Eventia Suite. Getting Started Guide. Version: NGX R January 10, 2007

Transcription

1 TM Eventia Suite Getting Started Guide Version: NGX R January 10, 2007

2

3 Check Point Software Technologies Ltd. All rights reserved. This product and related documentation are protected by copyright and distributed under licensing restricting their use, copying, distribution, and decompilation. No part of this product or related documentation may be reproduced in any form or by any means without prior written authorization of Check Point. While every precaution has been taken in the preparation of this book, Check Point assumes no responsibility for errors or omissions. This publication and features described herein are subject to change without notice. RESTRICTED RIGHTS LEGEND: Use, duplication, or disclosure by the government is subject to restrictions as set forth in subparagraph (c)(1)(ii) of the Rights in Technical Data and Computer Software clause at DFARS and FAR TRADEMARKS: Check Point Software Technologies Ltd. All rights reserved. Check Point, Application Intelligence, Check Point Express, the Check Point logo, AlertAdvisor, ClusterXL, ConnectControl, Connectra, Cooperative Enforcement, Cooperative Security Alliance, CoSa, DefenseNet, Eventia, Eventia Analyzer, Eventia Reporter, FireWall-1, FireWall-1 GX, FireWall-1 SecureServer, FloodGate-1, Hacker ID, IMsecure, INSPECT, INSPECT XL, Integrity, InterSpect, IQ Engine, NGX, Open Security Extension, OPSEC, OSFirewall, Policy Lifecycle Management, Provider- 1, SecureClient, SecureKnowledge, SecuRemote, SecurePlatform, SecureServer, SecureUpdate, SecureXL, SecureXL Turbocard, SiteManager-1, SmartCenter, SmartCenter Power, SmartCenter Pro, SmartCenter UTM, SmartDashboard, SmartDefense, SmartDefense Advisor, Smarter Security, SmartLSM, SmartMap, SmartUpdate, SmartView, SmartView Monitor, SmartView Reporter, SmartView Status, SmartViewTracker, SofaWare, SSL Network Extender, Stateful Clustering, TrueVector, Turbocard, UAM, UserAuthority, User-to-Address Mapping, VPN-1, VPN-1 Accelerator Card, VPN-1 Edge, VPN-1 Power, VPN-1 Power VSX, VPN-1 Pro, VPN-1 SecureClient, VPN-1 SecuRemote, VPN-1 SecureServer, VPN-1 UTM, VPN-1 UTM Edge, VPN-1 VSX, Web Intelligence, ZoneAlarm, ZoneAlarm Anti-Spyware, ZoneAlarm Antivirus, ZoneAlarm Internet Security Suite, ZoneAlarm Pro, Zone Labs, and the Zone Labs logo are trademarks or registered trademarks of Check Point Software Technologies Ltd. or its affiliates. All other product names mentioned herein are trademarks or registered trademarks of their respective owners. The products described in this document are protected by U.S. Patent No. 5,606,668, 5,835,726, 6,496,935, 6,873,988, and 6,850,943 and may be protected by other U.S. Patents, foreign patents, or pending applications. For third party notices, see THIRD PARTY TRADEMARKS AND COPYRIGHTS on page 47. 3

4 4

5 Contents Chapter 1 Architecture Overview... 8 Data Analysis and Event Identification Event Management Eventia Analyzer Client Log Consolidation Eventia Reporter Generator Eventia Reporter Client Interoperability with SmartCenter Check Point Licenses Chapter 2 Installing the Eventia Suite Introduction Installation Windows Platform Solaris, Linux and SecurePlatform Enabling Connectivity Through a Firewall Preparing Eventia Suite in SmartCenter Preparing Eventia Suite on Provider-1 MDS For Provider-1/SiteManager-1 Version R For Provider-1/SiteManager-1 Version R For Provider-1/SiteManager-1 Version R61 and Up Table of Contents 5

6 Chapter 3 Initial Configuration Introduction to Initial Configuration...32 Enabling Connectivity with Provider-1/SiteManager Configuring the Eventia Suite Clients...34 Installing the Eventia Suite Clients Define the Internal Network for Eventia Analyzer Creating a Consolidation Session for Eventia Reporter Defining Correlation Units and Log Servers for Eventia Analyzer 38 Incorporating Third-Party Devices...39 Syslog Devices Windows Events SNMP Traps Chapter 4 Upgrading Eventia 6

7 Chapter 1 Architecture In This Chapter Overview page 8 Data Analysis and Event Identification page 10 Event Management page 11 Eventia Analyzer Client page 11 Log Consolidation page 11 Eventia Reporter Generator page 11 Eventia Reporter Client page 12 Interoperability with SmartCenter page 12 Check Point Licenses page 12 7

8 Overview Overview Eventia Suite has several components that work together to help track down security threats and make your network more secure: Correlation Unit, which analyzes log entries on Log Servers Eventia Analyzer TM Server, which contains the Events Database Eventia Analyzer Client, which manages Eventia Analyzer Eventia Reporter TM Server, which contains the Reporter Database. Eventia Reporter Client, which manages the Reporter. They work together in the following manner:. The Correlation Unit analyzes each log entry as it enters a Log Server, looking for patterns according to the installed Event Policy. The logs contain data from both Check Point products and certain third-party devices. When a threat pattern is identified, the Correlation Unit forwards what is known as an event to the Eventia Analyzer Server. When the Eventia Analyzer Server receives events from a Correlation Unit, it assigns a severity level to the event, invokes any defined automatic reactions, and adds the event to the Events Database, which resides on the server. The severity level and automatic reaction are based on the Events Policy. The Eventia Analyzer Client displays the received events, and is the place to manage events (such as filtering and closing events) and fine-tune and install the Events Policy. On the Eventia Reporter Server the Log Consolidator process reads logs from log servers and stores the relevant logs in the Eventia Reporter database. The Eventia Reporter Generator generates reports from data in the Eventia Reporter database. It also generates reports based on events found in the Eventia Analyzer database. 8

9 Overview The Eventia Reporter Client allows the creation of Log Consolidation sessions and allows the users to edit, schedule and generate reports. It also enables users to manage the Eventia Reporter Server. The Eventia Suite components can be installed on a single machine or spread out over multiple machines and sites to handle higher volumes of logging activity. Figure 1-1 Eventia Suite Architecture Chapter 1 Architecture 9

10 Data Analysis and Event Identification Depending on the volume of logging activity and load on the machines, you may want to install multiple Correlation Units, each of which can analyze the logs of multiple Log Servers. You may also wish to install the Eventia Reporter server on a separate machine from the Eventia Analyzer Server. Note - If the Eventia Analyzer is installed without Eventia Reporter some Eventia Reporter components are installed to enable the generate of Eventia Analyzer reports. The Eventia Reporter Client will only contain Eventia Analyzer reports. Data Analysis and Event Identification The Correlation Unit is responsible for identifying events, which it does by analyzing log entries. When analyzing a log entry, the Correlation Unit does one of the following: Marks log entries that by themselves are not events, but may be part of a larger pattern to be identified in the near future. Takes a log entry that meets one of the criteria set in the Events Policy and generates an event. Takes a log entry that is part of a group of items that together depict a security event. New log entries may be added to ongoing events. Discards all log entries that do not meet event criteria. 10

11 Event Management Event Management The Eventia Analyzer Server receives all the items that are identified as an event by the Correlation Unit(s). Further analysis takes place on the Eventia Analyzer Server to determine the severity level of the event and what action should take place. The event is then stored in the system database. Eventia Analyzer Client The Eventia Analyzer Client is used to configure the system, define the rules and monitor the events. The Eventia Analyzer Client interacts with the Eventia Analyzer Server and database. Log Consolidation The Log Consolidator reads the logs from the log servers and stores relevant logs in the Eventia Reporter database. The logs that are stored and the level of consolidation can be configured through the consolidation policy that is found in SmartDashboard. Eventia Reporter Generator The Eventia Reporter Generator generates reports on demand or on schedule as defined in the Eventia Reporter Server. After a report is generated it is stored on the server and can be distributed to a web server, sent via or distributed in a custom manner. Chapter 1 Architecture 11

12 Eventia Reporter Client Eventia Reporter Client The Eventia Reporter Client is used to: access and schedule reports customize report definitions create consolidation sessions manage space on the Eventia Reporter database manage memory allocation Interoperability with SmartCenter Eventia Suite imports certain objects from the SmartCenter Server to define the internal network without having to recreate the objects in the Eventia Reporter and Eventia Analyzer. Changes made to the objects on the SmartCenter Server are reflected in the Eventia Clients. Eventia Suite can work with multiple versions of SmartCenter Management and Provider-1/SiteManager-1 from R55 and up. In addition, Eventia Analyzer can work with SmartCenter Management R54. Check Point Licenses Check Point software is activated with a License Key. You can obtain this License Key by registering the Certificate Key that appears on the back of the software media pack, in the Check Point User Center. The Certificate Key is used in order to receive a License Key for products that you are evaluating. 12

13 Check Point Licenses In order to purchase the required Check Point products, contact your reseller. Check Point software that has not yet been purchased will work for a period of 15 days. You are required to go through the User Center in order to register this software. 1. Activate the Certificate Key shown on the back of the media pack via Check Point User Center at The Certificate Key activation process consists of: adding the Certificate Key activating the products choosing the type of license entering the software details Once this process is complete, a License Key is created and made available to you. 2. Once you have a new License Key, you can start the installation and configuration process. During this process, you will be required to: read the End Users License Agreement and if you accept it, select Yes. import the license that you obtained from the User Center for the product that you are installing. Licenses are imported via the Check Point Configuration Tool. The License Keys tie the product license to the IP address of the Eventia Analyzer Server. This means that: Only one IP address is needed for all licenses. All licenses are installed on the Eventia Suite Server. Correlation Units are licensed by the number of units that are attached to the Eventia Analyzer Server. Chapter 1 Architecture 13

14 Check Point Licenses 14

15 Chapter 2 Installing the Eventia Suite In This Chapter Introduction page 16 Installation page 17 Enabling Connectivity Through a Firewall page 21 Preparing Eventia Suite in SmartCenter page 23 Preparing Eventia Suite on Provider-1 MDS page 25 15

16 Introduction Introduction This chapter covers installing Eventia Suite which is comprised of the following: Eventia Reporter which consists of the Eventia Reporter Server and the Eventia Reporter Client. Eventia Analyzer which consists of the Eventia Analyzer Server, Correlation Unit and the Eventia Analyzer Client. For Hardware Requirements and Supported Platforms please refer to the NGX R63 Release Notes document. This installation process consists of three phases: 1. Install Eventia Suite 2. Prepare Eventia Suite in SmartCenter 3. Configuring Eventia Suite To perform steps 2 and 3 refer to the Initial Configuration on page

17 Installation Installation In This Section Windows Platform page 17 Solaris, Linux and SecurePlatform page 19 Note - Eventia Suite is installed on a separate machine than the SmartCenter Server. Windows Platform The Eventia Suite is installed on top of a log server and therefore the installation consists of two components: Log Server Package found under the <platform>/cpvpn folder on the installation disk. Eventia Suite Package found under the <platform>/eventiasuite folder on the installation disk. To install the Log Server package perform the following on the machine that will hold the Eventia Suite: 1. Login as an administrator. 2. Go to the directory windows\cpvpn and double-click the setup.exe. The Installation Wizard begins. 3. Click Next and Yes to accept the agreement. 4. In the Destination Location window verify that the location of the Log Server is correct and click Next. 5. Click OK to finish the installation. Chapter 2 Installing the Eventia Suite 17

18 Installation To install the Eventia Suite package perform the following on the machine that contains the Log Server package: 1. Login as an administrator. 2. Go to the directory windows\eventiasuite and double-click the setup.exe. The Installation Wizard begins. 3. Click Next and Yes to accept the agreement. 4. Select the components you wish to install (Eventia Reporter, Eventia Analyzer Server and/or Correlation Unit) and click Next. 5. In the Destination Location window verify that the location of the Eventia Suite package is correct and click Next. Select a disk that has a lot of space since this is the location of your Eventia Reporter database. The Check Point Configuration program, CPConfig, opens. 6. Select Add to enter the Product License information provided by Check Point and click OK and then Next. Alternatively, you may use the 15-day evaluation license. 7. The Administrators window appears. Select Add and enter the administrator name and password. Select OK. Then set permissions for the administrator. Add more administrators if you like, and then select Next. 8. The GUI Clients window appears. Type in the IP address for a machine that will run the Eventia Analyzer Client in the Remote Hostname field. Select Add. Add more GUI Clients if you like, and then select Next. 9. To ensure secure communication between the Eventia Suite and SmartCenter servers, an identical Activation Key must be set on both. Enter a Secure Internal Communication (SIC) activation key and record it to be entered later on the SmartCenter server. Select Finish. 18

19 Installation 10. To complete the installation of Eventia Reporter and continue with the next phase of the installation, select Yes and click Finish to reboot the machine. Solaris, Linux and SecurePlatform The installation for Solaris and Linux systems is nearly identical. Where it is not, the instructions detail the differences. 1. On Linux: a. Login as root. b. run the command rpm -i <mount point>/linux/cpvpn/cpsuite-r63-00.i386.rpm c. run the command rpm -i <mount point>/linux/eventiasuite/cprt-r63-00.i386.rpm On Solaris: a. Login as root. b. CD to a temporary directory and extract the packages <mount point>/solaris2/cpvpn/cpsuite.tgz and <mount point>/solaris2/eventiasuite.tgz with the following command: gtar xvfz <path_to_the_package> Enter the command pkgadd -d./ and install both the cpsuite and Eventia Suite packages. On SecurePlatform: a. Insert the installation CD into the disk drive. b. Reboot. c. Follow the steps that appear. Note - Installing SecurePlatform reformats the computers hard disk. Chapter 2 Installing the Eventia Suite 19

20 Installation For additional details refer to the SecurePlatform User Guide. 2. Log out and log in again. On SecurePlatform login with username admin and pasword admin. Since this is the initial username and password you will be prompted to change the password. 3. Run the command cpconfig. 4. Read the License Agreement and, if you accept, type Y to continue. 5. In the next window that appears select the components you wish to install (Eventia Reporter, Eventia Analyzer Server and/or Correlation Unit) and select Next 6. Enter the license information you received from Check Point or use the 15-day evaluation license. 7. Add an administrator for the Eventia Suite by typing Y and entering the administrator name and password. Then set permissions for the administrator. Add more administrators if you like, and then type N to advance to the next screen. 8. To configure GUI Clients, type Y and enter the IP addresses of the machines that are permitted to run the Eventia Analyzer and Reporter Clients. Then type N to advance to the next screen. 9. To ensure secure communication between the Eventia Suite and SmartCenter servers, an identical activation key must be set on both. Enter a SIC activation key and record it to be entered later on the SmartCenter server. 10. The system will now ask if you want to start the installed products. Answer Y. 20

21 Enabling Connectivity Through a Firewall Enabling Connectivity Through a Firewall Certain additions to the Rule Base need to be made if a Firewall exists between any Eventia Suite components and the Management Server, and either of the following conditions apply: the management is prior to NGX (R60) the implied rules have been disabled If either of these conditions is true, modify the Rule Base to enable connectivity between components as follows: Table 2-1 Additions to the Rule Base to Enable Connectivity Source Destination Service Eventia Analyzer Client Eventia Reporter Client Management Server Eventia Analyzer Server Eventia Analyzer Server Correlation Unit Third-party devices that issue syslog messages Eventia Analyzer Server Eventia Reporter Server Eventia Analyzer and Reporter Server Management Server Correlation Unit Eventia Analyzer Server Log Server enabled to receive syslog messages CPMI CPMI CPMI, FW1_ica_push FW1_sam CPD, CPD_amon CPD_seam (TCP/18266) UDP syslog Chapter 2 Installing the Eventia Suite 21

22 Enabling Connectivity Through a Firewall For NGX SmartCenter R60 the following rule needs to be added to the Rule Base if a firewall exists between any Eventia Analyzer components and the Management Server: Source Destination Service Correlation Unit Log Server LEA 22

23 Preparing Eventia Suite in SmartCenter Preparing Eventia Suite in SmartCenter 1. Launch SmartDashboard. 2. Create a new host for each Eventia Suite machine that contains an Eventia Suite component: Manage > Network Object > New > Check Point > Host 3. In the General Properties window, click Communication and enter the activation key. Note - If the SmartCenter Server and Eventia Suite are installed on either side of a firewall, add a rule to the firewall that allows SIC communication between the two. 4. The version is not automatically entered if the Eventia Suite s version is newer than SmartCenter. If so, select the most recent version available from the Version drop-down list. 5. In the Check Point product list, select the appropriate Eventia Suite component that you installed on the host that you created in step 2. If the SmartCenter version is pre-ngx, select both SmartView Reporter and Log Server in place of Eventia Analyzer Server or Eventia Correlation Unit. Chapter 2 Installing the Eventia Suite 23

24 Preparing Eventia Suite in SmartCenter 6. Install the Security Policy, (Policy > Install) or install the database (Policy > Install Database) to make the Eventia Suite functional. 7. In order to enable the Eventia Analyzer Server to block attacks from specific IP addresses, the Management Server must be configured to accept SAM commands from the Eventia Analyzer Server. On the Management Server, edit the file sic_policy.conf, which is located in the directory $CPDIR\conf. Search for the section [Inbound rules], and add the following line under # sam proxy: DN_Mgmt ; Reporting_Tool; ANY; sam ; sslca 8. From the command line in the Management Server machine run the following commands: cpstop cpstart 24

25 Preparing Eventia Suite on Provider-1 MDS Preparing Eventia Suite on Provider-1 MDS Preparing Eventia Suite on Provider-1 MDS varies according to the version you are currently working with. Refer to the appropriate section below based on your version of Provider-1. For Provider-1/SiteManager-1 Version R55 In Provider-1/SiteManager-1 R55, Eventia Suite can read the logs of multiple CMAs with the use of putkey operations. 1. In the Provider-1/SiteManager-1 Global SmartDashboard, create a Check Point Host Object, name it, enter its IP address and enable the product SmartView Reporter. 2. Select Communication and enter the activation key you created during installation. Select Initialize to establish communication. Note - Do not run the Get Version operation. Instead, specify the most recent version possible. 3. Select Close and OK. 4. From the File menu, select Save. 5. From the MDG, install Global Policy on all CMAs participating with Eventia Suite. 6. For each CMA participating with Eventia Suite, open its SmartDashboard, select Policy > Install Database, and select only the Log Servers and the CMA from which you want the Eventia Suite to read logs. 7. From the command line of the Eventia machine run the following commands: Chapter 2 Installing the Eventia Suite 25

26 Preparing Eventia Suite on Provider-1 MDS a. syslog -r b. cpstop c. cpstart Note - Wait a couple of minutes for the objects to synchronize between the MDS and Eventia Analyzer. 8. On the Eventia Suite machine and/or the Correlation Unit machine that will read logs from a CMA, run the command cpstop. 9. Edit the file sic_policy.conf, which is located in the directory $CPDIR/conf. Search for the section [Outbound rules], and change the following lines from: # for log_export tool and Abacus analyzer ANY ;ANY ;ANY; lea ; sslca to: # for log_export tool, Eventia Analyzer Provider-1 ANY ;ANY ;ANY; lea ; ssl, sslca Note - Be sure to insert ssl, before sslca. 10. On the Eventia Suite machine, run the command cpstart. 11. On the Provider-1/SiteManager-1 MDS, run the command mdsstop. 12. Edit the file sic_policy.conf, which is located in the directory $CPDIR/conf. In the section [Inbound rules], locate the following two lines: # log export to DB utility (lea client from any SVN host) ANY ; CP_PRODUCT; ANY; lea ; sslca 26

27 Preparing Eventia Suite on Provider-1 MDS Add the following rule after these lines: ANY ;ANY ;ANY; lea ; ssl 13. Run the command mdsstart. 14. Execute the putkey operation in the following manner: a. On the Eventia Suite machine, run cpstop and fw putkey -p [shared_password] [CMA_IP]. b. On the MDS, while in the CMA environment, run mdsstop_customer [CMA_IP] and fw putkey -p [shared_ password] [Eventia Suite Server_IP] Note - Enter the command mdsenv <customer_name> to switch to the appropriate CMA environment. To return to the MDS environment, enter the command mdsenv. c. Run mdsstart_customer [CMA_IP] on the CMA. d. Run cpstart on the Eventia Suite machine. Note - Wait a few minutes for the putkey operation to complete. For Provider-1/SiteManager-1 Version R60 1. In Global SmartDashboard, create a Check Point Host Object, name it and enter its IP address. 2. Select Communication and enter the activation key you created during installation. Select Initialize to establish communication. Note - Do not run the Get Version operation. Instead, specify the most recent version possible. Chapter 2 Installing the Eventia Suite 27

28 Preparing Eventia Suite on Provider-1 MDS 3. Select Close and OK. 4. Make sure that the products Eventia Reporter is enabled. 5. From the File menu, select Save. 6. From the MDG, install Global Policy on all CMAs participating with Eventia Suite. 7. For each CMA participating with Eventia Suite, open its SmartDashboard, select Policy > Install Database, and select only the Log Servers and the CMA from which you want Eventia Analyzer or Reporter to read logs. 8. From the command line of the Eventia machine run the following commands: a. syslog -r b. cpstop c. cpstart Note - Wait a couple of minutes for the objects to synchronize between the MDS and Eventia Suite. For Provider-1/SiteManager-1 Version R61 and Up 1. In Global SmartDashboard, create a Check Point Host Object, name it and enter its IP address. 2. Select Communication and enter the activation key you created during installation. Select Initialize to establish communication. Note - Do not run the Get Version operation. Instead, specify the most recent version possible. 28

29 Preparing Eventia Suite on Provider-1 MDS 3. Select Close and OK. 4. Make sure that the appropriate products (Eventia Reporter, Eventia Analyzer Server, Eventia Correlation Unit and Log Server) are enabled. 5. In the properties of the new Host object, select Log and Masters > Additional Logging Configuration, and enable the property Accept Syslog messages. 6. From the File menu, select Save. 7. From the MDG, install Global Policy on all CMAs participating with Eventia Suite. 8. For each CMA participating with Eventia Suite, open its SmartDashboard, select Policy > Install Database, and select only the Log Servers and the CMA from which you want Eventia Analyzer or Reporter to read logs. Chapter 2 Installing the Eventia Suite 29

30 Preparing Eventia Suite on Provider-1 MDS 30

31 Chapter 3 Initial Configuration In This Chapter Introduction to Initial Configuration page 32 Enabling Connectivity with Provider-1/SiteManager-1 page 33 Configuring the Eventia Suite Clients page 34 Incorporating Third-Party Devices page 39 31

32 Introduction to Initial Configuration Introduction to Initial Configuration The various Eventia Suite components require secure internal communication (SIC) with the Management Server (either a SmartCenter Server or a Provider-1/SiteManager-1 CMA). Instructions are in the section Enabling Connectivity with Provider-1/SiteManager-1 below. Once connectivity is established, install the Eventia Suite and begin to configure the system. See Configuring the Eventia Suite Clients on page 34 for details. 32

33 Enabling Connectivity with Provider-1/SiteManager-1 Enabling Connectivity with Provider-1/SiteManager-1 1. Open the Eventia Analyzer client, go to Policy tab > General Settings > Objects > Customers, and add all of the Customers with whom you will be working. Objects will be synchronized from the CMAs this may take some time. 2. Go to Policy tab > General Settings > Objects > Network Objects, and add networks and hosts that are not defined in the CMAs. 3. Go to Policy tab > General Settings > Initial Settings > Internal Network, and add the networks and hosts that are part of the Internal Network. 4. Go to Policy tab > General Settings > Initial Settings > Correlation Units, click Add... and select the Correlation Unit and its Log Servers. For traffic logs, select the relevant CLM or MLM Log Server; for audit logs, select the relevant CMA. 5. Install the Event Policy. Chapter 3 Initial Configuration 33

34 Configuring the Eventia Suite Clients Configuring the Eventia Suite Clients In This Section Installing the Eventia Suite Clients page 35 Define the Internal Network for Eventia Analyzer page 35 Creating a Consolidation Session for Eventia Reporter page 37 Defining Correlation Units and Log Servers for Eventia Analyzer page 38 The final stage of getting started with Eventia Suite is the installation and initial configuration of the Eventia Suite Clients. The workflow is as follows: 1. Install the Eventia Suite Clients 2. For Eventia Analyzer: Define the Internal Network and Correlation Units Install the Event Policy 3. For Eventia Reporter: Create Consolidation Session(s) Once you have accomplished the tasks for Eventia Analyzer, events will begin to appear in the Eventia Analyzer client. Once you have accomplished the tasks for Eventia Reporter logs will be created and sent to the Eventia Reporter database. As a result, reports can be created. 34

35 Installing the Eventia Suite Clients Installing the Eventia Suite Clients The Eventia Suite Clients are supported on Windows platforms only. To install the Eventia Suite Clients, follow these instructions: 1. Insert the Eventia Suite CD into the CD-ROM drive. 2. Under the directory \windows\cpclnt run setup.exe. 3. The Installation Wizard begins. Select Next. 4. Select the location in which to install the NGX R63 clients and select Next. 5. Choose the clients you want to install and select Next. Note - SmartView Tracker TM is used in conjunction with Eventia Analyzer. 6. Select whether or not you want to create SmartConsole shortcuts on your Desktop. 7. Select OK. 8. Select Finish. Define the Internal Network for Eventia Analyzer To help Eventia Analyzer determine whether events have originated internally or externally, the Internal Network must be defined. Certain network objects are copied from the Management Server to the Eventia Analyzer Server during the initial sync and updated afterwards periodically. Define the Internal Network from these objects. To define the Internal Network, do the following: 1. Start the Eventia Analyzer Client. 2. From the Policy view, select General Settings > Initial Settings > Internal Network. Chapter 3 Initial Configuration 35

36 Define the Internal Network for Eventia Analyzer 3. Add internal objects. Note - it is recommended to add all internal Network objects, and not Host objects. 36

37 Creating a Consolidation Session for Eventia Reporter Creating a Consolidation Session for Eventia Reporter The Consolidation session reads logs from the log server and adds them to the Eventia Reporter database. If there is a single log server connected to SmartCenter a Consolidation session will automatically be created to read newly generated logs. If there is more than one log server connected to your SmartCenter Server, a Consolidation session will already be created to read the latest logs that are added to the log sequence. When creating a Consolidation session you are determining the log server that should be used to extract information and the database table in which the consolidated information should be stored. 1. In the Selection Bar view, select Management > Consolidation. 2. Select the Sessions tab. 3. Click the Create New... button to create a new session. The New Consolidation Session - Select Log Server window appears. 4. Select the log server from which logs will be collected and will be used to generate reports. 5. Click Next. The New Consolidation Session - Select Log Files and database for consolidation session window appears. 6. Choose whether to use the default source logs and default database tables or select specific source logs and specific database tables for consolidation. If you select Select default log files and database click Finish to complete the process. This option indicates that the source of the reports will be preselected logs and all the information will be stored in the default database table named CONNECTIONS. The preselected Chapter 3 Initial Configuration 37

38 Defining Correlation Units and Log Servers for Eventia Analyzer logs are the sequence of log files that are generated by Check Point products. The preselected logs session will begin at the beginning of last file in the sequence or at the point the sequence was stopped. If you want to customize the Consolidation session refer to the Eventia Reporter User Guide. Defining Correlation Units and Log Servers for Eventia Analyzer 1. From the Policy view of the Eventia Analyzer Client, select General Settings > Initial Settings > Correlation Units. 2. Select Add. 3. Click the [...] symbol and select a Correlation Unit from the displayed window. 4. Select OK. 5. Click Add and select the Log Servers available as data sources to the Correlation Unit from the displayed window. 6. Select Save. 7. From the Actions menu, select Install Events policy. Once the Correlation Units and Log Servers are defined, and the Events Policy installed, Eventia Analyzer will begin reading logs and detecting events. To learn to manage and fine-tune the system through the Eventia Analyzer Client, see the Eventia Analyzer User Guide. 38

39 Incorporating Third-Party Devices Incorporating Third-Party Devices In This Section Syslog Devices page 39 Windows Events page 40 SNMP Traps page 43 Syslog Devices Various third-party devices use the syslog format for logging. Eventia Suite can process third-party syslog messages by reformatting the raw data. As the reformatting process should take place on Eventia machine, it is therefore recommended to enable a Log Server on one of them, and to direct all third-party syslog traffic there. Instructions are as follows: 1. On the Management Server, open SmartDashboard and edit the properties of the Eventia object. For that object only, enable the property Log Server under Check Point Products. For the purposes of this section, this object will be referred to as the syslog Log Server. 2. Open Logs and Masters > Additional Logging. 3. Enable the property Accept Syslog messages. 4. Select Policy > Install Database. 5. On the third-party device, configure syslogs to be sent to the syslog Log Server. Chapter 3 Initial Configuration 39

40 Windows Events 6. On the Management Server, enable the following rule in the Rule Base. Source Destination Service Third-party devices that issue syslog messages 7. On the Eventia Analyzer Client, add the syslog Log Server to a Correlation Unit, if not already enabled. See Defining Correlation Units and Log Servers for Eventia Analyzer on page 38 for instructions. 8. Install Event Policy on the Eventia Analyzer Server. 9. Reboot the syslog Log Server. Windows Events Introduction Check Point Windows Event Service is an application that runs as a Windows service to read Windows events, normalize the data and place them in the Check Point Log Server for processing by Eventia Analyzer. The process can only be installed on a Windows machine, though it does not have to be a machine running the Eventia Suite. This way Windows events can be processed even when Eventia Suite is installed on a different platform. How it Works syslog Log Server UDP syslog Check Point Windows Event Service is given the addresses of Windows computers that it will read and the address of a Log Server to which it will write. It reads a Windows event at a time, converts the fields of the event according to configuration files and stores the Windows event as a log in the Log Server. 40

41 Permissions Windows Events Check Point Windows Event Service is first installed as a service on the user's machine and the user provides a username and password. The username can be either that of a domain administrator of the machines whose Windows events will be read, or that of a local administrator on the machine that provides the Windows events. Check Point Windows Event Service requires trust to be established so it can communicate with the Log Server. Installation SmartDashboard 1. On the OPSEC tab, select OPSEC Applications, right click, select New > OPSEC Application. 2. Enter the name (which name?) 3. Click on New to create a Host. 4. Enter a name and the IP address of the machine that will run WinEventToCPLog, then select OK. 5. Under Client Entities, select ELA. 6. Select Communication. 7. Enter an Activation Key, repeat it in the confirmation line, and keep a record of it for later use. 8. Select Initialize. The system should report the trust state as Initialized but trust not established. 9. Select Close. 10. Select OK. 11. From the File menu, select Save. Chapter 3 Initial Configuration 41

42 Windows Events Windows Machine 12. Install the package WinEventToCPLog from the Eventia Suite CD. 13. When the installation completes, restart the machine. 14. Open a command prompt window and go to the following location: C:\Program Files\CheckPoint\WinEventToCPLog\R63\bin 15. Run the command windoweventtocplog -pull_cert a. Enter the IP address of the management server b. Enter the OPSEC Application object name you created in step 2. c. Enter the Activation Key that you used in step Restart the Check Point Windows Event Service. 17. If this machine is running a log server then install the Event Policy on this machine. SmartDashboard 18. Edit the OPSEC Application you created in step Select Communication, and verify that the trust state is Trust Established. 20. From the Policy menu, select Install Database. On Each Machine that will Send Windows Events 21. From the Start menu, select Settings > Control Panel > Administrative Tools > Local Security Policy > Local Policies > Audit Policy. 22. Make sure that the Security Setting for the Policy Audit Logon Events is set to Failure. If not, double click and select Failure. 42

43 SNMP Traps 23. Open a command prompt window and change to C:\Program Files\CheckPoint\WinEventToCPLog\ENF\WinEventToCPLog\bin 24. Run the following commands: windoweventtocplog -l <ipaddr>, where <ipaddr> is the IP address of the Log Server that will receive the Windows Events. windoweventtocplog -a <ipaddr>, where <ipaddr> is the IP address of each machine that will send Windows Events. windoweventtocplog -s, where you will be prompted for an administrator name and the administrator password that will be registered with the windoweventtocplog service. Note - When configuring windoweventtocplog so that it should read Windows events from a remote machine you need to check that the administrator that is registered with windoweventtocplog has access to the remote machine s events. A simple way to test this is to log in as the administrator and from this machine attempt to read the events from the remote machine using the Microsoft Event Viewer. SNMP Traps To convert SNMP traps to the cplog format, the machine must first be registered as a server that accepts SNMP traps. Run the following commands on an Eventia machine: 1. snmptraptocplog -r 2. For each machine from which you want to read SNMP traps, run the command snmptraptocplog -a IPaddress. 3. cpstop 4. cpstart Chapter 3 Initial Configuration 43

44 SNMP Traps 44

45 Chapter 4 Upgrading Eventia To upgrade the Eventia Suite, see the Upgrade Guide available in the Docs directory of your installation CD. 45

46 46

47 THIRD PARTY TRADEMARKS AND COPYRIGHTS Entrust is a registered trademark of Entrust Technologies, Inc. in the United States and other countries. Entrust s logos and Entrust product and service names are also trademarks of Entrust Technologies, Inc. Entrust Technologies Limited is a wholly owned subsidiary of Entrust Technologies, Inc. FireWall-1 and SecuRemote incorporate certificate management technology from Entrust. Verisign is a trademark of Verisign Inc. The following statements refer to those portions of the software copyrighted by University of Michigan. Portions of the software copyright Regents of the University of Michigan. All rights reserved. Redistribution and use in source and binary forms are permitted provided that this notice is preserved and that due credit is given to the University of Michigan at Ann Arbor. The name of the University may not be used to endorse or promote products derived from this software without specific prior written permission. This software is provided as is without express or implied warranty. Copyright Sax Software (terminal emulation only). The following statements refer to those portions of the software copyrighted by Carnegie Mellon University. Copyright 1997 by Carnegie Mellon University. All Rights Reserved. Permission to use, copy, modify, and distribute this software and its documentation for any purpose and without fee is hereby granted, provided that the above copyright notice appear in all copies and that both that copyright notice and this permission notice appear in supporting documentation, and that the name of CMU not be used in advertising or publicity pertaining to distribution of the software without specific, written prior permission.cmu DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE, INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS, IN NO EVENT SHALL CMU BE LIABLE FOR ANY SPECIAL, INDIRECT OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. The following statements refer to those portions of the software copyrighted by The Open Group. THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE OPEN GROUP BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. Check Point Software Technologies Ltd. U.S. Headquarters: 800 Bridge Parkway, Redwood City, CA 94065, Tel: (650) Fax: (650) , info@checkpoint.com International Headquarters: 3A Jabotinsky Street, Ramat Gan, 52520, Israel, Tel: Fax: ,

48 The following statements refer to those portions of the software copyrighted by The OpenSSL Project. This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit ( THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. The following statements refer to those portions of the software copyrighted by Eric Young. THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. Copyright 1998 The Open Group. The following statements refer to those portions of the software copyrighted by Jean-loup Gailly and Mark Adler Copyright (C) Jean-loup Gailly and Mark Adler. This software is provided 'asis', without any express or implied warranty. In no event will the authors be held liable for any damages arising from the use of this software. Permission is granted to anyone to use this software for any purpose, including commercial applications, and to alter it and redistribute it freely, subject to the following restrictions: 1. The origin of this software must not be misrepresented; you must not claim that you wrote the original software. If you use this software in a product, an acknowledgment in the product documentation would be appreciated but is not required. 2. Altered source versions must be plainly marked as such, and must not be misrepresented as being the original software. 3. This notice may not be removed or altered from any source distribution. The following statements refer to those portions of the software copyrighted by the Gnu Public License. This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.you should have received a copy of the GNU General Public License along with this program; if not, write to the Free Software Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. 48

49 The following statements refer to those portions of the software copyrighted by Thai Open Source Software Center Ltd and Clark Cooper Copyright (c) 2001, 2002 Expat maintainers. Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions: The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software. THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. GDChart is free for use in your applications and for chart generation. YOU MAY NOT re-distribute or represent the code as your own. Any re-distributions of the code MUST reference the author, and include any and all original documentation. Copyright. Bruce Verderaime. 1998, 1999, 2000, Portions copyright 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002 by Cold Spring Harbor Laboratory. Funded under Grant P41-RR02188 by the National Institutes of Health. Portions copyright 1996, 1997, 1998, 1999, 2000, 2001, 2002 by Boutell.Com, Inc. Portions relating to GD2 format copyright 1999, 2000, 2001, 2002 Philip Warner. Portions relating to PNG copyright 1999, 2000, 2001, 2002 Greg Roelofs. Portions relating to gdttf.c copyright 1999, 2000, 2001, 2002 John Ellson (ellson@graphviz.org). Portions relating to gdft.c copyright 2001, 2002 John Ellson (ellson@graphviz.org). Portions relating to JPEG and to color quantization copyright 2000, 2001, 2002, Doug Becker and copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, Thomas G. Lane. This software is based in part on the work of the Independent JPEG Group. See the file README-JPEG.TXT for more information. Portions relating to WBMP copyright 2000, 2001, 2002 Maurice Szmurlo and Johan Van den Brande. Permission has been granted to copy, distribute and modify gd in any context without fee, including a commercial application, provided that this notice is present in user-accessible supporting documentation. This does not affect your ownership of the derived work itself, and the intent is to assure proper credit for the authors of gd, not to interfere with your productive use of gd. If you have questions, ask. "Derived works" includes all programs that utilize the library. Credit must be given in user-accessible documentation. This software is provided "AS IS." The copyright holders disclaim all warranties, either express or implied, including but not limited to implied warranties of merchantability and fitness for a particular purpose, with respect to this code and accompanying documentation. Although their code does not appear in gd 2.0.4, the authors wish to thank David Koblas, David Rowley, and Hutchison Avenue Software Corporation for their prior contributions. Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at licenses/license-2.0 The curl license COPYRIGHT AND PERMISSION NOTICE Copyright (c) , Daniel Stenberg, <daniel@haxx.se>.all rights reserved. Permission to use, copy, modify, and distribute this software for any purpose with or without fee is hereby granted, provided that the above copyright 49

50 notice and this permission notice appear in all copies. THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. Except as contained in this notice, the name of a copyright holder shall not be used in advertising or otherwise to promote the sale, use or other dealings in this Software without prior written authorization of the copyright holder. The PHP License, version 3.0 Copyright (c) The PHP Group. All rights reserved. Redistribution and use in source and binary forms, with or without modification, is permitted provided that the following conditions are met: 1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. 2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. 3. The name "PHP" must not be used to endorse or promote products derived from this software without prior written permission. For written permission, please contact group@php.net. 4. Products derived from this software may not be called "PHP", nor may "PHP" appear in their name, without prior written permission from group@php.net. You may indicate that your software works in conjunction with PHP by saying "Foo for PHP" instead of calling it "PHP Foo" or "phpfoo" 5. The PHP Group may publish revised and/or new versions of the license from time to time. Each version will be given a distinguishing version number. Once covered code has been published under a particular version of the license, you may always continue to use it under the terms of that version. You may also choose to use such covered code under the terms of any subsequent version of the license published by the PHP Group. No one other than the PHP Group has the right to modify the terms applicable to covered code created under this License. 6. Redistributions of any form whatsoever must retain the following acknowledgment: "This product includes PHP, freely available from < THIS SOFTWARE IS PROVIDED BY THE PHP DEVELOPMENT TEAM ``AS IS'' AND ANY EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE PHP DEVELOPMENT TEAM OR ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR 50