This topic describes the Check Point event source configuration parameters
To access the Check Point Collection Configuration Parameters:
- In the Security Analytics menu, select Administration > Services.
- In the Services grid, select a Log Collector service.
- Click under Actions and select View > Config.
- In the Log Collector Event Sources tab, select Check Point/Config from the drop-down menu.
The Check Point/Config view in the Event Sources tab has two panels: Event Categories and Sources.
Event Categories Panel
In the Event Categories panel, you can add or delete the appropriate event source types.
Available Event Sources Types Dialog
The Available Event Source Types dialog displays the list of supported event source types.
The Check Point Sources panel displays a list of existing Check Point firewall event sources. Use this section to add or delete event sources and associated communication parameters.
The following table provides descriptions of the toolbar options.
Add or Edit Source Dialog
The Add Source dialog and the Edit Source dialog the contain the same information.
|Name*||Name of the event source.|
|Server Address*||IP Address of the Check Point server.|
|Server Name*||Name of the Check Point server.|
|Certificate Name||Certificate name for secure connections to use when the transport mode is https. If set, the certificate must exist in the certificate trust store that you created using the Settings tab.|
Select a certificate from the drop-down list. The file naming convention for Check Point event source certificates is checkpoint_name-of-event-source.
|Client Distinguished||Enter the Client Distinguished Name from the Check Point server.|
|Client Entity Name||Enter the Client Entity Name from the Check Point server.|
|Server Distinguished||Enter the Server Distinguished Name from the Check Point server.|
|Pull Certificate||Select the checkbox to pull a certificate for first time. Pulling a certificate makes it available from the trust store.|
|Certificate Server Address||IP Address of the server on which the certificate resides.|
|Password||Only active when you select the Pull Certificate checkbox for first time. Password required to pull the certificate. The password is the activation key created when adding an OPSEC application to Check Point on the Check Point server.|
|Enabled||Select the check box to enable the event source configuration to start collection. The check box is selected by default.|
Note: You use less system resources when you configure a Check Point event source connection to stay open for a specific time and specific event volume (transient connection). Security Analytics defaults to the following connection parameters that establish a transient connection:
|Port||Port on the Check Point server that Log Collector connects to. Default value is 18184.|
|Collect Log Type|| |
Type of logs that you want to collect: Valid values are:
If you want to collect both audit and security events, you must create a duplicate event source. For example, first you would create an event source with Audit selected pulling a certificate into the trust store for this event source. Next you would create another event source with the same values except that you would select Security for the Collect Log Type and you would select the same certificate in Certificate Name that you pulled when you set up the first set of parameters for this event source and you would make sure that Pull Certificate was not selected.
|Collect Logs From|| |
When you set up a Check Point event source, Security Analytics collects events from the current log file. Valid values are:
If you choose Start of Log for this parameter value, you may collect a very large amount of data depending on how long the current log file has been collecting events. And, this option is effective only for the first collection session.
|Polling Interval|| |
Interval (amount of time in seconds) between each poll. The default value is 180.
For example, if you specify 180, the collector schedules a polling of the event source every 180 seconds. If the previous polling cycle is still underway, it will wait for it to finish that cycle. If you have a large number of event sources that you are polling, it may take longer than 180 seconds for the polling to start because the threads are busy.
|Max Duration Poll||The maximum duration of polling cycle (how long the cycle lasts) in seconds.|
|Max Events Poll||The maximum number of events per polling cycle (how many events collected per polling cycle).|
|Max Idle Time Poll||Maximum idle time, in seconds, of a polling cycle. 0 indicates no limit.> 300 is the default value.|
Enables or disables the Check Point server as a forwarder. By default it is disabled.
|Log Type (Name Value Pair)||Logs from the event source in Name Value format. By default it is disabled.|
Caution: Only enable debugging (set this parameter to "On" or "Verbose") if you have a problem with an event source and you need to investigate this problem. Enabling debugging will adversely affect the performance of the Log Collector.
Enables and disables debug logging for the event source.
Valid values are:
This parameter is designed to debug and monitor isolated event source collection issues. The debug logging is verbose, so limit the number of event sources to minimize performance impact.
If you change this value, the change takes effect immediately (no restart required).
|Cancel||Closes the dialog without adding the Check Point Firewall host.|
|OK||Adds the current parameter values as a new Check Point host.|
Pull Certificate Dialog
The following table provides descriptions of the Pull Certificate dialog parameters.
|Name||Displays the name of the event source|
|Server Address||Displays the IP Address of the Check Point server.|
|Client Entity Name||Displays the Client Entity Name that you acquire when you configure the Check Point event source for Security Analytics.|
|Password||Activation key created when adding an OPSEC application to Check Point. You need to reenter this password to pull the certificate from the Check Point server.|
|Update||(Only displays in edit mode - click on Password field) Applies edits that you make to the host parameters.|
|Cancel||(Only displays in edit mode - click on Password field) Closes edit mode with applying changes.|
|Cancel||Closes the dialog without pulling a certificate.|
|OK||Pulls the certificate.|