Integrate Check Point by using OPSEC

This section describes how to ensure that JSA accepts Check Point events using Open Platform for Security (OPSEC/LEA).

To integrate Check Point OPSEC/LEA with JSA, you must create two Secure Internal Communication (SIC) files and enter the information into JSA as a Check Point log source.

Check Point Configuration Overview

To integrate Check Point with JSA, you must complete the following procedures in sequence:

  1. Add JSA as a host for Check Point.

  2. Add an OPSEC application to Check Point.

  3. Locate the Log Source Secure Internal Communications DN.

  4. In JSA, configure the OPSEC LEA protocol.

  5. Verify the OPSEC/LEA communications configuration.

Adding a Check Point Host

You can add JSA as a host in Check Point SmartCenter:

  1. Log in to the Check Point SmartDashboard user interface.

  2. Select Objects > New Host.

  3. Enter the information for your Check Point host:

    • Name - Specify a name for the host. For example, JSA.

    • IP address - The IP address of JSA.

  4. Click OK.

Creating an OPSEC Application Object

After you add JSA as a host in Check Point SmartCenter, you can create the OPSEC Application Object:

  1. Open the Check Point SmartConsole user interface.

  2. Select Objects > More Object Types > Server > OPSEC Application > New Application.

  3. Configure your OPSEC Application:

    1. Configure the following OPSEC Application Properties parameters.

      Table 1: OPSEC Application Properties

      Parameter          Value
      Name               Specify a name for the OPSEC application. For example, JSA-OPSEC.
      Host               JSA
      Client Entities    LEA

    2. Click Communication.

    3. In the One-time password field, type the password that you want to use.

    4. In the Confirm one-time password field, type the password that you used for One-time password.

    5. Click Initialize.

    6. Click Close.

  4. Select Menu > Install Policy.

  5. Click Publish & Install.

  6. Click Install.

  7. Select Menu > Install Database.

  8. Click Install.

    Note:

    The SIC value is required for the OPSEC Application Object SIC attribute parameter when you configure the Check Point log source in JSA. The value can be found by viewing the OPSEC Application Object after it is created.

    The OPSEC Application Object resembles the following example:

    CN=QRadar-OPSEC,O=cpmodule..tdfaaz

If you have issues after you install the database policy, contact your system administrator to restart Check Point services on the central SmartCenter server that hosts the policy files. After services restart, the updated policies are pushed to all Check Point appliances.

Locating the Log Source SIC

After you create the OPSEC Application Object, you can locate the Log Source SIC from the Check Point SmartDashboard:

  1. Select Objects > Object Explorer.

  2. In the Categories tree, select Gateways and Servers under Network Objects.

  3. Select your Check Point Log Host object.

    Note:

    You must confirm whether the Check Point Log Host is a separate object in your configuration from the Check Point Management Server. In most cases, the Check Point Log Host is the same object as the Check Point Management Server.

  4. Click Edit.

    The Check Point Host General Properties window is displayed.

  5. Copy the Secure Internal Communication (SIC).

    Note:

    Depending on your Check Point version, the Communication button might not display the SIC attribute. In that case, you can locate the SIC attribute from the Check Point Management Server command-line interface: run the cpca_client lscert command on the Management Server to display all certificates.

    Note:

    The Log Source SIC Attribute resembles the following example: cn=cp_mgmt,o=cpmodule...tdfaaz. For more information, see your Check Point Command Line Interface Guide.

    You must now install the Security Policy from the Check Point SmartDashboard user interface.

  6. Select Policy > Install > OK.

  7. Select Policy > Install Database > OK.

You are now ready to configure the OPSEC LEA protocol.

OPSEC/LEA Log Source Parameters for Check Point

If JSA does not automatically detect the log source, add a Check Point log source on the JSA Console by using the OPSEC/LEA protocol.

When using the OPSEC/LEA protocol, there are specific parameters that you must use.

The following table describes the parameters that require specific values to collect OPSEC/LEA events from Check Point:

Table 2: OPSEC/LEA Log Source Parameters for the Check Point DSM

Parameter                 Value
Log Source type           Check Point
Protocol Configuration    OPSEC/LEA
Log Source Identifier     Type the IP address or host name for the log source as an identifier for events from your Check Point devices.

Edit Your OPSEC Communications Configuration

This section describes how to modify your Check Point configuration to allow OPSEC communications on non-standard ports.

It also explains how to configure communications as a clear-text, unauthenticated stream, and how to verify the configuration in JSA.

Change Your Check Point Custom Log Manager (CLM) IP Address

If your Check Point configuration includes a Check Point Custom Log Manager (CLM), you might eventually need to change the IP address for the CLM, which impacts any of the automatically discovered Check Point log sources from that CLM in JSA. When you manually add the log source for the CLM by using the OPSEC/LEA protocol, all Check Point firewalls that forward logs to the CLM are automatically discovered by JSA. These automatically discovered log sources cannot be edited. If the CLM IP address changes, you must edit the original Check Point CLM log source that contains the OPSEC/LEA protocol configuration and update the server IP address and log source identifier.

After you update the log source with the new Check Point CLM IP address, any new events reported from the automatically discovered Check Point log sources are updated.

Note:

Do not delete and re-create your Check Point CLM or automatically discovered log sources in JSA. Deleting a log source does not delete event data, but can make finding previously recorded events more difficult.

Changing the Default Port for OPSEC LEA Communication

Change the default port (18184) on which OPSEC LEA communicates.

  1. At the command-line prompt of your Check Point SmartCenter Server, type the following command to stop the firewall services:

    cpstop

  2. Depending on your Check Point SmartCenter Server operating system, open the following file:

    • Linux - $FWDIR/conf/fwopsec.conf

    • Windows - %FWDIR%\conf\fwopsec.conf

    The default contents of this file are as follows:

  3. Change the default lea_server auth_port from 18184 to another port number.

  4. Remove the hash (#) mark from that line.

  5. Save and close the file.

  6. Type the following command to start the firewall services:

    cpstart

Configuring OPSEC LEA for Unencrypted Communication

You can configure the OPSEC LEA protocol for unencrypted communications:

  1. At the command-line prompt of your Check Point SmartCenter Server, stop the firewall services by typing the following command:

    cpstop

  2. Depending on your Check Point SmartCenter Server operating system, open the following file:

    • Linux - $FWDIR/conf/fwopsec.conf

    • Windows - %FWDIR%\conf\fwopsec.conf

  3. Change the default lea_server auth_port from 18184 to 0.

  4. Change the default lea_server port from 0 to 18184.

  5. Remove the hash (#) marks from both lines.

  6. Save and close the file.

  7. Type the following command to start the firewall services:

    cpstart
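The two procedures above (changing the LEA port, and switching LEA to clear text) both work by editing the lea_server lines in fwopsec.conf. The following added example, which is not Check Point or JSA code, parses that file and reports whether the LEA server listens authenticated (SIC) or in clear text, so an operator can confirm the result of either procedure before restarting services. It assumes that a commented-out line documents the built-in default (auth_port 18184, port 0), and the sample file contents are constructed.

```python
"""Audit the lea_server settings in a Check Point fwopsec.conf."""
from typing import Dict, Tuple

Setting = Tuple[str, str]

# Assumption: a commented-out line documents the built-in default, so the
# defaults the page names (auth_port 18184, port 0) apply until uncommented.
BUILTIN: Dict[Setting, int] = {
    ("lea_server", "auth_port"): 18184,  # authenticated (SIC) LEA listener
    ("lea_server", "port"): 0,           # clear-text LEA listener, 0 = off
}

# Constructed samples (not copied from a real server).
DEFAULT_CONF = "# lea_server auth_port 18184\n# lea_server port 0\n"
CUSTOM_PORT_CONF = "lea_server auth_port 18185\n# lea_server port 0\n"
CLEARTEXT_CONF = "lea_server auth_port 0\nlea_server port 18184\n"


def parse_fwopsec(text: str) -> Dict[Setting, int]:
    """Return the effective settings: built-ins overridden by active lines."""
    effective = dict(BUILTIN)
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        parts = line.split()
        if len(parts) == 3 and parts[2].isdigit():
            effective[(parts[0], parts[1])] = int(parts[2])
    return effective


def lea_mode(cfg: Dict[Setting, int]) -> Tuple[str, int]:
    """Classify how the LEA server listens, as (mode, port)."""
    auth = cfg[("lea_server", "auth_port")]
    clear = cfg[("lea_server", "port")]
    if auth and clear:
        return ("mixed", auth)          # both listeners open: review this
    if auth:
        return ("authenticated", auth)
    if clear:
        return ("clear-text", clear)    # no SIC: log data readable on the wire
    return ("disabled", 0)


if __name__ == "__main__":
    for name, conf in [("default", DEFAULT_CONF),
                       ("custom port", CUSTOM_PORT_CONF),
                       ("clear text", CLEARTEXT_CONF)]:
        print(name, lea_mode(parse_fwopsec(conf)))
```

Point parse_fwopsec at the contents of the real file (for example, after the cpstop step) to check that the mode and port match what the JSA log source expects.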