
To collect log data from Check Point devices, you must set up LEA servers under Management > Check Point Configuration.

Log Export API (LEA) is used to retrieve and export VPN-1/FireWall-1 log data. Check Point Management Interface (CPMI) provides a secure interface to the Check Point management server's databases.

For more information about:

• LogLogic support of Check Point, see the LogLogic Check Point Management Station Log Configuration Guide.

• Check Point LEA servers and CPMI protocols, see your Check Point documentation.

Topics

• Managing Check Point Log Sources

• Adding an LEA Server

• Adding a Separate LEA Firewall

• Adding a Separate LEA Interface

Managing Check Point Log Sources

You define the LEA server and CPMI protocols using the LEA Servers tab. If the firewall or interface for the LEA server is on a different Check Point log source than the LEA server, you must specify it using the Firewalls or Interfaces tabs. The Firewalls and Interfaces tabs are accessible only after you add at least one LEA server to the Appliance.

The LEA Servers tab lists the LEA servers defined on the Appliance. Using this tab you can:

• Add new LEA servers

• Modify existing LEA servers

• Delete existing LEA servers

• View LEA, CPMI, and LEA server status

• Start or stop LEA servers

• Manually propagate LEA server definitions downstream (all new and updated LEA servers are automatically propagated after their properties are set)

The Firewalls and Interfaces tabs similarly let you add, modify, delete, and view firewalls and interfaces.

When modifying an LEA server, firewall, or interface, you have access to the same parameters and options. Using this tab, you can perform the following:

• To add a new LEA server to the Appliance, click Add New. The Add LEA Server tab appears. For more information, see Adding an LEA Server.

• To modify an existing LEA server on the Appliance, click the server's Name. Make the necessary changes using the Modify LEA Server screen and click Update.

• To remove an LEA server from the Appliance, check the server's checkbox and then click Remove.

• To start an LEA server, in its row click .

• To stop a running LEA server, in its row click .

• To refresh the LEA Servers tab, click Refresh.

• To manually propagate LEA server definitions to downstream syslog receivers, click .

LEA Server Definition Propagation

Definitions are automatically propagated whenever you add or update an LEA server. For example, you can propagate information from ST to LX, LX to LX, or LX to ST Appliances. The propagation icon appears only after you add at least one LEA server.

Before you can enable this feature, you must perform the following tasks:

• Allow access to TCP port 5514. Use Administration > Firewall Settings to configure your ports.

• Verify that at least one Appliance is listed on the Administration > Message Routing tab of your Appliance(s).
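A pre-flight check for the first prerequisite, added here as an example and not part of the LogLogic product or documentation: it classifies TCP port 5514 on each downstream receiver as open, closed, or filtered, so a missing firewall rule can be told apart from a receiver that is not listening. The receiver addresses are constructed placeholders, and the script is assumed to run from a host on the same network segment as the upstream Appliance.

```python
import errno
import socket

PROPAGATION_PORT = 5514  # TCP port this page says must be allowed for propagation


def classify_port(host, port=PROPAGATION_PORT, timeout=3.0):
    """Classify one TCP port as 'open', 'closed', 'filtered' or 'unreachable'."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"          # handshake completed: a listener accepted
    except ConnectionRefusedError:
        return "closed"            # RST: nothing listening, or a rule rejecting
    except socket.timeout:
        return "filtered"          # no reply: typically a firewall dropping SYNs
    except OSError as exc:
        if exc.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
            return "unreachable"   # routing problem, not a port rule
        return "error: %s" % exc   # e.g. name resolution failure


def preflight(receivers, port=PROPAGATION_PORT, timeout=3.0):
    """Check every downstream receiver and return {host: state}."""
    return {host: classify_port(host, port, timeout) for host in receivers}


def blocked(results):
    """Hosts whose propagation port did not accept a connection."""
    return sorted(host for host, state in results.items() if state != "open")


if __name__ == "__main__":
    # Constructed placeholder addresses (RFC 5737 documentation range).
    downstream = ["192.0.2.10", "192.0.2.11"]
    results = preflight(downstream)
    for host, state in results.items():
        print("%-15s tcp/%d %s" % (host, PROPAGATION_PORT, state))
    if blocked(results):
        print("Check Administration > Firewall Settings for:",
              ", ".join(blocked(results)))
```

A "filtered" result points at a port rule dropping traffic, while "closed" means the host answered but nothing accepted the connection on that port.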

Adding an LEA Server

You can define an LEA Server on the Appliance from Management > Check Point > LEA Servers. This lets you collect log data from that Check Point log source.

If the firewall or interface for this LEA server is on a separate Check Point log source, use the Firewalls or Interfaces tabs instead of the Add Firewalls & Interfaces section in step 7.

To Add an LEA Server:

1. Type the Name for the LEA server.

2. Select an Agent Mode to define how the LEA server starts. The default is Automatic, to ensure that the Check Point connection is established during system boot up.

3. Make sure that Enable Data Collection is set to Yes.

4. (Optional) Type a Description for the LEA server.

5. Establish Secure Internal Communication (SIC):

a. Check the Establish Secure Internal Communication checkbox.

b. Enter the Check Point server SIC IP address.

c. Enter the Activation Key for the OPSEC Application on the Check Point log source.

d. Enter the OPSEC Application Name for the application on the Check Point log source.

6. Set up the SSL connection to the LEA server:

a. Check the SSL Connection to LEA Server checkbox to enable it.

b. Type the LEA IP address for the LEA server.

c. Type the LEA Port number for the LEA server.

d. Type the LEA Server DN (domain name).

7. If the firewall and interface are on the same Check Point log source as the LEA server, configure them.

If they are on separate Check Point log sources, after adding this LEA server, use the Firewalls and Interfaces tabs instead.

a. Select the appropriate Add Firewalls & Interfaces radio button:

— CPMI Auto Discovery - Automatically detects any Check Point Management Interface (CPMI) log sources connected to your system.

— Manual Input - Lets you manually input each CPMI log source.

b. Type the CPMI IP address.

c. Type the CPMI Port number.

d. Type the Check Point User Name. You must create an Administrator account in your Check Point application before you can use that ID for the Check Point User Name field on the LogLogic Appliance.

e. Type the Check Point User Password. You must create an Administrator account in your Check Point application before you can use that password for the Check Point User Password field on the LogLogic Appliance.

f. Select SSL Connection to CPMI Server to enable the SSL connection to your CPMI server.

g. Type the CPMI Server DN (domain name).

8. Click Add to add the LEA server. The new server definition is automatically propagated to the downstream syslog receivers.

Adding a Separate LEA Firewall

The Add LEA Firewall tab lets you define a firewall to associate with an LEA server defined on the Appliance. This lets you collect firewall log data from that Check Point log source.

If the firewall is on a separate Check Point log source from the LEA server, use the Add LEA Firewall tab. If the firewall is on the same Check Point log source as the LEA server, you would have defined the firewall in the Add Firewalls & Interfaces section while adding the LEA server.

• To add a new LEA Firewall to the Appliance, click Add New. The Add LEA Firewall tab appears. For more information, see Adding an LEA Server.

• To modify an existing LEA Firewall on the Appliance, click the firewall's Name. Make the necessary changes using the Modify LEA Firewall screen and click Update.

• To remove Firewalls from the Appliance, check the firewall name's checkbox and then click Remove.

To Add a Firewall to the LEA Server:

1. Select an LEA Server from the drop-down menu to associate with the firewall.

2. Type a Name for the firewall.

3. Type a Description for the firewall.

4. Select the Yes radio button to Enable Data Collection.

5. Click Add to add the firewall.

Adding a Separate LEA Interface

The Add LEA Interface tab lets you define an interface for an LEA server defined on the Appliance. This interface is the actual log source for the Check Point system, and the interface IP address appears as the origin in LEA messages.

Complete the configuration options listed below. If the interface is on a separate Check Point log source from the LEA server, use this Add LEA Interface tab. If the interface is on the same Check Point log source as the LEA server, you would have defined the interface in the Add Firewalls & Interfaces section while adding the LEA server.

• To add a new LEA Interface to the Appliance, click Add New. The Add LEA Interface tab appears.

• To modify an existing LEA Interface on the Appliance, click the firewall's Name. Make the necessary changes using the Modify LEA Interface screen and click Update.

• To remove Interfaces from the Appliance, check the interface’s checkbox and then click Remove.

To add an Interface to the LEA Server:

1. Select an LEA Server to associate with the interface.

2. Select a firewall to associate with the interface.

3. Type a Name for the interface.

4. Type the Interface IP address.

5. Type the Interface IP mask.

6. For Enable, indicate whether to activate the interface. The default is Yes.

7. For Trusted, indicate whether to flag the interface as secure. The default is No.

8. For Log Origin, indicate whether the interface is the origin of the log message. The default is No. Typically the origin is the interface that is connected to the Check Point Management Station.

9. (Optional) Type a Description for the interface.

10. Click Add to add the interface.