Firewall Analyzer supports LEA connections for Check Point R54 and above, log import from most versions, and Log Exporter for Check Point firewall versions R77.30, R80.10, R80.20 and later.
Note (64 Bit): Configure Log Exporter on the Check Point device to forward syslog to Firewall Analyzer; the configuration steps are in the Log Exporter section below.
There are three ways to obtain logs from a Check Point firewall: an LEA connection, Log Exporter, or importing an exported log file.
The difference between them is this: with an LEA connection or Log Exporter the logs are collected automatically and processed by Firewall Analyzer, whereas importing logs requires manual intervention. You need to export the logs on the Check Point Management Station or from the Check Point SmartView Tracker UI and then manually import the log file into Firewall Analyzer.
The following instructions will help you set up an authenticated or unauthenticated connection between Firewall Analyzer and the Check Point Management Server. For additional information please refer to the Check Point documentation or contact Check Point technical support.
To determine the version of Check Point you are running, use the following command:
$FWDIR/bin/fw ver
where $FWDIR is the directory in which Check Point is installed.
You need to do the following in the SmartDashboard of the Check Point firewall.
Changes in SmartDashboard:
The configuration needed on the different Check Point firewalls to manage LEA servers is explained below:
Follow the steps below to configure an unauthenticated connection from the Check Point firewall. Carry out the configuration on the Check Point Firewall Management Station:
1. Edit the $FWDIR/conf/fwopsec.conf file to include the following lines:
lea_server port 18184
lea_server auth_port 0
2. Restart the Check Point services:
fwstop ; fwstart
(on Check Point NG and later releases use cpstop ; cpstart)
3. Ensure that port 18184 (assuming the default LEA connection port) is reachable from the Firewall Analyzer machine to the Check Point Management Server and vice versa.
Because auth_port is 0, this listener accepts any LEA client that can reach TCP 18184 and sends the log stream unencrypted; restrict that port on the Management Server to the Firewall Analyzer host, and prefer the authenticated connection described below wherever possible.
Adding to LEA Server Lists on Firewall Analyzer
Once this unauthenticated LEA connection has been set up, follow the instructions for Adding an LEA Server to Firewall Analyzer.
If you are unable to view the Check Point firewall reports, refer to the Troubleshooting Tip.
Follow the steps below to configure an authenticated connection from the Check Point firewall. Carry out the configuration on the Check Point Firewall Management Station:
1. Edit the $FWDIR/conf/fwopsec.conf file to include the following lines:
lea_server port 0
lea_server auth_port 18184
2. Restart the Check Point services:
fwstop ; fwstart
(on Check Point NG and later releases use cpstop ; cpstart)
3. Ensure that port 18184 (assuming the default LEA connection port) is reachable from the Firewall Analyzer machine to the Check Point Management Server and vice versa.
The following steps will help you configure an sslca authenticated connection to the Check Point firewall. Carry out the configuration on the Check Point Firewall Management Station:
Configuring the attributes of the Check Point Firewall Server in Firewall Analyzer
Section | Attribute | Example value
---|---|---
OPSEC Application | Object Name | myleaclient
OPSEC Application | Activation Key | def456
OPSEC Application | SIC Name | CN=myleaclient,O=cherry-win1..9mob46
LEA Server | Authentication Type | sslca
LEA Server | SIC Name | cn=cp_mgmt,o=cherry-win1..9mob46
The attributes to be configured are described in the table below:
Attributes | Description
---|---
OPSEC Application - Object Name | The application's Name as defined when creating the application object in the Policy Editor, under the Name field of the OPSEC Application Properties.
OPSEC Application - Activation Key | The one-time password (Activation Key) defined by clicking 'Communications' in the OPSEC Application Properties window.
OPSEC Application - SIC Name | The SIC name of the OPSEC Application LEA client (the LEA Server on Firewall Analyzer), in the case of authenticated connections.
LEA Server - Authentication Type | The authentication mechanism to be used. The default value is sslca. Supported values: sslca, sslca_clear, sslca_comp, sslca_rc4, sslca_rc4_comp, asym_sslca, asym_sslca_comp, asym_sslca_rc4, asym_sslca_rc4_comp, ssl, ssl_opsec, ssl_clear, ssl_clear_opsec, fwn1 and auth_opsec. The _clear variants authenticate the connection but leave the log stream unencrypted, and the _rc4 variants use the obsolete RC4 cipher; keep the default sslca unless the Check Point side requires otherwise.
LEA Server - SIC Name | The SIC name of the Check Point Management Server.
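The two fwopsec.conf variants above differ only in which of the two lea_server listeners is non-zero, and getting that wrong silently changes the security of the log feed. The following Python checker is an added example, not code from Firewall Analyzer or Check Point: it parses the lea_server lines, reports which LEA mode a file enables, flags the unauthenticated and both-listeners cases, and offers the TCP reachability test from step 3 of the procedures. The sample configuration texts are constructed; the management server address in the usage block is hypothetical, and treating a missing lea_server line as "not set" is this checker's assumption, not Check Point's built-in default.

```python
"""Classify the LEA listener configuration in $FWDIR/conf/fwopsec.conf and
test reachability of the LEA port (added example, not product code)."""
import socket

# Constructed samples of the two fwopsec.conf variants documented on this page.
UNAUTH_CONF = """# constructed sample, not a real management station's file
lea_server port 18184
lea_server auth_port 0
"""
AUTH_CONF = """lea_server port 0
lea_server auth_port 18184
"""
# Constructed misconfiguration: both listeners enabled at once.
BOTH_CONF = """lea_server port 18184
lea_server auth_port 18185
"""


def parse_lea_ports(conf_text):
    """Return {'port': int|None, 'auth_port': int|None} from the lea_server lines.

    A key that never appears is reported as None: only the explicit lines from
    the page are interpreted, so no Check Point default is assumed (assumption
    of this checker, not of Check Point).
    """
    ports = {"port": None, "auth_port": None}
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments
        parts = line.split()
        if len(parts) == 3 and parts[0] == "lea_server" and parts[1] in ports:
            if not parts[2].isdigit():
                raise ValueError(f"non-numeric port in line: {raw!r}")
            ports[parts[1]] = int(parts[2])
    return ports


def lea_mode(ports):
    """Classify the listener configuration.

    'authenticated'   : port 0, auth_port non-zero (SIC/sslca protected)
    'unauthenticated' : port non-zero, auth_port 0 (no auth, no encryption)
    'both'            : both listeners open; the clear listener undermines the
                        authenticated one, so treat it as a misconfiguration
    'none'            : neither listener explicitly enabled
    """
    clear = bool(ports["port"])
    auth = bool(ports["auth_port"])
    if clear and auth:
        return "both"
    if auth:
        return "authenticated"
    if clear:
        return "unauthenticated"
    return "none"


def lea_port_reachable(host, port=18184, timeout=3.0):
    """TCP connect test from the Firewall Analyzer side (step 3 of the procedure).

    True means the handshake completed, i.e. no firewall rule blocks the port;
    it does not prove that the LEA service answered.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_conf(conf_text):
    """Return (mode, port_to_test, warnings) for a fwopsec.conf text."""
    ports = parse_lea_ports(conf_text)
    mode = lea_mode(ports)
    warnings = []
    if mode == "unauthenticated":
        warnings.append("LEA clients are not authenticated and the log stream is not "
                        "encrypted; restrict TCP %d to the Firewall Analyzer host"
                        % ports["port"])
    elif mode == "both":
        warnings.append("both the clear and the authenticated LEA listeners are "
                        "enabled; set 'lea_server port 0'")
    elif mode == "none":
        warnings.append("no lea_server port lines found")
    port = ports["auth_port"] if mode == "authenticated" else ports["port"]
    return mode, port, warnings


if __name__ == "__main__":
    for label, conf in (("unauthenticated", UNAUTH_CONF),
                        ("authenticated", AUTH_CONF),
                        ("both", BOTH_CONF)):
        mode, port, warnings = check_conf(conf)
        print(f"{label:16s} -> mode={mode} port={port} warnings={warnings}")
    # Reachability test against a hypothetical management server address.
    print("18184 reachable:", lea_port_reachable("192.0.2.10", 18184, timeout=1.0))
```

Run it on the management station's real file with `check_conf(open("/opt/CPsuite-R80/fw1/conf/fwopsec.conf").read())` (path depends on the release; use `$FWDIR/conf/fwopsec.conf`), and from the Firewall Analyzer host call `lea_port_reachable` against the Management Server to cover step 3 in both directions.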
Firewall Analyzer supports Log Exporter for R77.30, R80.10, R80.20 and later versions.
Log Exporter is already integrated in R80.20; there is no need to install a dedicated package.
Note: For R80.10, install this release on an R80.10 Multi-Domain Server, Multi-Domain Log Server, Security Management Server, Log Server or SmartEvent Server.
Note: For R77.30, install this release on an R77.30 Multi-Domain Server, Multi-Domain Log Server, Security Management Server, Log Server or SmartEvent Server.
Note: Log Exporter can be installed on top of R77.30 Jumbo Hotfix Take 292 and above. This hotfix must be installed after the Jumbo, must be uninstalled before upgrading to a higher Jumbo take, and then reinstalled after the newer Jumbo is in place.
Version | Date | CPUSE Online Identifier | CPUSE offline package
---|---|---|---
R80.10 | 20 January 2019 | Check_Point_R80.10_Log_Exporter_T43_sk122323_FULL.tgz | (TGZ)
R77.30 | 06 November 2018 | Check_Point_R77.30_Log_Exporter_T30_sk122323_FULL.tgz | (TGZ)
Install the hotfix using CPUSE (see sk92449).
After the hotfix is applied the device restarts automatically; once it is back up, restart the Check Point firewall once more.
Then create a Log Exporter target that sends CEF-formatted logs to Firewall Analyzer and start it:
cp_log_export add name <name> target-server <Firewall Analyzer IP address> target-port 1514 protocol udp format cef
cp_log_export restart name <name>
Use cp_log_export show to confirm that the target exists. UDP delivers the log stream without acknowledgement, encryption or sender authentication; if the Firewall Analyzer listener is set up for it, protocol tcp (and Log Exporter's TLS-encrypted transport, see sk122323) avoids silent loss and eavesdropping on the path between the two systems.
Before importing Check Point logs, make the following changes in the SmartView Tracker of the Check Point firewall so that the complete log information is exported:
Changes in SmartView Tracker:
For non-LEA connections, there are two ways to create and export a plain-text Check Point log file that can be imported into Firewall Analyzer.
For LEA connections you can skip the methods below and follow the LEA configuration instructions.
Method 1:
In the command prompt of the Check Point Firewall Management Station, execute the following command:
fw logexport -d ; -i fw.log -o exportresult.log -n
On a Gaia or other Linux-based management station, run this from expert mode and quote the delimiter (fw logexport -d ';' -i fw.log -o exportresult.log -n), because an unquoted ; is a command separator in the shell and the export would run without a delimiter.
Note: For Check Point NG, use the command below.
Here -d is the delimiter, -i the input log file, -o the output ASCII file, and -n means do not perform DNS resolution of the IP addresses in the log file (this option significantly improves processing speed and keeps the addresses as literal IPs).
For detailed information please refer to the Check Point documentation or contact Check Point technical support.
The above command creates an ASCII file named exportresult.log. Copy or transfer this file to the Firewall Analyzer machine, then import the log file into Firewall Analyzer.
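To sanity-check an exportresult.log before importing it, the following Python script is an added example (not code from the Firewall Analyzer product): it reads a file produced by the fw logexport command above, verifies that every row has the header's column count for the chosen delimiter, and detects whether -n was actually used by checking that the src, dst and orig columns hold literal IP addresses rather than resolved names. The sample export text, its column layout and the assumption that those three columns are present are constructed for the example.

```python
"""Validate a 'fw logexport -d ';' ... -n' output file before import
(added example, not product code)."""
import csv
import io
import ipaddress
from collections import Counter

# Constructed sample: a header row followed by two records, using ';' as the
# delimiter passed to fw logexport -d. Column names are illustrative.
SAMPLE_EXPORT = """num;date;time;orig;type;action;i/f_name;i/f_dir;product;src;s_port;dst;service;proto;rule
1;20Jan2019;10:15:32;10.0.0.1;log;accept;eth0;inbound;VPN-1 & FireWall-1;192.168.10.5;51234;93.184.216.34;https;tcp;12
2;20Jan2019;10:15:33;10.0.0.1;log;drop;eth0;inbound;VPN-1 & FireWall-1;192.168.10.6;44120;93.184.216.34;ssh;tcp;0
"""
# Same layout, but exported without -n: one source address came back as a name.
RESOLVED_EXPORT = SAMPLE_EXPORT.replace("192.168.10.6", "host6.example.internal")


def parse_export(text, delimiter=";"):
    """Return (records, problems).

    records  : one dict per row, keyed by the header names
    problems : rows whose column count differs from the header; these are
               reported instead of being silently truncated or padded
    """
    reader = csv.reader(io.StringIO(text), delimiter=delimiter)
    rows = [row for row in reader if row]
    if not rows:
        raise ValueError("empty export")
    header, records, problems = rows[0], [], []
    for lineno, row in enumerate(rows[1:], start=2):
        if len(row) != len(header):
            problems.append(f"line {lineno}: {len(row)} columns, header has {len(header)}")
            continue
        records.append(dict(zip(header, row)))
    return records, problems


def unresolved_addresses(records, fields=("src", "dst", "orig")):
    """Return (num, field, value) for every address field that is not a literal
    IP, i.e. evidence that -n was omitted and DNS names were written instead."""
    bad = []
    for rec in records:
        for field in fields:
            value = rec.get(field, "")
            if not value:
                continue
            try:
                ipaddress.ip_address(value)
            except ValueError:
                bad.append((rec["num"], field, value))
    return bad


def action_counts(records):
    """Count records per action, a quick plausibility check against the
    Check Point side before the file is imported."""
    return Counter(rec["action"] for rec in records)


if __name__ == "__main__":
    for label, text in (("with -n", SAMPLE_EXPORT), ("without -n", RESOLVED_EXPORT)):
        records, problems = parse_export(text)
        print(label, "records:", len(records), "problems:", problems,
              "actions:", dict(action_counts(records)),
              "non-IP addresses:", unresolved_addresses(records))
```

For a real file, call `parse_export(open("exportresult.log", encoding="utf-8", errors="replace").read())`; a non-empty `unresolved_addresses` result means the export should be regenerated with -n before it is handed to Firewall Analyzer.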
Method 2 :
No separate configuration is required in Firewall Analyzer for receiving logs from the virtual firewalls of a Check Point physical device.
If the orig_name attribute is present in the syslog data, Firewall Analyzer treats the log source as a virtual firewall (vdom); otherwise it treats the source as the physical device. Recognition of logs from a virtual firewall is automatic and needs no manual configuration.
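The Log Exporter command in the previous section sends CEF records over UDP/1514, and the orig_name rule just described is what a receiver applies to each of them. The following Python parser is an added example, not Firewall Analyzer's own code: it parses the CEF header (honouring the \| and \\ escapes) and the extension (honouring \=), then attributes each record to a virtual firewall or to the physical device by the presence of orig_name. The sample records are constructed; using the origin key for the reporting gateway's IP address is an assumption about Check Point's CEF field mapping.

```python
"""Parse Check Point Log Exporter CEF records and attribute each one to a
virtual or physical log source (added example, not product code)."""
import re

# Constructed sample records as a UDP/1514 syslog listener might receive them.
# 'orig_name' is the key documented on this page; 'origin' for the reporting
# gateway address is an assumption about Check Point's CEF field mapping.
SAMPLE_LINES = [
    # Virtual system: orig_name present. The Name field carries an escaped pipe
    # and the msg value an escaped equals sign, to exercise CEF unescaping.
    r"<134>CEF:0|Check Point|VPN-1 & FireWall-1|Check Point|Log|Accept\|Log|Unknown|"
    r"act=Accept origin=10.0.0.1 orig_name=vs_dmz src=192.168.10.5 spt=51234 "
    r"dst=93.184.216.34 dpt=443 proto=6 msg=rule\=12 matched",
    # Physical gateway: no orig_name.
    r"CEF:0|Check Point|VPN-1 & FireWall-1|Check Point|Log|Drop|High|"
    r"act=Drop origin=10.0.0.2 src=203.0.113.9 spt=40001 dst=10.0.0.2 dpt=22 proto=6",
]

HEADER_NAMES = ["version", "vendor", "product", "device_version",
                "signature_id", "name", "severity"]
# A key starts at the beginning of the extension or after whitespace; an
# escaped '\=' inside a value never matches because '\' is not a key character.
_KEY_RE = re.compile(r"(?:^|\s)([A-Za-z0-9_.\-]+)=")
_CTRL = {"n": "\n", "r": "\r"}


def _unescape(text):
    """Undo CEF extension escaping: \\= \\\\ \\n \\r (any other \\x -> x)."""
    return re.sub(r"\\(.)", lambda m: _CTRL.get(m.group(1), m.group(1)), text)


def _split_header(record):
    """Split the seven pipe-delimited header fields, honouring \\| and \\\\.
    Returns (fields, extension_text)."""
    fields, cur, i = [], [], 0
    while i < len(record) and len(fields) < 7:
        ch = record[i]
        if ch == "\\" and i + 1 < len(record):   # escaped char: keep it literally
            cur.append(record[i + 1])
            i += 2
        elif ch == "|":
            fields.append("".join(cur))
            cur = []
            i += 1
        else:
            cur.append(ch)
            i += 1
    if len(fields) != 7:
        raise ValueError("malformed CEF header")
    return fields, record[i:]


def parse_cef(line):
    """Return a dict with the header fields plus an 'extension' dict.
    Any syslog priority/timestamp before 'CEF:' is skipped."""
    start = line.find("CEF:")
    if start < 0:
        raise ValueError("not a CEF record")
    fields, extension = _split_header(line[start:])
    record = dict(zip(HEADER_NAMES, fields))
    record["version"] = record["version"][len("CEF:"):]
    ext = {}
    matches = list(_KEY_RE.finditer(extension))
    for idx, m in enumerate(matches):
        end = matches[idx + 1].start() if idx + 1 < len(matches) else len(extension)
        ext[m.group(1)] = _unescape(extension[m.end():end].strip())
    record["extension"] = ext
    return record


def log_source(record):
    """Attribution rule described on this page: a record carrying orig_name
    comes from a virtual firewall (or cluster member) of that name; otherwise
    it belongs to the physical device. Returns (kind, device_ip, orig_name)."""
    ext = record["extension"]
    device = ext.get("origin", "unknown")       # assumed key, see lead-in
    if ext.get("orig_name"):
        return ("virtual", device, ext["orig_name"])
    return ("physical", device, None)


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        rec = parse_cef(line)
        kind, device, vs = log_source(rec)
        print(f"{kind:8s} device={device} orig_name={vs} "
              f"act={rec['extension'].get('act')} name={rec['name']!r}")
```

The header is split with a character loop rather than `str.split("|")` because an escaped pipe inside a header field would otherwise shift every later column, and a shifted severity or name is exactly the kind of parsing error that makes a report silently wrong.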
If you are unable to view the Check Point firewall reports, carry out the following procedure:
No. Configuring the Check Point SmartDashboard is enough. Firewall Analyzer automatically detects clusters from the value of the orig_name syslog field.
Edit any of the OPSEC object values (you may set the same password again) in the Check Point Management Server, then 'Save' to re-establish the trust of that OPSEC object, and install the policies again on the Management Server. After that you can make the edit in the Firewall Analyzer web client.