R80 SmartEvent Server supplement for IBM QRadar
Solution

Check Point SmartView and IBM QRadar Integration

The integration of Check Point SmartView and IBM QRadar delivers network data and security events from Check Point appliances to QRadar, providing real-time threat information in the QRadar console. This integration significantly speeds up analysis by making the analysis functions of both QRadar and Check Point SmartEvent available in a single QRadar console. Security analysts also benefit from SmartEvent's internal aggregation functions, which summarize Check Point logs into easy-to-read event data. A security analyst with full access to QRadar and SmartEvent can fine-tune Check Point protections directly from the SmartEvent-QRadar integration toolset.

Note: This supplement is included starting from R80.10.

Table of Contents

  • System Requirements and Prerequisites
  • Usage
  • Check Point SmartView supplement installation instructions
  • Check Point's Server configuration
  • Documentation

 

System Requirements and Prerequisites

  • IBM Security QRadar Log Manager, version 7.2.6 and higher
  • Check Point R80 SmartEvent Server, and the Check Point SmartView supplement
  • Check Point Security Management Server or Multi-Domain Management Server, version R77 or higher
  • SmartView for QRadar installed on the QRadar machine

 

Usage

From the QRadar tab, open the Check Point features:

  • Check Point tab - Graphical security overview of important attacks, allowed high risk applications, infected machines, and quick access to the Check Point SmartView portal

  • Search in Check Point SmartView - Click on a Log Activity or Offense to drill down for advanced investigation with Check Point SmartEvent features

 

Check Point SmartView supplement installation instructions

Before you install this application:

  • Make sure the IBM QRadar server is connected to a Check Point Log Server to read logs
  • Make sure the Check Point R80 SmartEvent server is connected to a Check Point Log Server to read logs
  • Make sure you have Admin permission for IBM QRadar

Procedure:

  1. Configure your R80 machine as SmartEvent Server:

    • In the First Time Configuration Wizard Products page, select Log Server/SmartEvent only.
    • In the Secure Internal Communication (SIC) page, define the Activation Key. Use this key to configure the dedicated server for SmartEvent object in SmartConsole.
  2. Install the supplement on this R80 SmartEvent Server (it is already included in the R80.10 version):

    1. Contact Check Point Support to get this package.
      A Support Engineer will make sure the package is compatible with your environment before providing the package.
      For faster resolution and verification, please collect CPinfo files from the Security Management Server and SmartEvent Server involved in the case.

    2. Procedure:

      Note: In a Management HA environment, this procedure must be performed on both Management Servers.

      • On Gaia OS - using CPUSE:

        Refer to sk92449: CPUSE - Gaia Software Updates (including Gaia Software Updates Agent):

        • Section "(4-A-c)" / "(4-A-d)" - refer to import instructions for Offline procedure
        • Section "(4-B-a)" - refer to installation instructions for Hotfixes

        Note: Reboot is required.

      • On Gaia OS - using Legacy CLI:

        1. Transfer the hotfix package to the machine (into some directory, e.g., /some_path_to_fix/).

        2. Unpack and install the hotfix package:

          [Expert@HostName:0]# cd /some_path_to_fix/
          [Expert@HostName:0]# tar -zxvf ReportingServer_<HOTFIX_NAME>.tgz
          [Expert@HostName:0]# ./ReportingServer_<HOTFIX_NAME>

          Note: The script will stop all Check Point services (cpstop) - read the output on the screen.
        3. Reboot the machine.

 

Check Point's Server configuration

If Check Point App for QRadar does not work, then follow these steps:

  1. Connect to command line on R80 SmartEvent Server.

  2. Log in to Expert mode.

  3. Back up the current /web/conf/extra/httpd2-smartview.conf file:

    [Expert@HostName:0]# cp -v /web/conf/extra/httpd2-smartview.conf /web/conf/extra/httpd2-smartview.conf_ORIGINAL
  4. Edit the current /web/conf/extra/httpd2-smartview.conf file:

    [Expert@HostName:0]# vi /web/conf/extra/httpd2-smartview.conf
  5. Change this line:

    from:
    Header always set X-Frame-Options SAMEORIGIN
    to:
    Header always set Content-Security-Policy "default-src 'self' 'unsafe-inline' 'unsafe-eval';connect-src https: http: wss:; img-src 'self' data:; frame-ancestors 'self' https://<IP/Hostname>;"
  6. Save the changes and exit from Vi editor.

  7. Restart the httpd2 daemon:

    [Expert@HostName:0]# tellpm process:httpd2
    [Expert@HostName:0]# tellpm process:httpd2 t
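
Added example (not part of the Check Point article or its package): steps 3 to 5 as a shell function that refuses anything but a single plain host in frame-ancestors, plus a check on the saved file. The function names, the host validation, the sample hostname and the demo file are assumptions; the demo edits a constructed temp file, not the real configuration.

```shell
#!/bin/sh
# Added example, not Check Point's code; function names are hypothetical.
OLD_LINE='Header always set X-Frame-Options SAMEORIGIN'
TRIM='{ l = $0; gsub(/^[ \t]+|[ \t]+$/, "", l) }'   # awk: l = line without edge blanks

# swap_frame_policy CONF HOST: steps 3-5 for one allowed framing host.
swap_frame_policy() {
    conf=$1 host=$2
    [ -f "$conf" ] || { echo "no such file: $conf" >&2; return 1; }
    # Only a plain hostname or IPv4 address: no wildcard, scheme or extra source.
    case $host in
        ''|*[!A-Za-z0-9.-]*) echo "bad host: $host" >&2; return 2 ;;
    esac
    # The procedure replaces one line; anything else means the file differs.
    count=$(OLD="$OLD_LINE" awk "$TRIM"' l == ENVIRON["OLD"] { n++ } END { print n + 0 }' "$conf")
    [ "$count" -eq 1 ] || { echo "expected 1 match, found $count" >&2; return 3; }
    # Step 3: back up, without overwriting an earlier backup.
    [ -e "${conf}_ORIGINAL" ] || cp -p "$conf" "${conf}_ORIGINAL" || return 4
    csp="default-src 'self' 'unsafe-inline' 'unsafe-eval';connect-src https: http: wss:; img-src 'self' data:; frame-ancestors 'self' https://$host;"
    tmp="$conf.tmp.$$"
    # Step 5: write the new directive in place of the old one.
    OLD="$OLD_LINE" NEW="Header always set Content-Security-Policy \"$csp\"" \
        awk "$TRIM"' l == ENVIRON["OLD"] { print ENVIRON["NEW"]; next } { print }' \
        "$conf" > "$tmp" || { rm -f "$tmp"; return 5; }
    cat "$tmp" > "$conf" && rm -f "$tmp"   # cat keeps the file's owner and mode
}

# frame_policy_ok CONF HOST: the check to run after saving (step 6).
frame_policy_ok() {
    ! grep -q 'X-Frame-Options' "$1" &&
        [ "$(grep -c 'Content-Security-Policy' "$1")" -eq 1 ] &&
        grep -Fq "frame-ancestors 'self' https://$2;\"" "$1"
}

# Demo on a constructed file; the real one is /web/conf/extra/httpd2-smartview.conf.
demo=$(mktemp -d)
printf '%s\n' '<VirtualHost *:443>' "    $OLD_LINE" '</VirtualHost>' > "$demo/smartview.conf"
swap_frame_policy "$demo/smartview.conf" qradar.example.com &&
    frame_policy_ok "$demo/smartview.conf" qradar.example.com &&
    grep 'Content-Security-Policy' "$demo/smartview.conf"
rm -rf "$demo"
```

The httpd2 restart in step 7 is still required afterwards; this sketch only edits and checks the file.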

 

Documentation

Applies To:
  • 02076805 , 02452875 , 02509127
