How to configure an R80/R80.x SmartEvent Server with an R77.x Security Management
Solution

Table of Contents:

  • Demo of R80 SmartEvent Server managed by an R77.30 Security Management Server
  • Background
  • Installing a Dedicated SmartEvent Server
  • Configuring the SmartEvent components in the First Time Configuration Wizard
  • Connecting R80/R80.x SmartEvent to R77.xx Security Management Server
  • Connecting R80/R80.x SmartEvent to R77.xx Multi-Domain Server
  • Limitations

Demo of R80 SmartEvent Server managed by an R77.30 Security Management Server

Background

SmartEvent Server is integrated with the Security Management Server architecture. It communicates with Security Management Log Servers to read and analyze logs.

You can enable SmartEvent on the Security Management Server or deploy it as a dedicated server. You can deploy R80/R80.x SmartEvent on a dedicated server and connect it to Security Management Servers or Multi-Domain Servers of version R77.xx. This lets you extend an R77.xx environment with the new capabilities of R80/R80.x SmartEvent.

Installing a Dedicated SmartEvent Server

  1. Download the installation ISO file:
    1. For R80 - from sk108623.
    2. For R80.10 - from sk111841.
    3. For R80.20 - from sk122485.
    4. For R80.20.M1 - from sk123473.
    5. For R80.20.M2 - from sk123473.
  2. Install the ISO on a Check Point Smart-1 appliance or an Open Server. Allocate sufficient partition size:
    • Root partition: at least 20 GB
    • Logs partition: more than the size allocated for the root partition and backup (set the maximum possible), to let the server keep a long history.
  3. When prompted, reboot.

Configuring the SmartEvent components in the First Time Configuration Wizard

Configure the SmartEvent components on a Smart-1 appliance, or on an Open Server.

  1. Connect to the Gaia Portal on the SmartEvent Server: https://<IP Address of the SmartEvent Server>
  2. Run the First Time Configuration Wizard. For details, see the Installation and Upgrade Guide (R80, R80.10).
  3. On the Installation Type page, select "Security Management".
  4. On the Products page:
    • When installing on a Smart-1 appliance, select Dedicated Server and SmartEvent.
    • When installing on an Open Server, select "Log Server / SmartEvent" only.
  5. Install the R80/R80.x SmartConsole GUI client. The R80/R80.x SmartConsole has the Logs & Monitor catalog of views, which includes the views in the SmartEvent GUI.

Connecting R80/R80.x SmartEvent to R77.xx Security Management Server

This procedure explains how to configure a dedicated server for these components:

  • SmartEvent Server and Correlation Unit
  • SmartEvent Correlation Unit

To connect R80/R80.x SmartEvent Server and Correlation Unit to an R77.xx Security Management Server:

  1. Connect over SSH to the SmartEvent Server.
  2. Run this script: $RTDIR/scripts/SmartEvent_R80_change_dbsync_mode.sh
  3. Wait until the script has finished running. This is when cpstart has finished and you have a prompt.
  4. Run: cpconfig
  5. Select (2) Administrator to configure the SmartEvent Server administrators.
    Note: Administrators that are configured in R77.xx SmartDashboard cannot manage the R80/R80.x SmartEvent Server.
  6. Open the R77.xx SmartDashboard.
  7. Create a Check Point Host object for the SmartEvent Server R80/R80.x.
  8. Establish a SIC trust between the Security Management Server and the new server for SmartEvent R80/R80.x.
  9. Define it with the highest version available and ignore the Warning message.
  10. For a dedicated SmartEvent Correlation Unit that is not a SmartEvent Server: in the "Logs" page, click "Enable Log Indexing".
  11. In the "Check Point Host" object, on the "Management" tab, enable these Software Blades:
    • Logging & Status
    • SmartEvent Server (if applicable)
    • SmartEvent Correlation Unit
  12. Click "OK".
  13. Go to the "File" menu > "Policies" menu > click on "Install Database" (make sure to select all objects).
  14. Wait until the server synchronizes and loads SmartEvent.
  15. Advanced Configuration for a dedicated SmartEvent Server that is also a Correlation Unit:
    1. Open the R80/R80.x SmartConsole to the IP address of the SmartEvent Server:
      1. In SmartConsole, on the Navigation Toolbar click "LOGS & MONITOR", then click "+" to open a catalog (new tab).
      2. Click "SmartEvent Settings & Policy".
    2. On the "Policy" tab, click "Correlation Units" and define a SmartEvent Correlation Unit object.
    3. Select the production Log Servers and local Log Server on the SmartEvent Server that will send logs to the SmartEvent Correlation Unit.
    4. On the "Policy" tab, click "Internal Network" and define the internal Network.
    5. For R77.30 Gateways and lower: Optional - Enable the Network Activity report.
      The Network Activity report gives information about Firewall connections. For example, top sources, destinations, and services. To create this report, SmartEvent must make an index of the Firewall logs.
      To enable this report, on the SmartEvent GUI Policy tab, select and enable "Consolidated Sessions" > "Firewall Session".
      Note: This configuration increases the number of events a day by five. This can have a performance effect.
    6. Click "Save".
    7. Install the Event Policy on the SmartEvent Correlation Unit: "SmartEvent" menu > "Actions" > "Install Event Policy".

Connecting R80/R80.x SmartEvent to R77.xx Multi-Domain Server

You can connect R80/R80.x SmartEvent components to one or more Domains in an R77.xx Multi-Domain Security Management environment.

This procedure explains how to configure a dedicated server for these components:

  • SmartEvent Server and Correlation Unit
  • SmartEvent Correlation Unit

Configure SmartEvent to read logs from one domain or a number of domains.

To connect R80/R80.x SmartEvent Server and Correlation Unit to an R77.xx Multi-Domain Server:

  1. Connect over SSH to the Correlation Unit Server.
  2. Run this script: $RTDIR/scripts/SmartEvent_R80_change_dbsync_mode.sh
  3. Run cpstart and wait until the script has finished running. This is when cpstart has finished and you have a prompt.
  4. Open R77.xx SmartConsole for Multi-Domain Security.
  5. Enable SmartLog on all Domain Log Servers.
  6. Log in to the global Domain.
  7. Create a Check Point Host object for the dedicated server for SmartEvent Server R80/R80.x. Define it with the highest version possible, and ignore the Warning message.
  8. In the "Check Point Host" object, go to the "Management" pane and select these Management Blades:
    • Logging & Status
    • SmartEvent Server (if applicable)
    • SmartEvent Correlation Unit
  9. Initialize SIC between the Multi-Domain Server and the new server for SmartEvent R80/R80.x.
  10. For a dedicated SmartEvent Correlation Unit that is not a SmartEvent Server: on the "Logs" page, click "Enable Log Indexing".
  11. Click "OK".
  12. Click "Save".
  13. Reassign the Global Policy for the Domains that use SmartEvent. For new Domains, create a new global assignment.
  14. In each Domain Management Server, open SmartConsole.
  15. Go to "Menu", click "Install Database" - select each Multi-Domain Server and Domain Log Server.
  16. Wait until the server synchronizes and loads SmartEvent.
  17. Advanced Configuration for a dedicated SmartEvent Server that is also a Correlation Unit:
    1. Open R80/R80.x SmartConsole.
    2. Launch the SmartEvent GUI client.
      1. On the Navigation Toolbar, click "LOGS & MONITOR", click on "+" to open a catalog (new tab).
      2. Click the "SmartEvent Settings & Policy" link.
        Note: The primary GUI application is the R80/R80.x SmartConsole. With R80/R80.x, some configurations can be done only in the SmartEvent GUI client.
    3. If SmartEvent is connected to a Multi-Domain Server, then on the "Policy" tab > "Domains", define the required domains to connect to.
    4. On the "Policy" tab > "Correlation Units", define a Correlation Unit object.
    5. Select the production Log Servers and local log server on the SmartEvent Server to read logs from.
    6. On the "Policy" tab > "Internal Network", define the internal Network.
    7. For R77.xx and lower Gateways: Optional - Enable the Network Activity report.
      The Network Activity report gives information about Firewall connections. For example, top sources, destinations, and services. To create this report, SmartEvent must make an index of the Firewall logs.
      To enable this report, on the SmartEvent GUI Policy tab, select and enable "Consolidated Sessions" > "Firewall Session".
      Note: This configuration increases the number of events a day by five. This can have a performance effect.
    8. Click "Save".
    9. Install the Event Policy on the Correlation Unit: "SmartEvent" menu > "Actions" > "Install Event Policy".

 

Limitations

  • Upgrade from SmartEvent NGSE to R80/R80.x is not supported.
  • When connecting R80 SmartEvent to an R77.30 Security Management Server, only local administrators (that are configured using cpconfig) are supported. (SmartDashboard administrators can manage R80 SmartEvent since sk111536 - Jumbo Hotfix Accumulator for R80 Take 29.)
  • Several SmartEvent reports are accessible only for administrators that have Identity permissions.
  • R80 SmartConsole is required to manage an R80 SmartEvent Server. If the R80 SmartEvent Server reads logs from an R77.xx Log Server (either a dedicated Log Server, or on the Security Management Server), packet capture from the R80 SmartConsole does not work. Use the R80 SmartEvent GUI for packet capture.
  • R80/R80.x SmartEvent cannot also be the Log Server (when the management version is lower than R80), since the Log Server and the management must be on the same version (see sk42080).

Notes:

  • Make sure that clocks are synchronized on all the machines in the environment.

Required information in case the issue persists:

Debug of the relevant processes:

Run the SmartEvent debug from sk105806:

  1. Start the debug:
    # SmartEventSetDebugLevel all trace

  2. Let it run for 5 minutes.

  3. Stop the debug:
    # SmartEventSetDebugLevel all off

  4. Collect the debug output files:
    # SmartEventCollectLogs --full --system_stats

    The default output file is /var/log/CollectSmartEventLogsOut/AllSmartEvent.out.tar or /var/log/re/AllSmartEvent.out.tgz

Additional Information:

  1. Make sure that dbsync mode is pre-R80 and provide the following output:
    # grep -i dbsync_mode $CPDIR/registry/HKLM_registry.data

  2. The $FWDIR/log/dbsync.log file from the Security Management Server
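
The debug steps and the dbsync_mode check above, wrapped so that the trace debug is switched off even if the SSH session is interrupted. This is an added example, not a Check Point script and not part of the original solution. It assumes Expert mode on the SmartEvent Server, that the registry check is run on that same server, and that sha256sum is available there; the function names and the --run switch are made up for the example.

```shell
#!/bin/sh
# Added example, not Check Point code. Assumes Expert mode on the SmartEvent
# Server, where the SmartEvent* commands shown on this page are available.

DEBUG_SECONDS="${DEBUG_SECONDS:-300}"   # step 2: let the debug run 5 minutes

# Print the first existing path among the arguments; fail if none exists.
first_existing() {
    for f in "$@"; do
        if [ -f "$f" ]; then printf '%s\n' "$f"; return 0; fi
    done
    return 1
}

# Steps 1-4. The body is a subshell so the traps stay local to the capture.
# Optional arguments: candidate archive paths (default: the two on this page).
run_debug_capture() (
    [ "$#" -gt 0 ] || set -- \
        /var/log/CollectSmartEventLogsOut/AllSmartEvent.out.tar \
        /var/log/re/AllSmartEvent.out.tgz
    trap 'exit 130' INT TERM HUP                   # interrupted session
    trap 'SmartEventSetDebugLevel all off' EXIT    # never leave trace on
    SmartEventSetDebugLevel all trace || exit 1    # step 1
    sleep "$DEBUG_SECONDS"                         # step 2
    SmartEventSetDebugLevel all off || exit 1      # step 3
    trap - EXIT
    SmartEventCollectLogs --full --system_stats >&2 || exit 1   # step 4
    out=$(first_existing "$@") || { echo "no output archive found" >&2; exit 1; }
    # Additional Information, item 1: save the dbsync_mode line beside it.
    reg="${CPDIR:-}/registry/HKLM_registry.data"
    if [ -r "$reg" ]; then
        grep -i dbsync_mode "$reg" > "$out.dbsync_mode.txt" || true
    fi
    sha256sum "$out"    # digest to quote when handing the archive to support
)

# Run only when called as: sh capture.sh --run   (file name is hypothetical)
if [ "${1:-}" = "--run" ]; then run_debug_capture; fi
```

An archive left at the same path by an earlier run is picked up just the same, so check its timestamp before sending it.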

 

 

 

This solution has been verified for the specific scenario, described by the combination of Product, Version and Symptoms. It may not work in other scenarios.
