SymantecEvent Collector 4.3 for Check Point® FireWall-1 Quick Reference

Symantec Event Collector 4.3 for Check Point® FireWall-1 Quick …web.mst.edu/~kfl/SSIM/Very Old/SEC_for_CheckPoint_43.pdf · 2009-05-27 · Maintenance agreement resources If you


Symantec™ Event Collector 4.3 for Check Point® FireWall-1 Quick Reference


Symantec™ Event Collector for Check Point® FireWall-1 Quick Reference

The software described in this book is furnished under a license agreement and may be used only in accordance with the terms of the agreement.

Legal Notice
Copyright © 2008 Symantec Corporation. All rights reserved.

Symantec, the Symantec Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners.

This Symantec product may contain third party software for which Symantec is required to provide attribution to the third party (“Third Party Programs”). Some of the Third Party Programs are available under open source or free software licenses. The License Agreement accompanying the Software does not alter any rights or obligations you may have under those open source or free software licenses. Please see the Third Party Legal Notice Appendix to this Documentation or TPIP ReadMe File accompanying this Symantec product for more information on the Third Party Programs.

The product described in this document is distributed under licenses restricting its use, copying, distribution, and decompilation/reverse engineering. No part of this document may be reproduced in any form by any means without prior written authorization of Symantec Corporation and its licensors, if any.

THE DOCUMENTATION IS PROVIDED "AS IS" AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID. SYMANTEC CORPORATION SHALL NOT BE LIABLE FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES IN CONNECTION WITH THE FURNISHING, PERFORMANCE, OR USE OF THIS DOCUMENTATION. THE INFORMATION CONTAINED IN THIS DOCUMENTATION IS SUBJECT TO CHANGE WITHOUT NOTICE.

The Licensed Software and Documentation are deemed to be commercial computer software as defined in FAR 12.212 and subject to restricted rights as defined in FAR Section 52.227-19 "Commercial Computer Software - Restricted Rights" and DFARS 227.7202, "Rights in Commercial Computer Software or Commercial Computer Software Documentation", as applicable, and any successor regulations. Any use, modification, reproduction release, performance, display or disclosure of the Licensed Software and Documentation by the U.S. Government shall be solely in accordance with the terms of this Agreement.


Symantec Corporation
20330 Stevens Creek Blvd.
Cupertino, CA 95014

http://www.symantec.com

Printed in the United States of America.


Technical Support

Symantec Technical Support maintains support centers globally. Technical Support’s primary role is to respond to specific queries about product features and functionality. The Technical Support group also creates content for our online Knowledge Base. The Technical Support group works collaboratively with the other functional areas within Symantec to answer your questions in a timely fashion. For example, the Technical Support group works with Product Engineering and Symantec Security Response to provide alerting services and virus definition updates.

Symantec’s maintenance offerings include the following:

■ A range of support options that give you the flexibility to select the right amount of service for any size organization

■ Telephone and Web-based support that provides rapid response and up-to-the-minute information

■ Upgrade assurance that delivers automatic software upgrade protection

■ Global support that is available 24 hours a day, 7 days a week

■ Advanced features, including Account Management Services

For information about Symantec’s Maintenance Programs, you can visit our Web site at the following URL:

www.symantec.com/techsupp/

Contacting Technical Support

Customers with a current maintenance agreement may access Technical Support information at the following URL:

www.symantec.com/techsupp/

Before contacting Technical Support, make sure you have satisfied the system requirements that are listed in your product documentation. Also, you should be at the computer on which the problem occurred, in case it is necessary to replicate the problem.

When you contact Technical Support, please have the following information available:

■ Product release level

■ Hardware information

■ Available memory, disk space, and NIC information

■ Operating system


■ Version and patch level

■ Network topology

■ Router, gateway, and IP address information

■ Problem description:

■ Error messages and log files

■ Troubleshooting that was performed before contacting Symantec

■ Recent software configuration changes and network changes

Licensing and registration

If your Symantec product requires registration or a license key, access our technical support Web page at the following URL:

www.symantec.com/techsupp/

Customer service

Customer service information is available at the following URL:

www.symantec.com/techsupp/

Customer Service is available to assist with the following types of issues:

■ Questions regarding product licensing or serialization

■ Product registration updates, such as address or name changes

■ General product information (features, language availability, local dealers)

■ Latest information about product updates and upgrades

■ Information about upgrade assurance and maintenance contracts

■ Information about the Symantec Buying Programs

■ Advice about Symantec's technical support options

■ Nontechnical presales questions

■ Issues that are related to CD-ROMs or manuals


Maintenance agreement resources

If you want to contact Symantec regarding an existing maintenance agreement, please contact the maintenance agreement administration team for your region as follows:

■ Asia-Pacific and Japan: [email protected]

■ Europe, Middle-East, and Africa: [email protected]

■ North America and Latin America: [email protected]

Additional enterprise services

Symantec offers a comprehensive set of services that allow you to maximize your investment in Symantec products and to develop your knowledge, expertise, and global insight, which enable you to manage your business risks proactively.

Enterprise services that are available include the following:

■ Symantec Early Warning Solutions: These solutions provide early warning of cyber attacks, comprehensive threat analysis, and countermeasures to prevent attacks before they occur.

■ Managed Security Services: These services remove the burden of managing and monitoring security devices and events, ensuring rapid response to real threats.

■ Consulting Services: Symantec Consulting Services provide on-site technical expertise from Symantec and its trusted partners. Symantec Consulting Services offer a variety of prepackaged and customizable options that include assessment, design, implementation, monitoring, and management capabilities. Each is focused on establishing and maintaining the integrity and availability of your IT resources.

■ Educational Services: Educational Services provide a full array of technical training, security education, security certification, and awareness communication programs.

To access more information about Enterprise services, please visit our Web site at the following URL:

www.symantec.com

Select your country or language from the site index.


Contents

Technical Support ... 4

Chapter 1 Introducing Symantec Event Collector for Check Point FireWall-1 ... 9

    About this quick reference ... 9
    Compatibility requirements for Check Point FireWall-1 Event Collector ... 10
    System requirements for the Check Point FireWall-1 Event Collector computer ... 11
    About the installation sequence for Check Point FireWall-1 Event Collector ... 11
    Upgrading the on-appliance collector from 4.2 to 4.3 on Information Manager 4.5 ... 12
    Installing the compat-libstdc++ package on Red Hat Enterprise Linux 3.0 ... 14
    Configuring Check Point FireWall-1 to work with the collector ... 14
    Running LiveUpdate for collectors ... 22

Chapter 2 Implementation notes ... 27

    Product ID for Check Point FireWall-1 Event Collector ... 27
    Event example ... 27
    Schema packages ... 28
    Event mapping for Information Manager ... 28

Chapter 3 Event filtering and aggregation ... 35

    Event filtering and aggregation for Check Point FireWall-1 Event Collector ... 35

Chapter 1 Introducing Symantec Event Collector for Check Point FireWall-1

This chapter includes the following topics:

■ About this quick reference

■ Compatibility requirements for Check Point FireWall-1 Event Collector

■ System requirements for the Check Point FireWall-1 Event Collector computer

■ About the installation sequence for Check Point FireWall-1 Event Collector

■ Upgrading the on-appliance collector from 4.2 to 4.3 on Information Manager 4.5

■ Installing the compat-libstdc++ package on Red Hat Enterprise Linux 3.0

■ Configuring Check Point FireWall-1 to work with the collector

■ Running LiveUpdate for collectors

About this quick reference

This quick reference includes information that is specific to Symantec™ Event Collector for Check Point® FireWall-1. General knowledge about installing and configuring collectors is assumed, as well as basic knowledge of Check Point FireWall-1.

For detailed information on how to install and configure event collectors, please see the Symantec Event Collectors Integration Guide.

For information on Check Point FireWall-1, see your product documentation.

Compatibility requirements for Check Point FireWall-1 Event Collector

The collector is compatible with the following Check Point products:

■ Check Point FireWall-1 NG Application Intelligence R55 and NGX 6.x, including 6.0, 6.2, and 6.5, that runs on one of the following operating systems:

■ Microsoft Windows 2000 Advanced Server with Service Pack 4 or later

■ Red Hat Enterprise Linux AS 3.0

■ Check Point Provider-1 NG and NGX 6.x, including 6.0, 6.2, and 6.5 on Red Hat Enterprise 3, Sun Solaris, and Check Point SecurePlatform with the following configurations:

■ Check Point Provider-1 with MDS/CMA/log server all on one computer

■ Check Point Provider-1 with separate MLM/CLM computers

The collector can collect from the Check Point Audit log, as well as the security log.

The collector is also compatible with Check Point R55 and 6.x, including 6.0, 6.2, and 6.5, that runs on the Nokia IP series appliances.

Please go to the Nokia Web site for detailed information:

http://europe.nokia.com/A4153091

The collector runs on the following operating systems:

■ Microsoft Windows 2000 with Service Pack 4 or later

■ Microsoft Windows Advanced Server 2000 with Service Pack 4 or later

■ Microsoft Windows Server 2003 Enterprise Edition with Service Pack 1 or later

■ Microsoft Windows Server 2003 Standard Edition with Service Pack 1 or later

■ Windows XP with Service Pack 2 or later

■ Red Hat Enterprise Linux AS 3.0
  If you use Red Hat Enterprise Linux AS 3.0, you must install the compat-libstdc++ package.
  See “Installing the compat-libstdc++ package on Red Hat Enterprise Linux 3.0” on page 14.

■ Red Hat Enterprise Linux AS 4.0

Note: You can install version 4.3 collectors on both 32-bit and 64-bit versions of Windows Server 2000/2003.

Note: If the Check Point LEA Server is installed on a platform other than Windows or Linux, a remote configuration setup is required.

System requirements for the Check Point FireWall-1 Event Collector computer

Minimum system requirements for a remote collector installation are as follows:

■ Intel Pentium-compatible 133-MHz processor (up to and including Xeon-class)

■ 512 MB minimum, 1 GB of memory recommended for the Symantec Event Agent

■ 35 MB of hard disk space for collector program files

■ 95 MB of hard disk space to accommodate the Symantec Event Agent, the JRE, and the collector

■ TCP/IP connection to a network from a static IP address

About the installation sequence for Check Point FireWall-1 Event Collector

The collector is preinstalled on the Information Manager 4.6 appliance. You can also install this collector on a remote computer or on an Information Manager 4.5 appliance.

The collector installation sequence is as follows:

■ Complete the preinstallation requirements.
  For these procedures, see the Symantec Event Collectors Integration Guide.

■ Configure Check Point FireWall-1 to work with the collector.
  If you use Red Hat Enterprise Linux 3.0, you must install the compat-libstdc++ package.
  See “Installing the compat-libstdc++ package on Red Hat Enterprise Linux 3.0” on page 14.

■ Close the Symantec Security Information Manager Client console.

■ Register the collector for all off-appliance collector installations.
  If you use Information Manager 4.6, the collector is pre-registered. You do not have to register it.
  For this procedure see the Symantec Event Collectors Integration Guide.

■ Install the Symantec Event Agent on the collector computer.
  You must install the agent for all remote installations.
  Symantec Event Agent 4.5.0 build 12 or later is required.

■ Run LiveUpdate on earlier collectors.
  If you install a 4.3 collector on a computer that has an earlier collector on it, you must first run LiveUpdate on all components of the earlier version of the collector. You must update the earlier collector before you install the 4.3 collector.
  See “Running LiveUpdate for collectors” on page 22.

■ Install the collector component.
  The collector is preinstalled on the Information Manager 4.6 appliance. If you want to use the collector on a remote computer, you must install it on the remote computer.
  You can upgrade the collector on the Information Manager 4.5 appliance. However, you must first apply the Information Manager 4.5.1 with Maintenance Release 1 (or later) upgrade package on the appliance.
  See “Upgrading the on-appliance collector from 4.2 to 4.3 on Information Manager 4.5” on page 12.
  You can install the collector on the Information Manager 4.5 appliance. However, you must first apply the Information Manager 4.5.1 with Maintenance Release 1 (or later) upgrade package on the appliance.
  For procedures on how to install the collector on a remote computer or on an appliance, see the Symantec Event Collectors Integration Guide.

■ Configure the sensor.

■ Run LiveUpdate.
  See “Running LiveUpdate for collectors” on page 22.

For all procedures that are not covered in the quick reference, see the Symantec Event Collectors Integration Guide.

Upgrading the on-appliance collector from 4.2 to 4.3 on Information Manager 4.5

Check Point FireWall-1 Event Collector 4.3 comes preinstalled on the Information Manager 4.6 appliance.

Check Point FireWall-1 Event Collector 4.2 comes preinstalled on the Information Manager 4.5 appliance. You can upgrade your collector from 4.2 to 4.3 on the Information Manager 4.5 appliance.

You must install Information Manager 4.5.1 with Maintenance Release 1 (or later) before you upgrade Check Point FireWall-1 Event Collector 4.2 to 4.3 on the Information Manager appliance.

To upgrade the on-appliance Check Point FireWall-1 Event Collector from 4.2 to 4.3

1 Contact Symantec to get the upgrade package.

2 Unzip the upgrade package onto your Information Manager 4.5 client computer.

3 Start the Symantec Security Information Manager client and then log in with administrator credentials.

4 Export the existing sensor settings and all custom filters and aggregators to .xml files.

For more information, see the Symantec Event Collectors Integration Guide.

5 Close the Symantec Security Information Manager client.

6 From a Web browser, navigate to the Symantec Security Information Manager Administrator Web page and log in with administrator credentials.

7 From the list on the left, click System Updates.

8 From Options, click Install and browse to the location where you unzipped the upgrade package.

9 Select the update-checkpointcollector.jar file and click Upload and Install.

10 In the Confirm Installation page, click Continue.

11 When done, click Cancel.

12 Close the Symantec Security Information Manager Administrator Web page.

13 Start the Symantec Security Information Manager client and log on with administrator credentials.

14 Import the sensor settings and custom filters and aggregators from the .xml files that you created in step 4.

For more information, see the Symantec Event Collectors Integration Guide.

Installing the compat-libstdc++ package on Red Hat Enterprise Linux 3.0

If you use Red Hat Enterprise Linux 3.0, you must install the compat-libstdc++ package.

The compat-libstdc++ package is located in a Red Hat install package rpm file named as follows:

compat-libstdc++-version_number.architecture.rpm

To install the compat-libstdc++ package

◆ At a Linux command prompt, type the following command:

up2date compat-libstdc++

Configuring Check Point FireWall-1 to work with the collector

If you have Check Point FireWall-1 only, you can configure it for a local, remote, or distributed collector installation, as follows:

■ A local collector resides on the LEA server.
  See “To configure Check Point FireWall-1 for a local collector installation” on page 15.

■ A remote collector does not reside on the LEA server.
  See “To configure Check Point FireWall-1 for a remote collector installation” on page 16.

■ In a distributed collector installation, the Check Point FireWall-1 gateway, Check Point Management Server, and Check Point Log Server reside on separate computers, and the collector may reside either on the log server computer, or another computer altogether.
  See “To configure Check Point FireWall-1 in a distributed environment” on page 17.

If you have Check Point Provider-1, you have the following configuration options:

■ With a Multi-Domain Server (MDS), multiple Customer Management Add-Ons (CMAs), and Log server on one computer. The CMA receives the logs.
  See “To configure Check Point Provider-1 with MDS/CMA/Log server all on one computer” on page 19.

■ With a Multi-Domain Log Module (MLM) server and multiple Customer Log Modules (CLM). The CLM's server receives the logs.

  See “To configure Check Point Provider-1 with separate MLM/CLM computers” on page 21.

If you have the Nokia IP series, you can configure the Check Point FireWall-1 that resides on the Nokia IP appliance for a remote collector installation. If you have Check Point FireWall-1 running on SecurePlatform, you can configure the Check Point FireWall-1 for a remote collector installation. The remote collector does not reside on the LEA server.

See “To configure Check Point FireWall-1 for a remote collector installation” on page 16.

For information on how to create and enable firewall rules, see the documentation that came with Check Point.

To configure Check Point FireWall-1 for a local collector installation

1 On the LEA server, use a text editor to open the appropriate configuration:

■ On Windows, using WordPad to preserve UNIX file format, open the following files:
  C:\WINNT\fw1\R55\conf\fwopsec.conf
  C:\WINNT\fw1\R55\conf\cpmad_opsec.conf
  The R55\ directory location only applies to the NG version of Check Point. The NGX version uses R60\.

■ On Linux, open the following files:
  /var/opt/CPfw1-55/conf/fwopsec.conf
  /var/opt/CPfw1-55/conf/cpmad_opsec.conf

2 Clear the cpmad_opsec.conf file, and then add the following lines:

lea_server ip 127.0.0.1

lea_server auth_port 0

lea_server port 18184

lea_server auth_type local

3 Clear the fwopsec.conf file, and then add the following lines:

lea_server ip 127.0.0.1

lea_server auth_port 0

lea_server port 18184

lea_server auth_type local

The contents of the cpmad_opsec.conf file and the fwopsec.conf file should be identical.

4 Save and close each file.

5 Use the tools that are provided by Check Point FireWall-1 Event Collector to add a rule that prevents remote access to port 18184.

6 To force the changes to cpmad_opsec.conf and fwopsec.conf to take effect, do one of the following steps:

■ If the Check Point log server is running on Linux, run the following command:
  cprestart

■ If the Check Point log server is running on Windows, run the following command:
  cprestart.exe

To configure Check Point FireWall-1 for a remote collector installation

1 On the Management server, using the Check Point FireWall-1 SmartDashboard, create a new OPSEC application by completing the following steps in the order given:

■ Create a name for the OPSEC application.
  This value is used during the configuration of the collector.

■ For the Host value, specify the IP address of the collector computer.

■ For the Client Entities type, choose LEA.

■ In the communications dialog box, type a password for the Activation Key.
  This password is used to generate an SSL certificate that is used during the collector configuration.

■ After you have entered the password, click Initialize.

■ Record the settings that you have made. Include the name of the OPSEC application, the password, and the string that Check Point FireWall-1 Event Collector places in the DN field during configuration. These settings are also used to configure the sensor.

■ Close the dialog box.
  When you close the dialog box, the Trust State should be changed from Uninitialized to Initialized but trust not established.

2 On the LEA server, use a text editor to open the appropriate configuration, as follows:

■ On Windows, using WordPad to preserve UNIX file format, open the following files:
  C:\WINNT\fw1\R55\conf\fwopsec.conf
  C:\WINNT\fw1\R55\conf\cpmad_opsec.conf

■ On Linux, open the following files:

  /var/opt/CPfw1-55/conf/fwopsec.conf
  /var/opt/CPfw1-55/conf/cpmad_opsec.conf

3 Clear the cpmad_opsec.conf file, then add the following lines:

lea_server ip IP_address_of_LEA_server

lea_server auth_port 18184

lea_server port 0

lea_server auth_type sslca

4 Clear the fwopsec.conf file, and then add the following lines:

lea_server ip IP_address_of_LEA_server

lea_server auth_port 18184

lea_server port 0

lea_server auth_type sslca

The contents of the cpmad_opsec.conf file and the fwopsec.conf file should be identical.

5 Save and close each file.

6 To force the changes to cpmad_opsec.conf and fwopsec.conf to take effect, do one of the following steps:

■ If the Check Point log server is running on Linux, run the following command:
  cprestart

■ If the Check Point log server is running on Windows, run the following command:
  cprestart.exe

To configure Check Point FireWall-1 in a distributed environment

1 On the Management server, using the Check Point FireWall-1 SmartDashboard, create a new OPSEC application by completing the following steps in the order given:

■ Create a name for the OPSEC application.
  This value is used during the configuration of the collector.

■ For the Host value, specify the IP address of the collector computer.

■ For the Client Entities type, choose LEA.

■ In the communications dialog box, enter a password for the Activation Key. This password is used to generate an SSL certificate that is used during the collector configuration.

■ After you have entered the password, click Initialize.

■ Record the settings that you have made. Include the name of the OPSEC application, the password, and the string that Check Point FireWall-1 Event Collector places in the DN field during configuration. These settings are also used to configure the sensor.

■ Close the dialog box.
  When you close the dialog box, the Trust State should be changed from Uninitialized to Initialized but trust not established.

■ Install the policy database on the Check Point Log Server using the SmartDashboard.

2 Make sure that no firewall rule blocks communication between the collector computer and the log server computer on port 18184.

3 Make sure that all other computers are prevented from accessing port 18184 on the log server computer.

4 On the Log Server, use a text editor to open the appropriate configuration file, as follows:

■ On Windows, using WordPad to preserve UNIX file format, open the following files:
  C:\WINNT\fw1\R55\conf\fwopsec.conf
  C:\WINNT\fw1\R55\conf\cpmad_opsec.conf

■ On Linux, open the following files:
  /var/opt/CPfw1-55/conf/cpmad_opsec.conf
  /var/opt/CPfw1-55/conf/fwopsec.conf

5 Clear the cpmad_opsec.conf file, and then add the following lines:

lea_server ip IP_address_of_Log_Server

lea_server auth_port 0

lea_server port 18184

lea_server auth_type local

6 Clear the fwopsec.conf file, and then add the following lines:

lea_server ip IP_address_of_Log_Server

lea_server auth_port 0

lea_server port 18184

lea_server auth_type local

The contents of the cpmad_opsec.conf file and the fwopsec.conf file should be identical.

7 Save and close each file.

8 To force the changes to cpmad_opsec.conf and fwopsec.conf to take effect, do one of the following steps:

■ If the Check Point log server is running on Linux, run the following command:
  cprestart

■ If the Check Point log server is running on Windows, run the following command:
  cprestart.exe
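The local, remote, and distributed procedures above all come down to four lea_server directives that must be identical in cpmad_opsec.conf and fwopsec.conf and must match the chosen installation type. The following Python script is an added example (not code from Symantec or Check Point) that reads both files, checks them against the three settings patterns given in this guide, and warns when an auth_type local listener is bound to a routable address, since that is the case the guide covers with a firewall rule on port 18184. The file contents used at the bottom are constructed samples; the function and constant names are this example's own.

```python
"""Consistency check for the lea_server directives in cpmad_opsec.conf and
fwopsec.conf.  Added example; it models only the local, remote and distributed
settings patterns shown in the quick reference."""

LOOPBACK = "127.0.0.1"

# Expected lea_server values per installation type, as given in the guide.
# 'ip' is only fixed for the local case; for remote and distributed it is the
# LEA server's or log server's own address.
EXPECTED = {
    "local": {"ip": LOOPBACK, "auth_port": "0", "port": "18184", "auth_type": "local"},
    "remote": {"auth_port": "18184", "port": "0", "auth_type": "sslca"},
    "distributed": {"auth_port": "0", "port": "18184", "auth_type": "local"},
}
REQUIRED_KEYS = ("ip", "auth_port", "port", "auth_type")


def parse_lea_server(text):
    """Return {key: value} for every 'lea_server <key> <value>' line.

    Blank lines and '#' comments are skipped.  Anything else is rejected, so a
    directive left over from the file's previous contents (the guide says to
    clear the file first) is reported instead of being silently kept.
    """
    settings = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != 3 or parts[0] != "lea_server":
            raise ValueError(f"line {lineno}: not a lea_server directive: {raw!r}")
        key, value = parts[1], parts[2]
        if key in settings:
            raise ValueError(f"line {lineno}: duplicate lea_server {key}")
        settings[key] = value
    return settings


def check_lea_config(cpmad_text, fwopsec_text, mode):
    """Compare the two files with each other and with the pattern for `mode`.

    Returns a list of (severity, message) tuples; an empty list means the pair
    matches the guide and nothing needs attention.
    """
    findings = []
    cpmad = parse_lea_server(cpmad_text)
    fwopsec = parse_lea_server(fwopsec_text)

    # The guide states that the two files should be identical.
    if cpmad != fwopsec:
        findings.append(("error", "cpmad_opsec.conf and fwopsec.conf differ"))

    for key in REQUIRED_KEYS:
        if key not in fwopsec:
            findings.append(("error", f"fwopsec.conf: lea_server {key} is missing"))

    for key, want in EXPECTED[mode].items():
        got = fwopsec.get(key)
        if got is not None and got != want:
            findings.append(("error", f"lea_server {key}: expected {want}, found {got}"))

    for key in ("auth_port", "port"):
        val = fwopsec.get(key)
        if val is not None and not val.isdigit():
            findings.append(("error", f"lea_server {key}: {val!r} is not a port number"))

    # auth_type local means the listener on 'port' performs no SIC
    # authentication.  The guide relies on a firewall rule for that (local:
    # block remote access to 18184; distributed: allow only the collector
    # host), so flag it whenever the listener is not on loopback.
    if fwopsec.get("auth_type") == "local" and fwopsec.get("ip") != LOOPBACK:
        findings.append(("warning",
                         f"unauthenticated LEA listener on {fwopsec.get('ip')}:"
                         f"{fwopsec.get('port')}; confirm the firewall rule restricts it"))
    return findings


def errors_only(findings):
    """Keep just the hard errors from check_lea_config()."""
    return [msg for sev, msg in findings if sev == "error"]


if __name__ == "__main__":
    # Constructed sample files, not captured from a real system.
    local_pair = ("lea_server ip 127.0.0.1\nlea_server auth_port 0\n"
                  "lea_server port 18184\nlea_server auth_type local\n")
    stale_cpmad = local_pair + "lea_server auth_type sslca\n"  # leftover line
    print(check_lea_config(local_pair, local_pair, "local"))  # []
    try:
        check_lea_config(stale_cpmad, local_pair, "local")
    except ValueError as exc:
        print("rejected:", exc)
```

Run it against the two files after step 3 (local), step 4 (remote) or step 6 (distributed) and before the cprestart, passing the mode you configured; an empty result means the pair matches the guide, and the warning for a non-loopback auth_type local listener is the reminder to complete the port 18184 firewall rule before the log server is restarted.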

To configure Check Point Provider-1withMDS/CMA/Log server all on one computer

1 On a Check Point Provider-1 NGX installation, a single Global OPSECapplication can be created using the Global SmartDashboard console andinstalled on all CMAs using a Global policy. On previous versions of CheckPoint Provider-1, individual OPSEC applications must be created for eachCMA using the standard SmartDashboard.

Use either the Global SmartDashboard or the standard SmartDashboard to create a new host node to represent the computer where the Check Point collector resides by doing the following steps in the order given:

■ Right-click Network Objects > Nodes, and then click New Node > Host.

■ In the New Host Node window, on the General Properties tab, type the host name of the computer where the Check Point collector resides.

■ Click Get Address, and then click OK.
If Get Address fails to resolve the host name, you must fix the DNS resolution or add an entry to the /etc/hosts file. The /etc/hosts file must contain the IP address where the Check Point collector resides.

■ Save the changes by doing one of the following actions:

■ Click the floppy icon.

■ Click File > Save.

■ Press Ctrl-S.

2 Create a new OPSEC Application to represent the computer where the Check Point collector resides by completing the following actions in the order given:

■ Right-click Servers and OPSEC Applications > OPSEC Applications > New OPSEC Application.

■ In the New OPSEC Application window, type the name of the OPSEC application, and then make a note of the OPSEC application name. The OPSEC Application name must be different than the name that you specified for the host node in step 1.

■ From the Host drop-down menu, select the Host Node that was created in step 1.

■ In Client Entities, confirm that the check box for LEA is checked.

■ In Secure Internal Communication, click Communication, and then type an activation key (password).
The Check Point collector sensor uses this key to establish SIC (Secure Internal Communication) and confirm the activation key.

■ Make a note of the password.

■ Click Initialize.
When you close the dialog box, the Trust State should change from Uninitialized to Initialized but trust not established.

■ Make a note of the SIC DN string that gets generated after you initialized SIC.
For example, CN=ssim451mr1,O=cma1..hipfr8.

■ Click Close.

3 Make the Firewall Gateway aware of the OPSEC Application that connects to the Log Server (by LEA), by completing the following actions in the order given:

■ In the SmartDashboard, click Policy > Install.

■ If a warning appears, click OK.

■ Click Firewall Gateway Installation Target, and then click OK.
If the policy installation fails, a problem between the Firewall Gateway and the MDS/CMA may exist. The problem must be resolved before you continue.

4 In the SmartDashboard, double-click Network Objects > Check Point > Name_of_the_CMA.

5 In General Properties, make a note of the SIC DN.

For example, CN=cp_mgmt,o=cma1..hipfr8.

6 On the MDS/CMA/Log server, for each CMA, open the appropriate configuration file using a text editor as follows:

■ For Check Point Provider-1 NGX, open the following file:
/var/opt/CPmds-R60/customs/CMA_name/CPsuite-R60/fw1/conf/cpmad_opsec.conf

■ For Check Point Provider-1 R55, open the following file:
/var/opt/CPmds-R55/customs/CMA_name/CPsuite-R55/fw1/conf/cpmad_opsec.conf

7 Clear the cpmad_opsec.conf file, and then add the following lines:

lea_server ip 127.0.0.1

lea_server auth_port 18184

lea_server port 0

lea_server auth_type sslca

8 Save and close the file.

9 From the UNIX prompt, run the following command so the changes that you made to cpmad_opsec.conf take effect:

cprestart

To configure Check Point Provider-1 with separate MLM/CLM computers

1 On a Check Point Provider-1 NGX installation, a single Global OPSEC application can be created using the Global SmartDashboard console and installed on all CMAs using a Global policy. On previous versions of Check Point Provider-1, individual OPSEC applications must be created for each CMA using the standard SmartDashboard.

Using either the Global SmartDashboard or the standard SmartDashboard, create a new OPSEC application by completing the following steps in the order given:

■ Keep a record of the settings that you used. Include the name of the OPSEC application, the password, and the string that Check Point FireWall-1 Event Collector places in the DN field during configuration. These settings are also used to configure the sensor.

■ Install the policy database on the CLM from the CMA's SmartDashboard.

2 On the MLM server, for each CLM from which the collector collects event data, open the appropriate configuration file using a text editor as follows:

■ For Check Point Provider-1 NGX, open the following files:
/var/opt/CPmds-R60/customers/CLM_Name/CPsuite-R60/fw1/conf/cpmad_opsec.conf
/var/opt/CPmds-R60/customers/CLM_Name/CPsuite-R60/fw1/conf/fwopsec.conf

■ For Check Point Provider-1 R55, open the following files:
/var/opt/CPmds-R55/customers/CMA_Name/CPsuite-R55/fw1/conf/cpmad_opsec.conf
/var/opt/CPmds-R55/customers/CMA_Name/CPsuite-R55/fw1/conf/fwopsec.conf

3 Clear the cpmad_opsec.conf file, and then add the following lines:

lea_server ip 127.0.0.1

lea_server port 18184

lea_server auth_port 0

lea_server auth_type local

4 Edit the fwopsec.conf file, by adding the following lines:

lea_server auth_port 0

lea_server port 18184

lea_server auth_type local

5 Save and close the file.

6 From the UNIX prompt, run the following command so the changes that were made to cpmad_opsec.conf take effect:

cprestart
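A small check, added here and not part of the Symantec or Check Point software, that parses the lea_server lines from the three procedures above and flags the mistakes that the cprestart step would otherwise carry forward: a port/auth_port pair that does not match the auth_type, the IP_address_of_Log_Server placeholder left unreplaced, or a cpmad_opsec.conf that no longer matches fwopsec.conf. The expected port pairings are taken from the procedures above; the sample file contents are constructed.

```python
"""Sanity-check the lea_server settings this guide has you put in cpmad_opsec.conf
and fwopsec.conf before you run cprestart.  Added example, not Symantec or Check
Point code.  Assumption: the files contain only the 'lea_server <key> <value>'
lines from the procedures above (blank lines and '#' comments are ignored)."""
from __future__ import annotations

import ipaddress

# port/auth_port pairings the procedures use for each auth_type: local auth
# listens on port 18184 with auth_port 0, sslca on auth_port 18184 with port 0.
EXPECTED_PORTS = {
    "local": {"port": "18184", "auth_port": "0"},
    "sslca": {"port": "0", "auth_port": "18184"},
}


def parse_lea_server(text: str) -> dict[str, str]:
    """Return {key: value} for every 'lea_server <key> <value>' line."""
    settings: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != 3 or parts[0] != "lea_server":
            raise ValueError(f"unexpected line in OPSEC config: {raw!r}")
        settings[parts[1]] = parts[2]
    return settings


def check_settings(settings: dict[str, str], label: str, require_ip: bool = True) -> list[str]:
    """List everything that disagrees with the values the procedures specify.
    require_ip=False suits the MLM/CLM fwopsec.conf, which has no ip line."""
    problems: list[str] = []
    auth = settings.get("auth_type")
    if auth not in EXPECTED_PORTS:
        return [f"{label}: auth_type must be local or sslca, got {auth!r}"]
    for key, want in EXPECTED_PORTS[auth].items():
        if settings.get(key) != want:
            problems.append(f"{label}: {key} should be {want} for auth_type {auth}, "
                            f"got {settings.get(key)!r}")
    ip = settings.get("ip")
    if ip is None:
        if require_ip:
            problems.append(f"{label}: missing 'lea_server ip'")
    else:
        try:
            ipaddress.ip_address(ip)  # rejects the IP_address_of_Log_Server placeholder
        except ValueError:
            problems.append(f"{label}: ip {ip!r} is not an IP address")
    return problems


def check_log_server_pair(cpmad_text: str, fwopsec_text: str) -> list[str]:
    """Steps 5-6 of the log-server procedure: both files valid and identical."""
    cpmad = parse_lea_server(cpmad_text)
    fwopsec = parse_lea_server(fwopsec_text)
    problems = check_settings(cpmad, "cpmad_opsec.conf") + check_settings(fwopsec, "fwopsec.conf")
    if cpmad != fwopsec:
        problems.append("cpmad_opsec.conf and fwopsec.conf are not identical")
    return problems


# Constructed sample: the log-server layout with the placeholder replaced by a
# documentation address (192.0.2.10 stands in for the real log server).
GOOD_LOCAL = """\
lea_server ip 192.0.2.10
lea_server auth_port 0
lea_server port 18184
lea_server auth_type local
"""
# Constructed mistake: placeholder left in place and the two ports swapped.
BAD_LOCAL = """\
lea_server ip IP_address_of_Log_Server
lea_server auth_port 18184
lea_server port 0
lea_server auth_type local
"""
```

check_log_server_pair(GOOD_LOCAL, BAD_LOCAL) reports the swapped ports, the placeholder and the mismatch between the two files.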

Running LiveUpdate for collectors

You can run LiveUpdate to receive collector updates such as support for new events and query updates.

If you install a collector on Information Manager 4.5, you must complete the following procedures in the order presented:

■ Run LiveUpdate for collectors added to the Information Manager 4.5 appliance.
See “To run LiveUpdate for collectors added to the Information Manager 4.5 appliance” on page 23.

■ Verify that LiveUpdate ran successfully on Information Manager 4.5.
See “To verify that LiveUpdate ran successfully on Information Manager 4.5” on page 24.

If you install a collector on Information Manager 4.6, or if you use a collector that is preinstalled on Information Manager 4.6, you must complete the following procedures in the order presented:

■ Use the Administrator Web page to run LiveUpdate.

■ Use the Administrator Web page to verify that LiveUpdate ran successfully.

See “To run LiveUpdate from the Administrator Web page” on page 23.

If you installed the collector on a separate computer, you must complete the following tasks in the order presented:

■ Run LiveUpdate for a collector installed on a separate computer.
See “To run LiveUpdate for a collector installed on a separate computer” on page 24.

■ Verify that LiveUpdate ran successfully for a collector installed on a separate computer.
See “To verify that LiveUpdate ran successfully for a collector installed on a separate computer” on page 25.

For information about running LiveUpdate on internal LiveUpdate servers, see the Symantec LiveUpdate Administrator User's Guide.

To run LiveUpdate from the Administrator Web page

1 From a Web browser, navigate to the Information Manager Administrator Web page, and then log in with administrator credentials.

2 From the list on the left, click LiveUpdate.

3 In the list of products, select the items to update by checking Update in the corresponding check box.

At the bottom of the page, you can also click Check All.

4 At the bottom of the page, click Update.

If LiveUpdate runs successfully, the status column in the Summary page displays Success.

5 To troubleshoot a problem with LiveUpdate, under Session Log, click View Log File.

To run LiveUpdate for collectors added to the Information Manager 4.5 appliance

1 Connect to the Information Manager 4.5 appliance, and log in as root.

2 Navigate to the collectors directory.

The default directory is /opt/Symantec/sesa/Agent/collectors/checkpoint

3 At the command prompt, type the following command:

sh ./runliveupdate.sh

4 To stop the Symantec Event Agent, type the following command:

service sesagentd stop

5 To change the ownership of the updated collector files, type the followingcommand:

chown -R sesuser.ses *

6 Navigate to the Symantec Event Agent directory.

The default directory is /opt/Symantec/sesa/Agent/

7 To restart the Symantec Event Agent, type the following command:

service sesagentd start

To verify that LiveUpdate ran successfully on Information Manager 4.5

1 Connect to the Information Manager 4.5 appliance, and log in as root.

2 Navigate to the collectors subdirectory of the Symantec Event Agent directory.

The default directory is as follows:

/opt/Symantec/sesa/Agent/collectors/checkpoint

3 Verify that a file named LiveUpdate-Collector.txt exists.

This text file shows the date of the last LiveUpdate and contains information about any defects that were addressed and any enhancements that were added.

4 Navigate to the LiveUpdate directory.

The default directory is as follows:

/opt/Symantec/LiveUpdate

5 To view the last 100 lines of the liveupdt.log file, type the following command:

tail -100 liveupdt.log | more

The first part of the log is in text format; the second part of the log repeatsthe information in XML format.

If LiveUpdate was unsuccessful, a status message that notes the failureappears at the end of the log file.

For example, Status = Failed (return code - 2001).

To run LiveUpdate for a collector installed on a separate computer

1 On the collector computer, navigate to the collector directory as follows:

■ On Windows, the default directory is as follows:
C:\Program Files\Symantec\Event Agent\collectors\checkpoint

■ On UNIX, the default directory is as follows:
/opt/Symantec/sesa/Agent/collectors/checkpoint

2 At a command prompt, do one of following tasks:

■ On Windows, type the following command:
runliveupdate.bat

■ On UNIX, as the root user, type the following command:
runliveupdate.sh

To verify that LiveUpdate ran successfully for a collector installed on a separate computer

1 On the collector computer, navigate to the collector directory as follows:

■ On Windows, the default directory is as follows:
C:\Program Files\Symantec\sesa\Event Agent\collectors\checkpoint

■ On UNIX, the default directory is as follows:
/opt/Symantec/sesa/Agent/collectors/checkpoint

2 Verify that a file named LiveUpdate-Collector.txt exists.

This text file shows the date of the last LiveUpdate and contains information about any defects that were addressed and any enhancements that were added.

3 Navigate to the LiveUpdate directory as follows:

■ On Windows, the default LiveUpdate directory is as follows:
C:\Documents and Settings\All Users\Application Data\Symantec\JavaLiveUpdate

■ On UNIX, the default LiveUpdate directory is as follows:
/opt/Symantec/LiveUpdate

4 To view the liveupdt.log file, do one of the following tasks:

■ On Windows, use a text editor such as Notepad to view the liveupdt.log file.

■ On UNIX, to view the last 100 lines of the liveupdt.log file, type the following command:
tail -100 liveupdt.log | more

The first part of the log is in text format; the second part of the log repeats the information in XML format.

If LiveUpdate was unsuccessful, a status message that notes the failure appears at the end of the log file.

For example, Status = Failed (return code - 2001).

25Introducing Symantec Event Collector for Check Point FireWall-1Running LiveUpdate for collectors

Page 26: Symantec Event Collector 4.3 for Check Point® FireWall-1 Quick …web.mst.edu/~kfl/SSIM/Very Old/SEC_for_CheckPoint_43.pdf · 2009-05-27 · Maintenance agreement resources If you

Introducing Symantec Event Collector for Check Point FireWall-1Running LiveUpdate for collectors

26

Page 27: Symantec Event Collector 4.3 for Check Point® FireWall-1 Quick …web.mst.edu/~kfl/SSIM/Very Old/SEC_for_CheckPoint_43.pdf · 2009-05-27 · Maintenance agreement resources If you

Chapter 2: Implementation notes

This chapter includes the following topics:

■ Product ID for Check Point FireWall-1 Event Collector

■ Event example

■ Schema packages

■ Event mapping for Information Manager

Product ID for Check Point FireWall-1 Event Collector

The product ID of the collector is 3120.

Event example

The following is a log example:

time 1140164877000 orig 10.2.9.26 i/f_dir inbound alert alert has_accounting 0 product VPN-1 & FireWall-1 __policy_id_tag product=VPN-1 & FireWall-1[db_tag={50CD2D74-9F60-11DA-B0DD-0A03005B3C3C};mgmt=CMA_2;date=1140144698;policy_name=Standard] Total logs 24 Suppressed logs 23 proto icmp dst 10.2.9.26 src 10.4.17.1 message_info Ping Of Death

The following is the event structure:

time (event_date) orig (machine) i/f_dir (network_direction) product (product name) Total logs (event_count) proto (network_protocol) dst (destination_ip) src (source_ip) message_info (event_description)

The following is an audit log example:

time 1192700778000 action accept orig 10.1.254.72 i/f_dir outbound i/f_name has_accounting 0 product SmartDashboard Operation Log In Machine checkpoint Subject Administrator Login Audit Status Failure Additional Info Administrator failed to log in: Wrong Password Operation Number 8

Schema packages

The collector uses the following schema packages:

■ symc_base_class

■ symc_host_intrusion

■ symc_intrusion_class

■ symc_network_class

■ symc_firewall_network_class

■ symc_fw_conn_stats_class

Event mapping for Information Manager

Table 2-1 shows event mapping for common fields.

Table 2-1 Event mapping for common fields

Information Manager field name | Check Point field name | Comment
Category ID | N/A | Assigned: Security (30007606)
Collection Device Host | orig |
Event Date | time |
Logging Device IP | orig |
Logging Device Name | orig |
Vendor Device ID | N/A | Assigned: 34

Table 2-2 shows event mapping for variable fields.

Table 2-2 Event mapping for variable fields

Information Manager field name | Check Point field name | Comment
Description | message_info or product, whichever exists |
Destination Host Name | dst, gateway, or orig, whichever exists |
Event Class Name | N/A | symc_firewall_network, symc_network_intrusion, symc_fw_conn_stats, or symc_base. See Table 2-3
Event Count | logs |
Event Type ID | N/A | 512001, 512002, 512003, 512004, 512005, 912001, 1042000, or 2022000. See Table 2-3
Firewall Direction ID | i/f_dir | Assigned numeric value. See Table 2-4
Firewall Event Details | N/A | Assigned 517229, 517200, or 517247. See Table 2-3
Firewall Source Interface Name | i/f_name |
ICMP Code | icmp-code |
ICMP Type ID | icmp-type |
Intrusion Outcome ID | N/A | Assigned 1027202, 1027203, 1027204, or 1027205 in certain events. See Table 2-5
IP Destination Address | dst, gateway, or orig, whichever exists |
IP Destination Port | service |
IP Source Address | src, gateway, or orig, whichever exists |
IP Source Port | s_port |
Network Protocol | proto |
Network Protocol ID | proto |
Option 1 | rule_uid |
Rule | rule |
Severity ID | N/A | See Table 2-6
Source Host Name | src, gateway, or orig, whichever exists |
Symantec Device Action | N/A | Assigned numeric value. See Table 2-5
Target Resource | resource, ObjectName, or Info, whichever exists |
TCP Flags | tcp_flags or th_flags |
Translated Destination IP Address | xlatedst |
Translated Destination Port | xlatedport |
Translated Source IP Address | xlatesrc |
Translated Source Port | xlatesport |
User ID | follows from | Exists in FW Connection Statistics events only
User Name | user |
Vendor Signature | N/A | Assigned based on existing text or general description of various events. See CheckPoint Vendor Signature list.csv

Table 2-3 shows Event Class Name, Event Type ID, and Firewall Event Details assignments.

Table 2-3 Event Class Name, Event Type ID, Firewall Event Details assignments

Check Point event criteria | Firewall event details | Event type ID | Event class name
TCP packet out of state and Invalid TCP flag combination events | 517229 (Bad TCP flags) | 512002 (Connection Dropped) | symc_firewall_network
Smart Defense Enforcement Violation events | 517247 (Service denied) | 512001 (Connection Rejected) | symc_firewall_network
Vendor Signature = CheckPointFTPGETDenied, CheckPointHTTPGETDenied, CheckPointFTPPUTDenied, CheckPointFTPSITEDenied, CheckPointSMTPMailDenied, CheckPointEncryptFail, or CheckPointPacketDropped AND "ftp not allowed" exists | 517200 (No additional details) | 512001 (Connection Rejected) | symc_firewall_network
Vendor Signature = CheckPointXMasPacketDropped, CheckPointFINPacketDropped, CheckPointPacketDropped, or CheckPointNullTCPPacketDropped | 517200 (No additional details) | 512002 (Connection Dropped) | symc_firewall_network
Vendor Signature = CheckPointLoginSuccessful | 517200 (No additional details) | 512003 (User Authenticated) | symc_firewall_network
Vendor Signature = CheckPointLoginFailedInvalidUserName, CheckPointLoginFailed, or CheckPointMultipleLoginFailure | 517200 (No additional details) | 512004 (User Authentication Failed) | symc_firewall_network
Vendor Signature = CheckPointLogOut, CheckPointObjectOperation, or CheckPointFileOperation | 517200 (No additional details) | 512005 (Remote Management Connection) | symc_firewall_network
Vendor Signature = CheckPointPacketPermitted, CheckPointFTPGETDetected, CheckPointFTPPUTDetected, CheckPointSMTPMailSent, or Invalid_DNS | 517200 (No additional details) | 912001 (Connection Statistics) | symc_fw_conn_stats
Address_Spoofing, Login_Failure, Successive_Alerts, Successive_Multiple_Connections, Blocked_Connection_Port_Scanning, Port_Scanning, Local_Interface_Spoofing, Denial_of_Service, teardrop, SYN_Attack, Ping_of_death, Large_ping, Land_attack, FTP_Bounce, Small_PMTU, CIFS_worm, URL_worm, Bad_packet, Bad_TCP_sequence, or Invalid_DNS AND "Smart Defense" exists | N/A | 1042000 (Network Intrusion Event) | symc_network_intrusion
Vendor Signature = CheckPointCatchAll | N/A | 2022000 (Generic Base Event) | symc_base

Table 2-4 shows Firewall Direction ID assignments.

Table 2-4 Firewall Direction ID assignments

Check Point event criteria | Firewall Direction ID
INBOUND or inbound exists | 517100 – Inbound
OUTBOUND or outbound exists | 517101 – Outbound
INTERNAL or internal exists | 517102 – Internal
EXTERNAL or external exists | 517103 – External

Table 2-5 shows Intrusion Outcome ID and Symantec Device Action assignments.

Table 2-5 Intrusion Outcome ID and Symantec Device Action assignments

Check Point event criteria | Symantec Device Action | Intrusion Outcome ID
CP action field = failed | 1027204 | 1027204 (Failed)
CP action field = drop, blocked, or reject | 1027205 | 1027205 (Prevented)
Vendor Signature = CheckPointObjectOperation or CheckPointFileOperation | 1027203 | 1027203 (Succeeded)
All other Events where Event Class Name = symc_network_intrusion | 1027202 | 1027202 (Unknown)
Event Type ID = 512000, 512005, or 912001 | 101 (Accepted) | N/A
Event Type ID = 512001 or 512002 | 1 (Deny) | N/A
Event Type ID = 512004 | 1027204 | N/A
Event Type ID = 512003 | 1027203 | N/A

Table 2-6 shows Severity ID assignments.

Table 2-6 Severity ID assignments

Check Point event criteria | Severity ID
Description = Ping invoked by Sensor | 1 (Informational)
Vendor Signature = CheckPointPacketPermitted, CheckPointFTPGETDetected, CheckPointFTPPUTDetected, CheckPointSMTPMailSent, or CheckPointLoginSuccessful | 2 (Warning)
Vendor Signature = CheckPointMultipleLoginFailure, Successive_Alerts, Denial_of_Service, CIFS_worm, or URL_worm | 4 (Major)
All other Events | 3 (Minor)
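The following parser and mapper, an added example rather than the collector's own code, reads the two records shown under Event example and applies the direct mappings from Tables 2-1, 2-2, 2-4 and 2-5. The key list and the default Event Count of 1 for records without a Total logs field are assumptions; Vendor Signature, Event Type ID and Severity ID are omitted because they depend on the signature list CSV that is not reproduced here.

```python
"""Parse the two LEA records from this chapter and map their fields to the
Information Manager names in Tables 2-1, 2-2, 2-4 and 2-5.  Added example, not
the collector's own code; Vendor Signature, Event Type ID and Severity ID need
the signature list CSV, which this guide does not reproduce, so they are left out."""
from __future__ import annotations

# Keys that may appear in a record (from the two log examples and Table 2-2).
# Multi-word keys must be listed so their words are not read as values.
KNOWN_KEYS = {
    "time", "action", "orig", "i/f_dir", "i/f_name", "alert", "has_accounting",
    "product", "__policy_id_tag", "Total logs", "Suppressed logs", "proto", "dst",
    "src", "gateway", "service", "s_port", "rule", "rule_uid", "user", "message_info",
    "Machine", "Subject", "Audit Status", "Additional Info", "Operation Number",
}
DIRECTION_IDS = {"inbound": 517100, "outbound": 517101,          # Table 2-4
                 "internal": 517102, "external": 517103}
DEVICE_ACTIONS = {"failed": 1027204, "drop": 1027205,           # Table 2-5, action-field rows
                  "blocked": 1027205, "reject": 1027205}


def parse_lea_record(line: str) -> dict[str, str]:
    """Split 'key value key value ...' where values may contain spaces.
    A token starts a new field only when it (or it plus the next token) is a
    known key; an empty field whose own name repeats ("alert alert") takes the
    repeat as its value.  A value containing a key word would still be split."""
    tokens = line.split()
    fields: dict[str, str] = {}
    current = None
    i = 0
    while i < len(tokens):
        two = " ".join(tokens[i:i + 2]) if i + 1 < len(tokens) else ""
        one = tokens[i]
        if two in KNOWN_KEYS:
            current, fields[two], i = two, "", i + 2
            continue
        if one in KNOWN_KEYS and not (current == one and fields[one] == ""):
            current, fields[one], i = one, "", i + 1
            continue
        if current is None:
            raise ValueError(f"record does not start with a known key: {one!r}")
        fields[current] = f"{fields[current]} {one}".strip()
        i += 1
    return fields


def first_present(fields: dict[str, str], *names: str) -> str | None:
    """The 'X, Y, or Z, whichever exists' columns of Table 2-2."""
    return next((fields[n] for n in names if fields.get(n)), None)


def map_event(fields: dict[str, str]) -> dict[str, object]:
    """Information Manager fields derived directly from the record.  Event Count
    defaults to 1 when 'Total logs' is absent (an assumption, not from the guide)."""
    return {
        "Category ID": 30007606,              # Table 2-1, assigned
        "Vendor Device ID": 34,               # Table 2-1, assigned
        "Event Date": int(fields["time"]),    # epoch milliseconds in the samples
        "Logging Device IP": fields.get("orig"),
        "Firewall Direction ID": DIRECTION_IDS.get(fields.get("i/f_dir", "").lower()),
        "Network Protocol": fields.get("proto"),
        "IP Source Address": first_present(fields, "src", "gateway", "orig"),
        "IP Destination Address": first_present(fields, "dst", "gateway", "orig"),
        "Event Count": int(fields.get("Total logs") or 1),
        "Description": first_present(fields, "message_info", "product"),
        "Symantec Device Action": DEVICE_ACTIONS.get(fields.get("action", "").lower()),
    }


# The two records from this chapter, re-joined onto one line each.
FW_RECORD = ("time 1140164877000 orig 10.2.9.26 i/f_dir inbound alert alert "
             "has_accounting 0 product VPN-1 & FireWall-1 __policy_id_tag "
             "product=VPN-1 & FireWall-1[db_tag={50CD2D74-9F60-11DA-B0DD-0A03005B3C3C};"
             "mgmt=CMA_2;date=1140144698;policy_name=Standard] Total logs 24 "
             "Suppressed logs 23 proto icmp dst 10.2.9.26 src 10.4.17.1 "
             "message_info Ping Of Death")
AUDIT_RECORD = ("time 1192700778000 action accept orig 10.1.254.72 i/f_dir outbound "
                "i/f_name has_accounting 0 product SmartDashboard Operation Log In "
                "Machine checkpoint Subject Administrator Login Audit Status Failure "
                "Additional Info Administrator failed to log in: Wrong Password "
                "Operation Number 8")
```

map_event(parse_lea_record(FW_RECORD)) yields Firewall Direction ID 517100, source 10.4.17.1, destination 10.2.9.26 and an Event Count of 24 for the firewall record; the audit record maps its orig address into both address fields because it carries neither dst nor src.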

Chapter 3: Event filtering and aggregation

This chapter includes the following topics:

■ Event filtering and aggregation for Check Point FireWall-1 Event Collector

Event filtering and aggregation for Check Point FireWall-1 Event Collector

Firewalls generate many events that may not be required for correlating events. Depending on your environment, these events may be considered excess events. You can filter or aggregate similar events, provided that the role of Symantec Security Information Manager is not the retention of all events.

Possible filters and aggregators include the following examples:

■ Connection rejected
Connection rejected events indicate that the firewall is operating as it is configured. These events do not ordinarily pose security threats and can be filtered at the collector. This filter removes ICMP traffic that was rejected at the firewall.

Filter or aggregator properties are set as follows:

■ Network Protocol ID = 167104

■ Event Type ID = 512001

■ Connection accepted
Connection accepted events are generated by legitimate network traffic. You can filter or aggregate these events by IP address. If an individual event from an unwanted connection is accepted, and defense-in-depth theories are properly applied, the intrusion detection system identifies and reports the attack. This aggregation consolidates successful ICMP Echo Request connections from a single source.

Filter or aggregator properties are set as follows:

■ ICMP Type ID = 8

■ Event Type ID = 912001

■ IP Source Address as the similar property
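The two rules above expressed as code, added here as an example and not Information Manager's own filter engine. Events are dictionaries keyed by the Information Manager field names, the constructed sample reuses the addresses from the log example in Chapter 2, and summing Event Count into the consolidated event is an assumption about how an aggregated event should look.

```python
"""The two example rules from this chapter applied to normalized events.
Added example, not Information Manager's own filter engine.  Events are dicts
keyed by Information Manager field names; the aggregator sums Event Count per
IP Source Address, which is an assumption about the consolidated event."""
from __future__ import annotations

ICMP_PROTOCOL_ID = 167104        # Network Protocol ID named by the first rule
CONNECTION_REJECTED = 512001     # Event Type ID (Table 2-3)
CONNECTION_STATISTICS = 912001   # Event Type ID (Table 2-3)
ICMP_ECHO_REQUEST = 8            # ICMP Type ID named by the second rule


def is_rejected_icmp(event: dict) -> bool:
    """Filter: ICMP traffic that was rejected at the firewall."""
    return (event.get("Network Protocol ID") == ICMP_PROTOCOL_ID
            and event.get("Event Type ID") == CONNECTION_REJECTED)


def is_accepted_echo_request(event: dict) -> bool:
    """Aggregator: successful ICMP Echo Request connections."""
    return (event.get("ICMP Type ID") == ICMP_ECHO_REQUEST
            and event.get("Event Type ID") == CONNECTION_STATISTICS)


def filter_and_aggregate(events: list[dict]) -> list[dict]:
    """Drop rejected ICMP; fold accepted echo requests into one event per
    IP Source Address (the similar property); pass everything else through.
    Input dicts are copied, not modified."""
    out: list[dict] = []
    by_source: dict[str, int] = {}      # IP Source Address -> index in out
    for event in events:
        if is_rejected_icmp(event):
            continue
        if is_accepted_echo_request(event):
            src = event.get("IP Source Address")
            if src in by_source:
                out[by_source[src]]["Event Count"] += event.get("Event Count", 1)
                continue
            merged = dict(event)
            merged["Event Count"] = event.get("Event Count", 1)
            by_source[src] = len(out)
            out.append(merged)
            continue
        out.append(event)
    return out


# Constructed events; the addresses come from the log example in Chapter 2.
SAMPLE_EVENTS = [
    {"Event Type ID": 512001, "Network Protocol ID": 167104,
     "IP Source Address": "10.4.17.1"},                 # rejected ICMP: filtered out
    {"Event Type ID": 912001, "ICMP Type ID": 8, "Event Count": 1,
     "IP Source Address": "10.4.17.1"},                 # echo request
    {"Event Type ID": 912001, "ICMP Type ID": 8, "Event Count": 3,
     "IP Source Address": "10.4.17.1"},                 # same source: merged into the above
    {"Event Type ID": 912001, "ICMP Type ID": 8, "Event Count": 1,
     "IP Source Address": "10.2.9.26"},                 # other source: kept separate
    {"Event Type ID": 512002, "Network Protocol ID": 167104,
     "IP Source Address": "10.4.17.1"},                 # dropped, not rejected: passed through
]

if __name__ == "__main__":
    for event in filter_and_aggregate(SAMPLE_EVENTS):
        print(event)
```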
