Security Manager for Check Point

Release Notes

Date Published: May 2011

 
 

 

Security Manager for Check Point allows you to monitor Check Point SmartCenter Servers, formerly called Management Servers, and provides support for all Open Platform for Secure Enterprise Connectivity (OPSEC)-standardized Check Point SmartCenter Servers, including those on Nokia, Solaris, and Linux platforms. Security Manager for Check Point helps indicate, correct, and prevent possible external intrusions, attacks, and performance or configuration problems by detecting and responding to events in real-time. For example, Security Manager for Check Point enables you to perform the following tasks:

  • Detect misconfigurations in your firewall environment
  • Back up your configuration settings
  • Identify external attacks, such as unusual port scans, a malformed packet, or an IP spoofing event, and then respond with an alert and notify Security Specialists
  • Monitor memory usage for the Reporting Server services on Windows platforms
  • Notify the Security Specialists notification group of serious issues
  • Monitor your environment from a single console

Security Manager for Check Point collects events from logs and stores them in secure repositories so you can archive this data, create reports for management or auditing purposes, and analyze critical events to research issues. For Check Point products, Security Manager for Check Point collects the firewall log, audit log, and accounting log.

Supported Products

This release supports the following products:

  • NGX R65 and later

Return to Top

Why Install This Version?

This release of Security Manager for Check Point contains various improvements to address functional and performance issues.

Improves Configuration Wizard Usability

This release improves the usability of the Check Point Configuration Wizard, combining Security Manager agent and Check Point device configuration into a streamlined set of windows. Users can now configure the Check Point provider to collect both firewall and audit logs at the same time, without configuring the provider separately for each log type. (ENG304628, ENG304629, ENG304832, ENG304726)

Resolves OPSEC Provider Event Count Issue

This release resolves an issue where if there are no events to process in the Windows agent queue when the OPSEC provider starts, the provider shuts down. The OPSEC provider now starts correctly and continues to run even when there are no events in the queue for processing. (ENG300128)

Adds Columns to Check Point Firewalls Forensic Analysis Report Type

This release expands the number of columns available when you create Forensic Analysis queries using the Check Point Firewalls report type. Users can now filter Check Point Forensic Analysis report data using the following new fields:

  • Additional Info
  • Operation
  • Status
  • Subject

(ENG298141, ENG292826, ENG300121)

Enables Real-Time Audit Data Monitoring

This release enables customers to create real-time rules based on Check Point audit data. This version of the Check Point module does not include the Filter Rule for Audit Trail Logs rule, which had previously filtered incoming audit data. (ENG272938)

Optimizes Handling of Check Point Control Events

This release optimizes the way Security Manager alerts on Check Point events labeled as control, by updating the existing Alert - Events of Control Type rule to no longer alert on all control events and renaming the rule to Policy Installed. The updated Policy Installed rule only alerts on "Policy Installed" control type events and filters out other extraneous control events.

Provides Check Point Event Message Information

This release provides a single, detailed description for each Check Point event collected by Security Manager, located in the "Message" field. The "Message" field now contains all collected event fields, concatenated together in "Field Name: Field Value" format. The "Message" field can be useful for finding data that is not automatically displayed in Forensic Analysis queries and reports.

Return to Top

System Requirements

The following table lists additional requirements for a Windows agent monitoring Check Point. For more information about agent requirements, see the Installation Guide for NetIQ Security Manager.

Category Requirement
Processor 2.4GHz Intel Pentium IV or equivalent. Dual-core processor recommended.
Memory 80MB minimum.
Software
  • Ensure you have Security Manager 6.0, 6.0 Service Pack 4, 6.5, 6.5 Service Pack 1, 6.5.2, or 6.5.3 installed.
  • If you are using Security Manager 6.0, install Security Manager Hotfix 70468 before installing this module.
  • A Windows agent must be installed for each Check Point device you want to monitor. Check Point FireWall-1/VPN-1 may be configured using either a local agent installed on the LEA server or a proxy agent installed on a separate computer. Check Point Provider-1/SiteManager-1 must be configured using a proxy agent.
  • Install each Windows agent and Check Point device on a computer inside the firewall and on a subnet as physically close to each other as possible. Fewer network hops provide better performance.
  • Install the Windows agent on a separate computer from the database server or central computer to avoid performance issues.
  • If you are using SSLCA to communicate, do not install the Windows agent on the Check Point Logging Server.

Return to Top

Installing This Module

Install the module using the Module Installer utility. For more information about installing modules, see the User Guide for NetIQ Security Manager. After you install the module, run the Configuration Wizard to configure the module.

Unmanaged agents cannot receive providers from the central computer if a module requires a provider package. To load a provider on an unmanaged agent, complete the following steps:

  1. Log on to the central computer with a user account that is a member of the OnePointOp ConfgAdms group.
  2. On the central computer, copy the OPSECProvider.cab file from the ...\NetIQ Security Manager\OnePoint\Providers\release\IncomingPrgProviders folder.
  3. On the unmanaged agent you want to monitor Check Point, paste the OPSECProvider.cab file in the ...\NetIQ Security Manager\OnePoint\Providers\release\IncomingPrgProviders folder.

The next time Security Manager checks for updated providers, the Security Manager service will extract and install the provider.

Return to Top

Configuring Check Point Connections

Security Manager requires a Windows agent for each LEA (Log Extraction Agent) server you want to monitor. The type of connection method to configure depends on whether you have implemented a local or remote installation of the Windows agent. These terms are defined as follows:

sslca connection
NetIQ recommends connecting through sslca to a remote Windows agent installed on a separate computer, not on an LEA server. You must configure a secure connection between the Windows agent and the LEA server. If you have Provider-1/SiteManager-1, you must use this type of connection.
Configuration file
If you cannot connect using sslca due to requirements in your environment, you can manually change the configuration file to connect locally. Install the Windows agent and Check Point FireWall-1/VPN-1 LEA server on the same computer. You can configure a clear connection, which uses no encryption. You can also use an encrypted connection method. Check Point recommends using a clear connection for local installations. If you choose this method, you must work directly with NetIQ Solutions Support to configure your environment.

Configure a secure connection between each proxy agent and LEA server you want to monitor. Each customer site uses a unique LEA server to which the firewall logs events. Each LEA server is supported by a unique proxy agent. For more information about connection types and authentication methods supported by OPSEC, see the Check Point Web site at http://www.opsec.com.

The following process requires you to modify your firewall policy. In order for Security Manager to collect data from your firewall, install the newly modified policy on all firewalls you want to monitor.

To set up a secure connection using the sslca connection method, complete the following steps, in order, for each proxy agent:

Defining an OPSEC Object in SmartDashboard

Define an OPSEC LEA application object in the Check Point SmartDashboard by completing the following steps:

  1. If you have not already installed SmartDashboard, download and install the SmartDashboard software.
  2. Start the SmartDashboard software.
  3. On the Manage menu, click Servers and OPSEC Applications.
  4. Click New > OPSEC Application.
  5. In the Name field, specify a Security Manager LEA application name. You can specify any name. For example, the examples in this task use LEASIC.
  6. Create the SM_Agent host object and specify the IP address for the Windows agent computer that monitors the LEA server. For more information about objects, see the Check Point product documentation.
  7. Repeat the previous step for each Windows agent monitoring an LEA server.
  8. In the Client Entities section, select LEA.
  9. Click Communication.
  10. In the Activation Key field, specify a key to enable Secure Internal Communications (SIC). The key can be any combination of alphanumeric characters you choose.
  11. Re-type the key in the Confirm Activation Key field.
  12. Click Initialize. The Trust state field displays the following message:
    Initialized but trust not established.
  13. Click Close to exit the Communication window.
  14. The DN field displays a domain name assigned to this OPSEC LEA application. For example:
    CN=LEASIC,O=computername.domainname.6ppsqh.
  15. Copy the information from the DN field.
  16. Click OK.
  17. Install the policy on all firewalls you want to monitor.

    Note
    Keep this window open. You will need to copy information from this window, including the DN field value, to configure the Security Manager for Check Point module.

Configuring the NetIQ Security Manager for Check Point Module

After you finish defining an OPSEC LEA application object in the Check Point SmartDashboard, configure the NetIQ Security Manager for Check Point module by completing the following steps:

  1. Open the Security Manager for Check Point Configuration Wizard.
  2. On the Select Check Point Logging Server page, select Add.
    1. In the Check Point Server IP specify the IP of the Check Point firewall.
    2. Select SSL Certificate Authentication (SSLCA).
    3. Select Audit Logs or Firewall Logs for your log type.
  3. Click Next.
  4. Paste the value copied in step 15 of the previous process into the OPSEC SIC Name field.
  5. Paste the DN of the Check Point Firewall into the OPSEC Entity SIC Name field from SmartDashboard.
  6. On the Windows proxy agent computer, open a command-line interface.
  7. Navigate to the NetIQ Security Manager\OnePoint folder.
  8. In the command-line interface, enter the following command:
    opsec_pull_cert h host n object-name p activation-key
    Where host is the licensed IP address of the LEA server, object-name is the Security Manager LEA application name defined in Step 6 of the previous process and activation-key is the key used in Step 10 of the previous process.

    Note
    For Microsoft Windows 2008 agent computers, you must use an account with Administrator privileges to run the opsec_pull_cert command in the command-line interface.

    When the command runs successfully, the command-line interface displays the following message:
    Certificate was created successfully and written to opsec.p12.
  9. Copy and paste the full path of the p12 file from Step 8 into the SSLCA File field, including the p12 file name.
  10. In the Port field type 18184.
  11. Click Finish.
  12. Repeat steps 2 through 11 for each managed agent you want to monitor.
  13. Install the security policies on all appropriate gateways. For more information about installing security policies, see the Check Point product documentation.

Return to Top

Configuring the Module

Configure the module with the Configuration Wizard. The Configuration Wizard also creates the connections between the Security Manager and Check Point. Add operators to the Security Specialists group to receive notifications from the associated rules. For more information about using the Configuration Wizard, see the User Guide for NetIQ Security Manager.

This module contain processing rules that you can customize with the Development Console. Processing rules configure Security Manager to process events, alerts, and responses. Review processing rules that contain the word Customize to see if you want to customize them for your environment. You can perform a search for these rules in the Development Console, and then read the Knowledge Base for each rule. For more information about finding processing rules you can customize, see the Installation Guide for NetIQ Security Manager.

Customizing Processing Rules and Scripts for Check Point FireWall-1

If you have Event Manager, and you installed a Windows agent locally on a Check Point FireWall-1 SmartCenter Server, you can customize Event Manager to back up and audit the Check Point FireWall-1 configuration. The following rules require customizing and are disabled by default:

Backup Firewall Configuration (Customize) rule
Specify one or more source directories to be backed up and a destination folder. You can also specify the backup schedule, which is 2:20 AM by default. For more information about customizing this rule, see "Backing Up Your Firewall Configuration" below.
Audit Firewall Configuration (Customize) rule
Specify the security policy file or rule base file that contains the appropriate security policies and the backup configuration file. You can also specify the audit schedule, which is 2:40 AM by default. For more information about customizing this rule, see "Auditing Your Firewall Configuration" below.

Backing Up Your Firewall Configuration

If you have a local installation of the Windows agent, you can customize Event Manager to back up your Check Point FireWall-1 firewall configurations. The default response script for the Backup Firewall Configuration (Customize) rule contains parameters that require configuration. You need to specify the source and destination paths for backup purposes and then enable the rule.

  1. Log on to the Development Console computer using an account that is a member of the OnePointOp ConfgAdms group.
  2. Start the Development Console in the NetIQ Security Manager program folder.
  3. In the left pane, expand Security Manager Development Console > Processing Rule Groups > Check Point > Firewalls > Security Manager Agents on Windows Check Point SmartCenter Servers.
  4. In the right pane, click the Backup Firewall Configuration (Customize) rule.
  5. On the General tab, select Enabled.
  6. On the Responses tab, select the Check Point FireWall-1 Backup Firewall Configuration script.
  7. Click Edit.
  8. Set the DstDirPath parameter to a secure folder on the SmartCenter Server where the configuration files should be copied.
  9. Set the SrcDirPathArray parameter to list of FirewallDir\conf folders, typically \WINNT\FW1\NG\conf, on the SmartCenter Servers you want to back up. Use commas to separate folders in the list.
  10. Click OK.
  11. Click OK.

Auditing Your Firewall Configuration

If you have a local installation of the Windows agent, you can customize Event Manager to audit your Check Point FireWall-1 firewall configurations. The default response script for the Audit Firewall Configuration (Customize) rule contains parameters that require configuration. You need to specify the standard and test configuration files for auditing purposes, and then enable the rule. The standard configuration file is the configuration file used by the Management Server to configure firewalls. For example, the standard configuration file could be conf\rulebases_5_0.fws on the Management Server. The test configuration file is a backup of the configuration file.

You can also specify the audit schedule, which is 2:40 AM by default. Ensure the audit schedule is approximately 20 minutes later than the backup schedule to provide time to save the backup files before comparing them to the standard configuration file.

To specify the configuration files in the Audit Firewall Configuration (Customize) rule:

  1. Log on to the Development Console computer using an account that is a member of the OnePointOp ConfgAdms group.
  2. Start the Development Console in the NetIQ Security Manager program folder.
  3. In the left pane, expand Security Manager Development Console > Processing Rule Groups > Check Point > Firewalls > Security Manager Agents on Windows Check Point SmartCenter Servers.
  4. In the right pane, click the Audit Firewall Configuration (Customize) rule.
  5. On the General tab, select Enabled.
  6. On the Responses tab, select the Check Point FireWall-1 Audit Firewall Configuration script.
  7. Click Edit.
  8. Set the StdConfigFileName parameter to the name and path of the standard configuration file.
  9. Set the TstConfigFileName parameter to the name and path of the test configuration file.
  10. Click OK.
  11. Click OK.

Defining Agent Host Objects

You must define a host object for each Windows agent computer that monitors events logged by a LEA server.

To define an agent host object:

  1. Start the Check Point Policy Editor or SmartDashboard.
  2. Create the SM_Agent host object and specify the IP address for the Windows agent computer that monitors the LEA server. For more information about objects, see the Check Point product documentation.
  3. Repeat Step 2 for each Windows agent monitoring an LEA server.

Defining Policy Rules for Windows agent and Central Computer Communication through a Firewall

If you have a firewall between the Windows agent and the Security Manager central computer, define a security policy rule to enable a connection between the agent as a source object and the central computer as a destination object. The values used in the rules are:

SM_Agent
An object that specifies the Windows agent host computer by IP address.
SM_Central
An object that must be created to specify the Security Manager central computer by IP address.
SM_Port
A service object that specifies the communication port and protocol used by the Windows agent and the central computer to communicate, typically port 1270.
Accept
Specifies to accept communication from the specified source to the destination.
Log
Specifies to write to a Check Point log when communication attempts are made from the specified source to the specified destination. For more information about viewing Check Point logs, see the Check Point product documentation.

To define the security policy rules for communication through a firewall:

  1. Start the Check Point Policy Editor or SmartDashboard.
  2. Create the SM_Central host object and specify the IP address for the Security Manager central computer.
  3. Create a TCP service object named SM_Port and specify port 1270. For more information about creating services, see the Check Point product documentation.
  4. Add a new rule to the top of the list and specify the Source, Destination, Service, Action, and Track as provided in the following table. For more information about adding rules, see the Check Point product documentation.
    Rule Item Value
    Source

    SM_Agent

    Destination

    SM_Central

    Service

    SM_Port

    Action

    Accept

    Track

    Log

  5. Install the policy on all firewalls you want to monitor.
  6. Repeat Step 2 through 5 for each Windows agent.

Defining Hosts, Services, and Security Policy Rules for Monitoring Check Point Firewalls Through a Firewall

If you are using a Windows agent to monitor a LEA server on a firewall, you must define the source and destination hosts, services, and security policy rule to enable communication between each Windows agent and the firewall being monitored. In this security policy rule, the Windows agent is listed as a source object and the firewall is listed as a destination object. The values used in the rule are defined as follows:

SM_Agent
An object that specifies the Windows agent host computer by IP address.
Firewall
An existing object that specifies the firewall that is functioning as the LEA Server.
Lea_Port
A service object that specifies the communication port and protocol used by the Windows agent and the LEA server to communicate. Use the same port specified in the fwopsec.conf file, typically port 18184.
Accept
Specifies to accept communication from the specified source to the destination.
Log
Specifies to write to a Check Point log when communication occurs between the specified source and destination. For more information about viewing Check Point logs, see the Check Point product documentation.

To define the security policy rules for monitoring Check Point firewalls:

  1. Start the Check Point Policy Editor or SmartDashboard.
  2. Locate an existing service using TCP port 18184, typically named FW1_LEA, or create a TCP service object named Lea_Port and specify port 18184. For more information about creating services, see the Check Point product documentation.
  3. Locate an existing TCP service, typically named FW1_ica_pull.
  4. Add a new rule to the top of the list and specify the Source, Destination, Service, Action, and Track as provided in the following table. Specify two TCP services as indicated. For more information about adding rules, see the Check Point product documentation.

    Rule Item Value
    Source

    SM_Agent

    Destination

    Firewall

    Service

    Lea_Port or FW1_LEA

    FW1_ica_pull

    Action

    Accept

    Track

    Log

  5. Install the policy on all firewalls you want to monitor.
  6. Repeat Step 2 through 5 for each Windows agent.

Return to Top

Known Issues

NetIQ Corporation strives to ensure our products provide quality solutions for your enterprise software needs. The following issues are currently being researched. If you need further assistance with any issue, please contact NetIQ Solutions Support (www.netiq.com/support).

Upgrading Does Not Maintain State

Due to significant changes required to support the new provider, some information is lost during the upgrade process. After upgrading, the new provider will start collecting records from the end of the logfile.

Setting and then Disabling Filters Changes Log Collection

If you set and enable a filter, then disable that filter, the provider will start collecting logs from the location of the last event collected instead of the end of the log.

Incorrect Text for Filter Removal Verification

When you delete a filter, a window prompts you to verify that action. The window incorrectly asks if you want to delete the server instead of the filter. Click Yes to delete the filter.

Return to Top

Troubleshooting

If you experience issues in your environment that are not addressed in the Known Issues section, refer to the following troubleshooting topics. If you need further assistance with any issue, please contact NetIQ Technical Support (www.netiq.com/support).

Check Point Module Configured But Agent Not Receiving Events

If after you install and configure the Check Point module Security Manager does not display Check Point events properly in the Control Center, a problem may exist with your configuration. Use the following steps to troubleshoot possible configuration issues:

  1. Locate and open the SampleConfiguration.xml file in the installation directory on the agent computer.

    Note
    For unmanaged agents, you will need to manually copy the OPSECPRovider.cab file from the central computer to the unmanaged agent and unpackage the contents.

  2. Edit the following XML code in SampleConfiguration.xml, replacing the sample values with the values for your environment:
  3. Save and close SampleConfiguration.xml.
  4. Open a command-line interface.
  5. Navigate to the OPSECTestTool.exe file in the installation directory.
  6. In the command-line interface, enter the following command:
    Where Configuration File Path is the path to the location of the SampleConfiguration.xml file, Output File Path is the location where you want to save an output file, and Output File Name is the name you want to use for the output file.

    Note
    If you want to see the sample events generated in the console, do not configure the output file option (-o).

  7. Verify that the OPSECTestTool.exe outputs sample events.

    Note
    If you do not receive sample events, verify that the information you entered in step 2 is correct and that your SSLA file is up to date. Update the configuration information as necessary and repeat steps 2 through 7 until you begin receiving Check Point events.

  8. Follow the steps in the Configuring Check Point Connections section using the configuration information you verified in steps 2 through 7.

Contact Information

Our goal is to provide documentation that meets your needs. If you have suggestions for improvements, please email Documentation-Feedback@netiq.com. We value your input and look forward to hearing from you.

For detailed contact information, see the Support Contact Information Web site.

For interactive conversations with your peers and NetIQ experts, become an active member of Qmunity, our community Web site that offers product forums, product notifications, blogs, and product user groups.

Return to Top

Legal Notice

Return to Top