Check Point Collection: Step 2. Configure Check Point in SA

Document created by RSA Information Design and Development on Jun 25, 2017
Last modified by RSA Information Design and Development on Jul 28, 2017
Version 2

This topic tells you how to configure Check Point event sources for the Log Collector.

After completing this procedure, you will have...

  • Configured a Check Point event source.
  • Modified a Check Point event source.
  • Pulled a Certificate for a Check Point event source.

Procedures

Configure a Check Point Event Source

  1. In the Security Analytics menu, select Administration > Services.
  2. In the Services grid, select a Log Collector service.
  3. Click the expand button (AdvcdExpandBtn.PNG) under Actions and select View > Config.
  4. In the Event Sources tab, select Check Point/Config from the drop-down menu.
  5. In the Event Categories panel toolbar, click the Add icon (Icon-Add.png).
    The Available Event Source Types dialog is displayed.
  6. Select an event source type (for example, checkpoint) and click OK.
    The newly added event source type is displayed in the Event Categories panel.
  7. Select the new type in the Event Categories panel and click the Add icon (Icon-Add.png) in the Sources toolbar.
    The Add Source dialog is displayed.
  8. Define parameter values (see Check Point Collection: Configuration Parameters for definitions of each parameter).

Note: You use fewer system resources when you set up a transient connection, that is, a connection that stays open only for the time and event volume you specify. By default, the parameters are set up for a transient connection, as follows:
Max Events Poll = 0
Polling Interval = 0
Max Duration Poll = 0
Polling Interval = -1
Specify the number of events and the length of time you want the connection to stay open in the Max Events, Polling Interval, Max Duration Poll, and Polling Interval parameters.

For very active Check Point event sources, it is good practice to set up a connection that stays open until you stop collection (a persistent connection). This ensures that Check Point collection keeps pace with the events generated by these active event sources. A persistent connection avoids restart and connection delays and prevents Check Point collection from lagging behind event generation. To establish a persistent connection for a Check Point event source, set the following parameters to the following values:
5000Polling Interval = 180 (3 minutes)
Max Duration Poll = 120 (2 minutes)
Max Events Poll = 0



  9. Select Pull Certificate to pull a certificate for the first time. This makes the certificate available from the trust store.
  10. Click OK.

The new event source is displayed in the Sources panel.

Pull Certificate

Complete the following procedure if you:

  • did not pull a certificate when you configured a Check Point event source, or
  • need to re-pull a certificate.

To pull a certificate:

  1. In the Security Analytics menu, select Administration > Services.
  2. In the Services grid, select a Log Collector service.
  3. Click the expand button (AdvcdExpandBtn.PNG) under Actions and select View > Config.
  4. In the Event Sources tab, select Check Point/Config from the drop-down menu.
  5. Select an event source type in the Event Categories panel.
    The sources for this type are displayed in the Sources panel.
  6. Select a source, or multiple sources, and click the Pull Certificate icon (PullCertificateIcon.PNG).
    The settings of the Check Point server(s) from which you can pull certificates are displayed.
  7. Click the text box under Password.
    All the fields become editable.
  8. Enter a password, click Update, and click OK.

Note: You must specify a password. You can also modify the other Check Point server certificate parameters (Audit, Server Address, and Client Entity Name) if needed.

Security Analytics pulls the certificate.

Modify a Check Point Event Source

To modify an event source:

  1. In the Security Analytics menu, select Administration > Services.
  2. In the Services grid, select a Log Collector service.
  3. Click the expand button (AdvcdExpandBtn.PNG) under Actions and select View > Config.
  4. In the Event Sources tab, select Check Point/Config from the drop-down menu.
    The Event Categories panel is displayed with the event sources that are configured, if any.
  5. Select an event source type in the Event Categories panel.
    The event sources for this type are displayed in the Sources panel.
  6. Select a source and click the Edit icon (icon-edit.png) in the toolbar.
    The Edit Source dialog is displayed.
  7. Modify the parameters that require changes and click Save.
    Security Analytics applies the parameter changes to the selected event source.

Parameters

Check Point Collection: Configuration Parameters
