000026235 - How to integrate Check Point Provider-1 or Multi Domain Server with RSA Security Analytics

Document created by RSA Customer Support Employee on Jun 14, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.
Version 3

Article Content

Article Number: 000026235
Applies To: RSA Security Analytics
RSA Security Analytics 10.3.4 and above
Check Point Firewall
Check Point Provider-1
Check Point Multi Domain Server
Issue: How to integrate Check Point Provider-1 or Multi Domain Server with RSA Security Analytics.
How to read logs from Check Point Provider-1 or Multi Domain Server in RSA Security Analytics.
Resolution

Follow the instructions below for steps on integrating Check Point Provider-1 or Multi Domain Server with RSA Security Analytics.


NOTE: In this example we assume that the user has a distributed environment containing an MDM (Multi Domain Management) server and an MLM (Multi Domain Log Server), and also a Customer Log Module (CLM) to which the firewall logs are sent.


 


Before starting, please make sure that the general Check Point Security Suite Device Integration Instructions have been followed.


A typical customer environment might look as follows:

Customer1_Management_Server (the domain's CMA): 192.168.123.132
Firewall cpfw2: 192.168.123.134
Customer1_LogServer (the CLM): 192.168.123.135

The firewall logs are directed to Customer1_LogServer.

The settings for the Log Server, Management Server and OPSEC application objects are shown in the article's screenshots (not reproduced in this text version).



To configure Security Analytics to collect logs from this setup, carry out the following steps:

1. Reset SIC on the OPSEC_APP object: in SmartDashboard for the Customer1 domain, double-click the OPSEC_APP object.

2. Click Communication.

3. Click Reset. (Each reset revokes the object's current SIC certificate; the revoked certificates remain listed in the domain ICA, see the Notes below.)

4. Enter a new One Time Password.

5. Click Initialize. The status shown is "Initialized but Trust Not Established"; trust is established when Security Analytics pulls the certificate in step 7.

6. In Security Analytics, open the Check Point event source on the Log Collector.

7. Enter the following values:

Address: the address of the Management Server (CMA), in this case 192.168.123.132
Server Name: the firewall name, cpfw2
Certificate Name: None (nothing is selected yet; the certificate pulled in this step is selected in step 8)
Client Distinguished Name: CN=OPSEC_APP,O=Customer1_Management_Server..43ngvd
Client Entity Name: OPSEC_APP
Server Distinguished Name: CN=Customer1_LogServer,O=Customer1_Management_Server..43ngvd
Pull Certificate: ticked
Password: the One Time Password entered in step 4

Saving the event source with Pull Certificate ticked retrieves the OPSEC_APP certificate from the management server's ICA and stores it in the Log Collector truststore.

8. Now change the Address to that of the Check Point Log Server, in this case 192.168.123.135, and make sure that the certificate that was just retrieved is selected as the Certificate Name. In this case the certificate name is checkpoint_Provider1Customer1CLM.


9. In the Provider-1 SmartDashboard for the domain, go to Policy > Install Database and install the database on the Check Point management and log servers, so that the updated OPSEC_APP object and its SIC state reach the log server.

10. In /var/log/messages on the Log Collector you should then see events being collected from the Log Server. Each "Session starting" line shows the identities in use (sdn, cdn, cen) and the keystore (kfp), and the "Session completed" line shows the number of events retrieved, for example:

Aug 12 15:17:25 LOGDECCOL1 nw[1589]: [CheckpointCollection] [info] [checkpoint.Provider1Customer1CLM] [processing] [WorkUnit] [processing] cpfw2:192.168.123.135:Session starting: sdn=CN=Customer1_LogServer,O=Customer1_Management_Server..43ngvd cdn=CN=OPSEC_APP,O=Customer1_Management_Server..43ngvd cen=OPSEC_APP kfp=/etc/netwitness/ng/truststore/checkpoint_Provider1Customer1CLM.p12 file=1407843488 record=4375 log=security-fileid start=record count=5000 time=120
Aug 12 15:17:25 LOGDECCOL1 nw[1589]: [CheckpointCollection] [info] [checkpoint.Provider1Customer1CLM] [processing] [WorkUnit] [processing] cpfw2:192.168.123.135:Client Version Full Description(Opsec SDK 6.0 patch=1 build=591000010 6.0) Version(6000)
Aug 12 15:17:25 LOGDECCOL1 nw[1589]: [CheckpointCollection] [info] [checkpoint.Provider1Customer1CLM] [processing] [WorkUnit] [processing] cpfw2:192.168.123.135:Time to establish session(00:00:00.010221)
Aug 12 15:17:26 LOGDECCOL1 nw[1589]: [CheckpointCollection] [info] [checkpoint.Provider1Customer1CLM] [processing] [WorkUnit] [processing] cpfw2:192.168.123.135:Server Version Full Description(Opsec SDK NG FP3 patch=1 build=486000010 NG) Version(5000)
Aug 12 15:19:26 LOGDECCOL1 nw[1589]: [CheckpointCollection] [info] [checkpoint.Provider1Customer1CLM] [processing] [WorkUnit] [processing] cpfw2:192.168.123.135:Session End:Timed Execution Reached(00:02:01.025680)
Aug 12 15:19:39 LOGDECCOL1 nw[1589]: [CheckpointCollection] [info] [checkpoint.Provider1Customer1CLM] [processing] [WorkUnit] [processing] cpfw2:192.168.123.135:Session exit reason: The session was ended by the application
Aug 12 15:19:39 LOGDECCOL1 nw[1589]: [CheckpointCollection] [info] [checkpoint.Provider1Customer1CLM] [processing] [WorkUnit] [processing] cpfw2:192.168.123.135:Session completed: Total Time(00:02:13.193865) Total Events(38)
Aug 12 15:19:44 LOGDECCOL1 nw[1589]: [CheckpointCollection] [info] [checkpoint.Provider1Customer1CLM] [processing] [WorkUnit] [processing] cpfw2:192.168.123.135:Session starting: sdn=CN=Customer1_LogServer,O=Customer1_Management_Server..43ngvd cdn=CN=OPSEC_APP,O=Customer1_Management_Server..43ngvd cen=OPSEC_APP kfp=/etc/netwitness/ng/truststore/checkpoint_Provider1Customer1CLM.p12 file=1407843488 record=4413 log=security-fileid start=record count=5000 time=120
Aug 12 15:19:44 LOGDECCOL1 nw[1589]: [CheckpointCollection] [info] [checkpoint.Provider1Customer1CLM] [processing] [WorkUnit] [processing] cpfw2:192.168.123.135:Client Version Full Description(Opsec SDK 6.0 patch=1 build=591000010 6.0) Version(6000)
Aug 12 15:19:44 LOGDECCOL1 nw[1589]: [CheckpointCollection] [info] [checkpoint.Provider1Customer1CLM] [processing] [WorkUnit] [processing] cpfw2:192.168.123.135:Time to establish session(00:00:00.006492)
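As an added check (example code written for this article's scenario, not RSA's own tooling), the following Python script automates step 10: it reads the CheckpointCollection lines from /var/log/messages, confirms that the SIC identities and keystore the collector actually used (sdn, cdn, cen, kfp) match the event-source values from step 7, and sums the events of each completed session. The sample lines are copied from the excerpt above; the expected values are the ones from step 7, and the script name, function names and output format are assumptions of the example.

```python
"""Verify Check Point LEA collection from the Log Collector's /var/log/messages.

Added example, not RSA code. It parses the nw[...] CheckpointCollection lines
shown in step 10, checks that the SIC identities the collector actually used
(sdn/cdn/cen/kfp) match the event-source settings from step 7, and sums the
events reported by each completed session.
"""
import re
import sys
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Prefix common to every CheckpointCollection line, ending in "<server>:<ip>:<message>"
LINE_RE = re.compile(
    r"\[CheckpointCollection\] \[(?P<level>\w+)\] \[checkpoint\.(?P<source>[^\]]+)\].*?"
    r" (?P<server>[^:\s]+):(?P<ip>\d+(?:\.\d+){3}):(?P<msg>.*)$"
)
# key=value pairs in "Session starting:" (DN values contain '=' but no spaces)
KV_RE = re.compile(r"(\w+)=(\S+)")
EVENTS_RE = re.compile(r"Total Events\((\d+)\)")

# Values configured on the Check Point event source in step 7 (taken from the article).
EXPECTED = {
    "sdn": "CN=Customer1_LogServer,O=Customer1_Management_Server..43ngvd",
    "cdn": "CN=OPSEC_APP,O=Customer1_Management_Server..43ngvd",
    "cen": "OPSEC_APP",
    "kfp": "/etc/netwitness/ng/truststore/checkpoint_Provider1Customer1CLM.p12",
}

# Sample input: lines copied from the article's /var/log/messages excerpt.
SAMPLE_LOG = """\
Aug 12 15:17:25 LOGDECCOL1 nw[1589]: [CheckpointCollection] [info] [checkpoint.Provider1Customer1CLM] [processing] [WorkUnit] [processing] cpfw2:192.168.123.135:Session starting: sdn=CN=Customer1_LogServer,O=Customer1_Management_Server..43ngvd cdn=CN=OPSEC_APP,O=Customer1_Management_Server..43ngvd cen=OPSEC_APP kfp=/etc/netwitness/ng/truststore/checkpoint_Provider1Customer1CLM.p12 file=1407843488 record=4375 log=security-fileid start=record count=5000 time=120
Aug 12 15:17:25 LOGDECCOL1 nw[1589]: [CheckpointCollection] [info] [checkpoint.Provider1Customer1CLM] [processing] [WorkUnit] [processing] cpfw2:192.168.123.135:Time to establish session(00:00:00.010221)
Aug 12 15:19:26 LOGDECCOL1 nw[1589]: [CheckpointCollection] [info] [checkpoint.Provider1Customer1CLM] [processing] [WorkUnit] [processing] cpfw2:192.168.123.135:Session End:Timed Execution Reached(00:02:01.025680)
Aug 12 15:19:39 LOGDECCOL1 nw[1589]: [CheckpointCollection] [info] [checkpoint.Provider1Customer1CLM] [processing] [WorkUnit] [processing] cpfw2:192.168.123.135:Session completed: Total Time(00:02:13.193865) Total Events(38)
"""


@dataclass
class Session:
    server: str
    ip: str
    params: Dict[str, str]
    events: Optional[int] = None  # set when the matching "Session completed" line is seen


@dataclass
class Report:
    sessions: List[Session] = field(default_factory=list)
    mismatches: List[str] = field(default_factory=list)

    def total_events(self) -> int:
        return sum(s.events or 0 for s in self.sessions)

    def healthy(self) -> bool:
        # At least one session completed with events and every identity matched.
        return not self.mismatches and any(s.events for s in self.sessions)


def check_collection(log_text: str, expected: Dict[str, str]) -> Report:
    report = Report()
    current: Optional[Session] = None
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        msg = m.group("msg")
        if msg.startswith("Session starting:"):
            params = dict(KV_RE.findall(msg))
            current = Session(m.group("server"), m.group("ip"), params)
            report.sessions.append(current)
            for key, want in expected.items():
                got = params.get(key)
                if got != want:
                    report.mismatches.append(f"{key}: collector used {got!r}, expected {want!r}")
        elif msg.startswith("Session completed:") and current is not None:
            e = EVENTS_RE.search(msg)
            if e:
                current.events = int(e.group(1))
            current = None
    return report


if __name__ == "__main__":
    # Usage: python check_lea_collection.py [/var/log/messages]; without a path the sample is used.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    rep = check_collection(text, EXPECTED)
    for s in rep.sessions:
        print(f"{s.server} {s.ip}: record={s.params.get('record')} events={s.events}")
    for problem in rep.mismatches:
        print("MISMATCH", problem)
    print("healthy" if rep.healthy() else "NOT healthy")
```

A mismatch on cdn or cen means the collector is presenting a different identity than the one whose SIC was reset in steps 1 to 5, and a mismatch on kfp means it is using a different pulled certificate than the one selected in step 8; a session that starts but never completes with events points at the log server side (step 9) rather than at the Security Analytics configuration.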


 


If you are unsure of any of the steps above or experience any issues, contact RSA Support and quote this article ID for further assistance.

Notes

These instructions were tested with the following:


  • Provider-1 Multi Domain Server R77
  • RSA Security Analytics 10.3 SP4
  • Check Point Firewall R75.20

If your version of Check Point does not display the DN of the Log Server certificate in the GUI, it can be found as follows:

1) Log into expert mode on the MDM.

2) Use mdsenv to switch to the correct Customer (domain) environment.

3) Run: cpca_client lscert -kind SIC

This lists every SIC certificate issued by that domain's ICA, including revoked ones, so the DNs for the OPSEC application (the Valid CN=OPSEC_APP entry) and the log server (CN=Customer1_LogServer) can be read from the Subject lines. These steps are shown below:


You are in expert mode now.


[Expert@checkpointmdm]# mdsstat
+-------------------------------------------------------------------------------------------------------------------------------+
|                                                   Processes status checking                                                   |
+-----+---------------------------------------------------------+-----------------+------------+----------+----------+----------+
| Type| Name                                                    | IP address      | FWM        | FWD      | CPD      | CPCA     |
+-----+---------------------------------------------------------+-----------------+------------+----------+----------+----------+
| MDS |                            -                            | 192.168.123.130 | up 4483    | up 4482  | up 4481  | up 5425  |
+-----+---------------------------------------------------------+-----------------+------------+----------+----------+----------+
| CMA |Customer1_Management_Server                              | 192.168.123.132 | up 6851    | up 6850  | up 6840  | up 6890  |
+-----+---------------------------------------------------------+-----------------+------------+----------+----------+----------+
| Total Domain Management Servers checked: 1     1 up   0 down                                                                  |
| Tip: Run mdsstat -h for legend                                                                                                |
+-------------------------------------------------------------------------------------------------------------------------------+
[Expert@checkpointmdm]# mdsenv Customer1_Management_Server
[Expert@checkpointmdm]#  cpca_client lscert -kind SIC
Operation succeeded. rc=0.
9 certs found.


Subject = CN=cpfw2,O=Customer1_Management_Server..43ngvd
Status = Valid   Kind = SIC   Serial = 29571   DP = 0
Not_Before: Mon Aug 11 12:30:47 2014   Not_After: Sun Aug 11 12:30:47 2019


Subject = CN=192.168.123.132,O=Customer1_Management_Server..43ngvd
Status = Valid   Kind = SIC   Serial = 35181   DP = 0
Not_Before: Mon Aug 11 11:27:04 2014   Not_After: Sun Aug 11 11:27:04 2019


Subject = CN=OPSEC_APP,O=Customer1_Management_Server..43ngvd
Status = Revoked   Kind = SIC   Serial = 41040   DP = 0
Not_Before: Mon Aug 11 13:09:39 2014   Not_After: Sun Aug 11 13:09:39 2019


Subject = CN=OPSEC_APP,O=Customer1_Management_Server..43ngvd
Status = Revoked   Kind = SIC   Serial = 50285   DP = 0
Not_Before: Mon Aug 11 14:24:43 2014   Not_After: Sun Aug 11 14:24:43 2019


Subject = CN=Customer1_LogServer,O=Customer1_Management_Server..43ngvd
Status = Valid   Kind = SIC   Serial = 55094   DP = 0
Not_Before: Mon Aug 11 12:38:15 2014   Not_After: Sun Aug 11 12:38:15 2019


Subject = CN=OPSEC_APP,O=Customer1_Management_Server..43ngvd
Status = Revoked   Kind = SIC   Serial = 63550   DP = 0
Not_Before: Mon Aug 11 14:34:38 2014   Not_After: Sun Aug 11 14:34:38 2019


Subject = CN=cp_mgmt,O=Customer1_Management_Server..43ngvd
Status = Valid   Kind = SIC   Serial = 65264   DP = 0
Not_Before: Mon Aug 11 11:26:59 2014   Not_After: Sun Aug 11 11:26:59 2019


Subject = CN=OPSEC_APP,O=Customer1_Management_Server..43ngvd
Status = Revoked   Kind = SIC   Serial = 71098   DP = 0
Not_Before: Mon Aug 11 13:56:24 2014   Not_After: Sun Aug 11 13:56:24 2019


Subject = CN=OPSEC_APP,O=Customer1_Management_Server..43ngvd
Status = Valid   Kind = SIC   Serial = 76435   DP = 0
Not_Before: Mon Aug 11 14:47:00 2014   Not_After: Sun Aug 11 14:47:00 2019
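The following Python script is an added example (not Check Point or RSA code) that reads the lscert output above and picks the DNs to enter in the Security Analytics event source: it ignores the OPSEC_APP certificates revoked by the earlier SIC resets and returns the current Valid one together with the log server's DN. The sample input is an abridged copy of the output above; the function names and the same-ICA sanity check are assumptions of the example.

```python
"""Pick the SIC DNs for the Security Analytics event source from cpca_client output.

Added example, not Check Point or RSA code. It parses the text printed by
"cpca_client lscert -kind SIC" (run under mdsenv for the right domain), skips
revoked certificates left behind by earlier SIC resets, and returns the DNs to
enter as Client Distinguished Name and Server Distinguished Name.
"""
import re
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional, Tuple

SUBJECT_RE = re.compile(r"^Subject = (?P<dn>.+)$")
STATUS_RE = re.compile(r"^Status = (?P<status>\w+)\s+Kind = (?P<kind>\w+)\s+Serial = (?P<serial>\d+)")
DATES_RE = re.compile(r"^Not_Before: (?P<nb>.+?)\s+Not_After: (?P<na>.+)$")
DATE_FMT = "%a %b %d %H:%M:%S %Y"  # e.g. "Mon Aug 11 12:30:47 2014"

# Sample input: abridged copy of the lscert output shown above.
SAMPLE_LSCERT = """\
Operation succeeded. rc=0.
5 certs found.

Subject = CN=cpfw2,O=Customer1_Management_Server..43ngvd
Status = Valid   Kind = SIC   Serial = 29571   DP = 0
Not_Before: Mon Aug 11 12:30:47 2014   Not_After: Sun Aug 11 12:30:47 2019

Subject = CN=OPSEC_APP,O=Customer1_Management_Server..43ngvd
Status = Revoked   Kind = SIC   Serial = 41040   DP = 0
Not_Before: Mon Aug 11 13:09:39 2014   Not_After: Sun Aug 11 13:09:39 2019

Subject = CN=OPSEC_APP,O=Customer1_Management_Server..43ngvd
Status = Revoked   Kind = SIC   Serial = 50285   DP = 0
Not_Before: Mon Aug 11 14:24:43 2014   Not_After: Sun Aug 11 14:24:43 2019

Subject = CN=Customer1_LogServer,O=Customer1_Management_Server..43ngvd
Status = Valid   Kind = SIC   Serial = 55094   DP = 0
Not_Before: Mon Aug 11 12:38:15 2014   Not_After: Sun Aug 11 12:38:15 2019

Subject = CN=OPSEC_APP,O=Customer1_Management_Server..43ngvd
Status = Valid   Kind = SIC   Serial = 76435   DP = 0
Not_Before: Mon Aug 11 14:47:00 2014   Not_After: Sun Aug 11 14:47:00 2019
"""


@dataclass
class SicCert:
    dn: str
    status: str
    kind: str
    serial: int
    not_before: datetime
    not_after: datetime

    @property
    def cn(self) -> str:
        # "CN=OPSEC_APP,O=..." -> "OPSEC_APP"
        return self.dn.split(",", 1)[0][len("CN="):]


def parse_lscert(text: str) -> List[SicCert]:
    """Each certificate is a Subject line, a Status line and a Not_Before/Not_After line."""
    certs: List[SicCert] = []
    dn = status = kind = None
    serial = None
    for raw in text.splitlines():
        line = raw.strip()
        m = SUBJECT_RE.match(line)
        if m:
            dn = m.group("dn")
            continue
        m = STATUS_RE.match(line)
        if m:
            status, kind, serial = m.group("status"), m.group("kind"), int(m.group("serial"))
            continue
        m = DATES_RE.match(line)
        if m and dn and status:
            certs.append(SicCert(dn, status, kind, serial,
                                 datetime.strptime(m.group("nb"), DATE_FMT),
                                 datetime.strptime(m.group("na"), DATE_FMT)))
            dn = status = kind = None
            serial = None
    return certs


def current_cert(certs: List[SicCert], cn: str) -> Optional[SicCert]:
    """The Valid certificate for this CN issued most recently; every SIC reset revokes the older ones."""
    valid = [c for c in certs if c.cn == cn and c.status == "Valid" and c.kind == "SIC"]
    return max(valid, key=lambda c: c.not_before) if valid else None


def sic_dns_for_sa(certs: List[SicCert], client_cn: str, server_cn: str) -> Tuple[str, str]:
    """Return (Client Distinguished Name, Server Distinguished Name) for the SA event source."""
    client, server = current_cert(certs, client_cn), current_cert(certs, server_cn)
    if client is None:
        raise LookupError(f"no valid SIC certificate for {client_cn}; reset SIC and pull it again")
    if server is None:
        raise LookupError(f"no valid SIC certificate for log server {server_cn}")
    if client.dn.split(",", 1)[1] != server.dn.split(",", 1)[1]:
        # Sanity check: in the setup described here both are issued by the same domain ICA ("O=" part).
        raise ValueError("client and server certificates come from different ICAs")
    return client.dn, server.dn
```

Run it with the output of cpca_client piped in (sys.stdin.read() in place of SAMPLE_LSCERT); if it raises LookupError for OPSEC_APP, the certificate pulled by Security Analytics has since been revoked by another reset and steps 1 to 8 have to be repeated.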


If after following these instructions you are still facing difficulties, run the following command from an SSH session on your Log Collector, replacing the values as follows (the example uses values from a different environment; --port 18184 is the LEA port, and --kfp is the .p12 file stored in /etc/netwitness/ng/truststore when the certificate was pulled):

Command Line Switch   Value
--ip                  IP address of the Check Point log server
--name                name of the Check Point firewall (or cluster) object
--sdn                 Server Distinguished Name
--cdn                 Client Distinguished Name
--cen                 Client Entity Name
--kfp                 path of the certificate (.p12) file to use for the connection

NwCheckpointProcess --ip 192.168.202.243 --name checkpoint --port 18184 --sdn CN=cp_mgmt,O=checkpoint..uicypp --cdn CN=LogCollector_OPSEC,O=checkpoint..uicypp --cen LogCollector_OPSEC --kfp /etc/netwitness/ng/truststore/checkpoint_CheckPointSecurity.p12 --count 5000 --time 120 --timeout 0 --odebug

The output contains debug information on why the connection is failing. Provide a copy of it to RSA Support to assist troubleshooting.


Sample output of a failed connection. In this sample the failure occurs before any SIC/SSL handshake: the TCP connection to the log server on port 18184 itself fails ("Transport endpoint is not connected", followed by "OPSEC_SET_ERRNO: err = 8 Comm is not connected/Unable to connect"), which points to network reachability or the LEA service not listening on the log server rather than to a certificate problem.


[ 3672 4147841280]@ABC-VLC-01[11 Feb 21:47:57] CkpRegDir: Environment variable CPDIR is not set. 
[ 3672 4147841280]@ABC-VLC-01[11 Feb 21:47:57] GenerateGlobalEntry: Unable to get registry path
[ 3672 4147841280]@ABC-VLC-01[11 Feb 21:47:57] ckpSSLctx_New: prefs = 12
[ 3672 4147841280]@ABC-VLC-01[11 Feb 21:47:57] ckpSSLctx_New: prefs = 32
[ 3672 4147841280]@ABC-VLC-01[11 Feb 21:47:57] ckpSSLctx_New: prefs = 11
[ 3672 4147841280]@ABC-VLC-01[11 Feb 21:47:57] ckpSSLctx_New: prefs = 31
[ 3672 4147841280]@ABC-VLC-01[11 Feb 21:47:57] ckpSSLctx_New: prefs = 12
[ 3672 4147841280]@ABC-VLC-01[11 Feb 21:47:57] sslcaInitCP_Ex: using asym client without ca cert
[ 3672 4147841280]@ABC-VLC-01[11 Feb 21:47:57] ckpSSLctx_New: prefs = 12
[ 3672 4147841280]@ABC-VLC-01[11 Feb 21:47:57] ckpSSLctx_New: prefs = 12
[ 3672 4147841280]@ABC-VLC-01[11 Feb 21:47:57] sslcaInitCP_Ex: using asym client without ca cert
[ 3672 4147841280]@ABC-VLC-01[11 Feb 21:47:57] ckpSSLctx_New: prefs = 32
[ 3672 4147841280]@ABC-VLC-01[11 Feb 21:47:57] ckpSSLctx_New: prefs = 32
[ 3672 4147841280]@ABC-VLC-01[11 Feb 21:47:57] sslcaInitCP_Ex: using asym client without ca cert
[ 3672 4147841280]@ABC-VLC-01[11 Feb 21:47:57] ckpSSLctx_New: prefs = 11
[ 3672 4147841280]@ABC-VLC-01[11 Feb 21:47:57] ckpSSLctx_New: prefs = 11
[ 3672 4147841280]@ABC-VLC-01[11 Feb 21:47:57] sslcaInitCP_Ex: using asym client without ca cert
[ 3672 4147841280]@ABC-VLC-01[11 Feb 21:47:57] ckpSSLctx_New: prefs = 31
[ 3672 4147841280]@ABC-VLC-01[11 Feb 21:47:57] ckpSSLctx_New: prefs = 31
[ 3672 4147841280]@ABC-VLC-01[11 Feb 21:47:57] opsec_init_sic_id_internal: Added sic id (ctx id = 0)
[ 3672 4147841280]@ABC-VLC-01[11 Feb 21:47:57] Configuring entity SA_VLC_ABC
[ 3672 4147841280]@ABC-VLC-01[11 Feb 21:47:57] Could not find info for ...SA_VLC_ABC...
[ 3672 4147841280]@ABC-VLC-01[11 Feb 21:47:57] Could not find info for ...SA_VLC_ABC...
[ 3672 4147841280]@ABC-VLC-01[11 Feb 21:47:57] Could not find info for ...SA_VLC_ABC...
[ 3672 4147841280]@ABC-VLC-01[11 Feb 21:47:57] Could not find info for ...SA_VLC_ABC...
[ 3672 4147841280]@ABC-VLC-01[11 Feb 21:47:57] Could not find info for ...SA_VLC_ABC...
[ 3672 4147841280]@ABC-VLC-01[11 Feb 21:47:57] Could not find info for ...SA_VLC_ABC...
[ 3672 4147841280]@ABC-VLC-01[11 Feb 21:47:57] Could not find info for ...SA_VLC_ABC...
[ 3672 4147841280]@ABC-VLC-01[11 Feb 21:47:57] Could not find info for ...SA_VLC_ABC...
[ 3672 4147841280]@ABC-VLC-01[11 Feb 21:47:57] opsec_init_entity_sic: called for the client side
[ 3672 4147841280]@ABC-VLC-01[11 Feb 21:47:57] Configuring entity FW-CLUSTER
[ 3672 4147841280]@ABC-VLC-01[11 Feb 21:47:57] Could not find info for ...FW-CLUSTER...
[ 3672 4147841280]@ABC-VLC-01[11 Feb 21:47:57] Could not find info for ...FW-CLUSTER...
[ 3672 4147841280]@ABC-VLC-01[11 Feb 21:47:57] Could not find info for ...FW-CLUSTER...
[ 3672 4147841280]@ABC-VLC-01[11 Feb 21:47:57] Could not find info for ...FW-CLUSTER...
[ 3672 4147841280]@ABC-VLC-01[11 Feb 21:47:57] Could not find info for ...FW-CLUSTER...
[ 3672 4147841280]@ABC-VLC-01[11 Feb 21:47:57] Could not find info for ...FW-CLUSTER...
[ 3672 4147841280]@ABC-VLC-01[11 Feb 21:47:57] Could not find info for ...FW-CLUSTER...
[ 3672 4147841280]@ABC-VLC-01[11 Feb 21:47:57] Could not find info for ...FW-CLUSTER...
[ 3672 4147841280]@ABC-VLC-01[11 Feb 21:47:57] opsec_entity_add_sic_rule: adding rules: apply_to: ME, peer: CN=FW-CLUSTER-CLM1,O=FW-CLUSTER..5f4kb3, d_ip: NULL, dport 18184, svc: lea, method: sslca
[ 3672 4147841280]@ABC-VLC-01[11 Feb 21:47:57] opsec_entity_add_sic_rule: adding INBOUND rule
[ 3672 4147841280]@ABC-VLC-01[11 Feb 21:47:57] opsec_entity_add_sic_rule: adding OUTBOUND rule
[ 3672 4147841280]@ABC-VLC-01[11 Feb 21:47:57] opsec_get_comm: creating comm for ent=9b99230 peer=9b988b8 passive=0 key=2 info=0
[ 3672 4147841280]@ABC-VLC-01[11 Feb 21:47:57] c=0x9b99230 s=0x9b988b8 comm_type=4
[ 3672 4147841280]@ABC-VLC-01[11 Feb 21:47:57] Could not find info for ...opsec_client...
[ 3672 4147841280]@ABC-VLC-01[11 Feb 21:47:57] opsec_get_comm: Creating session hash (size=256)
[ 3672 4147841280]@ABC-VLC-01[11 Feb 21:47:57] opsec_get_comm: ADDING comm=0x9b985d0 to ent=0x9b99230 with key=2
[ 3672 4147841280]@ABC-VLC-01[11 Feb 21:47:57] opsec_env_get_context_id_by_peer_sic_name: found context id=0 for peer sic name=CN=FW-CLUSTER-CLM1,O=FW-CLUSTERSC1..5f4kb3
[ 3672 4147841280]@ABC-VLC-01[11 Feb 21:47:57] opsec_env_get_sic_handle_by_context_id: found sic handle (ctx id=0)
[ 3672 4147841280]@ABC-VLC-01[11 Feb 21:47:57] opsec_sic_connect: connecting... (ctx id=0)
[ 3672 4147841280]@ABC-VLC-01[11 Feb 21:47:57] resolver_gethostbyname: Performing gethostbyname for ABC-VLC-01
[ 3672 4147841280]@ABC-VLC-01[11 Feb 21:47:57] peers addresses are
[ 3672 4147841280]@ABC-VLC-01[11 Feb 21:47:57] 1.2.3.4
[ 3672 4147841280]@ABC-VLC-01[11 Feb 21:47:57] SESSION ID:3 is sending DG_TYPE=1
[ 3672 4147841280]@ABC-VLC-01[11 Feb 21:47:57] pushing dgtype=1 len=0 to list=0x9b985ec
[ 3672 4147841280]@ABC-VLC-01[11 Feb 21:47:57] SESSION ID:3 is sending DG_TYPE=402
[ 3672 4147841280]@ABC-VLC-01[11 Feb 21:47:57] pushing dgtype=402 len=41 to list=0x9b985ec
[ 3672 4147841280]@ABC-VLC-01[11 Feb 21:47:57] SESSION ID:3 is sending DG_TYPE=10a
[ 3672 4147841280]@ABC-VLC-01[11 Feb 21:47:57] pushing dgtype=10a len=0 to list=0x9b985ec
[ 3672 4147841280]@ABC-VLC-01[11 Feb 21:47:57] fwasync_connected: 10: getpeername: Transport endpoint is not connected
[ 3672 4147841280]@ABC-VLC-01[11 Feb 21:47:57] opsec_auth_client_connected: connection to server failed.
[ 3672 4147841280]@ABC-VLC-01[11 Feb 21:47:57] opsec_auth_client_connected:conn=(nil) opaque=0x9ba3528 err=0 comm=0x9b985d0
[ 3672 4147841280]@ABC-VLC-01[11 Feb 21:47:57] comm failed to connect 0x9b985d0
[ 3672 4147841280]@ABC-VLC-01[11 Feb 21:47:57] OPSEC_SET_ERRNO: err = 8 Comm is not connected/Unable to connect (pre = 0)

[ 3672 4147841280]@ABC-VLC-01[11 Feb 21:47:57] COM 0x9b985d0 got signal 131075
[ 3672 4147841280]@ABC-VLC-01[11 Feb 21:47:57] destroying comm 0x9b985d0
[ 3672 4147841280]@ABC-VLC-01[11 Feb 21:47:57] Destroying comm 0x9b985d0 with 1 active sessions
[ 3672 4147841280]@ABC-VLC-01[11 Feb 21:47:57] Destroying session (9ba72c0) id 3 (ent=9b99230) reason=COMM_IS_DEAD
[ 3672 4147841280]@ABC-VLC-01[11 Feb 21:47:57] SESSION ID:3 is sending DG_TYPE=3
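To make the debug run from the troubleshooting paragraph above easier to read, the following Python script is an added example (not RSA code) that strips the per-line prefix from an --odebug trace, records which peer (SIC DN, addresses, port, service) the OPSEC SDK was told to connect to, and classifies the first failure, distinguishing a plain TCP connect failure like the one above from an OPSEC error reported later in the trace. The sample trace is an abridged copy of the output above; the stage names and the advice text are the example's own.

```python
"""Triage the output of NwCheckpointProcess --odebug.

Added example, not RSA or Check Point code. It strips the "[pid tid]@host[time]"
prefix from each line of the debug trace, records which peer the OPSEC SDK was
told to talk to (SIC rule, addresses, port) and reports the first failure, so
a connect-level failure is not mistaken for a certificate problem.
"""
import re
from typing import Dict, List

PREFIX_RE = re.compile(r"^\[[^\]]*\]@[^\[]+\[[^\]]*\]\s*")
RULE_RE = re.compile(
    r"opsec_entity_add_sic_rule: adding rules: .*?peer: (?P<peer>\S+), d_ip: (?P<dip>\S+), "
    r"dport (?P<port>\d+), svc: (?P<svc>\w+), method: (?P<method>\w+)"
)
ERRNO_RE = re.compile(r"OPSEC_SET_ERRNO: err = (?P<code>\d+) (?P<text>.+?) \(pre = ")
IP_RE = re.compile(r"^\d+(?:\.\d+){3}$")

# Sample input: abridged copy of the failed-connection trace shown above.
SAMPLE_DEBUG = """\
[ 3672 4147841280]@ABC-VLC-01[11 Feb 21:47:57] opsec_entity_add_sic_rule: adding rules: apply_to: ME, peer: CN=FW-CLUSTER-CLM1,O=FW-CLUSTER..5f4kb3, d_ip: NULL, dport 18184, svc: lea, method: sslca
[ 3672 4147841280]@ABC-VLC-01[11 Feb 21:47:57] opsec_sic_connect: connecting... (ctx id=0)
[ 3672 4147841280]@ABC-VLC-01[11 Feb 21:47:57] peers addresses are
[ 3672 4147841280]@ABC-VLC-01[11 Feb 21:47:57] 1.2.3.4
[ 3672 4147841280]@ABC-VLC-01[11 Feb 21:47:57] fwasync_connected: 10: getpeername: Transport endpoint is not connected
[ 3672 4147841280]@ABC-VLC-01[11 Feb 21:47:57] opsec_auth_client_connected: connection to server failed.
[ 3672 4147841280]@ABC-VLC-01[11 Feb 21:47:57] OPSEC_SET_ERRNO: err = 8 Comm is not connected/Unable to connect (pre = 0)
[ 3672 4147841280]@ABC-VLC-01[11 Feb 21:47:57] Destroying session (9ba72c0) id 3 (ent=9b99230) reason=COMM_IS_DEAD
"""


def strip_prefixes(trace: str) -> List[str]:
    """Drop the "[pid tid]@host[timestamp]" prefix and empty lines."""
    return [PREFIX_RE.sub("", ln) for ln in trace.splitlines() if ln.strip()]


def triage_opsec_debug(trace: str) -> Dict[str, object]:
    result: Dict[str, object] = {
        "peer_dn": None, "port": None, "service": None, "method": None,
        "peer_addresses": [], "stage": "no_error_in_trace", "errno": None, "first_failure": None,
    }
    collecting_addrs = False
    for ln in strip_prefixes(trace):
        m = RULE_RE.search(ln)
        if m:
            result.update(peer_dn=m.group("peer"), port=int(m.group("port")),
                          service=m.group("svc"), method=m.group("method"))
            continue
        if ln.startswith("peers addresses are"):
            collecting_addrs = True  # the resolved peer IPs follow, one per line
            continue
        if collecting_addrs:
            if IP_RE.match(ln):
                result["peer_addresses"].append(ln)
                continue
            collecting_addrs = False
        if result["first_failure"] is None and (
            "connection to server failed" in ln or "Transport endpoint is not connected" in ln
        ):
            # TCP connect to the LEA port failed: nothing SIC/TLS related has run yet.
            result["stage"] = "tcp_connect_failed"
            result["first_failure"] = ln
        m = ERRNO_RE.search(ln)
        if m and result["errno"] is None:
            result["errno"] = (int(m.group("code")), m.group("text"))
            if result["first_failure"] is None:
                result["stage"] = "opsec_error"
                result["first_failure"] = ln
    return result


def advice(result: Dict[str, object]) -> str:
    if result["stage"] == "tcp_connect_failed":
        return (f"TCP connection to {result['peer_addresses']} port {result['port']} failed before any "
                "SIC handshake: check routing and firewall rules to the log server and that LEA is "
                "listening there; the certificate is not the problem yet.")
    if result["stage"] == "opsec_error":
        return f"OPSEC error {result['errno']}: send the full trace to RSA Support."
    return "No failure in trace."
```

Feed it the captured output of the NwCheckpointProcess command (for example via sys.stdin.read()) and print advice(triage_opsec_debug(trace)); the peer_dn it reports should equal the --sdn value you passed, which is a quick way to catch a typo in the DN before reading further.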

Legacy Article ID: a67332
