Help required with CheckPoint Decoder


Hari Sapte

Jan 30, 2026, 6:24:17 AM (3 days ago) Jan 30
to Wazuh | Mailing List
Hello,

I am looking for help with a decoder for CheckPoint logs:

Jan 29 00:17:11 192.168.17.1  2026-01-29T00:17:10+05:1800 192.168.17.1 CP-GW - Log [Fie...@1.3.6.1.4.1.2620 inzone="External" outzone="Internal" service_id="https" src="20.204.108.125" dst="192.168.1.14" proto="6" xlatesrc="" xlatedst="192.168.16.54" NAT_rulenum="6" NAT_addtnl_rulenum="0" NAT_src_origin="" user="" src_user_name="" src_machine_name="" src_user_dn="" snid="" dst_user_name="" dst_machine_name="" dst_user_dn="" UP_match_table="TABLE_START" ROW_START="0" match_id="20" layer_uuid="63b7fe60-76d2-4287-bca5-21af87337b0a" layer_name="Network" rule_uid="9778365d-7429-4fef-aece-89d1e202cb2c" rule_name="PHP App" ROW_END="0" UP_match_table="TABLE_END" NAT_rule_uid="9dbefb72-b9b3-497b-b784-de87ce0ab39c" NAT_addtnl_rule_uid="" ProductName="VPN-1 & FireWall-1" svc="443" sport_svc="40580" xlatedport_svc="" xlatesport_svc="" ProductFamily="Network" ]

I have tried the decoders below; they match, but the related fields in the order are not extracted.
<decoder name="checkpoint-syslog">
  <prematch>CP-GW - Log</prematch>
</decoder>

<decoder name="checkpoint-fields-network">
  <parent>checkpoint-syslog</parent>
  <regex>
    inzone="([^"]+)".*?
    outzone="([^"]+)".*?
    service_id="([^"]+)".*?
    src="([^"]+)".*?
    dst="([^"]+)".*?
    proto="([^"]+)".*?
    rule_name="([^"]+)"
  </regex>
  <order>
    checkpoint.inzone
    checkpoint.outzone
    checkpoint.service_id
    checkpoint.srcip
    checkpoint.dstip
    checkpoint.proto
    checkpoint.rule_name
  </order>
</decoder>

Regards
Hari

Md. Nazmur Sakib

Jan 30, 2026, 6:54:29 AM (3 days ago) Jan 30
to Wazuh | Mailing List

Hi Hari,

The format of the decoders is not correct. AI tools can be helpful for writing decoders and rules, but I would suggest following the Wazuh documentation to review them.
Decoders Syntax

I have written some sample decoders based on your log.

Add the new decoder to /var/ossec/etc/decoders/local_decoder.xml to decode the log information.

<decoder name="checkpoint-firewall">
  <prematch>CP-GW - Log </prematch>
</decoder>

<decoder name="checkpoint-firewall-child">
  <parent>checkpoint-firewall</parent>
  <regex>inzone="(\.*)"</regex>
  <order>inzone</order>
</decoder>

<decoder name="checkpoint-firewall-child">
  <parent>checkpoint-firewall</parent>
  <regex>outzone="(\.*)"</regex>
  <order>outzone</order>
</decoder>

<decoder name="checkpoint-firewall-child">
  <parent>checkpoint-firewall</parent>
  <regex>service_id="(\.*)"</regex>
  <order>service_id</order>
</decoder>

<decoder name="checkpoint-firewall-child">
  <parent>checkpoint-firewall</parent>
  <regex>src="(\.*)"</regex>
  <order>srcip</order>
</decoder>

<decoder name="checkpoint-firewall-child">
  <parent>checkpoint-firewall</parent>
  <regex>dst="(\.*)"</regex>
  <order>dstip</order>
</decoder>

<decoder name="checkpoint-firewall-child">
  <parent>checkpoint-firewall</parent>
  <regex>proto="(\.*)"</regex>
  <order>protocol</order>
</decoder>

<decoder name="checkpoint-firewall-child">
  <parent>checkpoint-firewall</parent>
  <regex>xlatesrc="(\.*)"</regex>
  <order>xlatesrcip</order>
</decoder>

<decoder name="checkpoint-firewall-child">
  <parent>checkpoint-firewall</parent>
  <regex>xlatedst="(\.*)"</regex>
  <order>xlatedstip</order>
</decoder>

<decoder name="checkpoint-firewall-child">
  <parent>checkpoint-firewall</parent>
  <regex>NAT_rulenum="(\.*)"</regex>
  <order>nat_rulenum</order>
</decoder>

<decoder name="checkpoint-firewall-child">
  <parent>checkpoint-firewall</parent>
  <regex>svc="(\.*)"</regex>
  <order>dstport</order>
</decoder>

<decoder name="checkpoint-firewall-child">
  <parent>checkpoint-firewall</parent>
  <regex>sport_svc="(\.*)"</regex>
  <order>srcport</order>
</decoder>

<decoder name="checkpoint-firewall-child">
  <parent>checkpoint-firewall</parent>
  <regex>rule_name="(\.*)"</regex>
  <order>rule_name</order>
</decoder>

<decoder name="checkpoint-firewall-child">
  <parent>checkpoint-firewall</parent>
  <regex>layer_name="(\.*)"</regex>
  <order>layer_name</order>
</decoder>

Restart the Wazuh manager or reload the analysisd to apply the changes:

systemctl restart wazuh-manager
You can make further changes to your decoder following these documents.
Decoders Syntax
Regular Expression Syntax
Custom decoders
Let me know if this works for you.
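A quick way to work out what the child decoders above should produce, and which of their unanchored patterns (src=, dst=, svc=) could hit a longer key such as xlatesrc= or sport_svc= first, before confirming with wazuh-logtest. This is an added Python example, not code from the thread or from Wazuh; it assumes a decoder regex starts matching at the leftmost occurrence of its literal prefix, and the sample body is constructed from the values in the posted log line.

```python
import re

# Constructed sample: the key="value" part of the CheckPoint log posted in the
# thread, with values copied from that line (unused fields omitted).
SAMPLE_BODY = (
    'inzone="External" outzone="Internal" service_id="https" src="20.204.108.125" '
    'dst="192.168.1.14" proto="6" xlatesrc="" xlatedst="192.168.16.54" '
    'NAT_rulenum="6" NAT_src_origin="" layer_name="Network" rule_name="PHP App" '
    'ProductName="VPN-1 & FireWall-1" svc="443" sport_svc="40580"'
)

# Log key -> Wazuh field name, mirroring the <order> names of the child decoders.
FIELD_MAP = {
    "inzone": "inzone", "outzone": "outzone", "service_id": "service_id",
    "src": "srcip", "dst": "dstip", "proto": "protocol", "xlatesrc": "xlatesrcip",
    "xlatedst": "xlatedstip", "NAT_rulenum": "nat_rulenum", "svc": "dstport",
    "sport_svc": "srcport", "rule_name": "rule_name", "layer_name": "layer_name",
}

PAIR = re.compile(r'(\w+)="([^"]*)"')


def parse_pairs(body):
    """All key="value" pairs in order; values may be empty or contain spaces."""
    return [(m.group(1), m.group(2)) for m in PAIR.finditer(body)]


def first_hit(body, key):
    """Key owning the leftmost occurrence of `key="` in the body.
    Differs from `key` when a longer key ending in `key` (xlatesrc for src)
    appears earlier, which is where an unanchored decoder regex would match."""
    pos = body.find(key + '="')
    if pos < 0:
        return None
    return next((m.group(1) for m in PAIR.finditer(body)
                 if m.start() <= pos < m.end()), None)


def expected_fields(body, field_map=FIELD_MAP):
    """Return (decoded, ambiguous): decoded maps Wazuh field -> expected value;
    ambiguous maps Wazuh field -> the key the unanchored pattern would hit
    instead, so that regex can be anchored (e.g. with a leading space)."""
    values = dict(parse_pairs(body))
    decoded, ambiguous = {}, {}
    for key, field in field_map.items():
        if key not in values:
            continue
        hit = first_hit(body, key)
        if hit == key:
            decoded[field] = values[key]
        else:
            ambiguous[field] = hit
    return decoded, ambiguous
```

Compare the decoded dictionary against the "Phase 2" output of wazuh-logtest for the same line; any entry in ambiguous marks a decoder regex that needs a tighter prefix.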
