Check Point Security Gateway
Check Point Security Gateway SmartLog — 8 software blades including Firewall, IPS, Application Control, URL Filtering, Anti-Bot, Anti-Virus, Threat Emulation, and Identity Awareness.
Quick Start
```shell
uv tool install eventum-generator
git clone https://github.com/eventum-generator/content-packs.git
cd content-packs
eventum generate \
  --path generators/network-checkpoint/generator.yml \
  --id checkpoint-gw \
  --live-mode true
```
Event Types
| Event ID | Description | Frequency | Category |
|---|---|---|---|
| fw-accept | Firewall Accept | ~55% | network |
| fw-drop | Firewall Drop | ~20% | network |
| app-control | Application Control | ~6% | network |
| url-filter | URL Filtering | ~5% | network |
| fw-reject | Firewall Reject | ~3% | network |
| ips-detect | IPS Detect | ~3% | intrusion_detection |
| vpn | VPN Encrypt/Decrypt | ~3% | network |
| ips-prevent | IPS Prevent | ~1.5% | intrusion_detection |
| anti-bot | Anti-Bot detection | ~1.5% | malware |
| anti-virus | Anti-Virus detection | ~1% | malware |
| identity | Identity Awareness login/logout | ~1% | authentication |
Realism Features
- Zone-aware routing — Internal→External, External→DMZ, Internal→Internal with interface assignment
- NAT translation — Source NAT for 70% of outbound accepted connections
- 15 named firewall rules with UUIDs, layer hierarchy, and weighted selection
- 15 IPS signatures with CVE references, severity, and confidence levels
- 16 applications with risk scores (0–5) and risk-based allow/block decisions
- 15 URL categories including blocked (gambling, malware, phishing)
Sample Output
```json
{
  "@timestamp": "2026-02-21T14:30:15.000000+00:00",
  "checkpoint": {
    "rule_action": "Accept",
    "layer_name": "Network",
    "sequencenum": 42
  },
  "event": {
    "action": "Accept",
    "category": ["network"],
    "dataset": "checkpoint.firewall",
    "outcome": "success",
    "type": ["allowed", "connection"]
  },
  "source": { "ip": "10.1.1.30", "port": 52481 },
  "destination": { "ip": "93.184.216.34", "port": 443 },
  "network": { "direction": "outbound", "transport": "tcp" },
  "observer": {
    "product": "VPN-1 & FireWall-1",
    "type": "firewall",
    "vendor": "Checkpoint"
  },
  "rule": { "name": "Allow Outbound HTTPS" }
}
```
Parameters
| Parameter | Default | Description |
|---|---|---|
| hostname | cpgw-01 | Security Gateway hostname |
| domain | example.com | Domain name |
| gateway_ip | 192.168.10.1 | Gateway management IP |
| nat_ip | 198.51.100.1 | Public NAT IP address |
| agent_id | 7b2c5f1a-... | Filebeat agent UUID |
| agent_version | 8.17.0 | Filebeat agent version |
Related Generators
Cisco ASA Firewall
Cisco ASA adaptive security appliance syslog — TCP/UDP/ICMP connection lifecycle, ACL permit/deny decisions, NAT translations, VPN tunnel events, and failover status messages.
Network Traffic (Continent-Level Geo)
Network traffic events enriched with continent-level geographic information. Models cross-continent and same-continent flows for both inbound and outbound directions, with realistic allow/deny outcomes based on geographic policy.
Network DNS Traffic
Passive DNS transaction logs — query/response pairs for A, AAAA, CNAME, MX, TXT, PTR, SRV, SOA, NS, and DNSKEY records. Mixed internal/external resolvers with NXDOMAIN, SERVFAIL, and REFUSED errors.