Check Point

You can send Check Point Firewall data to InsightIDR in multiple ways: syslog, a log aggregator, or the traditional OPSEC LEA. Whichever method you choose, InsightIDR also supports parsing JSON-formatted logs from Check Point.

Send to Syslog

For versions R80 and higher, you can use syslog to send data from Check Point to InsightIDR. This configuration is much simpler than OPSEC LEA and is the recommended method if you are on R80 or later.

You must enable and configure your Check Point firewall to send syslog to a server. Follow instructions here: https://community.checkpoint.com/t5/Logging-and-Reporting/R80-20-M1-Logging-And-Monitoring-Admin-Guide/m-p/40311#M2941

When configuring Syslog properties, make sure that you choose Syslog from the "Version" dropdown.

When you use syslog, InsightIDR will parse out the following log types:

  • Firewall
  • VPN
  • Ingress Authentication
  • Web Proxy
  • IDS
  • Advanced Malware

How to Configure This Event Source in InsightIDR

  1. From your dashboard, select Data Collection on the left hand menu.
  2. When the Data Collection page appears, click the Setup Event Source dropdown and choose Add Event Source.
  3. From the “Security Data” section, click the Firewall icon. The “Add Event Source” panel appears.
  4. Choose your collector and event source. You can also name your event source if you want.
  5. Choose the timezone that matches the location of your event source logs.
  6. Optionally choose to send unfiltered logs.
  7. Configure your default domain and any Advanced Event Source Settings.
  8. Select Listen for Syslog as your Collection Method.
  9. Enter the Port you defined in your Check Point Smart Dashboard.
  10. Choose a protocol. Optionally choose to Encrypt the event source if choosing TCP by downloading the Rapid7 Certificate.
  11. Click Save.

ArcSight Log Aggregator

InsightIDR now accepts logs from ArcSight in the CEF format. Read about CEF format here: https://community.softwaregrp.com/t5/ArcSight-Connectors/ArcSight-Common-Event-Format-CEF-Implementation-Standard/ta-p/1645557

How to Configure This Event Source in InsightIDR

  1. From your dashboard, select Data Collection on the left hand menu.
  2. When the Data Collection page appears, click the Setup Event Source dropdown and choose Add Event Source.
  3. From the “Security Data” section, click the Firewall icon. The “Add Event Source” panel appears.
  4. Choose your collector and event source. You can also name your event source if you want.
  5. Choose the timezone that matches the location of your event source logs.
  6. Optionally choose to send unfiltered logs.
  7. Configure inactivity timeout threshold in minutes.
  8. Select Log Aggregator and choose ArcSight. Specify the port of ArcSight and choose which protocol to use.
    • Optionally choose to Encrypt the event source if choosing TCP by downloading the Rapid7 Certificate.
  9. Select Save.

OPSEC LEA

OPSEC LEA (Log Export API) allows InsightIDR to pull logs from a Check Point device using the OPSEC SDK, instead of the device forwarding logs to a port on the InsightIDR Collector. Read more about it here: https://www.fir3net.com/Firewalls/Check-Point/a-quick-guide-to-checkpoints-opsec-lea.html

By default, the OPSEC LEA server listens on TCP/18184 on the device that holds your logs (the management server or a dedicated log server); the port is customizable. Your OPSEC LEA client (the Collector) connects to 18184 and pulls the logs. Make sure TCP/18184 is allowed through the firewall and that the LEA server is enabled in the fwopsec.conf file on the management server, because it is disabled by default.

Check Point is one of the more difficult event sources to configure. It must be installed on a Windows collector and requires several complicated steps:

  1. Configure the InsightIDR Collector
  2. Configure OPSEC LEA
  3. Create an OPSEC LEA Application
  4. Set a one time password for Collector authentication
  5. Identify the DN
  6. Gather SIC DN
  7. Export the Certificate
  8. Enable the LEA Server
  9. Configure Check Point in InsightIDR

Read additional information here: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk122323

1. Configure the InsightIDR Collector

Install the Visual C++ Redistributable application on your Windows Collector.

This event source cannot run on a Linux or Mac Collector.

This application is required for the event source to work. These files can be downloaded here: http://www.microsoft.com/en-us/download/details.aspx?id=30679.

Important: Select the vcredist_x86.exe file even though the Collector is a 64-bit system. Install the additional DLLs and restart the computer.

Once configured, the OPSEC LEA client on the Collector connects to the LEA server on port 18184 and pulls the logs.

2. Configure OPSEC LEA

  1. Get the OPSEC SDK here: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk63026.
  2. Download OPSEC SDK 6.0 for Windows and find the OPSEC_SDK_6.0.WIN32.tar.gz file.
  3. Extract it.
  4. Find the opsec_pull_cert.exe and copy it anywhere onto your Collector host.

3. Create an OPSEC LEA Application

  1. Create an OPSEC LEA object. In SmartDashboard, from the "OPSEC LEA" and "Applications" tab, go to New > More > Server.
    • For version R80, the path is slightly different: go to OPSEC Application > Application and click OPSEC Application from the New drop-down menu.
  2. In the "OPSEC Application Properties" box, enter a memorable name for the application in the "Name" field. You will need this name later when pulling the certificate and when configuring InsightIDR.
  3. Under "Application Properties," leave the "Vendor" field as User defined.
  4. Select LEA from the "Client Entities" list.
  5. In the "Host Node" dialog (the host object that represents the Collector), enter InsightIDR-Collector in the "Name" field.
    • Enter the Collector's IP address in the "IP Address" field.
    • Click the OK button to save the host creation.

4. Set a One Time Password for Collector Authentication

In the OPSEC configuration properties, click Communication. You need to set up a one-time password for the Collector to authenticate to Check Point.

  1. Enter your password in the "One-time password" field.
  2. Re-enter your password in the "Confirm One-time password" field.
  3. Click the Initialize button.
  4. Click the Close button.

Once you create your password, the "Trust state" field displays the trust state as "Initialized but trust not established." It becomes established when communication has been established from the Collector to the Check Point firewall.

5. Identify the DN

The OPSEC Application is created. You may need to identify the DN of the object. To do this:

  1. Go to Object Explorer > Servers > OPSEC Applications.
    • For version R80, the path is slightly different.
  2. Click the Edit button.
  3. Take note of the DN.
  4. Save the configuration by clicking the OK button.
  5. Add a rule in your rulebase to allow the InsightIDR Collector to connect to the firewall or management station over the TCP port that you chose in earlier steps (18184 by default).
  6. Confirm that this rule has been saved (and the policy installed) before you export the certificate in the next section.

6. Gather SIC DN

In SmartDashboard, double-click Network Objects > Check Point and select the management object (or, on Multi-Domain, the CMA) that you previously named. Its SIC DN is the Server SIC Name you will enter in InsightIDR later; for example, CN=cp_mgmt,o=cma1..hipfr8.

7. Export the Certificate

  1. On your Collector, open a command prompt and browse to the location where you placed the opsec_pull_cert.exe file you copied onto the Collector earlier.
  2. Use the command line tool to pull the OPSEC client certificate from the Check Point server, allowing the two systems to communicate.

Use the following command to export the certificate:

opsec_pull_cert.exe -h host -n name -p password [-o output file]

where:

  • host is the address of the Check Point server; this is usually your Check Point management station
  • name is the application name you gave the OPSEC application in step 3
  • password is the one-time password you set in step 4
  • output file is the file the certificate is written to; use opsec.p12

For example, if you named the OPSEC application InsightIDR: opsec_pull_cert.exe -h 10.100.100.101 -n InsightIDR -p MyOneTimePassword -o opsec.p12

  3. The checkpoint-config folder is no longer created automatically on the Collector. You MUST create it manually in the directory where your Collector is installed: Rapid7 > Collector > checkpoint-config.
    • Note that the folder and application names are case sensitive.
  4. Under checkpoint-config, create a folder named exactly as the OPSEC application you created in step 3.
    • For example, if you named the application "Rapid7," you would create a folder titled "Rapid7."
  5. Move the opsec.p12 file to the directory you just created: C:\{InsightIDR Installed Directory}\checkpoint-config\{Application Name}\, where Application Name matches the -n argument from the opsec_pull_cert.exe command.
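
Before moving on to the LEA server, it is worth checking that the certificate landed where the Collector will look for it: the folder is not created automatically and the application name must match exactly. The check below is an added example, not Rapid7's code. Given the Collector install directory and the OPSEC application name, it verifies the checkpoint-config\{Application Name}\opsec.p12 layout described above, flags a folder whose name differs from the application name only by case, and confirms the file is a non-empty DER-encoded PKCS#12 (which always begins with a SEQUENCE tag, byte 0x30). Function names such as check_cert_layout are this example's own.

```python
"""Pre-flight check for the certificate layout the OPSEC LEA event source expects.

Added example; not Rapid7 code. The layout checked is the one documented on this page:
{install dir}\\checkpoint-config\\{Application Name}\\opsec.p12, where {Application Name}
must match the -n argument given to opsec_pull_cert.exe exactly, including case.
"""
from __future__ import annotations

from pathlib import Path

CERT_FILENAME = "opsec.p12"
CONFIG_DIRNAME = "checkpoint-config"


def expected_cert_path(install_dir: str | Path, app_name: str) -> Path:
    """Where the Collector expects the certificate for this application."""
    return Path(install_dir) / CONFIG_DIRNAME / app_name / CERT_FILENAME


def check_cert_layout(install_dir: str | Path, app_name: str) -> list[str]:
    """Return a list of problems; an empty list means the layout matches the page."""
    problems: list[str] = []
    root = Path(install_dir)
    config_dir = root / CONFIG_DIRNAME
    if not config_dir.is_dir():
        problems.append(f"missing folder {config_dir} (it is not created automatically; create it by hand)")
        return problems

    # Compare directory names exactly. On Windows a folder named "insightidr" resolves when
    # code asks for "InsightIDR", but the Collector treats the application name as case sensitive.
    actual = [entry.name for entry in config_dir.iterdir() if entry.is_dir()]
    if app_name not in actual:
        near = [n for n in actual if n.lower() == app_name.lower()]
        if near:
            problems.append(f"folder {near[0]!r} differs from application name {app_name!r} only by case; rename it")
        else:
            problems.append(f"no folder named {app_name!r} under {config_dir}; found {actual}")
        return problems

    cert = expected_cert_path(root, app_name)
    if not cert.is_file():
        problems.append(f"{cert} not found; move the opsec_pull_cert.exe output here")
        return problems

    data = cert.read_bytes()
    if len(data) == 0:
        problems.append(f"{cert} is empty; the pull probably failed (check the one-time password)")
    elif data[0] != 0x30:
        # PKCS#12 is DER-encoded, so a valid file always starts with a SEQUENCE tag (0x30).
        problems.append(f"{cert} does not look like a DER PKCS#12 file (first byte 0x{data[0]:02x})")
    return problems


if __name__ == "__main__":
    import sys

    # usage: python check_cert_layout.py "C:\Program Files\rapid7\Collector" InsightIDR
    issues = check_cert_layout(sys.argv[1], sys.argv[2])
    print("OK: certificate layout looks right" if not issues else "\n".join(issues))
    sys.exit(1 if issues else 0)
```

Run it on the Collector after step 5; a non-zero exit with the reason printed is faster than waiting for the event source to fail and then digging through opsec-debug.log.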

8. Enable the LEA server

Perform the following steps to enable the LEA server so that the Collector can connect to the Check Point server. It is disabled by default. Edit the fwopsec.conf file, which resides in the $FWDIR/conf directory on Gaia/Linux or the %FWDIR%\conf\ directory on Windows.

  1. Locate the following lines:
     #lea_server auth_port 18184
     #lea_server port 0
  2. Change the lines to read as follows (if the lines are missing, add them to the file):
     lea_server auth_port 18184
     lea_server auth_type ssl_ca
  3. Restart Check Point services for the change to take effect.

NOTE: Depending on the version of Check Point, you may need to specify the auth_type as sslca, without the underscore. For example: lea_server auth_type sslca
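
The edit above is small but easy to get wrong on a second pass: a still-commented line left in place, two auth_port lines after an upgrade, or the wrong auth_type spelling for the release. The script below is an added example, not Rapid7's or Check Point's tooling. It rewrites fwopsec.conf idempotently: it removes any active or commented lea_server auth_port / auth_type lines, appends exactly one of each, accepts only the two auth_type spellings this page documents, leaves every other line (including lea_server port 0) untouched, keeps a .bak copy, and returns the active settings so you can verify them. It assumes a Python 3 interpreter where you run it (or run it against a copy of the file and put the result back), and that you restart Check Point services afterwards.

```python
"""Idempotently enable the OPSEC LEA server in fwopsec.conf.

Added example; not Rapid7 or Check Point code. render_lea_config() works on the file text
so it can be tested; apply_to_file() wraps it for a real $FWDIR/conf/fwopsec.conf.
Assumptions: sslca and ssl_ca (the two spellings this page documents) are the only valid
auth_type values, and Check Point services are restarted after the file changes.
"""
from __future__ import annotations

import re
import shutil
import sys
from pathlib import Path

# Keys this tool owns. Any other lea_server line (e.g. "lea_server port 0") and every
# non-LEA line are passed through unchanged.
MANAGED_KEYS = ("auth_port", "auth_type")
VALID_AUTH_TYPES = ("sslca", "ssl_ca")

# Matches an active or commented-out "lea_server <key> <value>" line.
LEA_LINE = re.compile(r"^\s*(#\s*)?lea_server\s+(\S+)\s+(\S+)\s*$")


def render_lea_config(text: str, auth_port: int = 18184, auth_type: str = "sslca") -> str:
    """Return fwopsec.conf text containing exactly one auth_port and one auth_type line."""
    if auth_type not in VALID_AUTH_TYPES:
        raise ValueError(f"auth_type must be one of {VALID_AUTH_TYPES}, got {auth_type!r}")
    if not 1 <= auth_port <= 65535:
        raise ValueError(f"auth_port out of range: {auth_port}")

    kept: list[str] = []
    for line in text.splitlines():
        m = LEA_LINE.match(line)
        if m and m.group(2) in MANAGED_KEYS:
            continue  # drop old and commented copies so a re-run never duplicates them
        kept.append(line)
    while kept and not kept[-1].strip():
        kept.pop()  # keep the new block adjacent to the existing content
    kept.append(f"lea_server auth_port {auth_port}")
    kept.append(f"lea_server auth_type {auth_type}")
    return "\n".join(kept) + "\n"


def lea_settings(text: str) -> dict[str, str]:
    """Active (uncommented) lea_server key -> value pairs, for verification."""
    settings: dict[str, str] = {}
    for line in text.splitlines():
        m = LEA_LINE.match(line)
        if m and not m.group(1):
            settings[m.group(2)] = m.group(3)
    return settings


def apply_to_file(path: str | Path, auth_port: int = 18184, auth_type: str = "sslca") -> dict[str, str]:
    """Rewrite the file in place, keeping a .bak copy, and return the active settings."""
    p = Path(path)
    shutil.copy2(p, p.with_name(p.name + ".bak"))  # fwopsec.conf has no undo; keep a copy
    new_text = render_lea_config(p.read_text(), auth_port, auth_type)
    p.write_text(new_text)
    return lea_settings(new_text)


if __name__ == "__main__":
    # usage: python enable_lea.py $FWDIR/conf/fwopsec.conf [auth_port] [sslca|ssl_ca]
    conf = sys.argv[1]
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 18184
    kind = sys.argv[3] if len(sys.argv) > 3 else "sslca"
    for key, value in sorted(apply_to_file(conf, port, kind).items()):
        print(f"lea_server {key} {value}")
```

If the first attempt fails with the "policy choose failed" / DENY signature shown in the troubleshooting section, re-run with the other spelling (ssl_ca instead of sslca, or vice versa); the script replaces the previous line rather than adding a second one.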

9. Configure Check Point in InsightIDR with OPSEC LEA

  1. From your dashboard, select Data Collection on the left hand menu.
  2. When the Data Collection page appears, click the Setup Event Source dropdown and choose Add Event Source.
  3. From the “Security Data” section, click the Firewall icon. The “Add Event Source” panel appears.
  4. Choose your collector and event source. You can also name your event source if you want.
  5. Choose the timezone that matches the location of your event source logs.
  6. Optionally choose to send unfiltered logs.
  7. Configure your default domain and any Advanced Event Source Settings.
  8. Select OPSEC LEA as your collection method. You will need the following information:
    • IP Address
    • Port (of the authentication LEA server)
    • OPSEC Application Name
    • Application SIC Name
    • Server SIC Name
  9. Click Save.

OPSEC LEA Troubleshooting

Installing the Visual C++ Redistributable

If the event source fails with the error message Check Point LEA Engine terminated unexpectedly, extra files need to be installed on the machine running the Collector to support the Check Point event source.

These files can be downloaded here: http://www.microsoft.com/en-us/download/details.aspx?id=30679.

Important: Select the vcredist_x86.exe file even though the Collector is a 64-bit system. Install the additional DLLs and restart the computer. The Check Point event source should now be able to connect to the Check Point firewall.

Directly Invoking the Check Point Executable

If the Check Point event source continues to experience errors, invoke the executable responsible for connecting to Check Point directly. This executable will be found in one of the higher numbered bundles under the felix-cache directory:

C:\{InsightIDR installed directory}\felix-cache\bundle{XX}\data\opsec\checkpoint-lea-win-exe.exe

where {XX} is a high-numbered bundle in your felix-cache directory that has the opsec subdirectory inside it. The executable needs to be invoked with a number of parameters to connect to the Check Point server:

C:\{InsightIDR installed directory}\felix-cache\bundle{XX}\data\opsec\checkpoint-lea-win-exe.exe "lea_server" "{application SIC name}" "{path to certificate file and file name}" "{Check Point address}" "{Check Point port}" "sslca" "{server SIC name}" "1"

For example, substituting these:

  • {InsightIDR installed directory} with C:\Program Files\rapid7\InsightIDR
  • bundle{XX} with bundle45
  • {application SIC name} with CN=InsightIDR,O=fwmgmt.myorg.org.ab12cd
  • {path to certificate file and file name} with C:\Program Files\rapid7\InsightIDR\checkpoint-config\InsightIDR\opsec.p12
  • {Check Point address} with 10.100.100.101
  • {Check Point port} with 18184
  • {server SIC name} with cn=cp_mgmt,o=fwmgmt.myorg.org.ab12cd

would result in the following command:

C:\Program Files\rapid7\InsightIDR\felix-cache\bundle45\data\opsec\checkpoint-lea-win-exe.exe "lea_server" "CN=InsightIDR,O=fwmgmt.myorg.org.ab12cd" "C:\Program Files\rapid7\InsightIDR\checkpoint-config\InsightIDR\opsec.p12" "10.100.100.101" "18184" "sslca" "cn=cp_mgmt,o=fwmgmt.myorg.org.ab12cd" "1"

If the EXE returns with no errors, look for the opsec-debug.log file in the same folder as the Check Point executable. This file contains detailed diagnostics of the error.

If the file contains the following error:

[OpsecDebug]PM_session_init: given session O(CN=UseerInsight,O=fwmgmt.myorg.org.ab12cd;cn=cp_mgmt,oo=fwmgmt.myorg.org.ab12cd;18184;lea).
[OpsecDebug]PM_policy_query: input session O(CN=UseerInsight,O=fwmgmt.myorg.org.ab12cd;cn=cp_mgmt,oo=fwmgmt.myorg.org.ab12cd;18184;lea).
[OpsecDebug]PM_policy_query: rule found (ME;cn=cp_mgmt,oo=fwmgmt.myorg.org.ju2ahc;18184;lea;sslca(1/1)).
[OpsecDebug]PM_policy_query: finished successfully. 1st method = sslca
[OpsecDebug]PM_policy_choose: finished successfully. choose: DENY.
[OpsecDebug]policy_choose: choose failed.
[OpsecDebug]sic_client_negotiate_auth_method: policy choose failed.
[OpsecDebug]fwasync_mux_in: 360: handler returned with error
[OpsecDebug]sic_client_end_handler: for conn id = 360
[OpsecDebug]opsec_auth_client_connected: connect failed (119)

Update the fwopsec.conf file described in step 8 (Enable the LEA server) to use auth_type ssl_ca, after which the file will read:

lea_server auth_port 18184
lea_server auth_type ssl_ca

Other Common Errors

If the debug log contains the error:

[OpsecDebug]fw_VerifySigned: unsupported algorithm
[OpsecDebug]fwCRL_good_for_cert: signature verification failed: -3
[OpsecDebug]sslca_check_crlreq_make_answer: fetching crl failed

  1. Check whether you are running R80 or greater on your Check Point.
  2. If so, according to Check Point support, R80 signs certificates with a SHA-256 hash by default.
  3. To get the application to connect to R80 infrastructure, force cpca to issue SHA-1 certificates as shown in sk103840 (SHA-1 and SHA-256 certificates in Check Point Internal CA (ICA)).

Please see this link for more information: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk103840.

This sk specifically covers post-install or post-upgrade instructions, before any other configuration has been done. To change the cp_mgmt certificate at any later time, see sk110559 ("Bad certificate - SIC error 301 for lea" error when fetching 3rd party OPSEC server certificates), which has instructions for SMS and MDS.

See this link for more information: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk110559&partition=Advanced&product=Security.

You can also try the following steps to configure an R80+ Check Point:

  1. Delete the old OPSEC object in SmartConsole.
  2. Change the Internal CA on the Check Point management server to issue certificates with a SHA-1 signature. In expert mode CLI: cpca_client set_sign_hash sha1
  3. Make a new OPSEC object in SmartConsole (follow the Rapid7 guide above).
  4. Create SIC (get the certificate) between the Check Point management server and the Rapid7 Collector by running opsec_pull_cert.exe.
  5. Change the Internal CA on the Check Point management server back to issuing certificates with a SHA-256 signature. In expert mode CLI: cpca_client set_sign_hash sha256
  6. Change fwopsec.conf to contain the following:
     lea_server auth_port 18185
     lea_server auth_type sslca
  7. Place the certificate on the Collector (follow the Rapid7 guide above).
  8. Set the details in the Rapid7 InsightIDR web UI.

Note: some issues can occur when using the standard OPSEC port 18184; use 18185 instead.

Error "terminated unexpectedly"

If you receive this error on the event sources page:

  1. Use the Check Point LEA executable to check the settings and produce an error log.
  2. This must be run on the Collector itself (Windows based) and requires the Visual Studio runtime DLLs.

Install the Visual Studio redistributable vcredist_x86.exe on the Collector Server. The Microsoft link is here: http://www.microsoft.com/en-us/download/details.aspx?id=30679.

NOTE: In some instances, the 32-bit version must be installed on a 64-bit operating system.

  3. Run the following command: cd C:\Program Files\rapid7\UserInsight\felix-cache\bundle43\data
    • NOTE: The bundle name may NOT match the example above for your installation. It is often the very last bundle.
  4. Run the following command, substituting the correct OPSEC SIC names, certificate path and addresses. The entity SIC names are case sensitive.

opsec\checkpoint-lea-win-exe.exe "lea_server" "CN=User_Insight,O=fwmgmt.xxx.org.xxx" "C:\Program Files\rapid7\UserInsight\checkpoint-config\User_Insight\opsec.p12" "10.1.1.4" "18184" "sslca" "cn=cp_mgmt,o=fwmgmt.xxx.org.xxx" "1"

  5. Use the cd command to navigate to the folder where the file is (usually C:\Program Files\rapid7\InsightIDR\felix-cache\bundle45\data\opsec) and run the command from the above prompt. In the same folder, you should now be able to see and examine the opsec-debug.log file produced by the above command.
  6. Search for the error "SIC Error for lea: Client could not choose an authentication method."
  7. If this error is present, edit the fwopsec.conf file and change the auth_type to ssl_ca, so that the following appears below the auth_port entry:
     lea_server auth_port 18184
     lea_server auth_type ssl_ca
    • NOTE: If you are using R77.20, you must specify the auth_type as sslca: lea_server auth_type sslca
  8. You can determine whether the auth_type setting worked by trying to telnet to the Check Point server over port 18184. If you cannot connect to port 18184, the auth_type value used is wrong.
  9. Correct the auth_type, and then stop and restart the Check Point server.
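
Each of the troubleshooting subsections above ends the same way: run checkpoint-lea-win-exe.exe by hand, open opsec-debug.log, and look for a particular signature. The script below is an added example, not Rapid7's code, that automates the reading. It scans the log for the signatures quoted on this page (the DENY / "policy choose failed" sequence, the "Client could not choose an authentication method" SIC error, and the "unsupported algorithm" CRL failure), reports the fix this page gives for each, and extracts the client SIC name, server SIC name and port the executable actually presented so you can compare them, case-sensitively, against the OPSEC application object and the event-source settings. The embedded sample logs are the page's own excerpts, redacted DNs included; the function and label names are this example's.

```python
"""Triage an opsec-debug.log written by checkpoint-lea-win-exe.exe.

Added example; not Rapid7 or Check Point code. The signatures are the log lines quoted in
the troubleshooting sections of this page and each remediation paraphrases the fix the page
gives for that signature. A log that matches no rule yields no findings, which means
"no known signature", not "healthy".
"""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    code: str          # short machine-readable label
    evidence: str      # the log line that triggered the rule
    remediation: str   # what the page says to do about it


# (code, per-line pattern, remediation). The first matching line per code is reported.
RULES: list[tuple[str, re.Pattern[str], str]] = [
    (
        "auth_type_mismatch",
        re.compile(
            r"PM_policy_choose: .*choose: DENY"
            r"|policy_choose: choose failed"
            r"|Client could not choose an authentication method"
        ),
        "The server denied the client's SIC authentication method. Set lea_server auth_type "
        "in fwopsec.conf to ssl_ca (sslca on releases such as R77.20), then stop and restart "
        "the Check Point server and re-test port 18184.",
    ),
    (
        "sha256_certificate",
        re.compile(
            r"fw_VerifySigned: unsupported algorithm"
            r"|fwCRL_good_for_cert: signature verification failed"
            r"|sslca_check_crlreq_make_answer: fetching crl failed"
        ),
        "On R80+ the Internal CA signs with SHA-256, which the OPSEC client cannot verify. "
        "Re-issue with SHA-1 (sk103840: cpca_client set_sign_hash sha1), re-pull the certificate, "
        "then switch back to sha256; see sk110559 for an existing cp_mgmt certificate.",
    ),
    (
        "connect_failed",
        re.compile(r"opsec_auth_client_connected: connect failed \((\d+)\)"),
        "SIC negotiation did not complete; the root cause is in the lines preceding this one.",
    ),
]

# "given session O(<client SIC>;<server SIC>;<port>;<entity>)": what the executable actually used.
SESSION = re.compile(r"given session O\(([^;]+);([^;]+);(\d+);(\w+)\)")


def triage(log_text: str) -> list[Finding]:
    """Return one Finding per matched rule, in order of first appearance in the log."""
    seen: set[str] = set()
    findings: list[Finding] = []
    for line in log_text.splitlines():
        for code, pattern, remediation in RULES:
            if code not in seen and pattern.search(line):
                seen.add(code)
                findings.append(Finding(code, line.strip(), remediation))
    return findings


def parse_session(log_text: str) -> dict[str, object] | None:
    """Extract the SIC names and port the client presented, for a case-sensitive comparison
    with the OPSEC application object and the InsightIDR event-source settings."""
    m = SESSION.search(log_text)
    if not m:
        return None
    return {"client_sic": m.group(1), "server_sic": m.group(2), "port": int(m.group(3)), "entity": m.group(4)}


# Log excerpts as quoted on this page (the DNs are the page's redacted examples).
SAMPLE_DENY_LOG = """\
[OpsecDebug]PM_session_init: given session O(CN=UseerInsight,O=fwmgmt.myorg.org.ab12cd;cn=cp_mgmt,oo=fwmgmt.myorg.org.ab12cd;18184;lea).
[OpsecDebug]PM_policy_query: finished successfully. 1st method = sslca
[OpsecDebug]PM_policy_choose: finished successfully. choose: DENY.
[OpsecDebug]policy_choose: choose failed.
[OpsecDebug]sic_client_negotiate_auth_method: policy choose failed.
[OpsecDebug]opsec_auth_client_connected: connect failed (119)
"""

SAMPLE_SHA_LOG = """\
[OpsecDebug]fw_VerifySigned: unsupported algorithm
[OpsecDebug]fwCRL_good_for_cert: signature verification failed: -3
[OpsecDebug]sslca_check_crlreq_make_answer: fetching crl failed
"""

if __name__ == "__main__":
    import sys

    # usage: python triage_opsec_debug.py <path to opsec-debug.log>   (defaults to the sample)
    text = open(sys.argv[1], encoding="utf-8", errors="replace").read() if len(sys.argv) > 1 else SAMPLE_DENY_LOG
    session = parse_session(text)
    if session:
        print(f"client SIC: {session['client_sic']}  server SIC: {session['server_sic']}  port: {session['port']}")
    for f in triage(text):
        print(f"[{f.code}] {f.evidence}\n    -> {f.remediation}")
```

Run it against the opsec-debug.log in the bundle's opsec folder right after invoking the executable; if the printed client SIC differs from the OPSEC application's DN by so much as a letter's case, fix that before touching fwopsec.conf.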

Collect Logs from a Separate Log Server

While it is possible to have the Check Point Management Station simultaneously be the Check Point Log Server, it is common for these two roles to be hosted on separate servers. If you have a separate server for the Log Server, you will also need the following information, which is from Check Point's Knowledge-base.

Solution

Follow these steps to connect an OPSEC LEA to a Log Server / Domain Log Server:

  1. Follow the documentation provided with the OPSEC software to establish a LEA connection between the OPSEC LEA client and the Security Management Server / Domain Management Server. This includes defining the OPSEC LEA object, creating a SIC password and pulling the opsec.p12 file from the Security Management Server / Domain Management Server.
  2. In SmartDashboard, go to Policy menu -> Install Database... and select the Log Server / Domain Log Server object.
  3. Edit the OPSEC LEA configuration on the OPSEC software to point the lea_server_ip to the IP address of the Log Server / Domain Log Server.
  4. Edit the OPSEC LEA configuration to reflect the CN of the Log Server / Domain Log Server: instead of lea_server opsec_entity_sic_name "CN=cp_mgmt,O=Management..xxxxx" it should read lea_server opsec_entity_sic_name "CN=<LOG_SERVER_NAME>,O=Management..xxxxx".
  5. Restart the OPSEC LEA connection.

In InsightIDR, this means the event source must use the IP address of the Log Server (not the management station) and the Log Server's SIC name as the Server SIC Name.

VPN Users - Confidential Logging Issue

If you are using Check Point as both a firewall and VPN, you may notice that the LEA configuration replaces log fields, such as machine name or user, with strings such as ***Confidential***. This prevents InsightIDR from associating the VPN activity with users, which limits its ability to detect and investigate incidents.

To change this:

  1. Open the OPSEC application object's "LEA Permissions" tab.
  2. Change "Permissions to Read Logs" to "Show all log fields".

When "Hide all confidential log fields" is enabled for an OPSEC LEA Server object, the confidential log fields are:

  • Source Machine Name
  • User
  • Source User Name
  • User Display Name
  • Source User Group
  • Destination Machine Name
  • Destination User Name
  • User DN
  • Sender
  • DLP Recipients
  • UserCheck Message to User
  • User Group
  • Source Machine Group
  • Description

For Additional Help

Please see Check Point's troubleshooting guide for more information.

You can also read through IBM QRadar's troubleshooting guide here: https://www-01.ibm.com/support/docview.wss?uid=swg22012801