Configuring Integration with Checkpoint Firewall-1

The Configuration Compliance Manager CheckPoint scan module connects to a CheckPoint Management Server using the OPSEC CPMI API. The CheckPoint Firewall retriever works only on the OPSEC server and not on the individual firewalls. There are several configuration steps that must be taken on the CheckPoint Management Server itself and in Configuration Compliance Manager to use the CheckPoint scan module. Note that the Checkpoint Firewall-1 selection is available only if the Firewalls module has been licensed.

Configuring the CheckPoint Management Server

The CheckPoint Management Server must be configured to allow connections from the Configuration Compliance Manager Scan Engine to certain services. These services are:

- CPMI (tcp/18190)
- FW1 (tcp/256)
- FW1_key (tcp/265)
- FW1_ica_pull (tcp/18210)

The CheckPoint Management Server must also be configured to allow the Configuration Compliance Manager Scan Engine to connect with SIC (Secure Internal Communication). This process involves adding an entry for the Configuration Compliance Manager Engine as an OPSEC application, setting up a one-time activation key, then having the Scan Engine connect to the CheckPoint Management Server to get an OPSEC certificate.

This is done (from the CheckPoint SmartDashboard in Windows) by going to the Manage menu and selecting "Servers and OPSEC Applications...", then creating a New "OPSEC Application" entry:

- For Name, enter a name for the OPSEC application. You will need to enter this exact same name into the Configuration Compliance Manager Console.
- For Host, add an entry for the Configuration Compliance Manager Scan Engine. You'll need to enter the IP address of the engine.
- Vendor should be "User defined".
- In the "Client Entities" box, select CPMI and nothing else.
- Then click the Communication button to set up SIC. In the Communication dialog, enter an Activation Key. This is a one-time password used to establish trust between the Configuration Compliance Manager Scan Engine and the CheckPoint Management Server. You will need to enter this key in the Configuration Compliance Manager Console. Once the key is entered, click the Initialize button, then Close.

Configuring Configuration Compliance Manager

Once the CheckPoint Management Server is configured to allow the Configuration Compliance Manager Scan Engine, Configuration Compliance Manager must be configured to connect to it.

Before starting this process, ensure that you have the Scan Engine set up, and a Network Profile configured that contains the IP address of the CheckPoint Management Server. During the configuration process, the Configuration Compliance Manager Console will instruct the appropriate engine to connect to the CheckPoint Management Server to retrieve the SIC certificate. This can only happen if there is a Network Profile set up and the Scan Engine is connected. It is recommended, but not required, that all scans using the Scan Engine be stopped before configuring the CheckPoint authentication. Configuration Compliance Manager will warn if scans are running on the engine, but it will allow you to continue.

To configure Configuration Compliance Manager, in the Console go to the Settings menu and select "System...". Go to the "CheckPoint Firewall-1 Settings" panel, in the "Third-Party Integration" section. Click "Add..." to get to the configuration dialog.

- For IP Address, enter the IP address of the CheckPoint Management Server.
- OPSEC Application Name is the same name entered as part of the configuration process on the CheckPoint Management Server.
- Activation Key is the activation key from the configuration process on the CheckPoint Management Server.
- Username and Password are the authentication credentials required to connect to the CheckPoint Management Server. Either use the administrator account, or some other account if the access controls are configured to allow other users.

When the OK button is clicked, the Console will instruct the Configuration Compliance Manager Scan Engine to retrieve the OPSEC certificate from the CheckPoint Management Server. If this is successful, an entry will be added to the list in the configuration panel in Configuration Compliance Manager. If an error occurs, the information will not be saved. Here are some common errors:

- "Opsec error. rc=-1 err=-93 The referred entity does not exist in the Certificate Authority" - The name has been entered wrong or trust has already been established. Reset the SIC on the CheckPoint and try again.
- "Opsec error. rc=-1 err=-94 There was a problem when trying to establish an SSL connection, probably peer was not authenticated" - The Activation Key is incorrect.
- "Opsec error. rc=-1 err=-96 Connection error" - Can't connect to the CheckPoint Management Server. Make sure the firewall is configured to allow the Scan Engine to connect to it on the needed ports.

Once the certificate is retrieved, it cannot be retrieved again without resetting SIC in CheckPoint. If you try to Edit an entry, you will be able to change the Username and Password used to authenticate to the CheckPoint Management Server, but you cannot change any other entries. If you want to renew the certificate or trust relationship, you have to delete the entry and create a new one.
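Added here as an example, not part of the product documentation: a pre-flight check to run on the Scan Engine host before clicking OK, confirming that the four services listed in the Management Server section (CPMI, FW1, FW1_key, FW1_ica_pull) accept TCP connections from the engine. A blocked service is the usual cause of the err=-96 connection error above. The Management Server address used as the default target is a placeholder.

```python
import socket
import sys
from concurrent.futures import ThreadPoolExecutor

# Services the CheckPoint Management Server must accept from the Scan Engine,
# with the TCP ports the documentation lists for each.
REQUIRED_SERVICES = {
    "CPMI": 18190,
    "FW1": 256,
    "FW1_key": 265,
    "FW1_ica_pull": 18210,
}


def check_port(host, port, timeout=3.0):
    """Return True if a TCP handshake to host:port completes within timeout.

    Only the handshake is attempted; nothing is sent, so the probe is safe to
    run against the management server at any time.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, filtered (timeout), unreachable, no route
        return False


def check_management_server(host, services=REQUIRED_SERVICES, timeout=3.0):
    """Probe every required service in parallel; return {service: reachable}."""
    with ThreadPoolExecutor(max_workers=len(services)) as pool:
        probes = pool.map(lambda item: (item[0], check_port(host, item[1], timeout)),
                          services.items())
        return dict(probes)


def missing_services(report):
    """Names of the services that did not accept a connection, sorted."""
    return sorted(name for name, ok in report.items() if not ok)


if __name__ == "__main__":
    # Placeholder address (documentation range); pass the real one as argv[1].
    target = sys.argv[1] if len(sys.argv) > 1 else "192.0.2.10"
    report = check_management_server(target)
    for name, ok in report.items():
        print(f"{name:14} tcp/{REQUIRED_SERVICES[name]:<6} {'open' if ok else 'BLOCKED'}")
    blocked = missing_services(report)
    if blocked:
        print("Allow these services from the Scan Engine before retrieving the "
              "OPSEC certificate: " + ", ".join(blocked))
    sys.exit(1 if blocked else 0)
```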

Scanning

Once the trust relationship is established between the Configuration Compliance Manager Scan Engine and the CheckPoint Management Server, a scan performed against the CheckPoint should gather the data. No extra configuration is needed in the Advanced Scan or Compliance Task configuration dialogs.
