How to enable SmartEvent to read logs from external Security Management Server / externally managed Log Server
Solution

The following procedure shows how to configure SmartEvent to read logs from an externally-managed Log Server or an external Security Management Server.
An externally managed Log Server is managed by a different Security Management Server than the one that manages the SmartEvent Server. An external Security Management Server is not the one that manages the SmartEvent Server. 

Important Notes

  • This procedure is not supported on CLM\CMA as Log server.
  • This procedure must be performed during a maintenance window.
  • Before making any changes, take a complete backup / snapshot of each involved machine.
  • For any assistance, contact Check Point Support.

 

Example Environment

  • Main Security Management Server ('SMS') with IP address 10.0.0.1
  • SmartEvent and Correlation Unit Server with IP address 10.0.0.2
  • External Security Management Server ('Ext_SMS') with IP address 10.0.0.3
  • SmartEvent Server object is defined on Main Security Management Server ('SMS') and SIC is established between them.

Goal - enable SmartEvent (Correlation Unit) to read logs from external Security Management Server ('Ext_SMS').

 

Procedure

  • Instructions for R80.X

    For R80 and R80.10, contact Check Point Support to get a special hotfix before implementing the below procedure.
    For R80.20 and above, continue with the procedure.


    Step 1 - Allow SmartEvent to read logs from the external Log Server

    1. Connect with SmartConsole to the Security Management Server that manages the external Log server.

    2. Create a new OPSEC Application:


      • Under 'Host', create the SmartLog/SmartEvent Server object by using the 'New...' button. (If this object already exists, select it). This object represents the SmartEvent Server that will read logs from this External log server.

      • Under 'Client Entities' select the 'LEA' box:

      • Click on the 'Communication' button and in the popup dialog, enter the 'Activation Key' and press 'Initialize'.

      • Click OK


    3. In the 'Policy' menu, click on 'Install Database...' and select the objects of all involved machines.


    On SmartEvent Server machine

    1. Change the directory to $INDEXERDIR.

      From the command line, run the 'opsec_pull_cert' command with the following parameters:

      # ./opsec_pull_cert -h <IP_address_of_Host> -n <OPSec-Application-Name> -p <Activation-Key> -o <Name-of-Certificate-File>

      Example (assuming IP address of External Log-Server is 192.168.1.1):

      [Expert@HostName]# ./opsec_pull_cert -h 192.168.1.1 -n SmartEvent_server -p dks$elFd -o SmartEvent_cert.p12

      Note: This should be done once per Security Management (if there are multiple Log Servers, managed by the same Security Management)

    2. Edit the $INDEXERDIR/log_indexer_custom_settings.conf file:

      Find the 'log_servers' parameter that should look more or less like this:
      :log_servers (
      	: (
      		:name (127.0.0.1)
      		:uuid ()
      		:log_files (all)
      		:folder ("/opt/CPsuite-R80/fw1/log")
      		:is_local (true)
      		:read_mode (FILES)
      	)
      )
       
      Add another external Log Server, so after modification it looks like this:
      :log_servers (
      	: (
      		:name (127.0.0.1)
      		:uuid ()
      		:log_files (all)
      		:folder ("/opt/CPsuite-R80/fw1/log")
      		:is_local (true)
      		:read_mode (FILES)
      	)
      	: (
      		:name (192.168.1.1)
      		:log_files (all)
      		:is_local (false)
      		:certificate_file (SmartEvent_cert.p12)
      		:sic_name_client ("CN=SmartEvent_server,O=flow_mgmt..tp7tbr")
      		:sic_name_server ("CN=cp_mgmt,O=flow_mgmt..tp7tbr")
      		:read_mode (LEA)
      	)
      )
              
      Where:
      • name - the IP address of the external Log Server
      • log_files - all
      • is_local - false
      • certificate_file - the name of the certificate file pulled with opsec_pull_cert
      • sic_name_client - the DN shown in the OPSEC application's DN text box
      • sic_name_server - the same form as 'sic_name_client', but with the CN= of the Log Server. In our example the Log Server's name is 'cp_mgmt', so the string is "CN=cp_mgmt,O=flow_mgmt..tp7tbr".

      If the Log Server is also a Management Server or Secondary Management Server, the SIC name that should be used is:
      • for Primary Management Server: "CN=cp_mgmt,O=<Name_of_Object_of_Primary_Management>..tp7tbr"
      • for Secondary Management Server: "CN=cp_mgmt_<Name_of_Object_of_Secondary_Management>,O=<Name_of_Object_of_Primary_Management>..tp7tbr"


    3. Run: stopIndexer;startIndexer


    Step 2 – Allow the correlation unit to read logs and create events

    1. On Main Security Management Server ('SMS') that manages SmartEvent

      1. Connect with SmartDashboard to the Main Security Management Server ('SMS').

      2. Go to 'Manage' menu - click on 'Network Objects...'.

      3. Click on the 'New...' button - select 'Check Point' - click on 'Host...'.
      4. This object will represent the External Security Management Server / externally managed Log Server:

        1. Assign the name 'Ext_SMS'.

        2. Assign the IPv4 address 10.0.0.3

        3. Go to the 'Management' tab - check the box 'Logging & Status'.

        4. Do NOT establish SIC for this object.

        5. Click on 'OK' to create the object.


      5. Click on 'Close' to close the 'Network Objects...' window.

      6. Save the changes: go to 'File' menu - click on 'Save'.


    2. On SmartEvent Server

      1. Connect with SmartEvent GUI to SmartEvent.

      2. Go to 'Policy' tab - expand 'General Settings' - expand 'Initial Settings' - click 'Correlation Units'.
      3. Click on 'Add...' button - select the object that represents the External Security Management Server / externally managed Log Server - 'Ext_SMS'.

         

        Note: Correlation Unit will read logs from this External Security Management Server / externally managed Log Server.

      4. Click 'Save' button.

      5. Go to the 'Actions' menu - click 'Install Event Policy' and install policy on the Correlation Unit.

         


    3. On Correlation Unit Server

      Note: Correlation Unit Server might be deployed on the same machine with SmartEvent Server (this is the case in our example), or on a dedicated machine.

      1. Connect to command line and log in to the Expert mode. 
      2. Stop Check Point services: [Expert@HostName]# cpstop

      3. Install a Check Point authentication password:

        [Expert@HostName]# fw putkey -p <Shared_Secret> IP_Address_of_Ext_SMS

        Notes:

        • <Shared_Secret> - is a shared password to be defined on both machines (Correlation Unit Server and External Security Management Server / externally managed Log Server)
        • IP_Address_of_Ext_SMS - in our example, is 10.0.0.3
      4. Backup the current $CPDIR/conf/sic_policy.conf file:

        [Expert@HostName]# cp -v $CPDIR/conf/sic_policy.conf $CPDIR/conf/sic_policy.conf_ORIGINAL

      5. Edit the current $CPDIR/conf/sic_policy.conf file:

        [Expert@HostName]# vi $CPDIR/conf/sic_policy.conf

        In the [Outbound rules] section:

        [Outbound rules]
        # apply_to  peer(s)    port(s) service(s)   auth-method(s)
        # -------------------------------------------------------- 
        

        Modify the following SIC rules:

        1. Modify this SIC rule:

          from:
          # for LC: should implement 'Loggers' hook
          ANY    ; Loggers    ;ANY; lea       ; sslca
          
          to:
          # for LC: should implement 'Loggers' hook
          ANY    ; Loggers    ;ANY; lea    ; ssl, sslca
          


        2. Modify this SIC rule:

          from
          # for log_export tool and Abacus analyzer
          ANY    ; ANY        ;ANY; lea    ; sslca
          
          to:
          # for log_export tool and Abacus analyzer
          ANY    ; ANY        ;ANY; lea    ; ssl, sslca
          


    4. On External Security Management Server / externally managed Log Server

      1. Connect to command line and log in to the Expert mode. 
      2. Install a Check Point authentication password:

        [Expert@HostName]# fw putkey -p <Shared_Secret>  IP_Address_of_Correlation_Unit

        Notes:

        • <Shared_Secret> - is a shared password to be defined on both machines (External Security Management Server / externally managed Log Server and Correlation Unit Server)
        • IP_Address_of_Correlation_Unit - in our example, is 10.0.0.2
      3. Stop Check Point services: [Expert@HostName]# cpstop

      4. Backup the current $CPDIR/conf/sic_policy.conf file:

        [Expert@HostName]# cp -v $CPDIR/conf/sic_policy.conf $CPDIR/conf/sic_policy.conf_ORIGINAL

      5. Edit the current $CPDIR/conf/sic_policy.conf file:

        [Expert@HostName]# vi $CPDIR/conf/sic_policy.conf

        In the [Inbound rules] section:

        [Inbound rules]
        # apply_to  peer(s)    port(s) service(s)   auth-method(s)
        # -------------------------------------------------------- 
        

        Modify the 5th SIC rule in 'Abacus' section:

        from:
        # Abacus
        ANY    ; SEAM_analyzers, Reporting_Tool; ANY; SEAM_event   ; sslca
        ANY    ; SEAM_mgmt, Reporting_Tool     ; ANY; InstallPolicy;  sslca
        DN_mgmt, Management ; SEAM_mgmt, Reporting_Tool     ; ANY; sam  ; sslca
        DN_mgmt, MGMT_OR_MDS, Log_Server ; SEAM_mgmt, Reporting_Tool     ; ANY; cpmi ; sslca
        ANY  ; SEAM_analyzers, Reporting_Tool; ANY; lea  ; sslca
        SEAM_analyzers, Reporting_Tool	; SEAM_mgmt, Reporting_Tool	; ANY; amon ; sslca_comp, sslca
        DN_mgmt, Management; SEAM_analyzers; ANY; cpmi; sslca
        
        to:
        # Abacus
        ANY    ; SEAM_analyzers, Reporting_Tool; ANY; SEAM_event   ; sslca
        ANY    ; SEAM_mgmt, Reporting_Tool     ; ANY; InstallPolicy;  sslca
        DN_mgmt, Management ; SEAM_mgmt, Reporting_Tool     ; ANY; sam  ; sslca
        DN_mgmt, MGMT_OR_MDS, Log_Server ; SEAM_mgmt, Reporting_Tool     ; ANY; cpmi ; sslca
        ANY  ; ANY ; ANY; lea  ; ssl, sslca
        SEAM_analyzers, Reporting_Tool	; SEAM_mgmt, Reporting_Tool	; ANY; amon ; sslca_comp, sslca
        DN_mgmt, Management; SEAM_analyzers; ANY; cpmi; sslca
        

        Important Note:

        With this "new" SIC rule, clients that require 'sslca' (SSL with certificate validation) will fail to connect, so this change has to be done carefully. All LEA connections will be accepted in SSL, while other LEA clients/products may require 'sslca'. If SmartEvent is the only LEA client, this "new" SIC rule is a valid solution. If there are other Log Servers (other LEA clients), the "new" SIC rule must instead be split so that plain 'ssl' is accepted only from the SmartEvent machine:

        From
        # Abacus
        ANY ; SEAM_analyzers, Reporting_Tool; ANY; SEAM_event ; sslca
        ANY ; SEAM_mgmt, Reporting_Tool ; ANY; InstallPolicy; sslca
        DN_mgmt, Management ; SEAM_mgmt, Reporting_Tool ; ANY; sam ; sslca
        DN_mgmt, MGMT_OR_MDS, Log_Server ; SEAM_mgmt, Reporting_Tool ; ANY; cpmi ; sslca
        ANY ; SEAM_analyzers, Reporting_Tool; ANY; lea ; sslca
        SEAM_analyzers, Reporting_Tool ; SEAM_mgmt, Reporting_Tool ; ANY; amon ; sslca_comp, sslca
        DN_mgmt, Management; SEAM_analyzers; ANY; cpmi; sslca   
            
        To
        # Abacus
        ANY ; SEAM_analyzers, Reporting_Tool; ANY; SEAM_event ; sslca
        ANY ; SEAM_mgmt, Reporting_Tool ; ANY; InstallPolicy; sslca
        DN_mgmt, Management ; SEAM_mgmt, Reporting_Tool ; ANY; sam ; sslca
        DN_mgmt, MGMT_OR_MDS, Log_Server ; SEAM_mgmt, Reporting_Tool ; ANY; cpmi ; sslca
        ANY ; <sic name of smart event machine> ; ANY; lea ; ssl
        ANY ; ANY ; ANY; lea ; sslca
        SEAM_analyzers, Reporting_Tool ; SEAM_mgmt, Reporting_Tool ; ANY; amon ; sslca_comp, sslca
        DN_mgmt, Management; SEAM_analyzers; ANY; cpmi; sslca
            
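The Important Note above (and the identical note in the R77.X section) warns that a catch-all `ANY ; ANY ; ANY; lea ; ssl, sslca` rule accepts certificate-less LEA sessions from any peer. The following audit script is an added example, not part of the article or of Check Point's own tooling: it parses the rule lines of a sic_policy.conf section, flags any 'lea' rule that accepts plain 'ssl' from ANY peer, and rewrites it into the narrowed pair shown in the 'To' block (ssl only for the SmartEvent SIC name, sslca for everyone else). The sample file content and the SIC name "CN=SmartEvent_server,O=flow_mgmt..tp7tbr" are taken from this article's example values.

```python
"""Audit LEA rules in a Check Point sic_policy.conf section (added example).

Rule lines have the form shown in the article:
    apply_to ; peer(s) ; port(s) ; service(s) ; auth-method(s)
Comments (#) and blank lines are ignored; fields may contain comma lists.
"""
from dataclasses import dataclass
from typing import List

# SIC name of the SmartEvent machine; value taken from the article's example DN.
SMARTEVENT_SIC_NAME = "CN=SmartEvent_server,O=flow_mgmt..tp7tbr"

# Constructed excerpt mirroring the article's sections after the "broad" edit.
SAMPLE_SIC_POLICY = """\
[Outbound rules]
# apply_to  peer(s)    port(s) service(s)   auth-method(s)
ANY    ; Loggers    ;ANY; lea    ; ssl, sslca

[Inbound rules]
# Abacus
ANY    ; SEAM_analyzers, Reporting_Tool; ANY; SEAM_event   ; sslca
DN_mgmt, MGMT_OR_MDS, Log_Server ; SEAM_mgmt, Reporting_Tool     ; ANY; cpmi ; sslca
ANY  ; ANY ; ANY; lea  ; ssl, sslca
SEAM_analyzers, Reporting_Tool\t; SEAM_mgmt, Reporting_Tool\t; ANY; amon ; sslca_comp, sslca
"""


@dataclass
class SicRule:
    apply_to: List[str]
    peers: List[str]
    ports: List[str]
    services: List[str]
    auth: List[str]

    def render(self) -> str:
        """Serialize back into the sic_policy.conf line format."""
        fields = (self.apply_to, self.peers, self.ports, self.services, self.auth)
        return " ; ".join(", ".join(f) for f in fields)


def _split(field: str) -> List[str]:
    return [x.strip() for x in field.split(",") if x.strip()]


def parse_section(text: str, section: str) -> List[SicRule]:
    """Return the rules of the named section, e.g. 'Inbound rules'."""
    rules, active = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            active = line[1:-1].lower() == section.lower()
            continue
        if not active or not line or line.startswith("#"):
            continue
        fields = line.split(";")
        if len(fields) != 5:
            raise ValueError(f"malformed SIC rule: {raw!r}")
        rules.append(SicRule(*[_split(f) for f in fields]))
    return rules


def broad_ssl_lea_rules(rules: List[SicRule]) -> List[SicRule]:
    """LEA rules that accept plain 'ssl' (no certificate check) from ANY peer."""
    return [r for r in rules
            if "lea" in r.services and "ssl" in r.auth and "ANY" in r.peers]


def narrow_lea_rule(rule: SicRule, smartevent_sic_name: str) -> List[SicRule]:
    """Split a broad 'ssl, sslca' lea rule into the article's narrowed pair:
    'ssl' only for the SmartEvent SIC name, 'sslca' for all other peers."""
    ssl_rule = SicRule(rule.apply_to, [smartevent_sic_name],
                       rule.ports, rule.services, ["ssl"])
    sslca_rule = SicRule(rule.apply_to, ["ANY"], rule.ports, rule.services, ["sslca"])
    return [ssl_rule, sslca_rule]


if __name__ == "__main__":
    inbound = parse_section(SAMPLE_SIC_POLICY, "Inbound rules")
    for broad in broad_ssl_lea_rules(inbound):
        print("broad LEA rule:", broad.render())
        for fixed in narrow_lea_rule(broad, SMARTEVENT_SIC_NAME):
            print("  replace with:", fixed.render())
```

Run it against a copy of $CPDIR/conf/sic_policy.conf to list the broad rule and the replacement pair before editing the live file.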
      6. Start Check Point services: [Expert@HostName]# cpstart



    5. On Correlation Unit Server

      Note: Correlation Unit Server might be deployed on the same machine with SmartEvent Server (this is the case in our example), or on a dedicated machine.

      1. Connect to command line and log in to the Expert mode. 
      2. Start Check Point services: [Expert@HostName]# cpstart

      3. Check that the Correlation Unit is reading logs from External Security Management Server / externally managed Log Server:

        [Expert@HostName]# cpstat cpsead
         
  • Instructions for R77.X

    This procedure is supported only when all involved servers are R77.X. 

    1. On Main Security Management Server ('SMS')

      1. Connect with SmartDashboard to the Main Security Management Server ('SMS').

      2. Go to 'Manage' menu - click on 'Network Objects...'.

      3. Click on the 'New...' button - select 'Check Point' - click on 'Host...'.
      4. This object will represent the External Security Management Server / externally managed Log Server:

        1. Assign the name 'Ext_SMS'.

        2. Assign the IPv4 address 10.0.0.3

        3. Go to the 'Management' tab - check the box 'Logging & Status'.

        4. Do NOT establish SIC for this object.

        5. Click on 'OK' to create the object.


      5. Click on 'Close' to close the 'Network Objects...' window.

      6. Save the changes: go to 'File' menu - click on 'Save'.


    2. On SmartEvent Server

      1. Connect with SmartEvent GUI to SmartEvent.

      2. Go to 'Policy' tab - expand 'General Settings' - expand 'Initial Settings' - click 'Correlation Units'.
      3. Click on 'Add...' button - select the object that represents the External Security Management Server / externally managed Log Server - 'Ext_SMS'.

         

        Note: Correlation Unit will read logs from this External Security Management Server / externally managed Log Server.

      4. Click 'Save' button.

      5. Go to the 'Actions' menu - click 'Install Event Policy' and install policy on the Correlation Unit.

         


    3. On Correlation Unit Server

      Note: Correlation Unit Server might be deployed on the same machine with SmartEvent Server (this is the case in our example), or on a dedicated machine.

      1. Connect to command line and log in to the Expert mode. 
      2. Stop Check Point services: [Expert@HostName]# cpstop

      3. Install a Check Point authentication password:

        [Expert@HostName]# fw putkey -p <Shared_Secret> IP_Address_of_Ext_SMS

        Notes:

        • <Shared_Secret> - is a shared password to be defined on both machines (Correlation Unit Server and External Security Management Server / externally managed Log Server)
        • IP_Address_of_Ext_SMS - in our example, is 10.0.0.3
        • For more details, refer to R77 Command Line Interface Reference Guide - Chapter 3 'Security Management Server and Firewall Commands' - fw - fw putkey
      4. Backup the current $CPDIR/conf/sic_policy.conf file:

        [Expert@HostName]# cp -v $CPDIR/conf/sic_policy.conf $CPDIR/conf/sic_policy.conf_ORIGINAL

      5. Edit the current $CPDIR/conf/sic_policy.conf file:

        [Expert@HostName]# vi $CPDIR/conf/sic_policy.conf

        In the [Outbound rules] section:

        [Outbound rules]
        # apply_to  peer(s)    port(s) service(s)   auth-method(s)
        # -------------------------------------------------------- 
        

        Modify the following SIC rules:

        1. Modify this SIC rule:

          from:
          # for LC: should implement 'Loggers' hook
          ANY    ; Loggers    ;ANY; lea       ; sslca
          
          to:
          # for LC: should implement 'Loggers' hook
          ANY    ; Loggers    ;ANY; lea    ; ssl, sslca
          


        2. Modify this SIC rule:

          from
          # for log_export tool and Abacus analyzer
          ANY    ; ANY        ;ANY; lea    ; sslca
          
          to:
          # for log_export tool and Abacus analyzer
          ANY    ; ANY        ;ANY; lea    ; ssl, sslca
          


    4. On External Security Management Server / externally managed Log Server

      1. Connect to command line and log in to the Expert mode. 
      2. Install a Check Point authentication password:

        [Expert@HostName]# fw putkey -p <Shared_Secret>  IP_Address_of_Correlation_Unit

        Notes:

        • <Shared_Secret> - is a shared password to be defined on both machines (External Security Management Server / externally managed Log Server and Correlation Unit Server)
        • IP_Address_of_Correlation_Unit - in our example, is 10.0.0.2
        • For more details, refer to R77 Command Line Interface Reference Guide - Chapter 3 'Security Management Server and Firewall Commands' - fw - fw putkey
      3. Stop Check Point services: [Expert@HostName]# cpstop

      4. Backup the current $CPDIR/conf/sic_policy.conf file:

        [Expert@HostName]# cp -v $CPDIR/conf/sic_policy.conf $CPDIR/conf/sic_policy.conf_ORIGINAL

      5. Edit the current $CPDIR/conf/sic_policy.conf file:

        [Expert@HostName]# vi $CPDIR/conf/sic_policy.conf

        In the [Inbound rules] section:

        [Inbound rules]
        # apply_to  peer(s)    port(s) service(s)   auth-method(s)
        # -------------------------------------------------------- 
        

        Modify the 5th SIC rule in 'Abacus' section:

        from:
        # Abacus
        ANY    ; SEAM_analyzers, Reporting_Tool; ANY; SEAM_event   ; sslca
        ANY    ; SEAM_mgmt, Reporting_Tool     ; ANY; InstallPolicy;  sslca
        DN_mgmt, Management ; SEAM_mgmt, Reporting_Tool     ; ANY; sam  ; sslca
        DN_mgmt, MGMT_OR_MDS, Log_Server ; SEAM_mgmt, Reporting_Tool     ; ANY; cpmi ; sslca
        ANY  ; SEAM_analyzers, Reporting_Tool; ANY; lea  ; sslca
        SEAM_analyzers, Reporting_Tool	; SEAM_mgmt, Reporting_Tool	; ANY; amon ; sslca_comp, sslca
        DN_mgmt, Management; SEAM_analyzers; ANY; cpmi; sslca
        
        to:
        # Abacus
        ANY    ; SEAM_analyzers, Reporting_Tool; ANY; SEAM_event   ; sslca
        ANY    ; SEAM_mgmt, Reporting_Tool     ; ANY; InstallPolicy;  sslca
        DN_mgmt, Management ; SEAM_mgmt, Reporting_Tool     ; ANY; sam  ; sslca
        DN_mgmt, MGMT_OR_MDS, Log_Server ; SEAM_mgmt, Reporting_Tool     ; ANY; cpmi ; sslca
        ANY  ; ANY ; ANY; lea  ; ssl, sslca
        SEAM_analyzers, Reporting_Tool	; SEAM_mgmt, Reporting_Tool	; ANY; amon ; sslca_comp, sslca
        DN_mgmt, Management; SEAM_analyzers; ANY; cpmi; sslca
        

        Important Note:

        With this "new" SIC rule, clients that require 'sslca' (SSL with certificate validation) will fail to connect, so this change has to be done carefully. All LEA connections will be accepted in SSL, while other LEA clients/products may require 'sslca'. If SmartEvent is the only LEA client, this "new" SIC rule is a valid solution. If there are other Log Servers (other LEA clients), the "new" SIC rule must instead be split so that plain 'ssl' is accepted only from the SmartEvent machine:

        From
        # Abacus
        ANY ; SEAM_analyzers, Reporting_Tool; ANY; SEAM_event ; sslca
        ANY ; SEAM_mgmt, Reporting_Tool ; ANY; InstallPolicy; sslca
        DN_mgmt, Management ; SEAM_mgmt, Reporting_Tool ; ANY; sam ; sslca
        DN_mgmt, MGMT_OR_MDS, Log_Server ; SEAM_mgmt, Reporting_Tool ; ANY; cpmi ; sslca
        ANY ; SEAM_analyzers, Reporting_Tool; ANY; lea ; sslca
        SEAM_analyzers, Reporting_Tool ; SEAM_mgmt, Reporting_Tool ; ANY; amon ; sslca_comp, sslca
        DN_mgmt, Management; SEAM_analyzers; ANY; cpmi; sslca   
            
        To
        # Abacus
        ANY ; SEAM_analyzers, Reporting_Tool; ANY; SEAM_event ; sslca
        ANY ; SEAM_mgmt, Reporting_Tool ; ANY; InstallPolicy; sslca
        DN_mgmt, Management ; SEAM_mgmt, Reporting_Tool ; ANY; sam ; sslca
        DN_mgmt, MGMT_OR_MDS, Log_Server ; SEAM_mgmt, Reporting_Tool ; ANY; cpmi ; sslca
        ANY ; <sic name of smart event machine> ; ANY; lea ; ssl
        ANY ; ANY ; ANY; lea ; sslca
        SEAM_analyzers, Reporting_Tool ; SEAM_mgmt, Reporting_Tool ; ANY; amon ; sslca_comp, sslca
        DN_mgmt, Management; SEAM_analyzers; ANY; cpmi; sslca
            
      6. Start Check Point services: [Expert@HostName]# cpstart



    5. On Correlation Unit Server

      Note: Correlation Unit Server might be deployed on the same machine with SmartEvent Server (this is the case in our example), or on a dedicated machine.

      1. Connect to command line and log in to the Expert mode. 
      2. Start Check Point services: [Expert@HostName]# cpstart

      3. Check that the Correlation Unit is reading logs from External Security Management Server / externally managed Log Server:

        [Expert@HostName]# cpstat cpsead
         
  • Instructions for R70, R71, R75 or R76

    This procedure is supported only when all involved servers are R70, R71, R75 or R76.

    1. On Main Security Management Server ('SMS')

      1. Connect with SmartDashboard to Main Security Management Server ('SMS').

      2. Go to 'Manage' menu - click on 'Network Objects...'.

      3. Click on the 'New...' button - select 'Check Point' - click on 'Host...'.

      4. This object will represent the External Security Management Server / externally managed Log Server:

        1. Assign the name 'Ext_SMS'.

        2. Assign the IPv4 address 10.0.0.3

        3. Go to the 'Management' tab - check the box 'Logging & Status'.

        4. Do NOT establish SIC for this object.

        5. Click 'OK' to create the object.


      5. Click 'Close' to close the 'Network Objects...' window.

      6. Save the changes: go to 'File' menu - click on 'Save'.


    2. On SmartEvent Server

      1. Connect to command line and log in to Expert mode. 
      2. Stop Check Point services: [Expert@HostName]# cpstop

      3. Backup the current $FWDIR/conf/sem_network_objects.C file:

        [Expert@HostName]# cp -v $FWDIR/conf/sem_network_objects.C $FWDIR/conf/sem_network_objects.C_ORIGINAL
      4. Edit the current $FWDIR/conf/sem_network_objects.C file:

        [Expert@HostName]# vi  $FWDIR/conf/sem_network_objects.C

      5. Find the Host object of External Security Management Server.

      6. Change from:
        ":location (external)"
        
        to:
        ":location (internal)"
        
      7. Start Check Point services: [Expert@HostName]# cpstart

      8. Connect with SmartEvent GUI to SmartEvent.

      9. Go to 'Manage' menu - click on 'Network Objects...'.

      10. Go to 'Policy' tab - expand 'General Settings' - expand 'Initial Settings' - click on 'Correlation Units'.
      11. Click on 'Add...' button - select the object that represents the External Security Management Server / externally managed Log Server - 'Ext_SMS'.

        Note: Correlation Unit will read logs from this External Security Management Server / externally managed Log Server.

      12. Click 'Save'.

      13. Go to 'Actions' menu - click on 'Install Event Policy' - install policy on the Correlation Unit.


    3. On Correlation Unit Server

      Note: Correlation Unit Server might be deployed on the same machine with SmartEvent Server (this is the case in our example), or on a dedicated machine.

      1. Connect to command line and log in to the Expert mode. 
      2. Stop Check Point services: [Expert@HostName]# cpstop

      3. Install a Check Point authentication password:

        [Expert@HostName]# fw putkey -p <Shared_Secret>  IP_Address_of_Ext_SMS

        Notes:

        • <Shared_Secret> - is a shared password to be defined on both machines (Correlation Unit Server and External Security Management Server / externally managed Log Server)
        • IP_Address_of_Ext_SMS - in our example, is 10.0.0.3
        • For more details, refer to Command Line Interface Reference Guide (R70, R71, R75, R75.20, R75.40, R75.40VS, R76) - Chapter 3 'Security Management Server and Firewall Commands' - fw - fw putkey
      4. Backup the current $CPDIR/conf/sic_policy.conf file:

        [Expert@HostName]# cp -v $CPDIR/conf/sic_policy.conf $CPDIR/conf/sic_policy.conf_ORIGINAL

      5. Edit the current $CPDIR/conf/sic_policy.conf file:

        [Expert@HostName]# vi $CPDIR/conf/sic_policy.conf

        In the [Outbound rules] section:

        [Outbound rules]
        # apply_to  peer(s)    port(s) service(s)   auth-method(s)
        # -------------------------------------------------------- 
        

        Modify the following SIC rules:

        1. Modify this SIC rule:

          from:
          # for LC: should implement 'Loggers' hook
          ANY    ; Loggers    ;ANY; lea       ; sslca
          
          to:
          # for LC: should implement 'Loggers' hook
          ANY    ; Loggers    ;ANY; lea    ; ssl
          


        2. Modify this SIC rule:

          from
          # for log_export tool and Abacus analyzer
          ANY    ; ANY        ;ANY; lea    ; sslca
          
          to:
          # for log_export tool and Abacus analyzer
          ANY    ; ANY        ;ANY; lea    ; ssl
          


    4. On External Security Management Server / externally managed Log Server

      1. Connect to command line and log in to the Expert mode. 
      2. Stop Check Point services: [Expert@HostName]# cpstop

      3. Install a Check Point authentication password:

        [Expert@HostName]# fw putkey -p <Shared_Secret>  IP_Address_of_Correlation_Unit

        Notes:

        • <Shared_Secret> - is a shared password to be defined on both machines (External Security Management Server / externally managed Log Server and Correlation Unit Server)
        • IP_Address_of_Correlation_Unit - in our example, is 10.0.0.2
        • For more details, refer to Command Line Interface Reference Guide (R70, R71, R75, R75.20, R75.40, R75.40VS, R76) - Chapter 3 'Security Management Server and Firewall Commands' - fw - fw putkey
      4. Backup the current $CPDIR/conf/sic_policy.conf file:

        [Expert@HostName]# cp -v $CPDIR/conf/sic_policy.conf $CPDIR/conf/sic_policy.conf_ORIGINAL

      5. Edit the current $CPDIR/conf/sic_policy.conf file:

        [Expert@HostName]# vi $CPDIR/conf/sic_policy.conf

        In the [Inbound rules] section:

        [Inbound rules]
        # apply_to  peer(s)    port(s) service(s)   auth-method(s)
        # -------------------------------------------------------- 
        

        Modify the 5th SIC rule in 'Abacus' section:

        from SSLCA:
        # Abacus
        ANY    ; SEAM_analyzers, Reporting_Tool; ANY; SEAM_event   ; sslca
        ANY    ; SEAM_mgmt, Reporting_Tool     ; ANY; InstallPolicy;  sslca
        DN_mgmt, Management ; SEAM_mgmt, Reporting_Tool     ; ANY; sam  ; sslca
        DN_mgmt, MGMT_OR_MDS, Log_Server ; SEAM_mgmt, Reporting_Tool     ; ANY; cpmi ; sslca
        ANY  ; SEAM_analyzers, Reporting_Tool; ANY; lea  ; sslca
        SEAM_analyzers, Reporting_Tool	; SEAM_mgmt, Reporting_Tool	; ANY; amon ; sslca_comp, sslca
        DN_mgmt, Management; SEAM_analyzers; ANY; cpmi; sslca
        
        to SSL:
        # Abacus
        ANY    ; SEAM_analyzers, Reporting_Tool; ANY; SEAM_event   ; sslca
        ANY    ; SEAM_mgmt, Reporting_Tool     ; ANY; InstallPolicy;  sslca
        DN_mgmt, Management ; SEAM_mgmt, Reporting_Tool     ; ANY; sam  ; sslca
        DN_mgmt, MGMT_OR_MDS, Log_Server ; SEAM_mgmt, Reporting_Tool     ; ANY; cpmi ; sslca
        ANY  ; SEAM_analyzers, Reporting_Tool; ANY; lea  ; ssl
        SEAM_analyzers, Reporting_Tool	; SEAM_mgmt, Reporting_Tool	; ANY; amon ; sslca_comp, sslca
        DN_mgmt, Management; SEAM_analyzers; ANY; cpmi; sslca
        
        Important Note:
        With this "new" SIC rule, clients that require 'sslca' (SSL with certificate validation) will fail to connect, so this change has to be done carefully.
        All LEA connections will be accepted in SSL, while other LEA clients/products may require 'sslca'.
        If SmartEvent is the only LEA client, this "new" SIC rule is a valid solution.
        If there are other Log Servers (other LEA clients), this "new" SIC rule must be modified in another way (contact Check Point Support).

      6. Start Check Point services: [Expert@HostName]# cpstart



    5. On Correlation Unit Server

      Note: Correlation Unit Server might be deployed on the same machine with SmartEvent Server (this is the case in our example), or on a dedicated machine.

      1. Connect to command line and log in to Expert mode. 
      2. Start Check Point services: [Expert@HostName]# cpstart

      3. Check that the Correlation Unit is reading logs from External Security Management Server / externally managed Log Server:

        [Expert@HostName]# cpstat cpsead

