LEA 2.1.1
Installation and Configuration Manual
Generated: 11/04/2014 6:30 am
Table of Contents
Introduction..........................................................................................................1
About the Splunk Add-on for Check Point OPSEC LEA...........................1
New to Splunk...........................................................................................2
How this add-on fits into the Splunk picture..............................................5
How to get support and learn more about Splunk.....................................6
Before you deploy................................................................................................7
Deployment Architecture...........................................................................7
Prerequisites.............................................................................................9
Hardware requirements...........................................................................11
What data does the add-on collect?........................................................13
Set up lea_loggrabber..............................................................................15
Set up forwarder......................................................................................17
Set up SSLCA authentication..................................................................17
Installation checklist..........................................................................................19
Installation Checklist...............................................................................19
Deploy the add-on..............................................................................................21
Install the Splunk Add-on for Check Point OPSEC LEA.........................21
Configure the LEA client.........................................................................26
Manage Connections.........................................................................................35
Manage connections...............................................................................35
Terminology.......................................................................................................38
Terminology............................................................................................38
Troubleshooting.................................................................................................40
Set debug logging level...........................................................................40
View debug logs......................................................................................40
Run lea-loggrabber manually..................................................................41
Basic Check Point debugging.................................................................41
Introduction
About the Splunk Add-on for Check Point OPSEC LEA
The Splunk Add-on for Check Point OPSEC LEA lets you collect and analyze
firewall logs and audit logs from Check Point standalone FW-1 firewalls, standard
Multi-Domain Security Management (Provider-1) environments, and Provider-1
environments using the Multi-Domain Log Module (MLM).
The add-on uses the Check Point Log Export API (LEA) along with a customized
Splunk lea-loggrabber utility to poll your Check Point servers and collect log
data.
The Splunk Add-on for Check Point OPSEC LEA installation package includes
all of the files required to install and run the add-on on Linux (RHEL/CentOS 5.x
or 6.x only) or Solaris SPARC (version 10 or later).
You can download the package from Splunk Apps, then install the add-on
manually on your Splunk Enterprise deployment. Or install the add-on from the
Apps menu inside Splunk Web.
Feature Summary
The Splunk Add-on for Check Point OPSEC LEA includes these features:
Facilitates near-real-time log data analysis to help detect anomalous
behavior and maintain regulatory standards compliance.
Includes a UI to simplify Check Point data collection configuration.
Monitors firewall administrative activity.
Displays event throughput metrics for monitoring connection and system
health.
Hides the complexity of data collection from multiple firewalls in a single
technology add-on instance.
New to Splunk
If this is the first time you have used Splunk, then read on. This topic introduces
the most important Splunk concepts you need to understand when installing and
using Splunk apps.
Splunk basics
Splunk is a software platform that accepts data from many different sources,
such as files or network streams. Splunk stores a unique copy of this data in
what's called an index. Once the data is there, you can connect to Splunk with
your web browser and run searches across that data. You can even make
reports or graphs on the data, right from within the browser.
You can extend Splunk's capability by installing apps. Splunk apps come with
searches, reports, and graphs about specific products that are common to most
IT departments. These searches, reports, and graphs reduce the amount of time
it takes to glean real value from installing and running the Splunk platform.
Before you can really understand how Splunk apps work, you should understand
how Splunk works. Fortunately, we've got you covered in that respect.
If you're new to Splunk, then the best place to learn more about it is in the Search
Tutorial. It helps you learn what Splunk is and what it does, as well as what you
need to run it and get step-by-step walk-throughs on how to set it up, get data
into it, search with it, and create reports and dashboards on it.
Licensing
The next thing you want to learn about is Splunk's licensing model. Splunk
charges you based on the amount of data you index. The licensing introduction
from the Admin Manual is a great place to start learning about how licenses
work. You can also find out the types of licenses that are available, how to install,
remove, and manage them, and what happens when you go over your license
quota.
In the context of Splunk apps, the amount of licensing capacity you need
depends on how each app defines the individual data inputs that it uses. Splunk
apps use inputs to tell Splunk what data it needs to collect for the app's purpose.
Some apps, such as the Splunk App for Enterprise Security, collect a lot of data,
which your license must cover in order for you to be able to search that data
without interruption. When planning for your app, make sure you include enough
licensing capacity.
Configuration
Much of Splunk's extensibility is in how configurable it is. You must configure
Splunk before it can collect data and extract knowledge. All Splunk apps use
configuration files to determine how to collect, transform, display, and provide
alerts for data. The Admin Manual shows you how to configure those files and
includes a reference topic for each configuration file that Splunk uses. In some
cases, you can also use Splunk Web or the CLI to make changes to a Splunk
app's configuration.
Splunk also uses configuration files to configure itself. When Splunk initializes, it
finds all of the configuration files located in the Splunk directory and merges them
to build a final "master" configuration, which it then runs on. When you install a
What's next?
From this point, you are ready to plan your app deployment. Continue reading for
information about how this app fits into the Splunk picture, platform and hardware
requirements, and other deployment considerations.
Splunk App for PCI Compliance: See Install technology add-ons. Make
sure to review the Known Issues described in the PCI Release Notes.
For more information about Splunk apps and add-ons, see "What are apps and
add-ons?" in the Splunk Admin Manual.
Learn more
This list includes a variety of resources available to help you learn more about
Splunk and the Splunk Add-on for Check Point OPSEC LEA.
The core Splunk documentation
Splunk Answers
The #splunk IRC channel on EFNET:
http://www.splunk.com/view/SP-CAAACDF
Download the Splunk Add-on for Check Point OPSEC LEA:
http://apps.splunk.com/app/263
Documentation (OPSEC LEA specific):
http://docs.splunk.com/Documentation/OPSEC-LEA
Questions and answers (OPSEC LEA specific):
http://answers.splunk.com/tags/?q=opsec
General Splunk support: http://www.splunk.com/support
How it works
The Splunk Add-on for Check Point OPSEC LEA communicates with the Check
Point environment to retrieve log records, using the Check Point Log Export API
(LEA). The lea-loggrabber utility implements the client side of the LEA protocol.
The Splunk version of lea-loggrabber is derived from the commonly used
FW1-Loggrabber.
Collected Check Point log data is forwarded to Splunk indexers and, eventually,
a search head for creating Splunk knowledge objects. The Splunk Add-on for
Check Point OPSEC LEA integrates with other apps and add-ons, including the
Splunk App for Enterprise Security (ES). When the ES application is installed, its
traffic and access/audit dashboards are populated with Check Point log data.
This figure shows the Check Point and Splunk Add-on for Check Point OPSEC
LEA communication paths for configuration and for transferring log data, in a
standard Multi-Domain Server (MDS) Provider-1 environment:
Callout description:
The Splunk Add-on for Check Point OPSEC LEA is installed on your Splunk
forwarder, indexer, and search head, as applicable:
The Splunk Add-on for Check Point OPSEC LEA periodically polls the Check
Point server, using the lea-loggrabber utility (LEA), to collect security
and audit log records.
Log data is transmitted to the Splunk Add-on for Check Point OPSEC LEA
in response to lea-loggrabber requests.
Prerequisites
General system requirements for installing and running Splunk applications are
covered in the System Requirements section of the Splunk Enterprise Installation
Manual.
Linux
RHEL/CentOS 5.x or 6.x. No other Linux distributions are supported.
Linux kernel version 2.6.x or later (x86_64).
Bash, version 3 or later. If you are using an earlier version of Bash, edit
the lea-loggrabber.sh script to pass the application name instead of
using the BASH_SOURCE environment variable. See "Set up
lea_loggrabber".
GNU C library (glibc.i686 32-bit). Install using yum install glibc.i686
PAM shared libraries (pam.i686 32-bit). Install using yum install
pam.i686.
Solaris
Solaris SPARC version 10 or later.
File systems
Linux: ext2/3/4, reiser3, XFS, NFS 3/4
Solaris: NFS 3/4
For more information on Splunk supported file systems, see "Supported file
systems" in the Splunk Enterprise Installation Manual.
Supported browsers
The Splunk Add-on for Check Point OPSEC LEA version 2.1 supports these
browsers:
Chrome (latest)
Safari (latest)
Firefox (latest) (version 10.x is not supported)
Internet Explorer 9 or later. Internet Explorer 9 is not supported in
compatibility mode.
Splunk licensing
Splunk licenses are based on the amount of data stored by your Splunk indexers
per day. For detailed information, see "How Splunk licensing works."
Other prerequisites
For Check Point server authentication to work, the $HOME directory of the Linux
account that Splunk runs as must be writable by that account.
Hardware requirements
Before installing the Splunk Add-on for Check Point OPSEC LEA, make sure that
your underlying Splunk Enterprise deployment meets the requirements specified
in "Introduction to capacity planning for Splunk Enterprise" in the Splunk
Enterprise Capacity Planning Manual.
For details on Splunk component performance specifications and reference
hardware requirements, see "Reference hardware" in the Splunk Enterprise
Installation Manual.
For recommendations on scaling your Splunk Enterprise deployment for your
specific performance requirements, see the "Performance questionnaire" in the
Splunk Enterprise Installation Manual.
Note: Reference hardware recommendations refer only to the Splunk Enterprise
deployment on which your Splunk Add-on for Check Point OPSEC LEA runs.
Depending on the throughput of your OPSEC LEA connections, additional
indexer capacity might be required. See Indexer requirements.
polls the Check Point environment for log data at default intervals of
30 seconds, using lea-loggrabber;
and provides a UI to configure the Splunk/Check Point interface.
Indexer: Indexers receive and index Check Point log data sent from the
Splunk forwarder. Indexers provide index time settings for Check Point
firewall and audit data. To avoid load conditions that can introduce
latency, make sure that your Splunk Enterprise deployment includes
sufficient indexer capacity. See Indexer requirements.
Search head: The search head is where you perform search and analysis
operations on your Check Point log data. Search Heads provide search
time knowledge for field extractions and event types.
Forwarders must be installed on Linux (RHEL/CentOS 5.x and 6.x) or Solaris
SPARC (version 10 or later) hosts only. Search head and indexers can be
installed on any Splunk Enterprise compatible operating system.
Note: Data collection on search heads or indexers is not recommended for larger
deployments.
For more information about Splunk components, see "Components of a Splunk
Enterprise deployment" in the Splunk Enterprise Capacity Planning Manual.
Indexer requirements
It is important that your Splunk Add-on for Check Point OPSEC LEA deployment
includes sufficient indexer capacity to handle the incoming load. An insufficient
number of indexers can negatively impact performance and introduce latency
into your system.
Follow these steps, and refer to the chart below, to determine your indexer
requirements:
1. Determine the average eps (events per second) of all combined OPSEC LEA
connections. You can run a Splunk search to find this. For example:
source=*my_connection* | bin _time span=1s | stats count as eps by _time | stats avg(eps)
(Binning _time into one-second buckets keeps the count per second even when
event timestamps carry sub-second precision.) You can run this search by
sourcetype (sourcetype="opsec"), per source (as shown above), or across all of
your connections. To get a useful baseline sample, run the search across peak
hours of the previous day, for several consecutive days.
2. If the total average eps from all combined OPSEC LEA connections exceeds
13k eps, add one additional indexer to your deployment for each 13k eps
increment.
Total events per second (eps)    Additional indexers (one per 13k eps increment, per the rule above)
13k-26k eps                      1
26k-39k eps                      2
39k-52k eps                      3
For more information on Splunk indexers, see "How indexing works" in the
Managing Indexers and Clusters manual.
Important: These indexer requirements are in addition to the processing
requirements of your Splunk Enterprise deployment on which this add-on runs.
For more information on Splunk Enterprise requirements, see the Capacity
Planning manual.
The lea-loggrabber utility polls the Check Point logs every thirty seconds, by
default. The polling period is configurable. The Splunk client application tracks
the position of the last Check Point log it received. If for some reason it cannot
retrieve logs from the server, it begins record collection where it last left off after
communication is restored.
Sourcetype
The Splunk Technology Add-on for Check Point OPSEC LEA assigns one of the
following sourcetypes to the key-value-pair events it collects:
opsec: firewall security data (the default for firewall event connections).
opsec_audit: audit/account data (the default for audit connections).
(user-defined): a custom sourcetype that you associate with the key-value-pair
events.
The desired sourcetype is selected, or specified, in the UI.
Note: Splunk recommends that you use the default audit log sourcetype name,
opsec_audit. If you change the sourcetype, you must also edit the props.conf
file in $SPLUNK_HOME/etc/apps/Splunk_TA_opsec/local to correctly set Splunk
processing properties, such as field extractions and linebreaking.
For more information about sourcetype, see:
Splexicon > sourcetype
Getting Data In
Set up lea_loggrabber
For information on lea_loggrabber configuration, see fw1-loggrabber manpage.
Note: In the manpage CONFIGURATION FILE section (fw1-loggrabber.conf),
the FW1_FILTER_RULE option does not work. See Known issues.
Warning: We strongly recommend that you do not modify fw1-loggrabber
options in the fw1-loggrabber.conf file. Changing these options can cause
REST conflicts.
Bash version
If you are using a version of Bash older than version 3, edit the
lea-loggrabber.sh script to pass the application name explicitly instead of
deriving it from the BASH_SOURCE shell variable:
1. Go to $SPLUNK_HOME/etc/apps/Splunk_TA_opseclea/bin.
2. Edit lea-loggrabber.sh so that the script is invoked with the application
name as an argument: ./lea-loggrabber.sh "$@" --appname Splunk_TA_opseclea
Note: This applies to Linux environments only.
Set up forwarder
For most use cases, we recommend that you install the Splunk Add-on for Check
Point OPSEC LEA on a Splunk forwarder. You can install the add-on on a light
forwarder or heavy forwarder, but not a universal forwarder.
If you install the Splunk Add-on for OPSEC LEA on a forwarder, make sure that
Splunk Web is enabled so that the configuration UI can run, by setting the
startwebserver variable in the forwarder app's web.conf
($SPLUNK_HOME/etc/apps/<forwarderType>/default/web.conf; an override placed in
that app's local/web.conf takes precedence over default/ and is not overwritten
when the app is upgraded):
[settings]
startwebserver = 1
Note: To run the Splunk Add-on for Check Point OPSEC LEA, the forwarder
must be installed on either a Linux (RHEL/CentOS 5.x or 6.x only) or Solaris
SPARC (version 10 or later) operating system.
2. Confirm that the fwopsec.conf file has no entries related to LEA server.
3. Confirm that the sic_policy.conf file has the following default entries for #LEA:
#LEA:
ANY ; ANY ; 18184 ; fwn1_opsec ; fwn1, local_ipcheck
4. If you have made changes to either file, restart the server or CMA:
cpstop
cpstart
Installation checklist
Installation Checklist
Use this checklist to verify your installation process. Each item links to detailed
information about how to perform the required step.
Preliminary steps
Verify that the system running your Splunk instance meets the minimum
requirements.
(Linux-only) Set up lea_loggrabber.
Set up forwarder(s), if applicable.
Set up SSLCA authentication.
Basic steps
Download and install Splunk.
Download and install the Splunk Add-on for Check Point OPSEC LEA for your
operating system.
Verify LEA settings. Create the Splunk OPSEC application, if necessary.
Create the OPSEC application certificate, adding SplunkLEA to the OPSEC
Application list.
If there are firewalls between Splunk and the management server, add new
firewall rules.
Install the database.
Configure the LEA client via the Splunk Add-on for OPSEC LEA UI or via command line.
Connect to the Management Server (FW-1), or CMA or CLM (Provider-1).
Follow-up steps
Verify that Splunk is indexing data.
If you need to debug a problem, set the debug logging level.
Set the log record checkpoint value for networks with large latency.
5. To download and install the Splunk Add-on for Check Point OPSEC LEA using
Splunk Web, first start Splunk:
./splunk start
For a new installation, you must add the --accept-license argument to accept
the license agreement:
./splunk start --accept-license
For information covering other installation use cases, see the step-by-step
installation instructions.
Step 2 - Install the Splunk Add-on for Check Point OPSEC LEA
Splunk provides separate installation packages (.tgz) for Linux and Solaris
platforms:
Linux: splunk-add-on-for-check-point-opsec-lea-linux_204.tgz
Solaris: splunk-add-on-for-check-point-opsec-lea-solaris_204.tgz
For most use cases, we recommend that you install the appropriate package for
your platform on a Splunk forwarder (light forwarder or heavy forwarder only).
While you can install the Splunk Add-on for Check Point OPSEC LEA on a
Windows indexer/search head to collect data, the UI is supported on Linux and
Solaris platforms only.
If you want to integrate the Splunk Add-on for Check Point OPSEC LEA with the
Splunk App for Enterprise Security, follow the instructions in Add a custom
technology add-on to an app. We also recommend reviewing the known issues
listed in the Splunk App for Enterprise Security Release Notes prior to
installation.
To install the Splunk Add-on for Check Point OPSEC LEA:
1. Download the appropriate installation package (.tgz) for your platform from
Splunk Apps:
Splunk Add-on for Check Point OPSEC LEA - Linux
Splunk Add-on for Check Point OPSEC LEA - Solaris
2. Click Download and accept the terms and conditions of the Splunk license
agreement.
3. Log in, if requested, and save the .tgz file to a temporary location.
4. Open Splunk Web.
Note: If you are using Internet Explorer, Splunk Web running locally,
http://localhost:8000, must be added as a trusted site, or the UI might not
work as expected.
5. Click Apps > Manage Apps.
6. Click the Install app from file button.
7. Browse to the installation package (.tgz) that you downloaded to a temporary
location, and click Upload. If you are upgrading from an earlier version of the
add-on, check the Upgrade app box. This overwrites the earlier version of the
add-on with the newer version.
Note: If you receive an "App name already exists" error when uploading the
installation package, check the Upgrade app checkbox and repeat the upload
again. In most cases, this will resolve the error.
8. Click Restart Splunk when prompted, or restart Splunk via the command line,
as shown:
./splunk restart
directory.
3. Edit Splunk_TA_opseclea/local/inputs.conf, replacing all occurrences of
splunk_app_opseclea with Splunk_TA_opseclea.
4. Move the entire $SPLUNK_HOME/etc/apps/splunk_app_opseclea directory to the
$SPLUNK_HOME/etc/disabled-apps directory.
5. Restart Splunk.
6. Verify that the newly installed Splunk Add-on for Check Point OPSEC LEA
works as expected.
If you have a standard Check Point Provider-1 environment, you must configure
an LEA client connection for each Customer Management Add-on (CMA)
connected to the Multi-Domain Management Server (MDS). The CMA acts as
both Log Server (handling log file collection) and Management Server (issuing
the OPSEC application certificate). When you configure the LEA in the UI, you
must provide the CMA IP address, where requested, for both Log Server IP and
Management Server IP.
If your Provider-1 environment includes the optional Multi-Domain Log Module
(MLM), you must configure an LEA client connection for each Customer Log
Module (CLM) connected to the Multi-Domain Log Module (MLM). In this case,
the CLM acts as the Log Server, while the CMA acts as the Management
Server. When you configure the LEA client in the UI, you must provide the CLM
IP address, where requested, for the Log Server IP, and the CMA IP address, where
requested, for the Management Server IP.
4. Type a Connection Name. This name must be unique for each connection.
5. Type the Log Server IP address.
For standard MDS (Multi-Domain Server) environments, the Log Server IP
is the CMA IP address.
For environments using the optional MLM (Multi-Domain Log Module), the
Log Server IP is the CLM IP address.
For standalone environments, the Log Server IP is the Management
Server IP address.
6. Accept the default Port number, 18184, unless your local environment uses a
different port.
7. In the Version menu, select the firewall version of your Check Point
deployment.
8. Type the Destination Index or use the default name. This is the index to
which firewall security or firewall audit events are sent.
9. In the Host appears as field, accept the default host name, or enter the Check
Point host (CMA name) to which you want to reroute security or audit events.
10. In the Collect menu, select the type of data you want to acquire (firewall
event data or firewall audit data).
Note: Collecting both security and audit data requires separate connections.
11. (optional) Select the No-Resolve Mode check box. This specifies the
loggrabber --no-resolve argument and prevents object name resolution. For
more information on object name resolution, see Splunk Answers.
12. (optional) Select the Online mode check box to enable Check Point's
realtime mode. This keeps a single Check Point process running, and prevents
the Check Point process from being closed when no new log data is available on
the Check Point server. This might help improve performance in cases where
data flow is intermittent.
13. Accept the default log extraction Interval of 30 seconds, or enter a new
interval.
Note: The lea_loggrabber script runs at 30 second intervals by default. The script
connects to the Check Point environment, pulls the logs, and closes the
connection. After the client closes the connection, the socket can linger for
some time in the TIME_WAIT state. (TIME_WAIT is the TCP state in which the side
that closed first holds the port pair long enough for any delayed segments from
the old connection to expire, so that they cannot be accepted by a later
connection on the same port pair.) To keep closed connections from accumulating
in TIME_WAIT between polls, set the Interval to a value greater than that
returned by: cat /proc/sys/net/ipv4/tcp_fin_timeout (typically 60 seconds).
14. Click Next.
Step 2. Pull OPSEC application certificate
If you already have a certificate:
Note: If you receive an error message, this might be because you are attempting
to pull the same certificate for the same Connection Name, using an invalid
password or IP address, or the connection to the server is down. For additional
error details, see $SPLUNK_HOME/var/log/splunk/web_service.log.
Step 3. Configure SIC Details
1. Type the SIC Name from the SmartDashboard OPSEC Application
Properties dialog DN window (from Step 4 - Create the OPSEC application
certificate).
2. Type the Entity SIC Name of the stand-alone Check Point Manager, the
Provider-1 Customer Log Module (CLM), or the Provider-1 Customer
Management Add-on (CMA). (Consult your Check Point administrator.)
To acquire the Entity SIC Name:
1. Open GuiDBedit (the Check Point Database Tool).
2. Go to Tables > Network Objects > network object (at left).
A list of network objects opens (at right).
3. Click the network object (for example, opsec-fw1-r7540) in the list.
A list of object attributes appears (at bottom).
4. Scroll down the list to find the sic_name field (near the end of the list), or
search for the sic_name field. The sic name will look similar to this:
CN=cn=cp_mgmt,o=opsec-p1-r7540-test-env-domain1_management_server..pj7ux4.
Note: The process for acquiring the entity SIC name is described in detail
on Splunk Answers.
3. Click Submit.
4. Verify that Splunk is indexing your Check Point data, by executing a search on
the source type.
The certificate pull command takes these parameters:
-h = CMA IP address
-n = OPSEC Application name (for example, "SplunkLEA")
-p = One-time password (activation key) specified in Step 4 - Create the
OPSEC application certificate.
Note: The password must not include any of the following special
characters: exclamation (!), accent circumflex (^), tilde (~), accent grave
(`), quotation ("), and apostrophe (').
-o = Output file (*.p12) containing the application DN name as defined in
the Management Server. The default file name is opsec.p12 but you can
use any name, unique for each CMA.
The command returns an opsec_sic_name, for example:
[CN=SplunkLEA, O=opsec-p1-R7540-demo_Management_Server...3tvqd0]
Important: Save the opsec_sic_name because you will need to enter it when you
edit the opsec.conf configuration file.
3. View the current directory to confirm that <outputFileName>.p12 has been
created.
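The character restriction on the activation key above is easy to violate when the key comes from a password manager or is pasted through a shell. The following Python snippet is an added example, not code from the add-on, from this manual or from Check Point: it rejects a key that contains any of the six listed characters and generates a one-time key from an alphabet that excludes them. The alphabet and the 24-character default length are this example's own choices.

```python
"""Validate or generate a Check Point OPSEC one-time activation key.

Added example, not part of the add-on: enforces the character restriction
the manual states for the password passed to the certificate pull.
"""
import secrets
import string

# The six characters the manual says the activation key must not contain.
FORBIDDEN = frozenset('!^~`"\'')

# Alphabet for generated keys: letters, digits and a few punctuation
# characters that are neither forbidden nor shell metacharacters. This
# particular choice, and the 24-character default, are the example's own.
ALPHABET = string.ascii_letters + string.digits + "@%+=_"


def activation_key_problems(key: str) -> list:
    """Describe why a key is unusable; an empty list means it is acceptable."""
    problems = []
    if not key:
        problems.append("key is empty")
    bad = sorted(FORBIDDEN.intersection(key))
    if bad:
        problems.append("forbidden characters: " + " ".join(bad))
    return problems


def activation_key_ok(key: str) -> bool:
    """True when the key passes every check above."""
    return not activation_key_problems(key)


def generate_activation_key(length: int = 24) -> str:
    """Draw a key from a CSPRNG using only characters the pull command accepts."""
    if length < 8:
        raise ValueError("activation key too short")
    return "".join(secrets.choice(ALPHABET) for _ in range(length))
```

Run activation_key_problems() on a key before typing it into the -p argument; the same key must then be entered as the activation key in the OPSEC application's Communication dialog on the Check Point side, so keep it out of shell history.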
$SPLUNK_HOME/etc/apps/Splunk_TA_opseclea_linux22/local/opsec.conf.
Note: Create local/opsec.conf if it does not yet exist. From the
$SPLUNK_HOME/etc/apps/Splunk_TA_opseclea_linux22 directory:
mkdir local
cd local
touch opsec.conf
This parameter also determines the connection state displayed in the UI, and
must agree with the disabled parameter value in the inputs.conf file, below.
6. Restart Splunk, using either the ./splunk restart command or
http://<host>:<port>/en-US/debug/refresh in the browser address bar.
https://<host>:<managementPort>/servicesNS/nobody/Splunk_TA_opseclea_linux22/opsec/opsec
login: admin/<password>
find <yourNewDomain>
8. Copy .../opsec-tools/<filename>.p12 to the /certs directory.
9. Create the inputs.conf file in the
$SPLUNK_HOME/etc/apps/Splunk_TA_opseclea_linux22/local
directory (settings in local/ take precedence over default/ and are not
overwritten when the add-on is upgraded).
[script:///home/admin/splunk6.0/splunk/etc/apps/Splunk_TA_opseclea_linux22/bin/lea-loggr
--configentity SplunkRESTName]
disabled = false
interval = 30
passAuth = admin
sourcetype = opsec
SplunkRESTName must match the name of the connection entry in the opsec.conf
file. Use sourcetype = opsec_audit for a connection that collects audit data.
passAuth names the Splunk user whose session token is passed to the script on
its standard input; with admin, the collector script runs with full
administrative rights on that Splunk instance.
The script connects to the Check Point environment, pulls the logs, and closes
the connection. After the client closes the connection, the socket can linger
for some time in the TIME_WAIT state. To keep closed connections from
accumulating between polls, set the interval parameter to a value greater than
that returned by: cat /proc/sys/net/ipv4/tcp_fin_timeout (typically 60 seconds
on Linux).
Note: You can modify opsec.conf to enable or disable TCP Nagle, which in some
cases might improve network efficiency. For instructions, see TCP Nagle in the
"Manage Connections" topic in this manual.
Note: You can modify opsec.conf to adjust the client connection buffer size,
which might help improve performance under high load. For instructions, see
Connection buffer size in the "Manage Connections" topic in this manual.
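Because the UI derives a connection's state from opsec.conf while the scheduler obeys inputs.conf, a hand-edited deployment can drift between the two. The following Python script is an added example, not part of the add-on or of this manual: it parses both files, reports every lea-loggrabber input whose --configentity has no matching opsec.conf stanza or whose disabled value disagrees with it, flags intervals that do not exceed tcp_fin_timeout, and lists inputs that run with an admin session token. The two sample .conf texts, the connection names and the /opt/splunk path are constructed for the example, and the passAuth check is this example's least-privilege recommendation rather than a requirement of the add-on.

```python
"""Cross-check Splunk_TA_opseclea inputs.conf against opsec.conf.

Added example, not part of the add-on. Checks that every lea-loggrabber
scripted input names an opsec.conf connection, that the two 'disabled'
values agree (the UI shows the opsec.conf one), that the poll interval
exceeds tcp_fin_timeout (the manual's yardstick for TIME_WAIT), and
reports inputs that receive an admin session token via passAuth.
"""
import configparser
import re
from typing import List

# Constructed sample inputs.conf; paths and connection names are illustrative.
INPUTS_CONF = """
[script:///opt/splunk/etc/apps/Splunk_TA_opseclea_linux22/bin/lea-loggrabber.sh --configentity cma1_fw]
disabled = false
interval = 61
passAuth = admin
sourcetype = opsec

[script:///opt/splunk/etc/apps/Splunk_TA_opseclea_linux22/bin/lea-loggrabber.sh --configentity cma1_audit]
disabled = true
interval = 30
passAuth = admin
sourcetype = opsec_audit

[script:///opt/splunk/etc/apps/Splunk_TA_opseclea_linux22/bin/lea-loggrabber.sh --configentity orphan]
disabled = false
interval = 30
passAuth = admin
sourcetype = opsec
"""

# Constructed sample opsec.conf: 'cma1_audit' is enabled here but disabled in
# inputs.conf, and 'orphan' has no stanza at all.
OPSEC_CONF = """
[cma1_fw]
disabled = 0
conn_buf_size = 65536

[cma1_audit]
disabled = 0
"""

# Stanza form the add-on uses for its scripted input.
SCRIPT_RE = re.compile(r"^script://(?P<path>\S+)\s+--configentity\s+(?P<entity>\S+)$")
TRUTHY = {"1", "true", "t", "yes", "y", "on"}
FALSY = {"0", "false", "f", "no", "n", "off"}


def as_bool(value: str) -> bool:
    """Splunk accepts true/false, 1/0 and similar spellings; normalise them."""
    v = value.strip().lower()
    if v in TRUTHY:
        return True
    if v in FALSY:
        return False
    raise ValueError(f"not a boolean: {value!r}")


def load_conf(text: str) -> configparser.ConfigParser:
    """Parse Splunk .conf text: INI-style, case-sensitive keys, no interpolation."""
    conf = configparser.ConfigParser(interpolation=None)
    conf.optionxform = str  # keep 'passAuth' spelled as written
    conf.read_string(text)
    return conf


def check_consistency(inputs_text: str, opsec_text: str, fin_timeout: int = 60) -> List[str]:
    """Return a list of findings; an empty list means the two files agree."""
    inputs, opsec, findings = load_conf(inputs_text), load_conf(opsec_text), []
    for section in inputs.sections():
        match = SCRIPT_RE.match(section)
        if not match:
            continue  # some other scripted input, not lea-loggrabber
        entity, stanza = match.group("entity"), inputs[section]
        if entity not in opsec:
            findings.append(f"{entity}: no [{entity}] stanza in opsec.conf")
            continue
        in_disabled = as_bool(stanza.get("disabled", "false"))
        op_disabled = as_bool(opsec[entity].get("disabled", "false"))
        if in_disabled != op_disabled:
            findings.append(f"{entity}: disabled={in_disabled} in inputs.conf but "
                            f"disabled={op_disabled} in opsec.conf; the UI state is wrong")
        interval = int(stanza.get("interval", "30"))
        if interval <= fin_timeout:
            findings.append(f"{entity}: interval {interval}s is not greater than "
                            f"tcp_fin_timeout {fin_timeout}s; sockets will pile up in TIME_WAIT")
    return findings


def admin_token_inputs(inputs_text: str) -> List[str]:
    """Entities whose collector script is handed an admin session token on stdin."""
    inputs = load_conf(inputs_text)
    return sorted(SCRIPT_RE.match(s).group("entity") for s in inputs.sections()
                  if SCRIPT_RE.match(s) and inputs[s].get("passAuth") == "admin")


def read_fin_timeout(path: str = "/proc/sys/net/ipv4/tcp_fin_timeout") -> int:
    """Kernel FIN timeout on Linux; fall back to the usual 60 s elsewhere."""
    try:
        with open(path) as fh:
            return int(fh.read().strip())
    except (OSError, ValueError):
        return 60
```

To check a real forwarder, pass the contents of $SPLUNK_HOME/etc/apps/Splunk_TA_opseclea_linux22/local/inputs.conf and local/opsec.conf to check_consistency() with read_fin_timeout() as the third argument, and run it on the forwarder itself so the kernel value is the one that matters.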
Step 3. Verify that trust state is established
1. Open the Check Point SmartDashboard,
2. Click the Servers and OPSEC Applications icon.
3. Expand the OPSEC Applications and OPSEC Application lists.
4. Double-click the SplunkLEA application name.
5. Click the Communication button and verify that Trust state is now set to
Trust established. (Older Check Point versions may only display the Customer
Name.)
$SPLUNK_HOME/etc/apps/Splunk_TA_opseclea_linux22/bin/fw1-loggrabber.conf.
For detailed information about configuring log data collection, see the
fw1-loggrabber manpage. In the CONFIGURATION FILE section, see the
FW1_FILTER_RULE and AUDIT_FILTER_RULE property descriptions, which
refer to examples in the FILTERING section. Note that FW1_FILTER_RULE does not
work in this release (see Known issues), and that editing fw1-loggrabber.conf
by hand can conflict with the settings managed through the REST interface (see
"Set up lea_loggrabber").
Manage Connections
Manage connections
The Splunk Add-on for Check Point OPSEC LEA includes features to help you
manage your Check Point connections.
Connection metrics: View data throughput in events per second (eps) for
each OPSEC LEA connection. View time of last connection.
Online mode: Check Point's real-time mode. Keeps the individual Check
Point process running for a connection and prevents intermittent Check
Point process restarts.
Network connection options in opsec.conf:
Enable/disable TCP Nagle.
Adjust connection buffer size.
Connections display filter: Filters the display of connections on the
Manage Connections page by name, IP address, and firewall version.
Useful for large environments, which might include hundreds of Check
Point connections.
Online mode
The Splunk Add-on for OPSEC LEA lets you enable the Check Point Online
mode. This keeps the individual Check Point process running for a connection,
and prevents the process from being closed when no new log data is available
on the Check Point server. Online mode might improve performance in cases
where data flow from Check Point is intermittent.
To enable Online mode, select the Online mode check box when you configure
the LEA client connection.
Caution: When migrating to version 2.1: Enabling Online mode immediately after
upgrade might cause gaps in your data. This occurs because online mode
collects new incoming logs only. It does not perform log look back. Therefore any
data stored during the upgrade process is not pulled into Splunk. We recommend
that you do not enable online mode until after all log data generated during the
upgrade period is indexed. See known issue (OPSEC-208).
1. Go to
$SPLUNK_HOME/etc/apps/Splunk_TA_opseclea_linux22/local/opsec.conf.
2. In opsec.conf, append the following key-value pair to the connection domain:
conn_buf_size=<number_in_bytes>
Terminology
Terminology
CLM
Customer Log Module. The CLM is a log server for a single Customer. Through
the CLM, an administrator can view events that occur on the firewall policy. Each
CLM is contained in a Multi-Domain Log Module (MLM).
CMA
Customer Management Add-On. A Check Point FW-1 management server
where customer-specific security policies are defined.
Customer
A Customer is the unit that subscribes to a Check Point firewall.
FW-1
Firewall-1. A Check Point firewall instance that provides gateway security and
identity awareness.
LEA
Log Export API. LEA is the Check Point OPSEC API for accessing FW-1 firewall
log data. The Splunk Add-on for Check Point OPSEC LEA extends the open
source FW-1-loggrabber tool, using the LEA to collect raw log data.
MDS
Multi-Domain Server. The MDS stores Provider-1 system information, including
details of the Provider-1 deployment, its administrators, and Customer
management information.
MLM
Multi-Domain Log Module. A special Multi-Domain Server (MDS) that is
dedicated to collecting and storing log data. The MLM is a container for
Customer Log Modules (CLMs).
OPSEC
Open Platform for Security. The Check Point OPSEC is an open management
framework for managing network security. The Splunk Add-on for Check Point
OPSEC LEA uses the LEA to extend OPSEC and provide network security
monitoring and visualization.
Provider-1
Provider-1 is Check Point's Multi-Domain Security Management product. You
can use Provider-1 to segment security management of complex network
operations (which might involve thousands of customers), into multiple separate
virtual domains, based on geography, business unit, security function, or other
logical grouping.
SmartConsole
The SmartConsole (also called SmartDashboard) is a Windows-based GUI
that lets you create global policy rules for a firewall or groups of firewalls.
SmartDashboard
See SmartConsole (above).
Troubleshooting
Set debug logging level
To enable debugging, add debug directives to the following files, which are
located in the $SPLUNK_HOME/etc/apps/splunk_TA_opseclea/bin directory.
pull_cert.sh
For pull-cert issues, add the following line to the pull_cert.sh script:
export TDERROR_ALL_ALL=5
lea-loggrabber.sh
For log collection issues, use the lea-loggrabber-debug.sh script from the
command line; this is a debug variant of the lea-loggrabber.sh script.
UI messages
With debugging enabled, error messages are logged to the
$SPLUNK_HOME/var/log/splunk/web_service.log file.
Note: Log entries for splunk_TA_opseclea display as <string>:nn,
instead of listing the OPSEC LEA controller name. This is a known
bug.
Loggrabber messages
Splunk Add-on for Check Point OPSEC LEA loggrabber messages are logged to
the $SPLUNK_HOME/var/log/splunk/splunkd.log file.
2. Export the Splunk session key so that the script can authenticate:
SPLUNK_TOK=<auth_key>
export SPLUNK_TOK
Run the lea-loggrabber-debug.sh debug script:
lea-loggrabber-debug.sh --configentity <entity_name>
You can also add the debug level argument to the lea-loggrabber invocation in
the lea-loggrabber.sh script: --debug-level 3.