Configuring Check Point Firewalls
Firewall Analyzer supports LEA support
for R54 and above and log import from most versions.
Determining the Check Point Version Number
To determine the version number of the Check Point that you are running,
use the following command:
$FWDIR/bin/fw ver
where $FWDIR is the directory where Check Point is installed.
|
Note: Check Point LEA is not supported on Firewall Analyzer 64 bit installation. |
Pre-Requisites
You need to do the following in Smart Dashboard of Check Point Firewall.
Changes in Smart Dashboard :
- Open the "Smart Dashboard" where all the rules will be displayed.
Set the "Track" value as "Account" instead of "log" for all the rules that are allowing the traffic through the Firewall. This can be done
by right clicking on "Track" value for each rule and select "Account".
When this is set to "Account" the Check Point firewall will log the information
regarding bytes.
- After setting the "Track" value as "Account"for
all the rules, please install all the policies.
Virtual Firewall (Virtual Domain) logs
There is no separate configuration required in Firewall Analyzer for receving logs from Virtual Firewalls of the Check Point physical device.
If orig_name attribute is present in the syslog data, then Firewall Analyzer considers that the log source is virtual firewall (vdom). Otherwise the application considers that the log source is physical device. The recognition of logs from the virtual firewall is automatic and no manual configuration is required.
There are two ways of obtaining logs from Check Point firewall:
The difference between the two ways are:
If you configure LEA connection, the logs will be collected automatically and processed by the Firewall Analyzer. Whereas, if you want import the logs, manual intervention is required. You need to export the syslogs in Check Point Management Station or from Check Point Smart Tracker UI and then manually import the syslog file in Firewall Analyzer.
Configuring LEA Connection
The following instructions will help you set up an authenticated or unauthenticated
connection between Firewall Analyzer and the Check Point Management Server.
For additional information please refer the Check Point documentation
or contact Check Point technical support.
For managing the LEA
servers the configurations that needs to be done for the different
check point firewalls are explained below:
Setting up an Unauthenticated LEA Connection
Follow the steps below to configure an unauthenticated connection from
the Check Point Firewall:
Carryout the configuration in the Check Point Firewall Management Station.
- In the FWDIR\conf directory on the computer where the Check
Point Management Server is installed, edit the
fwopsec.conf
file to include the following line:
lea_server port 18184
lea_server auth_port 0
- Restart the firewall service
[4.1] fwstop ; fwstart
[NG] cpstop ; cpstart
- Add a rule to the policy to allow the port defined above
port
18184 (assuming default LEA connection port) from the Firewall
Analyzer machine to the Check Point Management Server and vice versa.
- Install the policy
Adding to LEA Server Lists on Firewall Analyzer
Once this unauthenticated LEA connection has been set up, follow the
instructions for Adding
an LEA Server to the Firewall Analyzer.
If you are unable to view the Check Point Firewall reports refer the Trouble Shooting Tip.
Setting up an Authenticated LEA Connection
Follow the steps below to configure an authenticated connection from
the Check Point Firewall:
Carryout the configuration in the Check Point Firewall Management Station.
- In the FWDIR\conf directory on the computer where the Check
Point Management Server is installed, edit the
fwopsec.conf file to include the following line:
lea_server port 0
lea_server auth_port 18184
- Restart the firewall service
[4.1] fwstop ; fwstart
[NG] cpstop ; cpstart
- Add a rule to the policy to allow the port defined above
port
18184 (assuming default LEA connection port) from the Firewall
Analyzer machine to the Check Point Management Server and vice versa.
- Install the policy
The following steps will help you configure an sslca
authenticated connection to the Check Point firewall, carryout the configuration in the Check Point firewall Management Station:
- Create a new OPSEC Application Object with the following details:
- Name (e.g., myleaclient)
- Vendor: user defined
- Server Entities: none
- Client Entities: LEA
- Initialize Secure Internal Communication (SIC) for
this OPSEC Application Object and enter the activation key (e.g. def456).
Note down this activation key, as you will need it later.
- Write down the DN of this OPSEC Application Object. This is the Client
Distinguished Name, which you need later on.
- Open the object of the Check Point Management Server and write down
the DN of that object. This is the Server Distinguished Name.
- Add a rule to the policy to allow the port defined above, as well
as port 18210/tcp (FW1_ica_pull) in order to allow pulling of PKCS#12
certificate from the Firewall Analyzer to the Check Point Management
Server. The port 18210/tcp can be shut down after the communication
between Firewall Analyzer and the Check Point Management Server has
been established successfully.
- Install the policy.
Configuring the attributes of Check Point Firewall Server in Firewall Analyzer
OPSEC Application |
Object Name |
Ex. myleaclient |
Activation Key |
Ex. def456 |
SIC Name |
Ex. CN=myleaclient,O=cherry-win1..9mob46 |
LEA Server |
Authentication Type |
Ex. sslca |
SIC Name |
Ex. cn=cp_mgmt,o=cherry-win1..9mob46 |
The attributes to be configured are described
in the table below:
Attributes |
Description |
OPSEC Application - Object Name |
This is the applications NAME that is defined when creating the application object in the Policy Editor under the OPSEC Applications Properties Name field. |
OPSEC Application - Activation Key |
This is the one time password (Activation Key) that was defined when clicking 'Communications' in the OPSEC Applications Properties window. |
OPSEC Application - SIC Name |
The SIC name of the OPSEC Application LEA client (the LEA
Server on Firewall Analyzer), in the case of authenticated connections. |
LEA Server - Authentication Type |
The authentication mechanism to be used. The default value is sslca .
Supported values in this field are: sslca, sslca_clear, sslca_comp,
sslca_rc4, sslca_rc4_comp, asym_sslca, asym_sslca_comp, asym_sslca_rc4,
asym_sslca_rc4_comp, ssl, ssl_opsec, ssl_clear, ssl_clear_opsec, fwn1 and auth_opsec |
LEA Server - SIC Name |
The SIC name of the Check Point Management Server. |
Importing Check Point Log Files
Before proceeding with the importing of Check Point logs, you need to
do the following changes in the Smart View Tracker of the Check Point
Firewall to obtain the complete log information:
Changes in Smart View Tracker :
- Open the "Smart View Tracker" and click on "View" > "Query Properties".
- Please select the following attributes if they where not selected
previously:
- Elapsed
- Bytes
- Client InBound Bytes
- Client OutBound Bytes
- Server InBound Bytes
- Server OutBound Bytes
- Status
- URL
For Non-LEA connections, there are two ways to create plain text check
point log file and export the log file, which then can be imported in
Firewall Analyzer. For LEA connections you can skip the below mentioned
methods and follow the LEA configuration instructions.
Method 1 :
In the command prompt of Check Point Firewall Management Station execute
the following command
fw logexport -d ; -i fw.log -o exportresult.log -n
|
For Check Point NG use the below command:
fwm logexport -d ; -i fw.log -o exportresult.log -n
where, -d refers to delimiter, -i refers to input
log file, -o refers to output ASCII file, and -n
implies don't perform DNS resolution of the IP addresses in the Log
File (this option significantly improves processing speed).
|
For detailed information please refer the Check Point documentation or
contact Check Point technical support.
The above command creates an ascii file named exportresult.log.
Copy or transfer this file to Firewall Analyzer machine. Then in Firewall
Analyzer you can Import this log file.
Method 2 :
- In the Check Point Smart Tracker UI (UI where you are seeing all logs
in Check Point Management Station), select All Records option in the
left tree.
- Click "File" > "Export".
- Give a proper file name, like exportresult.log. Copy or transfer this
file to Firewall Analyzer machine. Then in Firewall Analyzer you can
Import this log file.
Trouble Shooting Tip
If you are unable to view the Check Point Firewall reports carry out the following procedure:
- Click the Edit/Delete icon of the firewall for which you are unable to view reports. Click Save.
- Click the Enable Debugging Mode checkbox to enable the Check Point firewall in debugging mode.
- Once saved, create a support information file through Support tab, and send to fwanalyzer-support@manageengine.com
|