Integration with a Nokia Firewall by Using Syslog

 

This method gives you the option to configure JSA to accept Check Point syslog events that are forwarded from your Nokia Firewall appliance.

To configure JSA to integrate with a Nokia Firewall device, take the following steps:

  1. Configure iptables on your JSA console or Event Collector to receive syslog events from Nokia Firewall.

  2. Configure your Nokia Firewall to forward syslog event data.

  3. Configure the events that are logged by the Nokia Firewall.

  4. Optional. Configure a log source in JSA.

Configuring IPtables

Nokia Firewalls require a TCP reset (rst) or a TCP acknowledge (ack) from JSA on port 256 before they forward syslog events.

The Nokia Firewall TCP request is an online status request that is designed to ensure that JSA is online and able to receive syslog events. If a valid reset or acknowledge is received from JSA, then Nokia Firewall begins forwarding events to JSA on UDP port 514. By default, JSA does not respond to any online status requests from TCP port 256.

You must configure IPtables on your JSA console or any Event Collector that receives Check Point events from a Nokia Firewall to respond to an online status request.

  1. Using SSH, log in to JSA as the root user.

    Login: root

    Password: <password>

  2. Type the following command to edit the IPtables file:

    vi /opt/qradar/conf/iptables.pre

    The IPtables configuration file is displayed.

  3. Add the following rule to the file to instruct JSA to respond to your Nokia Firewall with a TCP reset on port 256:

    -A INPUT -s <IP address> -p tcp --dport 256 -j REJECT --reject-with tcp-reset

    Where <IP address> is the IP address of your Nokia Firewall. You must include a TCP reset rule for each Nokia Firewall IP address that sends events to your JSA console or Event Collector, for example:

    • -A INPUT -s 10.10.100.10/32 -p tcp --dport 256 -j REJECT --reject-with tcp-reset

    • -A INPUT -s 10.10.110.11/32 -p tcp --dport 256 -j REJECT --reject-with tcp-reset

    • -A INPUT -s 10.10.120.12/32 -p tcp --dport 256 -j REJECT --reject-with tcp-reset

  4. Save your IPtables configuration.
  5. Type the following command to update IPtables in JSA:

    /opt/qradar/bin/iptables_update.pl

  6. Repeat steps 1 - 5 to configure any additional JSA Event Collectors that receive syslog events from a Nokia Firewall.

    You are now ready to configure your Nokia Firewall to forward events to JSA.
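One way to script step 3 for several firewalls, as an added example that is not part of the JSA documentation or product: it validates each address, writes the rule scoped to a single host (/32), and skips rules already present so that repeated runs do not duplicate lines. The function names are hypothetical, and the usage comment works on a copy of the file rather than on /opt/qradar/conf/iptables.pre itself.

```shell
#!/bin/sh
# Added example (not JSA code): append the port-256 TCP reset rule for each
# Nokia Firewall address, skipping rules that are already in the file.

# valid_ipv4 ADDR: succeeds only for a dotted-quad address with octets 0-255.
valid_ipv4() {
    case $1 in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1            # split the address into its octets
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ ${#octet} -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# reject_rule SOURCE: print the rule from step 3 for one source address.
reject_rule() {
    printf '%s\n' "-A INPUT -s $1 -p tcp --dport 256 -j REJECT --reject-with tcp-reset"
}

# add_nokia_rules FILE ADDR...: validate every address first, then append the
# missing rules. Prints the number of rules added; writes nothing on bad input.
add_nokia_rules() {
    rules_file=$1; shift
    for addr in "$@"; do
        valid_ipv4 "$addr" || { echo "invalid address: $addr" >&2; return 1; }
    done
    added=0
    for addr in "$@"; do
        # Treat both "-s ADDR/32" and "-s ADDR" as the same existing rule.
        if ! grep -qxF -e "$(reject_rule "$addr/32")" \
                       -e "$(reject_rule "$addr")" "$rules_file" 2>/dev/null; then
            reject_rule "$addr/32" >> "$rules_file"
            added=$((added + 1))
        fi
    done
    echo "$added"
}

# Usage on a copy of the file (addresses are the page's sample values):
#   cp /opt/qradar/conf/iptables.pre /tmp/iptables.pre.new
#   add_nokia_rules /tmp/iptables.pre.new 10.10.100.10 10.10.110.11
```

Review the copy before replacing the live file, then continue with step 5 to apply the rules.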

Configuring Syslog

To configure your Nokia Firewall to forward syslog events to JSA:

  1. Log in to the Nokia Voyager.
  2. Click Config.
  3. In the System Configuration pane, click System Logging.
  4. In the Add new remote IP address to log to field, type the IP address of your JSA console or Event Collector.
  5. Click Apply.
  6. Click Save.

    You are now ready to configure which events are logged by your Nokia Firewall to the logger.

Configuring the Logged Events Custom Script

To configure which events are logged by your Nokia Firewall and forwarded to JSA, you must configure a custom script for your Nokia Firewall.

  1. Using SSH, log in to Nokia Firewall as an administrative user.

    If you cannot connect to your Nokia Firewall, check that SSH is enabled. You must enable the command-line by using the Nokia Voyager web interface or connect directly by using a serial connection. For more information, see your Nokia Voyager documentation.

  2. Type the following command to edit your Nokia Firewall rc.local file:

    vi /var/etc/rc.local

  3. Add the following command to your rc.local file:

    $FWDIR/bin/fw log -ftn | /bin/logger -p local1.info &

  4. Save the changes to your rc.local file.

    The terminal is displayed.

  5. To begin logging immediately, type the following command:

    nohup $FWDIR/bin/fw log -ftn | /bin/logger -p local1.info &

    You can now configure the log source in JSA.

Configuring a Log Source

Events that are forwarded by your Nokia Firewall are automatically discovered by the Check Point Firewall-1 DSM. The automatic discovery process creates a log source for syslog events from Nokia Firewall appliances.

The following steps are optional.

  1. Log in to JSA.
  2. Click the Admin tab.
  3. On the navigation menu, click Data Sources.
  4. Click the Log Sources icon.
  5. Click Add.
  6. In the Log Source Name field, type a name for your log source.
  7. In the Log Source Description field, type a description for the log source.
  8. From the Log Source Type list, select Check Point Firewall-1.
  9. Using the Protocol Configuration list, select Syslog.
  10. Configure the following values:

    | Parameter | Description |
    | --- | --- |
    | Log Source Identifier | Type the IP address or host name for the log source as an identifier for events from your Nokia Firewall appliance. |

  11. Click Save.
  12. On the Admin tab, click Deploy Changes.

    The syslog configuration for receiving Check Point events from Nokia Firewalls over syslog is complete. Check Point events from your Nokia Firewall are displayed in the Log Activity tab in JSA.