Overview
Blumira’s modern cloud SIEM platform integrates with Check Point’s Next Generation Firewalls to detect cybersecurity threats and provide an automated or actionable response to remediate when a threat is detected. Additionally, enabling Blumira’s dynamic blocklist capabilities on your integrated next-generation firewall allows us to provide automated blocking of known threats.
Learn more about enabling Blumira’s blocklists to block malicious source IP addresses and domains for automated threat response.
Also see Checkpoint's custom intelligence feed setup instructions.
Before you begin
This integration requires a Blumira sensor to be installed before you can complete the steps below. Ensure that you complete the steps in Building a Blumira sensor with Ubuntu before you continue.
Above R77.30 or R80.10 with Jumbo Hotfix 56
If your Check Point management server is above R80.10 with Jumbo Hotfix 56, you can use the new simplified Syslog Exporter instead of setting up the LEA application. The LEA setup below still works on newer Check Point versions, so you can use it if you prefer, but it requires much more setup.
On your Check Point Management Server CLI, run the following command after you have replaced <blumira_sensor> with the IP address of the Blumira sensor that you installed in "Before you begin".
cp_log_export add name Blumira target-server <blumira_sensor> target-port 514 protocol tcp format cef
This reads directly from the log files on the Management Server; no filtering of the logs being shipped should be required.
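To check what the sensor actually receives on TCP/514 from the command above, here is an added example (not Blumira's or Check Point's code) that parses one syslog line carrying a CEF record into its header fields and extension key/value pairs, handling the CEF escaping rules for `|`, `=` and `\`. The sample line and every value in it are constructed for this example; the exact field layout Log Exporter emits may differ.

```python
import re

# Constructed sample of the record shape Check Point's Log Exporter emits for
# "format cef", wrapped in the syslog line the sensor would receive on TCP/514.
# All values are made up for this example; the real field layout may differ.
SAMPLE_SYSLOG_LINE = (
    "<134>1 2020-07-07T17:35:00Z cp-mgmt CheckPoint - - - "
    "CEF:0|Check Point|VPN-1 & FireWall-1|R80.10|Accept|Log|0|"
    "rt=1594143300000 src=10.1.2.3 dst=203.0.113.10 spt=51234 dpt=443 "
    "proto=tcp act=Accept cs1Label=Rule Name cs1=Allow\\=Web deviceDirection=0"
)

HEADER_FIELDS = ("version", "device_vendor", "device_product", "device_version",
                 "signature_id", "name", "severity")
KEY_RE = re.compile(r"(?:^|\s)(\w+)=")  # an extension key: bare word before '='

def _unescape(value, extension):
    # Header fields escape '|' and '\'; extension values also escape '=' and
    # encode line breaks as \n and \r.
    mapping = {"n": "\n", "r": "\r"} if extension else {}
    return re.sub(r"\\(.)", lambda m: mapping.get(m.group(1), m.group(1)), value)

def _parse_extension(ext):
    # Values may contain spaces, so each value runs up to the next key= token.
    hits = list(KEY_RE.finditer(ext))
    out = {}
    for i, m in enumerate(hits):
        end = hits[i + 1].start() if i + 1 < len(hits) else len(ext)
        out[m.group(1)] = _unescape(ext[m.end():end], extension=True)
    return out

def parse_cef(line):
    """Parse one syslog line carrying a CEF record into a dict."""
    start = line.find("CEF:")  # the syslog prefix is not part of the record
    if start < 0:
        raise ValueError("no CEF record in line")
    body = line[start + len("CEF:"):].rstrip("\r\n")
    parts = re.split(r"(?<!\\)\|", body, maxsplit=7)  # split on unescaped '|'
    if len(parts) != 8:
        raise ValueError("malformed CEF header")
    record = {k: _unescape(v, extension=False) for k, v in zip(HEADER_FIELDS, parts)}
    sev = record["severity"]
    record["severity"] = int(sev) if sev.isdigit() else sev  # 0-10 or Low/High/...
    record["extension"] = _parse_extension(parts[7])
    return record
```

Feed it lines captured on the sensor (for example from a packet capture of port 514) to confirm the fields you expect, such as src, dst and act, survive the export intact.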
References:
- https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk122323#How%20does%20it%20Work
- https://community.checkpoint.com/t5/Logging-and-Reporting/R80-10-Syslog-Exporter/m-p/37042
- https://community.checkpoint.com/t5/Logging-and-Reporting/Exporting-Check-Point-logs-over-syslog-LogExporter-with-Log/td-p/38410
- https://community.checkpoint.com/t5/Management/R80-20-Log-Exporter-Feature/m-p/44430
Under R80.10 with Jumbo Hotfix 56
Prerequisite Check Point setup:
- Log in to the firewall management CLI (accessible from the firewall management web interface) as the user admin and type the following commands:
expert
Type your expert password when prompted.
grep auth_type $FWDIR/conf/fwopsec.conf
- If the grep output shows “lea_server auth_type sslca”, you can skip to the SmartConsole steps. Otherwise, append the setting:
echo 'lea_server auth_type sslca' >> $FWDIR/conf/fwopsec.conf
- Restart the Check Point services so the change takes effect:
cpstop; cpstart
Note: This will cause some downtime, and your console may be disconnected.
- Run SmartConsole and complete these steps:
- In the Objects pull-down menu, navigate to More object types → Server → OPSEC Application → New application...
- Choose a name for the LEA object (letters, digits, underscores, and hyphens are the only allowed characters).
- From the Host pull-down menu, pick the host the sensor is running on. If it is not listed, click New next to the Host field to create a new host.
Note: After creating a new host, if it does not appear in the Host pull-down menu, you may need to cancel out of the application dialog and start over at step 2a.
- In the Server Entities section, leave all boxes unchecked.
- In the Client Entities section, check LEA and leave all others unchecked.
- Click Communication.
- Choose a one-time password and enter it (twice).
- Leave the Trust state field unchanged.
- Click Initialize, then Close.
- Click OK to create the LEA object.
- Click Install Policy and click through the dialogs until the policy is successfully installed.
Blumira Check Point Module Setup
When you add the Check Point Module to a sensor in Blumira, you will need to provide the following information:
- IP Address of Check Point Management Server
- The LEA object name that you chose above
- The one-time password that you chose above
To add a module on an existing sensor and provide credentials:
- In Blumira, click Settings.
- Click Sensors.
- Click the sensor on which you want to add a module.
- On the detail page for the sensor, scroll down and click Add Module.
- In the Add New Module window, select the relevant module.
- Enter the credentials that you gathered in previous steps.
- (Optional) Type a name for this log deployment in the Log Source Name box.
Note: Use alphanumeric characters, periods, and hyphens. Spaces and underscores are not allowed. This name will appear in the "device_address" column in the results of your event data queries. If you add more modules to collect logs for other integrations, this name will help you to identify them.
- Click Install.