Above R77.30 or R80.10 with Jumbo Hotfix 56

If your Check Point is above R80.10 with Jumbo Hotfix 56, then you can use the new simplified Syslog Exporter instead of setting up the LEA application. The LEA setup below still works for newer Check Point versions, so you can use it if you prefer, but it requires much more setup.

On your Check Point Management Server CLI, run the following command once you have replaced <blumira_sensor> with the IP of the Blumira Sensor that you have stood up.

cp_log_export add name Blumira target-server <blumira_sensor> target-port 514 protocol tcp format cef

This reads records directly from the log files on the Management Server; no filtering of the logs being shipped should be required.


Under R80.10 with Jumbo Hotfix 56

Prerequisite Check Point Setup

The detailed process is:

  1. Log in to the firewall management CLI (accessible from the firewall management web interface), as user admin and type the following commands:
    1. expert    (This will ask for your expert password.)
    2. grep auth_type $FWDIR/conf/fwopsec.conf
    3. If the grep output shows “lea_server auth_type sslca”, then you can skip to the SmartConsole steps.
    4. echo 'lea_server auth_type sslca' >> $FWDIR/conf/fwopsec.conf
    5. cpstop; cpstart    (This will cause some downtime, and your console may be disconnected.)
  2. Run SmartConsole and do the following steps. (Download it from the firewall management web interface if you haven’t already.)
    1. In the Objects pull-down menu, navigate to More object types → Server → OPSEC Application → New application...
    2. Choose a name for the LEA object (letters, digits, underscores, and hyphens are the only allowed characters).
    3. From the host pull-down menu, pick the host the sensor is running on. If it is not in there, click New next to the Host field to create a new host. Bug alert: After creating a new host, if it doesn’t appear in the host pull-down menu, you may need to cancel out of the application dialog and start over at step 2a.
    4. In the server entities section, leave all unchecked.
    5. In the client entities, check LEA and leave all others unchecked.
    6. Click on the Communication... button. Choose a one-time password and enter it (twice). Leave the Trust state field unchanged. Click on Initialize, then on Close.
    7. Click OK to create the LEA object.
    8. Click Install Policy, and click through the dialogs until the policy is successfully installed.
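Steps 1b to 1e above, as an added shell function that is not Blumira's or Check Point's own code: it appends the sslca line only when it is not already present and reports whether anything changed, so the disruptive cpstop/cpstart is run only when the file was actually modified. The conf path defaults to $FWDIR/conf/fwopsec.conf; the optional path argument is an assumption added so the function can be tried on a copy of the file first.

```shell
#!/bin/sh
# Added example: idempotently ensure the LEA server uses sslca authentication.
# Prints "updated" if the line was appended (a restart is then needed) or
# "unchanged" if it was already present. Returns 0 in both cases.
ensure_lea_sslca() {
    conf="${1:-$FWDIR/conf/fwopsec.conf}"   # optional path argument (assumption)
    wanted='lea_server auth_type sslca'
    # Steps 1b/1c: look for the exact setting, tolerating extra whitespace.
    if grep -Eq '^[[:space:]]*lea_server[[:space:]]+auth_type[[:space:]]+sslca[[:space:]]*$' "$conf" 2>/dev/null; then
        echo unchanged
        return 0
    fi
    # Caveat: a different lea_server auth_type line would sit next to the
    # appended one, so flag it for a manual look instead of silently stacking.
    if grep -Eq '^[[:space:]]*lea_server[[:space:]]+auth_type' "$conf" 2>/dev/null; then
        echo "warning: $conf already contains a lea_server auth_type line" >&2
    fi
    # Step 1d: append the setting. Guard against a file whose last line has no
    # trailing newline, which would otherwise glue our line onto it.
    [ -s "$conf" ] && [ -n "$(tail -c1 "$conf")" ] && printf '\n' >> "$conf"
    printf '%s\n' "$wanted" >> "$conf"
    echo updated
}

# Step 1e, only when the file changed: restart services (causes downtime).
# Uncomment to run on the Management Server in expert mode.
# [ "$(ensure_lea_sslca)" = updated ] && cpstop && cpstart
```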

Blumira Check Point Module Setup

When you add the Blumira Sensor Module, you will need to provide the following information:

  • IP Address of Check Point Management Server
  • The LEA object name that you chose above.
  • The one-time password that you chose above.
  1. If the Sensor is already created, select the far right edit button and click View Detail.
  2. Once the flyout for your Sensor opens, click Add a module, which will then open the Module selection screen. Select the Check Point Module from the dropdown; as of writing this article the latest version is 1.0.0. If your Sensor does not have a Logger module yet, add this module as well using its latest version, 1.1.0 at the time of writing this.
  3. Taking the One-time Password you set earlier, the LEA Object Name you chose during setup, the address of the Check Point Management Server, and the LEA port, if different from the default, enter them into the form after selecting the module. Once completed, click Create; Blumira will push the Check Point module down to your selected Sensor.
  4. Blumira will drop the Check Point Module with your defined information down into the Sensor platform and complete the certificate exchange to start pulling logs via LEA. Logs should start flowing in the next 5-15 minutes depending on the utilization of the device and its setup.