Security Manager for Check Point
Date Published: May 2011
Security Manager for Check Point allows you to monitor Check Point SmartCenter Servers, formerly called Management Servers, and provides support for all Open Platform for Secure Enterprise Connectivity (OPSEC)-standardized Check Point SmartCenter Servers, including those on Nokia, Solaris, and Linux platforms. Security Manager for Check Point helps indicate, correct, and prevent possible external intrusions, attacks, and performance or configuration problems by detecting and responding to events in real time. For example, Security Manager for Check Point enables you to perform the following tasks:
Security Manager for Check Point collects events from logs and stores them in secure repositories so you can archive this data, create reports for management or auditing purposes, and analyze critical events to research issues. For Check Point products, Security Manager for Check Point collects the firewall log, audit log, and accounting log.
This release supports the following products:
Why Install This Version?
This release of Security Manager for Check Point contains various improvements to address functional and performance issues.
Improves Configuration Wizard Usability
This release improves the usability of the Check Point Configuration Wizard, combining Security Manager agent and Check Point device configuration into a streamlined set of windows. Users can now configure the Check Point provider to collect both firewall and audit logs at the same time, without configuring the provider separately for each log type. (ENG304628, ENG304629, ENG304832, ENG304726)
Resolves OPSEC Provider Event Count Issue
This release resolves an issue where if there are no events to process in the Windows agent queue when the OPSEC provider starts, the provider shuts down. The OPSEC provider now starts correctly and continues to run even when there are no events in the queue for processing. (ENG300128)
Adds Columns to Check Point Firewalls Forensic Analysis Report Type
This release expands the number of columns available when you create Forensic Analysis queries using the Check Point Firewalls report type. Users can now filter Check Point Forensic Analysis report data using the following new fields:
(ENG298141, ENG292826, ENG300121)
Enables Real-Time Audit Data Monitoring
This release enables customers to create real-time rules based on Check Point audit data. This version of the Check Point module does not include the Filter Rule for Audit Trail Logs rule, which had previously filtered incoming audit data. (ENG272938)
Optimizes Handling of Check Point Control Events
This release optimizes the way Security Manager alerts on Check Point events labeled as control, by updating the existing Alert - Events of Control Type rule to no longer alert on all control events and renaming the rule to Policy Installed. The updated Policy Installed rule only alerts on "Policy Installed" control type events and filters out other extraneous control events.
Provides Check Point Event Message Information
This release provides a single, detailed description for each Check Point event collected by Security Manager, located in the "Message" field. The "Message" field now contains all collected event fields, concatenated together in "Field Name: Field Value" format. The "Message" field can be useful for finding data that is not automatically displayed in Forensic Analysis queries and reports.
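The two behaviours just described, the "Field Name: Field Value" Message format and the Policy Installed rule that alerts only on "Policy Installed" control events, can be exercised together on sample data. The following block is an added example, not NetIQ or Check Point code. Because the release notes do not state them, it assumes that consecutive fields in Message are separated by "; " and that the event type and control message live in fields named "Type" and "Action"; the sample Message values are constructed for the example and the field names in them are illustrative, not real LEA field names.

```python
"""Added example (not NetIQ or Check Point code): parse the concatenated
"Field Name: Field Value" Message string and apply a Policy Installed-style
filter that keeps only the control events an operator wants an alert for.

Assumptions, because the release notes do not state them:
  * consecutive fields in Message are separated by "; "
  * the event type lives in a field named "Type" and the control message in
    a field named "Action" (real LEA field names may differ)
"""
from __future__ import annotations

FIELD_SEP = "; "          # assumed separator between concatenated fields
NAME_VALUE_SEP = ": "     # the "Field Name: Field Value" delimiter from the notes

# Constructed sample Message values, loosely modelled on firewall/control records.
SAMPLE_MESSAGES = [
    "Type: control; Action: Policy Installed; Origin: fw-edge-1; "
    "Product: VPN-1 & FireWall-1; Time: 02:40:00",
    "Type: control; Action: Log Switch; Origin: fw-edge-1; Time: 02:41:17",
    "Type: log; Action: drop; Origin: fw-edge-1; Source: 10.0.0.5:443; "
    "Destination: 192.0.2.10; Service: https; Rule: 12",
    "Type: control; Action: Policy Installed; Origin: fw-edge-2; "
    "Time: 03:05:09; Malformed fragment",
]


def parse_message(message: str) -> dict[str, str]:
    """Turn a concatenated Message into {field name: value}.

    Each fragment is split on the FIRST ": " only, so values that themselves
    contain colons (clock times, host:port pairs) are preserved intact.
    Fragments with no name/value delimiter are kept under "_unparsed" rather
    than silently dropped, so a malformed record stays visible to the analyst.
    A value that itself contains the assumed "; " separator cannot be
    recovered by this parser; that is a limitation of the assumed format.
    """
    fields: dict[str, str] = {}
    unparsed: list[str] = []
    for fragment in message.split(FIELD_SEP):
        fragment = fragment.strip()
        if not fragment:
            continue
        name, sep, value = fragment.partition(NAME_VALUE_SEP)
        if not sep:
            unparsed.append(fragment)
            continue
        fields[name.strip()] = value.strip()
    if unparsed:
        fields["_unparsed"] = " | ".join(unparsed)
    return fields


def is_policy_installed(fields: dict[str, str]) -> bool:
    """Mirror of the Policy Installed rule logic described in the notes:
    alert only on control-type events whose message is "Policy Installed"
    and filter out every other control event (field names are assumed)."""
    return (fields.get("Type", "").strip().lower() == "control"
            and fields.get("Action", "").strip() == "Policy Installed")


def select_policy_installed(messages: list[str]) -> list[dict[str, str]]:
    """Parse every Message and return only the records that should alert."""
    parsed = (parse_message(m) for m in messages)
    return [fields for fields in parsed if is_policy_installed(fields)]


if __name__ == "__main__":
    for record in select_policy_installed(SAMPLE_MESSAGES):
        print(f"ALERT Policy Installed on {record.get('Origin')} "
              f"at {record.get('Time')}")
```

Splitting each fragment on the first ": " only is the important design choice: a naive split on every colon would mangle the "Time" and "Source" values above, which is exactly the kind of data the Message field is meant to expose when it is not shown in a Forensic Analysis query.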
The following table lists additional requirements for a Windows agent monitoring Check Point. For more information about agent requirements, see the Installation Guide for NetIQ Security Manager.
Installing This Module
Install the module using the Module Installer utility. For more information about installing modules, see the User Guide for NetIQ Security Manager. After you install the module, run the Configuration Wizard to configure the module.
Unmanaged agents cannot receive providers from the central computer if a module requires a provider package. To load a provider on an unmanaged agent, complete the following steps:
The next time Security Manager checks for updated providers, the Security Manager service will extract and install the provider.
Configuring Check Point Connections
Security Manager requires a Windows agent for each LEA (Log Extraction Agent) server you want to monitor. The type of connection method to configure depends on whether you have implemented a local or remote installation of the Windows agent. These terms are defined as follows:
Configure a secure connection between each proxy agent and LEA server you want to monitor. Each customer site uses a unique LEA server to which the firewall logs events. Each LEA server is supported by a unique proxy agent. For more information about connection types and authentication methods supported by OPSEC, see the Check Point Web site at http://www.opsec.com.
The following process requires you to modify your firewall policy. In order for Security Manager to collect data from your firewall, install the newly modified policy on all firewalls you want to monitor.
To set up a secure connection using the sslca connection method, complete the following steps, in order, for each proxy agent:
Defining an OPSEC Object in SmartDashboard
Define an OPSEC LEA application object in the Check Point SmartDashboard by completing the following steps:
Configuring the NetIQ Security Manager for Check Point Module
After you finish defining an OPSEC LEA application object in the Check Point SmartDashboard, configure the NetIQ Security Manager for Check Point module by completing the following steps:
Configuring the Module
Configure the module with the Configuration Wizard. The Configuration Wizard also creates the connections between the Security Manager and Check Point. Add operators to the Security Specialists group to receive notifications from the associated rules. For more information about using the Configuration Wizard, see the User Guide for NetIQ Security Manager.
This module contains processing rules that you can customize with the Development Console. Processing rules configure Security Manager to process events, alerts, and responses. Review processing rules that contain the word Customize to see if you want to customize them for your environment. You can perform a search for these rules in the Development Console, and then read the Knowledge Base for each rule. For more information about finding processing rules you can customize, see the Installation Guide for NetIQ Security Manager.
Customizing Processing Rules and Scripts for Check Point FireWall-1
If you have Event Manager, and you installed a Windows agent locally on a Check Point FireWall-1 SmartCenter Server, you can customize Event Manager to back up and audit the Check Point FireWall-1 configuration. The following rules require customizing and are disabled by default:
Backing Up Your Firewall Configuration
If you have a local installation of the Windows agent, you can customize Event Manager to back up your Check Point FireWall-1 firewall configurations. The default response script for the Backup Firewall Configuration (Customize) rule contains parameters that require configuration. You need to specify the source and destination paths for backup purposes and then enable the rule.
Auditing Your Firewall Configuration
If you have a local installation of the Windows agent, you can customize Event Manager to audit your Check Point FireWall-1 firewall configurations. The default response script for the Audit Firewall Configuration (Customize) rule contains parameters that require configuration. You need to specify the standard and test configuration files for auditing purposes, and then enable the rule. The standard configuration file is the configuration file used by the Management Server to configure firewalls. For example, the standard configuration file could be
You can also specify the audit schedule, which is 2:40 AM by default. Ensure the audit schedule is approximately 20 minutes later than the backup schedule to provide time to save the backup files before comparing them to the standard configuration file.
To specify the configuration files in the Audit Firewall Configuration (Customize) rule:
Defining Agent Host Objects
You must define a host object for each Windows agent computer that monitors events logged by a LEA server.
To define an agent host object:
Defining Policy Rules for Windows agent and Central Computer Communication through a Firewall
If you have a firewall between the Windows agent and the Security Manager central computer, define a security policy rule to enable a connection between the agent as a source object and the central computer as a destination object. The values used in the rules are:
To define the security policy rules for communication through a firewall:
Defining Hosts, Services, and Security Policy Rules for Monitoring Check Point Firewalls Through a Firewall
If you are using a Windows agent to monitor a LEA server on a firewall, you must define the source and destination hosts, services, and security policy rule to enable communication between each Windows agent and the firewall being monitored. In this security policy rule, the Windows agent is listed as a source object and the firewall is listed as a destination object. The values used in the rule are defined as follows:
To define the security policy rules for monitoring Check Point firewalls:
NetIQ Corporation strives to ensure our products provide quality solutions for your enterprise software needs. The following issues are currently being researched. If you need further assistance with any issue, please contact NetIQ Solutions Support (www.netiq.com/support).
Upgrading Does Not Maintain State
Due to significant changes required to support the new provider, some information is lost during the upgrade process. After upgrading, the new provider will start collecting records from the end of the log file.
Setting and then Disabling Filters Changes Log Collection
If you set and enable a filter, then disable that filter, the provider will start collecting logs from the location of the last event collected instead of the end of the log.
Incorrect Text for Filter Removal Verification
When you delete a filter, a window prompts you to verify that action. The window incorrectly asks if you want to delete the server instead of the filter. Click Yes to delete the filter.
If you experience issues in your environment that are not addressed in the Known Issues section, refer to the following troubleshooting topics. If you need further assistance with any issue, please contact NetIQ Technical Support (www.netiq.com/support).
Check Point Module Configured But Agent Not Receiving Events
If, after you install and configure the Check Point module, Security Manager does not display Check Point events properly in the Control Center, a problem may exist with your configuration. Use the following steps to troubleshoot possible configuration issues:
Our goal is to provide documentation that meets your needs. If you have suggestions for improvements, please email Documentation-Feedback@netiq.com. We value your input and look forward to hearing from you.
For detailed contact information, see the Support Contact Information Web site.
For interactive conversations with your peers and NetIQ experts, become an active member of Qmunity, our community Web site that offers product forums, product notifications, blogs, and product user groups.
THIS DOCUMENT AND THE SOFTWARE DESCRIBED IN THIS DOCUMENT ARE FURNISHED UNDER AND ARE SUBJECT TO THE TERMS OF A LICENSE AGREEMENT OR A NON-DISCLOSURE AGREEMENT. EXCEPT AS EXPRESSLY SET FORTH IN SUCH LICENSE AGREEMENT OR NON-DISCLOSURE AGREEMENT, NETIQ CORPORATION PROVIDES THIS DOCUMENT AND THE SOFTWARE DESCRIBED IN THIS DOCUMENT "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. SOME STATES DO NOT ALLOW DISCLAIMERS OF EXPRESS OR IMPLIED WARRANTIES IN CERTAIN TRANSACTIONS; THEREFORE, THIS STATEMENT MAY NOT APPLY TO YOU.
This document and the software described in this document may not be lent, sold, or given away without the prior written permission of NetIQ Corporation, except as otherwise permitted by law. Except as expressly set forth in such license agreement or non-disclosure agreement, no part of this document or the software described in this document may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, or otherwise, without the prior written consent of NetIQ Corporation. Some companies, names, and data in this document are used for illustration purposes and may not represent real companies, individuals, or data.
This document could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein. These changes may be incorporated in new editions of this document. NetIQ Corporation may make improvements in or changes to the software described in this document at any time.
© 2011 NetIQ Corporation. All rights reserved.
U.S. Government Restricted Rights: If the software and documentation are being acquired by or on behalf of the U.S. Government or by a U.S. Government prime contractor or subcontractor (at any tier), in accordance with 48 C.F.R. 227.7202-4 (for Department of Defense (DOD) acquisitions) and 48 C.F.R. 2.101 and 12.212 (for non-DOD acquisitions), the government's rights in the software and documentation, including its rights to use, modify, reproduce, release, perform, display or disclose the software or documentation, will be subject in all respects to the commercial license rights and restrictions provided in the license agreement.
Check Point, FireWall-1, VPN-1, Provider-1, and SiteManager-1 are trademarks or registered trademarks of Check Point Software Technologies Ltd.
ActiveAudit, ActiveView, Aegis, AppManager, Change Administrator, Change Guardian, Compliance Suite, the cube logo design, Directory and Resource Administrator, Directory Security Administrator, Domain Migration Administrator, Exchange Administrator, File Security Administrator, Group Policy Administrator, Group Policy Guardian, Group Policy Suite, IntelliPolicy, Knowledge Scripts, NetConnect, NetIQ, the NetIQ logo, PSAudit, PSDetect, PSPasswordManager, PSSecure, Secure Configuration Manager, Security Administration Suite, Security Manager, Server Consolidator, VigilEnt, and Vivinet are trademarks or registered trademarks of NetIQ Corporation or its subsidiaries in the USA. All other company and product names mentioned are used only for identification purposes and may be trademarks or registered trademarks of their respective companies.
For purposes of clarity, any module, adapter or other similar material ("Module") is licensed under the terms and conditions of the End User License Agreement for the applicable version of the NetIQ product or software to which it relates or interoperates with, and by accessing, copying or using a Module you agree to be bound by such terms. If you do not agree to the terms of the End User License Agreement you are not authorized to use, access or copy a Module and you must destroy all copies of the Module and contact NetIQ for further instructions.
This product claims FIPS compliance by use of one or more of the Microsoft cryptographic components listed below. These components were certified by Microsoft and obtained FIPS certificates via the CMVP.
893 Windows Vista Enhanced Cryptographic Provider (RSAENH)
894 Windows Vista Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH)
989 Windows XP Enhanced Cryptographic Provider (RSAENH)
990 Windows XP Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH)
997 Microsoft Windows XP Kernel Mode Cryptographic Module (FIPS.SYS)
1000 Microsoft Windows Vista Kernel Mode Security Support Provider Interface (ksecdd.sys)
1001 Microsoft Windows Vista Cryptographic Primitives Library (bcrypt.dll)
1002 Windows Vista Enhanced Cryptographic Provider (RSAENH)
1003 Windows Vista Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH)
1006 Windows Server 2008 Code Integrity (ci.dll)
1007 Microsoft Windows Server 2008 Kernel Mode Security Support Provider Interface (ksecdd.sys)
1008 Microsoft Windows Server 2008
1009 Windows Server 2008 Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH)
1010 Windows Server 2008 Enhanced Cryptographic Provider
1012 Windows Server 2003 Enhanced Cryptographic Provider (RSAENH)
This product may also claim FIPS compliance by use of one or more of the Open SSL cryptographic components listed below. These components were certified by the Open Source Software Institute and obtained the FIPS certificates as indicated.
918 - OpenSSL FIPS Object Module v1.1.2 - 02/29/2008 140-2 L1
1051 - OpenSSL FIPS Object Module v1.2 - 11/17/2008 140-2 L1
1111 - OpenSSL FIPS Runtime Module v1.2 - 4/03/2009 140-2 L1
Note: Windows FIPS algorithms used in this product may have only been tested when the FIPS mode bit was set. While the modules have valid certificates at the time of this product release, it is the user's responsibility to validate the current module status.