Configure Check Point Event Sources in NetWitness

This topic tells you how to configure the Check Point collection protocol, which collects events from Check Point event sources.

This protocol collects events from Check Point event sources using OPSEC LEA. OPSEC LEA is the Check Point Operations Security Log Export API that facilitates the extraction of logs.

How Check Point Collection Works

The Log Collector service collects events from Check Point event sources using OPSEC LEA. OPSEC LEA is the Check Point Operations Security Log Export API that facilitates the extraction of logs.

Note: OPSEC LEA (Log Export API) supports extraction of logs from Check Point event sources configured with a SHA-256 or SHA-1 certificate.

Deployment Scenario

The following figure illustrates how you deploy the Check Point Collection Protocol in NetWitness.

[Figure: deployment of the Check Point collection protocol in NetWitness]

Configuration in NetWitness

To configure a Check Point Event Source:

  1. Go to Admin > Services from the NetWitness menu.
  2. Select a Log Collection service.
  3. Select the Actions menu > View > Config to display the Log Collection configuration parameter tabs.
  4. Click the Event Sources tab.

    [Figure: Event Sources tab, choosing the collection method]

  5. In the Event Sources tab, select Check Point/Config from the drop-down menu.
  6. In the Event Categories panel toolbar, click the Add icon.

    The Available Event Source Types dialog is displayed.

  7. Select a Check Point event source type and click OK.

    The newly added event source type is displayed in the Event Categories panel.

  8. Select the new type in the Event Categories panel and click the Add icon in the Sources toolbar.

    The Add Source dialog is displayed.

  9. Define parameter values. For details, see Check Point Parameters below.
  10. Click Test Connection.

    The result of the test is displayed in the dialog box. If the test is unsuccessful, edit the device or service information and retry.

    Log Collector takes approximately 60 seconds to return the test results. If it exceeds the time limit, the test times out and NetWitness displays an error message.

  11. If the test is successful, click OK.

    The new event source is displayed in the Sources panel.

Check Point Parameters

This section describes the Check Point event source configuration parameters.

Basic Parameters

Name*

Name of the event source.

Address*

IP address of the Check Point server.

Server Name*

Name of the Check Point server.
Certificate Name

Certificate name for secure connections to use when the transport mode is https. If set, the certificate must exist in the certificate trust store that you created using the Settings tab.

Select a certificate from the drop-down list. The file naming convention for Check Point event source certificates is checkpoint_name-of-event-source.

Client Distinguished Name

Enter the Client Distinguished Name from the Check Point server.

Client Entity Name

Enter the Client Entity Name from the Check Point server.

Server Distinguished Name

Enter the Server Distinguished Name from the Check Point server.

Enabled

Select the check box to enable the event source configuration to start collection. The check box is selected by default.

Pull Certificate

Select the check box to pull a certificate for the first time. Pulling a certificate makes it available from the trust store.

Certificate Server Address

IP Address of the server on which the certificate resides. Defaults to the event source address.

Password

Only active when you select the Pull Certificate check box for the first time. Password required to pull the certificate. The password is the activation key created when adding an OPSEC application to Check Point on the Check Point server.

Determine Advanced Parameter Values for Check Point Collection

You use less system resources when you configure a Check Point event source connection to stay open for a specific time and specific event volume (transient connection). NetWitness defaults to the following connection parameters that establish a transient connection:

  • Polling Interval = 180 (3 minutes)
  • Max Duration Poll = 120 (2 minutes)
  • Max Events Poll = 5000 (5000 events per polling interval)
  • Max Idle Time Poll = 0

For very active Check Point event sources, it is a good practice to set up a connection that stays open until you stop collection (persistent connection). This ensures that Check Point collection maintains the pace of the events generated by these active event sources. The persistent connection avoids restart and connection delays and prevents Check Point collection from lagging behind event generation.

To establish a persistent connection for a Check Point event source, set the following parameters to the following values:

  • Polling Interval = -1
  • Max Duration Poll = 0
  • Max Events Poll = 0
  • Max Idle Time Poll = 0

Advanced Parameters

Port

Port on the Check Point server that Log Collector connects to. Default value is 18184.

Collect Log Type

Type of logs that you want to collect. Valid values are:

  • Audit - collects audit events.
  • Security - collects security events.

If you want to collect both audit and security events, you must create a duplicate event source. For example, first create an event source with Audit selected and with Pull Certificate selected, so that a certificate is pulled into the trust store for this event source. Then create another event source with the same values, except that you select Security for Collect Log Type, select in Certificate Name the certificate you pulled when you set up the first event source, and make sure that Pull Certificate is not selected.

Collect Logs From

When you set up a Check Point event source, NetWitness collects events from the current log file. Valid values are:

  • Now - Start collecting logs now (at this point in time in the current log file).
  • Start of Log - Collect logs from the beginning of the current log file.

If you choose "Start of Log" for this parameter value, you may collect a very large amount of data depending on how long the current log file has been collecting events. Note that this option is effective only for the first collection session.

Polling Interval

Interval (amount of time in seconds) between each poll. The default value is 180.

For example, if you specify 180, the collector schedules a polling of the event source every 180 seconds. If the previous polling cycle is still underway, it will wait for it to finish that cycle. If you have a large number of event sources that you are polling, it may take longer than 180 seconds for the polling to start because the threads are busy.

Max Duration Poll

The maximum duration of a polling cycle (how long the cycle lasts) in seconds.

Max Events Poll

The maximum number of events per polling cycle (how many events are collected per polling cycle).

Max Idle Time Poll

Maximum idle time, in seconds, of a polling cycle. 0 indicates no limit. 300 is the default value.

Forwarder

Enables or disables the Check Point server as a forwarder. By default it is disabled.

Log Type (Name Value Pair)

Logs from the event source in Name Value format. By default it is disabled.

Debug

Caution: Only enable debugging (set this parameter to "On" or "Verbose") if you have a problem with an event source and you need to investigate this problem. Enabling debugging will adversely affect the performance of the Log Collector.

Enables and disables debug logging for the event source.

Valid values are:

  • Off = (default) disabled
  • On = enabled
  • Verbose = enabled in verbose mode ‐ adds thread information and source context information to the messages.

This parameter is designed to debug and monitor isolated event source collection issues. The debug logging is verbose, so limit the number of event sources to minimize performance impact.

If you change this value, the change takes effect immediately (no restart required).
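As an added example (not NetWitness code), the following Python encodes the rules this page states for a Check Point event source definition: the persistent-connection parameter recipe, the dependency of Password on Pull Certificate, the certificate naming convention, and the duplicate definition needed to collect both Audit and Security logs. The class and field names are assumptions that mirror the dialog labels, so a batch of planned definitions can be checked before they are entered in the Add Source dialog.

```python
from dataclasses import dataclass, replace


@dataclass
class CheckPointSource:
    """One Add Source definition; field names mirror the dialog labels on this page."""
    name: str
    address: str
    collect_log_type: str             # "Audit" or "Security"
    collect_logs_from: str = "Now"    # or "Start of Log"
    certificate_name: str = ""        # existing trust-store certificate
    pull_certificate: bool = False
    password: str = ""                # OPSEC application activation key
    polling_interval: int = 180       # transient-connection defaults from the page
    max_duration_poll: int = 120
    max_events_poll: int = 5000
    max_idle_time_poll: int = 0


def connection_mode(src: CheckPointSource) -> str:
    """'persistent' only when all four advanced values match the page's recipe."""
    advanced = (src.polling_interval, src.max_duration_poll,
                src.max_events_poll, src.max_idle_time_poll)
    return "persistent" if advanced == (-1, 0, 0, 0) else "transient"


def validate(src: CheckPointSource) -> list:
    """Return the rule violations found; an empty list means the definition is consistent."""
    problems = []
    if src.collect_log_type not in ("Audit", "Security"):
        problems.append("Collect Log Type must be Audit or Security")
    if src.collect_logs_from not in ("Now", "Start of Log"):
        problems.append("Collect Logs From must be Now or Start of Log")
    if src.pull_certificate and not src.password:
        problems.append("Pull Certificate requires the activation key in Password")
    if not src.pull_certificate and not src.certificate_name:
        problems.append("select a pulled certificate in Certificate Name when not pulling one")
    if src.certificate_name and not src.certificate_name.startswith("checkpoint_"):
        problems.append("Certificate Name should follow checkpoint_<name-of-event-source>")
    return problems


def companion_for_both_log_types(first: CheckPointSource) -> CheckPointSource:
    """Second definition needed to collect both Audit and Security logs: the same
    values, the other log type, the certificate already pulled, and no second pull."""
    other = "Security" if first.collect_log_type == "Audit" else "Audit"
    cert = first.certificate_name or "checkpoint_" + first.name
    return replace(first, collect_log_type=other, certificate_name=cert,
                   pull_certificate=False, password="")
```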

Verify Check Point Collection is Working

The following procedure illustrates how you can verify that Check Point collection is working from the Administration > Health & Wellness > Event Source Monitoring tab.

To verify Check Point collection from the Event Source Monitoring tab:

  1. Access the Manage tab from the Admin > Event Sources view.
  2. Find a Check Point event source in the Event Sources column.
  3. Look for activity in the Total Count column to verify that Check Point collection is accepting events.

The following procedure illustrates how you can verify that Check Point collection is working from the Investigation > Events view.

To verify Check Point collection from the Investigation > Events view:

  1. Access the Investigation > Events view.
  2. Select the Log Decoder (for example, LD1) collecting Check Point events in the Investigate a Device dialog.
  3. Look for a Check Point event source parser (for example, checkpointfw1) in the device.type field in the Details column to verify that Check Point collection is accepting events.

Note: If the logs from a VSX Check Point firewall server are collected by the Log Collector checkpoint service, you must add the VSX hostname and the VSX IP address to the /etc/hosts file on the Log Collector so that the VSX IP in the logs is translated to the ip.orig meta key.