
Symantec Managed Security Services

Logging Configuration Instructions


Check Point LEA V2 (On-box)

Symantec Managed Security Services


Logging Configuration Instructions
Check Point LEA V2 (On-box)
This document includes the following topics:
About this guide
Supported versions of Check Point LEA
Understanding Check Point LEA Architecture
Configuring Check Point LEA
Configuration parameters
Sample event log of Check Point LEA

About this guide


This guide describes how to configure Check Point LEA to send event logs to Symantec Managed
Security Services (MSS).

Note: Symantec MSS provides two options for Check Point LEA log collection:
- On-box, meaning send logs to the collector that is installed with the Log Collection Platform
  (LCP)
- Off-box, meaning send logs to a collector that is installed separately from the LCP
If you plan to connect Check Point LEA to the on-box log collector, continue with the procedures
in this guide. If instead you plan to connect to an off-box collector, be sure that you first install
the off-box agent and collector (see the Symantec MSS Installation Guide for Off-Box Agent for
LCP 2.5 for instructions), then use the instructions in Symantec Quick Start Guide for Check
Point LEA.

Supported versions of Check Point LEA


Managed Security Services monitors only the Check Point LEA versions that are listed in the Supported Products
List document. For the latest supported versions, visit the Symantec Managed Security Services portal and view the
Symantec_MSS_Supported_Products_List.xlsx document.

Understanding Check Point LEA Architecture


It is important that you understand the various architectures described in this document.

Local: Check Point Firewall (FW), Check Point Manager (CMA), and Check Point Log Manager (CLM) all reside
on the same server.

Distributed: FW, CMA, and CLM all reside on different servers.

If Check Point Provider-1 is in use, the following two options are also possible:

Multi-Domain Security Management (MDS): In an MDS setup, the FW and MDS (multiple CMAs and a CLM on the
same server) are on separate boxes.
SYMANTEC PROPRIETARY/CONFIDENTIAL
Copyright 2014 Symantec Corporation, All Rights Reserved. Symantec, the Symantec Logo, and the Checkmark Logo are
trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be
trademarks of their respective owners. This document contains Symantec proprietary and Confidential Information and may not be
copied, further distributed, or otherwise disclosed in whole or in part, without the express written permission of Symantec.

Multi-Domain Log Module (MLM): In an MLM setup, the FW, MDS (multiple CMAs, but no CLM), and MLM (multiple
CLMs only) are on separate boxes.

Note: If you have a CMA listening on TCP/18210 and a CLM listening on TCP/18184, ensure that
these ports are open to allow communication from the LCP.

Configuring Check Point LEA


First, create a network object for the LCP, then create a new OPSEC application on the CMA.

To create a network object for the Symantec MSS Log Collection Platform
1. On the CMA, click the Network Objects icon.
2. In the Network Objects tree, click Nodes, and then right-click Node > Host.

3. In the Host Node window, on the General Properties tab, type the LCP's host name in the Name field, or its
IP address in either the IPv4 Address or IPv6 Address field.


4. If you opt to enter the host name, click Get Address, and then click OK. If this action fails to resolve the
host name, you can enter the IP address in the New Node Host, fix the DNS resolution, or add an entry to
the /etc/hosts file. The /etc/hosts file must contain the IP address of the LCP.
5. Click the floppy icon.
6. Click File > Save.
7. Press Ctrl-S.

To create a new OPSEC application on the Check Point Manager (CMA)


1. Log on to Check Point SmartDashboard as an Administrator.
2. On the left bottom pane, click the Servers and OPSEC icon.
3. In the OPSEC Applications tree, right-click OPSEC Applications and select New OPSEC Application.

4. In the OPSEC Application Properties dialog box, in the General tab, do the following:
a. In the Name field, specify a name for the OPSEC application (preferred name). This value is used for
LCP configuration.
b. In the Host field, select the IP address of the LCP.

Note: Several OPSEC applications can reside on a single host; therefore, be sure to
choose the Symantec MSS LCP host for which you created a network object in the
previous procedure.

c. Under Client Entities, select LEA.


d. In the Secure Internal Communication area, click Communication.


e. In the Communication dialog box, type a one-time password and confirm it. This password is the
activation key that the LCP uses to establish Secure Internal Communication (SIC).

f. Make a note of this password.


g. Click Initialize to initialize SIC.


h. Make a note of the application SIC DN string that is generated after you initialize SIC (for example,
CN=symantec_mss_lea,O=cma1..hipfr8). You can view it by clicking the newly created OPSEC application
again.
i. Click Close. When you close the dialog box, the Trust State changes from Uninitialized to Initialized,
but trust is not yet established.
5. Install the policy to the appliance by selecting Policy > Install.

6. Select installation targets Network Security and Threat Prevention, then click OK.


7. After successful policy installation, select Policy > Install Database and, when the dialog box appears,
click OK.

8. Provide the following details to Symantec MSS:

- Name of OPSEC LEA (from Step 4.a.)
- One-time password for OPSEC LEA (from Step 4.e.)
- Application SIC (DN string for OPSEC LEA) (from Step 4.h.)
- Management SIC (DN string for CMA/CLM): refer to the vendor documentation, or see the following
  knowledge base article:
  http://www.symantec.com/business/support/index?page=content&id=TECH180284
- Check Point Log Manager: If the firewall logs are stored in the CMA, provide the CMA IP address. If the
  firewall logs are stored on a separate CLM, provide the CLM IP address.
- Log Server DN string: If the firewall logs to the CMA, provide the CMA DN string.
- LEA Port: The default port is 18184. If other OPSEC LEA communication already exists and the default
  fwopsec.conf file was edited previously, a port might need to be added or changed to 18185 in
  fwopsec.conf. After this port is added or changed, the CMA/CLM services must be restarted with the
  command cpstop && cpstart.


9. When trust is established, open the OPSEC Application, access its OPSEC Application Properties dialog
box, and click the LEA Permissions tab.

10. Click Show all log fields and click OK.

Note: Be sure to enable logging for all Firewall rules. Also, create an explicit deny rule below all of the
other rules and enable logging for it. For information on how to create and enable Firewall rules,
refer to the Check Point product documentation. Any rule that does not have logging enabled
will not be subject to security monitoring.

Configuration parameters

Table 1 Configuration parameters (property, then its description)

Protocol
  Protocol used by the collector. The default value is OPSEC.

LEA OpSec Application Name
  Name of the OPSEC Application that is created in the Check Point SmartDashboard Console.

LEA OpSec Application Password
  The password that was specified when you created the OPSEC Application.

LEA Server IP Address
  If firewall logs are stored in the CMA, enter the CMA IP address. If the firewall logs are stored in a
  separate CLM, enter the CLM IP address.

LEA Server Auth Port
  Authentication port on the Check Point LEA server on which the LEA application is running.
  The default value is 18184.
  For Check Point Provider-1 installations with MDS/CMA/Log server all on one computer, set this field
  to 18184 as the LEA server auth port.
  For Distributed Provider-1 installations with MDS/CMA on one computer and the MLM/CLM on a separate
  computer (where clear text communication is the only option), set this field to 0 (zero) as the LEA
  server auth port.

LEA Server Auth Type
  Authentication type that the LCP uses. The value is sslca.


LEA Server Port
  Communications port for the LEA server.
  For Check Point Provider-1 installations with MDS/CMA/Log server all on one computer, set this field
  to 0 (zero) as the LEA server port.
  For Distributed Provider-1 installations with MDS/CMA on one computer and the MLM/CLM on a separate
  computer (where clear text communication is the only option), set this field to 18184 as the LEA
  server port.
  The default value is 0.

Cert Server IP Address
  IP address of the CMA.

LEA Server OpSec Entity
  Qualified name of the OPSEC management server, CMA, or CLM.

SIC Name
  Copy the name from the OPSEC Application on the Check Point SmartDashboard Console.
  For Check Point Provider-1 installations with MDS/CMA/Log server all on one computer, set this field
  to the SIC name of the CMA.
  For Distributed Provider-1 installations with MDS/CMA on one computer and the MLM/CLM on a separate
  computer (where clear text communication is the only option), you must leave this field BLANK.
  The default value is CN=cp_mgmt,O=(sic_name_of_lea_server).

OpSec SIC Name
  Secure Internal Communication (SIC) name of the OPSEC Application. Copy the name from the OPSEC
  Application on the Check Point SmartDashboard Console.
  The default value is CN=(application_name),O=(sic_name_of_lea_server).
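The two Provider-1 rows in Table 1 are easy to mix up, because the same port number (18184) moves between the auth port and the plain port depending on the deployment, and the SIC Name must be filled in one case and left blank in the other. The following check is an added example, written for this page; it is not part of the Symantec guide and not LCP code. The dictionary keys are the Table 1 property names, the two deployment types and their port/SIC combinations are taken from the table, and the list of properties treated as mandatory is this example's own assumption.

```python
"""Consistency check for the LCP-side LEA parameters listed in Table 1.

Added example; not part of the Symantec guide and not LCP code.
"""
import re

# SIC DN strings have the shape CN=<name>,O=<server>..<suffix>, e.g. the
# guide's CN=symantec_mss_lea,O=cma1..hipfr8. Check Point also emits them in
# lower case (see origin_sic_name in the sample logs), so match case-insensitively.
_DN_RE = re.compile(r"^cn=[^,]+,o=[^,]+$", re.IGNORECASE)

# Port/SIC combinations per deployment type, as given in Table 1.
EXPECTED = {
    # MDS/CMA/Log server on one computer: authenticated (sslca) session on 18184
    "single_box": {"LEA Server Auth Port": 18184, "LEA Server Port": 0, "SIC Name": "cma_dn"},
    # MDS/CMA on one computer, MLM/CLM on another: clear text on 18184
    "distributed_cleartext": {"LEA Server Auth Port": 0, "LEA Server Port": 18184, "SIC Name": "blank"},
}

# Assumption of this example: these properties must never be empty.
REQUIRED = ("LEA OpSec Application Name", "LEA OpSec Application Password",
            "LEA Server IP Address", "Cert Server IP Address",
            "LEA Server OpSec Entity", "OpSec SIC Name")


def validate_lea_config(params, deployment):
    """Return {"errors": [...], "warnings": [...]} for one parameter set.

    errors   - values that contradict Table 1 for the given deployment type
    warnings - settings that are valid but worth knowing about (clear text)
    """
    if deployment not in EXPECTED:
        raise ValueError(f"unknown deployment type: {deployment}")
    expected = EXPECTED[deployment]
    errors, warnings = [], []

    if params.get("Protocol", "OPSEC") != "OPSEC":
        errors.append("Protocol must be OPSEC")
    if params.get("LEA Server Auth Type") != "sslca":
        errors.append("LEA Server Auth Type must be sslca")
    for key in REQUIRED:
        if not str(params.get(key, "")).strip():
            errors.append(f"{key} is empty")

    # Exactly the port pairing Table 1 gives for this deployment type.
    for key in ("LEA Server Auth Port", "LEA Server Port"):
        if params.get(key) != expected[key]:
            errors.append(f"{key} must be {expected[key]} for {deployment}, "
                          f"got {params.get(key)!r}")

    # SIC Name: CMA DN on a single box, BLANK in the distributed clear-text case.
    sic = str(params.get("SIC Name", "")).strip()
    if expected["SIC Name"] == "blank" and sic:
        errors.append("SIC Name must be blank for a distributed clear-text setup")
    elif expected["SIC Name"] == "cma_dn" and not _DN_RE.match(sic):
        errors.append("SIC Name must be the CMA DN, e.g. CN=cp_mgmt,O=<sic_name_of_lea_server>")

    app_sic = str(params.get("OpSec SIC Name", "")).strip()
    if app_sic and not _DN_RE.match(app_sic):
        errors.append("OpSec SIC Name must look like CN=<application_name>,O=<sic_name_of_lea_server>")

    if params.get("LEA Server Auth Port") == 0 and params.get("LEA Server Port") == 18184:
        warnings.append("clear-text LEA session: log data between the log server and the LCP "
                        "is not encrypted; restrict TCP/18184 on the log server to the LCP address")

    return {"errors": errors, "warnings": warnings}


# Constructed sample values (documentation addresses, placeholder names and password).
SINGLE_BOX_EXAMPLE = {
    "Protocol": "OPSEC",
    "LEA OpSec Application Name": "symantec_mss_lea",
    "LEA OpSec Application Password": "<one-time password from step 4.e>",
    "LEA Server IP Address": "192.0.2.10",
    "LEA Server Auth Port": 18184,
    "LEA Server Auth Type": "sslca",
    "LEA Server Port": 0,
    "Cert Server IP Address": "192.0.2.10",
    "LEA Server OpSec Entity": "cma1",
    "SIC Name": "CN=cp_mgmt,O=cma1..hipfr8",
    "OpSec SIC Name": "CN=symantec_mss_lea,O=cma1..hipfr8",
}

if __name__ == "__main__":
    print(validate_lea_config(SINGLE_BOX_EXAMPLE, "single_box"))
```

Run it against the parameter set before handing the values to Symantec MSS; an empty errors list means the ports and SIC fields agree with the Table 1 row for that deployment, and the warning flags the distributed clear-text case so the log path can be firewalled accordingly.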

Sample event log of Check Point LEA


Following is a sample event log for Anti-Malware:
, service map:
<eventmap version="2">
  <field name="file name">C:\Users\Administrator\AppData\Local\Temp\2\Temp1_eicar_com[1].zip\eicar.com</field>
  <field name="vendor_severity">1</field>
  <field name="event_type">Infection</field>
  <field name="product_family">Endpoint</field>
  <field name="logging_device_name">0.0.0.0</field>
  <field name="host_type">Desktop</field>
  <field name="action_details">Deleted</field>
  <field name="sig_ver">201403050629</field>
  <field name="description"> </field>
  <field name="action">prevent</field>
  <field name="point_product_name">Anti-Malware</field>
  <field name="Protection Type">protection</field>
  <field name="client_name">Check Point Endpoint Security Client</field>
  <field name="infection_category">Virus</field>
  <field name="__policy_id_tag">product=Anti-Malware[db_tag={4253ce2a-9673-4513-b7be-6fd5ee2a34bf};mgmt=Enpdoint Management;date=1394003243;policy_name=Default Anti-Malware settings for the entire organization;policy_number=2]</field>
  <field name="installed_products">Firewall; Compliance; Application Control; Anti-Malware</field>
  <field name="engine_ver">8.3.0.13</field>
  <field name="has_accounting">0</field>
  <field name="i/f_dir">inbound</field>
  <field name="user_sid"> </field>
  <field name="os_version">6.1-7601-SP1.0-SMP</field>
  <field name="source_host_name">198.19.9.21</field>
  <field name="src_machine_name">cpep_client1</field>
  <field name="os_name">Windows Server 2008 R2 Standard Server Edition</field>
  <field name="event_dt">1394012228000</field>
  <field name="connectivity_state">Connected</field>
  <field name="Protection Name">EICAR-Test-File</field>
  <field name="client_version">8.2.833</field>
</eventmap>


Following is a sample event log for Threat Emulation:


, service map:
<eventmap version="2">
  <field name="session_id">&lt;000000cc,00370042,a0f71e60,1326fcc9&gt;</field>
  <field name="web_client_type">Other: Wget/1.10.2 (Red Hat modified)</field>
  <field name="scope">172.23.14.178</field>
  <field name="source_port">59306</field>
  <field name="source_interface_name">Mgmt</field>
  <field name="proxy_src_ip">172.23.14.178</field>
  <field name="file_sha1">8941c1522b55d3a09f967e697d3fccc05a0073a4</field>
  <field name="file_name">053d19adbf26f6c1fe04a216005a64423f3cfa39ec708e45d570fe1db26a70b7.pdf</field>
  <field name="logging_device_name">172.23.14.178</field>
  <field name="packet_capture_unique_id">{000000CC-0037-0042-A0F7-1E601326FCC9}7e6fe36e-889e-4c25-8704-56378f0830df {000000CC-0037-0042-A0F7-1E601326FCC9}e50e99f3-5963-4573-af9e-e3f4750b55e2 {000000CC-0037-0042-A0F7-1E601326FCC9}00000000-0000-0000-0000-000000000000</field>
  <field name="origin_sic_name">cn=cp_mgmt,o=gulli203..678p4a</field>
  <field name="verdict">Malicious</field>
  <field name="action">prevent</field>
  <field name="point_product_name">Threat Emulation</field>
  <field name="Protection Type">HTTPEmulation</field>
  <field name="file_md5">06e222328e07325d4bc9ea370e3503a3</field>
  <field name="Confidence Level">5</field>
  <field name="log_id">4000</field>
  <field name="analyzed_on">gulli203</field>
  <field name="__policy_id_tag">product=VPN-1 &amp; FireWall-1[db_tag={00000023-0083-0042-8D43-38D270E5EF58};mgmt=gulli203;date=1376836858;policy_name=Standard]</field>
  <field name="malware_rule_id">{00000057-0022-0043-A8AB-45313C2C8EFF}</field>
  <field name="file_size">14789</field>
  <field name="destination_host_name">172.23.14.20</field>
  <field name="resource">*** Confidential ***</field>
  <field name="severity">4</field>
  <field name="has_accounting">0</field>
  <field name="i/f_dir">inbound</field>
  <field name="detected_on">Windows 7 32-bit unpatched Windows XP 32-bit SP3</field>
  <field name="file_type">pdf</field>
  <field name="source_host_name">172.23.14.178</field>
  <field name="malware_action">Malicious Filesystem Activity Malicious Network Activity Malicious Registry Activity Unexpected Process Creation Unexpected Process Termination</field>
  <field name="TE_verdict_determined_by">Win7 32: emulator. WinXP 32: emulator. </field>
  <field name="nw_protocol">tcp</field>
  <field name="event_dt">1377101705000</field>
  <field name="service">80</field>
  <field name="Protection Name">Exploited pdf document</field>
</eventmap>

Following is a sample event log for Firewall:


, service map:
<eventmap version="2">
  <field name="packet amount">10</field>
  <field name="__policy_id_tag">product=VPN-1 &amp; FireWall-1[db_tag={00000004-0064-004F-B088-182B5683C938};mgmt=gw-35f253;date=1366950256;policy_name=Standard]</field>
  <field name="origin_sic_name">cn=cp_mgmt,o=gw-35f253..mhzpfa</field>
  <field name="event_dt">1367547021000</field>
  <field name="action">drop</field>
  <field name="point_product_name">VPN-1 &amp; FireWall-1</field>
  <field name="packets">
    &lt;192.168.2.91,137,192.168.1.0,137,17;Mgmt&gt;
    &lt;192.168.2.91,137,192.168.1.0,137,17;Mgmt&gt;
    &lt;192.168.2.91,137,192.168.1.0,137,17;Mgmt&gt;
    &lt;192.168.2.91,137,192.168.1.0,137,17;Mgmt&gt;
    &lt;192.168.2.91,137,192.168.1.0,137,17;Mgmt&gt;
    &lt;192.168.2.91,137,192.168.1.0,137,17;Mgmt&gt;
    &lt;192.168.2.91,137,192.168.1.0,137,17;Mgmt&gt;
    &lt;192.168.2.91,137,192.168.1.0,137,17;Mgmt&gt;
    &lt;192.168.2.91,137,192.168.1.0,137,17;Mgmt&gt;
    &lt;192.168.2.91,137,192.168.1.0,137,17;Mgmt&gt;
  </field>
  <field name="drop reason">Address spoofing</field>
  <field name="source_interface_name">Mgmt</field>
  <field name="i/f_dir">inbound</field>
  <field name="has_accounting">0</field>
  <field name="logging_device_name">10.102.102.47</field>
</eventmap>
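The three samples above share one layout: a ", service map:" prefix followed by an eventmap element whose field elements carry the Check Point log keys, with XML entities (&lt;, &amp;) protecting the angle brackets in values such as packets and session_id, and event_dt holding a Unix timestamp in milliseconds. The parser below is an added example written for this page, not part of the Symantec guide and not LCP code. It decodes a record into a field dictionary, expands the packets 5-tuples, converts the timestamp, and produces a small per-product summary; the field names come from the samples, the 5-tuple layout (src, sport, dst, dport, IP protocol; interface) is inferred from the firewall sample, and the summary rules are this example's own assumptions. The embedded records are shortened copies of the page's Firewall and Threat Emulation samples.

```python
"""Parser and summary helper for LCP "eventmap" records (added example)."""
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# Shortened from the Firewall sample above: only the fields used below,
# and the ten repeated packet lines collapsed to two.
FIREWALL_SAMPLE = (
    ', service map: <eventmap version="2"><field name="packet amount">10</field>'
    '<field name="origin_sic_name">cn=cp_mgmt,o=gw-35f253..mhzpfa</field>'
    '<field name="event_dt">1367547021000</field><field name="action">drop</field>'
    '<field name="point_product_name">VPN-1 &amp; FireWall-1</field>'
    '<field name="packets">\n&lt;192.168.2.91,137,192.168.1.0,137,17;Mgmt&gt;\n'
    '&lt;192.168.2.91,137,192.168.1.0,137,17;Mgmt&gt;</field>'
    '<field name="drop reason">Address spoofing</field>'
    '<field name="i/f_dir">inbound</field>'
    '<field name="logging_device_name">10.102.102.47</field></eventmap>'
)

# Shortened from the Threat Emulation sample above.
TE_SAMPLE = (
    ', service map: <eventmap version="2"><field name="verdict">Malicious</field>'
    '<field name="action">prevent</field>'
    '<field name="point_product_name">Threat Emulation</field>'
    '<field name="file_sha1">8941c1522b55d3a09f967e697d3fccc05a0073a4</field>'
    '<field name="event_dt">1377101705000</field><field name="severity">4</field>'
    '<field name="Protection Name">Exploited pdf document</field></eventmap>'
)


def parse_eventmap(record):
    """Return {field name: text} for one record.

    Everything before the <eventmap> element (the ", service map: " prefix
    in the samples) is dropped; the XML parser decodes &lt; and &amp;.
    """
    start = record.find("<eventmap")
    if start < 0:
        raise ValueError("record contains no <eventmap> element")
    root = ET.fromstring(record[start:])
    if root.tag != "eventmap":
        raise ValueError(f"unexpected root element {root.tag!r}")
    return {f.get("name"): (f.text or "").strip() for f in root.findall("field")}


# One packet entry after entity decoding: <src,sport,dst,dport,ip_proto;iface>
_PACKET_RE = re.compile(r"<([^,]+),(\d+),([^,]+),(\d+),(\d+);([^>]*)>")


def parse_packets(text):
    """Expand the packets field into (src, sport, dst, dport, proto, iface) tuples."""
    return [(src, int(sp), dst, int(dp), int(proto), iface)
            for src, sp, dst, dp, proto, iface in _PACKET_RE.findall(text)]


def event_time(fields):
    """event_dt is Unix epoch time in milliseconds; return an aware UTC datetime."""
    return datetime.fromtimestamp(int(fields["event_dt"]) / 1000, tz=timezone.utc)


def summarize(fields):
    """Reduce a record to the handful of keys an analyst looks at first.

    The product-specific choices (verdict for Threat Emulation, event_type for
    Anti-Malware, action + drop reason for the firewall) are this example's own.
    """
    product = fields.get("point_product_name", "")
    out = {"product": product,
           "time": event_time(fields).isoformat(),
           "action": fields.get("action", ""),
           "logging_device": fields.get("logging_device_name", "")}
    if product == "Threat Emulation":
        out["alert"] = fields.get("verdict") == "Malicious"
        out["reason"] = fields.get("Protection Name", "")
        out["indicator"] = fields.get("file_sha1", "")
    elif product == "Anti-Malware":
        out["alert"] = fields.get("event_type") == "Infection"
        out["reason"] = fields.get("Protection Name", "")
        out["indicator"] = fields.get("file name", "")
    else:
        reason = fields.get("drop reason", "")
        out["alert"] = out["action"] == "drop" and "spoof" in reason.lower()
        out["reason"] = reason
        out["packets"] = parse_packets(fields.get("packets", ""))
    return out


if __name__ == "__main__":
    for rec in (FIREWALL_SAMPLE, TE_SAMPLE):
        print(summarize(parse_eventmap(rec)))
```

The parser keeps the raw field names (including "drop reason" and "i/f_dir", which contain spaces and slashes) as dictionary keys, so any field from the full samples above can be looked up unchanged; the packets field is only expanded for firewall records, where the repeated 5-tuples are what show the spoofed source address.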
