Setting up Checkpoint NG R55:
Log in to Expert mode by typing "expert" and entering the provider superuser password.
Then, do the following:
Quickly confirm the desired CLM is up and running by typing the following command:
[Expert@mlm]# mdsstat
Which should return a table similar to this:
+--------------------------------------------------------------------------------------+
| Processes status checking |
+-----+-----------------+-----------------+-----------+----------+----------+----------+
| Type| Name | IP address | FWM | FWD | CPD | CPCA |
+-----+-----------------+-----------------+-----------+----------+----------+----------+
| MDS | - | 192.168.0.70 | up 1196 | up 1195 | up 1194 | N/R |
+-----+-----------------+-----------------+-----------+----------+----------+----------+
| CMA | clm1 | 192.168.0.71 | up 2137 | up 2136 | up 2111 | down |
+-----+-----------------+-----------------+-----------+----------+----------+----------+
| Total customer add-ons checked: 1 1 up 0 down |
| Tip: Run mdsstat -h for legend |
+--------------------------------------------------------------------------------------+
Type the following commands, pressing enter after each one:
[Expert@mlm]# mdsenv clm1
[Expert@mlm]# cd $FWDIR/conf
[Expert@mlm]# vi cpmad_opsec.conf
After you open the cpmad_opsec.conf file in vi, change the following cpmad_opsec.conf default lines:
lea_server ip 127.0.0.1
lea_server auth_port 18184
lea_server auth_type local
to these lines:
lea_server ip 127.0.0.1
lea_server auth_port 0
lea_server auth_type local
lea_server port 18184
Save and exit the file, then edit the fwopsec.conf file. By default this file is entirely commented out; as long as that is also the case in your environment, open it with the following command, add the following two uncommented lines to the bottom of the file, then save and close it:
[Expert@mlm]# vi fwopsec.conf
lea_server auth_port 0
lea_server port 18184
Then type:
[Expert@mlm]# cprestart
And the following lines should appear:
performing cpridstop ("/opt/CPmds-R62/customers/clm1/CPshrd-R62/bin/cpridstop"):
/opt/CPmds-R62/customers/clm1/CPshrd-R62/tmp/.CPprofile.csh: No such file or directory.
performing cpstop ("/opt/CPmds-R62/customers/clm1/CPshrd-R62/bin/cpstop" -fwflag -default):
SmartView Monitor: Management stopped
Cannot find pid of vpnd
syslog_clean: sending SIGINT to process 3263
VPN-1/FW-1 stopped
SVN Foundation: failed to stop cpd
SVN Foundation: cpWatchDog stopped
SVN Foundation stopped
performing vpn drv off ("/opt/CPmds-R62/customers/clm1/CPsuite-R62/fw1/bin/vpn" drv off):
Unable to open '/dev/vpn0': No such file or directory
Failed to stop VPN-1 module
performing cpstart ("/opt/CPmds-R62/customers/clm1/CPshrd-R62/bin/cpstart"):
cpstart: Power-Up self tests passed successfully
cpstart: Product FloodGate-1 not configured , please use 'cpconfig' to configure it.
cpstart: Starting product - SVN Foundation
SVN Foundation: Starting cpWatchDog
SVN Foundation: cpd already running
SVN Foundation started
cpstart: Starting product - VPN-1
FireWall-1: Starting fwd
[1] 3384
FireWall-1: Starting fwm (SmartCenter Server)
[2] 3385
FireWall-1: This is a Log Server Station. No security policy will be loaded
FireWall-1 started
cpstart: Starting product - SmartView Monitor
SmartView Monitor: Not active
performing cpridstart ("/opt/CPmds-R62/customers/clm1/CPshrd-R62/bin/cpridstart"):
/opt/CPmds-R62/customers/clm1/CPshrd-R62/tmp/.CPprofile.csh: No such file or directory.
[Expert@mlm]#
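In OPSEC configuration files, `auth_port` is the authenticated LEA listener and `port` is the unauthenticated (clear) one, so the edits above move LEA to a clear listener on 18184. The following added example (not part of the original techdoc or vendor tooling) reports which mode a conf file actually selects, ignoring commented-out lines; the function name `lea_mode` and the sample file contents are constructed for illustration.

```shell
#!/bin/sh
# Added example: summarise the effective lea_server settings in an OPSEC
# conf file such as fwopsec.conf or cpmad_opsec.conf.

lea_mode() {
    # $1 = path to the conf file; lines starting with '#' are ignored
    awk '
        $1 ~ /^#/ { next }
        $1 == "lea_server" && $2 == "port"      { port  = $3 }
        $1 == "lea_server" && $2 == "auth_port" { auth  = $3 }
        $1 == "lea_server" && $2 == "auth_type" { atype = $3 }
        END {
            if (port == "" && auth == "")
                print "unset"                      # no active lea_server lines
            else if (port + 0 > 0 && auth + 0 > 0)
                print "both port=" port " auth_port=" auth
            else if (port + 0 > 0)
                print "clear port=" port           # unauthenticated listener
            else if (auth + 0 > 0)
                print "auth port=" auth " type=" (atype == "" ? "unset" : atype)
            else
                print "disabled"                   # both ports set to 0
        }
    ' "$1"
}

# Constructed sample: a commented-out default plus the two lines added above.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# lea_server auth_port 18184
# lea_server port 0
lea_server auth_port 0
lea_server port 18184
EOF
lea_mode "$sample"     # prints: clear port=18184
rm -f "$sample"
```

On the MLM, run it as `lea_mode $FWDIR/conf/fwopsec.conf` after `mdsenv` has set the CLM environment.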
- Configure the Checkpoint Firewall-1 Collector on the Symantec Security Information Manager v4.5 appliance:
From the SSIM Console => System tab, do the following:
Create a new product configuration for the Check Point collector. Refer to pages 23 to 25 of the Checkpoint Collector guide to create this configuration.
- Return to the Checkpoint MLM machine and type the following:
[Expert@mlm]# netstat -na | grep 18184
which should return:
tcp 0 0 192.168.0.71:18184 0.0.0.0:* LISTEN
tcp 0 0 192.168.0.70:18184 0.0.0.0:* LISTEN
tcp 0 0 192.168.0.71:18184 192.168.0.90:36474 ESTABLISHED
If you see the SSIM appliance IP has created an ESTABLISHED connection, then the chances are good that it's working. But, to be 100% certain, you'll need to check the checkpoint collector log to see if it is receiving new events from checkpoint.
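Because the listener configured above uses `auth_port 0`, the LEA server does not authenticate the peer, so it is worth confirming that the only ESTABLISHED peer on 18184 is the SSIM appliance. The following added example (not part of the original techdoc) classifies the `netstat -na` output accordingly; the function name `lea_peers` and the last sample line (peer 192.168.0.55) are constructed, and only IPv4 `tcp` lines are examined.

```shell
#!/bin/sh
# Added example: check the LEA port's listener and connected peers.

lea_peers() {
    # $1 = LEA port, $2 = expected collector IP; `netstat -na` text on stdin
    awk -v port="$1" -v want="$2" '
        $1 != "tcp" { next }                      # IPv4 TCP lines only
        {
            n = split($4, l, ":")                 # local address is field 4
            if (l[n] != port) next                # ignore other local ports
            if ($6 == "LISTEN") { listen++; next }
            if ($6 == "ESTABLISHED") {
                split($5, r, ":")                 # remote address is field 5
                if (r[1] == want) ok++
                else print "unexpected " r[1]     # peer that is not the collector
            }
        }
        END {
            if (!listen) print "no-listener"
            print (ok ? "collector-connected" : "collector-absent")
        }
    '
}

# Sample from the text above, plus one constructed extra peer.
lea_peers 18184 192.168.0.90 <<'EOF'
tcp 0 0 192.168.0.71:18184 0.0.0.0:* LISTEN
tcp 0 0 192.168.0.70:18184 0.0.0.0:* LISTEN
tcp 0 0 192.168.0.71:18184 192.168.0.90:36474 ESTABLISHED
tcp 0 0 192.168.0.71:18184 192.168.0.55:40112 ESTABLISHED
EOF
```

On the MLM the live check is `netstat -na | lea_peers 18184 <SSIM appliance IP>`; any `unexpected` line is a host other than the collector holding a session on the LEA port.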
If it is still showing the COMM_IS_DEAD error, then you'll need to turn on OPSEC_DEBUG_LEVEL on the CLM. The SSIM administrator and Provider-1 administrator will have to work together to gather the logs needed if the above steps do not work and you have to turn on debug.
- In the SSIM console, please uncheck the Checkpoint Collector Sensor configuration and save it, then distribute it so that the collector will turn off. To confirm it has indeed turned off, ssh into the collection appliance and tail the checkpoint.log located here: /opt/Symantec/sesa/Agent/logs/checkpoint.log
The entries should look something like this:
INFO 2007-09-11 16:06:52,937 Collectors.3120.wGroup.[workinggroup0] workinggroup0 Starting working group for sensor "com.symantec.cas.ucf.sensors.Opsec.OpsecLeaSensor"...
INFO 2007-09-11 16:06:52,937 Collectors.3120.wGroup.[workinggroup0] workinggroup0 0 events were deserialized
DEBUG 2007-09-11 16:06:52,938 Collectors.3120.wGroup.[workinggroup0] workinggroup0 Sensor list is empty !
WARN 2007-09-11 16:06:52,938 Collectors.3120.wGroup.[workinggroup0] workinggroup0 No valid sensors in workinggroup !
INFO 2007-09-11 16:06:52,938 Collectors.3120.wGroup.[workinggroup0] workinggroup0 Working group is off
- On the Provider-1 MLM, follow these steps to turn on OPSEC debugging by running:
mdsenv clm2 (use the name of the MLM here)
cd $FWDIR/log
tail -f fwd.elg
Ctrl-c
fw debug fwd on TDERROR_ALL_ALL=5
fw debug fwd on OPSEC_DEBUG_LEVEL=9
Before proceeding, make a note of the exact time of the last record from the tail -f output received after the step above.
- Go back to the SSIM console, check the box for the Checkpoint Collector Sensor configuration and save it, then distribute it so that the collector will turn back on.
- Go back to the MLM machine and run the following commands again:
mdsenv clm2 (use the name of the MLM here)
cd $FWDIR/log
tail -f fwd.elg
Ctrl-c
fw debug fwd on TDERROR_ALL_ALL=5
fw debug fwd on OPSEC_DEBUG_LEVEL=9
Again, before proceeding, make a note of the exact time of the last record from the tail -f output received after the step above.
- Quickly go back to the SSIM console, uncheck the box for the Checkpoint Collector Sensor configuration and save it, then distribute it so that the collector will turn off again.
- Go back to the MLM machine and run the following commands for the third time:
mdsenv clm2
cd $FWDIR/log
tail -f fwd.elg
Ctrl-c
And, once again, make a note of the exact time of the last record from the tail -f output received after the step above.
- Finally, turn off fwd debug by running the following commands from the MLM in expert mode, and collect the fwd.elg log for troubleshooting:
mdsenv clm2
fw debug fwd on TDERROR_ALL_ALL=0
fw debug fwd on OPSEC_DEBUG_LEVEL=0
- Once you have verified that Checkpoint has been correctly configured, you will need to create the Sensor in the SSIM Client UI. It should look similar to the screenshot below. Fields with boxes will be filled with information you get from your Checkpoint setup.

Applies To
Note: This techdoc was created for the Symantec Event Collector 4.3 for Check Point FireWall-1. If you are trying to configure the Symantec Event Collector 4.4 for Check Point LEA please refer to the Quick Reference for this collector.