Fortinet black logo

External Systems Configuration Guide

MDS for Check Point Provider-1

Configuring MDS for Check Point Provider-1 Firewalls

The Check Point Provider-1 firewall Multi-Domain Server (MDS) is where domains are configured and certificates are generated for communicating with FortiSIEM. If you want to have domain logs from the Multi-Domain Log Module (MLM) sent from your firewall to FortiSIEM, you must first configure and discover MDS, then use the AO Client SIC created for your FortiSIEM OPSEC application to configure the access credentials for MLM.

Discover Paired Components on the Same Collector or Supervisor

Discovery of the MLM requires the certificate of the MDS, and discovery of the CLM requires the certificate of the CMA. Make sure that you discover the MDS & MLM pair, and the CMA & CLM pair, on the same Supervisor or Collector. If you attempt to discover them on separate Collectors, discovery will fail.

Configuration

Get the MDS Server SIC for FortiSIEM Access Credentials

You will use the MDS Server SIC to create access credentials in FortiSIEM for communicating with your server.

  1. Log in to your Check Point SmartDomain Manager.
  2. Select Multi-Domain Server Contents.
  3. Select MDS, and then right-click to select Configure Multi-Domain Server... .
  4. In the General tab, under Secure Internet Communication, note the value for DN.
Add FortiSIEM as a Managed Node
  1. Log in to your Check Point SmartDomain Manager.
  2. In the Global Policies tab, select Multi-Domain Security Management, and then right-click to select Launch Global SmartDashboard.
  3. Select the Firewall tab.
  4. Click the Network Objects icon.
  5. Select Nodes, and then right-click to select Node > Host... .
  6. Select General Properties.
  7. Enter a Name for your FortiSIEM host, like FortiSIEMVA.
  8. Enter the IP Address of your FortiSIEM virtual appliance.
  9. Click OK.
Create an OPSEC Application for FortiSIEM
  1. In the Firewall tab, click the Servers and OPSEC icon.
  2. Select OPSEC Applications, and then right-click to select New > OPSEC Application.
  3. Click the General tab.
  4. Enter a Name for your OPSEC application, like OPSEC_FortiSIEMVA.
  5. For Host, select the FortiSIEM host.
  6. Under Client Entities, select LEA and CPMI.
    For Check Point FireWall-1, also select SNMP.
  7. Click Communication.
  8. Enter a one-time password.
    This is the password you will use in setting up access credentials for your firewall in FortiSIEM.
  9. Click Initialize.
  10. Close and re-open the application.
  11. In the General tab, next to Communication, the DN field will now contain a value like CN= OPSEC_FortiSIEMVA,0=MDS..i6g4zq.
    This is the FortiSIEM Client SIC DN that you will need when you copy the secure internal communication certificates and set the access credentials for your firewall in FortiSIEM.
Create a Firewall Policy for FortiSIEM
  1. In Servers and Opsec > OPSEC Applications, select your FortiSIEM application.
  2. In the Rules menu, select Top.
  3. Right-click SOURCE, then click Add and select your FortiSIEM virtual appliance.
  4. Right-click DESTINATION, then click Add and select your Check Point firewall.
  5. Right-click SERVICE, then click Add and select FW1_lea, and CPMI.
    Also select snmp if you are configuring a Check Point FireWall-1 firewall.
  6. Right-click ACTION and select Accept.
  7. Right-click TRACK and select Log.
  8. Go to Policy > Install.
  9. Click OK.
  10. Go to OPSEC Applications and select your FortiSIEM application.
  11. In the General tab of the Properties window, make sure that the communications have been enabled between your firewall and FortiSIEM.
Copy Secure Internal Communication (SIC) certificates
Copy Client SIC
  1. Go to Manage > Server and OPSEC Applications.
  2. Select OPSEC Application and then right-click to select accelops.
  3. Click Edit.
  4. Enter the SIC DN of your application.
Copy Server SIC
  1. In the Firewall tab, go to Manage.
  2. Click the Network Object icon, and then right-click to select Check Point Gateway.
  3. Click Edit.
  4. Enter the SIC DN.
  5. If there isn't a field to enter the SIC DN, click Test SIC Status and a dialog will display the SIC DN.

You can now configure FortiSIEM to communicate with your device. For more information, refer to sections "Discovery Settings" and "Setting Credentials" in the User Guide.

Settings for Access Credentials

Settings for Check Point Provider-1 Firewall SSLCA Access Credentials

Use these Access Method Definition settings to allow FortiSIEM to access your Check Point Provider-1 Firewall MDS. When you complete the access credentials, click Generate Certificate to establish access between your firewall and FortiSIEM.

SettingValue
NameMDS
Device TypeCheckpoint Provider-1 MDS
Access ProtocolCheckPoint SSLCA
MDS IPThe IPS address of your server
Checkpoint LEA PortThe port used by LEA on your server
AO Client SICThe DN number of your FortiSIEM OPSEC application
MDS Server SICThe DN number of your server
PasswordThe password associated with the administrative user
CPMI PortThe port used by CPMI on your server
Activation KeyThe password you used in creating your OPSEC application
  1. Generate a certificate for MDS communication in FortiSIEM.
    1. Configure Checkpoint Provider-1 MDS credential as shown below.
      Activation key was the one-time password you input in Create an OPSEC Application for FortiSIEM
      AO Client SIC was generated in Create an OPSEC Application for FortiSIEM
      MDS Server SIC was generated in Get the MDS Server SIC for FortiSIEM Access Credentials
    2. Click Generate Certificate. It should be successful. Note that the button will be labeled Regenerate Certificate if you have already generated the certificate once.

Configuring MDS for Check Point Provider-1 Firewalls

The Check Point Provider-1 firewall Multi-Domain Server (MDS) is where domains are configured and certificates are generated for communicating with FortiSIEM. If you want to have domain logs from the Multi-Domain Log Module (MLM) sent from your firewall to FortiSIEM, you must first configure and discover MDS, then use the AO Client SIC created for your FortiSIEM OPSEC application to configure the access credentials for MLM.

Discover Paired Components on the Same Collector or Supervisor

Discovery of the MLM requires the certificate of the MDS, and discovery of the CLM requires the certificate of the CMA. Make sure that you discover the MDS & MLM pair, and the CMA & CLM pair, on the same Supervisor or Collector. If you attempt to discover them on separate Collectors, discovery will fail.

Configuration

Get the MDS Server SIC for FortiSIEM Access Credentials

You will use the MDS Server SIC to create access credentials in FortiSIEM for communicating with your server.

  1. Log in to your Check Point SmartDomain Manager.
  2. Select Multi-Domain Server Contents.
  3. Select MDS, and then right-click to select Configure Multi-Domain Server... .
  4. In the General tab, under Secure Internet Communication, note the value for DN.
Add FortiSIEM as a Managed Node
  1. Log in to your Check Point SmartDomain Manager.
  2. In the Global Policies tab, select Multi-Domain Security Management, and then right-click to select Launch Global SmartDashboard.
  3. Select the Firewall tab.
  4. Click the Network Objects icon.
  5. Select Nodes, and then right-click to select Node > Host... .
  6. Select General Properties.
  7. Enter a Name for your FortiSIEM host, like FortiSIEMVA.
  8. Enter the IP Address of your FortiSIEM virtual appliance.
  9. Click OK.
Create an OPSEC Application for FortiSIEM
  1. In the Firewall tab, click the Servers and OPSEC icon.
  2. Select OPSEC Applications, and then right-click to select New > OPSEC Application.
  3. Click the General tab.
  4. Enter a Name for your OPSEC application, like OPSEC_FortiSIEMVA.
  5. For Host, select the FortiSIEM host.
  6. Under Client Entities, select LEA and CPMI.
    For Check Point FireWall-1, also select SNMP.
  7. Click Communication.
  8. Enter a one-time password.
    This is the password you will use in setting up access credentials for your firewall in FortiSIEM.
  9. Click Initialize.
  10. Close and re-open the application.
  11. In the General tab, next to Communication, the DN field will now contain a value like CN= OPSEC_FortiSIEMVA,0=MDS..i6g4zq.
    This is the FortiSIEM Client SIC DN that you will need when you copy the secure internal communication certificates and set the access credentials for your firewall in FortiSIEM.
Create a Firewall Policy for FortiSIEM
  1. In Servers and Opsec > OPSEC Applications, select your FortiSIEM application.
  2. In the Rules menu, select Top.
  3. Right-click SOURCE, then click Add and select your FortiSIEM virtual appliance.
  4. Right-click DESTINATION, then click Add and select your Check Point firewall.
  5. Right-click SERVICE, then click Add and select FW1_lea, and CPMI.
    Also select snmp if you are configuring a Check Point FireWall-1 firewall.
  6. Right-click ACTION and select Accept.
  7. Right-click TRACK and select Log.
  8. Go to Policy > Install.
  9. Click OK.
  10. Go to OPSEC Applications and select your FortiSIEM application.
  11. In the General tab of the Properties window, make sure that the communications have been enabled between your firewall and FortiSIEM.
Copy Secure Internal Communication (SIC) certificates
Copy Client SIC
  1. Go to Manage > Server and OPSEC Applications.
  2. Select OPSEC Application and then right-click to select accelops.
  3. Click Edit.
  4. Enter the SIC DN of your application.
Copy Server SIC
  1. In the Firewall tab, go to Manage.
  2. Click the Network Object icon, and then right-click to select Check Point Gateway.
  3. Click Edit.
  4. Enter the SIC DN.
  5. If there isn't a field to enter the SIC DN, click Test SIC Status and a dialog will display the SIC DN.

You can now configure FortiSIEM to communicate with your device. For more information, refer to sections "Discovery Settings" and "Setting Credentials" in the User Guide.

Settings for Access Credentials

Settings for Check Point Provider-1 Firewall SSLCA Access Credentials

Use these Access Method Definition settings to allow FortiSIEM to access your Check Point Provider-1 Firewall MDS. When you complete the access credentials, click Generate Certificate to establish access between your firewall and FortiSIEM.

SettingValue
NameMDS
Device TypeCheckpoint Provider-1 MDS
Access ProtocolCheckPoint SSLCA
MDS IPThe IPS address of your server
Checkpoint LEA PortThe port used by LEA on your server
AO Client SICThe DN number of your FortiSIEM OPSEC application
MDS Server SICThe DN number of your server
PasswordThe password associated with the administrative user
CPMI PortThe port used by CPMI on your server
Activation KeyThe password you used in creating your OPSEC application
  1. Generate a certificate for MDS communication in FortiSIEM.
    1. Configure Checkpoint Provider-1 MDS credential as shown below.
      Activation key was the one-time password you input in Create an OPSEC Application for FortiSIEM
      AO Client SIC was generated in Create an OPSEC Application for FortiSIEM
      MDS Server SIC was generated in Get the MDS Server SIC for FortiSIEM Access Credentials
    2. Click Generate Certificate. It should be successful. Note that the button will be labeled Regenerate Certificate if you have already generated the certificate once.