viktor.doundako Respected Contributor.

Guidance and details on the new Check Point CEF generating solution

Dear ArcSight customers,

In the ongoing effort to improve your experience with the Check Point products, Check Point is introducing a new, modern, Syslog-based log export infrastructure which will be integrated and certified with the standard ArcSight Syslog CEF ArcSight connector. Major features include TLS support, ArcSight-certified CEF formatting integration, and log filtering. The new Check Point Syslog feature will be supported on R77.30 and R80.10, and will replace all previously-released Check Point Syslog-based implementations.

We advise all customers interested in it to refer to the Check Point knowledge base article sk122323 for more information on capabilities and architecture.

We are currently in the process of finalizing the CEF generation certification of the new Check Point solution and are planning to complete it soon.

15 Replies
mrksr Super Contributor.

Re: Guidance and details on the new Check Point CEF generating solution

The new Syslog CEF Connector for Check Point seems to be a good thing!

What I would like to know: Will it still be possible to connect to Check Point R80.10 via the OPSEC connector? And will there be a 64-bit OPSEC connector (or still only 32-bit)?

Marijo Mandic Acclaimed Contributor.

Re: Guidance and details on the new Check Point CEF generating solution

Hello,

1) Please see the Check Point KB noted in the initial post to get a better "picture" of how it will work.
2) This will not be a 64-bit OPSEC SmartConnector (the 32-bit version of the SmartConnector framework is going EoL soon).

Regards,

Marijo

alexandros_n Honored Contributor.

Re: Guidance and details on the new Check Point CEF generating solution

All 32-bit connectors go out of support sometime this year; plus, the only CP connector that currently supports R80 is the Syslog one. Additionally, this one will replace all (as stated).

Knowledge Partner

Re: Guidance and details on the new Check Point CEF generating solution

https://community.softwaregrp.com/t5/ArcSight-Connectors/SmartConnector-for-Check-Point-Syslog/tac-p/1637794/highlight/true#M1185

Unsupported solution to this issue, and it can only be done by people who know their stuff 😉
We tested this approach; however, below is NOT a step-by-step guide.

Works with the 32-bit connector >= 7.7.0

- Install the 32-bit version of the SmartConnector on any server/laptop/etc. Choose a Linux host, so that you get the 32-bit LEA binaries for Linux, and not Windows.
- Select to install a Check Point connector ... don't add details, just make a generic Check Point LEA connector.
- Find the binaries that are used for the connection (lea_client, certificate pull, etc.), and

On the 64-bit destination connector (appliance):

- Copy the Check Point binaries to a FRESH SmartConnector
- Copy agent.properties to the SC
- Run "setup" for the SmartConnector; you should be able to see Check Point ad_opesc now.

Hope that helps

P.S.: SHA2 support was added as a hotfix, and is now part of 7.7.0

Cheers

A

viktor.doundako Respected Contributor.

Re: Guidance and details on the new Check Point CEF generating solution

As previously announced, the 32-bit connectors will no longer be available from the end of April '18: this applies to the ArcSight Check Point OPSEC NG connector too.

Please use the KB on the Check Point site to start your planning processes as necessary.

klr01 Super Contributor.

Re: Guidance and details on the new Check Point CEF generating solution

For an encrypted solution, is it safe to assume we would use the "SmartConnector for ArcSight CEF Encrypted Syslog (UDP)" connector? Or, are you updating the "SmartConnector for Check Point Syslog" connector to include encryption? I am referring to encryption of event flow between Check Point CLM and the connector. I know the current SmartConnector for Check Point Syslog connector provides for encryption if the connector is used as a forwarder. We need to encrypt the traffic coming from syslog to the ESM.

Also, it sounds like the new solution has not yet been certified by Micro Focus: "We are currently in the process of finalizing the CEF generation certification of the new Check Point solution and are planning to complete it soon." Is that correct?

If the solution is not available now, when will it be?

Thank you for your help!

-Kathy

Marijo Mandic Acclaimed Contributor.

Re: Guidance and details on the new Check Point CEF generating solution

Hello Kathy,

1) To use encryption, use the Syslog NG SmartConnector (7.8.0 framework), not the one you mentioned.
2) On the Check Point page, go to "SIEM Specific instruction" and expand it by clicking "Show / Hide the section". There you have guidelines on how to configure the SmartConnector.
3) If you configure the Check Point part (also explained at the link) to output encrypted CEF Syslog, then the SmartConnector can parse this out of the box; CEF is the ArcSight standard and works immediately (if the source sends the proper CEF Syslog format).

Regards,

Marijo

klr01 Super Contributor.

Re: Guidance and details on the new Check Point CEF generating solution

Thank you, Marijo! We will give this a try. Much appreciated.

-Kathy

klr01 Super Contributor.

Re: Guidance and details on the new Check Point CEF generating solution

What versions of TLS does the "SmartConnector for Syslog NG Daemon" support? The documentation does not indicate whether or not TLS 1.2 is supported.

Thanks again!

Tobias Sundman Respected Contributor.

Re: Guidance and details on the new Check Point CEF generating solution

Hello,

Is the CEF certification considered done? We have tried Check Point R80.10 with the current version of Log Exporter (T30). The CEF mapping seems to differ a lot compared to the previous mapping of the Check Point log (OPSEC-based). So our current content in ESM, built based upon the previous mappings, is useless if migrating to the CEF mapping.

What are your thoughts about this?

Regards,
Tobias

klr01 Super Contributor.

Re: Guidance and details on the new Check Point CEF generating solution

I have the same concerns as well, Tobias.

olajuwon.o.ariy Contributor.

Re: Guidance and details on the new Check Point CEF generating solution

I have the same experience with R77.30. We just implemented that, and we are able to get around the mapping except for firewall configuration changes. We are yet to resolve that.

But I think it is a good way to go.

Thank you.

Stepan Trusted Contributor.

Re: Guidance and details on the new Check Point CEF generating solution

Hello,

That's nice to see that standardization is ongoing across different vendors, which helps to simplify connector infrastructure. But here we have a major issue with this Check Point solution. As Log Exporter sends logs as they are generated, you typically first have a main log which keeps just very basic info like IPS rule name and source IP, and that's it. After that you receive several log updates where destination IP, port, requested URL, etc. are, and at the very end a last update with bytes in/out. The issue here is that those increments do not contain all previously known information, like rule name. So you need to somehow aggregate/collect and craft a new event based on all those logs, which is very hard to achieve in ArcSight, and on top of it such rules are obviously suspended by ESM due to high trigger volume. On top of it all, current active content is useless without another round of tuning. That's pure pain to reinvent the wheel. Is somebody from MF working on it with CP?

Thanks

Stepan

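Two points in this thread lend themselves to a worked example: Marijo's remark that a well-formed CEF syslog line is parsed out of the box because the format is fixed, and Stepan's description of Log Exporter emitting a base record followed by partial updates that the receiver has to fold back into one event. The Python below is an added example, not code from the thread, from Check Point or from Micro Focus. It assumes the updates share a correlation value in one extension field (`cs1` here, a constructed choice; the real field name depends on the exporter's documented mapping), and the sample lines are constructed to match the behaviour the thread describes.

```python
"""Added example, not code from the thread, Check Point or Micro Focus.

Parses CEF:0 syslog lines and folds Log Exporter-style base record plus
partial updates back into one event per correlation key.
Assumptions: the correlation key lives in the extension field named by
KEY_FIELD ("cs1" here, a constructed choice); all sample lines are constructed.
"""
import re
from collections import OrderedDict

KEY_FIELD = "cs1"  # assumption: which extension field ties updates together

# Header fields that follow "CEF:" in order; the 8th part is the extension.
HEADER_FIELDS = ("version", "vendor", "product", "device_version",
                 "signature_id", "name", "severity")

_UNESCAPE = {r"\=": "=", r"\|": "|", r"\\": "\\", r"\n": "\n", r"\r": "\r"}


def _unescape(value):
    """Undo CEF escaping of '=', '|', backslash, newline and carriage return."""
    return re.sub(r"\\[=|\\nr]", lambda m: _UNESCAPE[m.group(0)], value)


def parse_cef(line):
    """Parse one syslog line carrying a CEF:0 message into a dict.

    Raises ValueError when the header is missing or short, so a collector
    can count or quarantine malformed lines instead of silently mis-mapping.
    """
    start = line.find("CEF:")
    if start < 0:
        raise ValueError("no CEF header in line")
    # Split on unescaped pipes only; stop after 7 so the extension stays intact.
    parts = re.split(r"(?<!\\)\|", line[start + 4:], maxsplit=7)
    if len(parts) != 8:
        raise ValueError("CEF header needs 7 pipe-separated fields")
    event = dict(zip(HEADER_FIELDS, (_unescape(p) for p in parts[:7])))
    # A new key=value pair starts at whitespace followed by a key and '='.
    ext = {}
    for pair in re.split(r"\s+(?=[A-Za-z0-9_.]+=)", parts[7].strip()):
        if pair:
            key, _, value = pair.partition("=")
            ext[key] = _unescape(value)
    event["ext"] = ext
    return event


def merge_updates(lines, key_field=KEY_FIELD):
    """Fold a stream of CEF lines into one record per correlation key.

    The first line seen for a key is the base; each later update overlays
    its extension fields, so base-only fields (rule name) survive and
    fields that change over time (bytes in/out) end with their last value.
    Lines without the key cannot be correlated and are returned separately.
    """
    merged, uncorrelated = OrderedDict(), []
    for line in lines:
        event = parse_cef(line)
        key = event["ext"].get(key_field)
        if key is None:
            uncorrelated.append(event)
        elif key not in merged:
            event["updates"] = 1
            merged[key] = event
        else:
            merged[key]["ext"].update(event["ext"])
            merged[key]["updates"] += 1
    return merged, uncorrelated


# Constructed sample shaped after the thread's description (base record,
# two updates, then an unrelated single event); not real Log Exporter output.
SAMPLE = [
    "<134>1 2018-05-01T10:00:00Z fw1 CEF:0|Check Point|SmartDefense|R80.10|IPS|Suspicious payload|6|cs1=abc123 act=Detect src=10.1.1.5 cs2Label=Rule cs2=Block\\=bad",
    "<134>1 2018-05-01T10:00:01Z fw1 CEF:0|Check Point|SmartDefense|R80.10|IPS|Suspicious payload|6|cs1=abc123 dst=203.0.113.9 dpt=443 request=https://example.com/login",
    "<134>1 2018-05-01T10:00:05Z fw1 CEF:0|Check Point|SmartDefense|R80.10|IPS|Suspicious payload|6|cs1=abc123 in=1200 out=340",
    "<134>1 2018-05-01T10:00:07Z fw1 CEF:0|Check Point|VPN-1 & FireWall-1|R80.10|Accept|Allow|3|cs1=def456 src=10.1.1.7 dst=10.2.2.2 dpt=22",
]

if __name__ == "__main__":
    records, leftovers = merge_updates(SAMPLE)
    for key, rec in records.items():
        print(key, rec["updates"], "updates ->", rec["name"], rec["ext"])
    print(len(leftovers), "uncorrelated")
```

Running it merges the three `abc123` lines into one record that still carries the rule name from the base line and the byte counts from the last update, while the unrelated `def456` event stays a single record. Doing this on the collector side, before events reach ESM, is what avoids the high-volume aggregation rules Stepan describes; on a real feed the correlation field and the window after which a key is flushed would have to come from the exporter's documented behaviour rather than the constructed values used here.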
olajuwon.o.ariy Contributor.

Re: Guidance and details on the new Check Point CEF generating solution

Hello Team,

We integrated Check Point with ArcSight using Log Exporter, but the challenge we have now is that when a user makes any changes on the firewall, we don't see the event in ArcSight. I can see VPN, Application Control and others, but not when changes are created or modified, or when a policy is installed.

Please, which field mapping can I use to get this event when changes are made on the Check Point firewall?

Thank you.