References - Check Point Collection Configuration Parameters

Document created by RSA Information Design and Development on Jul 23, 2016. Last modified by RSA Information Design and Development on Sep 14, 2016. Version 4.

This topic describes the Check Point event source configuration parameters.

To access the Check Point Collection Configuration Parameters:

  1. In the Security Analytics menu, select Administration > Services.
  2. In the Services grid, select a Log Collector service.
  3. Click the actions icon under Actions and select View > Config.
  4. In the Log Collector Event Sources tab, select Check Point/Config from the drop-down menu.


The Check Point/Config view in the Event Sources tab has two panels: Event Categories and Sources.

Event Categories Panel

In the Event Categories panel, you can add or delete the appropriate event source types.

                         
FeatureDescription
Icon-Add.png Displays the Available Event Source Types dialog from which you select the event source type for which you want to define parameters.
Icon_Delete_sm.png Deletes the selected event source types from the Event Categories panel.
Checkbox.png Selects event source types.
NameDisplays the name of the event source types that you have added.

Available Event Sources Types Dialog

The Available Event Source Types dialog displays the list of supported event source types.

                         
FeatureDescription
Checkbox.png Selects the event source type that you want to add.
TypeDisplay the event source types that are available to add.
CancelCloses the dialog without adding an event source type.
OKAdds the selected event source type to the Event Categories panel.

Sources Panel

The Check Point Sources panel displays a list of existing Check Point firewall event sources. Use this section to add or delete event sources and associated communication parameters.

Toolbar

The following table provides descriptions of the toolbar options.

                                   
FeatureDescription
Icon-Add.png Displays the Add Source dialog in which you define the parameters for a Check Point Firewall host.
Icon_Delete_sm.png Deletes the host that you selected.
icon-edit.png

Opens the Edit Source dialog, in which you edit the parameters for the selected Check Point event source.

Select multiple event sources and click icon-edit.png to open the Bulk Edit Source dialog in which you can edit the parameters values for the selected event sources.

Refer to the Log Collection Configuration Guide for detailed information on how to import, export, and edit event sources in bulk.

ImportSourceIcon.PNG

Opens the Bulk Add Option dialog in which you can import Check Point hosts in bulk from a comma-separated values (CSV) file.

Refer to the Log Collection Configuration Guide for detailed information on how to import, export, and edit event sources in bulk.

ExportSourceIcon.PNG

Creates a .csv file that contains the parameters for the selected Check Point hosts.

Refer to the Log Collection Configuration Guide for detailed information on how to import, export, and edit event sources in bulk.

PullCertificateIcon.PNG Open the Pull Certificate dialog. Use this dialog to pull a certificate from the Check Point server for this host.

Add or Edit Source Dialog

The Add Source dialog and the Edit Source dialog contain the same fields.

                                                                                                     
ParameterDescription
Basic
Name*Name of the event source.
Server Address*IP Address of the Check Point server.
Server Name*Name of the Check Point server.
Certificate NameCertificate name for secure connections to use when the transport mode is https. If set, the certificate must exist in the certificate trust store that you created using the Settings tab.

Select a certificate from the drop-down list. The file naming convention for Check Point event source certificates is checkpoint_name-of-event-source.
Client DistinguishedEnter the Client Distinguished Name from the Check Point server.
Client Entity NameEnter the Client Entity Name from the Check Point server.
Server DistinguishedEnter the Server Distinguished Name from the Check Point server.
Pull CertificateSelect the checkbox  to pull a certificate for first time.  Pulling a certificate makes it available from the trust store.
Certificate Server AddressIP Address of the server on which the certificate resides.
PasswordOnly active when you select the Pull Certificate checkbox for first time. Password required to pull the certificate. The password is the activation key created when adding an OPSEC application to Check Point on the Check Point server.
EnabledSelect the check box to enable the event source configuration to start collection. The check box is selected by default.

Advanced

Note: You use fewer system resources when you configure a Check Point event source connection that stays open only for a specific time and a specific event volume (a transient connection). Security Analytics defaults to the following connection parameters, which establish a transient connection:

Polling Interval = 180 (3 minutes)
Max Duration Poll = 120 (2 minutes)
Max Events Poll = 5000 (5000 events per polling interval)
Max Idle Time Poll = 0

For very active Check Point event sources, it is good practice to set up a connection that stays open until you stop collection (a persistent connection). This ensures that Check Point collection keeps pace with the events generated by these sources: a persistent connection avoids restart and reconnection delays and prevents collection from lagging behind event generation. To establish a persistent connection for a Check Point event source, set the following parameters to these values:

Polling Interval = -1
Max Duration Poll = 0
Max Events Poll = 0
Max Idle Time Poll = 0
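The two parameter sets above are easier to reason about with numbers attached. The following Python script is an added example; it is not part of this RSA document and not Security Analytics code. It models a transient connection as collecting at most Max Events Poll events per cycle, for at most Max Duration Poll seconds, once per Polling Interval, and treats the persistent settings (Polling Interval -1, all maxima 0) as unlimited. The rate at which the open OPSEC connection delivers events (drain_eps) and the firewall's own event rate (source_eps) are assumed inputs, not values from the page; the figures in the main block are constructed for illustration.

```python
from dataclasses import dataclass

INF = float("inf")


@dataclass(frozen=True)
class PollSettings:
    """Advanced connection parameters as named in the Add/Edit Source dialog."""
    polling_interval: int    # seconds between polls; -1 means a persistent connection
    max_duration_poll: int   # seconds per cycle; 0 means no limit
    max_events_poll: int     # events per cycle; 0 means no limit
    max_idle_time_poll: int  # idle seconds that end a cycle; 0 means no limit


# The two parameter sets given in the text.
TRANSIENT = PollSettings(180, 120, 5000, 0)
PERSISTENT = PollSettings(-1, 0, 0, 0)


def is_persistent(s: PollSettings) -> bool:
    """True for the persistent profile: the cycle never ends and is never re-scheduled."""
    return (s.polling_interval == -1 and s.max_duration_poll == 0
            and s.max_events_poll == 0 and s.max_idle_time_poll == 0)


def sustained_capacity_eps(s: PollSettings, drain_eps: float) -> float:
    """Average events per second the collector can take from one source.

    drain_eps is an assumed figure (not from the page): how fast the open
    connection delivers events while a cycle is running. Modelling assumption:
    a transient cycle ends at whichever of Max Duration Poll or Max Events Poll
    is hit first, so throughput is min(duration * drain, max_events) / interval.
    """
    if is_persistent(s):
        return INF  # bounded by the link and the collector, not by polling
    if s.polling_interval <= 0:
        raise ValueError("a non-persistent source needs a positive Polling Interval")
    by_time = s.max_duration_poll * drain_eps if s.max_duration_poll > 0 else INF
    by_count = s.max_events_poll if s.max_events_poll > 0 else INF
    per_cycle = min(by_time, by_count)
    return INF if per_cycle == INF else per_cycle / s.polling_interval


def backlog_after(s: PollSettings, source_eps: float, drain_eps: float, seconds: float) -> float:
    """Events still waiting on the Check Point server after `seconds` of a
    steady source_eps event rate (0.0 when collection keeps pace)."""
    capacity = sustained_capacity_eps(s, drain_eps)
    if capacity == INF:
        return 0.0
    return max(0.0, (source_eps - capacity) * seconds)


def falls_behind(s: PollSettings, source_eps: float, drain_eps: float) -> bool:
    """True when these settings cannot keep pace with the source's event rate,
    i.e. when the text's advice to switch to a persistent connection applies."""
    return source_eps > sustained_capacity_eps(s, drain_eps)


if __name__ == "__main__":
    # Constructed figures: a firewall logging 50 events/s, the connection
    # delivering 200 events/s while open.
    for name, profile in (("transient", TRANSIENT), ("persistent", PERSISTENT)):
        cap = sustained_capacity_eps(profile, drain_eps=200)
        lag = backlog_after(profile, source_eps=50, drain_eps=200, seconds=3600)
        behind = falls_behind(profile, source_eps=50, drain_eps=200)
        print(f"{name:10s} capacity={cap:.1f} events/s  backlog after 1 h={lag:.0f}  falls behind={behind}")
```

With the page's transient defaults the ceiling is 5000 events every 180 seconds, just under 28 events per second regardless of how fast the connection can deliver; a source that logs faster than that accumulates a backlog every hour, which is the lag the note above warns about.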

Port: Port on the Check Point server to which the Log Collector connects. The default value is 18184.

Collect Log Type

Type of logs that you want to collect. Valid values are:

  • Audit - collects audit events.
  • Security - collects security events.

An event source collects only one log type, so to collect both audit and security events you must create two event sources for the same Check Point server. For example, first create an event source with Audit selected and Pull Certificate selected, which pulls the certificate into the trust store. Then create a second event source with the same values except: select Security for Collect Log Type, select the certificate you pulled for the first event source in Certificate Name, and make sure that Pull Certificate is not selected, since the certificate is already in the trust store.

Collect Logs From

When you set up a Check Point event source, Security Analytics collects events from the current log file. Valid values are:

  • Now - Start collecting logs now (at this point in time in the current log file). 
  • Beginning of Time - Collect logs from the beginning of the current log file.

If you choose "Beginning of Time" for this parameter value, you may collect a very large amount of data depending on how long the current log file has been collecting events.

Polling Interval

Interval (amount of time in seconds) between each poll. The default value is 180.

For example, if you specify 180, the collector schedules a polling of the event source every 180 seconds. If the previous polling cycle is still underway, it will wait for it to finish that cycle. If you have a large number of event sources that you are polling, it may take longer than 180 seconds for the polling to start because the threads are busy.
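The "threads are busy" effect described above can be estimated before it shows up as lagging collection. The following Python simulation is an added example, not RSA's code or documentation. It assumes a fixed pool of worker threads (the pool size is not given on this page and is an input here), that every poll cycle runs for the full Max Duration Poll, that a source's k-th poll is due at k times the Polling Interval, and that a due poll starts only when a thread is free and the source's previous cycle has finished. The rule of thumb that falls out of that model is also given: beyond threads * Polling Interval / Max Duration Poll sources, start delays grow without bound. The scenario in the main block is constructed.

```python
import heapq


def simulate_poll_delays(n_sources: int, polling_interval: float, cycle_seconds: float,
                         threads: int, cycles_per_source: int) -> float:
    """Largest gap, in seconds, between when a poll was due and when it started.

    Modelling assumptions (not from the page): the k-th poll of each source is
    due at k * polling_interval; it starts once a worker is free and the
    source's previous cycle has ended; every cycle runs the full cycle_seconds
    (it always reaches Max Duration Poll); the earliest-due poll always takes
    the next free worker, and a worker handed a poll that is still waiting on
    the source's previous cycle idles until that cycle ends (a simplification).
    """
    if threads < 1 or n_sources < 1:
        raise ValueError("need at least one thread and one source")
    worker_free = [0.0] * threads                      # min-heap: when each worker is idle again
    due = [(0.0, src, 0) for src in range(n_sources)]  # (due time, source, cycle index)
    heapq.heapify(due)
    prev_end = [0.0] * n_sources
    max_delay = 0.0
    while due:
        due_at, src, k = heapq.heappop(due)
        free_at = heapq.heappop(worker_free)
        start = max(due_at, free_at, prev_end[src])   # the wait the text describes
        end = start + cycle_seconds
        heapq.heappush(worker_free, end)
        prev_end[src] = end
        max_delay = max(max_delay, start - due_at)
        if k + 1 < cycles_per_source:
            heapq.heappush(due, ((k + 1) * polling_interval, src, k + 1))
    return max_delay


def max_sources_without_growing_delay(polling_interval: float, cycle_seconds: float,
                                      threads: int) -> float:
    """Under the same assumptions, each worker fits polling_interval / cycle_seconds
    full cycles per interval; more sources than threads times that ratio means
    the pool cannot drain one interval's work before the next interval starts."""
    return threads * polling_interval / cycle_seconds


if __name__ == "__main__":
    # Constructed scenario: the page defaults (180 s interval, 120 s max duration)
    # and an assumed pool of 4 worker threads.
    print("sources before delays grow:", max_sources_without_growing_delay(180, 120, 4))
    for n in (4, 6, 7, 12):
        d = simulate_poll_delays(n, 180, 120, 4, 8)
        print(f"{n:2d} sources -> max start delay {d:.0f} s over 8 cycles")
```

The threshold is a capacity check, not a guarantee of zero delay: at exactly the threshold the first burst of polls still queues, but the delay stays bounded, whereas one source more makes every interval inherit more unfinished work than the last.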

Max Duration Poll: The maximum duration of a polling cycle (how long the cycle lasts), in seconds. 0 indicates no limit.
Max Events Poll: The maximum number of events collected per polling cycle. 0 indicates no limit.
Max Idle Time Poll: The maximum idle time of a polling cycle, in seconds. 0 indicates no limit. The default value is 300 (the transient-connection parameter set listed above uses 0).
Debug

Caution: Only enable debugging (set this parameter to "On" or "Verbose") if you have a problem with an event source and you need to investigate this problem. Enabling debugging will adversely affect the performance of the Log Collector.

Enables and disables debug logging for the event source.

Valid values are:

  • Off = (default) disabled
  • On = enabled
  • Verbose = enabled in verbose mode, which adds thread information and source context information to the messages.

This parameter is designed to debug and monitor isolated event source collection issues. The debug logging is verbose, so limit the number of event sources to minimize performance impact.

If you change this value, the change takes effect immediately (no restart required).

Cancel: Closes the dialog without adding or changing the Check Point host.
OK: Saves the current parameter values, adding a new Check Point host or applying your edits to the selected one.

Pull Certificate Dialog

The following table provides descriptions of the Pull Certificate dialog parameters.

                                         
ParameterDescription
NameDisplays the name of the event source
Server AddressDisplays the IP Address of the Check Point server.
Client Entity NameDisplays the Client Entity Name that you acquire when you configure the Check Point event source for Security Analytics.
PasswordActivation key created when adding an OPSEC application to Check Point. You need to reenter this password to pull the certificate from the Check Point server.
Update(Only displays in edit mode - click on Password field) Applies edits that you make to the host parameters.
Cancel(Only displays in edit mode - click on Password field) Closes edit mode with applying changes.
CancelCloses the dialog without pulling a certificate.
OKPulls the certificate.

Tasks

Step 2. Configure Check Point Event Sources in Security Analytics

