c0,0x108620ab}\"; origin:\"192.168.1.100\"; originsicname:\"cn=cp_mgmt,o=gw-da58d3..tmn8s8\"; sequencenum:\"1\"; version:\"5\"; comment:\"No update was found\"; description:\"Contracts\"; product:\"Security Gateway/Management\"; status:\"Finished\"; update_service:\"1\"; version:\"1.0\"]", + "kind": "event", + "module": "checkpoint", "id": "{0x5e812cd4,0x1,0x6401a8c0,0x108620ab}", "category": [ "network" - ], - "kind": "event", - "module": "checkpoint" + ] }, + "tags": [ + "preserve_original_event" + ], "network": { "direction": "inbound" } @@ -308,28 +350,6 @@ "nat_rulenum": "0", "match_id": "1" }, - "observer": { - "name": "192.168.1.100", - "ingress": { - "zone": "Local" - }, - "product": "VPN-1 \u0026 FireWall-1", - "type": "firewall", - "vendor": "Checkpoint", - "egress": { - "interface": { - "name": "eth0" - }, - "zone": "External" - } - }, - "@timestamp": "2020-03-29T23:18:43.000Z", - "related": { - "ip": [ - "192.168.1.100", - "192.124.249.41" - ] - }, "destination": { "geo": { "continent_name": "North America", 
@@ -359,9 +379,44 @@ "port": 61180, "ip": "192.168.1.100" }, + "tags": [ + "preserve_original_event" + ], + "network": { + "name": "Network", + "application": "http", + "iana_number": "6", + "direction": "outbound" + }, + "observer": { + "name": "192.168.1.100", + "ingress": { + "zone": "Local" + }, + "product": "VPN-1 \u0026 FireWall-1", + "type": "firewall", + "vendor": "Checkpoint", + "egress": { + "interface": { + "name": "eth0" + }, + "zone": "External" + } + }, + "@timestamp": "2020-03-29T23:18:43.000Z", + "ecs": { + "version": "1.10.0" + }, + "related": { + "ip": [ + "192.168.1.100", + "192.124.249.41" + ] + }, "event": { "sequence": 8, - "ingested": "2021-04-23T12:53:00.007529794Z", + "ingested": "2021-06-09T09:59:47.105523500Z", + "original": "\u003c134\u003e1 2020-03-29T23:18:43Z gw-da58d3 CheckPoint 8363 - [action:\"Accept\"; flags:\"444676\"; ifdir:\"outbound\"; ifname:\"eth0\"; logid:\"0\"; loguid:\"{0x5e812cd3,0x6,0x353707c7,0xee78a1dc}\"; origin:\"192.168.1.100\"; originsicname:\"cn=cp_mgmt,o=gw-da58d3..tmn8s8\"; sequencenum:\"8\"; version:\"5\"; __policy_id_tag:\"product=VPN-1 \u0026 FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\\]\"; dst:\"192.124.249.41\"; inzone:\"Local\"; layer_name:\"Network\"; layer_uuid:\"63b7fe60-76d2-4287-bca5-21af87337b0a\"; match_id:\"1\"; parent_rule:\"0\"; rule_action:\"Accept\"; rule_uid:\"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2\"; nat_addtnl_rulenum:\"0\"; nat_rulenum:\"0\"; outzone:\"External\"; product:\"VPN-1 \u0026 FireWall-1\"; proto:\"6\"; s_port:\"61180\"; service:\"80\"; service_id:\"http\"; src:\"192.168.1.100\"; xlatedport:\"0\"; xlatedst:\"0.0.0.0\"; xlatesport:\"10860\"; xlatesrc:\"0.0.0.0\"]", "kind": "event", "module": "checkpoint", "action": "Accept", @@ -374,12 +429,6 @@ "connection" ], "outcome": "success" - }, - "network": { - "name": "Network", - "application": "http", - "iana_number": "6", - "direction": "outbound" } }, { 
@@ -391,24 +440,6 @@ "rule_action": "Accept", "match_id": "1" }, - "observer": { - "name": "192.168.1.100", - "ingress": { - "interface": { - "name": "eth1" - } - }, - "product": "VPN-1 \u0026 FireWall-1", - "type": "firewall", - "vendor": "Checkpoint" - }, - "@timestamp": "2020-03-29T23:18:53.000Z", - "related": { - "ip": [ - "192.168.2.2", - "8.8.8.8" - ] - }, "destination": { "geo": { "continent_name": "North America", 
@@ -435,9 +466,40 @@ "port": 55039, "ip": "192.168.2.2" }, + "tags": [ + "preserve_original_event" + ], + "network": { + "name": "Network", + "application": "domain-udp", + "iana_number": "17", + "direction": "inbound" + }, + "observer": { + "name": "192.168.1.100", + "ingress": { + "interface": { + "name": "eth1" + } + }, + "product": "VPN-1 \u0026 FireWall-1", + "type": "firewall", + "vendor": "Checkpoint" + }, + "@timestamp": "2020-03-29T23:18:53.000Z", + "ecs": { + "version": "1.10.0" + }, + "related": { + "ip": [ + "192.168.2.2", + "8.8.8.8" + ] + }, "event": { "sequence": 1, - "ingested": "2021-04-23T12:53:00.007531854Z", + "ingested": "2021-06-09T09:59:47.105529600Z", + "original": "\u003c134\u003e1 2020-03-29T23:18:53Z gw-da58d3 CheckPoint 8363 - [action:\"Accept\"; conn_direction:\"Outgoing\"; flags:\"6703366\"; ifdir:\"inbound\"; ifname:\"eth1\"; logid:\"0\"; loguid:\"{0x5e812cdd,0x0,0x353707c7,0xee78a1dc}\"; origin:\"192.168.1.100\"; originsicname:\"cn=cp_mgmt,o=gw-da58d3..tmn8s8\"; sequencenum:\"1\"; version:\"5\"; __policy_id_tag:\"product=VPN-1 \u0026 FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\\]\"; dst:\"8.8.8.8\"; log_delay:\"1585523933\"; layer_name:\"Network\"; layer_uuid:\"63b7fe60-76d2-4287-bca5-21af87337b0a\"; match_id:\"1\"; parent_rule:\"0\"; rule_action:\"Accept\"; rule_uid:\"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2\"; product:\"VPN-1 \u0026 FireWall-1\"; proto:\"17\"; s_port:\"55039\"; service:\"53\"; service_id:\"domain-udp\"; src:\"192.168.2.2\"]", "kind": "event", "module": "checkpoint", "action": "Accept", @@ -450,12 +512,6 @@ "connection" ], "outcome": "success" - }, - "network": { - "name": "Network", - "application": "domain-udp", - "iana_number": "17", - "direction": "inbound" } }, { 
@@ -470,16 +526,23 @@ "vendor": "Checkpoint" }, "@timestamp": "2020-03-30T01:18:44.000Z", + "ecs": { + "version": "1.10.0" + }, "event": { "sequence": 1, - "ingested": "2021-04-23T12:53:00.007533502Z", + "ingested": "2021-06-09T09:59:47.105535400Z", + "original": "\u003c134\u003e1 2020-03-30T01:18:44Z gw-da58d3 CheckPoint 8363 - [flags:\"133440\"; ifdir:\"inbound\"; loguid:\"{0x5e8148f5,0x0,0x6401a8c0,0x108620ab}\"; origin:\"192.168.1.100\"; originsicname:\"cn=cp_mgmt,o=gw-da58d3..tmn8s8\"; sequencenum:\"1\"; version:\"5\"; description:\"Contracts\"; product:\"Security Gateway/Management\"; status:\"Started\"; update_service:\"1\"; version:\"1.0\"]", + "kind": "event", + "module": "checkpoint", "id": "{0x5e8148f5,0x0,0x6401a8c0,0x108620ab}", "category": [ "network" - ], - "kind": "event", - "module": "checkpoint" + ] }, + "tags": [ + "preserve_original_event" + ], "network": { "direction": "inbound" } @@ -493,28 +556,6 @@ "nat_rulenum": "0", "match_id": "1" }, - "observer": { - "name": "192.168.1.100", - "ingress": { - "zone": "Local" - }, - "product": "VPN-1 \u0026 FireWall-1", - "type": "firewall", - "vendor": "Checkpoint", - "egress": { - "interface": { - "name": "eth0" - }, - "zone": "External" - } - }, - "@timestamp": "2020-03-30T01:18:46.000Z", - "related": { - "ip": [ - "192.168.1.100", - "192.124.249.36" - ] - }, "destination": { "geo": { "continent_name": "North America", 
@@ -544,9 +585,44 @@ "port": 51894, "ip": "192.168.1.100" }, + "tags": [ + "preserve_original_event" + ], + "network": { + "name": "Network", + "application": "http", + "iana_number": "6", + "direction": "outbound" + }, + "observer": { + "name": "192.168.1.100", + "ingress": { + "zone": "Local" + }, + "product": "VPN-1 \u0026 FireWall-1", + "type": "firewall", + "vendor": "Checkpoint", + "egress": { + "interface": { + "name": "eth0" + }, + "zone": "External" + } + }, + "@timestamp": "2020-03-30T01:18:46.000Z", + "ecs": { + "version": "1.10.0" + }, + "related": { + "ip": [ + "192.168.1.100", + "192.124.249.36" + ] + }, "event": { "sequence": 2, - "ingested": "2021-04-23T12:53:00.007535119Z", + "ingested": "2021-06-09T09:59:47.105541300Z", + "original": "\u003c134\u003e1 2020-03-30T01:18:46Z gw-da58d3 CheckPoint 8363 - [action:\"Accept\"; flags:\"444676\"; ifdir:\"outbound\"; ifname:\"eth0\"; logid:\"0\"; loguid:\"{0x5e8148f6,0x1,0x353707c7,0xee78a1dc}\"; origin:\"192.168.1.100\"; originsicname:\"cn=cp_mgmt,o=gw-da58d3..tmn8s8\"; sequencenum:\"2\"; version:\"5\"; __policy_id_tag:\"product=VPN-1 \u0026 FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\\]\"; dst:\"192.124.249.36\"; inzone:\"Local\"; layer_name:\"Network\"; layer_uuid:\"63b7fe60-76d2-4287-bca5-21af87337b0a\"; match_id:\"1\"; parent_rule:\"0\"; rule_action:\"Accept\"; rule_uid:\"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2\"; nat_addtnl_rulenum:\"0\"; nat_rulenum:\"0\"; outzone:\"External\"; product:\"VPN-1 \u0026 FireWall-1\"; proto:\"6\"; s_port:\"51894\"; service:\"80\"; service_id:\"http\"; src:\"192.168.1.100\"; xlatedport:\"0\"; xlatedst:\"0.0.0.0\"; xlatesport:\"11157\"; xlatesrc:\"0.0.0.0\"]", "kind": "event", "module": "checkpoint", "action": "Accept", @@ -559,12 +635,6 @@ "connection" ], "outcome": "success" - }, - "network": { - "name": "Network", - "application": "http", - "iana_number": "6", - "direction": "outbound" } }, { 
@@ -574,6 +644,26 @@ "rule_action": "Accept", "match_id": "1" }, + "destination": { + "port": 53, + "ip": "192.168.1.1" + }, + "rule": { + "uuid": "1fde807b-6300-4b1a-914f-f1c1f3e2e7d2" + }, + "source": { + "port": 47919, + "ip": "192.168.1.100" + }, + "tags": [ + "preserve_original_event" + ], + "network": { + "name": "Network", + "application": "domain-udp", + "iana_number": "17", + "direction": "outbound" + }, "observer": { "name": "192.168.1.100", "ingress": { @@ -590,26 +680,19 @@ } }, "@timestamp": "2020-03-30T01:18:46.000Z", + "ecs": { + "version": "1.10.0" + }, "related": { "ip": [ "192.168.1.100", "192.168.1.1" ] }, - "destination": { - "port": 53, - "ip": "192.168.1.1" - }, - "rule": { - "uuid": "1fde807b-6300-4b1a-914f-f1c1f3e2e7d2" - }, - "source": { - "port": 47919, - "ip": "192.168.1.100" - }, "event": { "sequence": 3, - "ingested": "2021-04-23T12:53:00.007536627Z", + "ingested": "2021-06-09T09:59:47.105547400Z", + "original": "\u003c134\u003e1 2020-03-30T01:18:46Z gw-da58d3 CheckPoint 8363 - [action:\"Accept\"; flags:\"444676\"; ifdir:\"outbound\"; ifname:\"eth0\"; logid:\"0\"; loguid:\"{0x5e8148f6,0x2,0x353707c7,0xee78a1dc}\"; origin:\"192.168.1.100\"; originsicname:\"cn=cp_mgmt,o=gw-da58d3..tmn8s8\"; sequencenum:\"3\"; version:\"5\"; __policy_id_tag:\"product=VPN-1 \u0026 FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\\]\"; dst:\"192.168.1.1\"; inzone:\"Local\"; layer_name:\"Network\"; layer_uuid:\"63b7fe60-76d2-4287-bca5-21af87337b0a\"; match_id:\"1\"; parent_rule:\"0\"; rule_action:\"Accept\"; rule_uid:\"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2\"; outzone:\"External\"; product:\"VPN-1 \u0026 FireWall-1\"; proto:\"17\"; s_port:\"47919\"; service:\"53\"; service_id:\"domain-udp\"; src:\"192.168.1.100\"]", "kind": "event", "module": "checkpoint", "action": "Accept", 
@@ -622,12 +705,6 @@ "connection" ], "outcome": "success" - }, - "network": { - "name": "Network", - "application": "domain-udp", - "iana_number": "17", - "direction": "outbound" } }, { @@ -643,26 +720,53 @@ "vendor": "Checkpoint" }, "@timestamp": "2020-03-30T01:18:46.000Z", + "ecs": { + "version": "1.10.0" + }, "event": { "sequence": 5, - "ingested": "2021-04-23T12:53:00.007538513Z", + "ingested": "2021-06-09T09:59:47.105553300Z", + "original": "\u003c134\u003e1 2020-03-30T01:18:46Z gw-da58d3 CheckPoint 8363 - [flags:\"133440\"; ifdir:\"inbound\"; loguid:\"{0x5e8148f7,0x0,0x6401a8c0,0x108620ab}\"; origin:\"192.168.1.100\"; originsicname:\"cn=cp_mgmt,o=gw-da58d3..tmn8s8\"; sequencenum:\"5\"; version:\"5\"; comment:\"No update was found\"; description:\"Contracts\"; product:\"Security Gateway/Management\"; status:\"Finished\"; update_service:\"1\"; version:\"1.0\"]", + "kind": "event", + "module": "checkpoint", "id": "{0x5e8148f7,0x0,0x6401a8c0,0x108620ab}", "category": [ "network" - ], - "kind": "event", - "module": "checkpoint" + ] + }, + "tags": [ + "preserve_original_event" + ], + "network": { + "direction": "inbound" + } + }, + { + "checkpoint": { + "logid": "0", + "parent_rule": "0", + "rule_action": "Accept", + "match_id": "1" + }, + "destination": { + "port": 514, + "ip": "192.168.1.153" + }, + "rule": { + "uuid": "1fde807b-6300-4b1a-914f-f1c1f3e2e7d2" + }, + "source": { + "port": 43103, + "ip": "192.168.1.100" }, + "tags": [ + "preserve_original_event" + ], "network": { - "direction": "inbound" - } - }, - { - "checkpoint": { - "logid": "0", - "parent_rule": "0", - "rule_action": "Accept", - "match_id": "1" + "name": "Network", + "application": "syslog", + "iana_number": "17", + "direction": "outbound" }, "observer": { "name": "192.168.1.100", 
@@ -680,26 +784,19 @@ } }, "@timestamp": "2020-03-30T06:12:45.000Z", + "ecs": { + "version": "1.10.0" + }, "related": { "ip": [ "192.168.1.100", "192.168.1.153" ] }, - "destination": { - "port": 514, - "ip": "192.168.1.153" - }, - "rule": { - "uuid": "1fde807b-6300-4b1a-914f-f1c1f3e2e7d2" - }, - "source": { - "port": 43103, - "ip": "192.168.1.100" - }, "event": { "sequence": 13, - "ingested": "2021-04-23T12:53:00.007540084Z", + "ingested": "2021-06-09T09:59:47.105559200Z", + "original": "\u003c134\u003e1 2020-03-30T06:12:45Z gw-da58d3 CheckPoint 8363 - [action:\"Accept\"; flags:\"444676\"; ifdir:\"outbound\"; ifname:\"eth0\"; logid:\"0\"; loguid:\"{0x5e818ddd,0xc,0x353707c7,0xee78a1dc}\"; origin:\"192.168.1.100\"; originsicname:\"cn=cp_mgmt,o=gw-da58d3..tmn8s8\"; sequencenum:\"13\"; version:\"5\"; __policy_id_tag:\"product=VPN-1 \u0026 FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\\]\"; dst:\"192.168.1.153\"; inzone:\"Local\"; layer_name:\"Network\"; layer_uuid:\"63b7fe60-76d2-4287-bca5-21af87337b0a\"; match_id:\"1\"; parent_rule:\"0\"; rule_action:\"Accept\"; rule_uid:\"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2\"; outzone:\"External\"; product:\"VPN-1 \u0026 FireWall-1\"; proto:\"17\"; s_port:\"43103\"; service:\"514\"; service_id:\"syslog\"; src:\"192.168.1.100\"]", "kind": "event", "module": "checkpoint", "action": "Accept", @@ -712,12 +809,6 @@ "connection" ], "outcome": "success" - }, - "network": { - "name": "Network", - "application": "syslog", - "iana_number": "17", - "direction": "outbound" } }, { 
@@ -733,10 +824,14 @@ "vendor": "Checkpoint" }, "@timestamp": "2020-03-30T06:12:51.000Z", + "ecs": { + "version": "1.10.0" + }, "event": { "severity": 1, "sequence": 1, - "ingested": "2021-04-23T12:53:00.007541599Z", + "ingested": "2021-06-09T09:59:47.105565600Z", + "original": "\u003c134\u003e1 2020-03-30T06:12:51Z gw-da58d3 CheckPoint 8363 - [flags:\"166216\"; ifdir:\"outbound\"; loguid:\"{0x5e818de4,0x0,0x6401a8c0,0x108620ab}\"; origin:\"192.168.1.100\"; originsicname:\"cn=cp_mgmt,o=gw-da58d3..tmn8s8\"; sequencenum:\"1\"; version:\"5\"; db_ver:\"20033003\"; description:\"Gateway was updated with database version: 22032001.\"; product:\"Application Control\"; severity:\"1\"; update_status:\"updated\"]", "kind": "event", "module": "checkpoint", "id": "{0x5e818de4,0x0,0x6401a8c0,0x108620ab}", @@ -744,6 +839,9 @@ "network" ] }, + "tags": [ + "preserve_original_event" + ], "network": { "direction": "outbound" } @@ -761,10 +859,14 @@ "vendor": "Checkpoint" }, "@timestamp": "2020-03-30T06:12:51.000Z", + "ecs": { + "version": "1.10.0" + }, "event": { "severity": 1, "sequence": 2, - "ingested": "2021-04-23T12:53:00.007543161Z", + "ingested": "2021-06-09T09:59:47.105572Z", + "original": "\u003c134\u003e1 2020-03-30T06:12:51Z gw-da58d3 CheckPoint 8363 - [flags:\"166216\"; ifdir:\"outbound\"; loguid:\"{0x5e818de4,0x1,0x6401a8c0,0x108620ab}\"; origin:\"192.168.1.100\"; originsicname:\"cn=cp_mgmt,o=gw-da58d3..tmn8s8\"; sequencenum:\"2\"; version:\"5\"; db_ver:\"20033003\"; description:\"Gateway was updated with database version: 22032001.\"; product:\"URL Filtering\"; severity:\"1\"; update_status:\"updated\"]", "kind": "event", "module": "checkpoint", "id": "{0x5e818de4,0x1,0x6401a8c0,0x108620ab}", @@ -772,6 +874,9 @@ "network" ] }, + "tags": [ + "preserve_original_event" + ], "network": { "direction": "outbound" } 
@@ -783,6 +888,26 @@ "rule_action": "Accept", "match_id": "1" }, + "destination": { + "port": 138, + "ip": "192.168.1.255" + }, + "rule": { + "uuid": "1fde807b-6300-4b1a-914f-f1c1f3e2e7d2" + }, + "source": { + "port": 138, + "ip": "192.168.1.1" + }, + "tags": [ + "preserve_original_event" + ], + "network": { + "name": "Network", + "application": "nbdatagram", + "iana_number": "17", + "direction": "inbound" + }, "observer": { "name": "192.168.1.100", "ingress": { @@ -799,26 +924,19 @@ } }, "@timestamp": "2020-03-30T06:13:21.000Z", + "ecs": { + "version": "1.10.0" + }, "related": { "ip": [ "192.168.1.1", "192.168.1.255" ] }, - "destination": { - "port": 138, - "ip": "192.168.1.255" - }, - "rule": { - "uuid": "1fde807b-6300-4b1a-914f-f1c1f3e2e7d2" - }, - "source": { - "port": 138, - "ip": "192.168.1.1" - }, "event": { "sequence": 1, - "ingested": "2021-04-23T12:53:00.007544705Z", + "ingested": "2021-06-09T09:59:47.105578200Z", + "original": "\u003c134\u003e1 2020-03-30T06:13:21Z gw-da58d3 CheckPoint 8363 - [action:\"Accept\"; flags:\"411908\"; ifdir:\"inbound\"; ifname:\"eth0\"; logid:\"0\"; loguid:\"{0x5e818e01,0x0,0x353707c7,0xee78a1dc}\"; origin:\"192.168.1.100\"; originsicname:\"cn=cp_mgmt,o=gw-da58d3..tmn8s8\"; sequencenum:\"1\"; version:\"5\"; __policy_id_tag:\"product=VPN-1 \u0026 FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\\]\"; dst:\"192.168.1.255\"; inzone:\"External\"; layer_name:\"Network\"; layer_uuid:\"63b7fe60-76d2-4287-bca5-21af87337b0a\"; match_id:\"1\"; parent_rule:\"0\"; rule_action:\"Accept\"; rule_uid:\"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2\"; outzone:\"Local\"; product:\"VPN-1 \u0026 FireWall-1\"; proto:\"17\"; s_port:\"138\"; service:\"138\"; service_id:\"nbdatagram\"; src:\"192.168.1.1\"]", "kind": "event", "module": "checkpoint", "action": "Accept", 
@@ -831,12 +949,6 @@ "connection" ], "outcome": "success" - }, - "network": { - "name": "Network", - "application": "nbdatagram", - "iana_number": "17", - "direction": "inbound" } }, { @@ -845,24 +957,6 @@ "tcp_flags": "FIN-ACK", "logid": "1" }, - "observer": { - "name": "192.168.1.100", - "product": "VPN-1 \u0026 FireWall-1", - "type": "firewall", - "vendor": "Checkpoint", - "egress": { - "interface": { - "name": "eth0" - } - } - }, - "@timestamp": "2020-03-30T06:13:42.000Z", - "related": { - "ip": [ - "192.168.1.100", - "2.21.41.118" - ] - }, "destination": { "geo": { "continent_name": "Europe", @@ -886,9 +980,38 @@ "port": 65488, "ip": "192.168.1.100" }, + "tags": [ + "preserve_original_event" + ], + "network": { + "iana_number": "6", + "direction": "outbound" + }, + "observer": { + "name": "192.168.1.100", + "product": "VPN-1 \u0026 FireWall-1", + "type": "firewall", + "vendor": "Checkpoint", + "egress": { + "interface": { + "name": "eth0" + } + } + }, + "@timestamp": "2020-03-30T06:13:42.000Z", + "ecs": { + "version": "1.10.0" + }, + "related": { + "ip": [ + "192.168.1.100", + "2.21.41.118" + ] + }, "event": { "sequence": 1, - "ingested": "2021-04-23T12:53:00.007546355Z", + "ingested": "2021-06-09T09:59:47.105585Z", + "original": "\u003c134\u003e1 2020-03-30T06:13:42Z gw-da58d3 CheckPoint 8363 - [action:\"Drop\"; flags:\"425984\"; ifdir:\"outbound\"; ifname:\"eth0\"; logid:\"1\"; loguid:\"{0x5e818e17,0x0,0x6401a8c0,0x108620ab}\"; origin:\"192.168.1.100\"; originsicname:\"cn=cp_mgmt,o=gw-da58d3..tmn8s8\"; sequencenum:\"1\"; version:\"5\"; __policy_id_tag:\"product=VPN-1 \u0026 FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\\]\"; dst:\"2.21.41.118\"; product:\"VPN-1 \u0026 FireWall-1\"; proto:\"6\"; s_port:\"65488\"; service:\"80\"; src:\"192.168.1.100\"; tcp_flags:\"FIN-ACK\"; tcp_packet_out_of_state:\"First packet isn't SYN\"]", "kind": "event", "module": "checkpoint", "action": "Drop", 
@@ -896,10 +1019,6 @@ "category": [ "network" ] - }, - "network": { - "iana_number": "6", - "direction": "outbound" } }, { @@ -909,6 +1028,26 @@ "rule_action": "Accept", "match_id": "1" }, + "destination": { + "port": 514, + "ip": "192.168.1.153" + }, + "rule": { + "uuid": "1fde807b-6300-4b1a-914f-f1c1f3e2e7d2" + }, + "source": { + "port": 43103, + "ip": "192.168.1.100" + }, + "tags": [ + "preserve_original_event" + ], + "network": { + "name": "Network", + "application": "syslog", + "iana_number": "17", + "direction": "outbound" + }, "observer": { "name": "192.168.1.100", "ingress": { @@ -925,26 +1064,19 @@ } }, "@timestamp": "2020-03-30T07:18:59.000Z", + "ecs": { + "version": "1.10.0" + }, "related": { "ip": [ "192.168.1.100", "192.168.1.153" ] }, - "destination": { - "port": 514, - "ip": "192.168.1.153" - }, - "rule": { - "uuid": "1fde807b-6300-4b1a-914f-f1c1f3e2e7d2" - }, - "source": { - "port": 43103, - "ip": "192.168.1.100" - }, "event": { "sequence": 1, - "ingested": "2021-04-23T12:53:00.007547854Z", + "ingested": "2021-06-09T09:59:47.105590900Z", + "original": "\u003c134\u003e1 2020-03-30T07:18:59Z gw-da58d3 CheckPoint 8363 - [action:\"Accept\"; flags:\"444676\"; ifdir:\"outbound\"; ifname:\"eth0\"; logid:\"0\"; loguid:\"{0x5e819d63,0x0,0x353707c7,0xee78a1dc}\"; origin:\"192.168.1.100\"; originsicname:\"cn=cp_mgmt,o=gw-da58d3..tmn8s8\"; sequencenum:\"1\"; version:\"5\"; __policy_id_tag:\"product=VPN-1 \u0026 FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\\]\"; dst:\"192.168.1.153\"; inzone:\"Local\"; layer_name:\"Network\"; layer_uuid:\"63b7fe60-76d2-4287-bca5-21af87337b0a\"; match_id:\"1\"; parent_rule:\"0\"; rule_action:\"Accept\"; rule_uid:\"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2\"; outzone:\"External\"; product:\"VPN-1 \u0026 FireWall-1\"; proto:\"17\"; s_port:\"43103\"; service:\"514\"; service_id:\"syslog\"; src:\"192.168.1.100\"]", "kind": "event", "module": "checkpoint", "action": "Accept", 
@@ -957,12 +1089,6 @@ "connection" ], "outcome": "success" - }, - "network": { - "name": "Network", - "application": "syslog", - "iana_number": "17", - "direction": "outbound" } }, { @@ -972,6 +1098,26 @@ "rule_action": "Accept", "match_id": "1" }, + "destination": { + "port": 137, + "ip": "192.168.1.255" + }, + "rule": { + "uuid": "1fde807b-6300-4b1a-914f-f1c1f3e2e7d2" + }, + "source": { + "port": 50024, + "ip": "192.168.1.196" + }, + "tags": [ + "preserve_original_event" + ], + "network": { + "name": "Network", + "application": "nbname", + "iana_number": "17", + "direction": "inbound" + }, "observer": { "name": "192.168.1.100", "ingress": { 
@@ -988,26 +1134,19 @@ } }, "@timestamp": "2020-03-30T07:19:22.000Z", + "ecs": { + "version": "1.10.0" + }, "related": { "ip": [ "192.168.1.196", "192.168.1.255" ] }, - "destination": { - "port": 137, - "ip": "192.168.1.255" - }, - "rule": { - "uuid": "1fde807b-6300-4b1a-914f-f1c1f3e2e7d2" - }, - "source": { - "port": 50024, - "ip": "192.168.1.196" - }, "event": { "sequence": 1, - "ingested": "2021-04-23T12:53:00.007549342Z", + "ingested": "2021-06-09T09:59:47.105599200Z", + "original": "\u003c134\u003e1 2020-03-30T07:19:22Z gw-da58d3 CheckPoint 8363 - [action:\"Accept\"; flags:\"411908\"; ifdir:\"inbound\"; ifname:\"eth0\"; logid:\"0\"; loguid:\"{0x5e819d7a,0x0,0x353707c7,0xee78a1dc}\"; origin:\"192.168.1.100\"; originsicname:\"cn=cp_mgmt,o=gw-da58d3..tmn8s8\"; sequencenum:\"1\"; version:\"5\"; __policy_id_tag:\"product=VPN-1 \u0026 FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\\]\"; dst:\"192.168.1.255\"; inzone:\"External\"; layer_name:\"Network\"; layer_uuid:\"63b7fe60-76d2-4287-bca5-21af87337b0a\"; match_id:\"1\"; parent_rule:\"0\"; rule_action:\"Accept\"; rule_uid:\"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2\"; outzone:\"Local\"; product:\"VPN-1 \u0026 FireWall-1\"; proto:\"17\"; s_port:\"50024\"; service:\"137\"; service_id:\"nbname\"; src:\"192.168.1.196\"]", "kind": "event", "module": "checkpoint", "action": "Accept", @@ -1020,12 +1159,6 @@ "connection" ], "outcome": "success" - }, - "network": { - "name": "Network", - "application": "nbname", - "iana_number": "17", - "direction": "inbound" } }, { 
@@ -1035,6 +1168,26 @@ "rule_action": "Accept", "match_id": "1" }, + "destination": { + "port": 22, + "ip": "192.168.1.100" + }, + "rule": { + "uuid": "1fde807b-6300-4b1a-914f-f1c1f3e2e7d2" + }, + "source": { + "port": 60226, + "ip": "192.168.1.205" + }, + "tags": [ + "preserve_original_event" + ], + "network": { + "name": "Network", + "application": "ssh", + "iana_number": "6", + "direction": "inbound" + }, "observer": { "name": "192.168.1.100", "ingress": { @@ -1051,26 +1204,19 @@ } }, "@timestamp": "2020-03-30T07:20:33.000Z", + "ecs": { + "version": "1.10.0" + }, "related": { "ip": [ "192.168.1.205", "192.168.1.100" ] }, - "destination": { - "port": 22, - "ip": "192.168.1.100" - }, - "rule": { - "uuid": "1fde807b-6300-4b1a-914f-f1c1f3e2e7d2" - }, - "source": { - "port": 60226, - "ip": "192.168.1.205" - }, "event": { "sequence": 1, - "ingested": "2021-04-23T12:53:00.007550842Z", + "ingested": "2021-06-09T09:59:47.105606Z", + "original": "\u003c134\u003e1 2020-03-30T07:20:33Z gw-da58d3 CheckPoint 8363 - [action:\"Accept\"; flags:\"411908\"; ifdir:\"inbound\"; ifname:\"eth0\"; logid:\"0\"; loguid:\"{0x5e819dc1,0x0,0x353707c7,0xee78a1dc}\"; origin:\"192.168.1.100\"; originsicname:\"cn=cp_mgmt,o=gw-da58d3..tmn8s8\"; sequencenum:\"1\"; version:\"5\"; __policy_id_tag:\"product=VPN-1 \u0026 FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\\]\"; dst:\"192.168.1.100\"; inzone:\"External\"; layer_name:\"Network\"; layer_uuid:\"63b7fe60-76d2-4287-bca5-21af87337b0a\"; match_id:\"1\"; parent_rule:\"0\"; rule_action:\"Accept\"; rule_uid:\"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2\"; outzone:\"Local\"; product:\"VPN-1 \u0026 FireWall-1\"; proto:\"6\"; s_port:\"60226\"; service:\"22\"; service_id:\"ssh\"; src:\"192.168.1.205\"]", "kind": "event", "module": "checkpoint", "action": "Accept", 
@@ -1083,12 +1229,6 @@ "connection" ], "outcome": "success" - }, - "network": { - "name": "Network", - "application": "ssh", - "iana_number": "6", - "direction": "inbound" } }, { @@ -1098,6 +1238,26 @@ "rule_action": "Accept", "match_id": "1" }, + "destination": { + "port": 514, + "ip": "192.168.1.153" + }, + "rule": { + "uuid": "1fde807b-6300-4b1a-914f-f1c1f3e2e7d2" + }, + "source": { + "port": 43103, + "ip": "192.168.1.100" + }, + "tags": [ + "preserve_original_event" + ], + "network": { + "name": "Network", + "application": "syslog", + "iana_number": "17", + "direction": "outbound" + }, "observer": { "name": "192.168.1.100", "ingress": { 
@@ -1114,26 +1274,19 @@ } }, "@timestamp": "2020-03-30T07:20:35.000Z", + "ecs": { + "version": "1.10.0" + }, "related": { "ip": [ "192.168.1.100", "192.168.1.153" ] }, - "destination": { - "port": 514, - "ip": "192.168.1.153" - }, - "rule": { - "uuid": "1fde807b-6300-4b1a-914f-f1c1f3e2e7d2" - }, - "source": { - "port": 43103, - "ip": "192.168.1.100" - }, "event": { "sequence": 1, - "ingested": "2021-04-23T12:53:00.007552355Z", + "ingested": "2021-06-09T09:59:47.105612Z", + "original": "\u003c134\u003e1 2020-03-30T07:20:35Z gw-da58d3 CheckPoint 8363 - [action:\"Accept\"; flags:\"444676\"; ifdir:\"outbound\"; ifname:\"eth0\"; logid:\"0\"; loguid:\"{0x5e819dc3,0x0,0x353707c7,0xee78a1dc}\"; origin:\"192.168.1.100\"; originsicname:\"cn=cp_mgmt,o=gw-da58d3..tmn8s8\"; sequencenum:\"1\"; version:\"5\"; __policy_id_tag:\"product=VPN-1 \u0026 FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\\]\"; dst:\"192.168.1.153\"; inzone:\"Local\"; layer_name:\"Network\"; layer_uuid:\"63b7fe60-76d2-4287-bca5-21af87337b0a\"; match_id:\"1\"; parent_rule:\"0\"; rule_action:\"Accept\"; rule_uid:\"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2\"; outzone:\"External\"; product:\"VPN-1 \u0026 FireWall-1\"; proto:\"17\"; s_port:\"43103\"; service:\"514\"; service_id:\"syslog\"; src:\"192.168.1.100\"]", "kind": "event", "module": "checkpoint", "action": "Accept", @@ -1146,12 +1299,6 @@ "connection" ], "outcome": "success" - }, - "network": { - "name": "Network", - "application": "syslog", - "iana_number": "17", - "direction": "outbound" } } ] diff --git a/packages/checkpoint/data_stream/firewall/_dev/test/pipeline/test-common-config.yml b/packages/checkpoint/data_stream/firewall/_dev/test/pipeline/test-common-config.yml new file mode 100644 index 00000000000..5622947e4b8 --- /dev/null +++ b/packages/checkpoint/data_stream/firewall/_dev/test/pipeline/test-common-config.yml 
@@ -0,0 +1,5 @@ +dynamic_fields: + event.ingested: ".*" +fields: + tags: + - preserve_original_event diff --git a/packages/checkpoint/data_stream/firewall/agent/stream/log.yml.hbs b/packages/checkpoint/data_stream/firewall/agent/stream/log.yml.hbs index cf321d3adea..dfdc54383cd 100644 --- a/packages/checkpoint/data_stream/firewall/agent/stream/log.yml.hbs +++ b/packages/checkpoint/data_stream/firewall/agent/stream/log.yml.hbs @@ -4,6 +4,9 @@ paths: {{/each}} exclude_files: [".gz$"] tags: +{{#if preserve_original_event}} + - preserve_original_event +{{/if}} {{#each tags as |tag i|}} - {{tag}} {{/each}} @@ -11,27 +14,25 @@ tags: publisher_pipeline.disable_host: true {{/contains}} processors: - - add_locale: ~ - {{#if internal_zones.length}} - - add_fields: - target: _temp_ - fields: - internal_zones: - {{#each internal_zones as |zone i|}} - - {{zone}} - {{/each}} - {{/if}} - {{#if external_zones.length}} - - add_fields: - target: _temp_ - fields: - external_zones: - {{#each external_zones as |zone i|}} - - {{zone}} - {{/each}} - {{/if}} - - add_fields: - target: '' - fields: - ecs.version: 1.9.0 - +- add_locale: ~ +{{#if processors}} +{{processors}} +{{/if}} +{{#if internal_zones.length}} +- add_fields: + target: _temp_ + fields: + internal_zones: + {{#each internal_zones as |zone i|}} + - {{zone}} + {{/each}} +{{/if}} +{{#if external_zones.length}} +- add_fields: + target: _temp_ + fields: + external_zones: + {{#each external_zones as |zone i|}} + - {{zone}} + {{/each}} +{{/if}} diff --git a/packages/checkpoint/data_stream/firewall/agent/stream/tcp.yml.hbs b/packages/checkpoint/data_stream/firewall/agent/stream/tcp.yml.hbs index 7c05af8b40a..6d4d6d654c3 100644 --- a/packages/checkpoint/data_stream/firewall/agent/stream/tcp.yml.hbs +++ b/packages/checkpoint/data_stream/firewall/agent/stream/tcp.yml.hbs 
@@ -1,14 +1,34 @@ host: "{{syslog_host}}:{{syslog_port}}" tags: +{{#if preserve_original_event}} + - preserve_original_event +{{/if}} {{#each tags as |tag i|}} -- {{tag}} + - {{tag}} {{/each}} {{#contains tags "forwarded"}} publisher_pipeline.disable_host: true {{/contains}} processors: - - add_locale: ~ - - add_fields: - target: '' - fields: - ecs.version: 1.9.0 +- add_locale: ~ +{{#if processors}} +{{processors}} +{{/if}} +{{#if internal_zones.length}} +- add_fields: + target: _temp_ + fields: + internal_zones: + {{#each internal_zones as |zone i|}} + - {{zone}} + {{/each}} +{{/if}} +{{#if external_zones.length}} +- add_fields: + target: _temp_ + fields: + external_zones: + {{#each external_zones as |zone i|}} + - {{zone}} + {{/each}} +{{/if}} \ No newline at end of file diff --git a/packages/checkpoint/data_stream/firewall/agent/stream/udp.yml.hbs b/packages/checkpoint/data_stream/firewall/agent/stream/udp.yml.hbs index 1038f646062..6d4d6d654c3 100644 --- a/packages/checkpoint/data_stream/firewall/agent/stream/udp.yml.hbs +++ b/packages/checkpoint/data_stream/firewall/agent/stream/udp.yml.hbs 
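Review bot: The tcp template now renders the `internal_zones` / `external_zones` `add_fields` blocks it did not have before, but the tcp stream's vars added in the data-stream manifest later in this patch declare only `tags`, `preserve_original_event` and `processors`; confirm the package-level policy template for the tcp input exposes both zone variables, otherwise these blocks are dead template code (harmless, since each is guarded by `.length`). The new tcp and udp templates share the same blob id, so they are byte-identical; keeping them in lockstep is fine but then both need the missing trailing newline that `\ No newline at end of file` flags here and in the udp hunk that follows.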
@@ -1,32 +1,34 @@ host: "{{syslog_host}}:{{syslog_port}}" tags: +{{#if preserve_original_event}} + - preserve_original_event +{{/if}} {{#each tags as |tag i|}} -- {{tag}} + - {{tag}} {{/each}} {{#contains tags "forwarded"}} publisher_pipeline.disable_host: true {{/contains}} processors: - - add_locale: ~ - {{#if internal_zones.length}} - - add_fields: - target: _temp_ - fields: - internal_zones: - {{#each internal_zones as |zone i|}} - - {{zone}} - {{/each}} - {{/if}} - {{#if external_zones.length}} - - add_fields: - target: _temp_ - fields: - external_zones: - {{#each external_zones as |zone i|}} - - {{zone}} - {{/each}} - {{/if}} - - add_fields: - target: '' - fields: - ecs.version: 1.9.0 +- add_locale: ~ +{{#if processors}} +{{processors}} +{{/if}} +{{#if internal_zones.length}} +- add_fields: + target: _temp_ + fields: + internal_zones: + {{#each internal_zones as |zone i|}} + - {{zone}} + {{/each}} +{{/if}} +{{#if external_zones.length}} +- add_fields: + target: _temp_ + fields: + external_zones: + {{#each external_zones as |zone i|}} + - {{zone}} + {{/each}} +{{/if}} \ No newline at end of file diff --git a/packages/checkpoint/data_stream/firewall/elasticsearch/ingest_pipeline/default.yml b/packages/checkpoint/data_stream/firewall/elasticsearch/ingest_pipeline/default.yml index 5ce254c9def..7c36c7a87f6 100644 --- a/packages/checkpoint/data_stream/firewall/elasticsearch/ingest_pipeline/default.yml +++ b/packages/checkpoint/data_stream/firewall/elasticsearch/ingest_pipeline/default.yml 
@@ -1,11 +1,18 @@ --- description: Pipeline for parsing checkpoint firewall logs processors: + - set: + field: ecs.version + value: "1.10.0" - set: field: event.ingested value: "{{_ingest.timestamp}}" - - grok: + - rename: field: message + target_field: event.original + ignore_missing: true + - grok: + field: event.original patterns: - '%{SYSLOG5424PRI}%{NONNEGINT:syslog5424_ver} +(?:%{TIMESTAMP_ISO8601:syslog5424_ts}|-) +(?:%{IPORHOST:syslog5424_host}|-) +(-|%{SYSLOG5424PRINTASCII:syslog5424_app}) @@ -38,7 +45,6 @@ processors: - syslog5424_pri - syslog5424_proc - syslog5424_ver - - message - host ignore_missing: true - rename: @@ -626,6 +632,11 @@ processors: source: "ctx.network.packets = ctx.source.packets + ctx.destination.packets" if: ctx?.source?.packets != null && ctx?.destination?.packets != null && ctx?.network?.packets == null ignore_failure: true + - rename: + field: checkpoint.action_reason + target_field: checkpoint.action_reason_msg + if: ctx.checkpoint?.action_reason != null && ctx.checkpoint?.action_reason.contains(" ") + ignore_missing: true - geoip: field: source.ip target_field: source.geo @@ -750,6 +761,11 @@ processors: - syslog5424_ts - _temp_ ignore_missing: true + - remove: + field: event.original + if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))" + ignore_failure: true + ignore_missing: true on_failure: - set: field: error.message diff --git a/packages/checkpoint/data_stream/firewall/fields/fields.yml b/packages/checkpoint/data_stream/firewall/fields/fields.yml index 9797edff848..a61254120d9 100644 --- a/packages/checkpoint/data_stream/firewall/fields/fields.yml +++ b/packages/checkpoint/data_stream/firewall/fields/fields.yml @@ -1296,6 +1296,12 @@ type: integer description: | Connection drop reason. + - name: action_reason_msg + type: keyword + overwrite: true + description: > + Connection drop reason message. + - name: c_bytes type: integer description: | 
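Review bot: The guard on the new `rename` of `checkpoint.action_reason` to `checkpoint.action_reason_msg` keys on whether the value contains a space, not on whether it is numeric, so a single-word, non-numeric reason would stay in `checkpoint.action_reason`, which `fields.yml` (and the README table) map as `integer`, and the document would then be rejected at index time. A digits-only test expresses the intent better, e.g. a Painless regex such as `if: ctx.checkpoint?.action_reason != null && !(ctx.checkpoint.action_reason ==~ /^[0-9]+$/)` where the cluster's Painless regex setting permits it, or a `convert` to `integer` with `ignore_failure` followed by the rename when the value is still a string; I cannot tell from this hunk which of the two the package's other pipelines prefer.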
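Review bot: The conditional `remove` of `event.original` only runs when the main processor chain completes, so a document that fails earlier (for example in the `grok` that now reads `event.original`) takes the `on_failure` path and keeps the raw syslog line even when `preserve_original_event` is false. If the opt-in is meant to hold for every indexed document, repeat the same conditional `remove` inside `on_failure`, which begins at the end of this hunk and continues outside it; keeping the raw line on failed documents is a defensible troubleshooting choice, but it should be made explicitly rather than fall out of processor ordering.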
diff --git a/packages/checkpoint/data_stream/firewall/manifest.yml b/packages/checkpoint/data_stream/firewall/manifest.yml
index 5d3a47ccb44..996fe409ce0 100644
--- a/packages/checkpoint/data_stream/firewall/manifest.yml
+++ b/packages/checkpoint/data_stream/firewall/manifest.yml
@@ -3,14 +3,92 @@ title: Check Point firewall logs release: experimental streams: - input: udp + vars: + - name: tags + type: text + title: Tags + multi: true + required: true + show_user: false + default: + - forwarded + - name: preserve_original_event + required: true + show_user: true + title: Preserve original event + description: Preserves a raw copy of the original event, added to the field `event.original` + type: bool + multi: false + default: false + - name: processors + type: yaml + title: Processors + multi: false + required: false + show_user: false + description: > + Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. + template_path: udp.yml.hbs title: Check Point firewall logs (syslog over UDP) description: Collect Check Point firewall logs using udp input - input: tcp + vars: + - name: tags + type: text + title: Tags + multi: true + required: true + show_user: false + default: + - forwarded + - name: preserve_original_event + required: true + show_user: true + title: Preserve original event + description: Preserves a raw copy of the original event, added to the field `event.original` + type: bool + multi: false + default: false + - name: processors + type: yaml + title: Processors + multi: false + required: false + show_user: false + description: > + Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. 
+ template_path: tcp.yml.hbs title: Check Point firewall logs (syslog over TCP) description: Collect Check Point firewall logs using tcp input - input: logfile + vars: + - name: tags + type: text + title: Tags + multi: true + required: true + show_user: false + default: + - forwarded + - name: preserve_original_event + required: true + show_user: true + title: Preserve original event + description: Preserves a raw copy of the original event, added to the field `event.original` + type: bool + multi: false + default: false + - name: processors + type: yaml + title: Processors + multi: false + required: false + show_user: false + description: > + Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. + template_path: log.yml.hbs title: Check Point firewall logs (log) description: Collect Check Point firewall logs using log input diff --git a/packages/checkpoint/docs/README.md b/packages/checkpoint/docs/README.md index 38c557db1c7..3ebbf7ba7c2 100644 --- a/packages/checkpoint/docs/README.md +++ b/packages/checkpoint/docs/README.md @@ -21,6 +21,7 @@ Consists of log entries from the Log Exporter in the Syslog format. |---|---|---| | @timestamp | Event timestamp. | date | | checkpoint.action_reason | Connection drop reason. | integer | +| checkpoint.action_reason_msg | Connection drop reason message. | keyword | | checkpoint.additional_info | ID of original file/mail which are sent by admin. | keyword | | checkpoint.additional_ip | DNS host name. | keyword | | checkpoint.additional_rdata | List of additional resource records. | keyword | 
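Review bot: The stream-level `tags` default added here is only `forwarded`, while the package-level defaults removed in the `manifest.yml` hunks further down carried both `checkpoint-firewall` and `forwarded`; any saved search, dashboard filter or detection rule keyed on `tags: checkpoint-firewall` stops matching new events, and the changelog line `update to ECS 1.10.0 and syncing module changes` does not mention the drop. If it is intentional, call it out in the changelog entry; if not, keep `- checkpoint-firewall` in the three stream defaults (the same default block is repeated for the udp, tcp and logfile streams, so all three need the same decision). Note also that `show_user: false` on `tags` hides the change from users editing the policy, which makes the changelog mention more important.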
@@ -501,7 +502,7 @@ Consists of log entries from the Log Exporter in the Syslog format.
 | host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
 | host.ip | Host ip addresses. | ip |
 | host.mac | Host mac addresses. | keyword |
-| host.name | Name of the host. | keyword |
+| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
 | host.os.build | OS build information. | keyword |
 | host.os.codename | OS codename, if any. | keyword |
 | host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
diff --git a/packages/checkpoint/manifest.yml b/packages/checkpoint/manifest.yml
index e47d53f991f..a075c133808 100644
--- a/packages/checkpoint/manifest.yml
+++ b/packages/checkpoint/manifest.yml
@@ -1,6 +1,6 @@
 name: checkpoint
 title: Check Point
-version: 0.5.2
+version: 0.6.0
 release: experimental
 description: Check Point Integration
 type: integration
@@ -23,15 +23,6 @@ policy_templates:
 title: "Collect Check Point firewall logs (input: logfile)"
 description: "Collecting firewall logs from Check Point instances (input: logfile)"
 vars:
- - name: tags
- type: text
- title: Tags
- multi: true
- required: true
- show_user: true
- default:
- - checkpoint-firewall
- - forwarded
 - name: paths
 type: text
 title: Paths
@@ -63,15 +54,6 @@ policy_templates:
 required: true
 show_user: true
 default: localhost
- - name: tags
- type: text
- title: Tags
- multi: true
- required: true
- show_user: true
- default:
- - checkpoint-firewall
- - forwarded
 - name: syslog_port
 type: integer
 title: Syslog Port
@@ -102,15 +84,6 @@ policy_templates:
 required: true
 show_user: true
 default: localhost
- - name: tags
- type: text
- title: Tags
- multi: true
- required: true
- show_user: true
- default:
- - checkpoint-firewall
- - forwarded
 - name: syslog_port
 type: integer
 title: Syslog Port