Configuring Check Point Firewalls


Firewall Analyzer supports LEA connections for Check Point R54 and above, and log file import from most versions.

Determining the Check Point Version Number

To determine the version number of Check Point that you are running, use the following command:

$FWDIR/bin/fw ver

where $FWDIR is the directory in which Check Point is installed.

Pre-Requisites

You need to make the following changes in the Smart Dashboard of the Check Point Firewall.

Changes in Smart Dashboard:

  1. Open the "Smart Dashboard", where all the rules are displayed. Set the "Track" value to "Account" instead of "Log" for all the rules that allow traffic through the firewall. To do this, right-click the "Track" value of each rule and select "Account". When "Track" is set to "Account", the Check Point firewall logs the byte counts for the traffic matched by the rule.
  2. After setting the "Track" value to "Account" for all the rules, install the policies.

There are two ways of obtaining logs from the Check Point firewall: an LEA connection, or importing exported log files. The difference between the two is:

If you configure an LEA connection, the logs are collected automatically and processed by Firewall Analyzer.

If you import the logs, manual intervention is required.

Configuring LEA Connection

The following instructions will help you set up an authenticated or an unauthenticated connection between Firewall Analyzer and the Check Point Management Server. For additional information, refer to the Check Point documentation or contact Check Point technical support.

The configuration required on the Check Point firewall for each type of LEA connection is explained below:

Setting up an Unauthenticated LEA Connection

Follow the steps below to configure an unauthenticated connection from the Check Point Firewall:

Carry out the configuration on the Check Point Firewall Management Station.

  1. In the FWDIR\conf directory on the computer where the Check Point Management Server is installed, edit the fwopsec.conf file to include the following lines:
    lea_server port 18184
    lea_server auth_port 0
  2. Restart the firewall service:
    [4.1] fwstop ; fwstart
    [NG] cpstop ; cpstart
  3. Add a rule to the policy that allows the port defined above (18184, the default LEA connection port) from the Firewall Analyzer machine to the Check Point Management Server and vice versa.
  4. Install the policy.

Adding to LEA Server Lists on Firewall Analyzer

Once this unauthenticated LEA connection has been set up, follow the instructions for Adding an LEA Server to Firewall Analyzer.

If you are unable to view the Check Point Firewall reports, refer to the Troubleshooting Tip.

Setting up an Authenticated LEA Connection

The following steps will help you configure an sslca-authenticated connection to the Check Point firewall. Carry out the configuration on the Check Point Firewall Management Station:

  1. Create a new OPSEC Application Object with the following details:
    1. Name (e.g. myclient)
    2. Vendor: user defined
    3. Server Entities: none
    4. Client Entities: LEA
  2. Initialize Secure Internal Communication (SIC) for this OPSEC Application Object and enter the activation key (e.g. def456). Note down this activation key, as you will need it later.
  3. Write down the DN of this OPSEC Application Object. This is the Client Distinguished Name, which you will need later on.
  4. Open the object of the Check Point Management Server and write down the DN of that object. This is the Server Distinguished Name.
  5. Add a rule to the policy that allows the port defined above, as well as port 18210/tcp (FW1_ica_pull), so that Firewall Analyzer can pull the PKCS#12 certificate from the Check Point Management Server. Port 18210/tcp can be closed again once communication between Firewall Analyzer and the Check Point Management Server has been established successfully.
  6. Install the policy.

Changes to LEA Server on Firewall Analyzer

Once this has been set up, edit the LEA configuration file for this Check Point firewall:

  1. Get the opsec_pull_cert tool, either from opsec-tools.tar.gz on the project home page or directly from the OPSEC SDK. This tool is needed to establish Secure Internal Communication (SIC) between Firewall Analyzer and the Check Point Management Server.
  2. Get the client certificate from the Check Point Management Server (e.g. 10.1.1.1). The activation key has to be the same one specified earlier in the firewall policy. Then copy the resulting PKCS#12 file (default: opsec.p12) to the <FirewallAnalyzer_Home>/server/default/leaconf directory.

    opsec_pull_cert -h 10.1.1.1 -n myleaclient -p def456

    where -h is the IP address of the Check Point Management Server, -n is the name of the LEA object added in the Smart Dashboard, and -p is the activation key.

  3. Define the IP address (e.g. 10.1.1.1), port (e.g. 18184), authentication type, and SIC names for the authenticated LEA connection (the SIC names are the Client DN and Server DN that were noted down earlier):
    lea_server ip 10.1.1.1
    lea_server auth_port 18184
    lea_server auth_type sslca
    opsec_sslca_file opsec.p12 (Note: give the absolute path of opsec.p12)
    opsec_sic_name "CN=myleaclient,O=cpmodule..gysidy"
    lea_server opsec_entity_sic_name "cn=cp_mgmt,o=cpmodule..gysidy"
Note

For example, the absolute path on Windows would be like "C:\AdventNet\ME\Firewall\server\default\leaconf\opsec.p12", and the absolute path on Linux would be like "/root/Firewall/server/default/leaconf/opsec.p12".

The above paths are only examples; configure the actual absolute path in the entry, and specify the path within quotes.

The LEA Configuration File

The LEA configuration files are present in the <FirewallAnalyzer_Home>/server/default/leaconf directory. By default, only the leaclient.conf file is present here. If you are adding a single Check Point firewall, use this file to configure LEA client parameters.

Note

If you are configuring more than one Check Point firewall, create a separate .conf file with the same name as the host name entered when the LEA Server was added in Firewall Analyzer.


The parameters to be set in the LEA client configuration file are described below:

  lea_server ip <IP address>
    The IP address to which the LEA Server on Firewall Analyzer connects.
  lea_server port <port number>
    The port to which the LEA Server on Firewall Analyzer connects, for an unauthenticated connection.
  lea_server auth_port <port number>
    The port to which the LEA Server on Firewall Analyzer connects, for an authenticated connection.
  lea_server auth_type <authentication mechanism>
    The authentication mechanism to be used. The default value is sslca. Supported values are: sslca, sslca_clear, sslca_comp, sslca_rc4, sslca_rc4_comp, asym_sslca, asym_sslca_comp, asym_sslca_rc4, asym_sslca_rc4_comp, ssl, ssl_opsec, ssl_clear, ssl_clear_opsec, fwn1 and auth_opsec.
  opsec_sslca_file <p12-file>
    The location of the PKCS#12 certificate, for authenticated connections.
  opsec_sic_name <SIC name of LEA-client>
    The SIC name of the LEA client (the LEA Server on Firewall Analyzer), for authenticated connections.
  lea_server opsec_entity_sic_name <SIC name of LEA-server>
    The SIC name of the Check Point Management Server.
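As an added example (not code from Firewall Analyzer or Check Point), the following Python script parses a leaclient.conf of the form shown in the authenticated LEA steps above and checks it against the parameter descriptions in this table: that lea_server ip is present, that either lea_server port or lea_server auth_port is set, that auth_type is one of the listed values, that the entries an authenticated connection needs are all present, and that opsec_sslca_file is an absolute path. The sample configuration, its DN values and its file path are constructed; the line format assumed by the parser (keyword tokens followed by one optionally quoted value) is this example's own reading of the entries above, not a specification from Firewall Analyzer.

```python
"""Added example (not Firewall Analyzer or Check Point code): parse an LEA
client configuration file of the kind shown above and check it against the
documented parameters before the LEA Server tries to connect."""
import re
import shlex

# The values the page lists as supported for lea_server auth_type.
SUPPORTED_AUTH_TYPES = {
    "sslca", "sslca_clear", "sslca_comp", "sslca_rc4", "sslca_rc4_comp",
    "asym_sslca", "asym_sslca_comp", "asym_sslca_rc4", "asym_sslca_rc4_comp",
    "ssl", "ssl_opsec", "ssl_clear", "ssl_clear_opsec", "fwn1", "auth_opsec",
}

# Entries an authenticated (auth_port) connection needs in addition to lea_server ip.
AUTH_REQUIRED = ("opsec_sslca_file", "opsec_sic_name", "lea_server opsec_entity_sic_name")

# Constructed sample of an authenticated leaclient.conf, modelled on the entries
# above (the DN values and the path are illustrative, not real).
SAMPLE_CONF = """
# authenticated LEA connection to the management server
lea_server ip 10.1.1.1
lea_server auth_port 18184
lea_server auth_type sslca
opsec_sslca_file "/root/Firewall/server/default/leaconf/opsec.p12"
opsec_sic_name "CN=myleaclient,O=cpmodule..gysidy"
lea_server opsec_entity_sic_name "cn=cp_mgmt,o=cpmodule..gysidy"
"""


def parse_lea_conf(text):
    """Return {parameter: value}.  Each line is one or more keyword tokens
    followed by a single (optionally quoted) value token; lines starting
    with '#' are comments (assumed format, see lead-in)."""
    params = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = shlex.split(line)
        if len(tokens) < 2:
            raise ValueError(f"malformed line: {raw!r}")
        params[" ".join(tokens[:-1])] = tokens[-1]
    return params


def is_absolute_path(path):
    """Accept POSIX (/...) and Windows (C:\\...) absolute paths regardless of host OS."""
    return path.startswith("/") or re.match(r"^[A-Za-z]:[\\/]", path) is not None


def is_valid_port(value):
    return value.isdigit() and 1 <= int(value) <= 65535


def validate_lea_conf(params):
    """Return a list of problems; an empty list means the file looks usable."""
    problems = []
    if "lea_server ip" not in params:
        problems.append("lea_server ip is missing")
    authenticated = "lea_server auth_port" in params
    if not authenticated and "lea_server port" not in params:
        problems.append("set lea_server port (unauthenticated) or lea_server auth_port (authenticated)")
    for key in ("lea_server port", "lea_server auth_port"):
        if key in params and not is_valid_port(params[key]):
            problems.append(f"{key} is not a valid port: {params[key]!r}")
    if authenticated:
        auth_type = params.get("lea_server auth_type", "sslca")  # the table gives sslca as default
        if auth_type not in SUPPORTED_AUTH_TYPES:
            problems.append(f"unsupported lea_server auth_type: {auth_type!r}")
        for key in AUTH_REQUIRED:
            if key not in params:
                problems.append(f"{key} is required for an authenticated connection")
        p12 = params.get("opsec_sslca_file")
        if p12 is not None and not is_absolute_path(p12):
            problems.append(f"opsec_sslca_file must be an absolute path: {p12!r}")
        # Both SIC names are DNs written down from the Smart Dashboard objects.
        for key in ("opsec_sic_name", "lea_server opsec_entity_sic_name"):
            if key in params and not params[key].lower().startswith("cn="):
                problems.append(f"{key} does not look like a SIC DN: {params[key]!r}")
    return problems


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONF
    for problem in validate_lea_conf(parse_lea_conf(text)) or ["configuration looks usable"]:
        print(problem)
```

Run it with the path of the .conf file as the only argument; without an argument it checks the embedded sample. A relative opsec_sslca_file is the mistake the Note above warns about, and it is reported here before the LEA Server is restarted.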


Importing Check Point Log Files

Before proceeding with the import of Check Point logs, you need to make the following changes in the Smart View Tracker of the Check Point Firewall to obtain the complete log information:

Changes in Smart View Tracker:

  1. Open the "Smart View Tracker" and click "View" > "Query Properties".
  2. Select the following attributes if they were not selected previously:

For non-LEA connections, there are two ways to create a plain-text Check Point log file and export it, so that it can then be imported into Firewall Analyzer. For LEA connections you can skip the methods below and follow the LEA configuration instructions.

Method 1:

In the command prompt of the Check Point Firewall Management Station, execute the following command:

fw logexport -d ; -i fw.log -o exportresult.log -n

Note

For Check Point NG, use the command below:

fwm logexport -d ; -i fw.log -o exportresult.log -n

where -d is the field delimiter (here ";"), -i is the input log file, -o is the output ASCII file, and -n means do not perform DNS resolution of the IP addresses in the log file (this option significantly improves processing speed).

For detailed information, refer to the Check Point documentation or contact Check Point technical support.

The above command creates an ASCII file named exportresult.log. Copy or transfer this file to the Firewall Analyzer machine. Then, in Firewall Analyzer, you can import this log file.
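As an added example that is not part of this documentation or of Check Point's tools, the following Python script reads an export of the kind produced by the fw logexport command above (a header line of field names, then one ";"-delimited record per line) and summarises it before import: actions per record, bytes per rule from the accounting records, drops per source, and the accepting rules that produced no accounting record at all (a sign that their Track value is still Log rather than Account, as required in the Pre-Requisites). The field names, hosts and values in the embedded sample are constructed for this example and need not match a real export.

```python
"""Added example (not Firewall Analyzer or Check Point code): parse the
delimited ASCII file written by fw logexport and summarise it the way an
analyst would before importing it, including a check that the rules which
pass traffic are tracked with "Account" (byte counts) rather than plain "Log"."""
import csv
import io
from collections import Counter, defaultdict

# Constructed sample in the shape of an export made with "-d ;": the first line
# names the fields, each later line is one record.  The field names, hosts and
# values are invented for this example and may differ from a real export.
SAMPLE_EXPORT = """\
num;date;time;orig;type;action;i/f_name;i/f_dir;src;dst;proto;service;rule;bytes
1;3Jun2008;10:15:01;fw-gw1;log;accept;eth0;inbound;10.1.2.5;192.168.10.20;tcp;http;3;
2;3Jun2008;10:15:02;fw-gw1;account;accept;eth0;inbound;10.1.2.5;192.168.10.20;tcp;http;3;45210
3;3Jun2008;10:15:04;fw-gw1;log;drop;eth0;inbound;172.16.9.9;192.168.10.20;tcp;telnet;12;
4;3Jun2008;10:15:09;fw-gw1;account;accept;eth1;outbound;192.168.10.44;10.1.2.7;udp;domain;5;812
5;3Jun2008;10:15:11;fw-gw1;log;drop;eth0;inbound;172.16.9.9;192.168.10.21;tcp;ssh;12;
6;3Jun2008;10:15:20;fw-gw1;log;accept;eth1;outbound;192.168.10.50;10.1.2.8;tcp;smtp;7;
"""


def parse_logexport(text, delimiter=";"):
    """Return the records as a list of dicts keyed by the header fields.
    The delimiter must match the one given to fw logexport with -d."""
    reader = csv.DictReader(io.StringIO(text), delimiter=delimiter)
    records = []
    for row in reader:
        # DictReader parks surplus fields under the key None and fills missing
        # ones with None; either means the line does not match the header.
        if None in row or any(value is None for value in row.values()):
            raise ValueError(f"record {row.get('num')!r} has a different number of fields than the header")
        records.append(row)
    return records


def summarize(records):
    """Counts per action, bytes per rule (from accounting records) and drops per source."""
    actions = Counter(r["action"] for r in records)
    bytes_per_rule = defaultdict(int)
    for r in records:
        if r["type"] == "account" and r["bytes"]:
            bytes_per_rule[r["rule"]] += int(r["bytes"])
    drops_by_src = Counter(r["src"] for r in records if r["action"] == "drop")
    return {
        "actions": dict(actions),
        "bytes_per_rule": dict(bytes_per_rule),
        "drops_by_src": dict(drops_by_src),
    }


def rules_without_accounting(records):
    """Rules that accept traffic but never produced an accounting record.  Such a
    rule is most likely still tracked as "Log" rather than "Account", so the export
    carries no byte counts for it and the traffic reports will be incomplete."""
    accepting = {r["rule"] for r in records if r["action"] == "accept"}
    accounted = {r["rule"] for r in records if r["type"] == "account"}
    return sorted(accepting - accounted, key=int)


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_EXPORT
    recs = parse_logexport(text)
    print(summarize(recs))
    print("accepting rules without Account tracking:", rules_without_accounting(recs))
```

Run it with the exported file as the only argument (or no argument to use the embedded sample). If the export was made with a different -d value, pass that character as the delimiter to parse_logexport; a record whose field count differs from the header raises an error rather than being silently misaligned.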

Method 2:

  1. In the Check Point Smart View Tracker UI (the UI in which all logs are displayed on the Check Point Management Station), select the All Records option in the left tree.
  2. Click "File" > "Export".
  3. Give a proper file name, such as exportresult.log. Copy or transfer this file to the Firewall Analyzer machine. Then, in Firewall Analyzer, you can import this log file.

Troubleshooting Tip

If you are unable to view the Check Point Firewall reports, carry out the following procedure:

Copyright © 2008, AdventNet Inc. All Rights Reserved.