Configuring the Checkpoint Collector for Checkpoint SmartCenter using Secure Platform and holding the logs locally on the Checkpoint SmartCenter server
These instructions assume that you are not using Provider 1 with Checkpoint and that the SmartCenter server stores its logs locally. Check the path to the cpmad_opsec.conf file: if the path is /var/opt/CPsuite-R60/fw1/conf/cpmad_opsec.conf, this is SmartCenter.
For information on configuring Checkpoint SmartCenter, use the attached SEC_for_CheckPoint_42.pdf file for the Checkpoint 4.2 and 4.3 collectors.
- Using the Global SmartDashboard:
Create a name for the OPSEC Application Object. This value will be used during the configuration of the collector.
For the Host value, specify the IP address of the SSIM collector computer.
For the Client Entities type, choose LEA.
Click on the Communications button and, in the dialog box, enter a password for the Activation Key. This password will be used to generate an SSL certificate that is used during the collector configuration.
After you have entered the password, click Initialize. The status shown should change to "Initialized no trust established". If it does not, Checkpoint SmartCenter is not set up correctly; work with your Checkpoint admin to configure Checkpoint SmartCenter.
- Log into Checkpoint as Expert and, using vi, modify the cpmad_opsec.conf and fwopsec.conf files. These should be the only lines that are not remarked out in these files:
lea_server ip <IP Address of the SmartCenter server>
(do not use 127.0.0.1 in this case)
lea_server auth_port 18184
lea_server port 0
lea_server auth_type sslca
- Restart the server
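The edits to cpmad_opsec.conf and fwopsec.conf can be checked before the restart with a small script. This is an added example, not part of the original techdoc or vendor tooling; the function name check_lea_conf is hypothetical, and it assumes remarked-out lines begin with '#'.

```shell
#!/bin/sh
# Added example: confirm that the only active lines in an OPSEC conf file are
# the four lea_server settings listed in this procedure.
# Assumption: a "remarked out" line is one that starts with '#'.
check_lea_conf() {   # $1 = path to cpmad_opsec.conf or fwopsec.conf
    awk '
    BEGIN { want["ip"] = ""; want["auth_port"] = "18184"
            want["port"] = "0"; want["auth_type"] = "sslca" }
    /^[ \t]*(#|$)/ { next }                  # skip remarked-out and blank lines
    $1 != "lea_server" || NF != 3 || !($2 in want) {
        printf "line %d: unexpected active line: %s\n", NR, $0; bad = 1; next
    }
    { seen[$2]++ }
    $2 == "ip" {                             # any address except loopback
        if ($3 ~ /^127\./) {
            printf "line %d: lea_server ip is loopback, use the SmartCenter IP\n", NR
            bad = 1
        }
        next
    }
    $3 != want[$2] {
        printf "line %d: lea_server %s is %s, expected %s\n", NR, $2, $3, want[$2]
        bad = 1
    }
    END {
        for (k in want) if (seen[k] + 0 != 1) {
            printf "lea_server %s: expected 1 active line, found %d\n", k, seen[k]
            bad = 1
        }
        exit bad + 0                         # 0 = file matches the procedure
    }' "$1"
}

# Constructed sample file: loopback address and no active auth_type line.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# lea_server port 18184
lea_server ip 127.0.0.1
lea_server auth_port 18184
lea_server port 0
EOF
check_lea_conf "$sample" || echo "sample file does not match the procedure"
rm -f "$sample"
```

Run the function against both files on the SmartCenter server; a non-zero exit status means at least one line differs from the values above.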
SSIM Sensor Configuration
- Log into the SSIM Client UI, go to System -> Product Configurations -> Checkpoint, and create a configuration.
- Set up the Sensor using these values:
LEA OPSEC application name = OPSEC application name
LEA server IP-address = IP Address of the SmartCenter Server
LEA server Auth Port = 18184
LEA Server Auth Type = sslca
LEA Server Port = 0
LEA server OPSEC entity SIC name = use the SIC name of the Global Name (OPSEC SIC Name = the name that appeared next to the Initialize button of the OPSEC application)
Read audit log = checked
Note: This techdoc was created for the Symantec Event Collector 4.3 for Check Point FireWall-1. If you are trying to configure the Symantec Event Collector 4.4 for Check Point LEA, please refer to the Quick Reference for this collector.