
CHECKPOINT SMARTCENTER SERVER INTEGRATION PROCEDURE

Disclaimer:

This post in no way overrides the original HP document.

Treat it as a ready reckoner, or use it when you are stuck even after following the steps in the guide (as many have been, due to the heavy technical content of that document).


Method Used: OPSEC SSLCA (Easy & secure integration option for Checkpoint)


IMPORTANT CHECKS BEFORE PROCEEDING WITH INTEGRATION:

1. Supported Checkpoint NG versions (of the SmartCenter Server only; we are NOT concerned about enforcement modules, e.g. firewalls, because in the Checkpoint architecture we can ONLY get the logs from the management server). Happily, HP has a good heart and doesn't mind supporting obsolete versions. For more information check out

2. The steps for a Provider-1 environment differ, so do NOT follow the given procedure if you have a Provider-1 environment; instead go to

3. Assumption: the SmartCenter server itself acts as the Log Server for your enforcement modules. If you have a dedicated Log Server that does NOT reside on the same machine as the SmartCenter server, then do NOT follow the given procedure as written. (In that case the Log Server is the device the SmartConnector should talk to, so the procedure must be altered accordingly.)

4. In a cluster environment, you can perform this task ONLY on PRIMARY SmartCenter Server.  Do NOT try it on SECONDARY Server for it behaves as Read Only.

STEPS FOR INTEGRATING SMARTCONNECTOR WITH CHECKPOINT SMARTCENTER SERVER USING SSLCA AUTHENTICATION METHOD:

<CHECKPOINT ADMIN’S TASKS START HERE>

1. Ensure communication between the SmartConnector (a.k.a. LEA Client) and the SmartCenter Server (a.k.a. LEA Server) on TCP port 18184. You will have at least one firewall between these two nodes, so add a rule for this communication on every firewall in the path (Src: SmartConnector IP, Dest: SmartCenter IP, Service: TCP/18184).

2. Check if the SmartCenter server is listening on port 18184.

$netstat -a | grep 18184

3. It should listen on port 18184 by default, and the default authentication method supported is SSLCA, so there is NO need to edit any config file (in particular, don't play with fwopsec.conf) and absolutely NO need to run cpstop / cpstart in this scenario.
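The netstat check in step 2 only proves the SmartCenter is listening locally; it says nothing about the firewalls in between. The following is an added pre-flight probe (example code, not part of the original post and not an HP or Check Point tool) to run from the SmartConnector host before step 4. It tries a TCP handshake to 18184/tcp from steps 1 to 3 and to 18210/tcp, the port Daniel's reply further down the thread names for the one-time certificate pull; that both are the default ports, and the hostname used in the usage line, are assumptions.

```python
import socket

# Ports used in this integration: 18184/tcp is the LEA port from steps 1-3;
# 18210/tcp is the port named in a reply on this thread for the one-time
# certificate pull. Assumption: both are the Check Point defaults in use.
REQUIRED_PORTS = {
    18184: "LEA log retrieval (SmartConnector runtime)",
    18210: "one-time certificate pull (opsec_pull_cert)",
}


def tcp_port_open(host, port, timeout=3.0):
    """True if a TCP handshake to host:port completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:           # refused, timed out, unroutable, DNS failure
        return False


def preflight(host, ports=REQUIRED_PORTS, probe=tcp_port_open):
    """Probe every required port from the connector host; returns {port: reachable}.

    'probe' is injectable so the reporting logic can be exercised without a
    live SmartCenter, e.g. with a lambda that fakes one port as open.
    """
    return {port: probe(host, port) for port in ports}


def report(results, ports=REQUIRED_PORTS):
    """Human-readable lines, one per port, in port order."""
    return [
        f"{'OK  ' if ok else 'FAIL'} tcp/{port}  {ports.get(port, '')}"
        for port, ok in sorted(results.items())
    ]


def all_clear(results):
    """True only when every required port answered; the go/no-go before step 4."""
    return all(results.values())


if __name__ == "__main__":
    import sys
    # Hypothetical SmartCenter address; pass the real one as the first argument.
    target = sys.argv[1] if len(sys.argv) > 1 else "smartcenter.example.invalid"
    outcome = preflight(target)
    print("\n".join(report(outcome)))
    sys.exit(0 if all_clear(outcome) else 1)
```

A FAIL on 18184 with the SmartCenter listening locally points at a missing rule on one of the intermediate firewalls (step 1), not at the OPSEC configuration, which is worth ruling out before anyone touches SmartDashboard or fwopsec.conf.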

4. Go to SmartDashboard. If you have already created a HOST object for SmartConnector while executing Step 1, then skip Step 5 & go to Step 6.

5. Create a HOST object for SmartConnector with its IP address.

6. From the Manage menu, select OPSEC Applications. In the OPSEC Applications window, click New and select OPSEC Application.

7. In the OPSEC Application Properties window, enter a Name for the object. I usually name it Arc_Sight, the convention followed in the rest of this post.

8. Select the HOST object which we created for SmartConnector in the HOST field.

9. Select LEA from the Client Entities section.

10. Enable SIC (note down the SIC activation key) and click Initialize.

11. Now go to the SmartCenter Server CLI:

$cpca_client lscert -kind SIC

From the output, note down the server SIC Name (i.e. copy the line that has CN=Arc_Sight) and the SIC Entity Name (i.e. copy the line that has CN=cp_mgmt). These two are needed during SmartConnector installation.


Note: You may have multiple entries with the same CN. If so, all but one will already have expired; just focus on the "Valid" CN entry.


Sample SIC keys:

Subject = CN=Arc_Sight,O=project.com.2nguo2

Status = Pending   Kind = SIC   Serial = 11931

Not_Before: N/A   Not_After: Mon Sep 17 14:48:40 2018

Note: The Arc_Sight SIC key status must be Pending, as you have not yet initiated trust from the SmartConnector.

Subject = CN=cp_mgmt,O=project.hcl.com.2nguo2

Status = Valid   Kind = SIC   Serial = 56797   DP = 0

Not_Before: Tue Aug 30 14:45:14 2011   Not_After: Mon Aug 29 14:45:14 2016

Note: SmartCenter Management's SIC key status must be Valid.

From the above sample,

SIC Name:CN=Arc_Sight,O=project.com.2nguo2

SIC Entity Name:CN=cp_mgmt,O=project.com.2nguo2
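Picking the right two lines out of a long lscert listing is where people get tripped up, especially with the stale duplicate entries mentioned in the note above. The parser below is an added example (not part of the original post, and not a Check Point or HP utility) that reads the output of cpca_client lscert -kind SIC, ignores records that are past their Not_After date, and returns the SIC Name and SIC Entity Name to hand to the ArcSight admin. It assumes the output format matches the sample in this post; the sample text embedded in the code is constructed from that sample plus one extra expired Arc_Sight record whose "Status = Expired" label is an assumption, and it assumes the CA issues serial numbers in increasing order when it has to choose between several current records with the same CN.

```python
import re
from datetime import datetime

# Constructed sample modelled on the "Sample SIC keys" in this post (not real
# cpca_client output). The first Arc_Sight record stands in for a leftover from
# an earlier SIC reset; its "Status = Expired" label is an assumption.
SAMPLE_LSCERT = """\
Subject = CN=Arc_Sight,O=project.com.2nguo2
Status = Expired   Kind = SIC   Serial = 10021
Not_Before: N/A   Not_After: Sun Sep 19 10:00:00 2010

Subject = CN=Arc_Sight,O=project.com.2nguo2
Status = Pending   Kind = SIC   Serial = 11931
Not_Before: N/A   Not_After: Mon Sep 17 14:48:40 2018

Subject = CN=cp_mgmt,O=project.com.2nguo2
Status = Valid   Kind = SIC   Serial = 56797   DP = 0
Not_Before: Tue Aug 30 14:45:14 2011   Not_After: Mon Aug 29 14:45:14 2016
"""

TIME_FMT = "%a %b %d %H:%M:%S %Y"      # e.g. "Mon Sep 17 14:48:40 2018"
AS_OF = datetime(2012, 1, 1)            # constructed "today" for the sample above


def _parse_time(value):
    """Turn a Not_Before/Not_After field into a datetime; 'N/A' becomes None."""
    value = value.strip()
    return None if value == "N/A" else datetime.strptime(value, TIME_FMT)


def parse_lscert(text):
    """Split 'cpca_client lscert -kind SIC' output into one dict per certificate."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        subj = re.search(r"Subject\s*=\s*(.+)", block)
        if not subj:
            continue                       # not a certificate record
        rec = {"subject": subj.group(1).strip()}
        rec["cn"] = re.search(r"CN=([^,]+)", rec["subject"]).group(1)
        for key in ("Status", "Kind", "Serial"):
            m = re.search(rf"{key}\s*=\s*(\S+)", block)
            rec[key.lower()] = m.group(1) if m else None
        rec["serial"] = int(rec["serial"]) if rec["serial"] else -1
        nb = re.search(r"Not_Before:\s*(.+?)(?:\s{2,}|$)", block, re.M)
        na = re.search(r"Not_After:\s*(.+?)(?:\s{2,}|$)", block, re.M)
        rec["not_before"] = _parse_time(nb.group(1)) if nb else None
        rec["not_after"] = _parse_time(na.group(1)) if na else None
        entries.append(rec)
    return entries


def _usable(rec, now, statuses):
    """A record counts when its status is accepted and Not_After is still ahead."""
    if rec["kind"] != "SIC" or rec["status"] not in statuses:
        return False
    return rec["not_after"] is None or rec["not_after"] > now


def pick_sic_names(entries, app_cn="Arc_Sight", mgmt_cn="cp_mgmt", now=None):
    """Return (SIC Name, SIC Entity Name) for the connector wizard.

    The application certificate is Pending until the connector pulls it and
    Valid afterwards; the management certificate must be Valid. Among several
    current records with the same CN the highest serial wins (assumption: the
    CA hands out serials in increasing order).
    """
    now = now or datetime.now()
    app = [e for e in entries
           if e["cn"] == app_cn and _usable(e, now, {"Pending", "Valid"})]
    mgmt = [e for e in entries
            if e["cn"] == mgmt_cn and _usable(e, now, {"Valid"})]
    if not app:
        raise LookupError(f"no current SIC certificate for CN={app_cn}; "
                          "was SIC initialised on the OPSEC Application?")
    if not mgmt:
        raise LookupError(f"no valid SIC certificate for CN={mgmt_cn}")
    newest = lambda recs: max(recs, key=lambda e: e["serial"])
    return newest(app)["subject"], newest(mgmt)["subject"]


def demo(text=SAMPLE_LSCERT, now=AS_OF):
    """Run the parser over the constructed sample; returns the two names."""
    return pick_sic_names(parse_lscert(text), now=now)


if __name__ == "__main__":
    sic_name, sic_entity_name = demo()
    print("SIC Name:", sic_name)
    print("SIC Entity Name:", sic_entity_name)
```

On a real SmartCenter you would pipe the live output in (cpca_client lscert -kind SIC | python3 this_script.py, after swapping the demo call for sys.stdin.read()) and leave now at its default. The point of the Not_After check is that a record can still say Valid in an old listing you were sent by e-mail; an expired management certificate is exactly the kind of thing that surfaces later as a connection error on the connector side.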


Pass the SmartCenter Server IP address, SIC Activation Key, server SIC Name & SIC Entity Name to the ArcSight Admin.


<CHECKPOINT ADMIN’S TASKS END HERE>

<ARCSIGHT ADMIN’S TASKS START HERE>

12. Install SmartConnector Core software: that is, follow steps till "Add a connector" step. Quit the installation at that step & follow below procedure.

13. Pull Cert:

-> Goto C:\$ARCSIGHT_HOME\current\bin\agent\checkpoint\OPSECAD\win32

-> command: opsec_pull_cert -h <SmartCenter's IP> -n Arc_Sight -p <SIC Activation Key>

-> You should now have an opsec.p12 file in the same path; this is the SIC certificate. (At this point you can also ask the Checkpoint admin to check the SIC status, which should now show "Trust Established" in the Checkpoint Dashboard.)

-> Copy the output file to the C:\$ARCSIGHT_HOME\current\user\agent\checkpoint directory.

-> When configuring the connector, only the filename is required: by default the connector looks in the directory above for the filename entered in the connector's parameter table, so the full path is not needed.

14. From $ARCSIGHT_HOME/current/bin, enter arcsight connectorsetup to return to the SmartConnector Configuration Wizard.  When queried whether to enter Wizard mode, click Yes.  Select "Checkpoint OPSEC NG" as the connector & "sslca" as authentication method.

15. Connection Parameters:

Enter the IP address of the SmartCenter Server, the file name (i.e. opsec.p12), and the SIC Name and SIC Entity Name noted earlier. If you pass this stage without any error message, congratulations.


<ARCSIGHT ADMIN’S TASKS END HERE>

11 Replies

Respected Contributor..

If I am moving the Checkpoint from an old appliance to a new appliance, do I need a new certificate, or can I use the same certificate?

Absent Member.

Why not use the win32\pull cert utility in the opsecng directory instead of the opsecad directory? I am facing an issue even after following all the steps mentioned in the document... any idea why not to use the opsecng\win32\pull cert utility?

The name of the file is different, but the point I am asking about is the pull cert utility.

Trusted Contributor..

Just one more piece of information:

18184/tcp: is used to retrieve FW/AUDIT logs from the Check Point API;

18210/tcp: is used for a one time connection to pull the certificate.

Regards,

Daniel.

Acclaimed Contributor.

Hi all,

I think you missed one step.

If the Check Point connector will be running on CentOS (6.5, 6.6, 7.0 or 7.1) or RHEL OS (6.5 or 7.0), install the Pluggable Authentication Modules (PAM) package before installing the CheckPoint connector. Otherwise, you may get an error message when executing opsec_pull_cert on the LEA Client side. PAM is a system of libraries that handles the authentication tasks of applications and services. The library provides a stable API for applications to defer to for authentication tasks.

Cheers

Gayan

Acclaimed Contributor.

What happens if we use 18185 instead of 18184? Is there any obligation?

Cheers

Gayan

Respected Contributor.

I'm looking for integration of a Checkpoint server where the Check Point servers are clustered. I see point 4 below, but could not understand it: if we do not do anything on the secondary SmartCenter server, then how does it forward the logs when the first SmartCenter fails?

================

4. In a cluster environment, you can perform this task ONLY on PRIMARY SmartCenter Server.  Do NOT try it on SECONDARY Server for it behaves as Read Only.

================

Acclaimed Contributor.

Hi all,

If I can telnet to the log server (telnet cp-log-server 18184) and I'm still getting "Opsec error. rc=-1 err=-96 Connection error", what could be the reason?

Cheers

Gayan

Respected Contributor.

Hi Gayan,

I hope there is no connectivity issue between the connector and the device.

Please re-check the entity name given in the Checkpoint server and ensure you are using the same name while pulling the certificate.

Also use the correct folder path (opsecad for the sslca method) in the connector while pulling the certificate.

Before pulling the certificate, ask your Check Point admin to reset the password and do a cpstop & cpstart on the Checkpoint.

Regards,

Subhajit

Acclaimed Contributor.

Hi Subhajit,

I double-checked the OPSEC app name, IP and SIC password. All are correct, and I use the opsecad method to pull the cert, so the method is also correct. It's really hard to do cpstop and cpstart since it's a production FW. Is there any other solution?

Cheers

Gayan

Valued Contributor.

Hi Gayan,

We also had the same issue, so before pulling the certificate you should update the password in the firewall and do cpstop, cpstart.

It would be the only solution, I think.

Thanks, Akash.
Acclaimed Contributor.

Hi Akash,

I found the error: it was a wrong IP that was given to pull the cert.
