How to configure the External Security Log Server on Locally Managed SMB appliances
Follow these steps:
- Connect with SmartDashboard to Security Management Server / Domain Management Server.
Create a new Security Gateway object for the appliance:
- In Network Objects, right-click on Check Point - go to Check Point - click on Security Gateway/Management...
- Select Wizard Mode.
On the General Properties page:
- Enter the Gateway Name exactly as it is configured on the Gateway.
- In Gateway platform, select "Other".
- Enter the Gateway IP address.
- Click on Next.
On the Trusted Communication page:
- Select "Skip and initiate trusted communication later" - click on "Next".
- Click on "Finish".
- Click on "Save" to save the changes (or go to File menu - click on Save).
- The new Gateway object should appear in Network Objects.
Open the appliance's object - click on Communication...:
- Select platform Small Office Appliance
- Select "Initiate trusted communication securely by using a one-time password"
- Select "Initiate trusted communication automatically when the Gateway connects to the Security Management server for the first time"
- Click on "OK"
- Save the changes (go to File menu - click on Save).
Get the Management Server's SIC name:
- Connect to the command line on the Security Management Server / Multi-Domain Security Management Server.
- Login to Expert mode.
On the Multi-Domain Security Management Server, switch to the context of the involved Domain Management Server:
[Expert@HostName:0]# mdsenv <Name of Domain Management Server>
Get the SIC name:
[Expert@HostName:0]# $CPDIR/bin/cpprod_util CPPROD_GetValue SIC MySICname 0
Copy the entire string.
Configure the External Security Log Server in the appliance's WebUI:
- Connect to the appliance's WebUI and log in.
- Go to Logs & Monitoring tab - in the left pane, click on Log Servers
- In the "External Security Log Server - not configured" line, click on Configure...
Configure the External Security Log Server:
- Enter the IP address of the Security Management Server / Domain Management Server.
- Enter the Management Server's SIC name.
- Enter the SIC password.
- Click on Apply.
A message should appear in SmartDashboard that SIC was established with the appliance.
Connect with SmartView Tracker to the Security Management Server / Domain Management Server and verify that logs are received from the appliance.
If the connection between the Gateway and the Management Server does not succeed, the following error may appear on the Gateway:
Unable to connect to Log Server. Exit Code 1
What to check:
- Run the CPCA debug on the Management Server:
[Expert@HostName:0]# fw debug cpca on TDERROR_ALL_ALL=5
- Follow the debug output:
[Expert@HostName:0]# tail -f $FWDIR/log/cpca.elg
- Search the output for "common name is missing in dn". This message means that the Gateway object name does not match the name in the Gateway's certificate, or that the certificate is invalid.
- To fix it, reinitialize the Gateway's Internal CA and create a Gateway object with the same name as the physical Gateway.
- Verify that the Gateway object name is now identical to the name that is configured on the physical Gateway.
- Reinitialize the SIC between the locally managed Gateway and the Management Server.
- On the Management Server, check the CPCA debug output again and look for "cert status is now valid".
- Turn off the debug:
[Expert@HostName:0]# fw debug cpca off TDERROR_ALL_ALL=0
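The two messages above are the markers to look for in cpca.elg. The following shell script is an added example, not part of the original article: it scans a cpca.elg file for those markers and reports the SIC state, with the last marker in the file winning so that a failed attempt followed by a successful re-initialization is reported as valid. The gateway name "SMB-GW-01", the address 192.0.2.10 and the sample log lines are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original article): classify a gateway's SIC state
# from $FWDIR/log/cpca.elg after "fw debug cpca on TDERROR_ALL_ALL=5" has been
# enabled on the Management Server. Only the two marker phrases the article
# names are inspected; the rest of each line is ignored.
#
# Usage: check_cpca_log <path to cpca.elg> <Gateway object name>
# Return codes: 0 = "cert status is now valid" (SIC established)
#               1 = "common name is missing in dn" (object name / certificate mismatch)
#               2 = neither marker present yet
check_cpca_log() {
    awk -v gw="$2" '
        # the last marker seen wins: a failed attempt followed by a successful
        # re-initialization is reported as valid
        /common name is missing in dn/ { state = "mismatch" }
        /cert status is now valid/     { state = "valid" }
        END {
            if (state == "valid") {
                print "cpca: cert status valid - SIC with " gw " established; verify logs in SmartView Tracker"
                exit 0
            }
            if (state == "mismatch") {
                print "cpca: common name missing in DN - Gateway object name must equal the name configured on " gw "; fix the object name and reinitialize SIC"
                exit 1
            }
            print "cpca: no SIC marker for " gw " yet - keep the debug on and retry the SIC initialization"
            exit 2
        }' "$1"
}

# Constructed sample (not real cpca.elg output): a first attempt that failed on
# the name mismatch, then a successful attempt after the object was renamed.
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
[cpca] request from 192.0.2.10: common name is missing in dn
[cpca] request from 192.0.2.10: cert status is now valid
EOF
check_cpca_log "$SAMPLE_LOG" "SMB-GW-01" || true
rm -f "$SAMPLE_LOG"
```

Point the function at the real $FWDIR/log/cpca.elg on the Management Server (in Expert mode, while the debug is on) to get the same verdict for a live SIC attempt.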
This solution has been verified for the specific scenario, described by the combination of Product, Version and Symptoms. It may not work in other scenarios.