CheckPoint Helper R7X-1

  • Writer: Pavan Raja
  • Apr 8, 2025

Summary:

This document explains three terms related to CheckPoint configurations: LEA or OPSEC Object, SIC OBJECT, and SIC Entity. It provides detailed steps on how to pull an OPSEC certificate from the management server, install a Checkpoint Connector in ArcSight, and troubleshoot SSH-connected Connector Appliance issues. The document includes specific instructions for filling out forms and confirming SSLCA communication with LEA or OPSEC objects.

Details:

The document provides an explanation of three terms related to CheckPoint configurations: LEA or OPSEC object, SIC OBJECT, and SIC Entity.

1. **LEA or OPSEC Object**: This refers to an object created by the customer's firewall admin to facilitate secure log retrieval. It has a long name similar to `CN=arcsight,O=WESM.bowen.com.jh4xr7` and a short name, which is what comes after "=" and before the first comma (e.g., `arcsight`).

2. **SIC OBJECT**: This term refers to the server running the SmartConnector CheckPoint software, in this case `CN=arcsight,O=WESM.bowen.com.jh4xr7`.

3. **SIC Entity**: This term specifically denotes the CheckPoint Management station, which can be difficult to locate in versions r7x of CheckPoint. The short name for the SIC Entity in this example is `cn=cp_mgmt,o=WESM.bowen.com.jh4xr7`.

The main difference between SIC OBJECT and SIC ENTITY is the text between "CN=" and the first comma.

To pull an OPSEC certificate:

  • Select a container from the dropdown menu.

  • Click on the blue globe with a red lightning bolt icon.

  • From the pull-down menu, select "Pull OPSEC Certificate."

  • In the first line, enter the IP address of the CheckPoint Management Server.

  • In the second line, input the short name for the CheckPoint host (e.g., arcsight).

  • Use the short name as the application object name for the certificate pull.

  • Click "Next."

  • A page confirming a successful certificate pull will display the location of the saved certificate in a note.

To install a Checkpoint Connector in your ArcSight environment, follow these steps:

1. **Locate the Certificate Path**: Ensure you know the path to the certificate file used for SSLCA communication. For example, `/opt/arcsight/connector_2/current/user/agent/checkpoint/arcsight.opsec.p12` is crucial as it will be needed in subsequent steps.

2. **Install the Connector**: In the same container where you found the certificate path, click the big green plus sign and select "Checkpoint Connector" to install it. This step assumes that your Firewall administrator has already configured SSLCA communication on the management server or understands how to configure it based on provided guidance.

3. **Configure Connector Settings**:

  • Select `sslca` as the format.

  • Click "Next".

4. **Add Row for Configuration**: After clicking "add row", fill in the following five boxes in order:

  • **IP address of the Management or Log server**: Use 18184 as the default value.

  • **Certificate Full Name**: This is typically `CN=arcsight,O=WESM.bowen.com.jh4xr7`.

  • **Management Server Full Name**: Should be something like `cn=cp_mgmt,o=WESM.bowen.com.jh4xr7`, where it begins with "CN=cp_mgmt".

5. **Next Steps**: After filling in the fields, click "Next" to proceed to the registration screen for the connector.

If you encounter a failure message, try these troubleshooting steps:

  • Confirm that the certificate pull worked with the Firewall admin; they should see "communication confirmed" under the LEA Object.

  • Ensure that if another POC (proof of concept) was done with SSLCA enabled, the SIC (system identification code) was reset before your cert pull. If not, re-evaluate the IP address used in previous POCs.

  • Double-check that all copied and pasted information is correctly entered into the respective fields without any errors.
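The copy-and-paste check from the troubleshooting list can be scripted before the values go into the connector row. This is an added example, not ArcSight or CheckPoint code; the function names `sic_field`, `lower` and `check_sic_pair` are hypothetical, the sample names are the ones shown on this page, and the case-insensitive comparison is an assumption.

```shell
#!/bin/sh
# Added example: sanity-check the two SIC names before pasting them into the
# connector row. Function names are hypothetical; sample values are from this page.

# Print the value of one name component (KEY is "cn" or "o", matched case-insensitively).
sic_field() {
    printf '%s\n' "$1" | tr ',' '\n' | while IFS= read -r part; do
        part=$(printf '%s' "$part" | sed 's/^[[:space:]]*//; s/[[:space:]]*$//')
        key=$(printf '%s' "${part%%=*}" | tr '[:upper:]' '[:lower:]')
        if [ "$key" = "$2" ] && [ "$part" != "${part#*=}" ]; then
            printf '%s\n' "${part#*=}"
            break
        fi
    done
}

lower() { printf '%s' "$1" | tr '[:upper:]' '[:lower:]'; }

# Return 0 when the SIC object ($1) and SIC entity ($2) names look consistent.
check_sic_pair() {
    rc=0
    for name in "$1" "$2"; do
        trimmed=$(printf '%s' "$name" | sed 's/^[[:space:]]*//; s/[[:space:]]*$//')
        if [ "$trimmed" != "$name" ]; then
            echo "stray whitespace around: '$name'"; rc=1
        fi
        if [ -z "$(sic_field "$name" cn)" ] || [ -z "$(sic_field "$name" o)" ]; then
            echo "not of the form CN=<short name>,O=<org>: '$name'"; rc=1
        fi
    done
    [ "$rc" -eq 0 ] || return 1
    # Per the page, the two names differ only in the text after "CN=".
    if [ "$(lower "$(sic_field "$1" o)")" != "$(lower "$(sic_field "$2" o)")" ]; then
        echo "O= differs between SIC object and SIC entity"; rc=1
    fi
    if [ "$(lower "$(sic_field "$1" cn)")" = "$(lower "$(sic_field "$2" cn)")" ]; then
        echo "same CN in both fields (one name pasted twice?)"; rc=1
    fi
    return "$rc"
}

# Sample values as shown on this page.
SIC_OBJECT='CN=arcsight,O=WESM.bowen.com.jh4xr7'
SIC_ENTITY='cn=cp_mgmt,o=WESM.bowen.com.jh4xr7'
echo "application object (short) name: $(sic_field "$SIC_OBJECT" cn)"
check_sic_pair "$SIC_OBJECT" "$SIC_ENTITY" && echo "SIC names look consistent"
```

The short name printed for the SIC object is the value to enter as the application object name during the certificate pull.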

By following these steps and troubleshooting as necessary, you can successfully install and configure a Checkpoint Connector for ArcSight to enhance your security operations.

To troubleshoot a potential issue with SSH-connected Connector Appliance, follow these steps:

1. **SSH into the Connector Appliance**: Access the device remotely using SSH to begin troubleshooting.

2. **Tail -F agent.log**: Use the `tail -F` command on the agent log file for more detailed error information. This will help in identifying any ongoing issues or errors that might not be immediately visible otherwise.

3. **Ignore Initial Errors**: While it is important to address failures, especially if they occur repeatedly, start by focusing on gathering more information from the logs and system status before making a full assessment of the issue.

4. **Check Network Ports**: Verify that ports 18210 and 18184 are open and functioning properly between the Connector Appliance (Conn App) and the Management server. This ensures proper communication between these two critical components in your network infrastructure.

5. **Monitor for Issues**: If you continue to experience issues, keep a close eye on any error messages or system logs that might indicate what is going wrong. Be prepared to take quick action if necessary but do not let initial setbacks discourage you from fixing the problem eventually.

6. **Email Irock**: Reach out to your support team or specific contacts at companies like CheckPoint, BlueCoat, and SQL for more detailed assistance. They are knowledgeable about connector issues and can respond promptly. You might also consider reaching out directly via email if this is a preferred method of communication for you.

Disclaimer:
The content in this post is for informational and educational purposes only. It may reference technologies, configurations, or products that are outdated or no longer supported. If you have any comments or feedback, kindly leave a message and it will be responded to.
