How do I configure Check Point NG to produce log files Firewall Suite can analyze?


This article applies to:

  • Firewall Suite

Question:

How do I configure Check Point NG to produce log files Firewall Suite can analyze?

Procedure:

To create logs that can be read by Firewall Suite, Check Point NG firewalls require additional configuration beyond that required by the Firewall-1 product from Check Point. The latest version of the Firewall Configuration Guide contains information for Check Point NG. You can obtain this document from the following page:

https://support.trustwave.com/Firewall-Suite/documentation.asp 

For your convenience the additional information is repeated below.

Instructions:

Perform the following steps at the end of the "OPSEC LEA (server-side configuration)".

Server-side configuration for Check Point NG

Check Point NG requires the following additional configuration for retrieval of log records via OPSEC LEA.

  1. Edit the file fwopsec.conf, found in %NG_INSTALL_DIR%/conf/. Delete the following lines.

      lea_server auth_port 18184 lea_server port 0

  2. Replace with the following lines, appended to the bottom of the file.

      lea_server auth_port 0 lea_server port 18184

  3. Stop the firewall by typing fwstop at a command prompt.

  4. Restart the firewall and load the changes by typing fwstop at a command prompt.

  5. In the Policy Editor at Manage | Network Objects | New | Workstation, define the Firewall Suite machine as a workstation.

  6. In the Policy Editor at Manage | OPSEC Applications | New | OPSEC Application, define the Firewall Suite as an OPSEC application. In the Hosts drop-down list, select the workstation you defined in the previous step.

Notes:

If you are using Check Point NG with a Feature Pack (FP) installed, additional configuration to the fwopsec.conf file needs to be made.

The following line must be added in addition to the changes above for the OPSEC LEA connection to work properly.

For an authenticated connection:

lea_server          auth_type          auth_opsec

For an unauthenticated connection:

lea_server          auth_type          none

 

This article was previously published as:
NETIQKB2395

Last Modified 4/13/2006.
https://support.trustwave.com/kb/KnowledgebaseArticle10271.aspx