Check Point
You can send Check Point Firewall data to InsightIDR in multiple ways: syslog, a log aggregator, or the traditional OPSEC LEA. Regardless of how you decide to configure it, InsightIDR also supports parsing JSON from Check Point.
Send to Syslog
For versions R80 and higher, you can use syslog to send data from Check Point to InsightIDR. This configuration is much simpler than OPSEC LEA and is the recommended way if you are on the latest version.
You must enable and configure your Check Point firewall to send syslog to a server. Follow instructions here: https://sc1.checkpoint.com/documents/R81/WebAdminGuides/EN/CP_R81_Multi-DomainSecurityManagement_AdminGuide/Topics-MDSG/Logging-and-Monitoring.htm
When configuring Syslog properties, make sure that you choose Syslog from the "Version" dropdown.

When you use syslog, InsightIDR will parse out the following logs types:
- Firewall
- VPN
- Ingress Authentication
- Web Proxy
- IDS
- Advanced Malware
How to Configure This Event Source in InsightIDR
- From your dashboard, select Data Collection on the left hand menu.
- When the Data Collection page appears, click the Setup Event Source dropdown and choose Add Event Source.
- From the “Security Data” section, click the Firewall icon. The “Add Event Source” panel appears.
- Choose your collector and event source. You can also name your event source if you want.
- Choose the timezone that matches the location of your event source logs.
- Optionally choose to send unparsed logs.
- Select an attribution source.
- Configure your default domain and any Advanced Event Source Settings.
- Select Listen on Network Port as your Collection Method.
- Enter the Port you defined in your Check Point Smart Dashboard.
- Choose a protocol. Optionally choose to Encrypt the event source if choosing TCP by downloading the Rapid7 Certificate.
- Click Save.
ArcSight Log Aggregator
InsightIDR now accepts logs from ArcSight in the CEF format. Read about CEF format here: https://community.softwaregrp.com/t5/ArcSight-Connectors/ArcSight-Common-Event-Format-CEF-Implementation-Standard/ta-p/1645557
Configure InsightIDR to collect data from the event source
After you complete the prerequisite steps and configure the event source to send data, you must add the event source in InsightIDR.
To configure the new event source in InsightIDR:
- From the left menu, go to Data Collection and click Setup Event Source > Add Event Source.
- Do one of the following:
- Search for Check Point FireWall-1 in the event sources search bar.
- In the Product Type filter, select Firewall.
- Select the Check Point FireWall-1 event source tile.
- Choose your collector and event source. You can also name your event source if you want.
- Choose the timezone that matches the location of your event source logs.
- Optionally choose to send unfiltered logs.
- Select an attribution source.
- Configure inactivity timeout threshold in minutes.
- Select Log Aggregator and choose ArcSight. Specify the port of ArcSight and choose which protocol to use.
- Optionally choose to Encrypt the event source if choosing TCP by downloading the Rapid7 Certificate.
- Select Save.
OPSEC LEA
OPSEC LEA (Log Export API) allows InsightIDR to pull logs from a Check Point device using the OPSEC SDK, instead of the device forwarding logs to a port on InsightIDR. Read more about it here: https://www.fir3net.com/Firewalls/Check-Point/a-quick-guide-to-checkpoints-opsec-lea.html
By default, the OPSEC LEA Server listens on TCP/18184 on the device that holds your logs; this port is customizable. Your OPSEC LEA Client then connects to port 18184 and pulls the logs. Make sure that TCP/18184 is allowed on the firewall or in the SmartCenter configuration file, as it is disabled by default.
Check Point is one of the more difficult event sources to configure. It must be installed on a Windows collector and requires several complicated steps:
- Configure the InsightIDR Collector
- Configure OPSEC LEA
- Create an OPSEC LEA Application
- Set a one time password for Collector authentication
- Identify the DN
- Gather SIC DN
- Export the Certificate
- Enable the LEA Server
- Configure Check Point in InsightIDR
Read additional information here: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk122323
1. Configure the InsightIDR Collector
Install the Visual C++ Redistributable application on your Windows Collector.
This cannot be installed on Linux or Mac.
This application is required for the event source to work. These files can be downloaded here: http://www.microsoft.com/en-us/download/details.aspx?id=30679.
Important: Select the vcredist_x86.exe file even though the Collector is a 64-bit system. Install the additional DLLs and restart the computer.
Once configured, the OPSEC LEA Client will connect to port 18184 and pull the logs.
2. Configure OPSEC LEA
- Get the OPSEC SDK here: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk63026.
- Download OPSEC SDK 6.0 for Windows and find the OPSEC_SDK_6.0.WIN32.tar.gz file.
- Extract it.
- Find opsec_pull_cert.exe and copy it anywhere onto your Collector host.
3. Create an OPSEC LEA Application
- Create an OPSEC LEA Object within the "OPSEC LEA" and "Applications" tab.
- From the dashboard go to New > More > Server.

For version R80, the path is slightly different.

- Then go to OPSEC Application > Application.
- Click OPSEC Application from the New drop-down menu.

- In the "OPSEC Application Properties" box, enter a memorable name for the application in the "Name" field for later configuration in InsightIDR.
- Under "Application Properties," leave the "Vendor" field as User defined.
- Select LEA from the "Client Entities" list.
- In the "Host Node" dialog, enter InsightIDR-Collector in the "Name" field.

- Enter the IP address in the "IP Address" field.
- Click the OK button to save the host creation.

4. Set a One Time Password for Collector Authentication
In the OPSEC configuration properties, click Communication. You need to set up a one-time password for the Collector to authenticate to Check Point.
- Enter your password in the "One-time password" field.
- Re-enter your password in the "Confirm One-time password" field.
- Click the Initialize button.
- Click the Close button.

Once you create your password, the "Trust state" field displays the trust state as "Initialized but trust not established." It becomes established when communication has been established from the Collector to the Check Point firewall.

5. Identify the DN
The OPSEC Application is created. You may need to identify the DN of the object. To do this:
- Go to Object Explorer > Servers > OPSEC Applications.
- Click the Edit button.

For version R80, the path is slightly different.

- Take note of the DN.

- Save the configuration by clicking the OK button.
- Add a rule in your rulebase to allow the InsightIDR collector to connect to the firewall or management station over the TCP port that you chose in earlier steps.
- Confirm that this rule has been saved before you export the certificate in the next section.
6. Gather SIC DN
In the "SmartDashboard," double click Network Object > Check Point. Select the CMA that you previously named. For example, CN=cp_mgmt,o=cma1..hipfr8.
7. Export the Certificate
- On your Collector, open a command prompt and browse to the location where you placed the opsec_pull_cert.exe file you copied onto the Collector earlier.
- Use the command line tools to incorporate the OPSEC server certificate into InsightIDR, allowing the two systems to communicate.
Use the following command to export the certificate: opsec_pull_cert.exe -h host -n name -p password [-o output file]
where:
- host is the address of the Check Point server; this is usually your Check Point management station
- name is the application name given to the OPSEC application in the previous step
- password is your one-time password
- output file is the name of the output file, opsec.p12
For example: opsec_pull_cert.exe -h 10.100.100.101 -n {application name used in the previous step} -p MyOneTimePassword -o opsec.p12
- The "checkpoint-config" folder is no longer created on the collector. You MUST manually create it in the following place where your Collector is installed: Rapid7 > Collector > checkpoint-config.
- Note that the folder and application names are case sensitive.
- Additionally, under checkpoint-config, create a folder named after the OPSEC application you created in earlier steps. For example, if you named the application "Rapid7," you would create a folder titled "Rapid7."
- Move the opsec.p12 file to the directory just created: C:\{InsightIDR Installed Directory}\checkpoint-config\{Application Name}\ where Application Name matches the name argument from the opsec_pull_cert.exe command.
8. Enable the LEA server
Perform the following steps to enable the LEA server to allow the firewall to talk to the Collector.
This is disabled by default. You need to edit the fwopsec.conf file, which resides in the $FWDIR/conf directory on Linux or in the %FWDIR%\conf\ directory on Windows.
- Locate the following lines:
```text
#lea_server auth_port 18184
#lea_server port 0
```
- Change the lines to read as follows (if the lines are missing, add them to the file):
```text
lea_server auth_port 18184
lea_server auth_type ssl_ca
```
NOTE: depending on the version of Check Point, you may need to specify the auth_type as sslca (with no underscore). For example: lea_server auth_type sslca
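The fwopsec.conf edit is easy to get subtly wrong: a directive left commented out, or the ssl_ca spelling used on a release that expects sslca. The Python helper below is an added example, not part of the Rapid7 or Check Point documentation. It applies the change to the text of fwopsec.conf and parses the result back so you can confirm the active lea_server directives before restarting the management server. The sample file contents are constructed; the helper names (enable_lea_server, lea_settings) are this example's own.

```python
import re

# Constructed sample of the stock fwopsec.conf lines the guide tells you to
# locate. Everything else in the real file is left untouched by the helper.
SAMPLE_FWOPSEC_CONF = """\
# fwopsec.conf (constructed sample, not a real Check Point file)
#lea_server auth_port 18184
#lea_server port 0
#sam_server auth_port 18183
"""

# Matches the lea_server auth_port / port / auth_type lines, commented or not.
LEA_LINE = re.compile(r"^\s*#?\s*lea_server\s+(auth_port|port|auth_type)\b(.*)$")


def enable_lea_server(conf_text, port=18184, underscore=True):
    """Return the fwopsec.conf text with the LEA server enabled.

    Any existing lea_server auth_port / port / auth_type lines (commented or
    not) are replaced by the two directives the guide requires. `underscore`
    chooses between the "ssl_ca" spelling and the "sslca" spelling that some
    releases expect. Other lines are preserved verbatim, and running the
    function twice yields the same result.
    """
    auth_type = "ssl_ca" if underscore else "sslca"
    kept = [line for line in conf_text.splitlines() if not LEA_LINE.match(line)]
    kept.append(f"lea_server auth_port {port}")
    kept.append(f"lea_server auth_type {auth_type}")
    return "\n".join(kept) + "\n"


def lea_settings(conf_text):
    """Parse the active (uncommented) lea_server directives into a dict.

    Use this to verify a file before restarting the management server: an
    empty dict means the LEA server is still disabled.
    """
    settings = {}
    for line in conf_text.splitlines():
        m = re.match(r"^\s*lea_server\s+(\S+)\s+(\S+)\s*$", line)
        if m:
            settings[m.group(1)] = m.group(2)
    return settings


if __name__ == "__main__":
    fixed = enable_lea_server(SAMPLE_FWOPSEC_CONF)
    print(fixed)
    print(lea_settings(fixed))
```

Pass underscore=False when the debug log later shows that the release wants sslca (see the troubleshooting section), and port=18185 if you follow the note about avoiding the standard port.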
9. Configure Check Point in InsightIDR with OPSEC LEA
- From your dashboard, select Data Collection on the left hand menu.
- When the Data Collection page appears, click the Setup Event Source dropdown and choose Add Event Source.
- From the “Security Data” section, click the Firewall icon. The “Add Event Source” panel appears.
- Choose your collector and event source. You can also name your event source if you want.
- Choose the timezone that matches the location of your event source logs.
- Optionally choose to send unfiltered logs.
- Configure your default domain settings.
- Select OPSEC LEA as your collection method. You will need the following information:
- IP Address
- Port (of the authentication LEA server)
- OPSEC Application Name
- Application SIC Name
- Server SIC Name
- Click Save.
OPSEC LEA Troubleshooting
Installing the Visual C++ Redistributable
If the event source fails with the error message Check Point LEA Engine terminated unexpectedly, extra files need to be installed on the machine running the Collector to support the Check Point event source.
These files can be downloaded here: http://www.microsoft.com/en-us/download/details.aspx?id=30679.
Important: Select the vcredist_x86.exe
file even though the Collector is a 64-bit system. Install the additional DLLs and restart the computer. The Check Point event source should now be able to connect to the Check Point firewall.
Directly Invoking the Check Point Executable
If the Check Point event source continues to experience errors, invoke the executable responsible for connecting to Check Point directly. This executable is found in one of the higher-numbered bundles under the felix-cache directory:
C:\{InsightIDR installed directory}\felix-cache\bundle{XX}\data\opsec\checkpoint-lea-win-exe.exe
where {XX} is a high-numbered bundle in your felix-cache directory that has the opsec subdirectory inside it. The executable needs to be invoked with a number of parameters to connect to the Check Point server:
```text
C:\{InsightIDR installed directory}\felix-cache\bundle{XX}\data\opsec\checkpoint-lea-win-exe.exe "lea_server" "{application SIC name}" "{path to certificate file and file name}" "{Check Point address}" "{Check Point port}" "sslca" "{server SIC name}" "1"
```
For example, substituting these:
- {InsightIDR installed directory} with C:\Program Files\rapid7\InsightIDR
- bundle{XX} with bundle45
- {application SIC name} with CN=InsightIDR,O=fwmgmt.myorg.org.ab12cd
- {path to certificate file and file name} with C:\Program Files\rapid7\InsightIDR\checkpoint-config\InsightIDR\opsec.p12
- {Check Point address} with 10.100.100.101
- {Check Point port} with 18184
- {server SIC name} with cn=cp_mgmt,o=fwmgmt.myorg.org.ab12cd
would result in the following command:
```text
C:\Program Files\rapid7\InsightIDR\felix-cache\bundle45\data\opsec\checkpoint-lea-win-exe.exe "lea_server" "CN=InsightIDR,O=fwmgmt.myorg.org.ab12cd" "C:\Program Files\rapid7\InsightIDR\checkpoint-config\InsightIDR\opsec.p12" "10.100.100.101" "18184" "sslca" "cn=cp_mgmt,o=fwmgmt.myorg.org.ab12cd" "1"
```
If the EXE returns with no errors, look for the opsec-debug.log file in the same folder as the Check Point executable. This file contains detailed diagnostics of the error.
If the file contains the following error:
```text
[OpsecDebug]PM_session_init: given session O(CN=UseerInsight,O=fwmgmt.myorg.org.ab12cd;cn=cp_mgmt,oo=fwmgmt.myorg.org.ab12cd;18184;lea).
[OpsecDebug]PM_policy_query: input session O(CN=UseerInsight,O=fwmgmt.myorg.org.ab12cd;cn=cp_mgmt,oo=fwmgmt.myorg.org.ab12cd;18184;lea).
[OpsecDebug]PM_policy_query: rule found (ME;cn=cp_mgmt,oo=fwmgmt.myorg.org.ju2ahc;18184;lea;sslca(1/1)).
[OpsecDebug]PM_policy_query: finished successfully. 1st method = sslca
[OpsecDebug]PM_policy_choose: finished successfully. choose: DENY.
[OpsecDebug]policy_choose: choose failed.
[OpsecDebug]sic_client_negotiate_auth_method: policy choose failed.
[OpsecDebug]fwasync_mux_in: 360: handler returned with error
[OpsecDebug]sic_client_end_handler: for conn id = 360
[OpsecDebug]opsec_auth_client_connected: connect failed (119)
```
Update the fwopsec.conf file described in the "Enable the LEA server" section above to use the auth_type ssl_ca, after which the file will read:
```text
lea_server auth_port 18184
lea_server auth_type ssl_ca
```
Other Common Errors
If the debug log contains the error:
text
```text
[OpsecDebug]fw_VerifySigned: unsupported algorithm
[OpsecDebug]fwCRL_good_for_cert: signature verification failed: -3
[OpsecDebug]sslca_check_crlreq_make_answer: fetching crl failed
```
- Check to see if you are running R80 or greater on your Check Point.
- If so, according to Check Point support, R80 uses a sha256 hash on the certificate by default.
- To get the application to connect to R80 infrastructure, force cpca to issue sha1 certificates as shown in sk103840 (SHA-1 and SHA-256 certificates in Check Point Internal CA (ICA)).
Please see this link for more information: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk103840.
This sk specifically deals with post-install or post-upgrade instructions, before any other configuration has been done. To change the cp_mgmt certificate at any later time, reference sk110559 ("Bad certificate - SIC error 301 for lea" error when fetching 3rd party OPSEC server certificates), which has instructions for SMS and MDS.
See this link for more information: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk110559&partition=Advanced&product=Security.
You can also try the following steps to configure an R80+ Check Point:
- Delete old OPSEC object in SmartConsole
- Change Internal CA on CP management to issue certificates with sha1 signature:
- In expert mode CLI: “cpca_client set_sign_hash sha1”
- Make new OPSEC object in SmartConsole (Follow Rapid7 guide)
- Create SIC (Get certificate) between CP Mgmt server and Rapid7 collector.
- Run opsec_pull_cert.exe
- Change Internal CA on CP management back to issuing certificates with sha256 signature
- In expert mode CLI: “cpca_client set_sign_hash sha256”
- Change fwopsec.conf to contain the following:
```text
lea_server auth_port 18185
lea_server auth_type sslca
```
- Place Certificate on collector (Follow Rapid7 guide)
- Set the details on Rapid7 InsightIDR webUI.
Note: some issues can occur when using standard OPSEC port 18184; please use 18185 instead.
Error "terminated unexpectedly"
If you receive an error on the event sources page:
- Use the Check Point LEA executable to check the settings and produce an error log
- This must be run on the Collector itself (Windows based) and requires the Visual Studio DLLs
Install the Visual Studio redistributable vcredist_x86.exe on the Collector Server. The Microsoft link is here: http://www.microsoft.com/en-us/download/details.aspx?id=30679.
NOTE: In some instances, the 32-bit version must be installed on a 64-bit Operating System.
- Run the following command:
cd C:\Program Files\rapid7\UserInsight\felix-cache\bundle43\data
- NOTE: the Bundle name may NOT match above example for your installation. It is often the very last bundle.
- Run the following command, but substitute with the correct OPSEC SIC name etc. The Entity SIC names are case-sensitive.
```text
opsec\checkpoint-lea-win-exe.exe "lea_server" "CN=User_Insight,O=fwmgmt.xxx.org.xxx" "C:\Program Files\rapid7\UserInsight\checkpoint-config\User_Insight\opsec.p12" "10.1.1.4" "18184" "sslca" "cn=cp_mgmt,o=fwmgmt.xxx.org.xxx" "1"
```
- Use the cd command to navigate to the folder where the file is (usually C:\Program Files\rapid7\InsightIDR\felix-cache\bundle45\data\opsec) and run the command from that prompt. In the same folder, you should now be able to see and examine the opsec-debug.log file produced by the command.
- Search for an error titled "SIC Error for lea: Client could not choose an authentication method."
- If this error is present, edit the "fwopsec.conf" file and change the auth_type to "ssl_ca". The following should then appear below the auth_port entry, as in this example:
```text
lea_server auth_port 18184
lea_server auth_type ssl_ca
```
NOTE: If you are using R77.20, you must specify the auth_type as sslca, that is: lea_server auth_type sslca
- You can determine if the auth_type setting worked by trying to telnet to the Check Point over port 18184. If you cannot telnet to port 18184, the auth_type setting used is wrong.
- Correct the auth_type, and then stop and restart the Check Point server.
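The troubleshooting steps above boil down to a few checks that are worth scripting so they can be re-run after every change: is the certificate where the Collector expects it (with the exact case the guide warns about), is the LEA auth port reachable (the telnet test), and which of the known opsec-debug.log signatures is present. The Python script below is an added example and is not Rapid7's or Check Point's own tooling. The function names (diagnose_debug_log, find_opsec_cert, lea_port_reachable, build_lea_command) and the sample log excerpt are this example's own constructions; the remediation hints restate what the guide says about each error.

```python
import os
import socket

# Constructed excerpt of an opsec-debug.log, reduced to the lines that matter.
SAMPLE_DEBUG_LOG = """\
[OpsecDebug]PM_policy_choose: finished successfully. choose: DENY.
[OpsecDebug]policy_choose: choose failed.
[OpsecDebug]sic_client_negotiate_auth_method: policy choose failed.
[OpsecDebug]opsec_auth_client_connected: connect failed (119)
"""

AUTH_TYPE_HINT = ("auth_type mismatch: set lea_server auth_type to ssl_ca "
                  "(or sslca on releases such as R77.20) in fwopsec.conf and restart")
SHA256_HINT = ("R80+ Internal CA issued a SHA-256 certificate: re-issue with SHA-1 "
               "per sk103840 / sk110559, then run opsec_pull_cert.exe again")

# (substring to look for in the debug log, remediation described in the guide)
SIGNATURES = [
    ("policy choose failed", AUTH_TYPE_HINT),
    ("Client could not choose an authentication method", AUTH_TYPE_HINT),
    ("fw_VerifySigned: unsupported algorithm", SHA256_HINT),
]


def diagnose_debug_log(text):
    """Return the distinct remediation hints for the signatures found in the log."""
    hints = []
    for needle, hint in SIGNATURES:
        if needle in text and hint not in hints:
            hints.append(hint)
    return hints


def find_opsec_cert(install_dir, app_name):
    """Locate checkpoint-config\\<app_name>\\opsec.p12 under the Collector install.

    The directory name must match the OPSEC application name exactly, so the
    check compares directory entries with their case instead of relying on the
    case-insensitive Windows file system. Returns the path or None.
    """
    config_dir = os.path.join(install_dir, "checkpoint-config")
    if not os.path.isdir(config_dir) or app_name not in os.listdir(config_dir):
        return None
    cert = os.path.join(config_dir, app_name, "opsec.p12")
    return cert if os.path.isfile(cert) else None


def lea_port_reachable(host, port, timeout=3.0):
    """TCP-connect to the LEA auth port: the same check as the telnet test."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def build_lea_command(install_dir, bundle, app_sic, cert_path, host, port, server_sic):
    """Assemble the argument list for checkpoint-lea-win-exe.exe.

    Handing a list to subprocess.run avoids the quoting mistakes that are easy
    to make by hand when the SIC names and install path contain spaces or commas.
    """
    exe = os.path.join(install_dir, "felix-cache", bundle, "data", "opsec",
                       "checkpoint-lea-win-exe.exe")
    return [exe, "lea_server", app_sic, cert_path, host, str(port), "sslca", server_sic, "1"]


if __name__ == "__main__":
    install = r"C:\Program Files\rapid7\InsightIDR"   # adjust to your Collector
    print("certificate:", find_opsec_cert(install, "InsightIDR"))
    print("port open:", lea_port_reachable("10.100.100.101", 18184))
    print("hints:", diagnose_debug_log(SAMPLE_DEBUG_LOG))
```

Run it from the Collector after each change to fwopsec.conf; if the port check fails, the guide's rule is that the auth_type is wrong or the rulebase is blocking the Collector, and no amount of re-pulling the certificate will help.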
Collect Logs from a Separate Log Server
While it is possible to have the Check Point Management Station simultaneously be the Check Point Log Server, it is common for these two roles to be hosted on separate servers. If you have a separate server for the Log Server, you will also need the following information, which is from Check Point's Knowledge-base.
Solution
Follow these steps to connect an OPSEC LEA to a Log Server / Domain Log Server:
- Follow the documentation provided with OPSEC Software to establish a LEA connection between OPSEC LEA and the Security Management Server / Domain Management Server. This includes defining the OPSEC LEA object, creating a SIC password and pulling the opsec.p12 file from the Security Management Server / Domain Management Server.
- In the SmartDashboard, go to Policy menu -> Install Database... and select the Log Server / Domain Log Server object.
- Edit the OPSEC LEA configuration on the OPSEC software to point the lea_server_ip to the IP address of the Log Server / Domain Log Server.
- Edit the OPSEC LEA configuration to reflect the CN of the Log Server / Domain Log Server:
Instead of
lea_server opsec_entity_sic_name "CN=cp_mgmt,O=Management..xxxxx"
it should show
lea_server opsec_entity_sic_name "CN=<LOG_SERVER_NAME>,O=Management..xxxxx"
- Restart the OPSEC LEA connection.
Your event source configuration needs to look like the following, where the IP address is the address of the Log Server (not the management station) and the Server SIC Name is the name of the Log Server.
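The retargeting described above changes only two things in the LEA client configuration: the server IP and the CN inside the server SIC name, while the O= part stays the same because the Log Server certificate comes from the same Internal CA. The Python helper below is an added example, not from the Rapid7 or Check Point documentation. It assumes a lea.conf-style file with `lea_server ip` and `lea_server opsec_entity_sic_name` directives in the layout the knowledge-base excerpt shows (the sample contents are constructed), rewrites both, and returns the resulting Server SIC Name so it can be pasted into the InsightIDR event source fields without a typo.

```python
import re

# Constructed OPSEC LEA client configuration, in the style of the excerpt
# above (assumed layout, not a file taken from a real deployment).
SAMPLE_LEA_CONF = """\
lea_server ip 10.100.100.101
lea_server auth_port 18184
lea_server auth_type sslca
lea_server opsec_entity_sic_name "CN=cp_mgmt,O=Management..xxxxx"
opsec_sic_name "CN=InsightIDR,O=Management..xxxxx"
"""

SERVER_IP = re.compile(r"^\s*lea_server\s+ip\s+\S+\s*$")
# group 1: the directive and opening quote; group 2: ",O=..." plus closing quote
SERVER_SIC = re.compile(r'^(\s*lea_server\s+opsec_entity_sic_name\s+")CN=[^,"]+(,.*)$')


def point_to_log_server(conf_text, log_server_ip, log_server_cn):
    """Rewrite the LEA client config so it pulls from a separate Log Server.

    Returns (new_text, server_sic_name). The client's own opsec_sic_name and
    all other directives are left untouched; only the server IP and the CN of
    the server SIC name change.
    """
    out = []
    server_sic = None
    for line in conf_text.splitlines():
        if SERVER_IP.match(line):
            line = f"lea_server ip {log_server_ip}"
        m = SERVER_SIC.match(line)
        if m:
            line = f"{m.group(1)}CN={log_server_cn}{m.group(2)}"
            server_sic = f"CN={log_server_cn}{m.group(2).rstrip()}".rstrip('"')
        out.append(line)
    return "\n".join(out) + "\n", server_sic


if __name__ == "__main__":
    text, sic = point_to_log_server(SAMPLE_LEA_CONF, "10.100.100.102", "logsrv1")
    print(text)
    print("Server SIC Name for InsightIDR:", sic)
```

If server_sic comes back as None, the configuration had no opsec_entity_sic_name line, which means the SIC setup against the management server was never completed and the earlier steps need to be repeated first.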

VPN Users - Confidential Logging Issue
If you are using Check Point as both a firewall and VPN, you may notice that the LEA configuration replaces log fields, such as machine name or user, with strings such as ***Confidential***. This prevents InsightIDR from associating the VPN activity with users, which will limit the ability to detect and investigate incidents.
To change this:
- Go to the "LEA" permissions.
- Change Permissions to Read Logs to Show all log fields.

When "Hide all confidential log fields" is enabled for an OPSEC LEA Server object, the Confidential Log Fields are:
- Source Machine Name
- User
- Source User Name
- User Display Name
- Source User Group
- Destination Machine Name
- Destination User Name
- User DN
- Sender
- DLP Recipients
- UserCheck Message to User
- User Group
- Source Machine Group
- Description
For Additional Help
Please see Check Point's troubleshooting guide for more information here.
You can also read through IBM QRadar's troubleshooting guide here: https://www-01.ibm.com/support/docview.wss?uid=swg22012801