LEA/DXL Connector for McAfee ePO Integration
Solution ID: sk116678
Product: Threat Emulation, Anti-Bot, Anti-Virus
Version: R77.30, R80, R80.10
OS: Windows
Platform / Model: Intel/PC
Date Created: 18-May-2017
Last Modified: 06-Oct-2020
Solution
Table of Contents:
Overview
Installation
Advanced Configuration
Troubleshooting
Example McAfee Remediation Workflow Configuration
Uninstall
(1) Overview
The Check Point LEA/DXL Connector, combined with the Check Point Plug-in for McAfee ePO, integrates the Check Point Threat Prevention Blades with McAfee ePO over the McAfee Data Exchange Layer (DXL).
The connector establishes an OPSEC LEA (Log Extraction API) connection with the Check Point Log Server and, by default, receives logs from the following Blades:
Threat Emulation
Anti-Bot
Anti-Virus
Check Point logs that contain information on detected threats are processed and published to preconfigured DXL subjects. The following subjects are used by default:
/open/threat/fw/checkpoint/antibot for Anti-Bot logs (any severity)
/open/threat/fw/checkpoint/threatemulation for Anti-Virus and Threat Emulation logs (malicious files only)
(2) Installation
Configure the McAfee ePO Server:
Install the McAfee ePO plug-in:
Download the Check Point Plug-in for McAfee ePO Server:
Package: Check Point Plug-in for McAfee ePO Server (v1.0) (ZIP)
On the ePO Server:
Navigate to Software > Extensions.
Click Install Extension and upload the Check Point Plug-in to the McAfee ePO Server.
Start the installation by clicking OK at the bottom-right corner of the ePO Server GUI.
Define the Connector User:
Define a new, non-administrator user, to be used later with the LEA/DXL Connector.
Navigate to User Management > Users.
Click New User.
Under Manually assigned permission sets, choose Selected permission sets.
Click Save.
Create a Permission Set for the Connector User:
Navigate to User Management > Permission Sets.
Click New Permission Set, and create a permission set with any name.
Click Save.
Edit the newly-created permission set by selecting it from the Permission Sets list.
On the right-hand pane, find the CheckPoint permission and click Edit.
Choose Run Permission for CheckPoint Command and Queries.
Click Save.
Install the LEA/DXL Connector:
Packages:
Check Point LEA/DXL Connector for Windows - Full Installation (v1.0) (EXE)
Check Point LEA/DXL Connector for Windows - Core Installation (*) (v1.0) (MSI)
Check Point LEA/DXL Connector for Windows - Manual Installation (*) (v1.0)
On a Windows-based machine, download and run the Check Point LEA/DXL Connector installer (Auto/Core).
The installer initializes communication with the McAfee ePO Server based on the Connector User credentials defined above, as well as Secure Internal Communication (SIC) with the Check Point Management Server.
Note: SIC and ePO connectivity must be established for the installation to complete successfully. See the "Manual Installation" section below to initialize these components manually.
Step 1: You must create an OPSEC LEA object in Check Point SmartConsole / SmartDashboard to be initialized during the installation:
Connect with SmartConsole to Security Management Server / Domain Management Server.
Go to the Objects menu - click on the Object Explorer.
In the Object Explorer, in the left tree, click on the Servers.
At the top, click on the New... button - go to the Server menu - go to the OPSEC Application menu - click on the Application... menu.
On the General tab:
In the Name: field, enter the desired name for this object.
In the Host: field, select the Host object that represents the machine on which the Connector will be installed. If such a Host object does not exist yet, click on the New... button and create it.
In the Vendor: field, select the User defined option.
In the Client Entities section, check the box LEA.
At the bottom, click on the Communication... button.
Enter a one-time-password and click on the Initialize button.
Note: SIC trust will be established by connecting from the host running the Check Point LEA/DXL Connector installer to the Check Point Management Server over TCP port 18210 (which is covered by the predefined Check Point service 'FW1_ica_pull'). Logs will be withdrawn from the Log Server over TCP port 18184 (which is covered by the predefined Check Point service 'FW1_lea'). Your Firewall policy must allow these connections for the Check Point LEA/DXL Connector to function.
On the LEA Permissions tab:
Select Show all log fields.
Click on OK.
Close the Object Explorer window.
Go to the main Application Menu - click on the Publish session.
Go to the main Application Menu - click on the Install database....
Connect with SmartDashboard to Security Management Server / Domain Management Server.
Go to the Manage menu - click on the Servers and OPSEC Applications....
Click on the New... button - click on the OPSEC Application.
On the General tab:
In the Name: field, enter the desired name for this object.
In the Host: field, select the Host object that represents the machine on which the Connector will be installed. If such a Host object does not exist yet, click on the New... button and create it.
In the Vendor: field, select the User defined option.
In the Client Entities section, check the box LEA.
At the bottom, click on the Communication... button.
Enter a one-time-password and click on the Initialize button.
Note: SIC trust will be established by connecting from the host running the Check Point LEA/DXL Connector installer to the Check Point Management Server over TCP port 18210 (which is covered by the predefined Check Point service 'FW1_ica_pull'). Logs will be withdrawn from the Log Server over TCP port 18184 (which is covered by the predefined Check Point service 'FW1_lea'). Your Firewall policy must allow these connections for the Check Point LEA/DXL Connector to function.
On the LEA Permissions tab:
Select Show all log fields.
Click on OK.
Click on the Close button in the Servers and OPSEC Applications window.
Go to the Policy menu - click on the Install Database... - select the Security Management Server / Domain Management Server object.
Step 2: Run the Check Point LEA/DXL Connector installer:
Run the installer, and follow the installation steps. Click Help for assistance during the installation.
Once successfully installed, the LEA/DXL Connector automatically launches in the background and withdraws, processes, and publishes logs as described in the Overview above.
Manual Installation (requires Python 2.x and Microsoft .NET Framework 4 Client Profile)
On a Windows machine, download and extract the LEA/DXL Connector manual installation archive to a location of your choice.
Initialize SIC with Check Point Management Server by running the LEACON\wizard.py script.
Specify the ePO credentials in the DXLCON\epo.conf file.
Install the Connector service:
cpdxlsrv.exe /i
Start the service:
net start cpdxlsrv
Verify the state of the service:
sc query cpdxlsrv
Output should show "RUNNING".
(3) Advanced Configuration
SIC credentials and LEA configuration are necessary for the LEA connection to function. The SIC configuration wizard (wizard.py) included in the manual installation can initialize SIC and configure the LEA client automatically.
The LEA/DXL Connector receives log entries from Check Point Security Gateway over LEA using the LEACON\fw1-loggrabber.exe executable.
Accepted FW-1 log entries are defined in the LEACON\fw1-loggrabber.conf file, and can be reconfigured by editing the FW1_FILTER_RULE property in that file.
Logs are processed and sent to LEA/DXL Connector using the DXLCON\fw1-dxlcon.exe executable.
McAfee ePO credentials and log matching rule configuration are necessary for the DXL processor to function. McAfee ePO credentials are defined in the epo.conf file. DXL topics and matching rules for Check Point Security Gateway logs are defined in the fw1-dxlcon.conf file.
These components are managed by the cpdxlsrv.exe service.
All the LEACON\logs\*.log files are processed by default. The output DXL messages are written to the LEACON\logs\out\*.json file.
Check Point Security Gateway log entries and DXL entries are deleted when processing is complete.
(4) Troubleshooting
LEA/DXL connectivity can be monitored through the Windows Event Viewer - Application and Service Logs - CheckPoint.
LEA/DXL log retrieval and processing can be monitored by viewing the DXLCON\fw1-dxlcon.log file.
Direct execution of the DXLCON\fw1-dxlcon.exe executable and LEACON\fw1-loggrabber.exe executable is permitted, provided that the Check Point LEA/DXL Connector service is stopped. If launched interactively, the fw1-dxlcon.exe will also print log messages on the console window.
Troubleshooting features can be enabled by editing the [debug] section in the DXLCON\fw1-dxlcon.conf file:
Note: All properties must be defined for the [debug] section settings to apply.
Property (default) - Description
flush_incoming_fw1log (default: on) - Determines whether to delete incoming Check Point Security Gateway logs in the LEACON\logs\ folder after processing them.
flush_outgoing_json (default: on) - Determines whether to delete outgoing DXL JSON messages in the LEACON\logs\out\ folder after posting to DXL.
post_to_dxl (default: on) - Determines whether to post accepted messages to DXL.
verbose (default: off) - Determines whether to display additional information in the DXL Connector console window (all incoming Check Point Security Gateway logs, including those that do not match DXL rules).
pause_on_exit (default: off) - Determines whether to automatically terminate the DXL Connector on fatal errors. Useful when applying advanced configuration.
(5) Example McAfee Remediation Workflow Configuration
This information is provided by courtesy of McAfee Inc.
McAfee Software Prerequisites
The following components must be set up and configured within the environment, in addition to the components mentioned above:
McAfee Data Exchange Layer (DXL) Environment
DXL Broker
DXL Client
McAfee Active Response (MAR) Environment
MAR Server
MAR Client
McAfee ePolicy Server (ePO) Environment
Required Extension for DXL Environment
Required Extension for MAR Environment
DXL Workflow
This section of the article assumes that the customer or another partner has previously created a custom DXL module that subscribes to and monitors the Check Point DXL topics. While not limited to this specific implementation, such a module may contain business logic that performs various remediation actions using McAfee and/or 3rd-party products integrated within the environment.
The following example remediation flow uses the McAfee Active Response (MAR) threat detection and defense tool. It consumes threat information from Check Point Threat Emulation, searches the McAfee environment using a parameter such as a file hash, and finally assigns an ePO tag to the endpoints on which the malware has been identified, so that a preconfigured ePO policy can be triggered to remediate the issue.
Create a custom DXL module to perform the following actions:
Subscribe to Check Point's Threat Emulation topic:
(/open/threat/fw/checkpoint/threatemulation)
Parse the event payload from this topic, and get the Threat Emulation file details like File Name, File Hash, File MD5, and File URL.
Note: Threat Emulation event payloads will contain File Name, File Hash, File MD5, File URL, Source IP, etc.
Invoke the MAR search command using the OpenDXL MAR APIs to search whether this file exists in the environment.
The MAR search can be performed based on File Name, File Hash, File MD5, File URL, etc.
Using the response from MAR, invoke the OpenDXL ePO Client to assign an ePO tag to the endpoints found within the environment.
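As an added example (not part of this SK or of McAfee's material), the following Python skeleton implements the logic of the steps above: parse the Threat Emulation payload, build a MAR search condition from the file attributes, and tag every endpoint MAR reports. The payload JSON keys, the MAR projection/condition shapes and the mar_search/apply_tag callables are assumptions; the DXL, MAR and ePO clients are injected so the flow can be exercised offline.

```python
import json

# Topic the connector publishes Threat Emulation / Anti-Virus verdicts to (from this SK).
CP_TE_TOPIC = "/open/threat/fw/checkpoint/threatemulation"

# Assumed JSON keys of the connector's payload (constructed for this example; the SK names
# the fields but not the exact keys the connector emits). URL is kept for audit logging only.
PAYLOAD_KEYS = {"file_name": "file_name", "md5": "file_md5", "sha1": "file_sha1", "url": "file_url"}

# MAR projection: collectors/outputs to return per matching endpoint. The shape is modelled
# on the OpenDXL MAR client's search(projections, conditions) arguments (assumption).
MAR_PROJECTIONS = [{"name": "HostInfo", "outputs": ["hostname", "ip_address"]},
                   {"name": "Files", "outputs": ["md5", "name"]}]


def extract_indicators(payload):
    """Parse one DXL payload (JSON bytes or str) into the file attributes the flow can use."""
    raw = payload.decode("utf-8") if isinstance(payload, bytes) else payload
    event = json.loads(raw)
    return {k: event[v] for k, v in PAYLOAD_KEYS.items() if event.get(v)}


def build_mar_conditions(indicators):
    """OR together one Files-collector EQUALS term per searchable indicator, so an endpoint
    matches on any known attribute. Returns None when nothing searchable was supplied."""
    outputs = {"md5": "md5", "sha1": "sha1", "file_name": "name"}  # indicator -> Files output
    terms = [{"name": "Files", "output": outputs[k], "op": "EQUALS", "value": v}
             for k, v in indicators.items() if k in outputs]
    return {"or": [{"and": [t]} for t in terms]} if terms else None


def remediate(payload, mar_search, apply_tag, tag_name="CP_TE_Malicious"):
    """Full flow for one event. mar_search(projections, conditions) returns hit records whose
    'output' dict uses 'Collector|output' keys (assumed MAR result shape); apply_tag(tag, host)
    wraps the ePO tagging call. Returns the deduplicated list of hosts that were tagged."""
    conditions = build_mar_conditions(extract_indicators(payload))
    if conditions is None:  # nothing MAR can search on: never tag endpoints blindly
        return []
    hits = mar_search(MAR_PROJECTIONS, conditions)
    hosts = sorted({h["output"]["HostInfo|hostname"] for h in hits})
    for host in hosts:
        apply_tag(tag_name, host)  # the ePO tag drives the preconfigured remediation policy
    return hosts
```

In a deployed module the callback registered for CP_TE_TOPIC would pass message.payload to remediate() with the real MAR and ePO client calls plugged in.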
(6) Uninstall
On Windows 2000 / 2003 - click on Add/Remove Programs
On Windows 2008 / Vista / 7 - click on Programs and Features
Select the package - click on Uninstall button.
You may have to stop the LEA/DXL Connector service manually (run "net stop cpdxlsrv" as an administrator, or use the Services MMC Snap-In) to avoid a reboot (the installer will prompt you about this).
Note: The LEA/DXL Connector, which uses the OPSEC LEA API for log withdrawal, is deprecated starting from R80.20 and has not been extensively tested on the latest Log Server versions. A new version, based on the new Log Exporter, will also provide bi-directional enforcement (Check Point will enforce indicators received from McAfee DXL). We highly suggest waiting for the new version (ETA TBD, 2020) before deploying an integrated Check Point/McAfee environment on production networks.