
Check Point

You can configure JSA to integrate with a Check Point device by using one of the following methods:

Note

Depending on your operating system, the procedures for the Check Point device might vary. The following procedures are based on the Check Point SecurePlatform operating system.

Integration of Check Point by Using OPSEC

This section describes how to ensure that JSA accepts Check Point events by using the Open Platform for Security (OPSEC) Log Export API (LEA).

To integrate Check Point OPSEC/LEA with JSA, you must create two Secure Internal Communication (SIC) files and enter the information into JSA as a Check Point log source.

Check Point Configuration Overview

To integrate Check Point with JSA, you must complete the following procedures in sequence:

  1. Add JSA as a host for Check Point.

  2. Add an OPSEC application to Check Point.

  3. Locate the Log Source Secure Internal Communications DN.

  4. In JSA, configure the OPSEC LEA protocol.

  5. Verify the OPSEC/LEA communications configuration.

Adding a Check Point Host

You can add JSA as a host in Check Point SmartCenter:

  1. Log in to the Check Point SmartDashboard user interface.
  2. Select Objects > New Host.
  3. Enter the information for your Check Point host:
    • Name: JSA

    • IP address: IP address of JSA

  4. Click OK.

You are now ready to create an OPSEC Application Object for Check Point.

Creating an OPSEC Application Object

After you add JSA as a host in Check Point SmartCenter, you can create the OPSEC Application Object:

  1. Open the Check Point SmartConsole user interface.
  2. Select Objects > More Object Types > Server > OPSEC Application > New Application.
  3. Configure your OPSEC Application:
    1. Configure the following OPSEC Application Properties parameters.

      Table 1: OPSEC Application Properties

      Parameter          Value
      Name               JSA-OPSEC
      Host               JSA
      Client Entities    LEA

    2. Click Communication.

    3. In the One-time password field, type the password that you want to use.

    4. In the Confirm one-time password field, type the password that you used for One-time password.

    5. Click Initialize.

    6. Click Close.

  4. Select Menu > Install Policy.
  5. Click Publish & Install.
  6. Click Install.
  7. Select Menu > Install Database.
  8. Click Install.

    Note

    The SIC value is required for the OPSEC Application Object SIC attribute parameter when you configure the Check Point log source in JSA. The value can be found by viewing the OPSEC Application Object after it is created.

    The OPSEC Application Object resembles the following example:

    CN=QRadar-OPSEC,O=cpmodule..tdfaaz

If you have issues after you install the database policy, contact your system administrator to restart Check Point services on the central SmartCenter server that hosts the policy files. After services restart, the updated policies are pushed to all Check Point appliances.

Locating the Log Source SIC

After you create the OPSEC Application Object, you can locate the Log Source SIC from the Check Point SmartDashboard:

  1. Select Objects > Object Explorer.
  2. In the Categories tree, select Gateways and Servers under Network Objects.
  3. Select your Check Point Log Host object.

    Note

    You must confirm whether the Check Point Log Host is a separate object in your configuration from the Check Point Management Server. In most cases, the Check Point Log Host is the same object as the Check Point Management Server.

  4. Click Edit.

    The Check Point Host General Properties window is displayed.

  5. Copy the Secure Internal Communication (SIC).

    Note

    Depending on your Check Point version, the Communication button might not display the SIC attribute. In that case, locate the SIC attribute from the Check Point Management Server command-line interface by running the cpca_client lscert command, which displays all certificates.

    Note

    The Log Source SIC Attribute resembles the following example: cn=cp_mgmt,o=cpmodule...tdfaaz. For more information, see your Check Point Command Line Interface Guide.

    You must now install the Security Policy from the Check Point SmartDashboard user interface.

  6. Select Policy > Install > OK.
  7. Select Policy > Install Database > OK.

You are now ready to configure the OPSEC LEA protocol.

Configuring an OPSEC/LEA Log Source in JSA

After you locate the Log Source SIC, you configure the OPSEC LEA protocol:

  1. Log in to JSA.
  2. Click the Admin tab.
  3. Click the Log Sources icon.
  4. Click Add.
  5. In the Log Source Name field, type a name for your log source.
  6. In the Log Source Description field, type a description for the log source.
  7. From the Log Source Type list, select Check Point.
  8. Using the Protocol Configuration list, select OPSEC/LEA.
  9. Configure the following values:

    Table 2: OPSEC/LEA Protocol Parameters

    Log Source Identifier
      Type the IP address for the log source. This value must match the value that is configured in the Server IP parameter. The log source identifier must be unique for the log source type.

    Server IP
      Type the IP address of the Check Point host or the Check Point Management Server.

    Server Port
      Type the port number that is used for OPSEC communication. Administrators must ensure that the existing firewall policy allows the LEA/OPSEC connection from JSA.

    Use Server IP for Log Source
      Select the check box to use the LEA server's IP address instead of the managed device's IP address for the log source; all events that JSA receives are then funneled into a single log source. Clear the check box to have all events that the Check Point Management Server forwards go into their individual log sources. By default, this parameter is enabled.

    Statistics Report Interval
      Type the interval, in seconds, at which the number of syslog events is recorded in the JSA .log file. The valid range is 4 - 2,147,483,648 and the default is 600.

    Authentication Type
      From the list, select the Authentication Type that you want for this LEA configuration. The options are as follows:

      • sslca (default)

      • sslca_clear

      • clear

      This value must match the authentication method that is configured on the Check Point Firewall or the Check Point custom log management server.

    OPSEC Application Object SIC Attribute (SIC Name)
      Type the Secure Internal Communications (SIC) name of the OPSEC Application Object. The SIC name is the distinguished name (DN) of the application, for example: CN=LEA, o=fwconsole..7psasx.

    Log Source SIC Attribute (Entity SIC Name)
      Type the SIC name of the server that generates the log sources.

    Specify Certificate
      Select the Specify Certificate check box to define a certificate for this LEA configuration.

    Certificate Filename
      Type the file name of the certificate that you want to use for this configuration. The certificate file must be located in the /opt/qradar/conf/trusted_certificates/lea directory.

    Certificate Authority IP
      Type the IP address of the SmartCenter server from which you want to pull your certificate.

    Pull Certificate Password
      Type the password that you want to use when you request a certificate.

    OPSEC Application
      Type the name of the application that you want to use when you request a certificate. This value can be up to 255 characters in length.

  10. Click Save.
  11. On the Admin tab, click Deploy Changes.

You are now ready to verify your OPSEC/LEA communications for Check Point.

Edit Your OPSEC Communications Configuration

This section describes how to modify your Check Point configuration to allow OPSEC communications on non-standard ports.

It also explains how to configure communications in a clear text, unauthenticated stream, and verify the configuration in JSA.

Change Your Check Point Custom Log Manager (CLM) IP Address

If your Check Point configuration includes a Check Point Custom Log Manager (CLM), you might eventually need to change the IP address for the CLM, which impacts any of the automatically discovered Check Point log sources from that CLM in JSA. When you manually add the log source for the CLM by using the OPSEC/LEA protocol, all Check Point firewalls that forward logs to the CLM are automatically discovered by JSA. These automatically discovered log sources cannot be edited. If the CLM IP address changes, you must edit the original Check Point CLM log source that contains the OPSEC/LEA protocol configuration and update the server IP address and log source identifier.

After you update the log source with the new Check Point CLM IP address, any new events that are reported from the automatically discovered Check Point log sources are updated.

Note

Do not delete and re-create your Check Point CLM or automatically discovered log sources in JSA. Deleting a log source does not delete event data, but can make finding previously recorded events more difficult.

Updating Your Check Point OPSEC Log Source

You can update your Check Point OPSEC log source.

  1. Log in to JSA.
  2. Click the Admin tab.
  3. On the navigation menu, click Data Sources.
  4. Click the Log Sources icon.
  5. Select the original Check Point CLM log source that contains the OPSEC/LEA protocol configuration and click Edit.
  6. In the Log Source Identifier field, type a new identifying name of your Check Point CLM.
  7. In the Server IP field, type the new IP address of your Check Point CLM.
  8. Click Save.

    The IP address update for your Check Point CLM in JSA is complete.

Changing the Default Port for OPSEC LEA Communication

Change the default port (18184) on which OPSEC LEA communicates.

  1. At the command-line prompt of your Check Point SmartCenter Server, type the following command to stop the firewall services:

    cpstop

  2. Depending on your Check Point SmartCenter Server operating system, open the following file:
    • Linux - $FWDIR/conf/fwopsec.conf

    • Windows - %FWDIR%\conf\fwopsec.conf

    The default contents of this file are as follows:

  3. Change the default lea_server auth_port from 18184 to another port number.
  4. Remove the hash (#) mark from that line.
  5. Save and close the file.
  6. Type the following command to start the firewall services:

    cpstart

Configuring OPSEC LEA for Unencrypted Communications

You can configure the OPSEC LEA protocol for unencrypted communications:

  1. At the command-line prompt of your Check Point SmartCenter Server, stop the firewall services by typing the following command:

    cpstop

  2. Depending on your Check Point SmartCenter Server operating system, open the following file:
    • Linux - $FWDIR/conf/fwopsec.conf

    • Windows - %FWDIR%\conf\fwopsec.conf

  3. Change the default lea_server auth_port from 18184 to 0.
  4. Change the default lea_server port from 0 to 18184.
  5. Remove the hash (#) marks from both lines.
  6. Save and close the file.
  7. Type the following command to start the firewall services:

    cpstart
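The two procedures above edit the same pair of lea_server lines in fwopsec.conf. The following added example (not Check Point's or Juniper's code) parses a file in that line shape and reports whether LEA is listening authenticated, in clear text, or both, which lets you audit a SmartCenter server that should not be left in the unencrypted configuration. It assumes each setting is one "server key port" line that may be commented out with a leading #, and the sample file contents are constructed from the keys and defaults the page names.

```python
"""Audit the lea_server settings in a Check Point fwopsec.conf.

Added example, not Check Point's or Juniper's code. Assumes each setting is a
single line "<server> <auth_port|port> <number>", optionally commented out
with a leading '#', in which case the default applies (as in the procedures
above). The sample file contents below are constructed.
"""
import re
from typing import Dict, Optional

SETTING_RE = re.compile(r"^\s*(#)?\s*(\w+)\s+(auth_port|port)\s+(\d+)\s*$")

# Defaults the page states: authenticated LEA on 18184, clear-text LEA off (0).
DEFAULTS: Dict[str, Dict[str, int]] = {"lea_server": {"auth_port": 18184, "port": 0}}


def parse_fwopsec(text: str) -> Dict[str, Dict[str, int]]:
    """Return the effective {server: {key: port}} settings.

    Commented-out lines are ignored; an uncommented line overrides the default.
    A port of 0 means that listener is disabled.
    """
    effective = {srv: dict(vals) for srv, vals in DEFAULTS.items()}
    for line in text.splitlines():
        m = SETTING_RE.match(line)
        if not m or m.group(1):  # not a setting line, or still commented out
            continue
        _, server, key, value = m.groups()
        effective.setdefault(server, {})[key] = int(value)
    return effective


def lea_listeners(text: str) -> Dict[str, Optional[int]]:
    """Report which LEA listeners are enabled and on which port (None = off)."""
    lea = parse_fwopsec(text).get("lea_server", {})
    return {
        "authenticated": lea.get("auth_port") or None,
        "clear_text": lea.get("port") or None,
    }


def clear_text_lea_enabled(text: str) -> bool:
    """True when LEA accepts unauthenticated, unencrypted connections."""
    return lea_listeners(text)["clear_text"] is not None


# Constructed sample: the default file, both lines commented out.
DEFAULT_CONF = """\
# lea_server auth_port 18184
# lea_server port 0
"""

# Constructed sample: after the "change the default port" procedure.
MOVED_PORT_CONF = """\
lea_server auth_port 18185
# lea_server port 0
"""

# Constructed sample: after the "unencrypted communications" procedure.
CLEAR_CONF = """\
lea_server auth_port 0
lea_server port 18184
"""

if __name__ == "__main__":
    for name, conf in (("default", DEFAULT_CONF), ("moved", MOVED_PORT_CONF),
                       ("clear", CLEAR_CONF)):
        flag = "CLEAR-TEXT LEA ENABLED" if clear_text_lea_enabled(conf) else "ok"
        print(f"{name}: {lea_listeners(conf)} {flag}")
```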

Configuring JSA to Receive Events from a Check Point Device

Configure JSA to receive events from a Check Point device.

  1. Log in to JSA.
  2. Click the Admin tab.
  3. On the navigation menu, click Data Sources.
  4. Click the Log Sources icon.
  5. Click Add.
  6. From the Log Source Type list, select Check Point.
  7. Using the Protocol Configuration list, select OPSEC/LEA.
  8. Configure the following parameters:

    Table 3: OPSEC/LEA Protocol Parameters

    Log Source Identifier
      Type the IP address for the log source. This value must match the value that is configured in the Server IP parameter. The log source identifier must be unique for the log source type.

    Server IP
      Type the IP address of the server.

    Server Port
      Type the port number that is used for OPSEC communication. The valid range is 0 - 65,536 and the default port used by JSA is 18184.

    Use Server IP for Log Source
      Select the Use Server IP for Log Source check box if you want to use the LEA server IP address instead of the managed device IP address for a log source. By default, the check box is selected.

    Statistics Report Interval
      Type the interval, in seconds, at which the number of syslog events is recorded in the JSA .log file. The valid range is 4 - 2,147,483,648 and the default is 600.

    Authentication Type
      From the list, select the Authentication Type that you want to use for this LEA configuration. The options are sslca (default), sslca_clear, or clear. This value must match the authentication method that is used by the server.

      The following parameters appear if sslca or sslca_clear is selected as the authentication type:

      • OPSEC Application Object SIC Attribute (SIC Name): Type the Secure Internal Communications (SIC) name of the OPSEC Application Object. The SIC name is the distinguished name (DN) of the application, for example: CN=LEA, o=fwconsole..7psasx. The name can be up to 255 characters in length and is case-sensitive.

      • Log Source SIC Attribute (Entity SIC Name): Type the SIC name of the server, for example: cn=cp_mgmt,o=fwconsole..7psasx. The name can be up to 255 characters in length and is case-sensitive.

      • Specify Certificate: Select this check box if you want to define a certificate for this LEA configuration. JSA attempts to retrieve the certificate by using these parameters when the certificate is needed.

      If you select the Specify Certificate check box, the Certificate Filename parameter is displayed:

      • Certificate Filename: Type the file name of the certificate that you want to use for this configuration. The certificate file must be located in the /opt/qradar/conf/trusted_certificates/lea directory.

      If you clear the Specify Certificate check box, the following parameters appear:

      • Certificate Authority IP: Type the IP address of the SmartCenter server from which you want to pull your certificate.

      • Pull Certificate Password: Type the password that you want to use when you request a certificate. The password can be up to 255 characters in length.

      • OPSEC Application: Type the name of the application that you want to use when you request a certificate. This value can be up to 255 characters in length.

      Note: Access to port 18210 is required for certificate pulls.

  9. Click Save.
  10. On the Admin tab, click Deploy Changes.

Integrate Check Point by Using Syslog

This section describes how to ensure that the JSA Check Point DSMs accept Check Point events with syslog.

Before you configure JSA to integrate with a Check Point device, you must take the following steps:

Note

If Check Point SmartCenter is installed on Microsoft Windows, you must integrate Check Point with JSA by using OPSEC.

  1. Type the following command to access the Check Point console as an expert user:

    expert

    A password prompt appears.

  2. Type your expert console password. Press the Enter key.

  3. Open the following file:

    /etc/rc.d/rc3.d/S99local

  4. Add the following line:

    $FWDIR/bin/fw log -ftn | /usr/bin/logger -p <facility>.<priority> > /dev/null 2>&1 &

    Where:

    • <facility> is a syslog facility, for example, local3.

    • <priority> is a syslog priority, for example, info.

    For example:

    $FWDIR/bin/fw log -ftn | /usr/bin/logger -p local3.info > /dev/null 2>&1 &

  5. Save and close the file.

  6. Open the syslog.conf file.

  7. Add the following line:

    <facility>.<priority> <TAB><TAB>@<host>

    Where:

    • <facility> is the syslog facility, for example, local3. This value must match the value that you typed in Step 4.

    • <priority> is the syslog priority, for example, info or notice. This value must match the value that you typed in Step 4.

    • <TAB> indicates that you must press the Tab key.

    • <host> is the JSA Console or managed host.

  8. Save and close the file.

  9. Enter the following command to restart syslog:

    • In Linux: service syslog restart

    • In Solaris: /etc/init.d/syslog start

  10. Enter the following command:

    nohup $FWDIR/bin/fw log -ftn | /usr/bin/logger -p <facility>.<priority> > /dev/null 2>&1 &

    Where:

    • <facility> is the syslog facility, for example, local3. This value must match the value that you typed in Step 4.

    • <priority> is the syslog priority, for example, info. This value must match the value that you typed in Step 4.

The configuration is complete. The log source is added to JSA as Check Point syslog events are automatically discovered. Events that are forwarded to JSA are displayed on the Log Activity tab.

Configuring a Log Source

JSA automatically discovers and creates a log source for syslog events from Check Point. The following configuration steps are optional.

  1. Log in to JSA.
  2. Click the Admin tab.
  3. On the navigation menu, click Data Sources.
  4. Click the Log Sources icon.
  5. Click Add.
  6. In the Log Source Name field, type a name for your log source.
  7. In the Log Source Description field, type a description for the log source.
  8. From the Log Source Type list, select Check Point.
  9. Using the Protocol Configuration list, select Syslog.
  10. Configure the following values:

    Table 4: Syslog Parameters

    Log Source Identifier
      Enter the IP address or host name for the log source as an identifier for events from your Check Point appliance.

  11. Click Save.
  12. On the Admin tab, click Deploy Changes.

Integration of Check Point Firewall Events from External Syslog Forwarders

Check Point Firewall events can be forwarded from external sources, such as Splunk Forwarders, or other third-party syslog forwarders that send events to JSA.

When Check Point Firewall events are provided from external sources in syslog format, the events are identified by the IP address in the syslog header, which is the address of the forwarder rather than of the firewall. As a result, events are attributed to the wrong source when they are processed with the standard syslog protocol. The syslog redirect protocol gives administrators a method to substitute an IP address from the event payload into the syslog header so that the event source is identified correctly.

To substitute an IP address, administrators must identify a common field in their Check Point Firewall event payload that contains the proper IP address. For example, events from Splunk Forwarders use orig= in the event payload to identify the original IP address of the Check Point firewall. The protocol substitutes the proper IP address so that the device is identified correctly in the log source. As Check Point Firewall events are forwarded, JSA automatically discovers and creates a new log source for each unique IP address.

Substitutions are performed with regular expressions and support either TCP or UDP syslog events. The protocol automatically configures iptables for the initial log source and port configuration. If an administrator changes the port assignment, a Deploy Full Configuration is required to update the iptables configuration and use the new port assignment.
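The substitution described above, as an added example that is not JSA's own code: it pulls the firewall address out of the payload with the orig= regular expression the page gives for Splunk-forwarded events, uses it as the log source identifier, and falls back to the header host when no well-formed match exists. It assumes RFC 3164-style syslog headers; the sample events and forwarder host name are constructed.

```python
"""What the JSA Syslog Redirect protocol does with forwarded Check Point events.

Added example, not JSA's own code. Assumes RFC 3164-style headers
("<PRI>Mon DD HH:MM:SS host payload"). Sample events are constructed.
"""
import re
from collections import defaultdict
from typing import Dict, List, Optional, Pattern, Tuple

# Regular expression the page gives for events provided by Splunk Forwarders.
ORIG_IP_RE = re.compile(r"orig=(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})")

HEADER_RE = re.compile(
    r"^(?:<\d{1,3}>)?"                 # optional PRI
    r"\w{3} [ \d]\d \d\d:\d\d:\d\d "   # timestamp
    r"(?P<host>\S+) (?P<payload>.*)$"  # forwarder host, then the event payload
)


def valid_ipv4(addr: str) -> bool:
    """The page's regex also matches 999.999.999.999; reject out-of-range
    octets so a malformed payload cannot create a bogus log source."""
    return all(0 <= int(octet) <= 255 for octet in addr.split("."))


def redirect_source(line: str, ident_re: Pattern[str] = ORIG_IP_RE) -> Tuple[Optional[str], str]:
    """Return (log source identifier, payload) for one syslog line.

    The identifier is the regex match from the payload when one is present and
    well-formed; otherwise it is the host from the syslog header, which is what
    the plain Syslog protocol would have used.
    """
    m = HEADER_RE.match(line)
    host = m.group("host") if m else None
    payload = m.group("payload") if m else line
    found = ident_re.search(payload)
    if found and valid_ipv4(found.group(1)):
        return found.group(1), payload
    return host, payload


def group_by_source(lines: List[str]) -> Dict[Optional[str], List[str]]:
    """Bucket events the way JSA auto-discovers one log source per unique IP."""
    buckets: Dict[Optional[str], List[str]] = defaultdict(list)
    for line in lines:
        ident, payload = redirect_source(line)
        buckets[ident].append(payload)
    return dict(buckets)


# Constructed sample: two firewalls relayed through one Splunk forwarder,
# plus a forwarder message with no orig= field.
SAMPLE_EVENTS = [
    "<134>Mar  5 10:01:02 splunk-fwd-01 time=1709632862|orig=10.1.20.5|action=drop|src=192.0.2.77|dst=10.1.20.9|service=22",
    "<134>Mar  5 10:01:03 splunk-fwd-01 time=1709632863|orig=10.1.30.7|action=accept|src=198.51.100.4|dst=10.1.30.2|service=443",
    "<134>Mar  5 10:01:04 splunk-fwd-01 time=1709632864|orig=10.1.20.5|action=drop|src=192.0.2.78|dst=10.1.20.9|service=23",
    "<134>Mar  5 10:01:05 splunk-fwd-01 forwarder heartbeat ok",
]

if __name__ == "__main__":
    for ident, events in group_by_source(SAMPLE_EVENTS).items():
        print(f"{ident}: {len(events)} event(s)")
```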

Configuring a Log Source for Check Point Forwarded Events

To collect raw events that are forwarded from an external source, you must configure a log source before events are forwarded to JSA.

  1. Log in to JSA.
  2. Click the Admin tab.
  3. In the navigation menu, click Data Sources.
  4. Click the Log Sources icon.
  5. Click Add.
  6. In the Log Source Name field, type a name for your log source.
  7. In the Log Source Description field, type a description for your log source.
  8. From the Log Source Type list, select Check Point.
  9. From the Protocol Configuration list, select Syslog Redirect.
  10. Configure the following values:

    Table 5: Syslog Redirect Protocol Parameters

    Log Source Identifier
      Type the IP address or host name for the log source as an identifier for the Check Point Firewall events. The log source identifier must be a unique value.

    Log Source Identifier RegEx
      Type the regular expression (regex) that is needed to identify the Check Point Firewall IP address in the event payload. For example, administrators can use the following regular expression to parse Check Point Firewall events that are provided by Splunk Forwarders:

      orig=(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})

    Perform DNS Lookup On Regex Match
      Select the Perform DNS Lookup On Regex Match check box to enable DNS functionality, which is based on the Log Source Identifier parameter value. By default, the check box is not selected.

    Listen Port
      Type the port number that JSA uses to accept incoming syslog redirect events. The default listen port is 517. The port number that you configure must match the port that you configured on the appliance that forwards the syslog events. Administrators cannot specify port 514 in this field.

    Protocol
      From the list, select either UDP or TCP. The syslog redirect protocol supports any number of UDP syslog connections, but restricts TCP connections to 2500. If the syslog stream has more than 2500 log sources, you must enter a second Check Point log source and listen port number.

    Enabled
      Select this check box to enable the log source. By default, the check box is selected.

    Credibility
      From the list, select the Credibility of the log source. The range is 0 - 10. The credibility indicates the integrity of an event or offense as determined by the credibility rating from the source devices. Credibility increases if multiple sources report the same event. The default is 5.

    Target Event Collector
      From the list, select the Target Event Collector to use as the target for the log source.

    Coalescing Events
      Select the Coalescing Events check box to enable the log source to coalesce (bundle) events. By default, automatically discovered log sources inherit the value of the Coalescing Events list from the System Settings in JSA. When you create a log source or edit an existing configuration, you can override the default value by configuring this option for each log source.

    Incoming Event Payload
      From the Incoming Event Payload list, select the incoming payload encoder for parsing and storing the logs.

    Store Event Payload
      Select the Store Event Payload check box to enable the log source to store event payload information. By default, automatically discovered log sources inherit the value of the Store Event Payload list from the System Settings in JSA. When you create a log source or edit an existing configuration, you can override the default value by configuring this option for each log source.

  11. Click Save.
  12. On the Admin tab, click Deploy Changes.