Fortinet black logo

External Systems Configuration Guide

Configuring CMA for Check Point Provider-1 Firewalls

Configuring CMA for Check Point Provider-1 Firewalls

The Check Point Provider-1 Customer Management Add-On (CMA) creates logs that are then consolidated by the Customer Log Module (CLM). If you want the CLM to send logs to FortiSIEM, you must first configure the CMA and obtain the AO Client SIC to configure access credentials for communication between the CLM and FortiSIEM.

Discover Paired Components on the Same Collector or Supervisor

Discovery of the MLM requires the certificate of the MDS, and discovery of the CLM requires the certificate of the CMA. Make sure that you discover the MDS & MLM pair, and the CMA & CLM pair, on the same Supervisor or Collector. If you attempt to discover them on separate Collectors, discovery will fail.

Configuration

Get CMA Server SIC for Setting Up FortiSIEM Access Credentials
  1. Log in to your Check Point SmartDomain Manager.
  2. Click the General tab.
  3. Select Domain Contents.
  4. Select the Domain Management Server and right-click to select Launch Application > Smart Dashboard.
  5. Select the Desktop tab.
  6. Select the Network Objects icon.
  7. Double-click on the Domain Management Server to view the General Properties dialog.
  8. Click Test SIC Status... .
    Note the value for DN. You will use this for the CMA Server SIC setting when creating the access credentials for FortiSIEM to access your CMA server.
Add FortiSIEM as a Managed Node

  1. Log in to your Check Point SmartDomain Manager.
  2. In the Global Policies tab, select Multi-Domain Security Management, and then right-click to select Launch Global SmartDashboard.
  3. Select the Firewall tab.
  4. Click the Network Objects icon.
  5. Select Nodes, and then right-click to select Node > Host... .
  6. Select General Properties.
  7. Enter a Name for your FortiSIEM host, like FortiSIEMVA.
  8. Enter the IP Address of your FortiSIEM virtual appliance.
  9. Click OK.
Create an OPSEC Application for FortiSIEM
  1. In the Firewall tab, click the Servers and OPSEC icon.
  2. Select OPSEC Applications, and then right-click to select New > OPSEC Application.
  3. Click the General tab.
  4. Enter a Name for your OPSEC application, like OPSEC_FortiSIEMVA.
  5. For Host, select the FortiSIEM host.
  6. Under Client Entities, select LEA and CPMI.
    For Check Point FireWall-1, also select SNMP.
  7. Click Communication.
  8. Enter a one-time password.
    This is the password you will use in setting up access credentials for your firewall in FortiSIEM.
  9. Click Initialize.
  10. Close and re-open the application.
  11. In the General tab, next to Communication, the DN field will now contain a value like CN= OPSEC_FortiSIEMVA,0=MDS..i6g4zq.
    This is the FortiSIEM Client SIC DN that you will need when you copy the secure internal communication certificates and set the access credentials for your firewall in FortiSIEM.
Create a Firewall Policy for FortiSIEM
  1. In Servers and Opsec > OPSEC Applications, select your FortiSIEM application.
  2. In the Rules menu, select Top.
  3. Right-click SOURCE, then click Add and select your FortiSIEM virtual appliance.
  4. Right-click DESTINATION, then click Add and select your Check Point firewall.
  5. Right-click SERVICE, then click Add and select FW1_lea, and CPMI.
    Also select snmp if you are configuring a Check Point FireWall-1 firewall.
  6. Right-click ACTION and select Accept.
  7. Right-click TRACK and select Log.
  8. Go to Policy > Install.
  9. Click OK.
  10. Go to OPSEC Applications and select your FortiSIEM application.
  11. In the General tab of the Properties window, make sure that the communications have been enabled between your firewall and FortiSIEM.

You can now configure FortiSIEM to communicate with your device. For more information, refer to sections "Discovery Settings" and "Setting Credentials" in the User Guide.

Settings for Access Credentials

Settings for Check Point Provider-1 Firewall CLA SSLCA Access Credentials

Use these Access Method Definition settings to allow FortiSIEM to access your Check Point Provider-1 Firewall CMA. When you complete the access credentials, click Generate Certificate to establish access between your firewall and FortiSIEM.

SettingValue
NameCMA
Device TypeCheckpoint Provider-1 CMA
Access ProtocolCheckPoint SSLCA
CMA IPThe IPS address of your server
Checkpoint LEA PortThe port used by LEA on your server
AO Client SICThe DN number of your FortiSIEM OPSEC application
CMA Server SICThe DN number of your server
CPMI PortThe port used by CPMI on your server
Activation KeyThe password you used in creating your OPSEC application

Configuring CMA for Check Point Provider-1 Firewalls

Configuring CMA for Check Point Provider-1 Firewalls

The Check Point Provider-1 Customer Management Add-On (CMA) creates logs that are then consolidated by the Customer Log Module (CLM). If you want the CLM to send logs to FortiSIEM, you must first configure the CMA and obtain the AO Client SIC to configure access credentials for communication between the CLM and FortiSIEM.

Discover Paired Components on the Same Collector or Supervisor

Discovery of the MLM requires the certificate of the MDS, and discovery of the CLM requires the certificate of the CMA. Make sure that you discover the MDS & MLM pair, and the CMA & CLM pair, on the same Supervisor or Collector. If you attempt to discover them on separate Collectors, discovery will fail.

Configuration

Get CMA Server SIC for Setting Up FortiSIEM Access Credentials
  1. Log in to your Check Point SmartDomain Manager.
  2. Click the General tab.
  3. Select Domain Contents.
  4. Select the Domain Management Server and right-click to select Launch Application > Smart Dashboard.
  5. Select the Desktop tab.
  6. Select the Network Objects icon.
  7. Double-click on the Domain Management Server to view the General Properties dialog.
  8. Click Test SIC Status... .
    Note the value for DN. You will use this for the CMA Server SIC setting when creating the access credentials for FortiSIEM to access your CMA server.
Add FortiSIEM as a Managed Node

  1. Log in to your Check Point SmartDomain Manager.
  2. In the Global Policies tab, select Multi-Domain Security Management, and then right-click to select Launch Global SmartDashboard.
  3. Select the Firewall tab.
  4. Click the Network Objects icon.
  5. Select Nodes, and then right-click to select Node > Host... .
  6. Select General Properties.
  7. Enter a Name for your FortiSIEM host, like FortiSIEMVA.
  8. Enter the IP Address of your FortiSIEM virtual appliance.
  9. Click OK.
Create an OPSEC Application for FortiSIEM
  1. In the Firewall tab, click the Servers and OPSEC icon.
  2. Select OPSEC Applications, and then right-click to select New > OPSEC Application.
  3. Click the General tab.
  4. Enter a Name for your OPSEC application, like OPSEC_FortiSIEMVA.
  5. For Host, select the FortiSIEM host.
  6. Under Client Entities, select LEA and CPMI.
    For Check Point FireWall-1, also select SNMP.
  7. Click Communication.
  8. Enter a one-time password.
    This is the password you will use in setting up access credentials for your firewall in FortiSIEM.
  9. Click Initialize.
  10. Close and re-open the application.
  11. In the General tab, next to Communication, the DN field will now contain a value like CN= OPSEC_FortiSIEMVA,0=MDS..i6g4zq.
    This is the FortiSIEM Client SIC DN that you will need when you copy the secure internal communication certificates and set the access credentials for your firewall in FortiSIEM.
Create a Firewall Policy for FortiSIEM
  1. In Servers and Opsec > OPSEC Applications, select your FortiSIEM application.
  2. In the Rules menu, select Top.
  3. Right-click SOURCE, then click Add and select your FortiSIEM virtual appliance.
  4. Right-click DESTINATION, then click Add and select your Check Point firewall.
  5. Right-click SERVICE, then click Add and select FW1_lea, and CPMI.
    Also select snmp if you are configuring a Check Point FireWall-1 firewall.
  6. Right-click ACTION and select Accept.
  7. Right-click TRACK and select Log.
  8. Go to Policy > Install.
  9. Click OK.
  10. Go to OPSEC Applications and select your FortiSIEM application.
  11. In the General tab of the Properties window, make sure that the communications have been enabled between your firewall and FortiSIEM.

You can now configure FortiSIEM to communicate with your device. For more information, refer to sections "Discovery Settings" and "Setting Credentials" in the User Guide.

Settings for Access Credentials

Settings for Check Point Provider-1 Firewall CLA SSLCA Access Credentials

Use these Access Method Definition settings to allow FortiSIEM to access your Check Point Provider-1 Firewall CMA. When you complete the access credentials, click Generate Certificate to establish access between your firewall and FortiSIEM.

SettingValue
NameCMA
Device TypeCheckpoint Provider-1 CMA
Access ProtocolCheckPoint SSLCA
CMA IPThe IPS address of your server
Checkpoint LEA PortThe port used by LEA on your server
AO Client SICThe DN number of your FortiSIEM OPSEC application
CMA Server SICThe DN number of your server
CPMI PortThe port used by CPMI on your server
Activation KeyThe password you used in creating your OPSEC application