Integration with a Nokia Firewall by Using OPSEC

 

JSA can accept Check Point FireWall-1 events from Nokia Firewalls by using the Check Point FireWall-1 DSM configured with the OPSEC/LEA protocol.

Before you configure JSA to integrate with a Nokia Firewall device, you must:

  1. Configure the Nokia Firewall by using OPSEC. See Configuring a Nokia Firewall for OPSEC.

  2. Configure a log source in JSA for your Nokia Firewall by using the OPSEC/LEA protocol. See Configuring an OPSEC Log Source.

Configuring a Nokia Firewall for OPSEC

You can configure Nokia Firewall by using OPSEC.

  1. To create a host object for your JSA, open the Check Point SmartDashboard GUI, and select Manage > Network Objects > New > Node > Host.
  2. Type the Name, IP address, and an optional comment for your JSA.
  3. Click OK.
  4. Select Close.
  5. To create the OPSEC connection, select Manage > Servers and OPSEC Applications > New > OPSEC Application Properties.
  6. Type the Name and an optional comment.

    The name that you type must be different from the name in Step 2.

  7. From the Host drop-down menu, select the JSA host object that you created.
  8. From Application Properties, select User Defined as the Vendor Type.
  9. From Client Entries, select LEA.
  10. Select OK and then select Close.
  11. To install the policy on your firewall, select Policy > Install > OK.

    For more information on policies, see your vendor documentation. You can now configure a log source for your Nokia Firewall in JSA.

Configuring an OPSEC Log Source

You must create an OPSEC log source to collect events, because OPSEC/LEA log sources are not automatically discovered in JSA.

  1. Log in to JSA.
  2. Click the Admin tab.
  3. On the navigation menu, click Data Sources.
  4. Click the Log Sources icon.
  5. Click Add.
  6. In the Log Source Name field, type a name for your log source.
  7. In the Log Source Description field, type a description for the log source.
  8. From the Log Source Type list, select Check Point FireWall-1.
  9. Using the Protocol Configuration list, select OPSEC/LEA.
  10. Configure the following values:

    Table 1: OPSEC/LEA Protocol Parameters

    Parameter: Description

    Log Source Identifier: Type an IP address, host name, or name to identify the event source. IP addresses or host names are better because they enable JSA to match a log file to a unique event source.

    Server IP: Type the IP address of the server.

    Server Port: Type the port that is used for OPSEC communication. The valid range is 0 - 65,536 and the default is 18184.

    Use Server IP for Log Source: Select this check box if you want to use the LEA server's IP address instead of the managed device's IP address for a log source. By default, the check box is selected.

    Statistics Report Interval: Type the interval, in seconds, during which syslog events are recorded in the qradar.log file. The valid range is 4 - 2,147,483,648 and the default is 600.

    Authentication Type: From the list, select the authentication type that you want to use for this LEA configuration. The options are sslca (default), sslca_clear, or clear. This value must match the authentication method that is used by the server. The following parameters appear if sslca or sslca_clear is selected as the authentication type:

    • OPSEC Application Object SIC Attribute (SIC Name): Type the Secure Internal Communications (SIC) name of the OPSEC Application Object. The SIC name is the distinguished name (DN) of the application, for example: CN=LEA, o=fwconsole..7psasx. The name can be up to 255 characters in length and is case-sensitive.

    • Log Source SIC Attribute (Entity SIC Name): Type the SIC name of the server, for example: cn=cp_mgmt,o=fwconsole..7psasx. The name can be up to 255 characters in length and is case-sensitive.

    • Specify Certificate: Select this check box if you want to define a certificate for this LEA configuration. JSA attempts to retrieve the certificate by using these parameters when the certificate is required.

    If you select the Specify Certificate check box, the Certificate Filename parameter is displayed:

    • Certificate Filename: This option appears only if Specify Certificate is selected. Type the file name of the certificate that you want to use for this configuration. The certificate file must be located in the /opt/qradar/conf/trusted_certificates/lea directory.

    If you clear the Specify Certificate check box, the following parameters appear:

    • Certificate Authority IP: Type the IP address of the SmartCenter server from which you want to pull your certificate.

    • Pull Certificate Password: Type the password that you want to use when a certificate is requested. The password can be up to 255 characters in length.

    • OPSEC Application: Type the name of the application you want to use when a certificate is requested. This value can be up to 255 characters in length.

  11. Click Save.
  12. On the Admin tab, click Deploy Changes.

    The configuration is complete. As events are received, they are displayed in the Log Activity tab in JSA.
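    The following pre-flight check is an added example, not part of JSA or the original page. It applies the Table 1 constraints to a planned OPSEC/LEA log source before the values are typed into the Admin tab. The dictionary keys and the function name are hypothetical, and the encryption warning reflects general OPSEC behavior rather than anything stated in the table.

```python
import posixpath

# Constraints come from Table 1; the dict keys are hypothetical names for its rows.
CERT_DIR = "/opt/qradar/conf/trusted_certificates/lea"
AUTH_TYPES = ("sslca", "sslca_clear", "clear")

def _is_text(value):
    return isinstance(value, str) and 0 < len(value) <= 255

def check_lea_config(cfg):
    """Return (errors, warnings) for a planned OPSEC/LEA log source."""
    errors, warnings = [], []
    port = cfg.get("server_port", 18184)  # documented default
    if not isinstance(port, int) or not 0 <= port <= 65536:
        errors.append("server_port outside 0 - 65,536")
    elif port in (0, 65536):
        warnings.append("server_port is not a usable TCP port (1-65535)")
    auth = cfg.get("authentication_type", "sslca")  # documented default
    if auth not in AUTH_TYPES:
        return errors + ["authentication_type must be one of: " + ", ".join(AUTH_TYPES)], warnings
    if auth != "sslca":
        # Background on OPSEC, not from the page: only sslca encrypts the session.
        warnings.append(auth + " does not encrypt LEA traffic")
    if auth == "clear":
        return errors, warnings  # SIC and certificate fields are not shown for clear
    for key in ("sic_name", "entity_sic_name"):
        if not _is_text(cfg.get(key)):
            errors.append(key + " must be 1-255 characters")
    if cfg.get("specify_certificate"):
        name = cfg.get("certificate_filename", "")
        # The file must sit directly in CERT_DIR, so accept a bare file name only.
        if not _is_text(name) or posixpath.basename(name) != name or name in (".", ".."):
            errors.append("certificate_filename must be a file name inside " + CERT_DIR)
    else:
        for key in ("certificate_authority_ip", "pull_certificate_password", "opsec_application"):
            if not _is_text(cfg.get(key)):
                errors.append(key + " is required (up to 255 characters)")
    return errors, warnings

# Constructed sample; the SIC names are the examples printed in Table 1.
SAMPLE = {
    "authentication_type": "sslca_clear",
    "sic_name": "CN=LEA, o=fwconsole..7psasx",
    "entity_sic_name": "cn=cp_mgmt,o=fwconsole..7psasx",
    "specify_certificate": True, "certificate_filename": "../lea.p12",
}

if __name__ == "__main__":
    print(check_lea_config(SAMPLE))
```

    The sample is rejected because its certificate file name points outside the required directory, and it is flagged because sslca_clear leaves firewall events readable on the wire between the LEA server and JSA.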