From 5cc26cf06f19f9c4eb9cfa2da76ec08b556b1777 Mon Sep 17 00:00:00 2001 From: Andrew Kroh Date: Tue, 26 May 2020 17:16:22 -0400 Subject: [PATCH] Disable host.* fields by default for Checkpoint module For the Checkpoint module when data is forwarded to Filebeat from another host/device (this is most of the time) you don't want Filebeat to add `host`. So by default this modules add a `forwarded` tag to events. If you configure the module to not include the `forwarded` tag (e.g. `var.tags: [my_tag]`) then Filebeat will add the `host.*` fields. Relates: #13920 --- CHANGELOG.next.asciidoc | 1 + filebeat/docs/modules/checkpoint.asciidoc | 7 + .../module/checkpoint/_meta/docs.asciidoc | 8 +- .../checkpoint/firewall/config/firewall.yml | 3 +- .../module/checkpoint/firewall/manifest.yml | 4 +- .../test/checkpoint.log-expected.json | 300 ++++++++++++------ 6 files changed, 219 insertions(+), 104 deletions(-) diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc index 91c108dc815e..25878176e173 100644 --- a/CHANGELOG.next.asciidoc +++ b/CHANGELOG.next.asciidoc @@ -33,6 +33,7 @@ happened. {issue}13920[13920] {pull}18223[18223] - With the default configuration the cef and panw modules will no longer send the `host` field. You can revert this change by configuring tags for the module and omitting `forwarded` from the list. {issue}13920[13920] {pull}18223[18223] +* Checkpoint {pull}18754[18754] *Heartbeat* diff --git a/filebeat/docs/modules/checkpoint.asciidoc b/filebeat/docs/modules/checkpoint.asciidoc index 51427f640865..de72aabb2b35 100644 --- a/filebeat/docs/modules/checkpoint.asciidoc +++ b/filebeat/docs/modules/checkpoint.asciidoc 
@@ -62,6 +62,12 @@ Set to 0.0.0.0 to bind to all available interfaces. The UDP port to listen for syslog traffic. Defaults to 9001. +*`var.tags`*:: + +A list of tags to include in events. Including `forwarded` indicates that the +events did not originate on this host and causes `host.name` to not be added to +events. Defaults to `[checkpoint-firewall, forwarded]`. + [float] ==== Check Point devices @@ -166,6 +172,7 @@ Check Point Syslog extensions are mapped as follows to ECS: :modulename!: + [float] === Fields diff --git a/x-pack/filebeat/module/checkpoint/_meta/docs.asciidoc b/x-pack/filebeat/module/checkpoint/_meta/docs.asciidoc index 86e7c510017e..b09dcde23333 100644 --- a/x-pack/filebeat/module/checkpoint/_meta/docs.asciidoc +++ b/x-pack/filebeat/module/checkpoint/_meta/docs.asciidoc @@ -57,6 +57,12 @@ Set to 0.0.0.0 to bind to all available interfaces. The UDP port to listen for syslog traffic. Defaults to 9001. +*`var.tags`*:: + +A list of tags to include in events. Including `forwarded` indicates that the +events did not originate on this host and causes `host.name` to not be added to +events. Defaults to `[checkpoint-firewall, forwarded]`. + [float] ==== Check Point devices @@ -159,4 +165,4 @@ Check Point Syslog extensions are mapped as follows to ECS: | xlatedport | destination.nat.port | |============================================================== -:modulename!: \ No newline at end of file +:modulename!: diff --git a/x-pack/filebeat/module/checkpoint/firewall/config/firewall.yml b/x-pack/filebeat/module/checkpoint/firewall/config/firewall.yml index 32e87abc8388..637a28993150 100644 --- a/x-pack/filebeat/module/checkpoint/firewall/config/firewall.yml +++ b/x-pack/filebeat/module/checkpoint/firewall/config/firewall.yml @@ -15,7 +15,8 @@ exclude_files: [".gz$"] {{ end }} -tags: {{.tags}} +tags: {{.tags | tojson}} +publisher_pipeline.disable_host: {{ inList .tags "forwarded" }} processors: - add_locale: ~ 
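Review bot: The added `publisher_pipeline.disable_host: {{ inList .tags "forwarded" }}` line in `config/firewall.yml` makes a free-form tag the switch for host enrichment, and nothing in the template says so. Anyone who overrides `var.tags` purely for labelling (the commit message's own `var.tags: [my_tag]` example) silently gets the collector's `host.*` fields stamped on firewall events again, which misattributes the log source in downstream searches and detections. I would add a comment above the line, e.g. `# The "forwarded" tag is functional: when present, Filebeat does not add host.* to these events.` If `inList` is an exact string match, as it appears to be, a variant such as `Forwarded` would also re-enable the fields, so the comment should say the tag must be spelled exactly. The same coupling applies to the new default in `firewall/manifest.yml`.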
diff --git a/x-pack/filebeat/module/checkpoint/firewall/manifest.yml b/x-pack/filebeat/module/checkpoint/firewall/manifest.yml index 9b1da1c03e60..dc93980532f7 100644 --- a/x-pack/filebeat/module/checkpoint/firewall/manifest.yml +++ b/x-pack/filebeat/module/checkpoint/firewall/manifest.yml @@ -4,12 +4,12 @@ var: - name: syslog_host default: localhost - name: tags - default: [checkpoint-firewall] + default: [checkpoint-firewall, forwarded] - name: syslog_port default: 9001 - name: input default: syslog -ingest_pipeline: +ingest_pipeline: - ingest/pipeline.json input: config/firewall.yml diff --git a/x-pack/filebeat/module/checkpoint/firewall/test/checkpoint.log-expected.json b/x-pack/filebeat/module/checkpoint/firewall/test/checkpoint.log-expected.json index 4e8517f4794d..8a1446f3599c 100644 --- a/x-pack/filebeat/module/checkpoint/firewall/test/checkpoint.log-expected.json +++ b/x-pack/filebeat/module/checkpoint/firewall/test/checkpoint.log-expected.json @@ -22,7 +22,8 @@ "observer.vendor": "Checkpoint", "service.type": "checkpoint", "tags": [ - "checkpoint-firewall" + "checkpoint-firewall", + "forwarded" ] }, { @@ -48,7 +49,8 @@ "observer.vendor": "Checkpoint", "service.type": "checkpoint", "tags": [ - "checkpoint-firewall" + "checkpoint-firewall", + "forwarded" ] }, { @@ -74,7 +76,8 @@ "observer.vendor": "Checkpoint", "service.type": "checkpoint", "tags": [ - "checkpoint-firewall" + "checkpoint-firewall", + "forwarded" ] }, { @@ -127,7 +130,8 @@ "source.ip": "192.168.1.100", "source.port": "46915", "tags": [ - "checkpoint-firewall" + "checkpoint-firewall", + "forwarded" ] }, { @@ -192,7 +196,8 @@ "source.nat.port": "26680", "source.port": "61794", "tags": [ - "checkpoint-firewall" + "checkpoint-firewall", + "forwarded" ] }, { @@ -245,7 +250,8 @@ "source.ip": "192.168.1.100", "source.port": "36749", "tags": [ - "checkpoint-firewall" + "checkpoint-firewall", + "forwarded" ] }, { 
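Review bot: The new default `[checkpoint-firewall, forwarded]` on the `tags` var in `manifest.yml` changes behaviour only for deployments that never set `var.tags`; an existing config that overrides the list keeps adding `host.*` after the upgrade, so one fleet can end up with both shapes of event. The updated `checkpoint.log-expected.json` fixture exercises only the default, and no test visible in this patch covers a tag list without `forwarded` to confirm the host fields come back. I would add a comment on the default, `# keep "forwarded" unless events originate on the Filebeat host; it disables host.* enrichment`, and a second fixture for the opt-out path. The hunk also carries what looks like an unrelated whitespace-only change on `ingest_pipeline:`.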
@@ -307,7 +313,8 @@ "source.nat.port": "10012", "source.port": "41566", "tags": [ - "checkpoint-firewall" + "checkpoint-firewall", + "forwarded" ] }, { @@ -360,7 +367,8 @@ "source.ip": "192.168.1.100", "source.port": "55799", "tags": [ - "checkpoint-firewall" + "checkpoint-firewall", + "forwarded" ] }, { @@ -422,7 +430,8 @@ "source.nat.port": "10013", "source.port": "48698", "tags": [ - "checkpoint-firewall" + "checkpoint-firewall", + "forwarded" ] }, { @@ -475,7 +484,8 @@ "source.ip": "192.168.1.100", "source.port": "48658", "tags": [ - "checkpoint-firewall" + "checkpoint-firewall", + "forwarded" ] }, { @@ -537,7 +547,8 @@ "source.nat.port": "10014", "source.port": "61150", "tags": [ - "checkpoint-firewall" + "checkpoint-firewall", + "forwarded" ] }, { @@ -590,7 +601,8 @@ "source.ip": "192.168.1.100", "source.port": "59800", "tags": [ - "checkpoint-firewall" + "checkpoint-firewall", + "forwarded" ] }, { @@ -652,7 +664,8 @@ "source.nat.port": "26681", "source.port": "55110", "tags": [ - "checkpoint-firewall" + "checkpoint-firewall", + "forwarded" ] }, { @@ -705,7 +718,8 @@ "source.ip": "192.168.1.100", "source.port": "49780", "tags": [ - "checkpoint-firewall" + "checkpoint-firewall", + "forwarded" ] }, { @@ -767,7 +781,8 @@ "source.nat.port": "26682", "source.port": "48718", "tags": [ - "checkpoint-firewall" + "checkpoint-firewall", + "forwarded" ] }, { @@ -820,7 +835,8 @@ "source.ip": "192.168.1.100", "source.port": "33536", "tags": [ - "checkpoint-firewall" + "checkpoint-firewall", + "forwarded" ] }, { @@ -882,7 +898,8 @@ "source.nat.port": "26683", "source.port": "62206", "tags": [ - "checkpoint-firewall" + "checkpoint-firewall", + "forwarded" ] }, { @@ -935,7 +952,8 @@ "source.ip": "192.168.1.100", "source.port": "61767", "tags": [ - "checkpoint-firewall" + "checkpoint-firewall", + "forwarded" ] }, { @@ -997,7 +1015,8 @@ "source.nat.port": "26684", "source.port": "41596", "tags": [ - "checkpoint-firewall" + "checkpoint-firewall", + "forwarded" ] }, { 
@@ -1050,7 +1069,8 @@ "source.ip": "192.168.1.100", "source.port": "48728", "tags": [ - "checkpoint-firewall" + "checkpoint-firewall", + "forwarded" ] }, { @@ -1112,7 +1132,8 @@ "source.nat.port": "10015", "source.port": "61180", "tags": [ - "checkpoint-firewall" + "checkpoint-firewall", + "forwarded" ] }, { @@ -1165,7 +1186,8 @@ "source.ip": "192.168.1.100", "source.port": "64364", "tags": [ - "checkpoint-firewall" + "checkpoint-firewall", + "forwarded" ] }, { @@ -1227,7 +1249,8 @@ "source.nat.port": "10016", "source.port": "48732", "tags": [ - "checkpoint-firewall" + "checkpoint-firewall", + "forwarded" ] }, { @@ -1280,7 +1303,8 @@ "source.ip": "192.168.1.100", "source.port": "54002", "tags": [ - "checkpoint-firewall" + "checkpoint-firewall", + "forwarded" ] }, { @@ -1342,7 +1366,8 @@ "source.nat.port": "43354", "source.port": "62222", "tags": [ - "checkpoint-firewall" + "checkpoint-firewall", + "forwarded" ] }, { @@ -1395,7 +1420,8 @@ "source.ip": "192.168.1.100", "source.port": "40677", "tags": [ - "checkpoint-firewall" + "checkpoint-firewall", + "forwarded" ] }, { @@ -1457,7 +1483,8 @@ "source.nat.port": "10017", "source.port": "61188", "tags": [ - "checkpoint-firewall" + "checkpoint-firewall", + "forwarded" ] }, { @@ -1510,7 +1537,8 @@ "source.ip": "192.168.1.100", "source.port": "53589", "tags": [ - "checkpoint-firewall" + "checkpoint-firewall", + "forwarded" ] }, { @@ -1572,7 +1600,8 @@ "source.nat.port": "26685", "source.port": "41624", "tags": [ - "checkpoint-firewall" + "checkpoint-firewall", + "forwarded" ] }, { @@ -1625,7 +1654,8 @@ "source.ip": "192.168.1.100", "source.port": "36166", "tags": [ - "checkpoint-firewall" + "checkpoint-firewall", + "forwarded" ] }, { @@ -1687,7 +1717,8 @@ "source.nat.port": "10018", "source.port": "48758", "tags": [ - "checkpoint-firewall" + "checkpoint-firewall", + "forwarded" ] }, { 
@@ -1740,7 +1771,8 @@ "source.ip": "192.168.1.100", "source.port": "43736", "tags": [ - "checkpoint-firewall" + "checkpoint-firewall", + "forwarded" ] }, { @@ -1802,7 +1834,8 @@ "source.nat.port": "10019", "source.port": "62246", "tags": [ - "checkpoint-firewall" + "checkpoint-firewall", + "forwarded" ] }, { @@ -1855,7 +1888,8 @@ "source.ip": "192.168.1.100", "source.port": "46065", "tags": [ - "checkpoint-firewall" + "checkpoint-firewall", + "forwarded" ] }, { @@ -1917,7 +1951,8 @@ "source.nat.port": "10020", "source.port": "41638", "tags": [ - "checkpoint-firewall" + "checkpoint-firewall", + "forwarded" ] }, { @@ -1970,7 +2005,8 @@ "source.ip": "192.168.1.100", "source.port": "43388", "tags": [ - "checkpoint-firewall" + "checkpoint-firewall", + "forwarded" ] }, { @@ -2032,7 +2068,8 @@ "source.nat.port": "43355", "source.port": "61224", "tags": [ - "checkpoint-firewall" + "checkpoint-firewall", + "forwarded" ] }, { @@ -2085,7 +2122,8 @@ "source.ip": "192.168.1.100", "source.port": "61851", "tags": [ - "checkpoint-firewall" + "checkpoint-firewall", + "forwarded" ] }, { @@ -2129,7 +2167,8 @@ "source.user.id": "{FF0154DE-7D18-4396-B0C2-7E8951B393A4}", "source.user.name": "admin", "tags": [ - "checkpoint-firewall" + "checkpoint-firewall", + "forwarded" ] }, { @@ -2191,7 +2230,8 @@ "source.nat.port": "43356", "source.port": "48776", "tags": [ - "checkpoint-firewall" + "checkpoint-firewall", + "forwarded" ] }, { @@ -2217,7 +2257,8 @@ "observer.vendor": "Checkpoint", "service.type": "checkpoint", "tags": [ - "checkpoint-firewall" + "checkpoint-firewall", + "forwarded" ] }, { @@ -2282,7 +2323,8 @@ "source.nat.port": "26686", "source.port": "51436", "tags": [ - "checkpoint-firewall" + "checkpoint-firewall", + "forwarded" ] }, { @@ -2335,7 +2377,8 @@ "source.ip": "192.168.1.100", "source.port": "36896", "tags": [ - "checkpoint-firewall" + "checkpoint-firewall", + "forwarded" ] }, { 
@@ -2388,7 +2431,8 @@ "source.ip": "192.168.1.100", "source.port": "38864", "tags": [ - "checkpoint-firewall" + "checkpoint-firewall", + "forwarded" ] }, { @@ -2441,7 +2485,8 @@ "source.ip": "192.168.1.100", "source.port": "59284", "tags": [ - "checkpoint-firewall" + "checkpoint-firewall", + "forwarded" ] }, { @@ -2503,7 +2548,8 @@ "source.nat.port": "26687", "source.port": "62396", "tags": [ - "checkpoint-firewall" + "checkpoint-firewall", + "forwarded" ] }, { @@ -2556,7 +2602,8 @@ "source.ip": "192.168.1.100", "source.port": "43379", "tags": [ - "checkpoint-firewall" + "checkpoint-firewall", + "forwarded" ] }, { @@ -2618,7 +2665,8 @@ "source.nat.port": "26688", "source.port": "48914", "tags": [ - "checkpoint-firewall" + "checkpoint-firewall", + "forwarded" ] }, { @@ -2671,7 +2719,8 @@ "source.ip": "192.168.1.100", "source.port": "41365", "tags": [ - "checkpoint-firewall" + "checkpoint-firewall", + "forwarded" ] }, { @@ -2733,7 +2782,8 @@ "source.nat.port": "10021", "source.port": "41844", "tags": [ - "checkpoint-firewall" + "checkpoint-firewall", + "forwarded" ] }, { @@ -2786,7 +2836,8 @@ "source.ip": "192.168.1.100", "source.port": "47951", "tags": [ - "checkpoint-firewall" + "checkpoint-firewall", + "forwarded" ] }, { @@ -2848,7 +2899,8 @@ "source.nat.port": "26689", "source.port": "62468", "tags": [ - "checkpoint-firewall" + "checkpoint-firewall", + "forwarded" ] }, { @@ -2901,7 +2953,8 @@ "source.ip": "192.168.1.100", "source.port": "36526", "tags": [ - "checkpoint-firewall" + "checkpoint-firewall", + "forwarded" ] }, { @@ -2963,7 +3016,8 @@ "source.nat.port": "26690", "source.port": "61434", "tags": [ - "checkpoint-firewall" + "checkpoint-firewall", + "forwarded" ] }, { @@ -3016,7 +3070,8 @@ "source.ip": "192.168.1.100", "source.port": "34981", "tags": [ - "checkpoint-firewall" + "checkpoint-firewall", + "forwarded" ] }, { 
@@ -3078,7 +3133,8 @@ "source.nat.port": "26691", "source.port": "41856", "tags": [ - "checkpoint-firewall" + "checkpoint-firewall", + "forwarded" ] }, { @@ -3122,7 +3178,8 @@ "source.user.id": "{597182F7-E1BA-460F-B6E0-D4996295B5CC}", "source.user.name": "admin", "tags": [ - "checkpoint-firewall" + "checkpoint-firewall", + "forwarded" ] }, { @@ -3175,7 +3232,8 @@ "source.ip": "192.168.1.100", "source.port": "61445", "tags": [ - "checkpoint-firewall" + "checkpoint-firewall", + "forwarded" ] }, { @@ -3237,7 +3295,8 @@ "source.nat.port": "26692", "source.port": "48990", "tags": [ - "checkpoint-firewall" + "checkpoint-firewall", + "forwarded" ] }, { @@ -3290,7 +3349,8 @@ "source.ip": "192.168.1.100", "source.port": "64618", "tags": [ - "checkpoint-firewall" + "checkpoint-firewall", + "forwarded" ] }, { @@ -3352,7 +3412,8 @@ "source.nat.port": "26693", "source.port": "62478", "tags": [ - "checkpoint-firewall" + "checkpoint-firewall", + "forwarded" ] }, { @@ -3405,7 +3466,8 @@ "source.ip": "192.168.1.100", "source.port": "61203", "tags": [ - "checkpoint-firewall" + "checkpoint-firewall", + "forwarded" ] }, { @@ -3467,7 +3529,8 @@ "source.nat.port": "10022", "source.port": "41864", "tags": [ - "checkpoint-firewall" + "checkpoint-firewall", + "forwarded" ] }, { @@ -3520,7 +3583,8 @@ "source.ip": "192.168.1.100", "source.port": "35209", "tags": [ - "checkpoint-firewall" + "checkpoint-firewall", + "forwarded" ] }, { @@ -3582,7 +3646,8 @@ "source.nat.port": "43357", "source.port": "61446", "tags": [ - "checkpoint-firewall" + "checkpoint-firewall", + "forwarded" ] }, { @@ -3635,7 +3700,8 @@ "source.ip": "192.168.1.100", "source.port": "35787", "tags": [ - "checkpoint-firewall" + "checkpoint-firewall", + "forwarded" ] }, { @@ -3697,7 +3763,8 @@ "source.nat.port": "43358", "source.port": "48998", "tags": [ - "checkpoint-firewall" + "checkpoint-firewall", + "forwarded" ] }, { 
@@ -3759,7 +3826,8 @@ "source.nat.port": "43359", "source.port": "41870", "tags": [ - "checkpoint-firewall" + "checkpoint-firewall", + "forwarded" ] }, { @@ -3812,7 +3880,8 @@ "source.ip": "192.168.1.100", "source.port": "46851", "tags": [ - "checkpoint-firewall" + "checkpoint-firewall", + "forwarded" ] }, { @@ -3865,7 +3934,8 @@ "source.ip": "192.168.1.100", "source.port": "37927", "tags": [ - "checkpoint-firewall" + "checkpoint-firewall", + "forwarded" ] }, { @@ -3927,7 +3997,8 @@ "source.nat.port": "26694", "source.port": "62488", "tags": [ - "checkpoint-firewall" + "checkpoint-firewall", + "forwarded" ] }, { @@ -3980,7 +4051,8 @@ "source.ip": "192.168.1.100", "source.port": "45589", "tags": [ - "checkpoint-firewall" + "checkpoint-firewall", + "forwarded" ] }, { @@ -4042,7 +4114,8 @@ "source.nat.port": "10023", "source.port": "61454", "tags": [ - "checkpoint-firewall" + "checkpoint-firewall", + "forwarded" ] }, { @@ -4068,7 +4141,8 @@ "observer.vendor": "Checkpoint", "service.type": "checkpoint", "tags": [ - "checkpoint-firewall" + "checkpoint-firewall", + "forwarded" ] }, { @@ -4094,7 +4168,8 @@ "observer.vendor": "Checkpoint", "service.type": "checkpoint", "tags": [ - "checkpoint-firewall" + "checkpoint-firewall", + "forwarded" ] }, { @@ -4120,7 +4195,8 @@ "observer.vendor": "Checkpoint", "service.type": "checkpoint", "tags": [ - "checkpoint-firewall" + "checkpoint-firewall", + "forwarded" ] }, { @@ -4185,7 +4261,8 @@ "source.nat.port": "43360", "source.port": "62122", "tags": [ - "checkpoint-firewall" + "checkpoint-firewall", + "forwarded" ] }, { @@ -4238,7 +4315,8 @@ "source.ip": "192.168.1.100", "source.port": "40928", "tags": [ - "checkpoint-firewall" + "checkpoint-firewall", + "forwarded" ] }, { @@ -4291,7 +4369,8 @@ "source.ip": "192.168.1.100", "source.port": "51957", "tags": [ - "checkpoint-firewall" + "checkpoint-firewall", + "forwarded" ] }, { 
@@ -4353,7 +4432,8 @@ "source.nat.port": "26695", "source.port": "55424", "tags": [ - "checkpoint-firewall" + "checkpoint-firewall", + "forwarded" ] }, { @@ -4406,7 +4486,8 @@ "source.ip": "192.168.1.100", "source.port": "37029", "tags": [ - "checkpoint-firewall" + "checkpoint-firewall", + "forwarded" ] }, { @@ -4468,7 +4549,8 @@ "source.nat.port": "26696", "source.port": "49026", "tags": [ - "checkpoint-firewall" + "checkpoint-firewall", + "forwarded" ] }, { @@ -4521,7 +4603,8 @@ "source.ip": "192.168.1.100", "source.port": "61725", "tags": [ - "checkpoint-firewall" + "checkpoint-firewall", + "forwarded" ] }, { @@ -4583,7 +4666,8 @@ "source.nat.port": "26697", "source.port": "62514", "tags": [ - "checkpoint-firewall" + "checkpoint-firewall", + "forwarded" ] }, { @@ -4636,7 +4720,8 @@ "source.ip": "192.168.1.100", "source.port": "59562", "tags": [ - "checkpoint-firewall" + "checkpoint-firewall", + "forwarded" ] }, { @@ -4698,7 +4783,8 @@ "source.nat.port": "10024", "source.port": "41902", "tags": [ - "checkpoint-firewall" + "checkpoint-firewall", + "forwarded" ] }, { @@ -4751,7 +4837,8 @@ "source.ip": "192.168.1.100", "source.port": "60754", "tags": [ - "checkpoint-firewall" + "checkpoint-firewall", + "forwarded" ] }, { @@ -4813,7 +4900,8 @@ "source.nat.port": "43361", "source.port": "61490", "tags": [ - "checkpoint-firewall" + "checkpoint-firewall", + "forwarded" ] }, { @@ -4866,7 +4954,8 @@ "source.ip": "192.168.1.100", "source.port": "36577", "tags": [ - "checkpoint-firewall" + "checkpoint-firewall", + "forwarded" ] }, { @@ -4928,7 +5017,8 @@ "source.nat.port": "26698", "source.port": "49042", "tags": [ - "checkpoint-firewall" + "checkpoint-firewall", + "forwarded" ] }, { @@ -4981,7 +5071,8 @@ "source.ip": "192.168.1.100", "source.port": "39956", "tags": [ - "checkpoint-firewall" + "checkpoint-firewall", + "forwarded" ] }, { 
@@ -5043,7 +5134,8 @@ "source.nat.port": "26699", "source.port": "41914", "tags": [ - "checkpoint-firewall" + "checkpoint-firewall", + "forwarded" ] }, { @@ -5096,7 +5188,8 @@ "source.ip": "192.168.1.100", "source.port": "46729", "tags": [ - "checkpoint-firewall" + "checkpoint-firewall", + "forwarded" ] }, { @@ -5158,7 +5251,8 @@ "source.nat.port": "10025", "source.port": "62534", "tags": [ - "checkpoint-firewall" + "checkpoint-firewall", + "forwarded" ] }, { @@ -5211,7 +5305,8 @@ "source.ip": "192.168.1.100", "source.port": "37133", "tags": [ - "checkpoint-firewall" + "checkpoint-firewall", + "forwarded" ] }, { @@ -5273,7 +5368,8 @@ "source.nat.port": "10026", "source.port": "61500", "tags": [ - "checkpoint-firewall" + "checkpoint-firewall", + "forwarded" ] }, { @@ -5326,7 +5422,8 @@ "source.ip": "192.168.1.100", "source.port": "44417", "tags": [ - "checkpoint-firewall" + "checkpoint-firewall", + "forwarded" ] }, { @@ -5388,7 +5485,8 @@ "source.nat.port": "10027", "source.port": "41938", "tags": [ - "checkpoint-firewall" + "checkpoint-firewall", + "forwarded" ] }, { @@ -5441,7 +5539,8 @@ "source.ip": "192.168.1.100", "source.port": "37245", "tags": [ - "checkpoint-firewall" + "checkpoint-firewall", + "forwarded" ] }, { @@ -5503,7 +5602,8 @@ "source.nat.port": "43362", "source.port": "49102", "tags": [ - "checkpoint-firewall" + "checkpoint-firewall", + "forwarded" ] } ] \ No newline at end of file