elastic · P1llus · May 10, 2021 · May 7, 2021
diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc
@@ -396,6 +396,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
 - Fix s3 input when there is a blank line in the log file. {pull}25357[25357]
 - Fix Nginx module pipelines. {issue}19088[19088] {pull}24699[24699]
 - Remove space from field `sophos.xg.trans_src_ ip`. {issue}25154[25154] {pull}25250[25250]
+- Fix `checkpoint.action_reason` when its a string, not a Long. {issue}25575[25575] {pull}25609[25609]
 
 *Heartbeat*
 

diff --git a/filebeat/docs/fields.asciidoc b/filebeat/docs/fields.asciidoc
@@ -20117,6 +20117,16 @@ type: integer
 
 --
 
+*`checkpoint.action_reason_msg`*::
++
+--
+Connection drop reason message.
+
+
+type: keyword
+
+--
+
 *`checkpoint.c_bytes`*::
 +
 --

diff --git a/x-pack/filebeat/module/checkpoint/fields.go b/x-pack/filebeat/module/checkpoint/fields.go
diff --git a/x-pack/filebeat/module/checkpoint/firewall/_meta/fields.yml b/x-pack/filebeat/module/checkpoint/firewall/_meta/fields.yml
@@ -1949,6 +1949,12 @@
  description: >
  Connection drop reason.
 
+ - name: action_reason_msg
+ type: keyword
+ overwrite: true
+ description: >
+ Connection drop reason message.
+
  - name: c_bytes
  type: integer
  overwrite: true

diff --git a/x-pack/filebeat/module/checkpoint/firewall/ingest/pipeline.yml b/x-pack/filebeat/module/checkpoint/firewall/ingest/pipeline.yml
@@ -741,6 +741,11 @@ processors:
  source: "ctx.network.packets = ctx.source.packets + ctx.destination.packets"
  if: ctx?.source?.packets != null && ctx?.destination?.packets != null && ctx?.network?.packets == null
  ignore_failure: true
+- rename:
+ field: checkpoint.action_reason
+ target_field: checkpoint.action_reason_msg
+ if: ctx.checkpoint?.action_reason != null && ctx.checkpoint?.action_reason.contains(" ")
+ ignore_missing: true
 - geoip:
  field: source.ip
  target_field: source.geo

diff --git a/x-pack/filebeat/module/checkpoint/firewall/test/checkpoint_with_time.log b/x-pack/filebeat/module/checkpoint/firewall/test/checkpoint_with_time.log
@@ -1 +1,2 @@
 <134>1 2020-03-30T07:20:35Z gw-da58d3 CheckPoint 7776 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e819dc3,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; time:"1594646954"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"192.168.1.153"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"43103"; service:"514"; service_id:"syslog"; src:"192.168.1.100"]
+<134>1 2021-05-05T12:27:09Z cp-m CheckPoint 1231 - [action:"Drop"; flags:"278528"; ifdir:"inbound"; ifname:"bond1.3999"; loguid:"{0x60928f1d,0x8,0x40de101f,0xfcdbb197}"; origin:"127.0.0.1"; originsicname:"CN=CP,O=cp.com.9jjkfo"; sequencenum:"62"; time:"1620217629"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={F6212FB3-54CE-6344-9164-B224119E2B92};mgmt=cp-m;date=1620031791;policy_name=CP-Cluster]"; action_reason:"Dropped by multiportal infrastructure"; dst:"1.1.1.1"; product:"VPN & FireWall"; proto:"6"; s_port:"52780"; service:"80"; src:"1.1.1.1"]
diff --git a/x-pack/filebeat/module/checkpoint/firewall/test/checkpoint_with_time.log-expected.json b/x-pack/filebeat/module/checkpoint/firewall/test/checkpoint_with_time.log-expected.json
@@ -52,5 +52,60 @@
  "checkpoint-firewall",
  "forwarded"
  ]
+ },
+ {
+ "@timestamp": "2021-05-05T12:27:09.000Z",
+ "checkpoint.action_reason_msg": "Dropped by multiportal infrastructure",
+ "client.ip": "1.1.1.1",
+ "client.port": 52780,
+ "destination.as.number": 13335,
+ "destination.as.organization.name": "Cloudflare, Inc.",
+ "destination.geo.continent_name": "Oceania",
+ "destination.geo.country_iso_code": "AU",
+ "destination.geo.country_name": "Australia",
+ "destination.geo.location.lat": -33.494,
+ "destination.geo.location.lon": 143.2104,
+ "destination.ip": "1.1.1.1",
+ "destination.port": 80,
+ "event.action": "Drop",
+ "event.category": [
+ "network"
+ ],
+ "event.dataset": "checkpoint.firewall",
+ "event.id": "{0x60928f1d,0x8,0x40de101f,0xfcdbb197}",
+ "event.kind": "event",
+ "event.module": "checkpoint",
+ "event.sequence": 62,
+ "event.timezone": "-02:00",
+ "fileset.name": "firewall",
+ "input.type": "log",
+ "log.offset": 797,
+ "network.direction": "inbound",
+ "network.iana_number": "6",
+ "observer.ingress.interface.name": "bond1.3999",
+ "observer.name": "127.0.0.1",
+ "observer.product": "VPN & FireWall",
+ "observer.type": "firewall",
+ "observer.vendor": "Checkpoint",
+ "related.ip": [
+ "1.1.1.1",
+ "1.1.1.1"
+ ],
+ "server.ip": "1.1.1.1",
+ "server.port": 80,
+ "service.type": "checkpoint",
+ "source.as.number": 13335,
+ "source.as.organization.name": "Cloudflare, Inc.",
+ "source.geo.continent_name": "Oceania",
+ "source.geo.country_iso_code": "AU",
+ "source.geo.country_name": "Australia",
+ "source.geo.location.lat": -33.494,
+ "source.geo.location.lon": 143.2104,
+ "source.ip": "1.1.1.1",
+ "source.port": 52780,
+ "tags": [
+ "checkpoint-firewall",
+ "forwarded"
+ ]
  }
 ]