Integrating Check Point by using TLS Syslog

Before you can add a log source in JSA, you need to generate certificates on the JSA Console and then copy the certificates on your Check Point device.

  1. Using SSH, log in to your JSA Console.

  2. Generate the root CA key by typing the following command:

    openssl genrsa -out RootCA.key 2048

  3. Generate the root CA pem by typing the following command:

    openssl req -x509 -new -nodes -key RootCA.key -days 2048 -out RootCA.pem

    Note:

    When prompted to provide Distinguished Name (DN) information about the certificate, you might want to use CheckpointRootCA as the Common Name value. The Common Name value can't be the same Common Name value that you use for any other certificate. All other fields are optional and can be left blank. However, if you purchase an SSL certificate from a certificate authority, you might need to configure more fields, such as Organization, to accurately reflect your organization's information.

  4. To generate the client key, type the following command:

    openssl genrsa -out log_exporter.key 2048

    Note:

    Do not share the client key with anyone.

  5. To generate the client certificate sign request, type the following command:

    openssl req -new -key log_exporter.key -out log_exporter.csr

    Note:

    When prompted to provide Distinguished Name (DN) information about the certificate, you might want to use the Check Point IP address as the Common Name value. The Common Name value can't be the same Common Name value that you use for any other certificate. All other fields are optional and can be left blank. When you type a value at the "A challenge password" prompt, do not use special characters for the password. If you purchase an SSL certificate from a certificate authority, you might need to configure more fields, such as Organization, to accurately reflect your organization's information.

  6. To sign the certificate by using the CA files, type the following command:

    openssl x509 -req -in log_exporter.csr -CA RootCA.pem -CAkey RootCA.key -CAcreateserial -out log_exporter.crt -days 2048 -sha256

  7. To convert the certificate to p12 format, type the following command:

    openssl pkcs12 -inkey log_exporter.key -in log_exporter.crt -export -out log_exporter.p12

    Note:

    When you type a value for the Export password field, do not use special characters for the password.

  8. Generate the server key by typing the following command:

    openssl genrsa -out syslogServer.key 2048

    Note:

    Do not share the server key with anyone.

  9. Generate the server certificate sign request by typing the following command:

    openssl req -new -key syslogServer.key -out syslogServer.csr

    Note:

    When prompted to provide Distinguished Name (DN) information about the certificate, you might want to use the JSA IP address as the Common Name value. The Common Name value can't be the same Common Name value that you use for any other certificate. All other fields are optional and can be left blank. When you type a value at the "A challenge password" prompt, do not use special characters for the password. If you purchase an SSL certificate from a certificate authority, you might need to configure more fields, such as Organization, to accurately reflect your organization's information.

  10. To sign the certificate by using the CA files, type the following command:

    openssl x509 -req -in syslogServer.csr -CA RootCA.pem -CAkey RootCA.key -CAcreateserial -out syslogServer.crt -days 2048 -sha256

  11. To convert the server certificate and key to a p12 file, type the following command:

    openssl pkcs12 -inkey syslogServer.key -in syslogServer.crt -export -out syslogServer.p12

    Note:

    When you type a value for the Enter Export Password field, do not use special characters for the password.

  12. Using SSH, log in to your Check Point device.

  13. To access expert mode, type the following command:

    expert

  14. Create a certs directory inside your deployment directory:

    mkdir -p $EXPORTERDIR/targets/<deployment_name>/certs

    Where <deployment_name> is the hostname of your JSA Console.

  15. Copy the RootCA.pem and log_exporter.p12 that you created in Steps 3 and 7 to the directory that you created on your Check Point device in Step 13 by typing the following command:

    scp root@jsa_ip:RootCA.pem root@jsa_ip:log_exporter.p12 $EXPORTERDIR/targets/<deployment_name>/certs/

  16. Type the following commands:

    chmod +r RootCA.pem

    chmod +r log_exporter.p12

    cp_log_export add name <deployment_name> target-server <QRadar_host_IP> protocol tcp target-port <port_from_log_source_config> format leef encrypted true ca-cert $EXPORTERDIR/targets/<deployment_name>/certs/RootCA.pem client-cert $EXPORTERDIR/targets/<deployment_name>/certs/log_exporter.p12 client-secret <password_for_p12>
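The certificate-generation steps 2 through 11 above, automated as an added example that is not part of the JSA documentation. It assumes openssl is on the PATH and writes everything to WORKDIR; the Common Names and PKCS12 password it is called with are constructed values, and the scp and cp_log_export steps on the Check Point side are not covered.

```shell
#!/bin/sh
# Added example (not from the JSA documentation): a non-interactive
# version of steps 2-11. It passes the Distinguished Name with -subj
# instead of answering prompts, refuses duplicate Common Names (the page
# requires every CN to differ), and sets the PKCS12 export password with
# -passout so no special-character prompt is involved. The optional
# challenge password attribute of the CSRs is left unset.
set -eu

# All material is written here; override WORKDIR to keep the files.
WORKDIR="${WORKDIR:-$(mktemp -d)}"

# gen_chain ROOT_CN CLIENT_CN SERVER_CN P12_PASSWORD
gen_chain() {
  root_cn=$1; client_cn=$2; server_cn=$3; p12_pass=$4
  if [ "$root_cn" = "$client_cn" ] || [ "$root_cn" = "$server_cn" ] \
     || [ "$client_cn" = "$server_cn" ]; then
    echo "every Common Name must be distinct" >&2
    return 1
  fi
  # Steps 2-3: root CA key and self-signed CA certificate.
  openssl genrsa -out "$WORKDIR/RootCA.key" 2048
  openssl req -x509 -new -nodes -key "$WORKDIR/RootCA.key" -days 2048 \
    -subj "/CN=$root_cn" -out "$WORKDIR/RootCA.pem"
  # Steps 4-7 (client, log_exporter) and 8-11 (server, syslogServer):
  # key, CSR, CA-signed certificate, PKCS12 bundle.
  for pair in "log_exporter:$client_cn" "syslogServer:$server_cn"; do
    name=${pair%%:*}; cn=${pair#*:}
    openssl genrsa -out "$WORKDIR/$name.key" 2048
    openssl req -new -key "$WORKDIR/$name.key" -subj "/CN=$cn" -out "$WORKDIR/$name.csr"
    openssl x509 -req -in "$WORKDIR/$name.csr" -CA "$WORKDIR/RootCA.pem" \
      -CAkey "$WORKDIR/RootCA.key" -CAcreateserial -out "$WORKDIR/$name.crt" \
      -days 2048 -sha256
    openssl pkcs12 -inkey "$WORKDIR/$name.key" -in "$WORKDIR/$name.crt" -export \
      -out "$WORKDIR/$name.p12" -passout "pass:$p12_pass"
  done
}

# cert_cn CERT_FILE: prints the Common Name from the certificate subject.
cert_cn() {
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject=CN=//'
}

# verify_chain P12_PASSWORD: both leaf certificates must validate against
# RootCA.pem and both PKCS12 files must open with the given password.
verify_chain() {
  for name in log_exporter syslogServer; do
    openssl verify -CAfile "$WORKDIR/RootCA.pem" "$WORKDIR/$name.crt" >/dev/null || return 1
    openssl pkcs12 -in "$WORKDIR/$name.p12" -passin "pass:$1" -noout || return 1
  done
}
```

Run `gen_chain CheckpointRootCA <checkpoint_ip> <jsa_ip> <p12_password>` followed by `verify_chain <p12_password>` before copying anything to the Check Point device; a failed verify means the leaf was not signed by the RootCA.pem you are about to distribute.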

Add a log source in JSA by using the TLS Syslog protocol. For more information, see TLS syslog log source parameters for Check Point.

TLS syslog log source parameters for Check Point

If JSA does not automatically detect the log source, add a Check Point log source on the JSA Console by using the TLS syslog protocol.

When using the TLS Syslog protocol, there are specific parameters that you must use.

The following table describes the parameters that require specific values to collect TLS Syslog events from Check Point:

Table 1: TLS Syslog Log Source Parameters for the Check Point DSM

Parameter | Value
--- | ---
Log Source type | Check Point
Protocol Configuration | TLS Syslog
Log Source Identifier | Type the IP address of your Check Point server as an identifier for events from your Check Point devices.
TLS Listen Port | 6514
Authentication Mode | TLS and Client Authentication
Client Certificate Path | <full_path_to_file>/log_exporter.crt
Certificate Type | PKCS12 Certificate Chain and Password
PKCS12 Certificate Path | <full_path_to_the_file>/syslogServer.p12
PKCS12 Password | The password for the PKCS12 Certificate.
Certificate Alias | This field must be empty.
Max Payload Length | 4096
Maximum Connections | 50