Note: Symantec MSS provides two options for Check Point LEA log collection:
- On-box: send logs to the collector that is installed with the Log Collection Platform (LCP).
- Off-box: send logs to a collector that is installed separately from the LCP.
If you plan to connect Check Point LEA to the on-box log collector, continue with the procedures
in this guide. If instead you plan to connect to an off-box collector, be sure that you first install
the off-box agent and collector (see the Symantec MSS Installation Guide for Off-Box Agent for
LCP 2.5 for instructions), then use the instructions in Symantec Quick Start Guide for Check
Point LEA.
Multi-Domain Log Module (MLM): In an MLM setup, the FW, MDS (multiple CMAs, but no CLM), and MLM (multiple CLMs only) are on separate boxes.
Note: If you have a CMA listening on TCP/18210 and a CLM listening on TCP/18184, ensure that
these ports are open to allow communication from the LCP.
To create a network object for the Symantec MSS Log Collection Platform
1. On the CMA, click the Network Objects icon.
2. In the Network Objects tree, click Nodes, and then right-click Node > Host.
3. In the Host Node window, on the General Properties tab, type the LCP's host name in the Name field, or its
IP address in either the IPv4 Address or IPv6 Address field.
SYMANTEC PROPRIETARY/CONFIDENTIAL
Copyright 2014 Symantec Corporation, All Rights Reserved. Symantec, the Symantec Logo, and the Checkmark Logo are
trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be
trademarks of their respective owners. This document contains Symantec proprietary and Confidential Information and may not be
copied, further distributed, or otherwise disclosed in whole or in part, without the express written permission of Symantec.
Logging Configuration Instructions for Check Point LEA V2 (On-box)
4. If you opt to enter the host name, click Get Address, and then click OK. If this action fails to resolve the
host name, you can enter the IP address in the New Node Host, fix the DNS resolution, or add an entry to
the /etc/hosts file. The /etc/hosts file must contain the IP address of the LCP.
5. Click the floppy icon.
6. Click File > Save.
7. Press Ctrl-S.
4. In the OPSEC Application Properties dialog box, in the General tab, do the following:
a. In the Name field, specify a name for the OPSEC application (preferred name). This value is used for
LCP configuration.
b. In the Host field, select the IP address of the LCP.
Note: Several OPSEC applications can reside on a single host; therefore, be sure to
choose the Symantec MSS LCP host for which you created a network object in the
previous procedure.
6. Select installation targets Network Security and Threat Prevention, then click OK.
7. After successful policy installation, select Policy > Install Database and, when the dialog box appears,
click OK.
9. When trust is established, open the OPSEC Application, access its OPSEC Application Properties dialog
box, and click the LEA Permissions tab.
Note: Be sure to enable logging for all Firewall rules. Also, create an explicit deny rule below all of the
other rules and enable logging for it. For information on how to create and enable Firewall rules,
refer to the Check Point product documentation. Any rule that does not have logging enabled
will not be subject to security monitoring.
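The two requirements in this note (every rule logged, and a logged explicit deny rule at the bottom) can be checked mechanically. The following is an added example, not part of the original guide; the rule records are a constructed, simplified representation with hypothetical field names, not a Check Point export format.

```python
# Constructed, simplified rule records for illustration; this is not a
# Check Point export format, and the field names are hypothetical.
RULES = [
    {"no": 1, "action": "accept", "src": "admin-net", "dst": "fw-mgmt", "service": "ssh", "track": "log"},
    {"no": 2, "action": "accept", "src": "any", "dst": "web-dmz", "service": "https", "track": "none"},
    {"no": 3, "action": "drop", "src": "any", "dst": "any", "service": "any", "track": "log"},
]

def is_deny_all(rule):
    """True for an explicit any/any/any drop or reject rule."""
    return (rule["action"] in {"drop", "reject"}
            and rule["src"] == rule["dst"] == rule["service"] == "any")

def audit_logging(rules):
    """Return (rule_no, finding) pairs for gaps in monitoring coverage."""
    findings = []
    for pos, rule in enumerate(rules):
        if rule["track"] == "none":
            findings.append((rule["no"], "logging disabled, traffic is unmonitored"))
        if is_deny_all(rule) and pos != len(rules) - 1:
            findings.append((rule["no"], "deny-all is not the last rule"))
    if not rules or not is_deny_all(rules[-1]):
        findings.append((None, "no explicit deny-all rule at the bottom"))
    return findings

if __name__ == "__main__":
    for rule_no, finding in audit_logging(RULES):
        print(rule_no, finding)
```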
Configuration parameters
Table 1 Configuration parameters
Property
  Description

Protocol
  Protocol.
  The default value is OPSEC.

LEA OpSec Application Name
  Name of the OPSEC Application that is created in the Check Point SmartDashboard Console.

LEA OpSec Application Password
  The password that was specified when you created the OPSEC Application.

LEA Server IP Address
  If firewall logs are stored in the CMA, enter the CMA IP address. If the firewall logs are
  stored in a separate CLM, enter the CLM IP address.

LEA Server Auth Port
  Authentication port on the Check Point LEA server on which the LEA application is running.
  The default value is 18184.
  For Check Point Provider-1 installations with MDS/CMA/Log server all on one
  computer, set this field to 18184 as the LEA server auth port.
  For Distributed Provider-1 installations with MDS/CMA on one computer and the
  MLM/CLM on a separate computer (where clear text communication is the only
  option), set this field to 0 (zero) as the LEA server auth port.

LEA Server Auth Type
  Authentication type that the LCP uses is sslca.
LEA Server Port
  Communications port for the LEA server.
  For Check Point Provider-1 installations with MDS/CMA/Log server all on one
  computer, set this field to 0 (zero) as the LEA server port.
  For Distributed Provider-1 installations with MDS/CMA on one computer and the
  MLM/CLM on a separate computer (where clear text communication is the only
  option), set this field to 18184 as the LEA server port.
  The default value is 0.

Cert Server IP Address
  IP address of the CMA.

LEA Server OpSec Entity SIC Name
  Qualified name of the OPSEC management server, CMA, or CLM.
  Copy the name from the OPSEC Application on the Check Point SmartDashboard Console.
  For Check Point Provider-1 installations with MDS/CMA/LOG server all on one
  computer, set this field to the SIC name of the CMA.
  For Distributed Provider-1 installations with MDS/CMA on one computer and the
  MLM/CLM on a separate computer (where clear text communication is the only
  option), you must set this field to BLANK.
  The default value is CN=cp_mgmt,O=(sic_name_of_lea_server).

OpSec SIC Name
  Secure Internal Communication (SIC) name of the OPSEC Application.
  Copy the name from the OPSEC Application on the Check Point SmartDashboard Console.
  The default value is CN=(application_name),O=(sic_name_of_lea_server).
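The port and SIC name rules in Table 1 depend on each other, so a mismatch between them is easy to miss. The following added example (not part of the original guide or of the LCP) checks one set of values against those rules; the dictionary keys are hypothetical names standing in for the table's properties, and the sample values are constructed.

```python
import re
# Hypothetical key names standing in for the Table 1 properties; they are
# not the LCP's own configuration keys. Sample values are constructed.
DN = re.compile(r"^CN=[^,=]+,O=[^,=]+$")

def _check_sic(label, value, problems):
    """Flag a SIC name that is malformed or still holds a '(...)' placeholder."""
    if "(" in value or ")" in value:
        problems.append(f"{label}: default placeholder was not replaced")
    elif not DN.match(value):
        problems.append(f"{label}: expected the form CN=<name>,O=<name>")

def check_lea_params(p):
    """Return (mode, problems) for one set of Table 1 values."""
    problems = []
    auth_port = int(p.get("lea_server_auth_port", 18184))  # table default
    clear_port = int(p.get("lea_server_port", 0))          # table default
    entity_sic = p.get("lea_server_entity_sic_name", "").strip()
    app_sic = p.get("opsec_sic_name", "").strip()
    if bool(auth_port) == bool(clear_port):
        # The table always pairs one real port with 0, never both or neither.
        return "invalid", ["exactly one of auth port and server port must be 0"]
    if auth_port:   # MDS/CMA/log server on one computer: authenticated port
        mode = "sslca"
        if entity_sic:
            _check_sic("entity SIC name", entity_sic, problems)
        else:
            problems.append("entity SIC name: required (SIC name of the CMA)")
    else:           # separate MLM/CLM: clear-text port, entity name left blank
        mode = "clear"
        if entity_sic:
            problems.append("entity SIC name: must be blank for clear text")
    if app_sic:
        _check_sic("OpSec SIC name", app_sic, problems)
    elif mode == "sslca":
        problems.append("OpSec SIC name: required")
    return mode, problems

ALL_IN_ONE = {"lea_server_auth_port": 18184, "lea_server_port": 0,
              "lea_server_entity_sic_name": "CN=cp_mgmt,O=cma1..x7k2p9",
              "opsec_sic_name": "CN=mss_lcp,O=cma1..x7k2p9"}
DISTRIBUTED = {"lea_server_auth_port": 0, "lea_server_port": 18184,
               "lea_server_entity_sic_name": "",
               "opsec_sic_name": "CN=mss_lcp,O=cma1..x7k2p9"}
BROKEN = dict(ALL_IN_ONE, opsec_sic_name="CN-mss_lcp,O=cma1..x7k2p9")

if __name__ == "__main__":
    for params in (ALL_IN_ONE, DISTRIBUTED, BROKEN):
        print(check_lea_params(params))
```

A result of "clear" means the log stream uses the clear text port described in the table, which is worth recording when reviewing how logs reach the LCP.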