Integration with a Nokia Firewall by Using Syslog
This method configures JSA to accept Check Point syslog events that are forwarded from your Nokia Firewall appliance.
To configure JSA to integrate with a Nokia Firewall device, take the following steps:
1. Configure iptables on your JSA console or Event Collector to receive syslog events from Nokia Firewall.
2. Configure your Nokia Firewall to forward syslog event data.
3. Configure the events that are logged by the Nokia Firewall.
4. Optional: configure a log source in JSA.
Configuring IPtables
Nokia Firewalls require a TCP reset (rst) or a TCP acknowledge (ack) from JSA on port 256 before they forward syslog events.
The Nokia Firewall TCP request is an online status request that is designed to ensure that JSA is online and able to receive syslog events. If a valid reset or acknowledge is received from JSA, then Nokia Firewall begins forwarding events to JSA on UDP port 514. By default, JSA does not respond to any online status requests on TCP port 256.
You must configure IPtables on your JSA console or any Event Collector that receives Check Point events from a Nokia Firewall to respond to an online status request.
1. Using SSH, log in to JSA as the root user.
Login: root
Password: <password>
2. Type the following command to edit the IPtables file:
vi /opt/qradar/conf/iptables.pre
The IPtables configuration file is displayed.
3. Type the following command to instruct JSA to respond to your Nokia Firewall with a TCP reset on port 256:
-A INPUT -s <IP address> -p tcp --dport 256 -j REJECT --reject-with tcp-reset
Where <IP address> is the IP address of your Nokia Firewall. You must include a TCP reset rule for each Nokia Firewall IP address that sends events to your JSA console or Event Collector, for example:
-A INPUT -s 10.10.100.10/32 -p tcp --dport 256 -j REJECT --reject-with tcp-reset
-A INPUT -s 10.10.110.11/32 -p tcp --dport 256 -j REJECT --reject-with tcp-reset
-A INPUT -s 10.10.120.12/32 -p tcp --dport 256 -j REJECT --reject-with tcp-reset
4. Save your IPtables configuration.
5. Type the following command to update IPtables in JSA:
/opt/qradar/bin/iptables_update.pl
6. Repeat steps 1 - 5 to configure any additional JSA Event Collectors that receive syslog events from a Nokia Firewall.
You are now ready to configure your Nokia Firewall to forward events to JSA.
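The following is an added example, not JSA or Nokia code. It builds the iptables.pre lines from the procedure above for a list of firewall addresses without duplicating rules that already exist, and it reproduces the appliance's online status check from the collector side: a REJECT with tcp-reset shows up as a refused connection, while a DROP or a missing rule shows up as a timeout, which is the case in which the appliance never starts forwarding. The sample file content and the loopback probe are constructed for the demonstration.

```python
"""Added example (not JSA or Nokia code): build the iptables.pre lines that
answer the Nokia Firewall TCP/256 status probe with a reset, and check that a
collector really answers that probe the way the procedure above requires.
"""
import ipaddress
import socket

PROBE_PORT = 256  # port the Nokia Firewall probes before it forwards syslog


def tcp256_reset_rule(firewall_ip: str) -> str:
    """Return the iptables.pre line for one Nokia Firewall.

    Matches the procedure above: a /32 per firewall, REJECT with tcp-reset so
    the appliance receives an RST rather than silence. Anything that is not a
    valid IPv4 address raises ValueError instead of producing a rule.
    """
    addr = ipaddress.IPv4Address(firewall_ip)
    return (f"-A INPUT -s {addr}/32 -p tcp --dport {PROBE_PORT} "
            "-j REJECT --reject-with tcp-reset")


def merge_rules(existing: str, firewall_ips) -> str:
    """Return iptables.pre contents with one reset rule per firewall.

    Rules already present are not duplicated, so the function can be re-run
    safely when another appliance is added to the list.
    """
    lines = existing.splitlines()
    present = set(lines)
    for ip in firewall_ips:
        rule = tcp256_reset_rule(ip)
        if rule not in present:
            lines.append(rule)
            present.add(rule)
    return "".join(line + "\n" for line in lines)


def probe_result(collector_host: str, port: int = PROBE_PORT,
                 timeout: float = 2.0) -> str:
    """Do what the Nokia status request does: open a TCP connection.

    'reset'   - connection refused (RST), what the REJECT rule produces
    'accept'  - something is listening, which also satisfies the appliance
    'timeout' - no reply at all, what a DROP or a missing rule produces;
                the appliance does not forward events in this case
    """
    try:
        with socket.create_connection((collector_host, port), timeout=timeout):
            return "accept"
    except ConnectionRefusedError:
        return "reset"
    except (socket.timeout, TimeoutError):
        return "timeout"


def free_local_port() -> int:
    """Pick a loopback port nothing listens on (used to demonstrate 'reset')."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    # Constructed iptables.pre content: one firewall already configured.
    current = tcp256_reset_rule("10.10.100.10") + "\n"
    updated = merge_rules(current, ["10.10.100.10", "10.10.110.11", "10.10.120.12"])
    print(updated, end="")
    # Nothing listens on this loopback port, so the kernel answers with RST.
    print(probe_result("127.0.0.1", free_local_port()))
```

Run `probe_result("<collector IP>")` from a host on the firewall's side of the network after `iptables_update.pl`: "reset" means the rule is in place, "timeout" means the probe is being dropped and the appliance will keep waiting.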
Configuring Syslog
To configure your Nokia Firewall to forward syslog events to JSA:
1. Log in to the Nokia Voyager.
2. Click Config.
3. In the System Configuration pane, click System Logging.
4. In the Add new remote IP address to log to field, type the IP address of your JSA console or Event Collector.
5. Click Apply.
6. Click Save.
You are now ready to configure which events are logged by your Nokia Firewall to the logger.
Configuring the Logged Events Custom Script
To configure which events are logged by your Nokia Firewall and forwarded to JSA, you must configure a custom script for your Nokia Firewall.
1. Using SSH, log in to Nokia Firewall as an administrative user.
If you cannot connect to your Nokia Firewall, check that SSH is enabled. You must enable the command line by using the Nokia Voyager web interface or connect directly by using a serial connection. For more information, see your Nokia Voyager documentation.
2. Type the following command to edit your Nokia Firewall rc.local file:
vi /var/etc/rc.local
3. Add the following command to your rc.local file:
$FWDIR/bin/fw log -ftn | /bin/logger -p local1.info &
4. Save the changes to your rc.local file.
You are returned to the terminal prompt.
5. To begin logging immediately, type the following command:
nohup $FWDIR/bin/fw log -ftn | /bin/logger -p local1.info &
You can now configure the log source in JSA.
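The rc.local pipeline above tags every forwarded fw log line with facility local1 and severity info, so on the collector each datagram arrives with priority value <142> (17 * 8 + 6). The following added example, which is not JSA or Nokia code, computes that priority from the `facility.severity` spelling used by `logger -p` and parses the BSD-style (RFC 3164) header that `logger` emits, so the facility and the sending host can be checked against what the log source expects. The sample lines are constructed; the real fw log record format is not reproduced and the message bodies are placeholders.

```python
"""Added example (not JSA or Nokia code): decode the syslog priority that
`logger -p local1.info` puts on each forwarded fw log line, and parse the
BSD-style (RFC 3164) header so the facility can be checked on the collector.
Sample lines are constructed; the real fw log record format is not reproduced.
"""
import re

FACILITIES = {
    "kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4, "syslog": 5,
    "lpr": 6, "news": 7, "uucp": 8, "cron": 9, "authpriv": 10, "ftp": 11,
    "local0": 16, "local1": 17, "local2": 18, "local3": 19,
    "local4": 20, "local5": 21, "local6": 22, "local7": 23,
}
SEVERITIES = {
    "emerg": 0, "alert": 1, "crit": 2, "err": 3,
    "warning": 4, "notice": 5, "info": 6, "debug": 7,
}
FACILITY_NAMES = {v: k for k, v in FACILITIES.items()}
SEVERITY_NAMES = {v: k for k, v in SEVERITIES.items()}

# <PRI>Mmm dd hh:mm:ss host tag[pid]: message  (the RFC 3164 layout logger emits)
HEADER_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?P<tag>[^\[: ]+)(?:\[(?P<pid>\d+)\])?: ?"
    r"(?P<msg>.*)$"
)


def priority_value(spec: str) -> int:
    """PRI for a 'facility.severity' string: facility * 8 + severity."""
    facility, severity = spec.lower().split(".", 1)
    return FACILITIES[facility] * 8 + SEVERITIES[severity]


def parse_bsd_syslog(line: str) -> dict:
    """Split one BSD syslog line into its fields; ValueError if malformed."""
    m = HEADER_RE.match(line)
    if not m:
        raise ValueError(f"not a BSD syslog line: {line!r}")
    pri = int(m.group("pri"))
    if pri > 191:  # 23 * 8 + 7 is the largest valid PRI
        raise ValueError(f"PRI out of range: {pri}")
    return {
        "facility": FACILITY_NAMES.get(pri // 8, str(pri // 8)),
        "severity": SEVERITY_NAMES[pri % 8],
        "timestamp": m.group("ts"),
        "hostname": m.group("host"),
        "tag": m.group("tag"),
        "pid": int(m.group("pid")) if m.group("pid") else None,
        "message": m.group("msg"),
    }


def nokia_fw_lines(lines, facility="local1", severity="info"):
    """Keep only lines carrying the facility/severity the rc.local pipeline
    sets; malformed lines are skipped rather than aborting the run."""
    kept = []
    for line in lines:
        try:
            rec = parse_bsd_syslog(line)
        except ValueError:
            continue
        if rec["facility"] == facility and rec["severity"] == severity:
            kept.append(rec)
    return kept


# Constructed sample traffic as it would arrive on UDP/514; bodies are placeholders.
SAMPLE_LINES = [
    "<142>Jun 12 10:15:01 nokiafw1 root: constructed fw log record 1",
    "<142>Jun 12 10:15:02 nokiafw1 root: constructed fw log record 2",
    "<30>Jun 12 10:15:02 nokiafw1 sshd[4242]: constructed daemon.info line",
    "garbage that is not syslog",
]

if __name__ == "__main__":
    print(priority_value("local1.info"))  # 142
    for rec in nokia_fw_lines(SAMPLE_LINES):
        print(rec["hostname"], rec["facility"], rec["severity"], rec["message"])
```

The hostname field is what the Log Source Identifier below is matched against; if the appliance's own daemon logging also points at the collector, filtering on local1 separates the Check Point records from the appliance's other syslog traffic.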
Syslog Log Source Parameters for Nokia Firewall
If JSA does not automatically detect the log source, add a Nokia Firewall log source on the JSA Console by using the Syslog protocol.
When using the syslog protocol, there are specific parameters that you must use.
The following table describes the parameters that require specific values to collect Syslog events from Nokia Firewall:
Parameter | Value
---|---
Log Source type | Check Point
Protocol Configuration | Syslog
Log Source Identifier | Use the IP address or host name for the log source as an identifier for events from your Nokia Firewall devices.