Connecting Check Point to enVision

  • Pages: 13 (3049 words)
  • Published: November 29, 2011
RSA enVision Event Source Check Point Security Suite, IPS-1 Configuration Instructions and Release Notes
Last Modified: Monday, October 31, 2011

Event Source (Device) Product Information
Vendor: Check Point
Event Source (Device): Check Point Security Suite, IPS-1
Supported Versions: R54 - R65, R70, R71, R75
Supported Platforms: Check Point Appliances, Secured By Check Point partner appliances, Check Point SecurePlatform running on Open Servers, and Check Point software running on supported operating systems like Windows, Red Hat and Solaris

enVision Product Information
Version: 3.7 and later
Event Source (Device) Type: checkpointfw1, 3
Collection Method: Check Point LEA API
Event Source (Device) Class.Subclass: Security.Firewall
Content 2.0 Table: Firewall
Service: LEA Client Service

This document contains the following information for the Check Point Security Suite and IPS-1 event source:
  • Configuration Instructions
  • Release Notes for Content 2.0
  • Release Notes for Standard Content

Check Point Security Suite Configuration Instructions

Check Point Security Tightening
For the newer versions of the Check Point Security Suite, access to the Check Point Management Console has been hardened. Note the following:
  • For version R61 and newer, you cannot use the no authentication method to connect to the console. You need to use auth_OPSEC or SSLCA as the authentication method.
  • For version R71 and newer, you cannot use either the no authentication method or the auth_OPSEC method to connect to the console. You need to use SSLCA as the authentication method.

RSA recommends that customers use SSLCA as the authentication method whenever possible. If not, you may see errors in the checkpoint servername_opsec_output.log file such as connection reset by peer or unable to connect.
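The two version rules above can be checked across an inventory of event sources before any LEA connection is attempted. The following is an added example, not part of the RSA document: the dictionary keys, host names and log line layout are assumptions made for illustration, and only the version thresholds, the method names and the two error strings come from the text.

```python
import re

# Rules taken from the text above: R61 and newer reject the no-authentication
# method; R71 and newer accept only SSLCA. Method labels are lower-cased here.
ERROR_MARKERS = ("connection reset by peer", "unable to connect")

def release_number(version):
    """Numeric part of a release label such as 'R65' or 'r71'."""
    m = re.fullmatch(r"\s*[Rr](\d+)(?:\.\d+)?\s*", version)
    if m is None:
        raise ValueError(f"unrecognised release label: {version!r}")
    return int(m.group(1))

def allowed_methods(version):
    n = release_number(version)
    if n >= 71:
        return {"sslca"}
    if n >= 61:
        return {"auth_opsec", "sslca"}
    return {"none", "auth_opsec", "sslca"}

def audit(source, log_lines=()):
    """Findings for one event source (dict with assumed keys name, version, method)."""
    method = source["method"].strip().lower()
    findings = []
    if method not in allowed_methods(source["version"]):
        findings.append(f"{source['name']}: {method} is not accepted by {source['version']}")
    elif method != "sslca":
        findings.append(f"{source['name']}: {method} works, but SSLCA is recommended")
    # Count opsec output log lines that carry one of the two error strings.
    hits = sum(1 for line in log_lines
               if any(marker in line.lower() for marker in ERROR_MARKERS))
    if hits and method != "sslca":
        findings.append(f"{source['name']}: {hits} connection error(s) logged; "
                        "check the authentication method first")
    return findings

# Constructed inventory and log lines (the log line layout is invented).
SAMPLE_SOURCES = [
    {"name": "cp-mgmt-01", "version": "R65", "method": "auth_OPSEC"},
    {"name": "cp-mgmt-02", "version": "R75", "method": "auth_OPSEC"},
    {"name": "cp-mgmt-03", "version": "R71", "method": "SSLCA"},
]
SAMPLE_LOG = ["[constructed] LEA session: Connection reset by peer",
              "[constructed] LEA session: unable to connect"]

if __name__ == "__main__":
    for src in SAMPLE_SOURCES:
        print(audit(src, SAMPLE_LOG if src["name"] == "cp-mgmt-02" else ()))
```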

Copyright © 2011 EMC Corporation. All Rights Reserved.


Check Point Configuration Overview
Note: The Check Point product has several feature packs that run on numerous operating systems or platforms. The naming conventions, menu selections, and entry fields may vary slightly between versions. The basic flow for any of them is nearly identical. These configuration instructions are for NG and later running in a Windows environment.

Note: By default, Check Point logs are sent from the Check Point event sources to the management server. Alternatively, logs can be sent to a centralized log module (CLM). In this document, the term "log server" refers to either the management server or a CLM, whichever you are using.

To configure the Check Point Management Server, you must complete these tasks:

I. Verify the Functionality of the Existing Check Point Security System
II. Configure Check Point to Accept Connections
III. Exchange Authentication Keys
IV. Configure RSA enVision

To change directories to the installation directory of your firewall, in a command prompt, do either of the following, depending on your operating system:
  • On a Windows system, type cd %FWDIR%
  • On a Linux or Unix system, type cd $FWDIR


Verify the Functionality of the Existing Check Point Security System
Note: If an enforcement point sends logs to the management server, an enforcement point does not store the logs locally in the fw.log file. Therefore, an LEA connection between RSA enVision and the enforcement point does not see any messages, except for the messages that are stored locally.
To verify the functionality of the Check Point Security System:

1. Open the Check Point SmartView Tracker, and ensure that the log server is receiving events.
   Important: Do not proceed until the Check Point log server is receiving events. If the log server does not display logs, RSA enVision will not receive any events.
2. To ensure that RSA enVision communicates with the Check Point management server, confirm that:
  • Event sources have been configured for all...