Check Point Next-Gen Firewall

Check Point Next Generation Firewall Integration

Blumira’s modern cloud SIEM platform integrates with Check Point’s Next Generation Firewalls to detect cybersecurity threats and provide an automated or actionable response to remediate when a threat is detected.

When configured, the Blumira integration with Check Point Next-Gen Firewalls will stream security event logs to the Blumira service for threat detection and actionable response.

When Blumira’s dynamic blocklist capabilities are configured with the Check Point firewall, Blumira can block known threats, add new block rules when threats are detected, and block sources that other customers in Blumira’s community have detected, all through automation and without any human interaction.

Learn more about enabling Blumira’s Dynamic Block Lists to block malicious source IP addresses and domains for automated threat response.

This document covers two ways to get Check Point logs into Blumira: configuring Check Point so that a LEA client (the Blumira Sensor) can connect over an OPSEC connection authenticated with sslca certificates, or using the Log Exporter (cp_log_export) syslog solution added in R77.30 / R80.10 Jumbo Hotfix 56.

R77.30 or R80.10 with Jumbo Hotfix 56 and later (Log Exporter)

If your Check Point Management Server runs R80.10 with Jumbo Hotfix 56 or later (or R77.30 with Jumbo Hotfix 56), use the simpler Log Exporter instead of setting up an LEA application. The LEA setup described further below still works on these versions if you prefer it, but it requires considerably more configuration.

On your Check Point Management Server CLI, run the following command once you have replaced <blumira_sensor> with the IP of the Blumira Sensor that you have stood up.

cp_log_export add name Blumira target-server <blumira_sensor> target-port 514 protocol tcp format cef

Log Exporter reads the log files on the Management Server (or on a dedicated Log Server, if that is where your logs are stored) and streams each record as it is written, so no filtering of the shipped logs should be required. Two things to check: the command above sends logs in cleartext over TCP 514, so keep the path between the Management Server and the Sensor on a trusted management network (Log Exporter can also encrypt the stream with TLS via its encrypted true option; see sk122323 below), and confirm the exporter exists and is running with cp_log_export show and cp_log_export status.

References:
https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk122323#How%20does%20it%20Work
https://community.checkpoint.com/t5/Logging-and-Reporting/R80-10-Syslog-Exporter/m-p/37042
https://community.checkpoint.com/t5/Logging-and-Reporting/Exporting-Check-Point-logs-over-syslog-LogExporter-with-Log/td-p/38410
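Each record the exporter ships arrives at the Sensor as a syslog line carrying a CEF record. The following is an added example for this page (it is neither Blumira’s sensor code nor Check Point’s) that parses such lines, including CEF’s escape rules and the cs1Label/cs1 custom-string convention, and runs a simple detection over a few constructed records. The sample lines and their field names are assumptions modelled on standard CEF extension keys, not captured from a Check Point device. Piped from a netcat listener on a spare port that a temporary exporter points at, it lets you confirm what is actually arriving before you rely on the Blumira module.

```python
"""Parse CEF records as shipped by cp_log_export and run one detection over them.
Added example for this page: not Blumira's sensor code and not Check Point's.
SAMPLE_LINES are constructed to look like Log Exporter CEF output; the keys used
(act, src, dst, spt, dpt, proto, cs1/cs1Label) are standard CEF extension keys."""
import re
import sys
from collections import Counter

# CEF escapes: "\|" and "\\" in the header, "\=" and "\\" in the extension,
# plus "\n" and "\r" for line breaks inside values.
_UNESCAPE = re.compile(r"\\([|=\\nr])")
# A key is [A-Za-z0-9_.-]+ followed by "=", at the start or after whitespace;
# an escaped "\=" inside a value never qualifies because no whitespace precedes it.
_KEY = re.compile(r"(?:^|\s)([A-Za-z0-9_.\-]+)=")
_HEADER = ("version", "vendor", "product", "device_version", "signature_id", "name", "severity")

def _unescape(s):
    return _UNESCAPE.sub(lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)), s)

def _split_header(body):
    """Split 'CEF:0|vendor|...|severity|' into its 7 fields, honouring '\\|'; return (fields, rest)."""
    fields, cur, i = [], [], 0
    while i < len(body) and len(fields) < 7:
        ch = body[i]
        if ch == "\\" and i + 1 < len(body):   # keep the escape pair intact for _unescape
            cur.append(body[i:i + 2])
            i += 2
            continue
        if ch == "|":
            fields.append(_unescape("".join(cur)))
            cur = []
        else:
            cur.append(ch)
        i += 1
    if len(fields) != 7:
        raise ValueError("CEF header needs 7 pipe-delimited fields, found %d" % len(fields))
    return fields, body[i:]

def _split_extension(ext):
    """Values may contain spaces, so each value runs up to the next 'key=' token."""
    out, keys = {}, list(_KEY.finditer(ext))
    for n, m in enumerate(keys):
        end = keys[n + 1].start() if n + 1 < len(keys) else len(ext)
        out[m.group(1)] = _unescape(ext[m.end():end].rstrip())
    return out

def _resolve_labels(ext):
    """Expose 'cs1Label=Rule Name cs1=Cleanup' as ext['Rule Name'] == 'Cleanup'; raw keys stay."""
    out = dict(ext)
    for key, label in ext.items():
        if key.endswith("Label") and key[:-5] in ext:
            out[label] = ext[key[:-5]]
    return out

def parse_cef(line):
    """Parse one syslog line carrying a CEF record; ValueError for lines without one."""
    start = line.find("CEF:")
    if start < 0:
        raise ValueError("no CEF record in line")
    fields, ext = _split_header(line[start:].rstrip("\r\n"))
    event = dict(zip(_HEADER, fields))
    event["version"] = event["version"][len("CEF:"):]
    event["ext"] = _resolve_labels(_split_extension(ext))
    return event

def noisy_drop_sources(lines, threshold=3):
    """Sources with at least `threshold` Drop events: a crude sweep / brute-force signal."""
    drops = Counter()
    for line in lines:
        try:
            ev = parse_cef(line)
        except ValueError:
            continue                      # tolerate other syslog traffic on the same port
        if ev["ext"].get("act") == "Drop" and "src" in ev["ext"]:
            drops[ev["ext"]["src"]] += 1
    return {src: n for src, n in drops.items() if n >= threshold}

_PFX = "<134>May  4 12:00:0%d mgmt-01 CEF:0|Check Point|VPN-1 & FireWall-1|Check Point|Log|%s|Unknown|"
SAMPLE_LINES = [  # constructed for this example, not captured from a real device
    _PFX % (1, "Accept") + "act=Accept src=10.1.1.20 dst=203.0.113.9 spt=51522 dpt=443 proto=tcp cs1Label=Rule Name cs1=Web\\=Out",
    _PFX % (2, "Drop") + "act=Drop src=198.51.100.7 dst=10.1.1.5 spt=40001 dpt=22 proto=tcp cs1Label=Rule Name cs1=Cleanup rule",
    _PFX % (3, "Drop") + "act=Drop src=198.51.100.7 dst=10.1.1.5 spt=40002 dpt=23 proto=tcp cs1Label=Rule Name cs1=Cleanup rule",
    _PFX % (4, "Drop") + "act=Drop src=198.51.100.7 dst=10.1.1.5 spt=40003 dpt=3389 proto=tcp cs1Label=Rule Name cs1=Cleanup rule",
    _PFX % (5, "Drop") + "act=Drop src=203.0.113.50 dst=10.1.1.5 spt=3344 dpt=445 proto=tcp cs1Label=Rule Name cs1=Cleanup rule",
    "<134>May  4 12:00:06 mgmt-01 sshd[2201]: Accepted publickey for admin from 10.1.1.9",
]

if __name__ == "__main__":
    # Read records from a pipe (e.g. a netcat listener), or fall back to the samples.
    lines = list(sys.stdin) if not sys.stdin.isatty() else SAMPLE_LINES
    for line in lines:
        try:
            ev = parse_cef(line)
        except ValueError:
            continue
        print("%-6s %s -> %s:%s rule=%r" % (ev["name"], ev["ext"].get("src"),
              ev["ext"].get("dst"), ev["ext"].get("dpt"), ev["ext"].get("Rule Name", "")))
    print("noisy drop sources:", noisy_drop_sources(lines))
```

Because parse_cef() locates the CEF: marker, the syslog header in front of it does not matter. The script assumes one record per line; if records run together on the wire the exporter is using a different framing and the reader needs adjusting before the parser sees the data.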

Below R80.10 with Jumbo Hotfix 56 (LEA setup)

Prerequisite Check Point Setup

The detailed process is:

  1. Log in to the firewall management CLI (accessible from the firewall management web interface) as user admin and run the following commands:
    1. expert    (This prompts for your expert password.)
    2. grep auth_type $FWDIR/conf/fwopsec.conf
    3. If the output contains an uncommented line reading “lea_server auth_type sslca”, skip to the SmartConsole steps. A line beginning with “#” is a comment and does not count.
    4. echo 'lea_server auth_type sslca' >> $FWDIR/conf/fwopsec.conf
    5. cpstop; cpstart    (This restarts the Check Point services, so management functions are unavailable for a short time and your console session may be disconnected; on a standalone deployment where the gateway runs on the same host, the gateway is affected too, so do this in a maintenance window.)
  2. Run SmartConsole and do the following steps. (Download it from the firewall management web interface if you haven’t already.)
    1. In the Objects pull-down menu, navigate to More object types → Server → OPSEC Application → New application...
    2. Choose a name for the LEA object (letters, digits, underscores, and hyphens are the only allowed characters).
    3. From the host pull-down menu, pick the host the Sensor is running on. If it is not listed, click New next to the Host field to create a new host. Bug alert: if the new host does not appear in the pull-down menu after you create it, you may need to cancel out of the application dialog and start over at step 2.1.
    4. In the server entities section, leave all unchecked.
    5. In the client entities, check LEA and leave all others unchecked.
    6. Click the Communication... button. Enter a one-time password (twice); this is the activation key the Sensor presents once to pull its certificate, so choose a strong one and keep it until the module setup below is complete. Leave the Trust state field unchanged. Click Initialize, then Close.
    7. Click OK to create the LEA object.
    8. Click Install Policy, and click through the dialogs until the policy is successfully installed.
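Step 1 above checks fwopsec.conf with grep and appends with echo. The grep also prints lines that are commented out with “#”, so only an uncommented lea_server auth_type sslca line means the setting is in place. The following added example (not Check Point’s code) applies that check to a copy of $FWDIR/conf/fwopsec.conf: it treats commented lines as absent, refuses to append when a different auth_type is already active rather than leaving two contradictory directives in the file, makes a .bak copy before writing, and copes with a file that lacks a final newline (where a bare echo >> would glue the new directive onto the last line). The SAMPLE_CONF text is constructed, not a real fwopsec.conf. Run it against a copy of the file, or use its regex as the reference for what to look for in the grep output.

```python
"""Reproduce step 1 of the LEA setup (check for, then append, 'lea_server auth_type sslca')
with safety checks. Added example for this page, not Check Point code. Intended for a copy
of $FWDIR/conf/fwopsec.conf; SAMPLE_CONF below is constructed."""
import re
import shutil
import sys

LINE = "lea_server auth_type sslca"
# An active setting: optional indentation, the two keywords, a value, then optionally a
# trailing '#' comment. A line whose first non-blank character is '#' never matches.
_ACTIVE = re.compile(r"^\s*lea_server\s+auth_type\s+(\S+)\s*(?:#.*)?$")

SAMPLE_CONF = """# constructed sample, not a real fwopsec.conf
lea_server auth_port 0
# lea_server auth_type sslca
"""


def ensure_lea_sslca(text):
    """Return (new_text, status); status is 'present', 'appended' or 'conflict'."""
    active = [m.group(1) for m in map(_ACTIVE.match, text.splitlines()) if m]
    if active and set(active) == {"sslca"}:
        return text, "present"
    if active:                       # e.g. 'lea_server auth_type none' is live: resolve by hand
        return text, "conflict"      # instead of appending a second, contradictory directive
    if text and not text.endswith("\n"):
        text += "\n"                 # 'echo >>' onto a file lacking a final newline glues lines
    return text + LINE + "\n", "appended"


def apply_to_file(path):
    """Update the file in place (after saving path + '.bak') and return the status."""
    with open(path) as f:
        text = f.read()
    new_text, status = ensure_lea_sslca(text)
    if status == "appended":
        shutil.copyfile(path, path + ".bak")
        with open(path, "w") as f:
            f.write(new_text)
    return status


if __name__ == "__main__":
    if len(sys.argv) > 1:
        status = apply_to_file(sys.argv[1])
    else:
        _, status = ensure_lea_sslca(SAMPLE_CONF)
    print(status)
    sys.exit(1 if status == "conflict" else 0)
```

A “conflict” exit means an active lea_server auth_type line with another value already exists; decide which value you want and edit the file by hand before restarting the services.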

Blumira Check Point Module Setup

When you add the Blumira Sensor Module, you will need to provide the following information:

  • IP address of the Check Point Management Server
  • The LEA object name you chose above
  • The one-time password you chose above
  • The LEA port, only if you changed it from the default (18184/tcp)

1. If the Sensor is already created, select the far right edit button and click View Detail.

2. Once the flyout for your Sensor opens, click Add a module to open the module selection screen. Select the Check Point module from the dropdown; as of this writing the latest version is 1.0.0. If your Sensor does not have a Logger module yet, add that module as well using its latest version, 1.1.0 at the time of writing.

3. After selecting the module, enter the one-time password you set earlier, the LEA object name you chose during setup, the address of the Check Point Management Server and, only if you changed it from the default, the LEA port. Click Create; Blumira pushes the Check Point module down to the selected Sensor.

4. Blumira pushes the Check Point module with your settings down to the Sensor, which uses the one-time password to complete the certificate exchange with the Management Server and then starts pulling logs over LEA. The Sensor therefore needs to reach the Management Server on the certificate-pull port (18210/tcp) as well as the LEA port, so allow both in your policy if the Sensor sits behind the gateway. Logs should start flowing within 5-15 minutes, depending on the utilization of the device and its setup.