Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:


Table of Contents

External Systems Configuration Guide

Check Point FireWall-1

FortiSIEM Support added: 4.7.2

FortiSIEM last modification: 6.3.1

Vendor version tested: Not Provided

 

Vendor: Check Point

Product Information: https://www.checkpoint.com/products/

 

What is Discovered and Monitored

Protocol

Information Discovered

Metrics collected

Used for

SNMP

Host name, Firewall model and version, Network interfaces

Uptime, CPU and Memory utilization, Network Interface metrics (utilization, bytes sent and received, packets sent and received, errors, discards and queue lengths), Firewall connection count

Availability and Performance Monitoring

LEA

All traffic and system logs

Security and Compliance

Syslog

 

Traffic and logs sent via the CheckPoint Log Exporter tool via CEF format.

Security and Compliance

Event Types

In ADMIN > Device Support > Event Types, search for "firewall-1" to see the event types associated with this device. 

Rules

There are no predefined rules for this device. 

Reports

There are no predefined reports for this device.  

Configuration

SNMP

FortiSIEM uses SNMP to discover and monitor this device. Make sure SNMP is enabled for the device as directed in its product documentation. For more information, refer to sections "Discovery Settings" and "Setting Credentials" in the User Guide

Syslog CEF Format

The Syslog CEF format is a more straightforward integration method than LEA, and collects similar information. To configure CheckPoint for syslog event forwarding, use the CheckPoint Log Exporter tool that details on how to configure the CheckPoint Firewall at the following URL:

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk122323.

Configure the tool to send Syslog in CEF format to FortiSIEM.

Example CEF Format Log

CEF:0|Check Point|VPN-1 & FireWall-1|Check Point|Log|domain-udp|Unknown|act=Accept deviceDirection=0 rt=1528095651000 spt=49005 dpt=53 cs2Label=Rule Name cs2=Implicit Cleanup layer_name=LRSK Security layer_name=LRSK Application layer_uuid=ab166dee-e955-4b8f-a5e7-6234fbaeefde layer_uuid=5549ebc0-70a4-43d1-8ec6-ca53f2306a62 match_id=34 match_id=33554431 parent_rule=0 parent_rule=0 rule_action=Accept rule_action=Accept rule_uid=78f0ba26-4d36-4352-96dd-0303a2a31cbb ifname=eth2 logid=0 loguid={0x5b14e3a3,0x0,0xfbffff0a,0xc0000008} origin=1.1.1.1 originsicname=CN\=gate2,O\=pgkeeper.citadele.lrs.lt.wj6ide sequencenum=99 version=5 dst=1.1.1.1 inzone=Internal outzone=Internal product=VPN-1 & FireWall-1 proto=17 service_id=domain-udp src=1.1.1.1
LEA

Sending events from Checkpoint to FortiSIEM in Syslog CEF format can be a more straightforward integration method than using LEA Integration method.

Following the steps here for LEA configuration.

 

Add FortiSIEM as a Managed Node
  1. Log in to your Check Point SmartDomain Manager.
  2. In the Global Policies tab, select Multi-Domain Security Management, and then right-click to select Launch Global SmartDashboard.
  3. Select the Firewall tab.
  4. Click the Network Objects icon.
  5. Select Nodes, and then right-click to select Node > Host... .
  6. Select General Properties.
  7. Enter a Name for your FortiSIEM host, like FortiSIEMVA.
  8. Enter the IP Address of your FortiSIEM virtual appliance.
  9. Click OK.
Create an OPSEC Application for FortiSIEM
  1. In the Firewall tab, click the Servers and OPSEC icon.
  2. Select OPSEC Applications, and then right-click to select New > OPSEC Application.
  3. Click the General tab.
  4. Enter a Name for your OPSEC application, like OPSEC_FortiSIEMVA.
  5. For Host, select the FortiSIEM host.
  6. Under Client Entities, select LEA and CPMI.
    For Check Point FireWall-1, also select SNMP.  
  7. Click Communication.
  8. Enter a one-time password.
    This is the password you will use in setting up access credentials for your firewall in FortiSIEM. 
  9. Click Initialize.
  10. Close and re-open the application.
  11. In the General tab, next to Communication, the DN field will now contain a value like CN=OPSEC_FortiSIEMVA,0=MDS..i6g4zq.
    This is the FortiSIEM Client SIC DN that you will need when you copy the secure internal communication certificates and set the access credentials for your firewall in FortiSIEM.
Create a Firewall Policy for FortiSIEM
  1. In Servers and Opsec > OPSEC Applications, select your FortiSIEM application.
  2. In the Rules menu, select Top
  3. Right-click SOURCE, then click Add and select your FortiSIEM virtual appliance.
  4. Right-click DESTINATION, then click Add and select your Check Point firewall.
  5. Right-click SERVICE, then click Add and select FW1_lea, and CPMI.
    Also select snmp if you are configuring a Check Point FireWall-1 firewall.  
  6. Right-click ACTION and select Accept.
  7. Right-click TRACK and select Log.
  8. Go to Policy > Install.
  9. Click OK.
  10. Go to OPSEC Applications and select your FortiSIEM application.
  11. In the General tab of the Properties window, make sure that the communications have been enabled between your firewall and FortiSIEM.

Settings for Access Credentials

Set these Access Method Definition values to allow FortiSIEM to communicate with your device.

Setting Value
Name <set name>
Device Type Checkpoint Firewall-1
Access Protocol See Access Credentials
Port See Access Credentials
Password config See Password Configuration

Check Point FireWall-1

FortiSIEM Support added: 4.7.2

FortiSIEM last modification: 6.3.1

Vendor version tested: Not Provided

 

Vendor: Check Point

Product Information: https://www.checkpoint.com/products/

 

What is Discovered and Monitored

Protocol

Information Discovered

Metrics collected

Used for

SNMP

Host name, Firewall model and version, Network interfaces

Uptime, CPU and Memory utilization, Network Interface metrics (utilization, bytes sent and received, packets sent and received, errors, discards and queue lengths), Firewall connection count

Availability and Performance Monitoring

LEA

All traffic and system logs

Security and Compliance

Syslog

 

Traffic and logs sent via the CheckPoint Log Exporter tool via CEF format.

Security and Compliance

Event Types

In ADMIN > Device Support > Event Types, search for "firewall-1" to see the event types associated with this device. 

Rules

There are no predefined rules for this device. 

Reports

There are no predefined reports for this device.  

Configuration

SNMP

FortiSIEM uses SNMP to discover and monitor this device. Make sure SNMP is enabled for the device as directed in its product documentation. For more information, refer to sections "Discovery Settings" and "Setting Credentials" in the User Guide

Syslog CEF Format

The Syslog CEF format is a more straightforward integration method than LEA, and collects similar information. To configure CheckPoint for syslog event forwarding, use the CheckPoint Log Exporter tool that details on how to configure the CheckPoint Firewall at the following URL:

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk122323.

Configure the tool to send Syslog in CEF format to FortiSIEM.

Example CEF Format Log

CEF:0|Check Point|VPN-1 & FireWall-1|Check Point|Log|domain-udp|Unknown|act=Accept deviceDirection=0 rt=1528095651000 spt=49005 dpt=53 cs2Label=Rule Name cs2=Implicit Cleanup layer_name=LRSK Security layer_name=LRSK Application layer_uuid=ab166dee-e955-4b8f-a5e7-6234fbaeefde layer_uuid=5549ebc0-70a4-43d1-8ec6-ca53f2306a62 match_id=34 match_id=33554431 parent_rule=0 parent_rule=0 rule_action=Accept rule_action=Accept rule_uid=78f0ba26-4d36-4352-96dd-0303a2a31cbb ifname=eth2 logid=0 loguid={0x5b14e3a3,0x0,0xfbffff0a,0xc0000008} origin=1.1.1.1 originsicname=CN\=gate2,O\=pgkeeper.citadele.lrs.lt.wj6ide sequencenum=99 version=5 dst=1.1.1.1 inzone=Internal outzone=Internal product=VPN-1 & FireWall-1 proto=17 service_id=domain-udp src=1.1.1.1
LEA

Sending events from Checkpoint to FortiSIEM in Syslog CEF format can be a more straightforward integration method than using LEA Integration method.

Following the steps here for LEA configuration.

 

Add FortiSIEM as a Managed Node
  1. Log in to your Check Point SmartDomain Manager.
  2. In the Global Policies tab, select Multi-Domain Security Management, and then right-click to select Launch Global SmartDashboard.
  3. Select the Firewall tab.
  4. Click the Network Objects icon.
  5. Select Nodes, and then right-click to select Node > Host... .
  6. Select General Properties.
  7. Enter a Name for your FortiSIEM host, like FortiSIEMVA.
  8. Enter the IP Address of your FortiSIEM virtual appliance.
  9. Click OK.
Create an OPSEC Application for FortiSIEM
  1. In the Firewall tab, click the Servers and OPSEC icon.
  2. Select OPSEC Applications, and then right-click to select New > OPSEC Application.
  3. Click the General tab.
  4. Enter a Name for your OPSEC application, like OPSEC_FortiSIEMVA.
  5. For Host, select the FortiSIEM host.
  6. Under Client Entities, select LEA and CPMI.
    For Check Point FireWall-1, also select SNMP.  
  7. Click Communication.
  8. Enter a one-time password.
    This is the password you will use in setting up access credentials for your firewall in FortiSIEM. 
  9. Click Initialize.
  10. Close and re-open the application.
  11. In the General tab, next to Communication, the DN field will now contain a value like CN=OPSEC_FortiSIEMVA,0=MDS..i6g4zq.
    This is the FortiSIEM Client SIC DN that you will need when you copy the secure internal communication certificates and set the access credentials for your firewall in FortiSIEM.
Create a Firewall Policy for FortiSIEM
  1. In Servers and Opsec > OPSEC Applications, select your FortiSIEM application.
  2. In the Rules menu, select Top
  3. Right-click SOURCE, then click Add and select your FortiSIEM virtual appliance.
  4. Right-click DESTINATION, then click Add and select your Check Point firewall.
  5. Right-click SERVICE, then click Add and select FW1_lea, and CPMI.
    Also select snmp if you are configuring a Check Point FireWall-1 firewall.  
  6. Right-click ACTION and select Accept.
  7. Right-click TRACK and select Log.
  8. Go to Policy > Install.
  9. Click OK.
  10. Go to OPSEC Applications and select your FortiSIEM application.
  11. In the General tab of the Properties window, make sure that the communications have been enabled between your firewall and FortiSIEM.

Settings for Access Credentials

Set these Access Method Definition values to allow FortiSIEM to communicate with your device.

Setting Value
Name <set name>
Device Type Checkpoint Firewall-1
Access Protocol See Access Credentials
Port See Access Credentials
Password config See Password Configuration