
Monitoring Firewall Rule Event Counts Of Check Point Devices


In JSA Risk Manager, you can monitor the firewall rule event counts of your Check Point devices by integrating with the Check Point SMS. You can view these rule interactions in JSA Risk Manager, and use rule reports to manage the rule policy effectiveness of your network.

In the following image, JSA receives and processes rule event logs from Check Point firewall devices through the SMS.

Figure 1: Check Point Rule Counting

Scenario - Implementing Check Point firewall rule monitoring in JSA

You are a network systems administrator with responsibility for network security in an organization that uses Check Point to implement its network security policies. The network includes several Check Point firewalls that are managed from a Check Point Security Management Server (SMS).

You want to view reports on rule usage daily, so that you have more visibility on your rule implementation.

You need to configure a connection between your Check Point SMS and JSA, so that JSA receives rule event logs from Check Point firewall devices. JSA processes this rule event log information and displays rule event information for all devices that are managed by Check Point firewalls. From the JSA rules table, you can analyze the usage and effectiveness of the firewall rules by monitoring event counts, and fine-tune your rules for optimal performance.

Use the rule information to do the following tasks:

  • View most and least used rules.

  • Assess the practicality of rules that are triggered infrequently.

  • View rules that might be blocking network access unnecessarily.

  • View rules that are triggered excessively and place a load on your network bandwidth.

  • View detailed events.

  • Schedule reports.

Before you begin, download the most recent adapter bundle from FixCentral, and install it on your JSA managed host.

Complete the following steps to set up rule counting:

  1. Configure OPSEC applications in the Check Point SmartDashboard.

  2. Create a log source in JSA.

  3. Configure Configuration Source Management (CSM) in JSA Risk Manager. Discover and back up devices in Configuration Source Management.

  4. Complete the configurations to view rule counting.

Configuring OPSEC Applications in the SmartDashboard

Create and configure two OPSEC applications in your Check Point SmartDashboard. These applications enable the transfer of log files between Check Point and JSA.

Create two OPSEC (Open Platform for Security) applications: one with a client entity property of CPMI (Check Point Management Interface) for JSA Risk Manager, and the other with a client entity property of LEA (Log Export API) for the JSA Risk Manager log source.

  1. From the Manage menu on the toolbar, click Servers and OPSEC Applications.
  2. Click New > OPSEC Application.
  3. In the Name field, type a name for the application.
  4. From the Host list, select a host, or click New to add a host.
  5. Under Client Entities, select the CPMI check box.

    This option is required for JSA Risk Manager Configuration Source Management (CSM).

  6. Click Communication.
  7. In the One-time password field, type a password and then confirm it.

    The password is used several times during setup, and you need to reuse it so that JSA can use a security certificate from Check Point.

  8. Click Initialize.

    The Trust state changes to: Initialized but trust not established.

  9. Click Close.
  10. To populate the DN field in the Secure Internal Communication section, click OK.
  11. To view the populated DN field, select your OPSEC Application, and click Edit.

    The DN field is now populated. This information is used for the Application Object SIC Attribute (SIC Name) and the SIC Attribute (SIC Name) when you set up the log source and Configuration Source Management in JSA.

  12. Create the second OPSEC application to use with the log source.

    Follow steps 1-11 for creating the first OPSEC Application, with two exceptions:

    • For the Name field in step 3, use a different name from the first OPSEC application.

    • For Client Entities in step 5, select the LEA check box.

    Make sure that the Trust state displays Initialized but trust not established.

    Tip

    Use the same one-time password for this OPSEC application to avoid any confusion with passwords.

  13. In SmartDashboard, close all windows until you get back to the main SmartDashboard window.
  14. From the Policy menu on the toolbar, click Install.
  15. Click Install on all selected gateways, if it fails do not install on gateways of the same version.

The next step is to configure the log source in JSA.

Configuring the Log Source

Configure the log source in JSA to get a certificate from Check Point and to receive log information.

  1. Log on to JSA.
  2. On the navigation menu, click Admin.
  3. Click Data Sources.

    The Data Sources pane is displayed.

  4. Click the Log Sources icon.
  5. Click Add.
  6. Configure the following values:

    Table 1: Check Point Log Source Parameters

    Log Source Name: The identifier for the log source.

    Log Source Description: Optional.

    Log Source Type: Select Check Point FireWall-1.

    Protocol Configuration: Select OPSEC/LEA.

    Log Source Identifier: The IP address of your SMS.

    Server IP: Type the IP address of your SMS.

    Server Port: Use port 18184.

    Use Server IP for Log Source: Do not select this check box.

    Statistics Report Interval: The default is 600.

    Authentication Type: From the list, select sslca.

    OPSEC Application Object SIC Attribute (SIC Name): From the Check Point SmartDashboard, click Manage > Servers and OPSEC Applications and select the OPSEC application that has the client entity property of LEA. Click Edit, copy the entry from the DN field, and paste it into this field.

    Log Source SIC Attribute (Entity SIC Name): Start from the entry that you pasted into the OPSEC Application Object SIC Attribute (SIC Name) field and replace the CN= property value with cp_mgmt_ followed by the OPSEC Application Host name; the O= value stays unchanged. The following example shows an OPSEC Application DN and OPSEC Application Host, and the Entity SIC Name that is formed from them:

      OPSEC Application DN: CN=cpsmsxxx,O=svxxx-CPSMS..bsaobx

      OPSEC Application Host: Srvxxx-SMS

      Entity SIC Name: CN=cp_mgmt_Srvxxx-SMS,O=svxxx-CPSMS..bsaobx

      This Entity SIC Name is based on a Gateway to Management Server setup. If your SMS address is not used as a gateway, use the Management Server form of the Entity SIC Name instead:

      CN=cp_mgmt,O=<take_O_value_from_DN_field>

    Specify Certificate: Do not select this check box.

    Certificate Authority IP: Type the IP address of the SMS.

    Pull Certificate Password: The password that you specified in the One-time password field of the Communication window in the OPSEC Application Properties.

    OPSEC Application: The name that you specified in the Name field of the OPSEC Application Properties.

    Enabled: Select this check box to enable the log source. By default, the check box is selected.

    Credibility: The range is 0 - 10. The credibility indicates the integrity of an event or offense as determined by the credibility rating from the source devices. Credibility increases when multiple sources report the same event. The default is 5.

    Target Event Collector: From the list, select the Target Event Collector to use as the target for the log source.

    Coalescing Events: Enables the log source to coalesce (bundle) events. By default, automatically discovered log sources inherit the value of the Coalescing Events list from the System Settings properties in JSA. When you create a log source or edit an existing configuration, you can override the default value by configuring this option for each log source.

    Store Event Payload: Enables the log source to store event payload information. By default, automatically discovered log sources inherit the value of the Store Event Payload list from the System Settings properties in JSA. When you create a log source or edit an existing configuration, you can override the default value by configuring this option for each log source.

  7. Click Save.
  8. On the Admin tab, click Deploy Changes.

    Even if the changes appear to be applied automatically, it is still good practice to click Deploy Changes.

    Check that trust is established for the OPSEC application that has the client entity property of LEA, by viewing the Trust State in the Communication window of OPSEC Application Properties.

    The configuration of the log source is complete.

    For more information about configuring log sources, see the Configuring DSMs Guide.

Establishing Secure Communication Between Check Point and JSA

Configure Configuration Source Management in JSA to connect to the Check Point SMS. Add the OPSEC Application details from the SmartDashboard, and request a security certificate from Check Point.

Configure the OPSEC application details in Configuration Source Management and set up the certificate exchange. After the configuration is complete, use Configuration Source Management to discover the new entry.

  1. Log in to JSA as an administrator.
  2. On the navigation menu, click Admin.
  3. Click Apps or scroll down to find the Configuration Source Management icon.
  4. Click the Configuration Source Management icon.
  5. On the navigation menu, click Credentials.
  6. From the Network Groups pane, click the (+) symbol.
  7. Type a name for the network group.
  8. In the Add address (IP, CIDR, Wildcard, or Range) field, type the IP address of your SMS.
  9. Click (+) to add the IP address.
  10. Type your SMS SmartDashboard user name and password.

    To configure the OPSEC fields, use the information from the OPSEC Application Properties window of the SmartDashboard, where you selected the CPMI check box for the client entity.

  11. From the DN field, copy and paste this information into the OPSEC Entity SIC Name field.
  12. Edit the entry that you pasted into the OPSEC Entity SIC Name by replacing the CN= property value with: cp_mgmt_<hostname>

    where <hostname> is the Host name that is used for the OPSEC application Host field.

    The following example shows an OPSEC Application DN and OPSEC Application Host, which are used to create the Entity SIC Name:

    • OPSEC Application DN: CN=cpsmsxxx,O=svxxx-CPSMS..bsaobx

    • OPSEC Application Host: Srvxxx-SMS

    Text from the OPSEC Application DN and the OPSEC Application Host is combined to form the Entity SIC Name:

    The Entity SIC Name is CN=cp_mgmt_Srvxxx-SMS,O=svxxx-CPSMS..bsaobx

    The Entity SIC Name in this configuration is based on a Gateway to Management Server setup. If your SMS IP address is not used as a gateway, use the Management Server format from the table:

    Table 2: Entity SIC Name Formats

    Management Server: CN=cp_mgmt,O=<take_O_value_from_DN_field>

    Gateway to Management Server: CN=cp_mgmt_<gateway_hostname>,O=<take_O_value_from_DN_field>

  13. From the DN field, copy the entry, and paste this information into the OPSEC Application Object SIC Name field.
  14. Click Get Certificate.
  15. Enter the SMS IP address in the Certificate Authority IP field.
  16. Enter the one-time password in the Pull Certificate Password field.

    The one-time password is from the Communication window in the OPSEC Application Properties of the SmartDashboard, where you selected the CPMI check box for the client entity.

  17. Click OK.

    If successful, the OPSEC SSL Certificate field is populated and grayed out.

    Verify that the Trust State property in the Communication window of the OPSEC Application Properties changes to Trust established.

    The credentials are set up, and now you can run a discovery.

  18. On the navigation menu, click Discover From Check Point SMS.
  19. In the CPSMS IP Address field, type the IP address of the SMS.
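The Entity SIC Name is derived the same way for the log source (Table 1) and for Configuration Source Management (Table 2): keep the O= value from the DN field and rewrite the CN= value. The following Python helper is an added example, not JSA or Check Point code; it assumes the simple comma-separated DN form shown in the SmartDashboard DN field and uses this page's placeholder values as constructed input.

```python
import re
from typing import Optional

# Constructed values copied from the examples on this page (not real hosts).
EXAMPLE_DN = "CN=cpsmsxxx,O=svxxx-CPSMS..bsaobx"
EXAMPLE_HOST = "Srvxxx-SMS"


def parse_dn(dn: str) -> dict:
    """Split a SIC DN such as 'CN=x,O=y' into a dict of its attributes.

    Assumption: the DN uses the plain comma-separated form shown in the
    SmartDashboard DN field; escaped commas inside values are not handled.
    """
    attrs = {}
    for part in dn.split(","):
        if "=" not in part:
            raise ValueError(f"malformed DN component: {part!r}")
        key, value = part.split("=", 1)
        attrs[key.strip().upper()] = value.strip()
    if "CN" not in attrs or "O" not in attrs:
        raise ValueError("DN must contain both CN= and O= attributes")
    return attrs


def entity_sic_name(dn: str, host: Optional[str] = None) -> str:
    """Build the Entity SIC Name that JSA expects from the OPSEC Application DN.

    host given   -> Gateway to Management Server form: CN=cp_mgmt_<host>,O=<O>
    host omitted -> Management Server form:            CN=cp_mgmt,O=<O>
    The O= value is carried over unchanged from the DN field.
    """
    attrs = parse_dn(dn)
    if host:
        # Reject anything that is not a plain host name before it lands in a DN.
        if not re.fullmatch(r"[A-Za-z0-9._-]+", host):
            raise ValueError(f"unexpected characters in host name: {host!r}")
        cn = f"cp_mgmt_{host}"
    else:
        cn = "cp_mgmt"
    return f"CN={cn},O={attrs['O']}"


if __name__ == "__main__":
    print(entity_sic_name(EXAMPLE_DN, EXAMPLE_HOST))  # gateway form
    print(entity_sic_name(EXAMPLE_DN))                # management server form
```

Compare the function's output with the value you pasted into the Entity SIC Name field; a mismatch usually means the CN= value was left in place or the O= value was altered.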

Initializing Rule Counting for Check Point

Complete the final configurations in JSA and Check Point to tie the configurations together so that you can use rule counting in JSA.

When trust is established and the policies are updated, you can view rule counting in JSA. JSA Risk Manager needs approximately 1 hour to process counts.

  1. In JSA, click Risks > Configuration Monitor.
  2. Double-click a Check Point device to view the rule counting.

    • Verify that the log source is auto mapping by looking in the Log Sources column.

    • Look for the Event Count column of the rules table.