Splunk Add-on for Check Point OPSEC LEA 2.1.1 Installation and Configuration Manual Generated: 11/04/2014 6:30 am Copyright (c) 2014 Splunk Inc. All Rights Reserved

OPSEC- How to Install


DESCRIPTION

This is a step by step process for OPSEC installation


Table of Contents

Introduction
  • About the Splunk Add-on for Check Point OPSEC LEA
  • New to Splunk
  • How this add-on fits into the Splunk picture
  • How to get support and learn more about Splunk

Before you deploy
  • Deployment Architecture
  • Prerequisites
  • Hardware requirements
  • What data does the add-on collect?
  • Set up lea_loggrabber
  • Set up forwarder
  • Set up SSLCA authentication

Installation checklist
  • Installation Checklist

Deploy the add-on
  • Install the Splunk Add-on for Check Point OPSEC LEA
  • Configure the LEA client

Manage Connections
  • Manage connections

Terminology
  • Terminology

Troubleshooting
  • Set debug logging level
  • View debug logs
  • Run lea-loggrabber manually
  • Basic Check Point debugging


Introduction

About the Splunk Add-on for Check Point OPSEC LEA

The Splunk Add-on for Check Point OPSEC LEA lets you collect and analyze firewall logs and audit logs from Check Point standalone FW-1 firewalls, standard Multi-Domain Security Management (Provider-1) environments, and Provider-1 environments using the Multi-Domain Log Module (MLM).

The add-on uses the Check Point Log Export API (LEA) along with a customized Splunk lea-loggrabber utility to poll your Check Point servers and collect log data.

The Splunk Add-on for Check Point OPSEC LEA installation package includes all of the files required to install and run the add-on on Linux (RHEL/CentOS 5.x or 6.x only) or Solaris SPARC (version 10 or later).

You can download the package from Splunk Apps, then install the add-on manually on your Splunk Enterprise deployment. Or install the add-on from the Apps menu inside Splunk Web.

Feature Summary

The Splunk Add-on for Check Point OPSEC LEA includes these features:

• Facilitates near-real-time log data analysis to help detect anomalous behavior and maintain regulatory standards compliance.
• Includes a UI to simplify Check Point data collection configuration.
• Monitors firewall administrative activity.
• Displays event throughput metrics for monitoring connection and system health.
• Hides the complexity of data collection from multiple firewalls in a single technology add-on instance.

About Check Point logs

The Splunk Add-on for Check Point OPSEC LEA collects logs from Check Point R75.10, R75.4, R76, and R77 firewalls, including:

• Data from standalone FW-1 firewalls.
• Data from multiple (10 to 100) Provider-1 firewalls, concurrently.

The Splunk Add-on for Check Point OPSEC LEA collects these log files:

• Regular log files (*.log).
• Account log files (*.alog).
• Audit log files (*.adtlog).

Data collection uses the OPSEC LEA protocol over SSL.

Note: Support for Check Point R70 log data is discontinued in version 2.0.4 of the Splunk Add-on for Check Point OPSEC LEA. For more information, see Supported Check Point products and versions.

New to Splunk

If this is the first time you have used Splunk, then read on... this topic introduces the most important Splunk concepts you need to understand when installing and using Splunk apps.

Splunk and Splunk apps work together.

The key points to come away with are:

• All Splunk apps run on the Splunk platform.
• Understanding how Splunk works will greatly help you understand how Splunk apps work.
• Installing and configuring the app is only part of the experience - you might need to prepare Splunk before installing your app.
• Careful planning helps achieve a successful app deployment experience.

Splunk basics

Splunk is a software platform that accepts data from many different sources, such as files or network streams. Splunk stores a unique copy of this data in what's called an index. Once the data is there, you can connect to Splunk with your web browser and run searches across that data. You can even make reports or graphs on the data, right from within the browser.


You can extend Splunk's capability by installing apps. Splunk apps come with searches, reports, and graphs about specific products that are common to most IT departments. These searches, reports, and graphs reduce the amount of time it takes to glean real value from installing and running the Splunk platform.

Before you can really understand how Splunk apps work, you should understand how Splunk works. Fortunately, we've got you covered in that respect.

If you're new to Splunk, then the best place to learn more about it is in the Search Tutorial. It helps you learn what Splunk is and what it does, as well as what you need to run it, and get step-by-step walk-throughs on how to set it up, get data into it, search with it, and create reports and dashboards on it.

Licensing

The next thing you want to learn about is Splunk's licensing model. Splunk charges you based on the amount of data you index. The licensing introduction from the Admin Manual is a great place to start learning about how licenses work. You can also find out the types of licenses that are available, how to install, remove, and manage them, and what happens when you go over your license quota.

In the context of Splunk apps, the amount of licensing capacity you need depends on how each app defines the individual data inputs that it uses. Splunk apps use inputs to tell Splunk what data it needs to collect for the app's purpose. Some apps, such as the Splunk App for Enterprise Security, collect a lot of data, which your license must cover in order for you to be able to search that data without interruption. When planning for your app, make sure you include enough licensing capacity.

Configuration

Much of Splunk's extensibility is in how configurable it is. You must configure Splunk before it can collect data and extract knowledge. All Splunk apps use configuration files to determine how to collect, transform, display, and provide alerts for data. The Admin Manual shows you how to configure those files and includes a reference topic for each configuration file that Splunk uses. In some cases, you can also use Splunk Web or the CLI to make changes to a Splunk app's configuration.

Splunk also uses configuration files to configure itself. When Splunk initializes, it finds all of the configuration files located in the Splunk directory and merges them to build a final "master" configuration, which it then runs on. When you install a Splunk app on a Splunk instance, Splunk must determine which configuration files to use if it encounters a conflict. This is where configuration file precedence comes in.

It's important to understand how precedence works. In many cases, if there is a configuration file conflict, Splunk gives priority to an app's configuration file. In some situations, installing an app might inadvertently override a setting in a configuration file in the core platform, which might lead to undesired results in data collection. Be sure to read the previously mentioned topic thoroughly for details.

Splunk Search

Splunk provides the ability to look through all the data it indexes and create dashboards, reports, and even alerts. All Splunk apps rely on Splunk search, so it's a good idea to read the Search Manual's overview on search to learn how powerful Splunk's search engine is (the Tutorial is also a good place to learn about Splunk search).

You should also have an understanding of Splunk's search language. Splunk apps use the search language extensively to put together search results and knowledge objects which drive their dashboards, reports, charts, and tables.

Finally, it's a good idea to familiarize yourself with the search commands in the Search Reference Manual. That manual describes the commands that both Splunk and your Splunk app can use.

Sources and source types

When Splunk indexes data, it does so from a source - an entity that provides data for Splunk to extract, for example, Windows event logs, or *nix syslogs. Splunk tags incoming data with a "source" field as it gets indexed. The source type is an indicator for the type of data, so that Splunk knows how to properly format and extract it as it comes in. It's also - conveniently enough - a way to categorize data, as you can use Splunk search to display all data of a certain source type.

Splunk apps use sources and source types to extract knowledge from the data they index. Many views in an application depend on searches with specific sources and source types defined in them. Splunk apps sometimes use the source types that come with Splunk, and sometimes they define their own.


Capacity planning and distributed Splunk

Another important factor to consider when using a Splunk app: Do you have enough hardware to realistically support a deployment for the Splunk app you're using? Read our capacity planning documentation for a head-start on ensuring you have the machinery in place to run your Splunk app deployment at peak performance.

Learning about capacity planning is a perfect time to introduce another concept with which you should be familiar: distributed search. Nearly every Splunk app available can use distributed search, and many were developed with distributed search in mind. What this means is that you must work with multiple Splunk instances at once - with each instance playing a specific role - to use the app to its full potential. Initially, you add indexers to increase indexing performance, then you add search heads to increase search performance. The Distributed Deployment Manual provides details on how to add more Splunk instances to keep up with your app's performance demands.

What's next?

From this point, you are ready to plan your app deployment. Continue reading for information about how this app fits into the Splunk picture, platform and hardware requirements, and other deployment considerations.

How this add-on fits into the Splunk picture

The Splunk Add-on for Check Point OPSEC LEA is one of a variety of apps and add-ons available in the Splunk ecosystem. All Splunk apps and add-ons run on top of a Splunk Enterprise installation, so you must first install Splunk Enterprise, then install the Splunk Add-on for Check Point OPSEC LEA. For installation instructions, see "Install the Splunk Add-on for Check Point OPSEC LEA" later in this manual.

The Splunk Add-on for Check Point OPSEC LEA is compatible with the Common Information Model (CIM) and can be integrated with the Splunk App for Enterprise Security (ES) and the Splunk App for PCI Compliance (PCI). For more information, see:

• Splunk App for Enterprise Security: Version 1.x, 2.x and later supported. See Add a custom technology add-on to an app. Make sure to review the Known Issues described in the ES Release Notes.
• Splunk App for PCI Compliance: See Install technology add-ons. Make sure to review the Known Issues described in the PCI Release Notes.

For more information about Splunk apps and add-ons, see "What are apps and add-ons?" in the Splunk Admin Manual.

How to get support and learn more about Splunk

Get Support

To get help with the Splunk Add-on for Check Point OPSEC LEA, send an email to [email protected], or use the Splunk Support Portal to log a support case.

If your Splunk deployment is large or complex, contact the Splunk Professional Services team to help you deploy the Splunk Add-on for Check Point OPSEC LEA.

Learn more

This list includes a variety of resources available to help you learn more about Splunk and the Splunk Add-on for Check Point OPSEC LEA.

• The core Splunk documentation
• Splunk Answers
• The #splunk IRC channel on EFNET: http://www.splunk.com/view/SP-CAAACDF
• Download the Splunk Add-on for Check Point OPSEC LEA: http://apps.splunk.com/app/263
• Documentation (OPSEC LEA specific): http://docs.splunk.com/Documentation/OPSEC-LEA
• Questions and answers (OPSEC LEA specific): http://answers.splunk.com/tags/?q=opsec
• General Splunk support: http://www.splunk.com/support

Before you deploy

Deployment Architecture

The Splunk Add-on for Check Point OPSEC LEA is typically installed on a Splunk light or heavy (but not universal) forwarder and configured to pull data from a remote Check Point device. The add-on must also be installed on Splunk indexers and search heads to provide index- and search-time knowledge.

For smaller scale environments, all of the Splunk components may be installed on the same hardware instance, running either a Linux (RHEL/CentOS 5.x or 6.x) or Solaris SPARC version 10 or later operating system. For supported Check Point products/versions and additional compatibility information, see Prerequisites.

How it works

The Splunk Add-on for Check Point OPSEC LEA communicates with the Check Point environment to retrieve log records, using the Check Point Log Export API (LEA). The lea-loggrabber utility implements the client side of the LEA protocol. The Splunk version of lea-loggrabber is derived from the commonly used FW1-Loggrabber.

Collected Check Point log data is forwarded to Splunk indexers and, eventually, a search head for creating Splunk knowledge objects. The Splunk Add-on for Check Point OPSEC LEA integrates with other apps and add-ons, including the Splunk App for Enterprise Security (ES). When the ES application is installed, its traffic and access/audit dashboards are populated with Check Point log data.

This figure shows the Check Point and Splunk Add-on for Check Point OPSEC LEA communication paths for configuration and for transferring log data, in a standard Multi-Domain Server (MDS) Provider-1 environment:


Callout description:

1. The Splunk Add-on for Check Point OPSEC LEA is installed on your Splunk forwarder, indexer, and search head, as applicable:
   • Forwarder: Data acquisition. Authenticates communication between Splunk and Check Point environments and periodically polls Check Point log data, using lea-loggrabber. For optimum performance, Splunk recommends using a heavy forwarder (see Types of forwarders). Use the Splunk Add-on for Check Point OPSEC LEA UI to configure the Splunk/Check Point interface.
   • Indexer: Indexes Check Point firewall and audit data.
   • Search head: Provides search time knowledge for field extractions and event types.

2. In some environments, it may be desirable to perform authentication using the CLI, instead of the UI.

3. Use the Check Point SmartDashboard to:
   • Create the Splunk Add-on for Check Point OPSEC LEA.
   • Create the OPSEC application certificate.
   • Add firewall rules.
   • Verify that trust is established.
   • Install the database.

4. The Splunk Add-on for Check Point OPSEC LEA periodically polls the Check Point server, using the lea-loggrabber utility (LEA), to collect security and audit log records.

5. Log data are transmitted to the Splunk Add-on for Check Point OPSEC LEA in response to lea-loggrabber requests.

Prerequisites

General system requirements for installing and running Splunk applications are covered in the System Requirements section of the Splunk Enterprise Installation Manual.

Splunk Enterprise version

The Splunk Add-on for Check Point OPSEC LEA is dependent on the Splunk Enterprise platform, which must be installed and configured prior to installing the Splunk Add-on for Check Point OPSEC LEA.

The Splunk Add-on for Check Point OPSEC LEA version 2.1 requires Splunk Enterprise version 6.0.3 or later.

For detailed information on Splunk component and hardware requirements, see Hardware requirements.

Supported Check Point products and versions

The Splunk Add-on for Check Point OPSEC LEA supports these Check Point products:

• Standalone FireWall-1 NGX
• Multi-Domain Security Management (Provider-1)
• Provider-1 with Multi-Domain Log Module (MLM)

Supported firewall versions:

• R75.10
• R75.40
• R76
• R77

Supported operating systems

These operating system requirements apply to the Splunk forwarder only. The search head and indexer can be hosted on any platform.


Linux

• RHEL/CentOS 5.x or 6.x. No other Linux variants.
• Linux kernel version 2.6.x or later (x86_64).
• Bash, version 3 or later. If you are using an earlier version of Bash, edit the lea-loggrabber.sh script to pass the application name instead of using the BASH_SOURCE environment variable. See "Set up lea_loggrabber".
• GNU C library (glibc.i686 32-bit). Install using yum install glibc.i686
• PAM shared libraries (pam.i686 32-bit). Install using yum install pam.i686.

Solaris

• Solaris SPARC version 10 or later.

Supported file systems

Platform    File systems
Linux       ext2/3/4, reiser3, XFS, NFS 3/4
Solaris     NFS 3/4

For more information on Splunk supported file systems, see "Supported file systems" in the Splunk Enterprise Installation Manual.

Supported browsers

The Splunk Add-on for Check Point OPSEC LEA version 2.1 supports these browsers:

• Chrome (latest)
• Safari (latest)
• Firefox (latest) (version 10.x is not supported)
• Internet Explorer 9 or later. Internet Explorer 9 is not supported in compatibility mode.

Splunk licensing

Splunk licenses are based on the amount of data stored by your Splunk indexers per day. For detailed information, see "How Splunk licensing works."


Other prerequisites

For Check Point server authentication to work, the $HOME directory must be writable by the Linux account that Splunk is running as.

Hardware requirements

Before installing the Splunk Add-on for Check Point OPSEC LEA, make sure that your underlying Splunk Enterprise deployment meets the requirements specified in "Introduction to capacity planning for Splunk Enterprise" in the Splunk Enterprise Capacity Planning Manual.

For details on Splunk component performance specifications and reference hardware requirements, see "Reference hardware" in the Splunk Enterprise Installation Manual.

For recommendations on scaling your Splunk Enterprise deployment for your specific performance requirements, see the "Performance questionnaire" in the Splunk Enterprise Installation Manual.

Note: Reference hardware recommendations refer only to the Splunk Enterprise deployment on which your Splunk Add-on for Check Point OPSEC LEA runs. Depending on the throughput of your OPSEC LEA connections, additional indexer capacity might be required. See Indexer requirements.

Splunk component requirements

Install the Splunk Add-on for Check Point OPSEC LEA on your Splunk forwarder, indexer, and search head, as applicable to your deployment. For a detailed view of a standard Splunk Add-on for Check Point OPSEC LEA deployment, see "Deployment architecture".

• Forwarder: The forwarder collects Check Point log data from the OPSEC LEA connection, and sends it to your Splunk indexer(s). Use light forwarders or heavy forwarders only. Do not use universal forwarders. For best performance, we recommend that you use a heavy forwarder. See Types of forwarders. The forwarder also:
   • authenticates communication between Splunk and Check Point environments;
   • polls the Check Point environment for log data at default intervals of 30 seconds, using lea-loggrabber;
   • and provides a UI to configure the Splunk/Check Point interface.
• Indexer: Indexers receive and index Check Point log data sent from the Splunk forwarder. Indexers provide index time settings for Check Point firewall and audit data. To avoid load conditions that can introduce latency, make sure that your Splunk Enterprise deployment includes sufficient indexer capacity. See Indexer requirements.
• Search head: The search head is where you perform search and analysis operations on your Check Point log data. Search heads provide search time knowledge for field extractions and event types.

Forwarders must be installed on Linux (RHEL/CentOS 5.x and 6.x) or Solaris SPARC (version 10 or later) hosts only. Search heads and indexers can be installed on any Splunk Enterprise compatible operating system.

Note: Data collection on search heads or indexers is not recommended for larger deployments.

For more information about Splunk components, see "Components of a Splunk Enterprise deployment" in the Splunk Enterprise Capacity Planning Manual.

Indexer requirements

It is important that your Splunk Add-on for Check Point OPSEC LEA deployment includes sufficient indexer capacity to handle the incoming load. An insufficient number of indexers can negatively impact performance and introduce latency into your system.

Follow these steps, and refer to the chart below, to determine your indexer requirements:

1. Determine the average eps (events per second) of all combined OPSEC LEA connections. You can run a Splunk search to find this. For example:

source=*my_connection* | stats count as eps by _time | stats avg(eps)

You can run this search by sourcetype (sourcetype="opsec"), per source (as shown above), or pipe in all of your connections. To get a useful baseline sample, run the search across peak hours of the previous day, for several consecutive days.

2. If the total average eps from all combined OPSEC LEA connections exceeds 13k eps, add one additional indexer to your deployment for each 13k eps increment.

Total events per second (eps)    Number of indexers
< 13k eps                        1
13k-26k eps                      2
26k-39k eps                      3
39k-52k eps                      4
> 52k eps                        Add one indexer for each additional 13k eps increment

Note: A single Splunk indexer can accept any number of OPSEC LEA connections, so long as the rate of input does not exceed 13k eps for that indexer.

For more information on Splunk indexers, see "How indexing works" in the Managing Indexers and Clusters manual.

Important: These indexer requirements are in addition to the processing requirements of your Splunk Enterprise deployment on which this add-on runs. For more information on Splunk Enterprise requirements, see the Capacity Planning manual.
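The following Python script is an added example, not part of this manual or the add-on. It reproduces the sizing procedure above offline: the average-eps calculation mirrors the Splunk search shown in step 1 (count events per distinct second, then average those counts), the indexer count follows the table, and the two connections and their event timestamps are constructed sample data.

```python
"""Indexer sizing from measured OPSEC LEA event rates.

Added example, not code from the Splunk manual or the add-on. The eps measurement
mirrors the Splunk search
    source=*my_connection* | stats count as eps by _time | stats avg(eps)
and the indexer count follows the manual's 13k-eps-per-indexer table. All event
timestamps below are constructed sample data.
"""
from collections import Counter
from datetime import datetime, timedelta, timezone

INDEXER_EPS_CAPACITY = 13_000  # 13k eps per indexer, from the manual's table


def average_eps(timestamps):
    """Average events per second for one connection.

    Mirrors `stats count as eps by _time | stats avg(eps)`: count the events in
    each distinct second, then average those per-second counts.
    """
    per_second = Counter(int(ts.timestamp()) for ts in timestamps)
    if not per_second:
        return 0.0
    return sum(per_second.values()) / len(per_second)


def indexers_required(total_eps):
    """Indexers needed for the combined average eps of all connections.

    Follows the manual's table: below 13k eps one indexer, 13k-26k two, and so
    on, i.e. one more indexer for each full 13k-eps increment.
    """
    if total_eps <= 0:
        return 0
    return int(total_eps // INDEXER_EPS_CAPACITY) + 1


def size_deployment(connections):
    """Sum the per-connection averages and return (total_eps, indexer_count)."""
    total = sum(average_eps(ts) for ts in connections.values())
    return total, indexers_required(total)


def _constructed_events(start, eps, seconds):
    """Constructed sample: exactly `eps` events in each of `seconds` consecutive seconds."""
    return [start + timedelta(seconds=s) for s in range(seconds) for _ in range(eps)]


# Constructed sample input: two OPSEC LEA connections observed over four seconds.
START = datetime(2014, 11, 4, 6, 30, tzinfo=timezone.utc)
SAMPLE_CONNECTIONS = {
    "fw_hq": _constructed_events(START, 9000, 4),
    "fw_dc": _constructed_events(START, 5500, 4),
}

if __name__ == "__main__":
    total, count = size_deployment(SAMPLE_CONNECTIONS)
    print(f"combined average: {total:.0f} eps -> {count} indexer(s)")
```

With the constructed sample the two connections average 9000 and 5500 eps, a combined 14500 eps, which lands in the 13k-26k row of the table and therefore calls for two indexers. In a real deployment the timestamps would come from the Splunk search run over peak hours on several days, as step 1 recommends.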

What data does the add-on collect?

About log record collection

The Splunk Add-on for Check Point OPSEC LEA hides the complexity of Check Point log record collection. In addition to collecting firewall security logs and audit logs, the add-on:

• Performs log roll-over (switching).
• Handles latency in extended networks.
• Recovers from communication errors.

The add-on implements the client side of the LEA protocol and either auto-detects environment configuration parameters, or provides for parameter configuration through the UI.


The lea-loggrabber utility polls the Check Point logs every thirty seconds, by default. The polling period is configurable. The Splunk client application tracks the position of the last Check Point log it received. If for some reason it cannot retrieve logs from the server, it begins record collection where it last left off after communication is restored.
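The following Python script is an added example, not the add-on's or lea-loggrabber's code. It shows the checkpoint behavior just described with a toy poller: the (fileid, loc) of the last delivered record is the checkpoint, a simulated dropped connection interrupts one poll, and the next poll resumes from the checkpoint across a log roll-over with neither gaps nor duplicates. The server, the records and the failure are constructed, and ordering records by (fileid, loc) assumes that fileids increase on roll-over, which is a simplification of this example rather than something the manual states.

```python
"""Checkpointed log polling, as the manual describes for lea-loggrabber.

Added example, not the Splunk add-on's code. A toy poller remembers the
(fileid, loc) of the last record it delivered and asks the server for records
after that point, so a dropped connection or a log roll-over (new fileid) causes
neither gaps nor duplicates. The server, its records and the injected failure are
constructed; ordering by (fileid, loc) assumes fileids increase on roll-over.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Record:
    fileid: int  # the Check Point log file the record came from (see "fileid")
    loc: int     # position of the record within that file (see "loc")
    text: str


class CommunicationError(Exception):
    """Constructed stand-in for a lost LEA connection."""


class FakeLeaServer:
    """Constructed log server. `fail_after` maps a poll number to how many
    records that poll may deliver before the connection is dropped."""

    def __init__(self, records, fail_after=None):
        self.records = sorted(records, key=lambda r: (r.fileid, r.loc))
        self.fail_after = fail_after or {}
        self.polls = 0

    def fetch(self, checkpoint):
        """Yield records after the (fileid, loc) checkpoint, in order."""
        self.polls += 1
        limit = self.fail_after.get(self.polls)
        sent = 0
        for rec in self.records:
            if (rec.fileid, rec.loc) <= checkpoint:
                continue  # already delivered before the checkpoint
            if limit is not None and sent >= limit:
                raise CommunicationError("connection dropped mid-transfer")
            sent += 1
            yield rec


class CheckpointedPoller:
    """Delivers records and advances the checkpoint only after each delivery."""

    def __init__(self, server):
        self.server = server
        self.checkpoint = (0, 0)  # before the first record of the first file
        self.delivered = []

    def poll(self):
        """One polling cycle. Returns False if the connection failed; the next
        call resumes from the last delivered record."""
        try:
            for rec in self.server.fetch(self.checkpoint):
                self.delivered.append(rec)
                self.checkpoint = (rec.fileid, rec.loc)
        except CommunicationError:
            return False
        return True


# Constructed sample: three records in log file 1, then a roll-over to file 2.
SAMPLE_RECORDS = [
    Record(1, 1, "accept src=10.0.0.5"),
    Record(1, 2, "drop src=10.0.0.9"),
    Record(1, 3, "accept src=10.0.0.7"),
    Record(2, 1, "audit admin login"),
    Record(2, 2, "accept src=10.0.0.5"),
]


def run_sample():
    """Poll three times, with the first poll dropping after two records.
    Returns (poll results, delivered (fileid, loc) pairs, final checkpoint)."""
    poller = CheckpointedPoller(FakeLeaServer(SAMPLE_RECORDS, fail_after={1: 2}))
    results = [poller.poll() for _ in range(3)]
    return results, [(r.fileid, r.loc) for r in poller.delivered], poller.checkpoint


if __name__ == "__main__":
    print(run_sample())
```

The first poll delivers two records and then loses the connection; because the checkpoint only moves after a record is handed over, the second poll picks up at (1, 3), follows the roll-over into file 2, and the third poll finds nothing new. This is the property that matters when tuning the checkpoint value for high-latency networks: a record is either delivered once or not yet delivered, never lost or repeated.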

What data is logged?

The Splunk Add-on for Check Point OPSEC LEA retrieves Check Point security and account data. For more information, see the Check Point LEA (Log Export API) Specification (refer to LEA.pdf, p.20, 25).

Splunk extracts key-value pairs from Check Point log records and creates the corresponding index fields. Additionally, the following data items are provided:

• fileid: The file ID of the Check Point log file.
• loc: The position of the record in the log file.

Sourcetype

The Splunk Technology Add-on for Check Point OPSEC LEA associates the following sourcetypes with the key-value pairs:

• opsec: Firewall security data has the opsec sourcetype.
• opsec_audit: Audit/account data has the opsec_audit sourcetype.
• (user-defined): You can define a custom sourcetype to associate with the key value pair.

The desired sourcetype is selected, or specified, in the UI.

Note: Splunk recommends that you use the default audit log sourcetype name, opsec_audit. If you change the sourcetype, you must also edit the props.conf file in $SPLUNK_HOME/etc/apps/Splunk_TA_opsec/local to correctly set Splunk processing properties, such as field extractions and linebreaking.

For more information about sourcetype, see:

• Splexicon > sourcetype
• Getting Data In


Filtering log data

You can specify the type of log data to collect by manually editing the fw1-loggrabber.conf file located in the $SPLUNK_HOME/etc/apps/splunk_TA_opseclea/bin directory.

Refer to the fw1-loggrabber manpage for detailed information about configuring log data collection. In the CONFIGURATION FILE section, see the FW1_FILTER_RULE and AUDIT_FILTER_RULE property descriptions, which refer to examples in the FILTERING section.

Set up lea_loggrabber

For information on lea_loggrabber configuration, see the fw1-loggrabber manpage.

Note: In the manpage CONFIGURATION FILE section (fw1-loggrabber.conf), the FW1_FILTER_RULE option does not work. See Known issues.

Warning: We strongly recommend that you do not modify fw1-loggrabber options in the fw1-loggrabber.conf file. Changing these options can cause REST conflicts.

Bash version

If you are using a version of Bash older than version 3, edit the lea-loggrabber.sh script to pass the application name instead of using the BASH_SOURCE environment variable.

1. Go to $SPLUNK_HOME/etc/apps/Splunk_TA_opseclea/bin.

2. Enter:

./lea-loggrabber.sh "$@" --appname Splunk_TA_opseclea

Note: This applies to Linux environments only.

Specify audit log collection

The lea-loggrabber utility lets you collect audit logs by specifying the --auditlog parameter in the command line. While you can specify audit log collection by manually editing the lea-loggrabber.sh script, we strongly recommend that you specify audit log collection in the Splunk Add-on for Check Point OPSEC LEA UI.


FW-1 loggrabber license agreement

/******************************************************************************/
/* fw1-loggrabber - (C)2005 Torsten Fellhauer, Xiaodong Lin */
/******************************************************************************/
/* Version: 1.11.1 */
/******************************************************************************/
/* */
/* Copyright (c) 2005 Torsten Fellhauer, Xiaodong Lin */
/* All rights reserved. */
/* */
/* Redistribution and use in source and binary forms, with or without */
/* modification, are permitted provided that the following conditions */
/* are met: */
/* 1. Redistributions of source code must retain the above copyright */
/*    notice, this list of conditions and the following disclaimer. */
/* 2. Redistributions in binary form must reproduce the above copyright */
/*    notice, this list of conditions and the following disclaimer in the */
/*    documentation and/or other materials provided with the distribution. */
/* */
/* THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND */
/* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE */
/* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE */
/* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE */
/* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL */
/* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS */
/* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) */
/* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT */
/* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY */
/* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF */
/* SUCH DAMAGE. */
/* */
/******************************************************************************/

Set up forwarder

For most use cases, we recommend that you install the Splunk Add-on for Check Point OPSEC LEA on a Splunk forwarder. You can install the add-on on a light forwarder or heavy forwarder, but not a universal forwarder.

If you install the Splunk Add-on for OPSEC LEA on a forwarder, make sure that Splunk Web is enabled for running the configuration UI by setting the startwebserver variable in the $SPLUNK_HOME/etc/apps/<forwarderType>/default/web.conf file:

startwebserver = 1

Note: To run the Splunk Add-on for Check Point OPSEC LEA, the forwarder must be installed on either a Linux (RHEL/CentOS 5.x or 6.x only) or Solaris SPARC (version 10 or later) operating system.

Set up SSLCA authentication

Check Point recommends SSLCA as the default authentication method. Changes to the fwopsec.conf and sic_policy.conf files are not recommended, and are not supported during upgrade. Make sure the fwopsec.conf and sic_policy.conf files have the default settings for LEA. In particular, the ssl_opsec auth_type is not supported.

Note: The Splunk Add-on for OPSEC LEA version 1.1 required changes to these files. If you installed version 1.1, you must restore the files to their default values, as follows:

1. SSH into the Management Server (or Provider-1 CMA) and enter expert mode:

mdsenv <CMA_IP_Address>

2. Confirm that the fwopsec.conf file has no entries related to the LEA server.

3. Confirm that the sic_policy.conf file has the following default entries for #LEA:

#LEA:
ANY ; ANY ; 18184 ; fwn1_opsec ; fwn1, local_ipcheck

4. If you have made changes to either file, restart the server or CMA:

cpstop
cpstart
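The following Python script is an added example, not part of this manual or the add-on. It checks the two conditions from steps 2 and 3 against file contents: no LEA server entries in fwopsec.conf, and the default #LEA rule present in sic_policy.conf. Matching fwopsec.conf lines that begin with lea_server is an assumption about that file's syntax, not something the manual states; the file contents in the script are constructed samples.

```python
"""Verify the default LEA settings the "Set up SSLCA authentication" steps ask for.

Added example, not part of the manual or the add-on. It checks, from file
contents, that fwopsec.conf carries no LEA server entries and that
sic_policy.conf still has the default #LEA rule quoted in the manual. Treating
lines that start with `lea_server` as the LEA server entries is an assumption
about fwopsec.conf syntax; all file contents below are constructed samples.
"""

# Default #LEA rule from the manual, with whitespace normalized for comparison.
DEFAULT_LEA_RULE = "ANY ; ANY ; 18184 ; fwn1_opsec ; fwn1, local_ipcheck"


def _active_lines(text):
    """Non-empty, non-comment lines with runs of whitespace collapsed."""
    for raw in text.splitlines():
        line = " ".join(raw.split())
        if line and not line.startswith("#"):
            yield line


def fwopsec_lea_entries(fwopsec_text):
    """LEA server entries in fwopsec.conf (assumed to start with `lea_server`)."""
    return [l for l in _active_lines(fwopsec_text) if l.split()[0] == "lea_server"]


def sic_policy_has_default_lea(sic_policy_text):
    """True if the default #LEA rule is present in sic_policy.conf."""
    return any(l == DEFAULT_LEA_RULE for l in _active_lines(sic_policy_text))


def check_defaults(fwopsec_text, sic_policy_text):
    """Return a list of findings; an empty list means both files are at LEA defaults."""
    findings = []
    for entry in fwopsec_lea_entries(fwopsec_text):
        note = " (ssl_opsec auth_type is not supported)" if "ssl_opsec" in entry else ""
        findings.append(f"fwopsec.conf: LEA server entry present: {entry}{note}")
    if not sic_policy_has_default_lea(sic_policy_text):
        findings.append("sic_policy.conf: default #LEA rule missing or changed")
    return findings


# Constructed samples: a default pair, and a pair with leftovers from an older setup.
FWOPSEC_DEFAULT = """\
# constructed fwopsec.conf excerpt with no LEA server lines
# (other OPSEC server settings omitted)
"""
SIC_POLICY_DEFAULT = """\
# constructed sic_policy.conf excerpt
#LEA:
ANY ; ANY ; 18184 ; fwn1_opsec ; fwn1, local_ipcheck
"""
FWOPSEC_MODIFIED = """\
# constructed: LEA server lines left over from an older setup
lea_server auth_port 18184
lea_server auth_type ssl_opsec
"""
SIC_POLICY_MODIFIED = """\
# constructed: rule edited to a non-default port
#LEA:
ANY ; ANY ; 18185 ; fwn1_opsec ; fwn1, local_ipcheck
"""

if __name__ == "__main__":
    for name, pair in {"default": (FWOPSEC_DEFAULT, SIC_POLICY_DEFAULT),
                       "modified": (FWOPSEC_MODIFIED, SIC_POLICY_MODIFIED)}.items():
        print(name, check_defaults(*pair) or ["OK: LEA defaults in place"])
```

Run it against the two files read from the server after step 1; an empty findings list means step 4 can be skipped, while any finding names the line to restore before running cpstop and cpstart. The comparison collapses whitespace so a rule that differs only in spacing still counts as the default.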


Installation checklist

Installation Checklist

Use this checklist to verify your installation process. Each item links to detailed information about how to perform the required step.

Preliminary steps

Verify that the system running your Splunk instance meets the minimumrequirements.

(Linux-only) Set up lea_loggrabber.

Set up forwarder(s), if applicable.

Set up SSLCA authentication.

Basic steps

Download and install Splunk.

Download and install the Splunk Add-on for Check Point OPSEC LEA for your operating system.

Verify LEA settings. Create the Splunk OPSEC application, if necessary.

Create the OPSEC application certificate, adding SplunkLEA to the OPSEC Application list.

If there are firewalls between Splunk and the management server, add new firewall rules.

Install the database.

Configure the LEA client via the Splunk Add-on for OPSEC LEA UI or via the command line.

Connect to the Management Server (FW-1), or CMA or CLM (Provider-1).


Pull the certificate for SplunkLEA, creating the <opsecAppName>.p12 file.

Configure SIC details.

Verify that a trusted state is established for SplunkLEA.

Follow-up steps

Verify that Splunk is indexing data.

If you need to debug a problem, set the debug logging level.

Set the log record checkpoint value for networks with large latency.


Deploy the add-on

Install the Splunk Add-on for Check Point OPSEC LEA

These instructions show you how to install the Splunk Add-on for Check Point OPSEC LEA so that you can collect logs from Check Point FW-1 and Provider-1 servers.

The configuration process for both servers is essentially the same. The only difference is that the SmartDashboard communicates with the Management Server that manages multiple FW-1 instances, while the CMA is an instance of a management server in the Provider-1 context. (Substitute Management Server for CMA, as applicable, in these procedures.)

These instructions assume familiarity with the Check Point environment. Check Point server and application deployment instructions are not included.

Note: Upgrade is not supported for the Splunk Add-on for Check Point OPSEC LEA version 1.1.

Step 1 - Install Splunk

Note: Skip this step if Splunk is already installed on your search head.

Install Splunk on a Linux-based search head as follows:

1. Download the applicable Splunk RPM/DEB package or tar file for your Linux distribution to a temporary directory. You can find the latest release on the Splunk download site: http://www.splunk.com/download.

2. Click the *nix distribution in the Installer column compatible with your hardware and operating system to download Splunk. You may need to log in or create an account, if you don't already have one. Save the file to a temporary directory.

3. Untar the saved file to the /opt/splunk directory, which is your $SPLUNK_HOME directory.

4. Add $SPLUNK_HOME/bin to your PATH environment variable.


5. To download and install the Splunk Add-on for Check Point OPSEC LEA using Splunk Web, you must launch Splunk:

./splunk start

For a new installation, you must add the --accept-license argument to accept the license agreement:

./splunk start --accept-license

For information covering other installation use cases, see the step-by-step installation instructions.

Step 2 - Install the Splunk Add-on for Check Point OPSEC LEA

Splunk provides separate installation packages (.tgz) for Linux and Solaris platforms:

• Linux: splunk-add-on-for-check-point-opsec-lea-linux_204.tgz
• Solaris: splunk-add-on-for-check-point-opsec-lea-solaris_204.tgz

For most use cases, we recommend that you install the appropriate package for your platform on a Splunk forwarder (light forwarder or heavy forwarder only). While you can install the Splunk Add-on for Check Point OPSEC LEA on a Windows indexer/search head to collect data, the UI is supported on Linux and Solaris platforms only.

If you want to integrate the Splunk Add-on for Check Point OPSEC LEA with the Splunk App for Enterprise Security, follow the instructions in Add a custom technology add-on to an app. We also recommend reviewing the known issues listed in the Splunk App for Enterprise Security Release Notes prior to installation.

To install the Splunk Add-on for Check Point OPSEC LEA:

1. Download the appropriate installation package (.tgz) for your platform from Splunk Apps:

• Splunk Add-on for Check Point OPSEC LEA - Linux
• Splunk Add-on for Check Point OPSEC LEA - Solaris

2. Click Download and accept the terms and conditions of the Splunk license agreement.


3. Log in, if requested, and save the .tgz file to a temporary location.

4. Open Splunk Web.

Note: If you are using Internet Explorer, Splunk Web running locally, http://localhost:8000, must be added as a trusted site, or the UI might not work as expected.

5. Click Apps > Manage Apps.

6. Click the Install app from file button.

7. Browse to the installation package (.tgz) that you downloaded to a temporary location, and click Upload. If you are upgrading from an earlier version of the add-on, check the Upgrade app box. This overwrites the earlier version of the add-on with the newer version.

Note: If you receive an "App name already exists" error when uploading the installation package, check the Upgrade app checkbox and repeat the upload. In most cases, this resolves the error.

8. Click Restart Splunk when prompted, or restart Splunk via the command line, as shown:

./splunk restart

Upgrade the Splunk Add-on for Check Point OPSEC LEA

If you are upgrading from an earlier version of the Splunk Add-on for Check Point OPSEC LEA, you must select the Upgrade app check box in the installation package upload window, prior to uploading the upgrade package (as shown in Step 7 of the "Install the Splunk add-on for Check Point LEA" instructions, above). This overwrites the old version of the add-on with the newer version.

Upgrade from version 1.1

If you are upgrading from the Splunk Add-on for Check Point OPSEC LEA version 1.1, make the following directory updates before continuing to Step 3.

1. Stop Splunk.

2. Copy the $SPLUNK_HOME/etc/apps/splunk_app_opseclea/local and /certs sub-directories as sub-directories of the $SPLUNK_HOME/etc/Splunk_TA_opseclea directory.

3. Edit Splunk_TA_opseclea/local/inputs.conf, replacing all occurrences of splunk_app_opseclea with Splunk_TA_opseclea.

4. Move the entire $SPLUNK_HOME/etc/apps/splunk_app_opseclea directory to the $SPLUNK_HOME/etc/disabled-apps directory.

5. Restart Splunk.

6. Verify that the newly installed Splunk Add-on for Check Point OPSEC LEA works as expected.

Step 3 - Create the OPSEC application

Create the Splunk OPSEC application, if it does not already exist.

1. Login to the Check Point SmartDashboard on the desired CMA.

2. Click the Servers and OPSEC Applications icon.

3. Create a new OPSEC application:

1. Right-click OPSEC Applications.

2. Select New OPSEC Application.

The OPSEC Application Properties dialog appears.

3. In the Name field, type "SplunkLEA". You can use any name but SplunkLEA is recommended by convention.

4. Click the Host field arrow and select the desired Management Server from the list.

5. In the Client Entities window, select the LEA check box.

Step 4 - Create the OPSEC application certificate

Continuing in the SmartDashboard OPSEC Application Properties dialog ...

1. Click the Communication button, in the lower left, to access the Communication dialog.


2. Enter a One-time password and confirm the password.

Important: Save the one-time password in a secure location for your reference. You will need this one-time password when you configure the LEA client.

3. Click Initialize.

4. When initialization completes, click Close. This generates a value in the OPSEC Application Properties DN window. This is the opsec_sic_name. You will need this opsec_sic_name when you configure the LEA client.

5. Click OK to finish creating the "SplunkLEA" application.

6. Confirm that the "SplunkLEA" application is now visible in the OPSEC Applications/OPSEC Application list, in the left panel.

Step 5 - Add firewall rules

Note: This step is only necessary if there are firewalls between the Splunk instance and the management server.

1. Continuing with the SmartDashboard application, click the Rules menu.

2. Select Add Rule followed by Top.

3. In the Service column, click the plus symbol and verify that the FW1_lea and FW1_ica_pull rule settings are correct. Action should be set to accept for both rules.

Step 6 - Install the database

1. In SmartDashboard, click the Policy menu item.

2. Select Install Database.

3. In the Install Database dialog, select the check box for your Management Server.

4. Click OK.

Check Point installs the database.

5. Click Close on successful database installation.


Configure the LEA client

You can configure the LEA client using the command line or the Splunk Add-on for Check Point OPSEC LEA UI.

Note: The Splunk Add-on for Check Point OPSEC LEA is supported on Linux (RHEL/CentOS 5.x and 6.x only) and Solaris SPARC (version 10 or later). The add-on is not supported on Windows. See Prerequisites.

About Log Server IP and Management Server IP assignment

If you have a standard Check Point Provider-1 environment, you must configure an LEA client connection for each Customer Management Add-on (CMA) connected to the Multi-Domain Management Server (MDS). The CMA acts as both Log Server (handling log file collection) and Management Server (issuing the OPSEC application certificate). When you configure the LEA in the UI, you must provide the CMA IP address, where requested, for both Log Server IP and Management Server IP.

If your Provider-1 environment includes the optional Multi-Domain Log Module (MLM), you must configure an LEA client connection for each Customer Log Module (CLM) connected to the Multi-Domain Log Module (MLM). In this case, the CLM acts as the Log Server, while the CMA acts as the Management Server. When you configure the LEA client in the UI, you must provide the CLM IP address, where requested, for the Log Server IP, and the CMA IP, where requested, for the Management Server IP.

Configure the LEA client using the UI

Step 1. Configure connection details

1. Go to Splunk Web at: http://localhost:8000/.

2. Select Apps > Splunk Add-on for Check Point OPSEC LEA (Linux/Solaris10).

The Manage Connections page opens.

3. Click New Connection.

The New Connection configuration window opens.


4. Type a Connection Name. This name must be unique for each connection.

5. Type the Log Server IP address.

For standard MDS (Multi-Domain Server) environments, the Log Server IP is the CMA IP address.

For environments using the optional MLM (Multi-Domain Log Module), the Log Server IP is the CLM IP address.

For standalone environments, the Log Server IP is the Management Server IP address.

6. Accept the default Port number, 18184, unless your local environment uses a different port.

7. In the Version menu, select the firewall version of your Check Point deployment.

8. Type the Destination Index or use the default name. This is the index to which firewall security or firewall audit events are sent.

9. In the Host appears as field, accept the default host name, or enter the Check Point host (CMA name) to which you want to reroute security or audit events.

10. In the Collect menu, select the type of data you want to acquire (firewall event data or firewall audit data).

Note: Collecting both security and audit data requires separate connections.

11. (optional) Select the No-Resolve Mode check box. This specifies the loggrabber --no-resolve argument and prevents object name resolution. For more information on object name resolution, see Splunk Answers.

12. (optional) Select the Online mode check box to enable Check Point's realtime mode. This keeps a single Check Point process running, and prevents the Check Point process from being closed when no new log data is available on the Check Point server. This might help improve performance in cases where data flow is intermittent.

13. Accept the default log extraction Interval of 30 seconds, or enter a new interval.


Note: The lea_loggrabber script runs at 30 second intervals by default. The script connects to the Check Point environment, pulls the logs, and closes the connection. After the connection is closed on the client, the connection might remain open for some time in the TIME_WAIT state. (TIME_WAIT is a protection mechanism in TCP that prevents data loss and corruption by allowing data transmission to continue if necessary to complete data delivery.) To minimize TIME_WAIT after the lea_loggrabber finishes, increase the Interval to a value greater than that returned by: cat /proc/sys/net/ipv4/tcp_fin_timeout (typically 60 seconds).

14. Click Next.

Step 2. Pull OPSEC application certificate

If you already have a certificate:

1. Click I already have a certificate.

2. In the Certificates menu, select your certificate.

If you don't have a certificate:

1. Select I need to get a new certificate.

2. Type the OPSEC App Name, for example SplunkLEA (from Step 3 - Create the Splunk OPSEC application).

3. Type the One-time Password (from Step 4 - Create the OPSEC application certificate).

4. Type the Management Server IP address.

For standard MDS (Multi-Domain Server) environments, the Management Server IP is the CMA IP address.

For environments using the optional MLM (Multi-Domain Log Module), the Management Server IP is the CMA IP address.

5. Click Next.

The certificate is stored in the <opsecAppName>.p12 file.


Note: If you receive an error message, this might be because you are attempting to pull the same certificate for the same Connection Name, using an invalid password or IP address, or the connection to the server is down. For additional error details, see $SPLUNK_HOME/var/log/splunk/web_service.log.

Step 3. Configure SIC Details

1. Type the SIC Name from the SmartDashboard OPSEC Application Properties dialog DN window (from Step 4 - Create the OPSEC application certificate).

2. Type the Entity SIC Name of the stand-alone Check Point Manager, the Provider-1 Customer Log Module (CLM), or the Provider-1 Customer Management Add-on (CMA). (Consult your Check Point administrator.)

To acquire the Entity SIC Name:

1. Open GuiDBedit (the Check Point Database Tool).

2. Go to Tables > Network Objects > network object (at left).

A list of network objects opens (at right).

3. Click the network object (for example, opsec-fw1-r7540) in the list.

A list of object attributes appears (at bottom).

4. Scroll down the list to find the sic_name field (near the end of the list), or search for the sic_name field. The sic name will look similar to this:

CN=cn=cp_mgmt,o=opsec-p1-r7540-test-env-domain1_management_server..pj7ux4.

Note: The process for acquiring the entity SIC name is described in detail on Splunk Answers.

3. Click Submit.

4. Verify that Splunk is indexing your Check Point data, by executing a search on the source type.


Configure the LEA client using the command line

You can configure the LEA client using the command line, as follows:

Step 1. Pull the OPSEC application certificate

1. Go to $SPLUNK_HOME/etc/apps/Splunk_TA_opseclea_linux22/bin.

2. Run the pull-cert.sh script to pull the certificate from the Management Server.

./pull-cert.sh <CMA_IP> <OPSEC_app_name> <password> <outputFileName.p12>

For example:

./pull-cert.sh 10.160.27.253 SplunkLEA <password> newFile.p12

Parameters:

• -h = CMA IP address
• -n = OPSEC Application name (for example, "SplunkLEA")
• -p = One-time password (activation key) specified in Step 4 - Create the OPSEC application certificate.

Note: The password must not include any of the following special characters: exclamation (!), accent circumflex (^), tilde (~), accent grave (`), quotation ("), and apostrophe (').

• -o = Output file (*.p12) containing the application DN name as defined in the Management Server. The default file name is opsec.p12 but you can use any name, unique for each CMA.

The command returns an opsec_sic_name, for example:

[CN=SplunkLEA, O=opsec-p1-R7540-demo_Management_Server...3tvqd0]

Important: Save the opsec_sic_name because you will need to enter it when you edit the opsec.conf configuration file.

3. View the current directory to confirm that <outputFileName>.p12 has been created.


Step 2. Edit opsec.conf

1. Go to $SPLUNK_HOME/etc/apps/Splunk_TA_opseclea_linux22/local/opsec.conf.

Note: You might need to create local/opsec.conf if it does not yet exist in your $SPLUNK_HOME/etc/apps/Splunk_TA_opseclea_linux22 directory:

mkdir local
cd local
touch opsec.conf

2. Append a new domain name (typically by cutting and pasting an existing domain name). For example:

[r75.4test]

3. Enter the opsec_sic_name.

4. Enter the opsec_entity_sic_name from Check Point. For instructions on how to acquire the entity_sic_name, see Configure SIC Details, above.

5. Enter the opsec_sslca_file name, which is the generated .p12 file name.

This example shows a domain entry with all required fields:

[SplunkRESTName]
collect_audit = 0
fw_version = 75.40
is_disabled = 0
lea_server_auth_port = 18184
lea_server_auth_type = sslca
lea_server_ip = 10.160.27.249
opsec_entity_sic_name = cn=cp_mgmt,o=opsec-p1-r7540-test-env-domain1_management_server..pj7ux4
opsec_sic_name = CN=SplunkLEA,O=opsec-p1-R7540-test-env-domain1_Management_Server..pj7ux4
opsec_sslca_file = ../certs/p1-r7540-test1.p12

Important: The is_disabled parameter controls the connection state. Set the parameter value to 1 to disable the connection or 0 to enable the connection. This parameter also determines the connection state displayed in the UI, and must agree with the disabled parameter value in the inputs.conf file, below.

6. Restart Splunk, using either the ./splunk restart command or http://<host>:<port>/en-US/debug/refresh in the browser address bar.


7. View the new opsec.conf domain configuration:

https://<host>:<managementPort>/servicesNS/nobody/Splunk_TA_opseclea_linux22/opsec/opsec_conf

login: admin/<password>

find <yourNewDomain>

8. Copy .../opsec-tools/<filename>.p12 to the /certs directory.

9. Create the inputs.conf file in the $SPLUNK_HOME/etc/apps/Splunk_TA_opseclea_linux22/default directory.

10. In inputs.conf, add a scripted input stanza. For example:

[script:///home/admin/splunk6.0/splunk/etc/apps/Splunk_TA_opseclea_linux22/bin/lea-loggrabber.sh --configentity SplunkRESTName]
disabled = false
interval = 30
passAuth = admin
sourcetype = opsec

SplunkRESTName (the --configentity argument) must match the name of the entry in the opsec.conf file. Because the connection state displayed in the UI is determined by the opsec.conf connection state, the inputs.conf disabled state must match the opsec.conf is_disabled state, above.
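The following script is an added example, not part of the add-on: it parses an opsec.conf and an inputs.conf of the shape shown in Step 2 and reports the mismatches this section warns about (a --configentity with no matching opsec.conf stanza, an inputs.conf disabled value that disagrees with is_disabled, an auth type other than sslca, and an interval that is not greater than tcp_fin_timeout). The sample .conf text is constructed from the manual's example stanzas, and the /opt/splunk script path is assumed.

```python
"""Consistency check for Splunk_TA_opseclea opsec.conf and inputs.conf stanzas.

Added example, not part of the add-on. The sample .conf contents below are
constructed from the manual's example stanzas; the /opt/splunk path is assumed.
"""
import configparser
import re

# Constructed sample: the opsec.conf domain entry shown in Step 2 - Edit opsec.conf.
SAMPLE_OPSEC_CONF = """\
[SplunkRESTName]
collect_audit = 0
fw_version = 75.40
is_disabled = 0
lea_server_auth_port = 18184
lea_server_auth_type = sslca
lea_server_ip = 10.160.27.249
opsec_entity_sic_name = cn=cp_mgmt,o=opsec-p1-r7540-test-env-domain1_management_server..pj7ux4
opsec_sic_name = CN=SplunkLEA,O=opsec-p1-R7540-test-env-domain1_Management_Server..pj7ux4
opsec_sslca_file = ../certs/p1-r7540-test1.p12
"""

# Constructed sample: the scripted input stanza that references that entry.
SAMPLE_INPUTS_CONF = """\
[script:///opt/splunk/etc/apps/Splunk_TA_opseclea_linux22/bin/lea-loggrabber.sh --configentity SplunkRESTName]
disabled = false
interval = 30
passAuth = admin
sourcetype = opsec
"""

REQUIRED_OPSEC_KEYS = (
    "lea_server_ip", "lea_server_auth_port", "lea_server_auth_type",
    "opsec_sic_name", "opsec_entity_sic_name", "opsec_sslca_file", "is_disabled",
)


def parse_conf(text):
    """Parse Splunk .conf text. Only '=' separates key and value, because the
    SIC names on the right-hand side contain '=' themselves (cn=..., o=...)."""
    cp = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    cp.optionxform = str  # keep key case (passAuth, etc.)
    cp.read_string(text)
    return cp


def is_true(value):
    """Splunk accepts 0/1 and true/false for boolean settings."""
    return value.strip().lower() in ("1", "true", "t", "yes", "y")


def check_connections(opsec_text, inputs_text, tcp_fin_timeout=None):
    """Return a list of findings; an empty list means the two files agree.

    tcp_fin_timeout is the kernel value in seconds (see read_tcp_fin_timeout);
    pass None to skip the TIME_WAIT interval check."""
    opsec = parse_conf(opsec_text)
    inputs = parse_conf(inputs_text)
    findings = []
    for section in inputs.sections():
        if "lea-loggrabber.sh" not in section:
            continue  # not one of the add-on's scripted inputs
        match = re.search(r"--configentity\s+(\S+)", section)
        if not match:
            findings.append(f"{section}: no --configentity argument")
            continue
        entity = match.group(1)
        if not opsec.has_section(entity):
            findings.append(f"{entity}: referenced by inputs.conf but missing from opsec.conf")
            continue
        stanza = opsec[entity]
        for key in REQUIRED_OPSEC_KEYS:
            if key not in stanza:
                findings.append(f"{entity}: opsec.conf is missing {key}")
        auth = stanza.get("lea_server_auth_type", "")
        if auth.lower() != "sslca":
            findings.append(f"{entity}: lea_server_auth_type is '{auth}'; only sslca is supported")
        cert = stanza.get("opsec_sslca_file", "")
        if not cert.endswith(".p12"):
            findings.append(f"{entity}: opsec_sslca_file '{cert}' is not a .p12 file")
        # The UI shows the opsec.conf state, so the two flags must agree.
        in_disabled = is_true(inputs[section].get("disabled", "false"))
        op_disabled = is_true(stanza.get("is_disabled", "0"))
        if in_disabled != op_disabled:
            findings.append(f"{entity}: inputs.conf disabled={in_disabled} but "
                            f"opsec.conf is_disabled={op_disabled}")
        # Each run opens and closes a TCP connection; an interval no larger than
        # tcp_fin_timeout leaves closed sockets piling up in TIME_WAIT.
        interval = int(inputs[section].get("interval", "30"))
        if tcp_fin_timeout is not None and interval <= tcp_fin_timeout:
            findings.append(f"{entity}: interval {interval}s is not greater than "
                            f"tcp_fin_timeout {tcp_fin_timeout}s")
    return findings


def read_tcp_fin_timeout(path="/proc/sys/net/ipv4/tcp_fin_timeout"):
    """Return the kernel FIN timeout in seconds, or None where it cannot be read."""
    try:
        with open(path) as fh:
            return int(fh.read().strip())
    except (OSError, ValueError):
        return None


if __name__ == "__main__":
    for line in check_connections(SAMPLE_OPSEC_CONF, SAMPLE_INPUTS_CONF,
                                  read_tcp_fin_timeout()) or ["OK: files agree"]:
        print(line)
```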

Note: For information on setting the lea_loggrabber Interval to minimize TIME_WAIT, see step 13 of Configure connection details above.

The script connects to the Check Point environment, pulls the logs, and closes the connection. After the connection is closed on the client, the connection might remain open for some time in the TIME_WAIT state. To minimize TIME_WAIT after the lea_loggrabber finishes, increase the Interval parameter to a value greater than that returned by: cat /proc/sys/net/ipv4/tcp_fin_timeout (typically 60 seconds on Linux).

Note: You can modify opsec.conf to enable or disable TCP Nagle, which in some cases might improve network efficiency. For instructions, see TCP Nagle in the "Manage Connections" topic in this manual.

Note: You can modify opsec.conf to adjust the client connection buffer size, which might help improve performance under high load conditions. For instructions, see Connection buffer size in the "Manage Connections" topic in this manual.

Step 3. Verify that trust state is established

1. Open the Check Point SmartDashboard.

2. Click the Servers and OPSEC Applications icon.

3. Expand the OPSEC Applications and OPSEC Application lists.

4. Double-click the SplunkLEA application name.

5. Click the Communication button and verify that Trust state is now set to Trust established. (Older Check Point versions may only display the Customer Name.)

Additional configuration steps

Warning: We strongly recommend that you do not modify fw1-loggrabber options in the fw1-loggrabber.conf file. Changing options can cause REST conflicts.

Set log record checkpoint value (optional)

In networks with a large latency and the possibility that the connection could be lost before all log record data are committed to Splunk, loggrabber might need to retrieve lost records from the log position of the last checkpoint.

By default, the Splunk Add-on for Check Point OPSEC LEA commits log records after every 10,000 records are received, so there are never more than 10,000 records outstanding. You can change the default checkpoint value to match your network latency by modifying the SPLUNK_REST_STATUS_COMMIT value in the fw1-loggrabber.conf file.

Filtering log data

You can specify the type of log data you want to collect by manually editing $SPLUNK_HOME/etc/apps/Splunk_TA_opseclea_linux22/bin/fw1-loggrabber.conf.

For detailed information about configuring log data collection, see the fw1-loggrabber manpage. In the CONFIGURATION FILE section, see the FW1_FILTER_RULE and AUDIT_FILTER_RULE property descriptions, which refer to examples in the FILTERING section.


About Management High Availability

The Splunk Add-on for Check Point OPSEC LEA does not support and has not been tested with Check Point Management High Availability (HA).

In case of failover:

If the log server is on a different machine than the Management server, such as in a Multi-Domain Management Server (Provider-1) environment, the add-on should work without user interaction.

If the log server is on the same machine as the Management server, then you must update the log server IP address for the LEA connection inside the add-on with the new active Management server IP address. For instructions, see Configure the LEA Client using the UI above.

Important: The opsec_pull_cert script must be run against the currently active Management server. If it is not, an opsec err=-86 error appears.

Note: Depending on how far back the new active Management server was out-of-sync, you might need to recreate the OPSEC application, or you might experience missing log entries. See Create the OPSEC application.


Manage Connections

Manage connections

The Splunk Add-on for Check Point OPSEC LEA includes features to help you manage your Check Point connections.

• Connection metrics: View data throughput in events per second (eps) for each OPSEC LEA connection. View time of last connection.

• Online mode: Check Point's real-time mode. Keeps the individual Check Point process running for a connection and prevents intermittent Check Point process restarts.

• Network connection options in opsec.conf:
  - Enable/disable TCP Nagle.
  - Adjust connection buffer size.

• Connections display filter: Filters the display of connections on the Manage Connections page by name, IP address, and firewall version. Useful for large environments, which might include hundreds of Check Point connections.

Monitor Connection Metrics

The Splunk Add-on for Check Point OPSEC LEA lets you monitor connection metrics for multiple OPSEC LEA connections simultaneously. Expand any connection panel on the Manage Connections page to view the event throughput (events per second) over that specific connection.

Monitoring connection throughput can help you identify system issues, and respond proactively.

For example, unexpectedly low throughput could indicate a network bottleneck or an issue with your Check Point environment. Unexpectedly high throughput might indicate that you need to add Splunk indexers to your deployment, to avoid load conditions that can cause system latency. See "Indexer requirements".

1. In Splunk Web, go to Apps > Splunk Add-on for Check Point OPSEC LEA.

The Manage Connections page opens.


2. Click on the arrow at left of the connection you want to view.

The panel expands, showing event throughput in events per second (eps) over the last 15 minutes and last 24 hours.

Online mode

The Splunk Add-on for OPSEC LEA lets you enable the Check Point Online mode. This keeps the individual Check Point process running for a connection, and prevents the process from being closed when no new log data is available on the Check Point server. Online mode might improve performance in cases where data flow from Check Point is intermittent.

To enable Online mode, select the Online mode check box when you configure the LEA client connection.

Caution: When migrating to version 2.1: Enabling Online mode immediately after upgrade might cause gaps in your data. This occurs because online mode collects new incoming logs only. It does not perform log look back. Therefore any data stored during the upgrade process is not pulled into Splunk. We recommend that you do not enable online mode until after all log data generated during the upgrade period is indexed. See known issue (OPSEC-208).

Network connection options in opsec.conf

TCP Nagle

The Splunk Add-on for OPSEC LEA lets you disable TCP Nagle, which in some cases can improve TCP/IP network efficiency by eliminating the negative interaction between Nagle's algorithm and Delayed ACK.

1. Go to $SPLUNK_HOME/etc/apps/Splunk_TA_opseclea_linux22/local/opsec.conf.

2. In opsec.conf, append the following key-value pair to the connection domain:

no_nagle=1

Connection buffer size

In some cases, increasing the connection buffer size might improve data throughput. You can adjust the connection buffer size in opsec.conf, as follows:


1. Go to $SPLUNK_HOME/etc/apps/Splunk_TA_opseclea_linux22/local/opsec.conf.

2. In opsec.conf, append the following key-value pair to the connection domain:

conn_buf_size=<number_in_bytes>

Manage Indexer capacity

An insufficient number of indexers can negatively impact performance and introduce latency into your system. To determine the indexer requirements of your Splunk Add-on for Check Point OPSEC LEA deployment, see "Indexer requirements" in the Hardware requirements section of this manual.


Terminology

Terminology

CLM

Customer Log Module. The CLM is a log server for a single Customer. Through the CLM, an administrator can view events that occur on the firewall policy. Each CLM is contained in a Multi-Domain Log Module (MLM).

CMA

Customer Management Add-On. A Check Point FW-1 management server where customer-specific security policies are defined.

Customer

A Customer is the unit that subscribes to a Check Point firewall.

FW-1

Firewall-1. A Check Point firewall instance that provides gateway security and identity awareness.

LEA

Log Export API. LEA is the Check Point OPSEC API for accessing FW-1 firewall log data. The Splunk Add-on for Check Point OPSEC LEA extends the open source FW-1-loggrabber tool, using the LEA to collect raw log data.

MDS

Multi-Domain Server. The MDS stores Provider-1 system information, including details of the Provider-1 deployment, its administrators, and Customer management information.

Multi-Domain Security Management

See Provider-1 (below).


MLM

Multi-Domain Log Module. A special Multi-Domain Server (MDS) that is dedicated to collecting and storing log data. The MLM is a container for Customer Log Modules (CLMs).

OPSEC

Open Platform for Security. The Check Point OPSEC is an open management framework for managing network security. The Splunk Add-on for Check Point OPSEC LEA uses the LEA to extend OPSEC and provide network security monitoring and visualization.

Provider-1

Provider-1 is Check Point's Multi-Domain Security Management product. You can use Provider-1 to segment security management of complex network operations (which might involve thousands of customers), into multiple separate virtual domains, based on geography, business unit, security function, or other logical grouping.

Smart Domain Manager

The Smart Domain Manager is a GUI for managing a Provider-1 instance. This was previously called the Multi Domain GUI (MDG).

SmartConsole

The SmartConsole (also called SmartDashboard) is a Windows-based GUI that lets you create global policy rules for a firewall or groups of firewalls.

SmartDashboard

See SmartConsole (above).


Troubleshooting

Set debug logging level

To enable debugging, add debug directives to the following files, which are located in the $SPLUNK_HOME/etc/apps/splunk_TA_opseclea/bin directory.

pull_cert.sh

For pull-cert issues, add the following line to the pull_cert.sh script:

export TDERROR_ALL_ALL=5

Additionally, enable opsec_pull_cert debugging by adding the -d argument, as described in How to use the opsec_pull_cert command.

lea-loggrabber.sh

For log collection issues, use the lea-loggrabber-debug.sh script from the command line; this is a debug variant of the lea-loggrabber.sh script.

View debug logs

Note: See What Splunk logs about itself for a general description of Splunk error logging.

UI messages

With debugging enabled, error messages are logged to the $SPLUNK_HOME/var/log/splunk/web_service.log file.

Note: Log entries for splunk_TA_opseclea display as <string>:nn, instead of listing the OPSEC LEA controller name. This is a known bug.

Loggrabber messages

Splunk Add-on for Check Point OPSEC LEA loggrabber messages are logged to the $SPLUNK_HOME/var/log/splunk/splunkd.log file.


Run lea-loggrabber manually

Warning: Use lea-loggrabber with caution. Some fw1-loggrabber options can cause REST conflicts.

Manually running lea-loggrabber can be a useful debugging tool.

Note: For Check Point server authentication to work, make sure your environment $HOME directory is writable.

1. Set the SPLUNK_TOK environment variable to the authorization key:

SPLUNK_TOK=$<auth_key>
export SPLUNK_TOK

2. Run the lea-loggrabber-debug.sh debugger script:

lea-loggrabber-debug.sh --configentity <entity_name>

You can also add the debug level argument to the lea-loggrabber invocation in the lea-loggrabber.sh script: --debug-level 3.

Basic Check Point debugging

You might find it helpful to review the Check Point Troubleshooting and Debugging Tools for Faster Resolution document to debug issues external to the Splunk LEA client.

Enabling and disabling Check Point debugging

To enable debugging on the Check Point Management Server, enter the following commands:

1. % fw debug fwm on TDERROR_ALL_ALL=5
2. % fw debug fwm on OPSEC_DEBUG_LEVEL=9
3. % fw debug fwd on TDERROR_ALL_ALL=5
4. % fw debug fwd on OPSEC_DEBUG_LEVEL=9

To disable Check Point debugging, enter the following commands:

1. % fw debug fwm off TDERROR_ALL_ALL=1
2. % fw debug fwm off OPSEC_DEBUG_LEVEL=1
3. % fw debug fwd off TDERROR_ALL_ALL=1
4. % fw debug fwd off OPSEC_DEBUG_LEVEL=1

The Check Point debug logs are located in the $FWDIR/log/fwm.elg* and $FWDIR/log/fwd.elg* files.
