Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

Check Point

 

You can configure JSA to integrate with a Check Point device by employing one of several methods.

Employ one of the following methods:

Note

Depending on your Operating System, the procedures for the Check Point device might vary. The following procedures are based on the Check Point SecurePlatform Operating system.

Integration Of Check Point by Using OPSEC

This section describes how to ensure that JSA accepts Check Point events using Open Platform for Security (OPSEC/LEA).

To integrate Check Point OPSEC/LEA with JSA, you must create two Secure Internal Communication (SIC) files and enter the information in to JSA as a Check Point log source.

Check Point Configuration Overview

To integrate Check Point with JSA, you must complete the following procedures in sequence:

  1. Add JSA as a host for Check Point.

  2. Add an OPSEC application to Check Point.

  3. Locate the Log Source Secure Internal Communications DN.

  4. In JSA, configure the OPSEC LEA protocol.

  5. Verify the OPSEC/LEA communications configuration.

Adding a Check Point Host

You can add JSA as a host in Check Point SmartCenter:

  1. Log in to the Check Point SmartDashboard user interface.
  2. Select Objects > New Host.
  3. Enter the information for your Check Point host:
    • Name: JSA

    • IP address: IP address of JSA

  4. Click OK.

You are now ready to create an OPSEC Application Object for Check Point.

Creating an OPSEC Application Object

After you add JSA as a host in Check Point SmartCenter, you can create the OPSEC Application Object:

  1. Open the Check Point SmartConsole user interface.
  2. Select Objects >More Object Types >Server >OPSEC Application >New Application.
  3. Configure your OPSEC Application:
    1. Configure the following OPSEC Application Properties parameters.

      Table 1: OPSEC Application Properties

      Parameter

      Value

      Name

      JSA-OPSEC

      Host

      JSA

      Client Entities

      LEA

    2. Click Communication.

    3. In the One-time password field, type the password that you want to use.

    4. In the Confirm one-time password field, type the password that you used for One-time password.

    5. Click Initialize.

    6. Click Close.

  4. Select Menu >Install Policy
  5. Click Publish & Install.
  6. Click Install.
  7. Select Menu >Install Database.
  8. Click Install.Note

    The SIC value is required for the OPSEC Application Object SIC attribute parameter when you configure the Check Point log source in JSA. The value can be found by viewing the OPSEC Application Object after it is created.

    The OPSEC Application Object resembles the following example:

    CN=QRadar=OPSEC,0=cpmodule..tdfaaz

If you have issues after you install the database policy, contact your system administrator to restart Check Point services on the central SmartCenter server that hosts the policy files. After services restart, the updated policies are pushed to all Check Point appliances.

Locating the Log Source SIC

After you create the OPSEC Application Object, you can locate the Log Source SIC from the Check Point SmartDashboard:

  1. Select Objects > Object Explorer.
  2. In the Categories tree, select Gateways and Servers under Networks Objects.
  3. Select your Check Point Log Host object.Note

    You must confirm whether the Check Point Log Host is a separate object in your configuration from the Check Point Management Server. In most cases, the Check Point Log Host is the same object as the Check Point Management Server.

  4. Click Edit.

    The Check Point Host General Properties window is displayed.

  5. Copy the Secure Internal Communication (SIC).Note

    Depending on your Check Point version, the Communication button does display the SIC attribute. You can locate the SIC attribute from the Check Point Management Server command-line interface. You must use the cpca_client lscert command from the command-line interface of the Management Server to display all certificates.

    Note

    The Log Source SIC Attribute resembles the following example: cn=cp_mgmt,o=cpmodule...tdfaaz. For more information, see your Check Point Command Line Interface Guide.

    You must now install the Security Policy from the Check Point SmartDashboard user interface.

  6. Select Policy >Install >OK.
  7. Select Policy >Install Database >OK

You are now ready to configure the OPSEC LEA protocol.

OPSEC/LEA Log Source Parameters for Check Point

If JSA does not automatically detect the log source, add a Check Point log source on the JSA Console by using the OPSEC/LEA protocol.

When using the OPSEC/LEA protocol, there are specific parameters that you must use.

The following table describes the parameters that require specific values to collect OPSEC/LEA events from Check Point:

Table 2: OPSEC/LEA Log Source Parameters for the Check Point DSM

Parameter

Value

Log Source type

Check Point

Protocol Configuration

OPSEC/LEA

Log Source Identifier

Type the IP address or host name for the log source as an identifier for events from your Check Point devices.

Edit Your OPSEC Communications Configuration

This section describes how to modify your Check Point configuration to allow OPSEC communications on non-standard ports.

It also explains how to configure communications in a clear text, unauthenticated stream, and verify the configuration in JSA.

Change Your Check Point Custom Log Manager (CLM) IP Address

If your Check Point configuration includes a Check Point Custom Log Manager (CLM), you might eventually need to change the IP address for the CLM, which impacts any of the automatically discovered Check Point log sources from that CLM in JSA. When you manually add the log source for the CLM by using the OPSEC/LEA protocol, all Check Point firewalls that forward logs to the CLM are automatically discovered by JSA. These automatically discovered log sources cannot be edited. If the CLM IP address changes, you must edit the original Check Point CLM log source that contains the OPSEC/LEA protocol configuration and update the server IP address and log source identifier.

After you update the log source for the new Check Point CLM IP address, then any new events reported from the automatically discovered Check Point log sources are updated.

Note

Do not delete and re-create your Check Point CLM or automatically discovered log sources in JSA. Deleting a log source does not delete event data, but can make finding previously recorded events more difficult.

Changing the Default Port for OPSEC LEA Communication

Change the default port (18184) on which OPSEC LEA communicates.

  1. At the command-line prompt of your Check Point SmartCenter Server, type the following command to stop the firewall services:

    cpstop

  2. Depending on your Check Point SmartCenter Server operating system, open the following file:
    • Linux - $FWDIR\conf\fwopsec.conf

    • Windows - %FWDIR%\conf\fwopsec.conf

    The default contents of this file are as follows:

  3. Change the default lea_server auth_port from 18184 to another port number.
  4. Remove the hash (#) mark from that line.
  5. Save and close the file.
  6. Type the following command to start the firewall services:

    cpstart

Configuring OPSEC LEA for Unencrypted Communication

You can configure the OPSEC LEA protocol for unencrypted communications:

  1. At the command-line prompt of your Check Point SmartCenter Server, stop the firewall services by typing the following command:

    cpstop

  2. Depending on your Check Point SmartCenter Server operating system, open the following file:
    • Linux - $FWDIR\conf\fwopsec.conf

    • Windows - %FWDIR%\conf\fwopsec.conf

  3. Change the default lea_server auth_port from 18184 to 0.
  4. Change the default lea_server port from 0 to 18184.
  5. Remove the hash (#) marks from both lines.
  6. Save and close the file.
  7. Type the following command to start the firewall services:

    cpstart

Integrate Check Point by Using Syslog

This section describes how to ensure that the JSA Check Point DSMs accept Check Point events with syslog.

Before you configure JSA to integrate with a Check Point device, you must take the following steps:

Note

If Check Point SmartCenter is installed on Microsoft Windows, you must integrate Check Point with JSA by using OPSEC.

  1. Type the following command to access the Check Point console as an expert user:

    expert

    A password prompt appears.

  2. Type your expert console password. Press the Enter key.

  3. Open the following file:

    /etc/rc.d/rc3.d/S99local

  4. Add the following lines:

    $FWDIR/bin/fw log -ftn | /usr/bin/logger -p <facility>.<priority> /dev/null 2>&1 &

    Where:

    • <facility> is a syslog facility, for example, local3.

    • <priority> is a syslog priority, for example, info.

    For example:

    $FWDIR/bin/fw log -ftn | /usr/bin/logger -p local3.info > /dev/null 2>&1 &

  5. Save and close the file.

  6. Open the syslog.conf file.

  7. Add the following line:

    <facility>.<priority> <TAB><TAB>@<host>

    Where:

    • <facility> is the syslog facility, for example, local3. This value must match the value that you typed in Step 4.

    • <priority> is the syslog priority, for example, info or notice. This value must match the value that you typed in Step 4.

    <TAB> indicates you must press the Tab key.

    <host> indicates the JSA Console or managed host.

  8. Save and close the file.

  9. Enter the following command to restart syslog:

    • In Linux: service syslog restart

    • In Solaris: /etc/init.d/syslog start

  10. Enter the following command:

    nohup $FWDIR/bin/fw log -ftn | /usr/bin/logger -p <facility>.<priority> > /dev/null 2>&1 &

    Where:

    • <facility> is a Syslog facility, for example, local3. This value must match the value that you typed in Step 4.

    • <priority> is a Syslog priority, for example, info. This value must match the value that you typed in Step 4.

The configuration is complete. The log source is added to JSA as Check Point syslog events are automatically discovered. Events that are forwarded to JSA are displayed on the Log Activity tab.

Integration Of Check Point Firewall Events from External Syslog Forwarders

Check Point Firewall events can be forwarded from external sources, such as Splunk Forwarders, or other third-party syslog forwarders that send events to JSA.

When Check Point Firewall events are provided from external sources in syslog format, the events identify with the IP address in the syslog header. This identification causes events to identify incorrectly when they are processed with the standard syslog protocol. The syslog redirect protocol provides administrators a method to substitute an IP address from the event payload into the syslog header to correctly identify the event source.

To substitute an IP address, administrators must identify a common field from their Check Point Firewall event payload that contains the proper IP address. For example, events from Splunk Forwarders use orig= in the event payload to identify the original IP address for the Check Point firewall. The protocol substitutes in the proper IP address to ensure that the device is properly identified in the log source. As Check Point Firewall events are forwarded, JSA automatically discovers and create new log sources for each unique IP address.

Substitutions are that are performed with regular expressions and can support either TCP or UDP syslog events. The protocol automatically configures iptables for the initial log source and port configuration. If an administrator decides to change the port assignment a Deploy Full Configuration is required to update the iptables configuration and use the new port assignment.

Syslog Redirect Log Source Parameters for Check Point

If JSA does not automatically detect the log source, add a Check Point log source on the JSA Console by using the Syslog Redirect protocol.

When using the Syslog Redirect protocol, there are specific parameters that you must use.

The following table describes the parameters that require specific values to collect Syslog Redirect events from Check Point:

Table 3: Syslog Redirect Log Source Parameters for the Check Point DSM

Parameter

Value

Log Source type

Check Point

Protocol Configuration

Syslog Redirect

Log Source Identifier

Type the IP address or host name for the log source as an identifier for events from your Check Point devices.

Configuring Check Point to forward LEEF Events to JSA

To forward LEEF events to JSA, use the Check Point Log Exporter and configure a new target for the logs.

Log Exporter can be installed on several versions of Check Point. Before you send events in LEEF format to JSA, ensure that you have the correct version of Check Point and Log Exporter installed in your environment.

The following table describes where LEEF events are supported.

Table 4: Check Point versions that support LEEF

Check Point version

Comments

80.20

Log Exporter is included in this version.

80.10

Install Log Exporter and then install the hotfix after.

77.30

Install Log Exporter and then install the hotfix after.

Check Point 80.20

If you want to preserve the Log Exporter configuration before you upgrade to Check Point R80.20, follow the backup and restore Log Exporter.

Check Point R80.10

Ensure that Check Point version R80.10 is installed on the following servers:

  • R80.10 Multi-Domain Log Server

  • Security Management Server

  • Log Server

  • SmartEvent Server

You can install Log Exporter on version R80.10 Jumbo Hotfix Take 56 or later. The hotfix must be installed after Jumbo is installed. If you want to upgrade Jumbo, uninstall the hotfix, upgrade Jumbo, and then reinstall the hotfix.

Check Point R77.30

Ensure that Check Point version R77.30 is installed on the following servers:

  • Multi-Domain server

  • Multi-Domain Log Server

  • Log Server

  • SmartEvent Server

You can install Log Exporter on version R77.30 Jumbo Hotfix Take 292 or later. The hotfix must be installed after Jumbo is installed. If you want to upgrade Jumbo, uninstall the hotfix, upgrade Jumbo, and then reinstall the hotfix.

  1. To access the expert mode on the Check Point Log Exporter console, type expert
  2. Click Enter and then follow the prompts.

    The Event Hub Connection String contains the Namespace Name, the path to the Event Hub within the namespace, and the shared access signature (SAS) authentication information.

  3. On the Check Point Log Exporter console, type the following command:

    A new target directory and default files are created in the $EXPORTERDIR/targets/<deployment_name> directory.

    The following table shows sample parameters and their values.

    Table 5: Sample Target Configuration

    Parameter

    Value

    Name

    <service_name>

    Enabled

    True

    Target-server

    <QRadar_IP_address>

    Target-port

    514

    Protocol

    TCP

    Format

    LEEF

    Read-mode

    Semi-unified

    The default value for the Read-mode parameter is Semi-unified to ensure that complete data is collected.

  4. To change a configuration, type cp_log_export set.
  5. To verify a configuration in an existing deployment, type cp_log_export show.
  6. To start Log Exporter automatically, type the following command: cp_log_export restart.

    By default, Log Exporter doesn't start automatically.

Results

If JSA isn't receiving events from Check Point, try these troubleshooting tips:

  • Check the $EXPORTERDIR/targets/<deployment_name>//conf/LeefFieldsMapping.xml file for attributes-mapping issues.

  • Check the $EXPORTERDIR/targets/<deployment_name>//conf/LeefFormatDefinition.xml file for LEEF header-mapping issues.

  • Check the file paths. File paths might change with Check Point updates. If a configuration file can't be found, contact your Check Point administrator.

Sample Event Messages

Use these sample event messages as a way of verifying a successful integration with JSA.

The following table provides sample event messages when you use the Syslog protocol for the Check Point DSM.

Table 6: Check Point sample message supported by Check Point

Event name

Low level category

Sample log message

Email arrived

SMTP in progress

<13>Sep 18 15:50:24 checkpoint.checkpoint.test 18Sep2018 15:50:24 10.253.192.190 product: MTA; src: 10.65.135.73; s_port: 1795; dst: 10.10.20.230 ; service: 25; proto: ; rule: ;arrival_time: 15372 78624;attachments_num: 1;email_content: Attachments;

Access denied - wrong user name or password

Access denied

<13>Jan 25 22:44:03 checkpoint.checkpoint. test 25Jan2018 22:44:03 authcrypt 10.0.0.1 product : Linux OS; src: ; s_port: 33278; dst: ; service: ; proto: ; rule: ;Src: 10.0.0.1;default_device_messa ge: <86>sshd[20132]: Failed password for admin1 fro m 10.0.0.1 port 33278 ssh2 ;facility: security/auth orization messages;has_accounting: 0;i/f_dir: inbou nd;is_first_for_luuid: 131072;logId: -1;log_sequenc e_num: 3;log_type: log;log_version: 5;login_status : failed;product_category: OS;syslog_severity: Inf ormational;user: admin1;