
Check Point Multi-Domain Management (Provider-1)


You can configure JSA to integrate with a Check Point Multi-Domain Management (Provider-1) device.

All events from Check Point Multi-Domain Management (Provider-1) are parsed by the Check Point Multi-Domain Management (Provider-1) DSM. You can integrate Check Point Multi-Domain Management (Provider-1) by using one of the following methods:

  • Syslog

  • OPSEC/LEA

  • LEEF events forwarded by Check Point Log Exporter

Note

Depending on your operating system, the procedures for configuring the Check Point Multi-Domain Management (Provider-1) device can vary. The following procedures are based on the Check Point SecurePlatform operating system.

Integrating Syslog for Check Point Multi-Domain Management (Provider-1)

This method ensures that the Check Point Multi-Domain Management (Provider-1) DSM for JSA accepts Check Point Multi-Domain Management (Provider-1) events by using syslog.

JSA records all relevant Check Point Multi-Domain Management (Provider-1) events.

Configure syslog on your Check Point Multi-Domain Management (Provider-1) device:

  1. Type the following command to access the console as an expert user:

    expert

    A password prompt is displayed.

  2. Type your expert console password. Press the Enter key.
  3. Type the following command:

    csh

  4. Select the customer whose logs you want to forward:

    mdsenv <customer name>

  5. Type the following command:

    # nohup $FWDIR/bin/fw log -ftn | /usr/bin/logger -p <facility>.<priority> 2>&1 &

    Where:

    • <facility> is a syslog facility, for example, local3.

    • <priority> is a syslog priority, for example, info.

    You are now ready to configure the log source in JSA.

    The configuration is complete. Because Check Point Multi-Domain Management (Provider-1) syslog events are automatically discovered, the log source is added to JSA without further action. Events that are forwarded to JSA are displayed on the Log Activity tab.

Syslog Log Source Parameters for Check Point Multi-Domain Management (Provider-1)

If JSA does not automatically detect the log source, add a Check Point Multi-Domain Management (Provider-1) log source on the JSA Console by using the syslog protocol.

When using the syslog protocol, there are specific parameters that you must use.

The following table describes the parameters that require specific values to collect syslog events from Check Point Multi-Domain Management (Provider-1):

Table 1: Syslog Log Source Parameters for the Check Point Multi-Domain Management (Provider-1) DSM

  Parameter                Value
  Log Source type          Check Point
  Protocol Configuration   Syslog
  Log Source Identifier    Type the IP address or host name for your Check Point Multi-Domain Management (Provider-1) appliance.

Configuring OPSEC for Check Point Multi-Domain Management (Provider-1)

This method ensures that the JSA Check Point FireWall-1 DSM accepts Check Point Multi-Domain Management (Provider-1) events by using OPSEC.

In the Check Point Multi-Domain Management (Provider-1) Management Domain GUI (MDG), create a host object that represents JSA. The leapipe is the connection between Check Point Multi-Domain Management (Provider-1) and JSA.

To reconfigure the Check Point Multi-Domain Management (Provider-1) SmartCenter (MDG):

  1. To create a host object, open the Check Point SmartDashboard user interface and select Manage > Network Objects > New > Node > Host.
  2. Type the Name, IP address, and write comments if needed.
  3. Click OK.
  4. Select Close.
  5. To create the OPSEC connection, select Manage > Servers and OPSEC Applications > New > OPSEC Application Properties.
  6. Type a Name, and write comments if needed.

    The Name that you enter must be different from the name used in Step 2.

  7. From the Host drop-down menu, select the JSA host object that you created.
  8. From Application Properties, select User Defined as the Vendor type.
  9. From Client Entries, select LEA.
  10. Select OK and then Close.
  11. To install the Policy on your firewall, select Policy > Install > OK.

OPSEC/LEA Log Source Parameters for Check Point Multi-Domain Management (Provider-1)

If JSA does not automatically detect the log source, add a Check Point Multi-Domain Management (Provider-1) log source on the JSA Console by using the OPSEC/LEA protocol.

When using the OPSEC/LEA protocol, there are specific parameters that you must use.

The following table describes the parameters that require specific values to collect OPSEC/LEA events from Check Point Multi-Domain Management (Provider-1):

Table 2: OPSEC/LEA Log Source Parameters for the Check Point Multi-Domain Management (Provider-1) DSM

  Parameter                Value
  Log Source type          Check Point
  Protocol Configuration   OPSEC/LEA
  Log Source Identifier    Type the IP address for the log source. This value must match the value that you typed in the Server IP parameter.

Configuring Check Point to forward LEEF Events to JSA

To forward LEEF events to JSA, use the Check Point Log Exporter and configure a new target for the logs.

Log Exporter can be installed on several versions of Check Point. Before you send events in LEEF format to JSA, ensure that you have the correct version of Check Point and Log Exporter installed in your environment.

The following table describes where LEEF events are supported.

Table 3: Check Point versions that support LEEF

  Check Point version   Comments
  R80.20                Log Exporter is included in this version.
  R80.10                Install Log Exporter, then install the hotfix.
  R77.30                Install Log Exporter, then install the hotfix.

Check Point R80.20

If you want to preserve the Log Exporter configuration before you upgrade to Check Point R80.20, follow the Log Exporter backup and restore procedure.

Check Point R80.10

Ensure that Check Point version R80.10 is installed on the following servers:

  • R80.10 Multi-Domain Log Server

  • Security Management Server

  • Log Server

  • SmartEvent Server

You can install Log Exporter on version R80.10 Jumbo Hotfix Take 56 or later. The hotfix must be installed after Jumbo is installed. If you want to upgrade Jumbo, uninstall the hotfix, upgrade Jumbo, and then reinstall the hotfix.

Check Point R77.30

Ensure that Check Point version R77.30 is installed on the following servers:

  • Multi-Domain server

  • Multi-Domain Log Server

  • Log Server

  • SmartEvent Server

You can install Log Exporter on version R77.30 Jumbo Hotfix Take 292 or later. The hotfix must be installed after Jumbo is installed. If you want to upgrade Jumbo, uninstall the hotfix, upgrade Jumbo, and then reinstall the hotfix.

  1. To access expert mode on the Check Point Log Exporter console, type expert.
  2. Press Enter and then follow the prompts.

  3. On the Check Point Log Exporter console, type the following command:

    A new target directory and default files are created in the $EXPORTERDIR/targets/<deployment_name> directory.

    The following table shows sample parameters and their values.

    Table 4: Sample Target Configuration

      Parameter       Value
      Name            <service_name>
      Enabled         True
      Target-server   <QRadar_IP_address>
      Target-port     514
      Protocol        TCP
      Format          LEEF
      Read-mode       Semi-unified

    The default value for the Read-mode parameter is Semi-unified to ensure that complete data is collected.

  4. To change a configuration, type cp_log_export set.
  5. To verify a configuration in an existing deployment, type cp_log_export show.
  6. To start Log Exporter automatically, type the following command: cp_log_export restart.

    By default, Log Exporter doesn't start automatically.

Results

If JSA isn't receiving events from Check Point, try these troubleshooting tips:

  • Check the $EXPORTERDIR/targets/<deployment_name>/conf/LeefFieldsMapping.xml file for attributes-mapping issues.

  • Check the $EXPORTERDIR/targets/<deployment_name>/conf/LeefFormatDefinition.xml file for LEEF header-mapping issues.

  • Check the file paths. File paths might change with Check Point updates. If a configuration file can't be found, contact your Check Point administrator.
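Before editing the mapping files, it helps to confirm that the lines Log Exporter actually sends carry a well-formed LEEF header and the attributes JSA needs. The following checker is an added example (not Check Point or Juniper code); the sample events are constructed, and the required attribute names are assumptions. It handles both LEEF 1.0 (tab-separated attributes) and LEEF 2.0 (explicit delimiter field in the header).

```python
import re
from typing import Dict, List, Tuple

# Constructed sample lines in the shape a "format LEEF" target emits over
# syslog: an optional syslog prefix, then the LEEF header and attributes.
SAMPLE_EVENTS = [
    "<134>Jun  5 10:01:02 mds01 CheckPoint: LEEF:2.0|Check Point|Log Exporter|1.0|Accept|x09|"
    "devTime=1559728862\tsrc=10.0.0.5\tdst=192.0.2.10\tproto=tcp\tdstPort=443",
    "LEEF:1.0|Check Point|VPN-1 & FireWall-1|R80.20|Drop|src=10.0.0.9\tdst=198.51.100.7\trule=12",
    "<134>Jun  5 10:01:03 mds01 CheckPoint: not a LEEF event at all",
]

HEADER_RE = re.compile(r"LEEF:(?P<ver>\d+\.\d+)\|")

def _delimiter(token: str) -> str:
    # LEEF 2.0 writes the delimiter as a single character or as hex (x09 / 0x09).
    if re.fullmatch(r"(0?x)[0-9A-Fa-f]{2}", token):
        return chr(int(token[-2:], 16))
    return token if len(token) == 1 else "\t"

def parse_leef(line: str) -> Tuple[Dict[str, str], Dict[str, str]]:
    """Return (header, attributes) for one LEEF 1.0/2.0 line; raise ValueError if malformed."""
    m = HEADER_RE.search(line)
    if not m:
        raise ValueError("no LEEF header found")
    version = m.group("ver")
    n_fields = 5 if version.startswith("2") else 4  # 2.0 adds the delimiter field
    parts = line[m.end():].split("|", n_fields)
    if len(parts) != n_fields + 1:
        raise ValueError(f"LEEF {version} header needs {n_fields} pipe-separated fields")
    header = {"version": version, "vendor": parts[0], "product": parts[1],
              "product_version": parts[2], "event_id": parts[3]}
    delim = _delimiter(parts[4]) if n_fields == 5 else "\t"
    attrs = {}
    for kv in parts[-1].split(delim):
        if "=" in kv:
            key, value = kv.split("=", 1)
            attrs[key.strip()] = value
    if not attrs:
        raise ValueError("no key=value attributes after header")
    return header, attrs

def check_events(lines: List[str], required=("src", "dst")) -> Dict[str, List[str]]:
    """Classify lines as ok/bad with a reason; a missing required attribute counts as bad."""
    report: Dict[str, List[str]] = {"ok": [], "bad": []}
    for ln in lines:
        try:
            header, attrs = parse_leef(ln)
            missing = [k for k in required if k not in attrs]
            if missing:
                report["bad"].append(f"{header['event_id']}: missing {missing}")
            else:
                report["ok"].append(header["event_id"])
        except ValueError as err:
            report["bad"].append(str(err))
    return report
```

Run check_events over a capture of what reaches the JSA event collector: lines reported as bad for header reasons point at LeefFormatDefinition.xml, lines missing expected attributes point at LeefFieldsMapping.xml.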