Configuring Check Point Firewalls

     Firewall Analyzer supports LEA support for R54 and above and log import from most versions. Log Exporter support for Check Point firewall versions R77.30, R80.10 and R80.20

    Note:

    64 Bit: Configure Log Exporter in Check Point device to forward the syslogs to Firewall Analyzer. Click here to configure.
    32 Bit: Configure LEA or Log Exporter in Check Point device to forward the syslogs to Firewall Analyzer. Click here to configure.

    The ways in obtain syslogs from Check Point firewall:

     The difference between the three ways are:

    If you configure LEA connection, the logs will be collected automatically and processed by the Firewall Analyzer. Whereas, if you want import the logs, manual intervention is required. You need to export the syslogs in Check Point Management Station or from Check Point Smart Tracker UI and then manually import the syslog file in Firewall Analyzer.

    Configuring LEA Connection

    The following instructions will help you set up an authenticated or unauthenticated connection between Firewall Analyzer and the Check Point Management Server. For additional information please refer the Check Point documentation or contact Check Point technical support.

    Determining the Check Point Version Number

    To determine the version number of the Check Point that you are running, use the following command:

    $FWDIR/bin/fw ver

     where $FWDIR is the directory where Check Point is installed.

    Pre-Requisites

    You need to do the following in Smart Dashboard of Check Point Firewall.

    Changes in Smart Dashboard :

    1. Open the "Smart Dashboard" where all the rules will be displayed. Set the "Track" value as "Account" instead of "log" for all the rules that are allowing the traffic through the Firewall. This can be done by right clicking on "Track" value for each rule and select "Account". When this is set to "Account" the Check Point firewall will log the information regarding bytes.
    2. After setting the "Track" value as "Account"for all the rules, please install all the policies.

     For managing the LEA servers the configurations that needs to be done for the different check point firewalls are explained below:

    Setting up an Unauthenticated LEA Connection

    Follow the steps below to configure an unauthenticated connection from the Check Point Firewall:

    Carryout the configuration in the Check Point Firewall Management Station.

    1. In the  $FWDIR/conf directory on the computer where the Check Point Management Server is installed, edit the fwopsec.conf file to include the following line:

      lea_server port 18184

      lea_server auth_port 0
    2. Restart the firewall service

      [4.1] fwstop ; fwstart

      [NG] cpstop ; cpstart
    3. Add a rule to the policy to allow the port defined above port 18184 (assuming default LEA connection port) from the Firewall Analyzer machine to the Check Point Management Server and vice versa.
    4. Install the policy

    Adding to LEA Server Lists on Firewall Analyzer

    Once this unauthenticated LEA connection has been set up, follow the instructions for Adding an LEA Server to the Firewall Analyzer.

    If you are unable to view the Check Point Firewall reports refer the Trouble Shooting Tip.

    Setting up an Authenticated LEA Connection

    Follow the steps below to configure an authenticated connection from the Check Point Firewall:

    Carryout the configuration in the Check Point Firewall Management Station.

    1. In the $FWDIR/conf directory on the computer where the Check Point Management Server is installed, edit the fwopsec.conf file to include the following line:

    lea_server port 0

    lea_server auth_port 18184

    1. Restart the firewall service

      [4.1] fwstop ; fwstart

      [NG] cpstop ; cpstart
       
    2. Add a rule to the policy to allow the port defined above port 18184 (assuming default LEA connection port) from the Firewall Analyzer machine to the Check Point Management Server and vice versa.
    3. Install the policy

    The following steps will help you configure an sslca authenticated connection to the Check Point firewall, carryout the configuration in the Check Point firewall Management Station:

    1. Create a new OPSEC Application Object with the following details:
      1. Name (e.g., myleaclient)
      2. Vendor: user defined
      3. Server Entities: none
      4. Client Entities: LEA
    2. Initialize Secure Internal Communication (SIC) for this OPSEC Application Object and enter the activation key (e.g. def456). Note down this activation key, as you will need it later.
    3. Write down the DN of this OPSEC Application Object. This is the Client Distinguished Name, which you need later on.
    4. Open the object of the Check Point Management Server and write down the DN of that object. This is the Server Distinguished Name.
    5. Add a rule to the policy to allow the port defined above, as well as port 18210/tcp (FW1_ica_pull) in order to allow pulling of PKCS#12 certificate from the Firewall Analyzer to the Check Point Management Server. The port 18210/tcp can be shut down after the communication between Firewall Analyzer and the Check Point Management Server has been established successfully.
    6. Install the policy.

    Configuring the attributes of Check Point Firewall Server in Firewall Analyzer

    OPSEC Application
    Object Name Ex. myleaclient
    Activation Key Ex. def456
    SIC Name Ex. CN=myleaclient,O=cherry-win1..9mob46
    LEA Server
    Authentication Type Ex. sslca
    SIC Name Ex. cn=cp_mgmt,o=cherry-win1..9mob46 

     The attributes to be configured are described in the table below:

    Attributes Description
    OPSEC Application - Object Name This is the applications NAME that is defined when creating the application object in the Policy Editor under the OPSEC Applications Properties Name field.
    OPSEC Application - Activation Key This is the one time password (Activation Key) that was defined when clicking 'Communications' in the OPSEC Applications Properties window.
    OPSEC Application - SIC Name The SIC name of the OPSEC Application LEA client (the LEA Server on Firewall Analyzer), in the case of authenticated connections.
    LEA Server - Authentication Type The authentication mechanism to be used. The default value is sslca. Supported values in this field are: sslca, sslca_clear, sslca_comp, sslca_rc4, sslca_rc4_comp, asym_sslca, asym_sslca_comp, asym_sslca_rc4, asym_sslca_rc4_comp, ssl, ssl_opsec, ssl_clear, ssl_clear_opsec, fwn1 and auth_opsec
    LEA Server - SIC Name The SIC name of the Check Point Management Server.

     

    Log Exporter - Check Point Log Export

    Firewall Analyzer supports Log Exporter for R77.30, R80.10, R80.20 and later versions.

    Installation

    R80.20

    Log Exporter is already integrated in version R80.20. There is no need to install dedicated package.

    Note:​
    1. In order to preserve the Log Exporter configuration before upgrading to R80.20, please follow sk127653 - How to backup and restore Log Exporter configuration on upgrade to R80.20
    2. In order to support exporting logs in CEF format, please install R80.20 Jumbo Hotfix Take 5 and above.

     

    R80.10

    Install this release on a R80.10 Multi-Domain Server, Multi-Domain Log Server, Security Management Server, Log Server or SmartEvent Server.

    Note:​
    1. Log Exporter can be installed on top of R80.10 Jumbo Hotfix Take 56 and above.
    2. This hotfix must be installed after the Jumbo, and will need to be uninstalled to upgrade to a higher Jumbo take, and then reinstalled after the newer Jumbo is in place.
    3. Take care to install the latest Log Exporter take available for download below, in order to avoid a conflict with the Jumbo HF.

     

    R77.30

    Install this release on a R77.30 Multi-Domain Server, Multi-Domain Log Server, Security Management Server, Log Server or SmartEvent Server.

    Note:​

    Log Exporter can be installed on top of R77.30 Jumbo Hotfix Take 292 and above.

    **This hotfix must be installed after the Jumbo, and will need to be uninstalled to upgrade to a higher Jumbo take, and then reinstalled after the newer Jumbo is in place.

    Version
    		 Date CPUSE Online Identifier CPUSE offline package
    R80.10 20 January 2019 Check_Point_R80.10_Log_Exporter_T43_sk122323_FULL.tgz (TGZ)
    R77.30 06 November 2018 Check_Point_R77.30_Log_Exporter_T30_sk122323_FULL.tgz (TGZ)

    Install the hotfix using CPUSE, see sk92449.

    Configure Log Exporter to forward Syslogs using CLI

    After applying the hot fix, the firewall will restart automatically, you have to restart the Check Point firewall, once again.

    1. Telnet/SSH the Check Point firewall and enter the below command.

    cp_log_export add name <name> target-server <Firewall Analyzer IP address> target-port 1514 protocol udp format cef

    1. The new log exporter does not start automatically. To start it run:
    cp_log_export restart name <name>

     

    Importing Check Point Log Files

    Before proceeding with the importing of Check Point logs, you need to do the following changes in the Smart View Tracker of the Check Point Firewall to obtain the complete log information:

    Changes in Smart View Tracker :

    1. Open the Smart View Tracker and click on View > Query Properties.
    2. Please select the following attributes if they where not selected previously:
    • Elapsed
    • Bytes
    • Client InBound Bytes
    • Client OutBound Bytes
    • Server InBound Bytes
    • Server OutBound Bytes
    • Status
    • URL

    How to create and export plain text Check Point log file, which can be imported in Firewall Analyzer?

    For Non-LEA connections, there are two ways to create and export plain text Check Point log file, which can be imported in Firewall Analyzer.
    For LEA connections you can skip the below mentioned methods and follow the LEA configuration instructions.

    Method 1:

    In the command prompt of Check Point Firewall Management Station execute the following command

    fw logexport -d ; -i fw.log -o exportresult.log -n

    Note:​

    For Check Point NG use the below command: 

    fwm logexport -d ; -i fw.log -o exportresult.log -n

    where, -d refers to delimiter, -i refers to input log file, -o refers to output ASCII file, and -n implies don't perform DNS resolution of the IP addresses in the Log File (this option significantly improves processing speed).

    For detailed information please refer the Check Point documentation or contact Check Point technical support.

    The above command creates an ascii file named exportresult.log. Copy or transfer this file to Firewall Analyzer machine. Now you can Import this log file in to Firewall Analyzer.

    Method 2 :

    1. In the Check Point Smart Tracker UI (UI where you are seeing all logs in Check Point Management Station), select All Records option in the left tree.
    2. Click File > Export.
    3. Give a proper file name, e.g., exportresult.log. Copy or transfer this file to Firewall Analyzer machine. Now you can Import this log file in to Firewall Analyzer.

     

    Virtual Firewall (Virtual Domain) logs

    There is no separate configuration required in Firewall Analyzer for receving logs from Virtual Firewalls of the Check Point physical device.

    If orig_name attribute is present in the syslog data, then Firewall Analyzer considers that the log source is virtual firewall (vdom). Otherwise the application considers that the log source is physical device. The recognition of logs from the virtual firewall is automatic and no manual configuration is required.

     

    Trouble Shooting Tip

     If you are unable to view the Check Point Firewall reports carry out the following procedure:

    • Click the Edit/Delete icon of the firewall for which you are unable to view reports. Click Save.
    • Click the Enable Debugging Mode checkbox to enable the Check Point firewall in debugging mode.
    • Once saved, create a support information file through Support tab, and send to fwanalyzer-support@manageengine.com

    Should I do any changes in each Check Point cluster to forward syslogs?

    No. Configuring Checkpoint smart dashboard is enough. Firewall Analyzer will automatically detect clusters based on syslog field (orig_name) value.

    All the traffic reports are showing bytes value as zero?

    1. Open the "Smart Dashboard" where all the rules will be displayed. Set the "Track" value as "Account" instead of "log" for all the rules that are allowing the traffic through the firewall. This can be done by right clicking on "Track" value for each rule and select "Account". When this is set to "Account", the Check Point firewall will log the information regarding bytes.
    2. After setting the "Track" value as "Account" for all the rules, install all the policies.

    Reconfigured the Check Point certificate details, it was successful but not pulling syslogs from the firewall. Why?

    You should edit any of the OPSEC object values (may set the same password again) in the Check Point Management server. Then 'Save' to establish the Trust of that OPSEC object. Install Policies again in the Management sever. Now you can do the edit in Firewall Analyzer web client.

    User name and URL fields show "***Confidential***" in reports. why?

    1. Open Smart Dashboard. Edit Firewall Analyzer  OPSEC object. Click on LEA Permissions.
    2. In the Permission to read logs, choose Show all log fields. By default, this is set to Hide all confidential log fields.
    3. Install policy.
    4. Reset Firewall Analyzer  OPSEC object.
    5. Go to CheckPiont server settings page in Firewall Analyzer, edit the checkpoint server and provide all inputs and save.
    6. If the issue persist, reboot Check Point management server.