Configuring the On-Box Checkpoint Collector to Collect from Checkpoint Provider-1 with distributed MDS/CMA and MDS/MLM/CLM environment with Firewalls Logging to CLMs

Article:TECH85715  |  Created: 2007-01-22  |  Updated: 2011-11-15  |  Article URL http://www.symantec.com/docs/TECH85715
Article Type
Technical Solution


Issue





 


Environment



Note:  This techdoc was created for the Symantec Event Collector 4.3 for Check Point FireWall-1.  If you are trying to configure the Symantec Event Collector 4.4 for Check Point LEA please refer to the Quick Reference for this collector.


Solution



Setting up Checkpoint NG R55:

    Log in to Expert mode by typing "expert" and entering the provider superuser password.
    Then, do the following:

    Quickly confirm the desired CLM is up and running by typing the following command:

    [Expert@mlm]# mdsstat

    Which should return a table similar to this:
    +--------------------------------------------------------------------------------------+
    |                              Processes status checking                               |
    +-----+-----------------+-----------------+-----------+----------+----------+----------+
    | Type| Name            | IP address      | FWM       | FWD      | CPD      | CPCA     |
    +-----+-----------------+-----------------+-----------+----------+----------+----------+
    | MDS | -               | 192.168.0.70    | up 1196   | up 1195  | up 1194  | N/R      |
    +-----+-----------------+-----------------+-----------+----------+----------+----------+
    | CMA | clm1            | 192.168.0.71    | up 2137   | up 2136  | up 2111  | down     |
    +-----+-----------------+-----------------+-----------+----------+----------+----------+
    | Total customer add-ons checked: 1     1 up    0 down                                 |
    | Tip: Run mdsstat -h for legend                                                       |
    +--------------------------------------------------------------------------------------+


    Type the following commands, pressing Enter after each one:
    [Expert@mlm]# mdsenv clm1
    [Expert@mlm]# cd $FWDIR/conf
    [Expert@mlm]# vi cpmad_opsec.conf

    After you open the cpmad_opsec.conf file in vi, change the following cpmad_opsec.conf default lines:

    lea_server ip 127.0.0.1
    lea_server auth_port 18184
    lea_server auth_type local


    to these lines:

    lea_server ip 127.0.0.1
    lea_server auth_port 0
    lea_server auth_type local
    lea_server port 18184


    Save and exit the file, then edit the fwopsec.conf file. By default this file is entirely commented out; as long as that is also the case in your environment, simply add the following two uncommented lines to the bottom of the file.

    Type the following command, add the following lines, then save and close the file:

    [Expert@mlm]# vi fwopsec.conf

    lea_server auth_port 0
    lea_server port 18184

    Then type:
    [Expert@mlm]# cprestart

    The following lines should appear:
    performing cpridstop ("/opt/CPmds-R62/customers/clm1/CPshrd-R62/bin/cpridstop"):
    /opt/CPmds-R62/customers/clm1/CPshrd-R62/tmp/.CPprofile.csh: No such file or directory.
    performing cpstop ("/opt/CPmds-R62/customers/clm1/CPshrd-R62/bin/cpstop" -fwflag -default):
    SmartView Monitor: Management stopped
    Cannot find pid of vpnd
    syslog_clean: sending SIGINT to process 3263VPN-1/FW-1 stopped
    SVN Foundation: failed to stop cpd
    SVN Foundation: cpWatchDog stopped
    SVN Foundation stopped
    performing vpn drv off ("/opt/CPmds-R62/customers/clm1/CPsuite-R62/fw1/bin/vpn" drv off):
    Unable to open '/dev/vpn0': No such file or directory
    Failed to stop VPN-1 module
    performing cpstart ("/opt/CPmds-R62/customers/clm1/CPshrd-R62/bin/cpstart"):
    cpstart: Power-Up self tests passed successfully
    cpstart: Product FloodGate-1 not configured , please use 'cpconfig' to configure it.

    cpstart: Starting product - SVN Foundation

    SVN Foundation: Starting cpWatchDog
    SVN Foundation: cpd already running
    SVN Foundation started


    cpstart: Starting product - VPN-1


    FireWall-1: Starting fwd
    [1] 3384
    FireWall-1: Starting fwm (SmartCenter Server)
    [2] 3385

    FireWall-1: This is a Log Server Station. No security policy will be loaded
    FireWall-1 started

    cpstart: Starting product - SmartView Monitor

    SmartView Monitor: Not active
    performing cpridstart ("/opt/CPmds-R62/customers/clm1/CPshrd-R62/bin/cpridstart"):
    /opt/CPmds-R62/customers/clm1/CPshrd-R62/tmp/.CPprofile.csh: No such file or directory.
    [Expert@mlm]#

  • Configure the Checkpoint Firewall-1 Collector on the Symantec Security Information Manager v4.5 appliance:
      From the SSIM Console => System tab, do the following:
      Create new product configuration for the checkpoint collector. Refer to pages 23 to 25 of the Checkpoint Collector guide to create this configuration.
  • Return to the Checkpoint MLM machine and type the following:

    [Expert@mlm]# netstat -na | grep 18184

    which should return:
    tcp        0      0 192.168.0.71:18184      0.0.0.0:*               LISTEN
    tcp        0      0 192.168.0.70:18184      0.0.0.0:*               LISTEN
    tcp        0      0 192.168.0.71:18184      192.168.0.90:36474      ESTABLISHED


    If you see that the SSIM appliance IP has an ESTABLISHED connection, the chances are good that it is working. To be 100% certain, however, you will need to check the checkpoint collector log to see whether it is receiving new events from Check Point.
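    The edit and the two checks above can be scripted. The following is an added example, not part of the Symantec techdoc: it applies the lea_server change to a CLM's fwopsec.conf (the same function also works on cpmad_opsec.conf, since it only touches the auth_port/port lines) and then verifies the file and a saved "netstat -na" output. In Check Point's OPSEC configuration, "lea_server auth_port" is the SSLCA-authenticated LEA port and "lea_server port" is the clear (unauthenticated) one, so after this change TCP/18184 on the CLM should be reachable only from the collector appliance; the file path, CLM IP and SSIM IP are assumed arguments, and no Check Point commands are run.

```shell
#!/bin/sh
# Added example, not part of the Symantec techdoc: apply and verify the
# "lea_server" change from the steps above. Assumes the config file path is
# passed as $1 (e.g. $FWDIR/conf/fwopsec.conf after "mdsenv <clm>").
LEA_PORT=18184

# Rewrite the effective (uncommented) "lea_server auth_port"/"lea_server port"
# lines and leave every other line, including commented defaults, untouched.
# Safe to run repeatedly; keeps a .bak copy of the original file.
set_lea_clear_port() {
    conf="$1"; tmp="$conf.tmp.$$"
    [ -f "$conf" ] || return 1
    cp -p "$conf" "$conf.bak"
    { grep -E -v '^[[:space:]]*lea_server[[:space:]]+(auth_port|port)[[:space:]]' "$conf" || :; } > "$tmp"
    printf 'lea_server auth_port 0\nlea_server port %s\n' "$LEA_PORT" >> "$tmp"
    mv "$tmp" "$conf"
}

# Return 0 only if the file has exactly one uncommented "auth_port 0" line and
# exactly one uncommented "port 18184" line (the state cprestart should load).
check_lea_conf() {
    conf="$1"
    a=$(grep -E -c '^[[:space:]]*lea_server[[:space:]]+auth_port[[:space:]]+0[[:space:]]*$' "$conf" || :)
    p=$(grep -E -c '^[[:space:]]*lea_server[[:space:]]+port[[:space:]]+'"$LEA_PORT"'[[:space:]]*$' "$conf" || :)
    [ "$a" -eq 1 ] && [ "$p" -eq 1 ]
}

# Read "netstat -na" output on stdin; return 0 if the CLM ($1) is listening on
# 18184 and the SSIM collector ($2) has an ESTABLISHED session to that socket.
check_lea_session() {
    clm=$(printf '%s' "$1" | sed 's/\./\\./g')    # escape dots for the regex
    ssim=$(printf '%s' "$2" | sed 's/\./\\./g')
    out=$(cat)
    printf '%s\n' "$out" | grep -E -q "^tcp.*[[:space:]]$clm:$LEA_PORT[[:space:]].*LISTEN" &&
    printf '%s\n' "$out" | grep -E -q "^tcp.*[[:space:]]$clm:$LEA_PORT[[:space:]]+$ssim:[0-9]+[[:space:]]+ESTABLISHED"
}
```

Typical use on the CLM after "mdsenv clm1": set_lea_clear_port "$FWDIR/conf/fwopsec.conf" && check_lea_conf "$FWDIR/conf/fwopsec.conf", then after cprestart, netstat -na | check_lea_session 192.168.0.71 192.168.0.90.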

    If the collector is still showing the COMM_IS_DEAD error, you will need to turn on OPSEC_DEBUG_LEVEL on the CLM. If the steps above do not work and you have to turn on debugging, the SSIM administrator and the Provider-1 administrator will have to work together to gather the logs that are needed.
    • In the SSIM console, please uncheck the Checkpoint Collector Sensor configuration and save it, then distribute it so that the collector will turn off. To confirm it has indeed turned off, ssh into the collection appliance and tail the checkpoint.log located here: /opt/Symantec/sesa/Agent/logs/checkpoint.log

      The entries should look something like this:

      INFO 2007-09-11 16:06:52,937 Collectors.3120.wGroup.[workinggroup0] workinggroup0 Starting working group for sensor "com.symantec.cas.ucf.sensors.Opsec.OpsecLeaSensor"...
      INFO 2007-09-11 16:06:52,937 Collectors.3120.wGroup.[workinggroup0] workinggroup0 0 events were deserialized
      DEBUG 2007-09-11 16:06:52,938 Collectors.3120.wGroup.[workinggroup0] workinggroup0 Sensor list is empty !
      WARN 2007-09-11 16:06:52,938 Collectors.3120.wGroup.[workinggroup0] workinggroup0 No valid sensors in workinggroup !
      INFO 2007-09-11 16:06:52,938 Collectors.3120.wGroup.[workinggroup0] workinggroup0 Working group is off
    • On the Provider-1 MLM, turn on OPSEC debugging by running the following commands:

      mdsenv clm2 (use the name of the MLM here)

      cd $FWDIR/log

      tail -f fwd.elg

      Ctrl-c

      fw debug fwd on TDERROR_ALL_ALL=5

      fw debug fwd on OPSEC_DEBUG_LEVEL=9


      Before proceeding, make a note of the exact time of the last record from the tail -f output received after the step above. 
    • Go back to the SSIM console, check the box for the Checkpoint Collector Sensor configuration and save it, then distribute it so that the collector will turn back on.
    • Go back to the MLM machine and run the following commands again:
      mdsenv clm2 (use the name of the MLM here)

      cd $FWDIR/log

      tail -f fwd.elg

      Ctrl-c

      fw debug fwd on TDERROR_ALL_ALL=5

      fw debug fwd on OPSEC_DEBUG_LEVEL=9


      Again, before proceeding, make a note of the exact time of the last record from the tail -f output received after the step above. 
       
    • Quickly go back to the SSIM console, uncheck the box for the Checkpoint Collector Sensor configuration and save it, then distribute it so that the collector will turn off again.
       
    • Go back to the MLM machine and run the following commands for the third time:

      mdsenv clm2

      cd $FWDIR/log

      tail -f fwd.elg

      Ctrl-c


      And, once again, make a note of the exact time of the last record from the tail -f output received after the step above.
    • Finally, turn off fwd debugging by running the following commands from the MLM in Expert mode, and collect the fwd.elg log for troubleshooting:

      mdsenv clm2

      fw debug fwd on TDERROR_ALL_ALL=0

      fw debug fwd on OPSEC_DEBUG_LEVEL=0

    • Once you have verified that Check Point has been correctly configured, you will need to create the Sensor in the SSIM Client UI. It should look similar to the screenshot below. The boxed fields are filled in with information from your Check Point setup.






     


Legacy ID



2007102213020754

