Log Collection: Check Point Parameters

Document created by RSA Information Design and Development on Sep 11, 2017Last modified by RSA Information Design and Development on Oct 12, 2017
Version 7Show Document
  • View in full screen mode
  

The Check Point Collection protocol collects events from Check Point event sources using OPSEC LEA. OPSEC LEA is the Check Point Operations Security Log Export API that facilitates the extraction of logs.

Workflow

This workflow illustrates the basic tasks needed to start collecting events through Log Collection.

Log Collection workflow shows the basic tasks for collecting events.

What do you want to do?

                  
RoleI want to...Documentation
AdministratorConfigure Check Point parameters.Configure Check Point Event Sources in NetWitness Suite

Related Topics

Check Point Collection Configuration Parameters

Basic Parameters

                                                       
ParameterDescription
Name*Name of the event source.
Address*IP Address of the Check Point server.
Server Name*Name of the Check Point server.
Certificate Name

Certificate name for secure connections to use when the transport mode is https. If set, the certificate must exist in the certificate trust store that you created using the Settings tab.

Select a certificate from the drop-down list. The file naming convention for Check Point event source certificates is checkpoint_name-of-event-source.

Client Distinguished

Enter the Client Distinguished Name from the Check Point server.

Client Entity Name

Enter the Client Entity Name from the Check Point server.

Server Distinguished

Enter the Server Distinguished Name from the Check Point server.

Enabled

Select the check box to enable the event source configuration to start collection. The check box is selected by default.

Pull Certificate

Select the checkbox  to pull a certificate for first time.  Pulling a certificate makes it available from the trust store.

Certificate Server Address

IP Address of the server on which the certificate resides. Defaults to the event source address.

Password

Only active when you select the Pull Certificate checkbox for first time. Password required to pull the certificate. The password is the activation key created when adding an OPSEC application to Check Point on the Check Point server.

Determine Advanced Parameter Values for Check Point Collection

You use less system resources when you configure a Check Point event source connection to stay open for a specific time and specific event volume (transient connection). RSA NetWitness Suite defaults to the following connection parameters that establish a transient connection:

  • Polling Interval = 180 (3 minutes)
  • Max Duration Poll = 120 (2 minutes)
  • Max Events Poll = 5000 (5000 events per polling interval)
  • Max Idle Time Poll = 0

For very active Check Point event sources, it is a good practice to set up a connection that stays open until you stop collection (persistent connection). This ensures that Check Point collection maintains the pace of the events generated by these active event sources. The persistent connection avoids restart and connection delays and prevents Check Point collection from lagging behind event generation.

To establish a persistent connection for a Check Point event source, set the following parameters to the following values:

  • Polling Interval = -1
  • Max Duration Poll = 0
  • Max Events Poll = 0
  • Max Idle Time Poll = 0
                                                   
ParameterDescription
PortPort on the Check Point server that Log Collector connects to. Default value is 18184.
Collect Log Type

Type of logs that you want to collect:  Valid values are:

  • Audit - collects audit events.
  • Security - collects security events.

If you want to collect both audit and security events, you must create a duplicate event source. For example, first you would create an event source with Audit selected pulling a certificate into the trust store for this event source. Next you would create another event source with the same values except that you would select Security for the Collect Log Type and you would select the same certificate in Certificate Name that you pulled when you set up the first set of parameters for this event source and you would make sure that Pull Certificate was not selected.

Collect Logs From

When you set up a Check Point event source, Security Analytics collects events from the current log file. Valid values are:

  • Now - Start collecting logs now (at this point in time in the current log file). 
  • Start of Log - Collect logs from the beginning of the current log file.

If you choose "Start of Log" for this parameter value, you may collect a very large amount of data depending on how long the current log file has been collecting events. Note that this option is effective only for the first collection session.

Polling Interval

Interval (amount of time in seconds) between each poll. The default value is 180.

For example, if you specify 180, the collector schedules a polling of the event source every 180 seconds. If the previous polling cycle is still underway, it will wait for it to finish that cycle. If you have a large number of event sources that you are polling, it may take longer than 180 seconds for the polling to start because the threads are busy.

Max Duration PollThe maximum duration of polling cycle (how long the cycle lasts) in seconds.
Max Events PollThe maximum number of events per polling cycle (how many events collected per polling cycle).
Max Idle Time PollMaximum idle time, in seconds, of a polling cycle. 0 indicates no limit.> 300 is the default value.
ForwarderEnables or disables the Check Point server as a forwarder. By default it is disabled.

Log Type (Name Value Pair)

Logs from the event source in Name Value format. By default it is disabled.

Debug

Caution: Only enable debugging (set this parameter to "On" or "Verbose") if you have a problem with an event source and you need to investigate this problem. Enabling debugging will adversely affect the performance of the Log Collector.

Enables and disables debug logging for the event source.

Valid values are:

  • Off = (default) disabled
  • On = enabled
  • Verbose = enabled in verbose mode ‐ adds thread information and source context information to the messages.

This parameter is designed to debug and monitor isolated event source collection issues. The debug logging is verbose, so limit the number of event sources to minimize performance impact.

If you change this value, the change takes effect immediately (no restart required).

Previous Topic:Azure Parameters
Next Topic:File Parameters
You are here
Table of Contents > Reference > Check Point Parameters

Attachments

    Outcomes