Check Point

Overview

OPSEC LEA (Log Export API) allows InsightIDR to pull logs from a Check Point device using the OPSEC SDK, instead of having the device forward its logs to a port on the InsightIDR Collector. The OPSEC LEA Server listens on port tcp/18184 on the Check Point device that holds your logs; the OPSEC LEA Client (the Collector) connects to that port and pulls the logs.

Configuring OPSEC LEA

Check Point is one of the more difficult event sources to configure. It must be installed on a Windows collector and requires several complicated steps.

If needed, find the OPSEC SDK here.

The checkpoint-config folder is no longer created on the collector. You will need to manually create it, along with the "application" folder that is described in the Check Point Guide.

Ensure that port tcp/18184 is allowed by the firewall rule base and enabled in the SmartCenter fwopsec.conf file; the LEA server is disabled by default.

Set up Check Point

  1. Create an OPSEC LEA Object within the OPSEC LEA and Applications tab.
  2. From the dashboard go to Manage > Servers and OPSEC Applications.
  3. Click the New button.
  4. Choose OPSEC Application from the New drop-down menu.
  5. In the OPSEC Application Properties dialog, enter InsightIDR in the Name field.
  6. Under Application properties, leave the Vendor field as User defined.
  7. Tick LEA from the Client Entities list.
  8. In the Host Node dialog, enter InsightIDR-Collector in the Name field.
  9. Enter the IP address of the Collector in the IP Address field.
  10. Click the OK button to save the host.

Set a Password for Collector Authentication

In the OPSEC configuration properties, click Communication. You need to set up a one-time password for the Collector to authenticate to Check Point.

  1. Enter your password in the One-time password field.
  2. Re-enter your password in the Confirm One-time password field.
  3. Click the Initialize button.
  4. Click the Close button.

Once you create the password, the Trust state field shows Initialized but trust not established. The state changes to established once the Collector has successfully communicated with the Check Point server.

Identify the DN

The OPSEC Application is now created. You may need to identify the DN of the object (it is used later as the Application SIC Name). To do this:

  1. Highlight the object.
  2. Click the Edit button.
  3. Take note of the DN.

Save the configuration and install the database if you are using SmartCenter or Provider-1. If you are collecting directly from the firewall, you will need to add a rule to your rule base that allows the Collector to connect to the firewall over port tcp/18184.

Exporting the certificate

The opsec_pull_cert.exe command-line tool from the OPSEC SDK pulls the certificate issued to the OPSEC Application object from the Check Point management server, so that the Collector can authenticate to the LEA server.

opsec_pull_cert.exe -h host -n name -p password [-o output file]

Referring to the previous command, substitute:

  • host with the address of the Check Point management server
  • name with the name of the OPSEC Application object you created (InsightIDR in the example above)
  • password with the one-time password you set for the Collector
  • output file with opsec.p12

Here is the command line with the appropriate parameters.

opsec_pull_cert.exe -h 10.100.100.101 -n InsightIDR -p MyOneTimePassword -o opsec.p12

After exporting the file, move it to the following directory on the Windows machine running the
InsightIDR Collector:

  • C:\{InsightIDR Installed Directory}\checkpoint-config\{Application Name}\

where Application Name matches the name argument from the opsec_pull_cert.exe command.

Restart the event source to load the certificate into the Collector.

Enabling the LEA server

Perform the following steps to enable the LEA server so that the Collector can connect to the firewall or management server. The LEA server is disabled by default. You need to edit the fwopsec.conf file, which resides in the $FWDIR/conf directory on Linux, or in the %FWDIR%\conf\ directory on Windows.

  1. Locate the following lines:
    #lea_server auth_port 18184
    #lea_server port 0

  2. Change the lines to read as follows (if the lines are missing, add them to the file):
    lea_server auth_port 18184
    lea_server auth_type ssl_opsec
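As an added example (not Check Point's or Rapid7's tooling), the following Python script applies the fwopsec.conf change above in an idempotent way: it uncomments or rewrites an existing lea_server auth_port / auth_type line, appends the lines if the file does not contain them, and drops duplicate entries so that a stale value further down cannot win. SAMPLE_CONF is a constructed stand-in for the default stanza quoted above; the script name, the command-line usage and the .bak backup file are assumptions.

```python
"""Set the 'lea_server auth_port' and 'lea_server auth_type' lines in a Check Point
fwopsec.conf.  Added example, not Check Point or Rapid7 code.  Assumes the layout
quoted on this page: one 'lea_server <key> <value>' per line, possibly commented
out with a leading '#'.

Usage on the management / log server (path, script name and .bak suffix are
assumptions):  python3 set_lea_server.py $FWDIR/conf/fwopsec.conf 18184 sslca
"""
import re
import sys

# Matches both active and commented-out lea_server lines, capturing key and value.
LEA_LINE = re.compile(r"^\s*#?\s*lea_server\s+(\w+)\s+(\S+)\s*$")


def set_lea_server(conf_text, auth_port="18184", auth_type="sslca"):
    """Return conf_text with exactly one active auth_port and one active
    auth_type line.  Existing lines for those keys (commented or not) are
    rewritten in place, duplicates are dropped, and missing keys are appended.
    Other lea_server keys, such as the clear-text 'port 0' line, are untouched."""
    wanted = {"auth_port": str(auth_port), "auth_type": auth_type}
    seen = set()
    out = []
    for line in conf_text.splitlines():
        m = LEA_LINE.match(line)
        if m and m.group(1) in wanted:
            key = m.group(1)
            if key in seen:
                continue  # a later duplicate would otherwise override our value
            seen.add(key)
            out.append(f"lea_server {key} {wanted[key]}")
        else:
            out.append(line)
    for key in ("auth_port", "auth_type"):
        if key not in seen:
            out.append(f"lea_server {key} {wanted[key]}")
    return "\n".join(out) + "\n"


def active_lea_settings(conf_text):
    """Parse the uncommented lea_server lines into {key: value}, to verify the
    result before restarting the LEA server."""
    settings = {}
    for line in conf_text.splitlines():
        m = LEA_LINE.match(line)
        if m and not line.lstrip().startswith("#"):
            settings[m.group(1)] = m.group(2)
    return settings


# Constructed sample mirroring the default (disabled) stanza quoted on this page.
SAMPLE_CONF = """\
#
#lea_server auth_port 18184
#lea_server port 0
#
"""

if __name__ == "__main__":
    if len(sys.argv) == 4:
        path, port, auth = sys.argv[1:]
        with open(path) as fh:
            original = fh.read()
        with open(path + ".bak", "w") as fh:
            fh.write(original)  # keep a copy to roll back from
        with open(path, "w") as fh:
            fh.write(set_lea_server(original, port, auth))
    else:
        print(set_lea_server(SAMPLE_CONF), end="")
```

Run it without arguments to see what it would do to the default stanza; with a path, port and auth_type it rewrites the file in place after saving a backup. Whichever auth_type you pick (ssl_opsec as above, or sslca / ssl_ca as the troubleshooting sections discuss), active_lea_settings() shows what the LEA server will read after a restart.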

OPSEC LEA Troubleshooting

Installing the Visual C++ Redistributable

If the event source fails with the error message Check Point LEA Engine terminated unexpectedly, extra files need to be installed on the machine running the Collector to support the Check Point event source.

These files can be downloaded here.

Important: Select the vcredist_x86.exe file even though the Collector is a 64-bit system. Install the additional DLLs and restart the computer. The Check Point event source should now be able to connect to the Check Point firewall.

Directly Invoking the Check Point Executable

If the Check Point event source continues to experience errors, invoke the executable responsible for connecting to Check Point directly. This executable is found in one of the higher-numbered bundles under the felix-cache directory:

C:\{InsightIDR installed directory}\felix-cache\bundle{XX}\data\opsec\checkpoint-lea-win-exe.exe

where {XX} is a high-numbered bundle in your felix-cache directory that has the opsec subdirectory inside it. The executable must be invoked with a number of parameters to connect to the Check Point server:

C:\{InsightIDR installed directory}\felix-cache\bundle{XX}\data\opsec\checkpoint-lea-win-exe.exe "lea_server" "{application SIC name}" "{path to certificate file}" "{Check Point address}" "{Check Point port}" "sslca" "{server SIC name}" "1"

For example, substituting these:

  • {InsightIDR installed directory} with C:\Program Files\rapid7\InsightIDR
  • bundle{XX} with bundle45
  • {application SIC name} with CN=InsightIDR,O=fwmgmt.myorg.org.ab12cd
  • {path to certificate file} with C:\Program Files\rapid7\InsightIDR\checkpoint-config\InsightIDR\opsec.p12
  • {Check Point address} with 10.100.100.101
  • {Check Point port} with 18184
  • {server SIC name} with cn=cp_mgmt,o=fwmgmt.myorg.org.ab12cd

would result in the following command:


C:\Program Files\rapid7\InsightIDR\felix-cache\bundle45\data\opsec\checkpoint-lea-win-exe.exe "lea_server" "CN=InsightIDR,O=fwmgmt.myorg.org.ab12cd" "C:\Program Files\rapid7\InsightIDR\checkpoint-config\InsightIDR\opsec.p12" "10.100.100.101" "18184" "sslca" "cn=cp_mgmt,o=fwmgmt.myorg.org.ab12cd" "1"

Once the EXE returns (even if it prints no error itself), look for the opsec-debug.log file in the same folder as the Check Point executable. This file contains detailed diagnostics of the failure.

If the file contains the following error:

[OpsecDebug]PM_session_init: given session O(CN=UserInsight,O=fwmgmt.myorg.org.ab12cd;cn=cp_mgmt,o=fwmgmt.myorg.org.ab12cd;18184;lea).
[OpsecDebug]PM_policy_query: input session O(CN=UserInsight,O=fwmgmt.myorg.org.ab12cd;cn=cp_mgmt,o=fwmgmt.myorg.org.ab12cd;18184;lea).
[OpsecDebug]PM_policy_query: rule found (ME;cn=cp_mgmt,o=fwmgmt.myorg.org.ju2ahc;18184;lea;sslca(1/1)).
[OpsecDebug]PM_policy_query: finished successfully. 1st method = sslca
[OpsecDebug]PM_policy_choose: finished successfully. choose: DENY.
[OpsecDebug]policy_choose: choose failed.
[OpsecDebug]sic_client_negotiate_auth_method: policy choose failed.
[OpsecDebug]fwasync_mux_in: 360: handler returned with error
[OpsecDebug]sic_client_end_handler: for conn id = 360
[OpsecDebug]opsec_auth_client_connected: connect failed (119)

Update the fwopsec.conf file described above under "Enabling the LEA server" to use the auth_type ssl_ca, after which the file will read:

lea_server auth_port 18184
lea_server auth_type ssl_ca

How to Configure Check Point in InsightIDR

  • From your dashboard, select Data Collection on the left hand menu
  • At the top right of the page, select the dropdown that says "Setup Event Source" and then choose Add Event Source
  • Select the Firewall icon from the Security Data section
  • Select your collector, and from the list of options, choose Check Point FireWall-1
  • Optionally choose to send unfiltered logs
  • Choose a timezone, or optionally choose a US timezone
  • Select OPSEC LEA as your collection method. You will need the following information:
    • IP Address
    • Port (of the authentication LEA server)
    • OPSEC Application Name
    • Application SIC Name
    • Server SIC Name

Troubleshooting and Common Errors

If the debug log contains the error:

[OpsecDebug]fw_VerifySigned: unsupported algorithm
[OpsecDebug]fwCRL_good_for_cert: signature verification failed: -3
[OpsecDebug]sslca_check_crlreq_make_answer: fetching crl failed

  1. Check whether you are running R80 or later on your Check Point.
  2. If so, according to Check Point support, R80 signs certificates with SHA-256 by default.
  3. To get the application to connect to R80 infrastructure, force cpca to issue SHA-1 certificates as shown in sk103840 (SHA-1 and SHA-256 certificates in Check Point Internal CA (ICA)).


That sk specifically covers post-install or post-upgrade instructions, before any other configuration has been done. To change the cp_mgmt certificate at any later time, refer to sk110559 ("Bad certificate - SIC error 301 for lea" error when fetching 3rd party OPSEC server certificates), which has instructions for SMS and MDS.


Ezenta has provided the following steps to configure an R80+ Check Point:

  1. Delete the old OPSEC object in SmartConsole.
  2. Change the Internal CA on the CP management to issue certificates with a sha1 signature. In expert mode CLI: cpca_client set_sign_hash sha1
  3. Make a new OPSEC object in SmartConsole (follow the Rapid7 guide).
  4. Create SIC (get certificate) between the CP Mgmt server and the Rapid7 collector.
  5. Run opsec_pull_cert.exe.
  6. Change the Internal CA on the CP management back to issuing certificates with a sha256 signature. In expert mode CLI: cpca_client set_sign_hash sha256
  7. Change fwopsec.conf to contain the following:
lea_server auth_port  18185
lea_server auth_type  sslca
  8. Place the certificate on the collector (follow the Rapid7 guide).
  9. Set the details in the Rapid7 InsightIDR web UI.

Note: some issues can occur when using standard OPSEC port 18184; please use 18185 instead.

Error "terminated unexpectedly"

If you receive this error on the event sources page:

  1. Use the Check Point LEA executable to check the settings and produce an error log.
  2. This must be run on the Collector itself (Windows based) and requires the Visual Studio DLLs:
    a. Install the Visual Studio redistributable vcredist_x86.exe on the Collector server. The Microsoft link is here.
    b. NOTE: In some instances, the 32-bit version must be installed on a 64-bit operating system.
  3. Change to the bundle data directory:
cd C:\Program Files\rapid7\UserInsight\felix-cache\bundle43\data
    a. NOTE: the bundle name may NOT match the above example on your installation.
  4. Run the following command, substituting the correct OPSEC SIC names etc. The entity SIC names are case-sensitive.
opsec\checkpoint-lea-win-exe.exe "lea_server" "CN=User_Insight,O=fwmgmt.xxx.org.xxx" "C:\Program Files\rapid7\UserInsight\checkpoint-config\User_Insight\opsec.p12" "10.1.1.4" "18184" "sslca" "cn=cp_mgmt,o=fwmgmt.xxx.org.xxx" "1"
  5. Examine the opsec-debug.log file produced by the above command.
  6. Search for an error titled "SIC Error for lea: Client could not choose an authentication method for service lea".
  7. If this error is present, edit the fwopsec.conf file and change the auth_type to "ssl_ca", so that the following appears below the auth_port entry:
  lea_server  auth_port    18184
  lea_server  auth_type    ssl_ca

Note: depending on the version of Check Point, you may need to specify the auth_type as sslca, without the underscore:

lea_server  auth_type    sslca

  8. You can determine whether the auth_type setting worked by trying to telnet from the Collector to the Check Point over port 18184. If you cannot connect to port 18184 (and the rule base allows the Collector to reach it), the auth_type setting used is wrong.
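The diagnosis in this section and in "Directly Invoking the Check Point Executable" above both come down to recognising a few lines in opsec-debug.log. The following Python script is an added example, not part of this page or of Rapid7's Collector: it scans the log for the two signatures quoted on this page (the policy-choose DENY that points at auth_type, and the unsupported-algorithm / CRL failure that points at SHA-256 certificates on R80+), prints the remediation the page gives for each, and additionally checks that the O= component of the application and server SIC names in the PM_session_init line agree (a check added here; the page only shows the two names side by side). LOG_AUTH_DENY and LOG_CRL are excerpts constructed from the lines quoted on this page; the script name and the log path in the usage line are assumptions.

```python
"""Triage an opsec-debug.log written by checkpoint-lea-win-exe.exe.
Added example, not Rapid7 or Check Point code.  The signatures and fixes are
the ones quoted on this page; LOG_AUTH_DENY and LOG_CRL are excerpts
constructed from those quotes.  Usage on the Collector (path is an assumption):
    python triage_opsec_debug.py "C:\\Program Files\\rapid7\\InsightIDR\\felix-cache\\bundle45\\data\\opsec\\opsec-debug.log"
"""
import re
import sys

# (name, pattern that identifies the failure, remediation given on this page)
SIGNATURES = [
    ("auth_type mismatch",
     re.compile(r"PM_policy_choose: .*choose: DENY|policy choose failed|"
                r"could not choose an authentication method for service lea"),
     "Set 'lea_server auth_type ssl_ca' (or 'sslca', depending on the Check Point "
     "version) under the auth_port line in $FWDIR/conf/fwopsec.conf."),
    ("SHA-256 ICA certificate (R80+)",
     re.compile(r"fw_VerifySigned: unsupported algorithm|fetching crl failed"),
     "R80+ signs certificates with SHA-256 by default: switch the ICA to sha1 "
     "(cpca_client set_sign_hash sha1, see sk103840 / sk110559), pull the "
     "certificate again, then switch the ICA back to sha256."),
]

SESSION = re.compile(r"PM_session_init: given session O\(([^;]+);([^;]+);")
SIC_DN = re.compile(r"^CN=([^,]+),O=(.+)$", re.IGNORECASE)


def triage_log(text):
    """Return [(name, remediation)] for every known signature present in text."""
    return [(name, fix) for name, rx, fix in SIGNATURES if rx.search(text)]


def session_sic_names(text):
    """Return (application SIC name, server SIC name) from the PM_session_init
    line, or None if the client never got that far."""
    m = SESSION.search(text)
    return (m.group(1), m.group(2)) if m else None


def sic_org_mismatch(app_sic, server_sic):
    """True when the O= part of the two SIC names differs (or either is not a
    CN=...,O=... name): the application certificate then comes from a different
    ICA than the server it is talking to.  This check is added here; the page
    only shows the two names side by side in the example command."""
    a, s = SIC_DN.match(app_sic.strip()), SIC_DN.match(server_sic.strip())
    if not (a and s):
        return True
    return a.group(2).lower() != s.group(2).lower()


# Constructed excerpts of the two debug logs quoted on this page.
LOG_AUTH_DENY = """\
[OpsecDebug]PM_session_init: given session O(CN=InsightIDR,O=fwmgmt.myorg.org.ab12cd;cn=cp_mgmt,o=fwmgmt.myorg.org.ab12cd;18184;lea).
[OpsecDebug]PM_policy_query: finished successfully. 1st method = sslca
[OpsecDebug]PM_policy_choose: finished successfully. choose: DENY.
[OpsecDebug]policy_choose: choose failed.
[OpsecDebug]sic_client_negotiate_auth_method: policy choose failed.
[OpsecDebug]opsec_auth_client_connected: connect failed (119)
"""
LOG_CRL = """\
[OpsecDebug]fw_VerifySigned: unsupported algorithm
[OpsecDebug]fwCRL_good_for_cert: signature verification failed: -3
[OpsecDebug]sslca_check_crlreq_make_answer: fetching crl failed
"""

if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], errors="replace") as fh:
            text = fh.read()
    else:
        text = LOG_AUTH_DENY
    names = session_sic_names(text)
    if names and sic_org_mismatch(*names):
        print(f"SIC organisation mismatch: {names[0]} vs {names[1]}")
    hits = triage_log(text) or [("no known signature", "read the log by hand")]
    for name, fix in hits:
        print(f"{name}: {fix}")
```

The SIC organisation check runs before the signature match because a wrong Server SIC Name (for example the management server's cp_mgmt name when the logs live on a separate Log Server, or a name from a different ICA) produces failures that look like the auth_type case but are not fixed by editing fwopsec.conf.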

Collect Logs from a Separate Log Server

While it is possible to have the Check Point Management Station simultaneously be the Check Point Log Server, it is common for these two roles to be hosted on separate servers. If you have a separate server for the Log Server, you will also need the following information, which is from Check Point's Knowledge-base.

Solution

Follow these steps to connect an OPSEC LEA to a Log Server / Domain Log Server:

  1. Follow the documentation provided with the OPSEC software to establish the LEA connection between the OPSEC LEA client and the Security Management Server / Domain Management Server. This includes defining the OPSEC LEA object, creating a SIC password and pulling the opsec.p12 file from the Security Management Server / Domain Management Server.
  2. In the SmartDashboard, go to Policy menu -> Install Database... and select the Log Server / Domain Log Server object.
  3. Edit the OPSEC LEA configuration on the OPSEC software to point the lea_server_ip to the IP address of the Log Server / Domain Log Server.
  4. Edit the OPSEC LEA configuration to reflect the CN of the Log Server / Domain Log Server:

Instead of:

lea_server opsec_entity_sic_name "CN=cp_mgmt,O=Management..xxxxx"

It should show:

lea_server opsec_entity_sic_name "CN=<LOG_SERVER_NAME>,O=Management..xxxxx"
  5. Restart the OPSEC LEA connection.

In your InsightIDR event source configuration, the IP Address must then be the address of the Log Server (not the management station) and the Server SIC Name must be the SIC name of the Log Server.
