Check Point Multi-Domain Management (Provider-1)

You can configure JSA to integrate with a Check Point Multi-Domain Management (Provider-1) device.

All events from Check Point Multi-Domain Management (Provider-1) are parsed by using the Check Point DSM. You can integrate Check Point Multi-Domain Management (Provider-1) using one of the following methods:

Note:

Depending on your operating system, the procedures for using the Check Point Multi-Domain Management (Provider-1) device can vary. The following procedures are based on the Check Point SecurePlatform operating system.

Integrating Syslog for Check Point Multi-Domain Management (Provider-1)

This method ensures that the Check Point Multi-Domain Management (Provider-1) DSM for JSA accepts Check Point Multi-Domain Management (Provider-1) events by using syslog.

JSA records all relevant Check Point Multi-Domain Management (Provider-1) events.

Configure syslog on your Check Point Multi-Domain Management (Provider-1) device:

  1. Type the following command to access the console as an expert user:

    expert

    A password prompt is displayed.

  2. Type your expert console password. Press the Enter key.

  3. Type the following command:

    csh

  4. Select the customer logs that you want:

    mdsenv <customer name>

  5. Input the following command:

    # nohup $FWDIR/bin/fw log -ftn | /usr/bin/logger -p <facility>.<priority> 2>&1 &

    Where:

    • <facility> is a syslog facility, for example, local3.

    • <priority> is a syslog priority, for example, info.

    You are now ready to configure the log source in JSA.

    The configuration is complete. The log source is added to JSA as the Check Point Multi-Domain Management Provider-1 syslog events are automatically discovered. Events that are forwarded to JSA are displayed on the Log Activity tab.
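
As a check on the `<facility>.<priority>` value used in step 5, the following shell functions (an added example, not part of the original procedure) compute the numeric PRI that syslog places at the head of each message and compare it with a received line. The function names and the sample lines are constructed for illustration; the facility and severity codes are the standard syslog ones.

```shell
#!/bin/sh
# Added example: map the <facility>.<priority> passed to `logger -p` to the
# numeric PRI (facility * 8 + severity) that heads every syslog message.

# Print the numeric code of a syslog facility name; fail if it is unknown.
facility_code() {
    case "$1" in
        kern) echo 0 ;; user) echo 1 ;; mail) echo 2 ;; daemon) echo 3 ;;
        auth) echo 4 ;; syslog) echo 5 ;; lpr) echo 6 ;; news) echo 7 ;;
        uucp) echo 8 ;; cron) echo 9 ;; authpriv) echo 10 ;; ftp) echo 11 ;;
        local[0-7]) echo $((16 + ${1#local})) ;;
        *) return 1 ;;
    esac
}

# Print the numeric code of a syslog priority (severity) name.
severity_code() {
    case "$1" in
        emerg) echo 0 ;; alert) echo 1 ;; crit) echo 2 ;; err) echo 3 ;;
        warning) echo 4 ;; notice) echo 5 ;; info) echo 6 ;; debug) echo 7 ;;
        *) return 1 ;;
    esac
}

# syslog_pri <facility>.<priority>: print the PRI, or fail on a bad selector.
syslog_pri() {
    case "$1" in *.*) ;; *) return 1 ;; esac
    fac=$(facility_code "${1%%.*}") || return 1
    sev=$(severity_code "${1#*.}") || return 1
    echo $((fac * 8 + sev))
}

# pri_matches <raw line> <facility>.<priority>: succeed when the line's
# leading <N> header equals the PRI expected for the selector.
pri_matches() {
    want=$(syslog_pri "$2") || return 2
    case "$1" in
        "<"*">"*) got=${1#"<"}; got=${got%%">"*} ;;
        *) return 1 ;;
    esac
    [ "$got" = "$want" ]
}

# Constructed sample lines: <13> is user.notice, logger's default without -p.
for line in '<158>constructed sample event' '<13>constructed sample event'; do
    if pri_matches "$line" local3.info; then echo "ok: $line"
    else echo "mismatch: $line"; fi
done
```

A header other than the expected one on the receiving side usually means the forwarder was started without `-p` or with a different selector than intended.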

Syslog Log Source Parameters for Check Point Multi-Domain Management (Provider-1)

If JSA does not automatically detect the log source, add a Check Point Multi-Domain Management (Provider-1) log source on the JSA Console by using the syslog protocol.

When using the syslog protocol, there are specific parameters that you must use.

The following table describes the parameters that require specific values to collect syslog events from Check Point Multi-Domain Management (Provider-1):

Table 1: Syslog Log Source Parameters for the Check Point Multi-Domain Management (Provider-1) DSM

| Parameter | Value |
| --- | --- |
| Log Source type | Check Point |
| Protocol Configuration | Syslog |
| Log Source Identifier | Type the IP address or host name for your Check Point Multi-Domain Management (Provider-1) appliance. |

Configuring OPSEC for Check Point Multi-Domain Management (Provider-1)

This method ensures that the JSA Check Point FireWall-1 DSM accepts Check Point Multi-Domain Management (Provider-1) events by using OPSEC.

In the Check Point Multi-Domain Management (Provider-1) Management Domain GUI (MDG), create a host object that represents the JSA. The leapipe is the connection between the Check Point Multi-Domain Management (Provider-1) and JSA.

To reconfigure the Check Point Multi-Domain Management (Provider-1) SmartCenter (MDG):

  1. To create a host object, open the Check Point SmartDashboard user interface and select Manage > Network Objects > New > Node > Host.

  2. Type the Name, IP address, and write comments if needed.

  3. Click OK.

  4. Select Close.

  5. To create the OPSEC connection, select Manage > Servers and OPSEC Applications > New > OPSEC Application Properties.

  6. Type a Name, and write comments if needed.

    The Name that you enter must be different than the name used in Step 2.

  7. From the Host drop-down menu, select the JSA host object that you created.

  8. From Application Properties, select User Defined as the Vendor type.

  9. From Client Entries, select LEA.

  10. Select OK and then Close.

  11. To install the Policy on your firewall, select Policy > Install > OK.

OPSEC/LEA Log Source Parameters for Check Point Multi-Domain Management (Provider-1)

If JSA does not automatically detect the log source, add a Check Point Multi-Domain Management (Provider-1) log source on the JSA Console by using the OPSEC/LEA protocol.

When using the OPSEC/LEA protocol, there are specific parameters that you must use.

The following table describes the parameters that require specific values to collect OPSEC/LEA events from Check Point Multi-Domain Management (Provider-1):

Table 2: OPSEC/LEA Log Source Parameters for the Check Point Multi-Domain Management (Provider-1) DSM

| Parameter | Value |
| --- | --- |
| Log Source type | Check Point |
| Protocol Configuration | OPSEC/LEA |
| Log Source Identifier | Type the IP address for the log source. This value must match the value that you typed in the Server IP parameter. |

Check Point Multi-Domain Management (Provider-1) Sample Event Messages

Use these sample event messages to verify a successful integration with JSA.

Note:

Due to formatting issues, paste the message format into a text editor and then remove any carriage return or line feed characters.

Check Point Multi-Domain Management (Provider-1) sample messages when you use the LEEF protocol

Sample 1: The following sample event message shows an informational event that was generated by the clock daemon.

Sample 2: The following sample event message shows an application control event that contains specific details about the application, such as the category, name, description, ID, and properties of the application. This sample also contains rules that determine who can access the application and the category that is matched by the rule base.