Symantec Event Collector 4.3 for Check Point FireWall-1 Quick Reference

The software described in this book is furnished under a license agreement and may be used only in accordance with the terms of the agreement.

Legal Notice

Copyright 2008 Symantec Corporation. All rights reserved.

Symantec and the Symantec Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners.

This Symantec product may contain third party software for which Symantec is required to provide attribution to the third party ("Third Party Programs"). Some of the Third Party Programs are available under open source or free software licenses. The License Agreement accompanying the Software does not alter any rights or obligations you may have under those open source or free software licenses. Please see the Third Party Legal Notice Appendix to this Documentation or the TPIP ReadMe File accompanying this Symantec product for more information on the Third Party Programs.

The product described in this document is distributed under licenses restricting its use, copying, distribution, and decompilation/reverse engineering. No part of this document may be reproduced in any form by any means without prior written authorization of Symantec Corporation and its licensors, if any.

THE DOCUMENTATION IS PROVIDED "AS IS" AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID. SYMANTEC CORPORATION SHALL NOT BE LIABLE FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES IN CONNECTION WITH THE FURNISHING, PERFORMANCE, OR USE OF THIS DOCUMENTATION. THE INFORMATION CONTAINED IN THIS DOCUMENTATION IS SUBJECT TO CHANGE WITHOUT NOTICE.

The Licensed Software and Documentation are deemed to be commercial computer software as defined in FAR and subject to restricted rights as defined in FAR Section "Commercial Computer Software - Restricted Rights" and DFARS, "Rights in Commercial Computer Software or Commercial Computer Software Documentation", as applicable, and any successor regulations. Any use, modification, reproduction, release, performance, display or disclosure of the Licensed Software and Documentation by the U.S. Government shall be solely in accordance with the terms of this Agreement.

Symantec Corporation
Stevens Creek Blvd.
Cupertino, CA

Printed in the United States of America

Technical Support

Symantec Technical Support maintains support centers globally. Technical Support's primary role is to respond to specific queries about product features and functionality. The Technical Support group also creates content for our online Knowledge Base. The Technical Support group works collaboratively with the other functional areas within Symantec to answer your questions in a timely fashion. For example, the Technical Support group works with Product Engineering and Symantec Security Response to provide alerting services and virus definition updates.

Symantec's maintenance offerings include the following:
- A range of support options that give you the flexibility to select the right amount of service for any size organization
- Telephone and Web-based support that provides rapid response and up-to-the-minute information
- Upgrade assurance that delivers automatic software upgrade protection
- Global support that is available 24 hours a day, 7 days a week
- Advanced features, including Account Management Services

For information about Symantec's Maintenance Programs, you can visit our Web site at the following URL:

Contacting Technical Support

Customers with a current maintenance agreement may access Technical Support information at the following URL:

Before contacting Technical Support, make sure you have satisfied the system requirements that are listed in your product documentation. Also, you should be at the computer on which the problem occurred, in case it is necessary to replicate the problem.

When you contact Technical Support, please have the following information available:
- Product release level
- Hardware information
- Available memory, disk space, and NIC information
- Operating system
- Version and patch level
- Network topology
- Router, gateway, and IP address information
- Problem description:
  - Error messages and log files
  - Troubleshooting that was performed before contacting Symantec
  - Recent software configuration changes and network changes

Licensing and registration

If your Symantec product requires registration or a license key, access our technical support Web page at the following URL:

Customer service

Customer service information is available at the following URL:

Customer Service is available to assist with the following types of issues:
- Questions regarding product licensing or serialization
- Product registration updates, such as address or name changes
- General product information (features, language availability, local dealers)
- Latest information about product updates and upgrades
- Information about upgrade assurance and maintenance contracts
- Information about the Symantec Buying Programs
- Advice about Symantec's technical support options
- Nontechnical presales questions
- Issues that are related to CD-ROMs or manuals

Maintenance agreement resources

If you want to contact Symantec regarding an existing maintenance agreement, please contact the maintenance agreement administration team for your region as follows:
- Asia-Pacific and Japan
- Europe, Middle-East, and Africa
- North America and Latin America

Additional enterprise services

Symantec offers a comprehensive set of services that allow you to maximize your investment in Symantec products and to develop your knowledge, expertise, and global insight, which enable you to manage your business risks proactively.

Enterprise services that are available include the following:
- Symantec Early Warning Solutions: These solutions provide early warning of cyber attacks, comprehensive threat analysis, and countermeasures to prevent attacks before they occur.
- Managed Security Services: These services remove the burden of managing and monitoring security devices and events, ensuring rapid response to real threats.
- Consulting Services: Symantec Consulting Services provide on-site technical expertise from Symantec and its trusted partners. Symantec Consulting Services offer a variety of prepackaged and customizable options that include assessment, design, implementation, monitoring, and management capabilities. Each is focused on establishing and maintaining the integrity and availability of your IT resources.
- Educational Services: Educational Services provide a full array of technical training, security education, security certification, and awareness communication programs.

To access more information about Enterprise services, please visit our Web site at the following URL:

Select your country or language from the site index.

Contents

Technical Support ... 4

Chapter 1  Introducing Symantec Event Collector for Check Point FireWall-1
  About this quick reference ... 9
  Compatibility requirements for Check Point FireWall-1 Event Collector
  System requirements for the Check Point FireWall-1 Event Collector computer
  About the installation sequence for Check Point FireWall-1 Event Collector
  Upgrading the on-appliance collector from 4.2 to 4.3 on Information Manager 4.5
  Installing the compat-libstdc++ package on Red Hat Enterprise Linux 3.0
  Configuring Check Point FireWall-1 to work with the collector
  Running LiveUpdate for collectors

Chapter 2  Implementation notes
  Product ID for Check Point FireWall-1 Event Collector
  Event example
  Schema packages
  Event mapping for Information Manager

Chapter 3  Event filtering and aggregation
  Event filtering and aggregation for Check Point FireWall-1 Event Collector ... 35

Chapter 1
Introducing Symantec Event Collector for Check Point FireWall-1

This chapter includes the following topics:
- About this quick reference
- Compatibility requirements for Check Point FireWall-1 Event Collector
- System requirements for the Check Point FireWall-1 Event Collector computer
- About the installation sequence for Check Point FireWall-1 Event Collector
- Upgrading the on-appliance collector from 4.2 to 4.3 on Information Manager 4.5
- Installing the compat-libstdc++ package on Red Hat Enterprise Linux 3.0
- Configuring Check Point FireWall-1 to work with the collector
- Running LiveUpdate for collectors

About this quick reference

This quick reference includes information that is specific to Symantec Event Collector for Check Point FireWall-1. General knowledge about installing and configuring collectors is assumed, as well as basic knowledge of Check Point FireWall-1. For detailed information on how to install and configure event collectors, please see the Symantec Event Collectors Integration Guide.

For information on Check Point FireWall-1, see your product documentation.

Compatibility requirements for Check Point FireWall-1 Event Collector

The collector is compatible with the following Check Point products:
- Check Point FireWall-1 NG Application Intelligence R55 and NGX 6.x, including 6.0, 6.2, and 6.5, that runs on one of the following operating systems:
  - Microsoft Windows 2000 Advanced Server with Service Pack 4 or later
  - Red Hat Enterprise Linux AS 3.0
- Check Point Provider-1 NG and NGX 6.x, including 6.0, 6.2, and 6.5 on Red Hat Enterprise 3, Sun Solaris, and Check Point SecurePlatform with the following configurations:
  - Check Point Provider-1 with MDS/CMA/log server all on one computer
  - Check Point Provider-1 with separate MLM/CLM computers

The collector can collect from the Check Point Audit log, as well as the security log.

The collector is also compatible with Check Point R55 and 6.x, including 6.0, 6.2, and 6.5, that runs on the Nokia IP series appliances. Please go to the Nokia Web site for detailed information:

The collector runs on the following operating systems:
- Microsoft Windows 2000 with Service Pack 4 or later
- Microsoft Windows Advanced Server 2000 with Service Pack 4 or later
- Microsoft Windows Server 2003 Enterprise Edition with Service Pack 1 or later
- Microsoft Windows Server 2003 Standard Edition with Service Pack 1 or later
- Windows XP with Service Pack 2 or later
- Red Hat Enterprise Linux AS 3.0
  If you use Red Hat Enterprise Linux AS 3.0, you must install the compat-libstdc++ package. See Installing the compat-libstdc++ package on Red Hat Enterprise Linux 3.0 on page 14.
- Red Hat Enterprise Linux AS 4.0

Note: You can install version 4.3 collectors on both 32-bit and 64-bit versions of Windows Server 2000/2003.

Note: If the Check Point LEA Server is installed on a platform other than Windows or Linux, a remote configuration setup is required.

System requirements for the Check Point FireWall-1 Event Collector computer

Minimum system requirements for a remote collector installation are as follows:
- Intel Pentium-compatible 133-MHz processor (up to and including Xeon-class)
- 512 MB minimum, 1 GB of memory recommended for the Symantec Event Agent
- 35 MB of hard disk space for collector program files
- 95 MB of hard disk space to accommodate the Symantec Event Agent, the JRE, and the collector
- TCP/IP connection to a network from a static IP address

About the installation sequence for Check Point FireWall-1 Event Collector

The collector is preinstalled on the Information Manager 4.6 appliance. You can also install this collector on a remote computer or on an Information Manager 4.5 appliance.

The collector installation sequence is as follows:
- Complete the preinstallation requirements. For these procedures, see the Symantec Event Collectors Integration Guide.
- Configure Check Point FireWall-1 to work with the collector.
  If you use Red Hat Enterprise Linux 3.0, you must install the compat-libstdc++ package. See Installing the compat-libstdc++ package on Red Hat Enterprise Linux 3.0 on page 14.
- Close the Symantec Security Information Manager Client console.
- Register the collector for all off-appliance collector installations.

  If you use Information Manager 4.6, the collector is pre-registered. You do not have to register it. For this procedure, see the Symantec Event Collectors Integration Guide.
- Install the Symantec Event Agent on the collector computer. You must install the agent for all remote installations. Symantec Event Agent build 12 or later is required.
- Run LiveUpdate on earlier collectors. If you install a 4.3 collector on a computer that has an earlier collector on it, you must first run LiveUpdate on all components of the earlier version of the collector. You must update the earlier collector before you install the 4.3 collector. See Running LiveUpdate for collectors on page 22.
- Install the collector component. The collector is preinstalled on the Information Manager 4.6 appliance. If you want to use the collector on a remote computer, you must install it on the remote computer.
  You can upgrade the collector on the Information Manager 4.5 appliance. However, you must first apply the Information Manager with Maintenance Release 1 (or later) upgrade package on the appliance. See Upgrading the on-appliance collector from 4.2 to 4.3 on Information Manager 4.5 on page 12.
  You can install the collector on the Information Manager 4.5 appliance. However, you must first apply the Information Manager with Maintenance Release 1 (or later) upgrade package on the appliance.
  For procedures on how to install the collector on a remote computer or on an appliance, see the Symantec Event Collectors Integration Guide.
- Configure the sensor.
- Run LiveUpdate. See Running LiveUpdate for collectors on page 22.

For all procedures that are not covered in the quick reference, see the Symantec Event Collectors Integration Guide.

Upgrading the on-appliance collector from 4.2 to 4.3 on Information Manager 4.5

Check Point FireWall-1 Event Collector 4.3 comes preinstalled on the Information Manager 4.6 appliance.

Check Point FireWall-1 Event Collector 4.2 comes preinstalled on the Information Manager 4.5 appliance. You can upgrade your collector from 4.2 to 4.3 on the Information Manager 4.5 appliance. You must install Information Manager with Maintenance Release 1 (or later) before you upgrade Check Point FireWall-1 Event Collector 4.2 to 4.3 on the Information Manager appliance.

To upgrade the on-appliance Check Point FireWall-1 Event Collector from 4.2 to 4.3
1 Contact Symantec to get the upgrade package.
2 Unzip the upgrade package onto your Information Manager 4.5 client computer.
3 Start the Symantec Security Information Manager client and then log in with administrator credentials.
4 Export the existing sensor settings and all custom filters and aggregators to .xml files. For more information, see the Symantec Event Collectors Integration Guide.
5 Close the Symantec Security Information Manager client.
6 From a Web browser, navigate to the Symantec Security Information Manager Administrator Web page and log in with administrator credentials.
7 From the list on the left, click System Updates.
8 From Options, click Install and browse to the location where you unzipped the upgrade package.
9 Select the update-checkpointcollector.jar file and click Upload and Install.
10 In the Confirm Installation page, click Continue.
11 When done, click Cancel.
12 Close the Symantec Security Information Manager Administrator Web page.
13 Start the Symantec Security Information Manager client and log on with administrator credentials.
14 Import the sensor settings and custom filters and aggregators from the .xml files that you created in step 4. For more information, see the Symantec Event Collectors Integration Guide.

Installing the compat-libstdc++ package on Red Hat Enterprise Linux 3.0

If you use Red Hat Enterprise Linux 3.0, you must install the compat-libstdc++ package. The compat-libstdc++ package is located in a Red Hat install package rpm file named as follows:

    compat-libstdc++-version_number.architecture.rpm

To install the compat-libstdc++ package
  At a Linux command prompt, type the following command:

    up2date compat-libstdc++

Configuring Check Point FireWall-1 to work with the collector

If you have Check Point FireWall-1 only, you can configure it for a local, remote, or distributed collector installation, as follows:
- A local collector resides on the LEA server. See To configure Check Point FireWall-1 for a local collector installation on page 15.
- A remote collector does not reside on the LEA server. See To configure Check Point FireWall-1 for a remote collector installation on page 16.
- In a distributed collector installation, the Check Point FireWall-1 gateway, Check Point Management Server, and Check Point Log Server reside on separate computers, and the collector may reside either on the log server computer, or another computer altogether. See To configure Check Point FireWall-1 in a distributed environment on page 17.

If you have Check Point Provider-1, you have the following configuration options:
- With a Multi-Domain Server (MDS), multiple Customer Management Add-Ons (CMAs), and Log server on one computer. The CMA receives the logs. See To configure Check Point Provider-1 with MDS/CMA/Log server all on one computer on page 19.
- With a Multi-Domain Log Module (MLM) server and multiple Customer Log Modules (CLM). The CLM's server receives the logs.

  See To configure Check Point Provider-1 with separate MLM/CLM computers on page 21.

If you have the Nokia IP series, you can configure the Check Point FireWall-1 that resides on the Nokia IP appliance for a remote collector installation.

If you have Check Point FireWall-1 running on SecurePlatform, you can configure the Check Point FireWall-1 for a remote collector installation. The remote collector does not reside on the LEA server. See To configure Check Point FireWall-1 for a remote collector installation on page 16.

For information on how to create and enable firewall rules, see the documentation that came with Check Point.

To configure Check Point FireWall-1 for a local collector installation
1 On the LEA server, use a text editor to open the appropriate configuration:
  On Windows, using WordPad to preserve UNIX file format, open the following files:
    C:\WINNT\fw1\R55\conf\fwopsec.conf
    C:\WINNT\fw1\R55\conf\cpmad_opsec.conf
  The R55\ directory location only applies to the NG version of Check Point. The NGX version uses R60\.
  On Linux, open the following files:
    /var/opt/cpfw1-55/conf/fwopsec.conf
    /var/opt/cpfw1-55/conf/cpmad_opsec.conf
2 Clear the cpmad_opsec.conf file, and then add the following lines:
    lea_server ip
    lea_server auth_port 0
    lea_server port
    lea_server auth_type local
3 Clear the fwopsec.conf file, and then add the following lines:
    lea_server ip
    lea_server auth_port 0
    lea_server port
    lea_server auth_type local
  The contents of the cpmad_opsec file and the fwopsec.conf file should be identical.
4 Save and close each file.

5 Use the tools that are provided by Check Point FireWall-1 Event Collector to add a rule that prevents remote access to port
6 To force the changes to cpmad_opsec.conf and fwopsec.conf to take effect, do one of the following steps:
  If the Check Point log server is running on Linux, run the following command:
    cprestart
  If the Check Point log server is running on Windows, run the following command:
    cprestart.exe

To configure Check Point FireWall-1 for a remote collector installation
1 On the Management server, using the Check Point FireWall-1 SmartDashboard, create a new OPSEC application by completing the following steps in the order given:
  - Create a name for the OPSEC application. This value is used during the configuration of the collector.
  - For the Host value, specify the IP address of the collector computer.
  - For the Client Entities type, choose LEA.
  - In the communications dialog box, type a password for the Activation Key. This password is used to generate an SSL certificate that is used during the collector configuration.
  - After you have entered the password, click Initialize.
  - Record the settings that you have made. Include the name of the OPSEC application, the password, and the string that Check Point FireWall-1 Event Collector places in the DN field during configuration. These settings are also used to configure the sensor.
  - Close the dialog box. When you close the dialog box, the Trust State should be changed from Uninitialized to Initialized but trust not established.
2 On the LEA server, use a text editor to open the appropriate configuration, as follows:
  On Windows, using WordPad to preserve UNIX file format, open the following files:
    C:\WINNT\fw1\R55\conf\fwopsec.conf
    C:\WINNT\fw1\R55\conf\cpmad_opsec.conf
  On Linux, open the following files:

    /var/opt/cpfw1-55/conf/fwopsec.conf
    /var/opt/cpfw1-55/conf/cpmad_opsec.conf
3 Clear the cpmad_opsec.conf file, then add the following lines:
    lea_server ip IP_address_of_LEA_server
    lea_server auth_port
    lea_server port 0
    lea_server auth_type sslca
4 Clear the fwopsec.conf file, and then add the following lines:
    lea_server ip IP_address_of_LEA_server
    lea_server auth_port
    lea_server port 0
    lea_server auth_type sslca
  The contents of the cpmad_opsec file and the fwopsec.conf file should be identical.
5 Save and close each file.
6 To force the changes to cpmad_opsec.conf and fwopsec.conf to take effect, do one of the following steps:
  If the Check Point log server is running on Linux, run the following command:
    cprestart
  If the Check Point log server is running on Windows, run the following command:
    cprestart.exe

To configure Check Point FireWall-1 in a distributed environment
1 On the Management server, using the Check Point FireWall-1 SmartDashboard, create a new OPSEC application by completing the following steps in the order given:
  - Create a name for the OPSEC application. This value is used during the configuration of the collector.
  - For the Host value, specify the IP address of the collector computer.
  - For the Client Entities type, choose LEA.
  - In the communications dialog box, enter a password for the Activation Key. This password is used to generate an SSL certificate that is used during the collector configuration.

  - After you have entered the password, click Initialize.
  - Record the settings that you have made. Include the name of the OPSEC application, the password, and the string that Check Point FireWall-1 Event Collector places in the DN field during configuration. These settings are also used to configure the sensor.
  - Close the dialog box. When you close the dialog box, the Trust State should be changed from Uninitialized to Initialized but trust not established.
  - Install the policy database on the Check Point Log Server using the SmartDashboard.
2 Make sure that no firewall rule blocks communication between the collector computer and the log server computer on port
3 Make sure that all other computers are prevented from accessing port on the log server computer.
4 On the Log Server, use a text editor to open the appropriate configuration file, as follows:
  On Windows, using WordPad to preserve UNIX file format, open the following files:
    C:\WINNT\fw1\R55\conf\fwopsec.conf
    C:\WINNT\fw1\R55\conf\cpmad_opsec.conf
  On Linux, open the following files:
    /var/opt/cpfw1-55/conf/cpmad_opsec.conf
    /var/opt/cpfw1-55/conf/fwopsec.conf
5 Clear the cpmad_opsec.conf file, and then add the following lines:
    lea_server ip IP_address_of_Log_Server
    lea_server auth_port 0
    lea_server port
    lea_server auth_type local
6 Clear the fwopsec.conf file, and then add the following lines:
    lea_server ip IP_address_of_Log_Server
    lea_server auth_port 0
    lea_server port
    lea_server auth_type local
  The contents of the cpmad_opsec file and the fwopsec.conf file should be identical.

7 Save and close each file.
8 To force the changes to cpmad_opsec.conf and fwopsec.conf to take effect, do one of the following steps:
  If the Check Point log server is running on Linux, run the following command:
    cprestart
  If the Check Point log server is running on Windows, run the following command:
    cprestart.exe

To configure Check Point Provider-1 with MDS/CMA/Log server all on one computer
1 On a Check Point Provider-1 NGX installation, a single Global OPSEC application can be created using the Global SmartDashboard console and installed on all CMAs using a Global policy. On previous versions of Check Point Provider-1, individual OPSEC applications must be created for each CMA using the standard SmartDashboard.
  Use either the Global SmartDashboard or the standard SmartDashboard to create a new host node to represent the computer where the Check Point collector resides by doing the following steps in the order given:
  - Right-click Network Objects > Nodes, and then click New Node > Host.
  - In the New Host Node window, on the General Properties tab, type the host name of the computer where the Check Point collector resides.
  - Click Get Address, and then click OK. If Get Address fails to resolve the host name, you must fix the DNS resolution or add an entry to the /etc/hosts file. The /etc/hosts file must contain the IP address where the Check Point collector resides.
  - Save the changes by doing one of the following actions: click the floppy icon, click File > Save, or press Ctrl-S.
2 Create a new OPSEC Application to represent the computer where the Check Point collector resides by completing the following actions in the order given:
  - Right-click Servers and OPSEC Applications > OPSEC Applications > New OPSEC Application.
  - In the New OPSEC Application window, type the name of the OPSEC application, and then make a note of the OPSEC application name. The OPSEC Application name must be different than the name that you specified for the host node in step 1.
  - From the Host drop-down menu, select the Host Node that was created in step 1.
  - In Client Entities, confirm that the check box for LEA is checked.
  - In Secure Internal Communication, click Communication, and then type an activation key (password). The Check Point collector sensor uses this key to establish SIC (Secure Internal Communication) and confirm the activation key. Make a note of the password.
  - Click Initialize. When you close the dialog box, the Trust State should change from Uninitialized to Initialized but trust not established.
  - Make a note of the SIC DN string that gets generated after you initialized SIC. For example, CN=ssim451mr1,O=cma1..hipfr8.
  - Click Close.
3 Make the Firewall Gateway aware of the OPSEC Application that connects to the Log Server (by LEA), by completing the following actions in the order given:
  - In the SmartDashboard, click Policy > Install. If a warning appears, click OK.
  - Click Firewall Gateway Installation Target, and then click OK.
  If the policy installation fails, a problem between the Firewall Gateway and the MDS/CMA may exist. The problem must be resolved before you continue.
4 In the SmartDashboard, double-click Network Objects > Check Point > Name_of_the_CMA.
5 In General Properties, make a note of the SIC DN. For example, CN=cp_mgmt,o=cma1..hipfr8.
6 On the MDS/CMA/Log server, for each CMA, open the appropriate configuration file using a text editor as follows:
  For Check Point Provider-1 NGX, open the following file:
    /var/opt/cpmds-r60/customs/cma_name/cpsuite-r60/fw1/conf/cpmad_opsec.conf

  For Check Point Provider-1 R55, open the following file:
    /var/opt/cpmds-r55/customs/cma_name/cpsuite-r55/fw1/conf/cpmad_opsec.conf
7 Clear the cpmad_opsec.conf file, and then add the following lines:
    lea_server ip
    lea_server auth_port
    lea_server port 0
    lea_server auth_type sslca
8 Save and close the file.
9 From the UNIX prompt, run the following command so the changes that you made to cpmad_opsec.conf take effect:
    cprestart

To configure Check Point Provider-1 with separate MLM/CLM computers
1 On a Check Point Provider-1 NGX installation, a single Global OPSEC application can be created using the Global SmartDashboard console and installed on all CMAs using a Global policy. On previous versions of Check Point Provider-1, individual OPSEC applications must be created for each CMA using the standard SmartDashboard.
  Using either the Global SmartDashboard or the standard SmartDashboard, create a new OPSEC application by completing the following steps in the order given:
  - Keep a record of the settings that you used. Include the name of the OPSEC application, the password, and the string that Check Point FireWall-1 Event Collector places in the DN field during configuration. These settings are also used to configure the sensor.
  - Install the policy database on the CLM from the CMA's SmartDashboard.
2 On the MLM server, for each CLM from which the collector collects event data, open the appropriate configuration using a text editor as follows:
  For Check Point Provider-1 NGX, open the following files:
    /var/opt/cpmds-r60/customers/clm_name/cpsuite-r60/fw1/conf/cpmad_opsec.conf
    /var/opt/cpmds-r60/customers/clm_name/cpsuite-r60/fw1/conf/fwopsec.conf
  For Check Point Provider-1 R55, open the following files:
    /var/opt/cpmds-r55/customers/cma_name/cpsuite-r55/fw1/conf/cpmad_opsec.conf

    /var/opt/cpmds-r55/customers/cma_name/cpsuite-r55/fw1/conf/fwopsec.conf
3 Clear the cpmad_opsec.conf file, and then add the following lines:
    lea_server ip
    lea_server port
    lea_server auth_port 0
    lea_server auth_type local
4 Edit the fwopsec.conf file by adding the following lines:
    lea_server auth_port 0
    lea_server port
    lea_server auth_type local
5 Save and close the file.
6 From the UNIX prompt, run the following command so the changes that were made to cpmad_opsec.conf take effect:
    cprestart

Running LiveUpdate for collectors

You can run LiveUpdate to receive collector updates such as support for new events and query updates.

If you install a collector on Information Manager 4.5, you must complete the following procedures in the order presented:
- Run LiveUpdate for collectors added to the Information Manager 4.5 appliance. See To run LiveUpdate for collectors added to the Information Manager 4.5 appliance on page 23.
- Verify that LiveUpdate ran successfully on Information Manager 4.5. See To verify that LiveUpdate ran successfully on Information Manager 4.5 on page 24.

If you install a collector on Information Manager 4.6, or if you use a collector that is preinstalled on Information Manager 4.6, you must complete the following procedures in the order presented:
- Use the Administrator Web page to run LiveUpdate.
- Use the Administrator Web page to verify that LiveUpdate ran successfully.
See To run LiveUpdate from the Administrator Web page on page 23.
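A consistency check for the cpmad_opsec.conf and fwopsec.conf contents given in the FireWall-1 procedures above (local, remote and distributed), written as an added example that is not part of this quick reference or of Symantec's or Check Point's software. It assumes the four-line "lea_server ..." format shown in those procedures, uses 18184 as a stand-in for the LEA port number the transcription leaves blank, and treats the distributed case as "local" because it uses the same file contents and relies on the firewall rule that keeps other hosts off the port:

```python
"""Check that cpmad_opsec.conf and fwopsec.conf match the quick reference.

Added example, not Symantec or Check Point code. It parses the 'lea_server'
lines the guide has you place in both files and reports anything that
departs from the guide for the chosen collector placement:

  local  (collector on the LEA server; the distributed case uses the same
          values plus a firewall rule restricting access to the port):
          auth_port 0, port <LEA port>, auth_type local
  remote (collector elsewhere, SIC certificate authentication):
          auth_port <LEA port>, port 0, auth_type sslca
"""
from typing import Dict, List

# Assumption: the quick reference leaves the LEA port number blank. 18184 is the
# conventional OPSEC LEA port and is used here only as a constructed sample value.
LEA_PORT = "18184"

# Values the guide specifies for each placement.
EXPECTED = {
    "local": {"auth_port": "0", "port": LEA_PORT, "auth_type": "local"},
    "remote": {"auth_port": LEA_PORT, "port": "0", "auth_type": "sslca"},
}

# Constructed sample file contents; 192.0.2.10 is a documentation address.
LOCAL_CONF = """\
lea_server ip 192.0.2.10
lea_server auth_port 0
lea_server port 18184
lea_server auth_type local
"""
REMOTE_CONF = """\
lea_server ip 192.0.2.10
lea_server auth_port 18184
lea_server port 0
lea_server auth_type sslca
"""


def parse_opsec_conf(text: str) -> Dict[str, str]:
    """Map each 'lea_server <key> [value]' line to its value.

    A key with no value (a half-filled file) maps to ''. Blank lines,
    '#' comments and lines that are not lea_server settings are ignored.
    """
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        parts = raw.strip().split()
        if not parts or parts[0].startswith("#") or parts[0] != "lea_server":
            continue
        if len(parts) >= 2:
            settings[parts[1]] = parts[2] if len(parts) >= 3 else ""
    return settings


def check_lea_settings(cpmad_text: str, fwopsec_text: str,
                       placement: str) -> List[str]:
    """Return findings for the two files; an empty list means they match the guide.

    placement is 'local' or 'remote'. Both files are compared with each other
    because the FireWall-1 procedures require identical contents, and each is
    compared against the values the guide gives for that placement.
    """
    if placement not in EXPECTED:
        raise ValueError(f"placement must be one of {sorted(EXPECTED)}")
    findings: List[str] = []
    cpmad = parse_opsec_conf(cpmad_text)
    fwopsec = parse_opsec_conf(fwopsec_text)
    if cpmad != fwopsec:
        findings.append("cpmad_opsec.conf and fwopsec.conf differ; "
                        "the guide requires identical contents")
    for name, conf in (("cpmad_opsec.conf", cpmad), ("fwopsec.conf", fwopsec)):
        if not conf.get("ip"):
            findings.append(f"{name}: 'lea_server ip' is missing or blank")
        for key, want in EXPECTED[placement].items():
            got = conf.get(key)
            if got != want:
                findings.append(f"{name}: lea_server {key} is {got!r}, "
                                f"expected {want!r} for a {placement} collector")
    return findings


if __name__ == "__main__":
    for placement, text in (("local", LOCAL_CONF), ("remote", REMOTE_CONF)):
        result = check_lea_settings(text, text, placement)
        print(f"{placement}: {'OK' if not result else result}")
```

Run it against the real files on the LEA or log server after step 3 or 4 of the procedure; a non-empty result means one of the two files was not cleared and rewritten as the guide requires.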

If you installed the collector on a separate computer, you must complete the following tasks in the order presented:
- Run LiveUpdate for a collector installed on a separate computer. See "To run LiveUpdate for a collector installed on a separate computer" on page 24.
- Verify that LiveUpdate ran successfully for a collector installed on a separate computer. See "To verify that LiveUpdate ran successfully for a collector installed on a separate computer" on page 25.

For information about running LiveUpdate on internal LiveUpdate servers, see the Symantec LiveUpdate Administrator User's Guide.

To run LiveUpdate from the Administrator Web page
1 From a Web browser, navigate to the Information Manager Administrator Web page, and then log in with administrator credentials.
2 From the list on the left, click LiveUpdate.
3 In the list of products, check Update in the check box of each item that you want to update. At the bottom of the page, you can also click Check All.
4 At the bottom of the page, click Update. If LiveUpdate runs successfully, the status column in the Summary page displays Success.
5 To troubleshoot a problem with LiveUpdate, under Session Log, click View Log File.

To run LiveUpdate for collectors added to the Information Manager 4.5 appliance
1 Connect to the Information Manager 4.5 appliance, and log in as root.
2 Navigate to the collectors directory. The default directory is /opt/symantec/sesa/agent/collectors/checkpoint
3 At the command prompt, type the following command:
sh ./runliveupdate.sh
4 To stop the Symantec Event Agent, type the following command:
service sesagentd stop
5 To change the ownership of the updated collector files, type the following command:
chown -R sesuser.ses *

6 Navigate to the Symantec Event Agent directory. The default directory is /opt/symantec/sesa/agent/
7 To restart the Symantec Event Agent, type the following command:
service sesagentd start

To verify that LiveUpdate ran successfully on Information Manager 4.5
1 Connect to the Information Manager 4.5 appliance, and log in as root.
2 Navigate to the collectors subdirectory of the Symantec Event Agent directory. The default directory is as follows:
/opt/symantec/sesa/agent/collectors/checkpoint
3 Verify that a file named LiveUpdate-Collector.txt exists. This text file shows the date of the last LiveUpdate and contains information about any defects that were addressed and any enhancements that were added.
4 Navigate to the LiveUpdate directory. The default directory is as follows:
/opt/symantec/liveupdate
5 To view the last 100 lines of the liveupdt.log file, type the following command:
tail -100 liveupdt.log | more
The first part of the log is in text format; the second part of the log repeats the information in XML format. If LiveUpdate was unsuccessful, a status message that notes the failure appears at the end of the log file. For example, Status = Failed (return code ).

To run LiveUpdate for a collector installed on a separate computer
1 On the collector computer, navigate to the collector directory as follows:
On Windows, the default directory is as follows:
C:\Program Files\Symantec\Event Agent\collectors\checkpoint
On UNIX, the default directory is as follows:
/opt/symantec/sesa/agent/collectors/checkpoint
2 At a command prompt, do one of the following tasks:
On Windows, type the following command:
runliveupdate.bat

On UNIX, as the root user, type the following command:
runliveupdate.sh

To verify that LiveUpdate ran successfully for a collector installed on a separate computer
1 On the collector computer, navigate to the collector directory as follows:
On Windows, the default directory is as follows:
C:\Program Files\Symantec\sesa\Event Agent\collectors\checkpoint
On UNIX, the default directory is as follows:
/opt/symantec/sesa/agent/collectors/checkpoint
2 Verify that a file named LiveUpdate-Collector.txt exists. This text file shows the date of the last LiveUpdate and contains information about any defects that were addressed and any enhancements that were added.
3 Navigate to the LiveUpdate directory as follows:
On Windows, the default LiveUpdate directory is as follows:
C:\Documents and Settings\All Users\Application Data\Symantec\Java LiveUpdate
On UNIX, the default LiveUpdate directory is as follows:
/opt/symantec/liveupdate
4 To view the liveupdt.log file, do one of the following tasks:
On Windows, use a text editor such as Notepad to view the liveupdt.log file.
On UNIX, to view the last 100 lines of the liveupdt.log file, type the following command:
tail -100 liveupdt.log | more
The first part of the log is in text format; the second part of the log repeats the information in XML format. If LiveUpdate was unsuccessful, a status message that notes the failure appears at the end of the log file. For example, Status = Failed (return code ).
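The two verification procedures above can be automated. The following is an added example, not code from the Symantec documentation or product: it checks that LiveUpdate-Collector.txt exists in the collector directory and that the tail of liveupdt.log carries no "Status = Failed (return code N)" message. The default paths are the UNIX defaults from the guide; the sample log lines, the "Status = Success" wording and the return code in them are constructed.

```python
"""Verify a collector LiveUpdate run the way the procedure above does by hand.

Added example, not part of the Symantec documentation or product. Default
paths are the UNIX defaults from the guide; the sample log lines and the
return code in them are constructed, not real LiveUpdate output.
"""
import os
import re
import tempfile

COLLECTOR_DIR = "/opt/symantec/sesa/agent/collectors/checkpoint"
LIVEUPDATE_DIR = "/opt/symantec/liveupdate"
MARKER_FILE = "LiveUpdate-Collector.txt"
LOG_FILE = "liveupdt.log"

# Shape of the failure message quoted in the guide: "Status = Failed (return code N)".
_FAILED_RE = re.compile(r"Status\s*=\s*Failed\s*\(return code\s*(\d+)\)")


def parse_log_status(log_text, tail_lines=100):
    """Return (ok, return_code) from the last tail_lines lines of liveupdt.log.

    Only the tail is examined, like `tail -100 liveupdt.log` in the procedure;
    the last failure message found wins, since it is written at the end of the log.
    """
    code = None
    for line in log_text.splitlines()[-tail_lines:]:
        match = _FAILED_RE.search(line)
        if match:
            code = int(match.group(1))
    return code is None, code


def verify_liveupdate(collector_dir=COLLECTOR_DIR, liveupdate_dir=LIVEUPDATE_DIR):
    """Run both checks and return a dict; "ok" is True only when every check passes."""
    marker = os.path.join(collector_dir, MARKER_FILE)
    log_path = os.path.join(liveupdate_dir, LOG_FILE)
    result = {
        "marker_present": os.path.isfile(marker),
        "log_present": os.path.isfile(log_path),
        "log_ok": False,
        "return_code": None,
    }
    if result["log_present"]:
        with open(log_path, encoding="utf-8", errors="replace") as fh:
            result["log_ok"], result["return_code"] = parse_log_status(fh.read())
    result["ok"] = result["marker_present"] and result["log_present"] and result["log_ok"]
    return result


# Constructed sample logs: the wording is invented; only the failure line follows the guide.
SAMPLE_LOG_OK = "LiveUpdate session started\nApplied checkpoint collector update\nStatus = Success\n"
SAMPLE_LOG_FAILED = "LiveUpdate session started\nUpdate server unreachable\nStatus = Failed (return code 4)\n"


def demo(failed=False):
    """Lay the two files out in a temporary tree and run the verification against it."""
    with tempfile.TemporaryDirectory() as root:
        cdir = os.path.join(root, "collectors", "checkpoint")
        ldir = os.path.join(root, "liveupdate")
        os.makedirs(cdir)
        os.makedirs(ldir)
        with open(os.path.join(cdir, MARKER_FILE), "w", encoding="utf-8") as fh:
            fh.write("Last LiveUpdate: (constructed marker file)\n")
        with open(os.path.join(ldir, LOG_FILE), "w", encoding="utf-8") as fh:
            fh.write(SAMPLE_LOG_FAILED if failed else SAMPLE_LOG_OK)
        return verify_liveupdate(cdir, ldir)


if __name__ == "__main__":
    print(demo())             # ok: True
    print(demo(failed=True))  # ok: False, return_code: 4
```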


Chapter 2 Implementation notes

This chapter includes the following topics:
- Product ID for Check Point FireWall-1 Event Collector
- Event example
- Schema packages
- Event mapping for Information Manager

Product ID for Check Point FireWall-1 Event Collector
The product ID of the collector is

Event example
The following is a log example:
time
orig
i/f_dir inbound
alert alert
has_accounting 0
product VPN-1 & FireWall-1
policy_id_tag product=vpn-1 & FireWall-1[db_tag={50CD2D74-9F60-11DA-B0DD-0A03005B3C3C};mgmt=CMA_2;date= ;policy_name=Standard]
Total logs 24
Suppressed logs 23
proto icmp
dst
src
message_info Ping Of Death

The following is the event structure:
time (event_date)
orig (machine)
i/f_dir (network_direction)
product (product name)
Total logs (event_count)
proto (network_protocol)
dst (destination_ip)
src (source_ip)
message_info (event_description)

The following is an audit log example:

time
action accept
orig
i/f_dir outbound
i/f_name
has_accounting 0
product SmartDashboard
Operation Log In
Machine checkpoint
Subject Administrator Login
Audit Status Failure
Additional Info Administrator failed to log in: Wrong Password
Operation Number 8

Schema packages
The collector uses the following schema packages:
- symc_base_class
- symc_host_intrusion
- symc_intrusion_class
- symc_network_class
- symc_firewall_network_class
- symc_fw_conn_stats_class

Event mapping for Information Manager
Table 2-1 shows event mapping for common fields.

Table 2-1 Event mapping for common fields
Information Manager field name | Check Point field name | Comment
-------------------------------|------------------------|-----------------------
Category ID                    | N/A                    | Assigned: Security ( )
Collection Device Host         | orig                   |
Event Date                     | time                   |
Logging Device IP              | orig                   |
Logging Device Name            | orig                   |
Vendor Device ID               | N/A                    | Assigned: 34

Table 2-2 shows event mapping for variable fields.

Table 2-2 Event mapping for variable fields
Information Manager field name | Check Point field name                    | Comment
-------------------------------|-------------------------------------------|--------------------------------------------
Description                    | message_info or product, whichever exists |
Destination Host Name          | dst, gateway, or orig, whichever exists   |
Event Class Name               | N/A                                       | symc_firewall_network, symc_network_intrusion, symc_fw_conn_stats, or symc_base. See Table 2-3
Event Count                    | logs                                      |
Event Type ID                  | N/A                                       | See Table 2-3
Firewall Direction ID          | i/f_dir                                   | Assigned numeric value. See Table 2-4
Firewall Event Details         | N/A                                       | Assigned. See Table 2-3
Firewall Source Interface Name | i/f_name                                  |
ICMP Code                      | icmp-code                                 |
ICMP Type ID                   | icmp-type                                 |
Intrusion Outcome ID           | N/A                                       | Assigned in certain events. See Table 2-5
IP Destination Address         | dst, gateway, or orig, whichever exists   |
IP Destination Port            | service                                   |
IP Source Address              | src, gateway, or orig, whichever exists   |
IP Source Port                 | s_port                                    |
Network Protocol               | proto                                     |

Table 2-2 Event mapping for variable fields (continued)
Information Manager field name    | Check Point field name                           | Comment
----------------------------------|--------------------------------------------------|---------------------------------------------
Network Protocol ID               | proto                                            | Assigned numeric value
Option 1                          | rule_uid                                         |
Rule                              | rule                                             |
Severity ID                       | N/A                                              | See Table 2-6
Source Host Name                  | src, gateway, or orig, whichever exists          |
Symantec Device Action            | N/A                                              | See Table 2-5
Target Resource                   | resource, ObjectName, or Info, whichever exists  |
TCP Flags                         | tcp_flags or th_flags                            | Exists in FW Connection Statistics events only
Translated Destination IP Address | xlatedst                                         |
Translated Destination Port       | xlatedport                                       |
Translated Source IP Address      | xlatesrc                                         |
Translated Source Port            | xlatesport                                       |
User ID                           | follows from user                                |
User Name                         |                                                  |
Vendor Signature                  | N/A                                              | Assigned based on existing text or general description of various events. See CheckPoint Vendor Signature list.csv

Table 2-3 shows Event Class Name, Event Type ID, and Firewall Event Details assignments.

Table 2-3 Event Class Name, Event Type ID, Firewall Event Details assignments
Event class name      | Event type ID        | Firewall event details | Check Point event criteria
----------------------|----------------------|------------------------|-----------------------------------------------------------------
symc_firewall_network | (Connection Dropped) | (Bad TCP flags)        | TCP packet out of state and Invalid TCP flag combination events

Table 2-3 Event Class Name, Event Type ID, Firewall Event Details assignments (continued)
Event class name       | Event type ID                  | Firewall event details  | Check Point event criteria
-----------------------|--------------------------------|-------------------------|-----------------------------------------------------------------
symc_firewall_network  | (Connection Rejected)          | (Service denied)        | Smart Defense Enforcement Violation events
symc_firewall_network  | (Connection Rejected)          | (No additional details) | Vendor Signature = CheckPointFTPGETDenied, CheckPointHTTPGETDenied, CheckPointFTPPUTDenied, CheckPointFTPSITEDenied, CheckPointSMTPMailDenied, CheckPointEncryptFail, or CheckPointPacketDropped AND "ftp not allowed" exists
symc_firewall_network  | (Connection Dropped)           | (No additional details) | Vendor Signature = CheckPointXMasPacketDropped, CheckPointFINPacketDropped, CheckPointPacketDropped, or CheckPointNullTCPPacketDropped
symc_firewall_network  | (User Authenticated)           | (No additional details) | Vendor Signature = CheckPointLoginSuccessful
symc_firewall_network  | (User Authentication Failed)   | (No additional details) | Vendor Signature = CheckPointLoginFailedInvalidUserName, CheckPointLoginFailed, or CheckPointMultipleLoginFailure
symc_firewall_network  | (Remote Management Connection) | (No additional details) | Vendor Signature = CheckPointLogOut, CheckPointObjectOperation, or CheckPointFileOperation
symc_fw_conn_stats     | (Connection Statistics)        | (No additional details) | Vendor Signature = CheckPointPacketPermitted, CheckPointFTPGETDetected, CheckPointFTPPUTDetected, CheckPointSMTPMailSent, or Invalid_DNS
symc_network_intrusion | (Network Intrusion Event)      | N/A                     | Address_Spoofing, Login_Failure, Successive_Alerts, Successive_Multiple_Connections, Blocked_Connection_Port_Scanning, Port_Scanning, Local_Interface_Spoofing, Denial_of_Service, teardrop, SYN_Attack, Ping_of_death, Large_ping, Land_attack, FTP_Bounce, Small_PMTU, CIFS_worm, URL_worm, Bad_packet, Bad_TCP_sequence, or Invalid_DNS AND "Smart Defense" exists

Table 2-3 Event Class Name, Event Type ID, Firewall Event Details assignments (continued)
Event class name | Event type ID        | Firewall event details | Check Point event criteria
-----------------|----------------------|------------------------|--------------------------------------
symc_base        | (Generic Base Event) | N/A                    | Vendor Signature = CheckPointCatchAll

Table 2-4 shows Firewall Direction ID assignments.

Table 2-4 Firewall Direction ID assignments
Firewall Direction ID | Check Point event criteria
----------------------|-----------------------------
Inbound               | INBOUND or inbound exists
Outbound              | OUTBOUND or outbound exists
Internal              | INTERNAL or internal exists
External              | EXTERNAL or external exists

Table 2-5 shows Intrusion Outcome ID and Symantec Device Action assignments.

Table 2-5 Intrusion Outcome ID and Symantec Device Action assignments
Intrusion Outcome ID | Symantec Device Action | Check Point event criteria
---------------------|------------------------|------------------------------------------------------------------------
(Failed)             |                        | CPaction field = failed
(Prevented)          |                        | CPaction field = drop, blocked, or reject
(Succeeded)          |                        | Vendor Signature = CheckPointObjectOperation or CheckPointFileOperation
(Unknown)            |                        | All other events where Event Class Name = symc_network_intrusion
N/A                  | (Accepted)             | Event Type ID = , , or
N/A                  | 1 (Deny)               | Event Type ID = or
N/A                  |                        | Event Type ID =
N/A                  |                        | Event Type ID =

Table 2-6 shows Severity ID assignments.

Table 2-6 Severity ID assignments
Severity ID       | Check Point event criteria
------------------|-------------------------------------------------------------------------------------------------------------------------------------
1 (Informational) | Description = Ping invoked by Sensor
2 (Warning)       | Vendor Signature = CheckPointPacketPermitted, CheckPointFTPGETDetected, CheckPointFTPPUTDetected, CheckPointSMTPMailSent, or CheckPointLoginSuccessful
4 (Major)         | Vendor Signature = CheckPointMultipleLoginFailure, Successive_Alerts, Denial_of_Service, CIFS_worm, or URL_worm
3 (Minor)         | All other events
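The assignment rules of Tables 2-3 through 2-6, applied to one record, as an added example that is not part of the collector or its documentation. A record is a dict keyed by Check Point field names as in the Chapter 2 log examples, the Vendor Signature is passed in separately because the collector assigns it from the event text, and numeric IDs are not reproduced because the page does not print them; the "CPaction field" is assumed to be the record's "action" key, the "exists" tests are assumed to be substring tests, and the sample records are constructed.

```python
"""Apply the Chapter 2 mapping tables to one Check Point FireWall-1 record.

Added example, not part of the collector or its documentation. Functions
return the labels the tables use, not the numeric IDs. Assumptions: the
"CPaction field" of Table 2-5 is the record's "action" key, Description is
message_info or product (Table 2-2), and the "exists" tests are substring
tests on i/f_dir (Table 2-4) or on the whole record text (Table 2-3).
"""

# Table 2-3 rows decided by Vendor Signature alone (class symc_firewall_network).
_FW_NET_ROWS = {
    "Connection Rejected": {"CheckPointFTPGETDenied", "CheckPointHTTPGETDenied",
                            "CheckPointFTPPUTDenied", "CheckPointFTPSITEDenied",
                            "CheckPointSMTPMailDenied", "CheckPointEncryptFail"},
    "Connection Dropped": {"CheckPointXMasPacketDropped", "CheckPointFINPacketDropped",
                           "CheckPointPacketDropped", "CheckPointNullTCPPacketDropped"},
    "User Authenticated": {"CheckPointLoginSuccessful"},
    "User Authentication Failed": {"CheckPointLoginFailedInvalidUserName",
                                   "CheckPointLoginFailed", "CheckPointMultipleLoginFailure"},
    "Remote Management Connection": {"CheckPointLogOut", "CheckPointObjectOperation",
                                     "CheckPointFileOperation"},
}
_CONN_STATS_SIGS = {"CheckPointPacketPermitted", "CheckPointFTPGETDetected",
                    "CheckPointFTPPUTDetected", "CheckPointSMTPMailSent", "Invalid_DNS"}
_INTRUSION_SIGS = {"Address_Spoofing", "Login_Failure", "Successive_Alerts",
                   "Successive_Multiple_Connections", "Blocked_Connection_Port_Scanning",
                   "Port_Scanning", "Local_Interface_Spoofing", "Denial_of_Service", "teardrop",
                   "SYN_Attack", "Ping_of_death", "Large_ping", "Land_attack", "FTP_Bounce",
                   "Small_PMTU", "CIFS_worm", "URL_worm", "Bad_packet", "Bad_TCP_sequence", "Invalid_DNS"}
# Table 2-6: signatures rated 2 (Warning) and 4 (Major).
_WARNING_SIGS = {"CheckPointPacketPermitted", "CheckPointFTPGETDetected",
                 "CheckPointFTPPUTDetected", "CheckPointSMTPMailSent", "CheckPointLoginSuccessful"}
_MAJOR_SIGS = {"CheckPointMultipleLoginFailure", "Successive_Alerts", "Denial_of_Service",
               "CIFS_worm", "URL_worm"}


def event_class(record, sig):
    """Table 2-3: return (Event Class Name, Event Type label).

    Invalid_DNS and CheckPointPacketDropped occur in two rows each, so the rows
    with a text condition are tested first. The Smart Defense Enforcement
    Violation and bad-TCP-flags rows are not signature based and are not modelled.
    """
    text = " ".join(str(v) for v in record.values())
    if sig in _INTRUSION_SIGS and "Smart Defense" in text:
        return "symc_network_intrusion", "Network Intrusion Event"
    if sig == "CheckPointPacketDropped" and "ftp not allowed" in text:
        return "symc_firewall_network", "Connection Rejected"
    for label, sigs in _FW_NET_ROWS.items():
        if sig in sigs:
            return "symc_firewall_network", label
    if sig in _CONN_STATS_SIGS:
        return "symc_fw_conn_stats", "Connection Statistics"
    return "symc_base", "Generic Base Event"  # CheckPointCatchAll (and unlisted signatures)


def firewall_direction(record):
    """Table 2-4: INBOUND/inbound, OUTBOUND/outbound, ... found in i/f_dir."""
    text = record.get("i/f_dir", "")
    for name in ("Inbound", "Outbound", "Internal", "External"):
        if name.upper() in text or name.lower() in text:
            return name
    return None


def intrusion_outcome(record, sig, cls):
    """Table 2-5, Intrusion Outcome ID rows in order; None where the table says N/A."""
    action = record.get("action", "")
    if action == "failed":
        return "Failed"
    if action in ("drop", "blocked", "reject"):
        return "Prevented"
    if sig in ("CheckPointObjectOperation", "CheckPointFileOperation"):
        return "Succeeded"
    if cls == "symc_network_intrusion":
        return "Unknown"
    return None


def severity_id(record, sig):
    """Table 2-6, top to bottom: 1 Informational, 2 Warning, 4 Major, otherwise 3 Minor."""
    description = record.get("message_info") or record.get("product")
    if description == "Ping invoked by Sensor":
        return 1
    if sig in _WARNING_SIGS:
        return 2
    if sig in _MAJOR_SIGS:
        return 4
    return 3


def map_event(record, sig):
    """Combine the table lookups into the Information Manager fields they feed."""
    cls, etype = event_class(record, sig)
    return {"event_class_name": cls, "event_type": etype,
            "firewall_direction": firewall_direction(record),
            "intrusion_outcome": intrusion_outcome(record, sig, cls),
            "severity_id": severity_id(record, sig),
            "ip_source_address": record.get("src"), "ip_destination_address": record.get("dst")}


# Constructed records shaped like the Chapter 2 examples (TEST-NET-1 addresses).
PING_OF_DEATH = {"i/f_dir": "inbound", "product": "VPN-1 & FireWall-1", "proto": "icmp",
                 "src": "192.0.2.10", "dst": "192.0.2.20", "message_info": "Ping Of Death",
                 "attack_info": "Smart Defense: Ping_of_death"}
LOGIN_FAILED = {"i/f_dir": "outbound", "action": "accept", "product": "SmartDashboard",
                "Operation": "Log In", "Audit Status": "Failure",
                "Additional Info": "Administrator failed to log in: Wrong Password"}
```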


Chapter 3 Event filtering and aggregation

This chapter includes the following topics:
- Event filtering and aggregation for Check Point FireWall-1 Event Collector

Event filtering and aggregation for Check Point FireWall-1 Event Collector
Firewalls generate many events that may not be required for correlating events. Depending on your environment, these events may be considered excess events. You can filter or aggregate similar events, provided that the role of Symantec Security Information Manager is not the retention of all events.

Possible filters and aggregators include the following examples:

Connection rejected
Connection rejected events indicate that the firewall is operating as it is configured. These events do not ordinarily pose security threats and can be filtered at the collector. This filter removes ICMP traffic that was rejected at the firewall. Filter or aggregator properties are set as follows:
Network Protocol ID =
Event Type ID =

Connection accepted
Connection accepted events are generated by legitimate network traffic. You can filter or aggregate these events by IP address. If an individual event from

an unwanted connection is accepted, and defense-in-depth principles are properly applied, the intrusion detection system identifies and reports the attack. This aggregation consolidates successful ICMP Echo Request connections from a single source. Filter or aggregator properties are set as follows:
ICMP Type ID = 8
Event Type ID =
IP Source Address as the similar property
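The two rules above, the Connection rejected filter and the Connection accepted aggregator keyed on IP Source Address, run over a constructed event stream. This is an added example, not code from the collector or its documentation: events are dicts with Information Manager field names, the Event Type IDs the page elides are stood in for by the labels "Connection rejected" and "Connection accepted", and the Network Protocol ID value 1 for ICMP (the IANA protocol number) is an assumption.

```python
"""Filter and aggregate collector events as Chapter 3 describes.

Added example, not part of the collector or its documentation. Events are
dicts keyed by Information Manager field names (Table 2-2); event types are
represented by the Chapter 3 labels because the numeric IDs are not on the
page, and the ICMP protocol ID and sample stream are constructed.
"""

ICMP_PROTOCOL_ID = 1     # assumed Network Protocol ID for ICMP
ICMP_ECHO_REQUEST = 8    # ICMP Type ID = 8 from the Connection accepted aggregator


def is_rejected_icmp(event):
    """Connection rejected filter: ICMP traffic that the firewall rejected."""
    return (event.get("network_protocol_id") == ICMP_PROTOCOL_ID
            and event.get("event_type") == "Connection rejected")


def is_accepted_echo(event):
    """Connection accepted aggregator match: a successful ICMP Echo Request."""
    return (event.get("icmp_type_id") == ICMP_ECHO_REQUEST
            and event.get("event_type") == "Connection accepted")


def aggregate_by_source(events):
    """Merge matching events that share IP Source Address (the similar property).

    The first event from each source is kept (as a copy) and its Event Count is
    raised by the counts of later ones; non-matching events pass through unchanged.
    """
    kept = []
    by_source = {}
    for event in events:
        if not is_accepted_echo(event):
            kept.append(event)
            continue
        source = event.get("ip_source_address")
        if source in by_source:
            by_source[source]["event_count"] += event.get("event_count", 1)
        else:
            by_source[source] = dict(event, event_count=event.get("event_count", 1))
            kept.append(by_source[source])
    return kept


def process(events):
    """Apply the Connection rejected filter, then the Connection accepted aggregator."""
    return aggregate_by_source(ev for ev in events if not is_rejected_icmp(ev))


# Constructed sample stream (TEST-NET-1 addresses; 6 stands for TCP); not real collector output.
SAMPLE_EVENTS = [
    {"event_type": "Connection accepted", "network_protocol_id": 1, "icmp_type_id": 8,
     "ip_source_address": "192.0.2.10", "ip_destination_address": "192.0.2.20", "event_count": 1},
    {"event_type": "Connection rejected", "network_protocol_id": 1, "icmp_type_id": 8,
     "ip_source_address": "192.0.2.11", "ip_destination_address": "192.0.2.20", "event_count": 1},
    {"event_type": "Connection accepted", "network_protocol_id": 1, "icmp_type_id": 8,
     "ip_source_address": "192.0.2.10", "ip_destination_address": "192.0.2.21", "event_count": 3},
    {"event_type": "Connection accepted", "network_protocol_id": 6, "icmp_type_id": None,
     "ip_source_address": "192.0.2.10", "ip_destination_address": "192.0.2.20", "event_count": 1},
    {"event_type": "Connection accepted", "network_protocol_id": 1, "icmp_type_id": 8,
     "ip_source_address": "192.0.2.12", "ip_destination_address": "192.0.2.20", "event_count": 1},
]

if __name__ == "__main__":
    for event in process(SAMPLE_EVENTS):
        print(event["event_type"], event["ip_source_address"], event["event_count"])
```

Of the five constructed events, the rejected ICMP event is dropped and the two echo requests from 192.0.2.10 collapse into one event with an Event Count of 4, leaving three events.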


More information

Configuring Symantec AntiVirus for NetApp Storage system

Configuring Symantec AntiVirus for NetApp Storage system Configuring Symantec AntiVirus for NetApp Storage system Configuring Symantec AntiVirus for NetApp Storage system The software described in this book is furnished under a license agreement and may be used

More information

Symantec NetBackup for Lotus Notes Administrator's Guide

Symantec NetBackup for Lotus Notes Administrator's Guide Symantec NetBackup for Lotus Notes Administrator's Guide for UNIX, Windows, and Linux Release 7.5 Symantec NetBackup for Lotus Notes Administrator's Guide The software described in this book is furnished

More information

Symantec Secure Email Proxy Administration Guide

Symantec Secure Email Proxy Administration Guide Symantec Secure Email Proxy Administration Guide Documentation version: 4.4 (2) Legal Notice Copyright 2014 Symantec Corporation. All rights reserved. Symantec, the Symantec Logo, and the Checkmark Logo

More information

Symantec AntiVirus for Network Attached Storage Integration Guide

Symantec AntiVirus for Network Attached Storage Integration Guide Symantec AntiVirus for Network Attached Storage Integration Guide Introducing Symantec AntiVirus for Network Attached Storage The software described in this book is furnished under a license agreement

More information

Symantec NetBackup for Microsoft SharePoint Server Administrator s Guide

Symantec NetBackup for Microsoft SharePoint Server Administrator s Guide Symantec NetBackup for Microsoft SharePoint Server Administrator s Guide for Windows Release 7.5 Symantec NetBackup for Microsoft SharePoint Server Administrator s Guide The software described in this

More information

Altiris Patch Management Solution for Windows 7.1 SP2 from Symantec User Guide

Altiris Patch Management Solution for Windows 7.1 SP2 from Symantec User Guide Altiris Patch Management Solution for Windows 7.1 SP2 from Symantec User Guide Altiris Patch Management Solution for Windows 7.1 SP2 from Symantec User Guide The software described in this book is furnished

More information

Symantec ApplicationHA agent for Microsoft Exchange 2010 Configuration Guide

Symantec ApplicationHA agent for Microsoft Exchange 2010 Configuration Guide Symantec ApplicationHA agent for Microsoft Exchange 2010 Configuration Guide Windows on Hyper-V 6.1 February 2014 Symantec ApplicationHA agent for Microsoft Exchange 2010 Configuration Guide The software

More information

Symantec Security Information Manager 4.5 Installation Guide

Symantec Security Information Manager 4.5 Installation Guide Symantec Security Information Manager 4.5 Installation Guide PN: 10912602 Symantec Security Information Manager 4.5 Installation Guide The software described in this book is furnished under a license agreement

More information

Recovering Encrypted Disks Using Windows Preinstallation Environment. Technical Note

Recovering Encrypted Disks Using Windows Preinstallation Environment. Technical Note Recovering Encrypted Disks Using Windows Preinstallation Environment Technical Note Preface Documentation version Documentation version: 11.0, Release Date: Legal Notice Copyright Symantec Corporation.

More information

PGP CAPS Activation Package

PGP CAPS Activation Package PGP CAPS Activation Package Administrator's Guide 9.12/10.0 The software described in this book is furnished under a license agreement and may be used only in accordance with the terms of the agreement.

More information

Symantec ApplicationHA agent for Internet Information Services Configuration Guide

Symantec ApplicationHA agent for Internet Information Services Configuration Guide Symantec ApplicationHA agent for Internet Information Services Configuration Guide Windows on Hyper-V 6.1 February 2014 Symantec ApplicationHA agent for Internet Information Services Configuration Guide

More information

Backup Exec 15. Quick Installation Guide

Backup Exec 15. Quick Installation Guide Backup Exec 15 Quick Installation Guide 21344987 Documentation version: 15 PN: 21344987 Legal Notice Copyright 2015 Symantec Corporation. All rights reserved. Symantec, the Symantec Logo, the Checkmark

More information

Veritas Cluster Server Database Agent for Microsoft SQL Configuration Guide

Veritas Cluster Server Database Agent for Microsoft SQL Configuration Guide Veritas Cluster Server Database Agent for Microsoft SQL Configuration Guide Windows Server 2003, Windows Server 2008 5.1 Service Pack 1 Veritas Cluster Server Database Agent for Microsoft SQL Configuration

More information

Veritas Cluster Server Library Management Pack Guide for Microsoft System Center Operations Manager 2007

Veritas Cluster Server Library Management Pack Guide for Microsoft System Center Operations Manager 2007 Veritas Cluster Server Library Management Pack Guide for Microsoft System Center Operations Manager 2007 Windows Server 2003, Windows Server 2008 VCS Library Management Pack Veritas Cluster Server Library

More information

Veritas Storage Foundation Scalable File Server Replication Guide 5.5

Veritas Storage Foundation Scalable File Server Replication Guide 5.5 Veritas Storage Foundation Scalable File Server Replication Guide 5.5 Veritas Storage Foundation Scalable File Server Replication Guide The software described in this book is furnished under a license

More information

Symantec NetBackup for DB2 Administrator's Guide

Symantec NetBackup for DB2 Administrator's Guide Symantec NetBackup for DB2 Administrator's Guide UNIX, Windows, and Linux Release 7.5 Symantec NetBackup for DB2 Administrator's Guide The software described in this book is furnished under a license agreement

More information

PGP Desktop Version 10.2 for Mac OS X Maintenance Pack Release Notes

PGP Desktop Version 10.2 for Mac OS X Maintenance Pack Release Notes PGP Desktop Version 10.2 for Mac OS X Maintenance Pack Release Notes Thank you for using this Symantec Corporation product. These Release Notes contain important information regarding this release of PGP

More information

Symantec Database Security and Audit 3100 Series Appliance. Getting Started Guide

Symantec Database Security and Audit 3100 Series Appliance. Getting Started Guide Symantec Database Security and Audit 3100 Series Appliance Getting Started Guide Symantec Database Security and Audit 3100 Series Getting Started Guide The software described in this book is furnished

More information

Symantec NetBackup for Microsoft SharePoint Server Administrator s Guide

Symantec NetBackup for Microsoft SharePoint Server Administrator s Guide Symantec NetBackup for Microsoft SharePoint Server Administrator s Guide for Windows Release 7.6 Symantec NetBackup for Microsoft SharePoint Server Administrator s Guide The software described in this

More information

Altiris Monitor Solution for Servers 7.5 from Symantec User Guide

Altiris Monitor Solution for Servers 7.5 from Symantec User Guide Altiris Monitor Solution for Servers 7.5 from Symantec User Guide Altiris Monitor Solution for Servers 7.5 from Symantec User Guide The software described in this book is furnished under a license agreement

More information

Configuring Symantec Protection Engine for Network Attached Storage 7.5 for NetApp Data ONTAP

Configuring Symantec Protection Engine for Network Attached Storage 7.5 for NetApp Data ONTAP Configuring Symantec Protection Engine for Network Attached Storage 7.5 for NetApp Data ONTAP Configuring Symantec Protection Engine for Network Attached Storage 7.5 for NetApp Data ONTAP. The software

More information

Getting Started with Symantec Endpoint Protection

Getting Started with Symantec Endpoint Protection Getting Started with Symantec Endpoint Protection 20983668 Getting Started with Symantec Endpoint Protection The software described in this book is furnished under a license agreement and may be used only

More information

Symantec Enterprise Vault

Symantec Enterprise Vault Symantec Enterprise Vault Reporting 10.0 Symantec Enterprise Vault: Reporting The software described in this book is furnished under a license agreement and may be used only in accordance with the terms

More information

Symantec Enterprise Vault

Symantec Enterprise Vault Symantec Enterprise Vault Setting up SMTP Archiving 10.0 Symantec Enterprise Vault: Setting up SMTP Archiving The software described in this book is furnished under a license agreement and may be used

More information

Symantec NetBackup for Enterprise Vault Agent Administrator's Guide

Symantec NetBackup for Enterprise Vault Agent Administrator's Guide Symantec NetBackup for Enterprise Vault Agent Administrator's Guide for Windows Release 7.6 The software described in this book is furnished under a license agreement and may be used only in accordance

More information

Symantec NetBackup AdvancedDisk Storage Solutions Guide. Release 7.5

Symantec NetBackup AdvancedDisk Storage Solutions Guide. Release 7.5 Symantec NetBackup AdvancedDisk Storage Solutions Guide Release 7.5 21220064 Symantec NetBackup AdvancedDisk Storage Solutions Guide The software described in this book is furnished under a license agreement

More information

Symantec Mail Security for Microsoft Exchange Management Pack Integration Guide

Symantec Mail Security for Microsoft Exchange Management Pack Integration Guide Symantec Mail Security for Microsoft Exchange Management Pack Integration Guide Symantec Mail Security for Microsoft Exchange Management Pack Integration Guide The software described in this book is furnished

More information

Veritas Storage Foundation and High Availability Solutions HA and Disaster Recovery Solutions Guide for Enterprise Vault

Veritas Storage Foundation and High Availability Solutions HA and Disaster Recovery Solutions Guide for Enterprise Vault Veritas Storage Foundation and High Availability Solutions HA and Disaster Recovery Solutions Guide for Enterprise Vault Windows Server 2003 Windows Server 2008 5.1 Service Pack 2 Veritas Storage Foundation

More information

Symantec NetBackup Clustered Master Server Administrator's Guide

Symantec NetBackup Clustered Master Server Administrator's Guide Symantec NetBackup Clustered Master Server Administrator's Guide for Windows, UNIX, and Linux Release 7.5 Symantec NetBackup Clustered Master Server Administrator's Guide The software described in this

More information

Symantec ApplicationHA Agent for Microsoft Internet Information Services (IIS) Configuration Guide

Symantec ApplicationHA Agent for Microsoft Internet Information Services (IIS) Configuration Guide Symantec ApplicationHA Agent for Microsoft Internet Information Services (IIS) Configuration Guide Windows Server 2003, Windows Server 2008 and 2008 R2 6.0 September 2011 Symantec ApplicationHA Agent for

More information

Altiris Asset Management Suite 7.1 SP2 from Symantec User Guide

Altiris Asset Management Suite 7.1 SP2 from Symantec User Guide Altiris Asset Management Suite 7.1 SP2 from Symantec User Guide Altiris Asset Management Suite 7.1 SP2 from Symantec User Guide The software described in this book is furnished under a license agreement

More information

Symantec Security Information Manager 4.7.4 Administrator Guide

Symantec Security Information Manager 4.7.4 Administrator Guide Symantec Security Information Manager 4.7.4 Administrator Guide Symantec Security Information Manager 4.7.4 Administrator Guide The software described in this book is furnished under a license agreement

More information

Symantec NetBackup PureDisk Deduplication Option Guide

Symantec NetBackup PureDisk Deduplication Option Guide Symantec NetBackup PureDisk Deduplication Option Guide Windows, Linux, and UNIX Release 6.6.5 Revision 1 The software described in this book is furnished under a license agreement and may be used only

More information

Symantec Patch Management Solution for Windows 7.5 SP1 powered by Altiris User Guide

Symantec Patch Management Solution for Windows 7.5 SP1 powered by Altiris User Guide Symantec Patch Management Solution for Windows 7.5 SP1 powered by Altiris User Guide Altiris Patch Management Solution for Windows 7.5 SP1 from Symantec User Guide The software described in this book is

More information

Symantec Backup Exec TM 11d for Windows Servers. Quick Installation Guide

Symantec Backup Exec TM 11d for Windows Servers. Quick Installation Guide Symantec Backup Exec TM 11d for Windows Servers Quick Installation Guide September 2006 Symantec Legal Notice Copyright 2006 Symantec Corporation. All rights reserved. Symantec, Backup Exec, and the Symantec

More information

bv-control for Active Directory v8.50 User Guide

bv-control for Active Directory v8.50 User Guide bv-control for Active Directory v8.50 User Guide bv-control for Active Directory v8.50 bv-control for Active Directory User Guide The software described in this book is furnished under a license agreement

More information

Symantec bv-control for Microsoft Exchange 9.0 Getting Started Guide

Symantec bv-control for Microsoft Exchange 9.0 Getting Started Guide Symantec bv-control for Microsoft Exchange 9.0 Getting Started Guide Symantec bv-control for Microsoft Exchange 9.0 Getting Started Guide The software described in this book is furnished under a license

More information

Veritas Operations Manager Advanced 5.0 HSCL Pack 1 Release Notes

Veritas Operations Manager Advanced 5.0 HSCL Pack 1 Release Notes Veritas Operations Manager Advanced 5.0 HSCL Pack 1 Release Notes November 2012 Veritas Operations Manager Advanced Release Notes The software described in this book is furnished under a license agreement

More information

Symantec Storage Foundation and High Availability Solutions Microsoft Clustering Solutions Guide for Microsoft SQL Server

Symantec Storage Foundation and High Availability Solutions Microsoft Clustering Solutions Guide for Microsoft SQL Server Symantec Storage Foundation and High Availability Solutions Microsoft Clustering Solutions Guide for Microsoft SQL Server Windows 6.1 February 2014 Symantec Storage Foundation and High Availability Solutions

More information

Symantec Security Information Manager 4.7.4 Release Notes

Symantec Security Information Manager 4.7.4 Release Notes Symantec Security Information Manager 4.7.4 Release Notes Symantec Security Information Manager 4.7.4 Release Notes The software described in this book is furnished under a license agreement and may be

More information

Symantec NetBackup Plug-in for VMware vcenter Guide. Release 7.6

Symantec NetBackup Plug-in for VMware vcenter Guide. Release 7.6 Symantec NetBackup Plug-in for VMware vcenter Guide Release 7.6 Symantec NetBackup Plug-in for vcenter Guide The software described in this book is furnished under a license agreement and may be used only

More information

Symantec Endpoint Protection Small Business Edition Client Guide

Symantec Endpoint Protection Small Business Edition Client Guide Symantec Endpoint Protection Small Business Edition Client Guide Symantec Endpoint Protection Small Business Edition Client Guide The software described in this book is furnished under a license agreement

More information

Veritas Storage Foundation and High Availability Solutions Getting Started Guide

Veritas Storage Foundation and High Availability Solutions Getting Started Guide Veritas Storage Foundation and High Availability Solutions Getting Started Guide Linux 5.1 Service Pack 1 Platform Release 2 Veritas Storage Foundation and High Availability Solutions Getting Started Guide

More information

Symantec Endpoint Protection Integration Component 7.5 Release Notes

Symantec Endpoint Protection Integration Component 7.5 Release Notes Symantec Endpoint Protection Integration Component 7.5 Release Notes Symantec Endpoint Protection Integration Component 7.5 Release Notes Legal Notice Copyright 2013 Symantec Corporation. All rights reserved.

More information

Getting Started - Client VPN

Getting Started - Client VPN Getting Started - Client VPN Symantec Client VPN v9.0 This chapter includes the following topics: What is new in this release on page 2 System requirements on page 3 Documentation on page 3 Upgrading to

More information