Check Point

You can configure JSA to integrate with a Check Point device by employing one of several methods.

Employ one of the following methods:

Note:

Depending on your operating system, the procedures for the Check Point device might vary. The following procedures are based on the Check Point SecurePlatform operating system.

Integrate Check Point by Using OPSEC

This section describes how to ensure that JSA accepts Check Point events using Open Platform for Security (OPSEC/LEA).

To integrate Check Point OPSEC/LEA with JSA, you must create two Secure Internal Communication (SIC) files and enter the information into JSA as a Check Point log source.

Check Point Configuration Overview

To integrate Check Point with JSA, you must complete the following procedures in sequence:

  1. Add JSA as a host for Check Point.

  2. Add an OPSEC application to Check Point.

  3. Locate the Log Source Secure Internal Communications DN.

  4. In JSA, configure the OPSEC LEA protocol.

  5. Verify the OPSEC/LEA communications configuration.

Adding a Check Point Host

You can add JSA as a host in Check Point SmartCenter:

  1. Log in to the Check Point SmartDashboard user interface.

  2. Select Objects > New Host.

  3. Enter the information for your Check Point host:

    • Name: Specify a name for the host, for example, JSA.

    • IP address: The IP address of JSA.

  4. Click OK.

Creating an OPSEC Application Object

After you add JSA as a host in Check Point SmartCenter, you can create the OPSEC Application Object:

  1. Open the Check Point SmartConsole user interface.

  2. Select Objects > More Object Types > Server > OPSEC Application > New Application.

  3. Configure your OPSEC Application:

    1. Configure the following OPSEC Application Properties parameters.

      Table 1: OPSEC Application Properties

      Parameter         Value
      Name              Specify a name for the OPSEC application. For example, JSA-OPSEC
      Host              JSA
      Client Entities   LEA

    2. Click Communication.

    3. In the One-time password field, type the password that you want to use.

    4. In the Confirm one-time password field, type the password that you used for One-time password.

    5. Click Initialize.

    6. Click Close.

  4. Select Menu > Install Policy.

  5. Click Publish & Install.

  6. Click Install.

  7. Select Menu > Install Database.

  8. Click Install.

    Note:

    The SIC value is required for the OPSEC Application Object SIC attribute parameter when you configure the Check Point log source in JSA. The value can be found by viewing the OPSEC Application Object after it is created.

    The OPSEC Application Object resembles the following example:

    CN=QRadar-OPSEC,O=cpmodule...tdfaaz

If you have issues after you install the database policy, contact your system administrator to restart Check Point services on the central SmartCenter server that hosts the policy files. After services restart, the updated policies are pushed to all Check Point appliances.

Locating the Log Source SIC

After you create the OPSEC Application Object, you can locate the Log Source SIC from the Check Point SmartDashboard:

  1. Select Objects > Object Explorer.

  2. In the Categories tree, select Gateways and Servers under Networks Objects.

  3. Select your Check Point Log Host object.

    Note:

    You must confirm whether the Check Point Log Host is a separate object in your configuration from the Check Point Management Server. In most cases, the Check Point Log Host is the same object as the Check Point Management Server.

  4. Click Edit.

    The Check Point Host General Properties window is displayed.

  5. Copy the Secure Internal Communication (SIC).

    Note:

    Depending on your Check Point version, the Communication button might not display the SIC attribute. In that case, you can locate the SIC attribute from the Check Point Management Server command-line interface: use the cpca_client lscert command on the Management Server to display all certificates.

    Note:

    The Log Source SIC Attribute resembles the following example: cn=cp_mgmt,o=cpmodule...tdfaaz. For more information, see your Check Point Command Line Interface Guide.

    You must now install the Security Policy from the Check Point SmartDashboard user interface.

  6. Select Policy > Install > OK.

  7. Select Policy > Install Database > OK.

You are now ready to configure the OPSEC LEA protocol.

OPSEC/LEA Log Source Parameters for Check Point

If JSA does not automatically detect the log source, add a Check Point log source on the JSA Console by using the OPSEC/LEA protocol.

When using the OPSEC/LEA protocol, there are specific parameters that you must use.

The following table describes the parameters that require specific values to collect OPSEC/LEA events from Check Point:

Table 2: OPSEC/LEA Log Source Parameters for the Check Point DSM

Parameter                Value
Log Source type          Check Point
Protocol Configuration   OPSEC/LEA
Log Source Identifier    Type the IP address or host name for the log source as an identifier for events from your Check Point devices.

Edit Your OPSEC Communications Configuration

This section describes how to modify your Check Point configuration to allow OPSEC communications on non-standard ports.

It also explains how to configure communications in a clear text, unauthenticated stream, and verify the configuration in JSA.

Change Your Check Point Custom Log Manager (CLM) IP Address

If your Check Point configuration includes a Check Point Custom Log Manager (CLM), you might eventually need to change the IP address for the CLM, which impacts any of the automatically discovered Check Point log sources from that CLM in JSA. When you manually add the log source for the CLM by using the OPSEC/LEA protocol, all Check Point firewalls that forward logs to the CLM are automatically discovered by JSA. These automatically discovered log sources cannot be edited. If the CLM IP address changes, you must edit the original Check Point CLM log source that contains the OPSEC/LEA protocol configuration and update the server IP address and log source identifier.

After you update the log source for the new Check Point CLM IP address, then any new events reported from the automatically discovered Check Point log sources are updated.

Note:

Do not delete and re-create your Check Point CLM or automatically discovered log sources in JSA. Deleting a log source does not delete event data, but can make finding previously recorded events more difficult.

Changing the Default Port for OPSEC LEA Communication

Change the default port (18184) on which OPSEC LEA communicates.

  1. At the command-line prompt of your Check Point SmartCenter Server, type the following command to stop the firewall services:

    cpstop

  2. Depending on your Check Point SmartCenter Server operating system, open the following file:

    • Linux - $FWDIR/conf/fwopsec.conf

    • Windows - %FWDIR%\conf\fwopsec.conf

    The default contents of this file are as follows:

  3. Change the default lea_server auth_port from 18184 to another port number.

  4. Remove the hash (#) mark from that line.

  5. Save and close the file.

  6. Type the following command to start the firewall services:

    cpstart

Configuring OPSEC LEA for Unencrypted Communication

You can configure the OPSEC LEA protocol for unencrypted communications:

  1. At the command-line prompt of your Check Point SmartCenter Server, stop the firewall services by typing the following command:

    cpstop

  2. Depending on your Check Point SmartCenter Server operating system, open the following file:

    • Linux - $FWDIR/conf/fwopsec.conf

    • Windows - %FWDIR%\conf\fwopsec.conf

  3. Change the default lea_server auth_port from 18184 to 0.

  4. Change the default lea_server port from 0 to 18184.

  5. Remove the hash (#) marks from both lines.

  6. Save and close the file.

  7. Type the following command to start the firewall services:

    cpstart
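As an added check that is not part of the original documentation, the following Python code reads a fwopsec.conf and reports which LEA listener mode the two procedures above leave in effect. The sample file contents are constructed; the defaults it assumes (auth_port 18184, port 0) are the ones the procedures cite.

```python
import re
from typing import Dict

# Defaults the procedures above start from: authenticated (SIC) LEA on 18184,
# clear-text LEA port disabled (0). Used for any line that stays commented out.
LEA_DEFAULTS = {"auth_port": 18184, "port": 0}

# Matches an active (uncommented) "lea_server <key> <value>" line.
LEA_LINE = re.compile(r"^\s*lea_server\s+(auth_port|port)\s+(\d+)\s*$")


def active_lea_settings(conf_text: str) -> Dict[str, int]:
    """Return the lea_server settings that are actually in force.

    Lines beginning with '#' are comments and keep the default; if the
    same key appears twice uncommented, the last occurrence wins.
    """
    settings = dict(LEA_DEFAULTS)
    for line in conf_text.splitlines():
        if line.lstrip().startswith("#"):
            continue
        m = LEA_LINE.match(line)
        if m:
            settings[m.group(1)] = int(m.group(2))
    return settings


def lea_mode(conf_text: str) -> Dict[str, object]:
    """Classify the LEA listener as 'sic' (authenticated, encrypted),
    'clear' (unauthenticated), 'both', or 'disabled', with its port(s)."""
    s = active_lea_settings(conf_text)
    sic, clear = s["auth_port"], s["port"]
    if sic and clear:
        return {"mode": "both", "sic_port": sic, "clear_port": clear}
    if sic:
        return {"mode": "sic", "port": sic}
    if clear:
        return {"mode": "clear", "port": clear}
    return {"mode": "disabled"}


# Constructed samples (not the real file contents), one per procedure above.
CONF_DEFAULT = """\
# lea_server auth_port 18184
# lea_server port 0
"""

CONF_CUSTOM_PORT = """\
lea_server auth_port 18185
# lea_server port 0
"""

CONF_CLEARTEXT = """\
lea_server auth_port 0
lea_server port 18184
"""

if __name__ == "__main__":
    for name, conf in [("default", CONF_DEFAULT),
                       ("custom port", CONF_CUSTOM_PORT),
                       ("clear text", CONF_CLEARTEXT)]:
        print(f"{name}: {lea_mode(conf)}")
```

Run it against the real $FWDIR/conf/fwopsec.conf after either procedure to confirm that only the intended listener is open.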

Integrate Check Point by Using Syslog

This section describes how to ensure that the JSA Check Point DSMs accept Check Point events by using syslog.

Before you configure JSA to integrate with a Check Point device, you must take the following steps:

Note:

If Check Point SmartCenter is installed on Microsoft Windows, you must integrate Check Point with JSA by using OPSEC.

  1. Type the following command to access the Check Point console as an expert user:

    expert

    A password prompt appears.

  2. Type your expert console password. Press the Enter key.

  3. Open the following file:

    /etc/rc.d/rc3.d/S99local

  4. Add the following lines:

    $FWDIR/bin/fw log -ftn | /usr/bin/logger -p <facility>.<priority> > /dev/null 2>&1 &

    Where:

    • <facility> is a syslog facility, for example, local3.

    • <priority> is a syslog priority, for example, info.

    For example:

    $FWDIR/bin/fw log -ftn | /usr/bin/logger -p local3.info > /dev/null 2>&1 &

  5. Save and close the file.

  6. Open the syslog.conf file.

  7. Add the following line:

    <facility>.<priority> <TAB><TAB>@<host>

    Where:

    • <facility> is the syslog facility, for example, local3. This value must match the value that you typed in Step 4.

    • <priority> is the syslog priority, for example, info or notice. This value must match the value that you typed in Step 4.

    <TAB> indicates you must press the Tab key.

    <host> indicates the JSA Console or managed host.

  8. Save and close the file.

  9. Enter the following command to restart syslog:

    • In Linux: service syslog restart

    • In Solaris: /etc/init.d/syslog start

  10. Enter the following command:

    nohup $FWDIR/bin/fw log -ftn | /usr/bin/logger -p <facility>.<priority> > /dev/null 2>&1 &

    Where:

    • <facility> is a Syslog facility, for example, local3. This value must match the value that you typed in Step 4.

    • <priority> is a Syslog priority, for example, info. This value must match the value that you typed in Step 4.

The configuration is complete. The log source is added to JSA as Check Point syslog events are automatically discovered. Events that are forwarded to JSA are displayed on the Log Activity tab.

Configuring Check Point to forward LEEF Events to JSA

To forward LEEF events to JSA, use the Check Point Log Exporter and configure a new target for the logs.

Log Exporter can be installed on several versions of Check Point. Before you send events in LEEF format to JSA, ensure that you have the correct version of Check Point and Log Exporter installed in your environment.

The following table describes where LEEF events are supported.

Table 3: Check Point versions that support LEEF

Check Point version   Comments
R80.20                Log Exporter is included in this version.
R80.10                Install Log Exporter and then install the hotfix after.
R77.30                Install Log Exporter and then install the hotfix after.

Check Point R80.20

If you want to preserve the Log Exporter configuration before you upgrade to Check Point R80.20, follow the Log Exporter backup and restore procedure.

Check Point R80.10

Ensure that Check Point version R80.10 is installed on the following servers:

  • R80.10 Multi-Domain Log Server

  • Security Management Server

  • Log Server

  • SmartEvent Server

You can install Log Exporter on version R80.10 Jumbo Hotfix Take 56 or later. The hotfix must be installed after Jumbo is installed. If you want to upgrade Jumbo, uninstall the hotfix, upgrade Jumbo, and then reinstall the hotfix.

Check Point R77.30

Ensure that Check Point version R77.30 is installed on the following servers:

  • Multi-Domain server

  • Multi-Domain Log Server

  • Log Server

  • SmartEvent Server

You can install Log Exporter on version R77.30 Jumbo Hotfix Take 292 or later. The hotfix must be installed after Jumbo is installed. If you want to upgrade Jumbo, uninstall the hotfix, upgrade Jumbo, and then reinstall the hotfix.

  1. To access the expert mode on the Check Point Log Exporter console, type expert.

  2. Press Enter and then follow the prompts.

  3. On the Check Point Log Exporter console, type the following command:

    A new target directory and default files are created in the $EXPORTERDIR/targets/<deployment_name> directory.

    The following table shows sample parameters and their values.

    Table 4: Sample Target Configuration

    Parameter       Value
    Name            <service_name>
    Enabled         True
    Target-server   <QRadar_IP_address>
    Target-port     514
    Protocol        TCP
    Format          LEEF
    Read-mode       Semi-unified

    The default value for the Read-mode parameter is Semi-unified to ensure that complete data is collected.

  4. To change a configuration, type cp_log_export set.

  5. To verify a configuration in an existing deployment, type cp_log_export show.

  6. To start Log Exporter automatically, type the following command: cp_log_export restart.

    By default, Log Exporter doesn't start automatically.

Results

If JSA isn't receiving events from Check Point, try these troubleshooting tips:

  • Check the $EXPORTERDIR/targets/<deployment_name>/conf/LeefFieldsMapping.xml file for attribute-mapping issues.

  • Check the $EXPORTERDIR/targets/<deployment_name>/conf/LeefFormatDefinition.xml file for LEEF header-mapping issues.

  • Check the file paths. File paths might change with Check Point updates. If a configuration file can't be found, contact your Check Point administrator.

Syslog log source parameters for Check Point

If JSA does not automatically detect the log source, add a Check Point log source on the JSA Console by using the Syslog protocol.

When using the Syslog protocol, there are specific parameters that you must use.

The following table describes the parameters that require specific values to collect Syslog events from Check Point:

Table 5: Syslog Log Source Parameters for the Check Point DSM

Parameter

Value

Log Source type

Check Point

Protocol Configuration

Syslog

Log Source Identifier

Type the IP address or host name for the log source as an identifier for events from your Check Point devices.

Configuring JSA to receive LEEF events from Check Point

By default, Check Point LEEF events are mapped to the legacy OPSEC LEA event-mapping schema. If you want to change the way that JSA maps events, you can use the DSM Editor to disable legacy event mapping.

  1. Click the Admin tab.

  2. In the Data Sources section, click DSM Editor.

  3. From the Select Log Source Type window, select Check Point from the list, and click Select.

  4. On the Configuration tab, set Display DSM Parameters Configuration to on.

  5. From the Event Collector list, select the event collector for the log source.

  6. Set Disable legacy event mapping to on.

  7. Click Save and close the DSM Editor.

Integrating Check Point by using TLS Syslog

Before you can add a log source in JSA, you need to generate certificates on the JSA Console and then copy the certificates to your Check Point device.

  1. Using SSH, log in to your JSA Console.

  2. Generate the root CA key by typing the following command:

    openssl genrsa -out RootCA.key 2048

  3. Generate the root CA pem by typing the following command:

    openssl req -x509 -new -nodes -key RootCA.key -days 2048 -out RootCA.pem

    Note:

    When prompted to provide Distinguished Name (DN) information about the certificate, you might want to use CheckpointRootCA as the Common Name value. The Common Name value can’t be the same Common Name value that you use for any other certificates. All other fields are optional and can be left blank. However, if you purchase an SSL certificate from a certificate authority, you might need to configure more fields, such as Organization to accurately reflect your organization's information.

  4. To generate the client key, type the following command:

    openssl genrsa -out log_exporter.key 2048

    Note:

    Do not share the client key with anyone.

  5. To generate the client certificate sign request, type the following command:

    openssl req -new -key log_exporter.key -out log_exporter.csr

    Note:

    When prompted to provide Distinguished Name (DN) information about the certificate, you might want to use the Check Point IP address as the Common Name value. The Common Name value can’t be the same Common Name value that you use for any other certificates. All other fields are optional and can be left blank. When you type a value for the A challenge password field, do not use special characters for the password. If you purchase an SSL certificate from a certificate authority, you might need to configure more fields, such as Organization to accurately reflect your organization's information.

  6. To sign the certificate by using the CA files, type the following command:

    openssl x509 -req -in log_exporter.csr -CA RootCA.pem -CAkey RootCA.key -CAcreateserial -out log_exporter.crt -days 2048 -sha256

  7. To convert the certificate to p12 format, type the following command:

    openssl pkcs12 -inkey log_exporter.key -in log_exporter.crt -export -out log_exporter.p12

    Note:

    When you type a value for the Export password field, do not use special characters for the password.

  8. Generate the server key by typing the following command:

    openssl genrsa -out syslogServer.key 2048

    Note:

    Do not share the server key with anyone.

  9. Generate the server certificate sign request by typing the following command:

    openssl req -new -key syslogServer.key -out syslogServer.csr

    Note:

    When prompted to provide Distinguished Name (DN) information about the certificate, you might want to use the JSA IP address as the Common Name value. The Common Name value can’t be the same Common Name value that you use for any other certificates. All other fields are optional and can be left blank. When you type a value for the A challenge password field, do not use special characters for the password. If you purchase an SSL certificate from a certificate authority, you might need to configure more fields, such as Organization to accurately reflect your organization's information.

  10. To sign the certificate by using the CA files, type the following command:

    openssl x509 -req -in syslogServer.csr -CA RootCA.pem -CAkey RootCA.key -CAcreateserial -out syslogServer.crt -days 2048 -sha256

  11. To convert the server certificate and key to a p12 file, type the following command:

    openssl pkcs12 -inkey syslogServer.key -in syslogServer.crt -export -out syslogServer.p12

    Note:

    When you type a value for the Enter Export Password field, do not use special characters for the password.

  12. Using SSH, log in to your Check Point device.

  13. To access expert mode, type the following command:

    expert

  14. Create a certs directory inside your deployment directory:

    mkdir -p $EXPORTERDIR/targets/<deployment_name>/certs

    Where <deployment_name> is the hostname of your JSA Console.

  15. Copy the RootCA.pem and log_exporter.p12 files that you created in Steps 3 and 7 to the directory that you created on your Check Point device in Step 14 by typing the following command:

    scp root@jsa_ip:RootCA.pem root@jsa_ip:log_exporter.p12 $EXPORTERDIR/targets/<deployment_name>/certs/

  16. Type the following commands:

    chmod +r $EXPORTERDIR/targets/<deployment_name>/certs/RootCA.pem

    chmod +r $EXPORTERDIR/targets/<deployment_name>/certs/log_exporter.p12

    cp_log_export add name <deployment_name> target-server <QRadar_host_IP> protocol tcp target-port <port_from_log_source_config> format leef encrypted true ca-cert $EXPORTERDIR/targets/<deployment_name>/certs/RootCA.pem client-cert $EXPORTERDIR/targets/<deployment_name>/certs/log_exporter.p12 client-secret <password_for_p12>

Add a log source in JSA by using the TLS Syslog protocol. For more information, see TLS syslog log source parameters for Check Point.

TLS syslog log source parameters for Check Point

If JSA does not automatically detect the log source, add a Check Point log source on the JSA Console by using the TLS syslog protocol.

When using the TLS Syslog protocol, there are specific parameters that you must use.

The following table describes the parameters that require specific values to collect TLS Syslog events from Check Point:

Table 6: TLS Syslog Log Source Parameters for the Check Point DSM

Parameter                 Value
Log Source type           Check Point
Protocol Configuration    TLS Syslog
Log Source Identifier     Type the IP address of your Check Point server as an identifier for events from your Check Point devices.
TLS Listen Port           6514
Authentication Mode       TLS and Client Authentication
Client Certificate Path   <full_path_to_file>/log_exporter.crt
Certificate Type          PKCS12 Certificate Chain and Password
PKCS12 Certificate Path   <full_path_to_the_file>/syslogServer.p12
PKCS12 Password           The password for the PKCS12 Certificate.
Certificate Alias         This field must be empty.
Max Payload Length        4096
Maximum Connections       50

Integration Of Check Point Firewall Events from External Syslog Forwarders

Check Point Firewall events can be forwarded from external sources, such as Splunk Forwarders, or other third-party syslog forwarders that send events to JSA.

When Check Point Firewall events are provided from external sources in syslog format, the events are identified by the IP address in the syslog header. With the standard syslog protocol, this causes the events to be attributed to the wrong source. The syslog redirect protocol gives administrators a way to substitute an IP address from the event payload into the syslog header so that the event source is identified correctly.

To substitute an IP address, administrators must identify a common field in their Check Point Firewall event payload that contains the proper IP address. For example, events from Splunk Forwarders use orig= in the event payload to identify the original IP address of the Check Point firewall. The protocol substitutes the proper IP address so that the device is correctly identified in the log source. As Check Point Firewall events are forwarded, JSA automatically discovers and creates new log sources for each unique IP address.

Substitutions are performed with regular expressions and support either TCP or UDP syslog events. The protocol automatically configures iptables for the initial log source and port configuration. If an administrator changes the port assignment, a Deploy Full Configuration is required to update the iptables configuration and use the new port assignment.
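The substitution described above, as an added Python example that is not JSA's own implementation: it pulls the orig= address out of the payload, rewrites the syslog header with it, and groups events by the resulting identifier. The forwarder address, gateway addresses and event lines are constructed.

```python
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# Syslog header as a forwarder relays it: <PRI>, a BSD timestamp, the
# relaying host's address, then the Check Point payload.
HEADER_RE = re.compile(
    r"^(?P<pri><\d{1,3}>)"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) "
    r"(?P<payload>.*)$"
)

# Default substitution pattern: the orig= field that Splunk-forwarded
# Check Point events carry, as described above. Group 1 is the IP.
ORIG_RE = re.compile(r"\borig=(\d{1,3}(?:\.\d{1,3}){3})\b")


def _valid_ipv4(ip: str) -> bool:
    return all(0 <= int(octet) <= 255 for octet in ip.split("."))


def redirect(line: str, pattern=ORIG_RE) -> Tuple[str, str]:
    """Return (log source identifier, line with the header host replaced).

    If the payload has no usable match, the header host is kept so the
    event is not lost; it is simply attributed to the forwarder.
    """
    m = HEADER_RE.match(line)
    if not m:
        raise ValueError("not a syslog line: %r" % line[:40])
    found = pattern.search(m.group("payload"))
    if not found or not _valid_ipv4(found.group(1)):
        return m.group("host"), line
    ip = found.group(1)
    return ip, f"{m.group('pri')}{m.group('ts')} {ip} {m.group('payload')}"


def discover_sources(lines: List[str]) -> Dict[str, List[str]]:
    """Group rewritten events by identifier, mirroring the per-IP log
    sources that JSA creates automatically."""
    sources: Dict[str, List[str]] = defaultdict(list)
    for line in lines:
        ident, rewritten = redirect(line)
        sources[ident].append(rewritten)
    return dict(sources)


# Constructed sample: one forwarder (192.0.2.10) relaying events from two
# gateways; the last line lacks orig= and stays attributed to the forwarder.
SAMPLE_LINES = [
    "<134>Oct  3 09:12:44 192.0.2.10 CheckPoint: orig=10.1.1.1 action=accept "
    "src=10.1.5.20 dst=203.0.113.7 service=443",
    "<134>Oct  3 09:12:45 192.0.2.10 CheckPoint: orig=10.1.1.2 action=drop "
    "src=198.51.100.9 dst=10.1.5.20 service=22",
    "<134>Oct  3 09:12:46 192.0.2.10 CheckPoint: orig=10.1.1.1 action=accept "
    "src=10.1.5.21 dst=203.0.113.7 service=443",
    "<134>Oct  3 09:12:47 192.0.2.10 CheckPoint: action=accept src=10.1.5.22 "
    "dst=203.0.113.8 service=80",
]

if __name__ == "__main__":
    for ident, events in discover_sources(SAMPLE_LINES).items():
        print(ident, len(events), "event(s)")
```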

Syslog Redirect Log Source Parameters for Check Point

If JSA does not automatically detect the log source, add a Check Point log source on the JSA Console by using the Syslog Redirect protocol.

When using the Syslog Redirect protocol, there are specific parameters that you must use.

The following table describes the parameters that require specific values to collect Syslog Redirect events from Check Point:

Table 7: Syslog Redirect Log Source Parameters for the Check Point DSM

Parameter                Value
Log Source type          Check Point
Protocol Configuration   Syslog Redirect
Log Source Identifier    Type the IP address or host name for the log source as an identifier for events from your Check Point devices.

Check Point Sample Event Messages

Use these sample event messages as a way of verifying a successful integration with JSA.

The following table provides sample event messages when you use the Syslog protocol for the Check Point DSM.

Table 8: Check Point sample messages supported by the Check Point DSM

Event name: Email arrived
Low level category: SMTP in progress
Sample log message:

<13>Sep 18 15:50:24 checkpoint.checkpoint.test 18Sep2018 15:50:24 10.253.192.190 product: MTA; src: 10.65.135.73; s_port: 1795; dst: 10.10.20.230; service: 25; proto: ; rule: ;arrival_time: 1537278624;attachments_num: 1;email_content: Attachments;

Event name: Access denied - wrong user name or password
Low level category: Access denied
Sample log message:

<13>Jan 25 22:44:03 checkpoint.checkpoint.test 25Jan2018 22:44:03 authcrypt 10.0.0.1 product: Linux OS; src: ; s_port: 33278; dst: ; service: ; proto: ; rule: ;Src: 10.0.0.1;default_device_message: <86>sshd[20132]: Failed password for admin1 from 10.0.0.1 port 33278 ssh2 ;facility: security/authorization messages;has_accounting: 0;i/f_dir: inbound;is_first_for_luuid: 131072;logId: -1;log_sequence_num: 3;log_type: log;log_version: 5;login_status: failed;product_category: OS;syslog_severity: Informational;user: admin1;
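To verify the integration beyond eyeballing the samples, the following added Python example (not part of the original documentation or of JSA) parses the two sample messages above into fields and surfaces the failed login; the header layout and the "key: value;" payload format are taken from the samples themselves.

```python
import re
from typing import Dict, Optional

# Header layout seen in the samples above: <PRI>, BSD timestamp, reporting
# host, Check Point's own timestamp, an optional action word (e.g. authcrypt),
# the origin IP, then the "key: value;" payload.
HEADER_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<syslog_ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) "
    r"(?P<cp_ts>\d{1,2}[A-Z][a-z]{2}\d{4} \d\d:\d\d:\d\d) "
    r"(?:(?P<action>[A-Za-z_]+) )?"
    r"(?P<origin>\d{1,3}(?:\.\d{1,3}){3}) "
    r"(?P<payload>.*)$"
)


def parse_payload(payload: str) -> Dict[str, str]:
    """Split 'key: value;' pairs; empty values (e.g. 'proto: ;') are kept
    as empty strings so their absence is visible to detection logic."""
    fields: Dict[str, str] = {}
    for chunk in payload.split(";"):
        chunk = chunk.strip()
        if not chunk:
            continue
        # Split on the first ': ' so values that contain ':' (sshd[...]:)
        # survive intact; fall back to a bare ':' for 'proto:'-style pairs.
        key, sep, value = chunk.partition(": ")
        if not sep:
            key, _, value = chunk.partition(":")
        fields[key.strip()] = value.strip()
    return fields


def parse_event(line: str) -> Dict[str, str]:
    m = HEADER_RE.match(line)
    if not m:
        raise ValueError("unrecognised Check Point syslog line")
    fields = parse_payload(m.group("payload"))
    fields["_origin"] = m.group("origin")
    fields["_pri"] = m.group("pri")
    if m.group("action"):
        fields["_action"] = m.group("action")
    return fields


def failed_login(fields: Dict[str, str]) -> Optional[Dict[str, str]]:
    """Detection helper: surface failed OS logins. Note that the sample
    carries the client address in 'Src' while the lowercase 'src' is empty."""
    if fields.get("login_status") != "failed":
        return None
    return {
        "user": fields.get("user", ""),
        "src": fields.get("src") or fields.get("Src", ""),
        "origin": fields["_origin"],
    }


# The two sample messages from the table above, reproduced as test input.
SAMPLES = [
    "<13>Sep 18 15:50:24 checkpoint.checkpoint.test 18Sep2018 15:50:24 "
    "10.253.192.190 product: MTA; src: 10.65.135.73; s_port: 1795; "
    "dst: 10.10.20.230; service: 25; proto: ; rule: ;arrival_time: 1537278624;"
    "attachments_num: 1;email_content: Attachments;",
    "<13>Jan 25 22:44:03 checkpoint.checkpoint.test 25Jan2018 22:44:03 "
    "authcrypt 10.0.0.1 product: Linux OS; src: ; s_port: 33278; dst: ; "
    "service: ; proto: ; rule: ;Src: 10.0.0.1;default_device_message: "
    "<86>sshd[20132]: Failed password for admin1 from 10.0.0.1 port 33278 ssh2 ;"
    "facility: security/authorization messages;has_accounting: 0;"
    "i/f_dir: inbound;is_first_for_luuid: 131072;logId: -1;log_sequence_num: 3;"
    "log_type: log;log_version: 5;login_status: failed;product_category: OS;"
    "syslog_severity: Informational;user: admin1;",
]

if __name__ == "__main__":
    for line in SAMPLES:
        ev = parse_event(line)
        print(ev.get("product"), failed_login(ev))
```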