Adding Devices to JSA Risk Manager That Are Managed by a CPSMS Console

 

Use Configuration Source Management to add devices from a Check Point Security Manager Server (CPSMS) to JSA Risk Manager.

Depending on your version of Check Point Security Manager Server, you must choose one of the following discovery methods to add your devices to JSA Risk Manager.

Adding Devices that are Managed by CPSMS by Using OPSEC

Add devices that are managed by Check Point Security Manager Server versions NGX R60 to R77 to JSA Risk Manager by using OPSEC to discover and add the devices.

Review the supported software versions, credentials, and required commands for your network devices. For more information, see Supported Adapters.

Before you begin this procedure, you must obtain the OPSEC Entity SIC name, the OPSEC Application Object SIC name, and the one-time pull certificate password. For more information, see your CPSMS documentation.

Note

The Device Import feature is not compatible with CPSMS adapters.

Repeat the following procedure for each CPSMS that you want to connect to and whose managed firewalls you want to discover.

  1. On the navigation menu, click Admin to open the admin tab.
  2. On the Admin navigation menu, click Apps.
  3. On the Risk Manager pane, click Configuration Source Management.
  4. On the navigation menu, click Credentials.
  5. On the Network Groups pane, click Add a new network group.
    1. Type a name for the network group, and then click OK.

    2. Type the IP address of your CPSMS device, and then click Add.

      Note

      Do not replicate device addresses that exist in other network groups in Configuration Source Management.

    3. Ensure that the addresses that you add are displayed in the Network address box beside the Add address box.

  6. On the Credentials pane, click Add a new credential set.
    1. Type a name for the credential set, and then click OK.

    2. Select the name of the credential set that you created, and then type a valid user name and password for the device.

  7. Type the OPSEC Entity SIC name of the CPSMS that manages the firewall devices to be discovered. This value must be exact because the format depends on the type of device that the discovery is coming from. Use the following table as a reference to OPSEC Entity SIC name formats.

    | Type | Name |
    | --- | --- |
    | Management Server | CN=cp_mgmt,O=<take O value from DN field> |
    | Gateway to Management Server | CN=cp_mgmt_<gateway hostname>,O=<take O value from DN field> |

    For example, when you are discovering from the Management Server:

    • OPSEC Application DN: CN=cpsms226,O=vm226-CPSMS..bs7ocx

    • OPSEC Application Host: vm226-CPSMS

    The Entity SIC Name is CN=cp_mgmt,O=vm226-CPSMS..bs7ocx

    For example, when you are discovering from the Gateway to Management Server:

    • OPSEC Application DN: CN=cpsms230,O=vm226-CPSMS..bs7ocx

    • OPSEC Application Host: vm230-CPSMS2-GW3

    The Entity SIC Name is CN=cp_mgmt_vm230-CPSMS2-GW3,O=vm226-CPSMS..bs7ocx

  8. Use the Check Point SmartDashboard application to enter the OPSEC Application Object SIC name that was created on the CPSMS.
  9. Obtain the OPSEC SSL Certificate:
    1. Click Get Certificate.

    2. In the Certificate Authority IP field, type the IP address.

    3. In the Pull Certificate Password field, type the one-time password for the OPSEC Application.

    4. Click OK.

  10. Click OK.
  11. Click Protocols and verify that the CPSMS protocol is selected.

    The default port for the CPSMS protocol is 18190.

  12. Click Discover From Check Point OPSEC, and then enter the CPSMS IP address.
  13. Click OK.
  14. Repeat these steps for each CPSMS device that you want to add.

After you add all the required devices, back up the devices and view them in the topology.
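
Because the OPSEC Entity SIC name in step 7 must be exact, the following added example (not part of the JSA or Check Point documentation) derives the expected value from the OPSEC Application DN by using the two formats in the table, and reports how a typed value differs from it. The function names are hypothetical, and the two-part CN=<name>,O=<value> DN form is assumed from the examples in step 7.

```python
import re

# Two-part DN as shown in the page's examples: CN=<name>,O=<value> (assumed form).
_DN = re.compile(r"^CN=(?P<cn>[^,=]+),O=(?P<o>[^,=]+)$")


def expected_entity_sic(app_dn, gateway_host=None):
    """Build the Entity SIC name from the OPSEC Application DN.

    gateway_host=None   -> Management Server format
    gateway_host="name" -> Gateway to Management Server format
    """
    m = _DN.match(app_dn)
    if m is None:
        raise ValueError("Application DN is not CN=<name>,O=<value>: %r" % app_dn)
    cn = "cp_mgmt" if gateway_host is None else "cp_mgmt_" + gateway_host
    return "CN=%s,O=%s" % (cn, m.group("o"))


def check_entity_sic(typed, app_dn, gateway_host=None):
    """Return the list of problems in a typed value; an empty list means exact."""
    want = _DN.match(expected_entity_sic(app_dn, gateway_host))
    problems = []
    if typed != typed.strip():
        problems.append("leading or trailing whitespace")
    got = _DN.match(typed.strip())
    if got is None:
        return problems + ["not in CN=<name>,O=<value> form"]
    for part in ("cn", "o"):
        if got.group(part) != want.group(part):
            problems.append("%s is %r, expected %r"
                            % (part.upper(), got.group(part), want.group(part)))
    return problems


if __name__ == "__main__":
    # Values from the page's two examples.
    mgmt_dn = "CN=cpsms226,O=vm226-CPSMS..bs7ocx"
    gw_dn = "CN=cpsms230,O=vm226-CPSMS..bs7ocx"
    print(expected_entity_sic(mgmt_dn))
    print(expected_entity_sic(gw_dn, "vm230-CPSMS2-GW3"))
    # Constructed mistake: the Application DN pasted as the Entity SIC name.
    print(check_entity_sic(mgmt_dn + " ", mgmt_dn))
```
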

Adding Devices Managed by CPSMS by Using HTTPS

Add devices that are managed by Check Point Security Manager Server version R80 to JSA Risk Manager by using the HTTPS protocol to discover and add the devices.

  1. Open the Admin settings:
    • In JSA 7.3.0 or earlier, click the Admin tab.

    • In JSA 7.3.1, click the navigation menu icon, and then click Admin to open the admin tab.

  2. On the Admin navigation menu, click Plug-ins or Apps.
    • In JSA 7.3.0 or earlier, click Plug-ins.

    • In JSA 7.3.1, click Apps.

  3. On the Risk Manager pane, click Configuration Source Management.
  4. On the navigation menu, click Credentials.
  5. On the Network Groups pane, click Add a new network group.
    1. Type a name for the network group, and then click OK.

    2. Type the IP address of your Check Point device, and then click Add.

    3. Ensure that the address is displayed in the Network address box.

  6. On the Credentials pane, click Add a new credential set.
    1. Type a name for the credential set, and then click OK.

    2. Select the name of the credential set that you created, and then type a valid user name and password for the device.

  7. Click OK.
  8. Click Protocols and verify that the HTTPS protocol is selected.
  9. Click Discover From Check Point HTTPS, and then enter the Check Point IP address.
  10. Click OK.

After you add all the required devices, back up the devices, and view them in the topology.

Adding Devices that are Managed by the Palo Alto Panorama

Use Configuration Source Management to add devices from the Palo Alto Panorama to JSA Risk Manager.

  1. Open the Admin settings:
    • In JSA 7.3.0 or earlier, click the Admin tab.

    • In JSA 7.3.1, click the navigation menu icon, and then click Admin to open the admin tab.

  2. On the Admin navigation menu, click Plug-ins or Apps.
    • In JSA 7.3.0 or earlier, click Plug-ins.

    • In JSA 7.3.1, click Apps.

  3. On the Risk Manager pane, click Configuration Source Management.
  4. On the navigation menu, click Credentials.
  5. On the Network Groups pane, click Add a new network group.
    1. Type a name for the network group, and then click OK.

    2. Type the IP address of your Check Point device, and then click Add.

    3. Ensure that the address is displayed in the Network address box.

    The Palo Alto Panorama supports proxy backups.

  6. On the Credentials pane, click Add a new credential set.
    1. Type a name for the credential set, and then click OK.

    2. Select the name of the credential set that you created, and then type a valid user name and password for the device.

  7. Click OK.
  8. Click Discover From Palo Alto Panorama, and then enter the Palo Alto Panorama IP address.

    The Palo Alto Panorama uses the following command for backup:

  9. Click OK.

After you add all the required devices, back up the devices and view them in the topology.