LEA/DXL Connector for McAfee ePO Integration
Solution

Table of Contents:

  1. Overview
  2. Installation
  3. Advanced Configuration
  4. Troubleshooting
  5. Example McAfee Remediation Workflow Configuration
  6. Uninstall

 

(1) Overview

The Check Point LEA/DXL Connector, combined with the Check Point Plug-in for McAfee ePO, integrates the Check Point Threat Prevention Blades with McAfee ePO over the McAfee Data Exchange Layer (DXL).

The connector establishes an OPSEC LEA (Log Extraction API) connection with the Check Point Log Server and, by default, receives logs from the following Blades:

  • Threat Emulation
  • Anti-Bot
  • Anti-Virus

Check Point logs that contain information on detected threats are processed and published to preconfigured DXL subjects. The following subjects are used by default:

  • /open/threat/fw/checkpoint/antibot for Anti-Bot logs (any severity)
  • /open/threat/fw/checkpoint/threatemulation for Anti-Virus and Threat Emulation logs (malicious files only)

 

(2) Installation

  1. Configure the McAfee ePO Server:

    1. Install the McAfee ePO plug-in:

      Download the Check Point Plug-in for McAfee ePO Server:

      Package Link
      Check Point Plug-in for McAfee ePO Server (v1.0) (ZIP)

      On the ePO Server:

      1. Navigate to Software > Extensions.
      2. Click Install Extension and upload the Check Point Plug-in to the McAfee ePO Server.
      3. Start the installation by clicking OK at the bottom-right corner of the ePO Server GUI.
    2. Define the Connector User:

      Define a new non-administrator user to be used later with the LEA/DXL Connector.

      1. Navigate to User Management > Users.
      2. Click New User.
      3. Under Manually assigned permission sets, choose Selected permission sets.
      4. Click Save.
    3. Create a Permission Set for the Connector User:

      1. Navigate to User Management > Permission Sets.
      2. Click New Permission Set, and create a permission set with any name.
      3. Click Save.
      4. Edit the newly-created permission set by selecting it from the Permission Sets list.
      5. On the right-hand pane, find the CheckPoint permission and click Edit.
      6. Choose Run Permission for CheckPoint Command and Queries.
      7. Click Save.
  2. Install the LEA/DXL Connector:

    Package Link
    Check Point LEA/DXL Connector for Windows - Full Installation (v1.0) (EXE)
    Check Point LEA/DXL Connector for Windows - Core Installation (*) (v1.0) (MSI)
    Check Point LEA/DXL Connector for Windows - Manual Installation (*) (v1.0) (ZIP)

    (*) The "Core" and "Manual" packages do not include the Microsoft .NET Framework 4 Client Profile and Visual C++ 2010 Redistributable, which are required to run the Connector.

    • Automatic Installation

      On a Windows-based machine, download and run the Check Point LEA/DXL Connector installer (Auto/Core).

      The installer will initialize communications with the McAfee ePO Server based on the user credentials defined in step 1 above, as well as Secure Internal Communication (SIC) with the Check Point Management Server.

      Note: SIC and ePO connectivity must be established for the installation to complete successfully. See the "Manual Installation" section below to initialize these components manually.

      Step 1: Create an OPSEC LEA object in Check Point SmartConsole / SmartDashboard; it is initialized during the installation:

      • Instructions for SmartConsole R8x

        1. Connect with SmartConsole to Security Management Server / Domain Management Server.

        2. Go to the Objects menu - click on the Object Explorer.

        3. In the Object Explorer, in the left tree, click on the Servers.

        4. At the top, click on the New... button - go to the Server menu - go to the OPSEC Application menu - click on the Application... menu.

        5. On the General tab:

          1. In the Name: field, enter the desired name for this object.

          2. In the Host: field, select the Host object that represents the machine on which the Connector will be installed.
            If no such Host object exists yet, click on the New... button and create it.

          3. In the Vendor: field, select the User defined option.

          4. In the Client Entities section, check the box LEA.

          5. At the bottom, click on the Communication... button.

          6. Enter a one-time-password and click on the Initialize button.

            Note: SIC trust will be established by connecting from the host running the Check Point LEA/DXL Connector installer to the Check Point Management Server over TCP port 18210 (which is covered by the predefined Check Point service 'FW1_ica_pull'). Logs are retrieved from the Log Server over TCP port 18184 (which is covered by the predefined Check Point service 'FW1_lea'). Your Firewall policy must allow these connections for the Check Point LEA/DXL Connector to function.

        6. On the LEA Permissions tab:

          1. Select Show all log fields.

          2. Click on OK.

        7. Close the Object Explorer window.

        8. Go to the main Application Menu - click on the Publish session.

        9. Go to the main Application Menu - click on the Install database....

      • Instructions for SmartDashboard R7x

        1. Connect with SmartDashboard to Security Management Server / Domain Management Server.

        2. Go to the Manage menu - click on the Servers and OPSEC Applications....

        3. Click on the New... button - click on the OPSEC Application.

        4. On the General tab:

          1. In the Name: field, enter the desired name for this object.

          2. In the Host: field, select the Host object that represents the machine on which the Connector will be installed.
            If no such Host object exists yet, click on the New... button and create it.

          3. In the Vendor: field, select the User defined option.

          4. In the Client Entities section, check the box LEA.

          5. At the bottom, click on the Communication... button.

          6. Enter a one-time-password and click on the Initialize button.

            Note: SIC trust will be established by connecting from the host running the Check Point LEA/DXL Connector installer to the Check Point Management Server over TCP port 18210 (which is covered by the predefined Check Point service 'FW1_ica_pull'). Logs are retrieved from the Log Server over TCP port 18184 (which is covered by the predefined Check Point service 'FW1_lea'). Your Firewall policy must allow these connections for the Check Point LEA/DXL Connector to function.

        5. On the LEA Permissions tab:

          1. Select Show all log fields.

          2. Click on OK.

        6. Click on the Close button in the Servers and OPSEC Applications window.

        7. Go to the Policy menu - click on the Install Database... - select the Security Management Server / Domain Management Server object.

      Step 2: Run the Check Point LEA/DXL Connector installer:

      1. Run the installer, and follow the installation steps. Click Help for assistance during the installation.

      2. Once successfully installed, the LEA/DXL Connector launches automatically in the background and retrieves, processes, and publishes logs as described in the Overview above.

    • Manual Installation (requires Python 2.x and Microsoft .NET Framework 4 Client Profile)

      1. On a Windows machine, download and extract the LEA/DXL Connector manual installation archive to a location of your choice.

      2. Initialize SIC with Check Point Management Server by running the LEACON\wizard.py script.

      3. Specify the ePO credentials in the DXLCON\epo.conf file.

      4. Install the Connector service:

        cpdxlsrv.exe /i
      5. Start the service:

        net start cpdxlsrv
      6. Verify the state of the service:

        sc query cpdxlsrv

        Output should show "RUNNING".

 

(3) Advanced Configuration

SIC credentials and LEA configuration are necessary for the LEA connection to function.
The SIC configuration wizard (wizard.py) included in the manual installation can automatically initialize SIC and configure the LEA client.

The LEA/DXL Connector receives log entries from Check Point Security Gateway over LEA using the LEACON\fw1-loggrabber.exe executable.

Accepted FW-1 log entries are defined in the LEACON\fw1-loggrabber.conf file, and can be reconfigured by editing the FW1_FILTER_RULE property in that file.

Logs are processed and published to DXL by the DXLCON\fw1-dxlcon.exe executable.

McAfee ePO credentials and log matching rule configuration are necessary for the DXL processor to function.
McAfee ePO credentials are defined in the DXLCON\epo.conf file.
DXL topics and matching rules for Check Point Security Gateway logs are defined in the DXLCON\fw1-dxlcon.conf file.

These components are managed by the cpdxlsrv.exe service.

All the LEACON\logs\*.log files are processed by default.
The output DXL messages are written to the LEACON\logs\out\*.json file.

Check Point Security Gateway log entries and DXL entries are deleted when processing is complete.

 

(4) Troubleshooting

LEA/DXL connectivity can be monitored through the Windows Event Viewer - Applications and Services Logs - CheckPoint.

LEA/DXL log retrieval and processing can be monitored by viewing the DXLCON\fw1-dxlcon.log file.

Direct execution of the DXLCON\fw1-dxlcon.exe and LEACON\fw1-loggrabber.exe executables is permitted, provided that the Check Point LEA/DXL Connector service is stopped.
If launched interactively, fw1-dxlcon.exe also prints log messages to the console window.

Troubleshooting features can be enabled by editing the [debug] section in the DXLCON\fw1-dxlcon.conf file:

Note: All properties must be defined for the [debug] section settings to apply.

Property               Default  Description
flush_incoming_fw1log  on       Determines whether to delete incoming Check Point Security Gateway logs in the LEACON\logs\ folder after processing them.
flush_outgoing_json    on       Determines whether to delete outgoing DXL JSON messages in the LEACON\logs\out\ folder after posting to DXL.
post_to_dxl            on       Determines whether to post accepted messages to DXL.
verbose                off      Determines whether to display additional information in the DXL Connector console window (all incoming Check Point Security Gateway logs, including those that do not match DXL rules).
pause_on_exit          off      Determines whether to automatically terminate the DXL Connector on fatal errors. Useful when applying advanced configuration.

 

(5) Example McAfee Remediation Workflow Configuration

This information is provided by courtesy of McAfee Inc.

  • McAfee Software Prerequisites

    The following components must be set up and configured within the environment, in addition to the components mentioned above:

    1. McAfee Data Exchange Layer (DXL) Environment

      1. DXL Broker
      2. DXL Client
    2. McAfee Active Response (MAR) Environment

      1. MAR Server
      2. MAR Client
    3. McAfee ePolicy Orchestrator (ePO) Environment

      1. Required Extension for DXL Environment
      2. Required Extension for MAR Environment


  • DXL Workflow

    This section of the article assumes that the customer or another partner has previously created a custom DXL module that subscribes to and monitors the Check Point DXL topics. While not limited to this specific implementation, this module may contain business logic to perform various remediation actions using McAfee and/or 3rd-party products integrated within the environment.

    The following example remediation flow uses the McAfee Active Response (MAR) threat defense and detection tool. It consumes threat information from Check Point Threat Emulation, searches the McAfee environment using a parameter such as a file hash, and finally assigns an ePO tag to endpoints that have been identified as having the malware present, so that a preconfigured ePO policy can be initiated to remediate the issue.

    Create a custom DXL module to perform the following actions:

    1. Subscribe to Check Point's Threat Emulation topic:

      (/open/threat/fw/checkpoint/threatemulation)
    2. Parse the event payload from this topic, and extract the Threat Emulation file details such as File Name, File Hash, File MD5, and File URL.

      Note: Threat Emulation event payloads will contain File Name, File Hash, File MD5, File URL, Source IP, etc.
    3. Invoke the MAR search command using Open DXL MAR APIs to search whether this file exists in the environment.

      The MAR search can be performed based on File Name, File Hash, File MD5, File URL, etc.
    4. With the response from MAR, invoke the OpenDXL ePO Client to assign an ePO tag to endpoints found within the environment.
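The Python module below is an added example of the decision logic behind steps 1 to 4; it is not McAfee's or Check Point's code and does not use the OpenDXL client libraries. The DXL transport, the MAR search and the ePO tag call are injected as plain callables so the logic can be exercised without a broker, and the JSON payload keys (file_name, file_md5, file_sha1, file_sha256, file_url, src_ip), the shape of the MAR result (a list of host identifiers) and the tag name are assumptions made for the example. It goes a little beyond the numbered steps in two ways a defender would want: hash values are validated before they are used as search conditions, and tagging is idempotent, so a repeated event does not issue a second tag command for the same host.

```python
"""
Added example: decision logic for a custom DXL remediation module that
consumes Check Point Threat Emulation events, searches MAR by hash and tags
affected endpoints in ePO. Transport, MAR search and ePO tagging are injected
callables; payload keys and result shapes are assumptions.
"""
import json
import re
from typing import Callable, Dict, List, Optional, Set

TE_TOPIC = "/open/threat/fw/checkpoint/threatemulation"

# Assumed payload keys and the shape each hash must have to be trusted.
HASH_FIELDS = {
    "file_sha256": re.compile(r"^[0-9a-fA-F]{64}$"),
    "file_sha1": re.compile(r"^[0-9a-fA-F]{40}$"),
    "file_md5": re.compile(r"^[0-9a-fA-F]{32}$"),
}


def extract_indicators(payload: Dict[str, object]) -> Dict[str, str]:
    """Keep only well-formed indicators; a malformed hash never reaches MAR."""
    indicators: Dict[str, str] = {}
    for key, pattern in HASH_FIELDS.items():
        value = str(payload.get(key, ""))
        if pattern.match(value):
            indicators[key] = value.lower()
    name = str(payload.get("file_name", "")).strip()
    if name:
        indicators["file_name"] = name
    return indicators


def build_mar_condition(indicators: Dict[str, str],
                        allow_name_only: bool = False) -> Optional[Dict[str, str]]:
    """Prefer the strongest hash; a file name alone is a weak indicator and is
    only used when the caller explicitly allows it."""
    for key in ("file_sha256", "file_sha1", "file_md5"):
        if key in indicators:
            return {"field": key, "value": indicators[key]}
    if allow_name_only and "file_name" in indicators:
        return {"field": "file_name", "value": indicators["file_name"]}
    return None


class RemediationHandler:
    """Event handler for the threatemulation subject (steps 1-4)."""

    def __init__(self,
                 mar_search: Callable[[Dict[str, str]], List[str]],
                 apply_tag: Callable[[str, str], None],
                 tag_name: str = "CP_TE_MALWARE_FOUND",  # assumed tag name
                 allow_name_only: bool = False):
        self.mar_search = mar_search
        self.apply_tag = apply_tag
        self.tag_name = tag_name
        self.allow_name_only = allow_name_only
        self.tagged: Set[str] = set()  # hosts already tagged this session

    def on_event(self, topic: str, payload: bytes) -> List[str]:
        """Process one DXL event; return the hosts that carry the tag."""
        if topic != TE_TOPIC:  # step 1: only the Threat Emulation subject
            return []
        try:
            data = json.loads(payload)  # step 2: parse the payload
        except (ValueError, TypeError):
            return []
        if not isinstance(data, dict):
            return []
        condition = build_mar_condition(extract_indicators(data), self.allow_name_only)
        if condition is None:
            return []
        hosts = sorted(set(self.mar_search(condition)))  # step 3: MAR search
        for host in hosts:  # step 4: tag each affected endpoint once
            if host not in self.tagged:
                self.apply_tag(host, self.tag_name)
                self.tagged.add(host)
        return hosts


def demo() -> List[str]:
    """Run the handler against a constructed event with in-memory fakes."""
    inventory = {("file_sha256", "a" * 64): ["WS-0042", "WS-0107"]}  # constructed
    applied: List[tuple] = []
    handler = RemediationHandler(
        mar_search=lambda cond: inventory.get((cond["field"], cond["value"]), []),
        apply_tag=lambda host, tag: applied.append((host, tag)),
    )
    event = json.dumps({  # constructed Threat Emulation payload
        "file_name": "invoice.exe", "file_md5": "b" * 32, "file_sha256": "A" * 64,
        "file_url": "http://example.invalid/invoice.exe", "src_ip": "10.1.2.3",
    }).encode()
    return handler.on_event(TE_TOPIC, event)


if __name__ == "__main__":
    print(demo())
```

With the OpenDXL Python client the on_event method would be wired to an event callback registered for the threatemulation subject, and mar_search and apply_tag would wrap the MAR and ePO client calls; those bindings are deliberately left out here so the decision logic can be unit-tested on its own.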

    References:

 

(6) Uninstall

  1. Go to Control Panel:

    • On Windows 2000 / 2003 - click on Add/Remove Programs
    • On Windows 2008 / Vista / 7 - click on Programs and Features
  2. Select the package - click on Uninstall button.

  3. You may have to stop the LEA/DXL Connector service manually (run "net stop cpdxlsrv" as an administrator, or use the Services MMC Snap-In) to avoid a reboot (the installer will prompt you about this).
