I have set up LEM to pull logs from our Check Point firewall. How do I verify that everything is being logged? (Allowed traffic, dropped, etc.) I see a lot of traffic, but when I do a search I do not see any ICMP traffic from when I was testing by pinging from my computer to a server on the Internet.
Thank you in advance.
In Check Point's management center, you can set certain ACLs to the 'log' target. I think out of the box some level of info is logged, then you can specify each ACL to log if you want that in addition. I'm not 100% confident how; in other devices denied traffic is logged by default, but I can't remember if that's the case with Check Point.
You should also be seeing authentication/change activity (someone logging in to the management center, installing policies, etc.).