Home

Configuring Check Point Firewalls

 Firewall Analyzer supports LEA support for R54 and above and log import from most versions. 

Determining the Check Point Version Number

To determine the version number of the Check Point that you are running, use the following command:

$FWDIR/bin/fw ver

 where $FWDIR is the directory where Check Point is installed.

Note:

 Check Point LEA is not supported on Firewall Analyzer 64 bit installation.

 

Pre-Requisites

You need to do the following in Smart Dashboard of Check Point Firewall.

Changes in Smart Dashboard :

  1. Open the "Smart Dashboard" where all the rules will be displayed. Set the "Track" value as "Account" instead of "log" for all the rules that are allowing the traffic through the Firewall. This can be done by right clicking on "Track" value for each rule and select "Account". When this is set to "Account" the Check Point firewall will log the information regarding bytes.
  2. After setting the "Track" value as "Account"for all the rules, please install all the policies.

Virtual Firewall (Virtual Domain) logs

There is no separate configuration required in Firewall Analyzer for receving logs from Virtual Firewalls of the Check Point physical device.

If orig_name attribute is present in the syslog data, then Firewall Analyzer considers that the log source is virtual firewall (vdom). Otherwise the application considers that the log source is physical device. The recognition of logs from the virtual firewall is automatic and no manual configuration is required.

There are two ways of obtaining logs from Check Point firewall:

The difference between the two ways are:

If you configure LEA connection, the logs will be collected automatically and processed by the Firewall Analyzer. Whereas, if you want import the logs, manual intervention is required. You need to export the syslogs in Check Point Management Station or from Check Point Smart Tracker UI and then manually import the syslog file in Firewall Analyzer.

Configuring LEA Connection

The following instructions will help you set up an authenticated or unauthenticated connection between Firewall Analyzer and the Check Point Management Server. For additional information please refer the Check Point documentation or contact Check Point technical support.

 For managing the LEA servers the configurations that needs to be done for the different check point firewalls are explained below:

Setting up an Unauthenticated LEA Connection

Follow the steps below to configure an unauthenticated connection from the Check Point Firewall:

Carryout the configuration in the Check Point Firewall Management Station.

  1. In the FWDIRconf directory on the computer where the Check Point Management Server is installed, edit the fwopsec.conf file to include the following line:

    lea_server port 18184

    lea_server auth_port 0
  2. Restart the firewall service

    [4.1] fwstop ; fwstart

    [NG] cpstop ; cpstart
  3. Add a rule to the policy to allow the port defined above port 18184 (assuming default LEA connection port) from the Firewall Analyzer machine to the Check Point Management Server and vice versa.
  4. Install the policy

Adding to LEA Server Lists on Firewall Analyzer

Once this unauthenticated LEA connection has been set up, follow the instructions for Adding an LEA Server to the Firewall Analyzer.

If you are unable to view the Check Point Firewall reports refer the Trouble Shooting Tip.

Setting up an Authenticated LEA Connection

Follow the steps below to configure an authenticated connection from the Check Point Firewall:

Carryout the configuration in the Check Point Firewall Management Station.

  1. In the FWDIRconf directory on the computer where the Check Point Management Server is installed, edit the fwopsec.conf file to include the following line:

lea_server port 0

lea_server auth_port 18184

  1. Restart the firewall service

    [4.1] fwstop ; fwstart

    [NG] cpstop ; cpstart
  2. Add a rule to the policy to allow the port defined above port 18184 (assuming default LEA connection port) from the Firewall Analyzer machine to the Check Point Management Server and vice versa.
  3. Install the policy

The following steps will help you configure an sslca authenticated connection to the Check Point firewall, carryout the configuration in the Check Point firewall Management Station:

  1. Create a new OPSEC Application Object with the following details:
    1. Name (e.g., myleaclient)
    2. Vendor: user defined
    3. Server Entities: none
    4. Client Entities: LEA
  2. Initialize Secure Internal Communication (SIC) for this OPSEC Application Object and enter the activation key (e.g. def456). Note down this activation key, as you will need it later.
  3. Write down the DN of this OPSEC Application Object. This is the Client Distinguished Name, which you need later on.
  4. Open the object of the Check Point Management Server and write down the DN of that object. This is the Server Distinguished Name.
  5. Add a rule to the policy to allow the port defined above, as well as port 18210/tcp (FW1_ica_pull) in order to allow pulling of PKCS#12 certificate from the Firewall Analyzer to the Check Point Management Server. The port 18210/tcp can be shut down after the communication between Firewall Analyzer and the Check Point Management Server has been established successfully.
  6. Install the policy.

Configuring the attributes of Check Point Firewall Server in Firewall Analyzer

OPSEC Application
Object NameEx. myleaclient
Activation KeyEx. def456
SIC NameEx. CN=myleaclient,O=cherry-win1..9mob46
LEA Server
Authentication TypeEx. sslca
SIC NameEx. cn=cp_mgmt,o=cherry-win1..9mob46 

 The attributes to be configured are described in the table below:

AttributesDescription
OPSEC Application - Object NameThis is the applications NAME that is defined when creating the application object in the Policy Editor under the OPSEC Applications Properties Name field.
OPSEC Application - Activation KeyThis is the one time password (Activation Key) that was defined when clicking 'Communications' in the OPSEC Applications Properties window.
OPSEC Application - SIC NameThe SIC name of the OPSEC Application LEA client (the LEA Server on Firewall Analyzer), in the case of authenticated connections.
LEA Server - Authentication TypeThe authentication mechanism to be used. The default value is sslca. Supported values in this field are: sslca, sslca_clear, sslca_comp, sslca_rc4, sslca_rc4_comp, asym_sslca, asym_sslca_comp, asym_sslca_rc4, asym_sslca_rc4_comp, ssl, ssl_opsec, ssl_clear, ssl_clear_opsec, fwn1 and auth_opsec
LEA Server - SIC NameThe SIC name of the Check Point Management Server.

 

Importing Check Point Log Files

Before proceeding with the importing of Check Point logs, you need to do the following changes in the Smart View Tracker of the Check Point Firewall to obtain the complete log information:

Changes in Smart View Tracker :

  1. Open the "Smart View Tracker" and click on "View" > "Query Properties".
  2. Please select the following attributes if they where not selected previously:
  • Elapsed
  • Bytes
  • Client InBound Bytes
  • Client OutBound Bytes
  • Server InBound Bytes
  • Server OutBound Bytes
  • Status
  • URL

For Non-LEA connections, there are two ways to create plain text check point log file and export the log file, which then can be imported in Firewall Analyzer. For LEA connections you can skip the below mentioned methods and follow the LEA configuration instructions.

Method 1:

In the command prompt of Check Point Firewall Management Station execute the following command
fw logexport -d ; -i fw.log -o exportresult.log -n

Note:​

For Check Point NG use the below command: 

fwm logexport -d ; -i fw.log -o exportresult.log -n

where, -d refers to delimiter, -i refers to input log file, -o refers to output ASCII file, and -n implies don't perform DNS resolution of the IP addresses in the Log File (this option significantly improves processing speed).

 For detailed information please refer the Check Point documentation or contact Check Point technical support.

The above command creates an ascii file named exportresult.log. Copy or transfer this file to Firewall Analyzer machine. Then in Firewall Analyzer you can Import this log file.

Method 2 :

  1. In the Check Point Smart Tracker UI (UI where you are seeing all logs in Check Point Management Station), select All Records option in the left tree.
  2. Click "File" > "Export".
  3. Give a proper file name, like exportresult.log. Copy or transfer this file to Firewall Analyzer machine. Then in Firewall Analyzer you can Import this log file.

Trouble Shooting Tip

 If you are unable to view the Check Point Firewall reports carry out the following procedure:

  • Click the Edit/Delete icon of the firewall for which you are unable to view reports. Click Save.
  • Click the Enable Debugging Mode checkbox to enable the Check Point firewall in debugging mode.
  • Once saved, create a support information file through Support tab, and send to fwanalyzer-support@manageengine.com

Video Zone
OpManager Customer Videos
Michael Senatore, Operations Manager, Rojan Australia Pty Ltd.
  
  •  Venkatesan Veerappan, IT Consultant
     Mohd Jaffer Tawfiq Murtaja, Information Security officer from Al Ain sports club
  •  Jonathan ManageEngine Customer
     IT Admin from "Royal flying doctor service", Australia
  •  Michael Senatore, Operations Manager, Rojan Australia Pty Ltd.
     Michael - Network & Tech, ManageEngine Customer
  •  Altaleb Alshenqiti - Ministry of National Guard - Health Affairs
     Donald Stewart, IT Manager from Crest Industries
  •  John Rosser, MIS Manager - Yale Chase Equipment & Services
     David Tremont, Associate Directory of Infrastructure,USA
Related Products