Hello,
We need to configure OPSEC in Check Point to communicate with QRadar.
The question is: will this be a unidirectional communication with QRadar or bidirectional? I read that the certificates are pulled from the Check Point; in that case, are these certificates pulled from the management server or the gateways? So do I need to enable port access from QRadar to the management server or the gateways?
Environment Details: VSX Cluster, Gaia R80.10, SmartConsole
Thanks
The opsec is done with the management/log server, not the gateways. Create the OPSEC object, check LEA as service and define your QRadar host, then initialize SIC.
Thanks... so after this I need to copy the content of the Communication: DN field into QRadar?
Also, a bidirectional ACL will be applied for QRadar -> Management Server IP on the required port?
I remember this being unnecessarily more difficult than other OPSEC integrations I had performed.
Here is a screenshot that may help you get started. The trick was obtaining the correct DNs for the QRadar OPSEC object and the SMS.
The OPSEC DN is easy enough to obtain. Just edit the properties of the object and copy+paste the DN next to the Communication button.
The SMS was a little trickier unless someone knows a shortcut I don't. In R77, I think you used to be able to just see this by viewing the properties of the SMS and clicking the Communication button. This seems to be a bit different in R80. The quickest way I was able to find was to enable the ICA Portal. From the CLI of your SMS, run:
cpca_client set_mgmt_tool on
Then browse to http://<ip of your SMS>:18265
You should be able to find the DN of the SMS there. Once you have it, turn the ICA Portal back off: cpca_client set_mgmt_tool off

For some reason, I had to manually copy the certificate from my SMS to the QRadar server. I think this was because the two servers were on different LANs without the proper Firewall rules to allow the ICA communication. Assuming you have that, you should be able to skip the part about specifying a file name for the cert.
Since the procedure is different from here, I found these steps in a different CheckMates thread on this topic. Hopefully, this should be accurate enough to finish the configuration!
Specify Certificate: Checked
Certificate Authority IP: IP of your management server
Pull Certificate Password: the shared / trusted SIC secret you specified in the OPSEC object
Enabled: Checked
Target Collector: which QRadar appliance do you want to reach out to the Log Server
Coalescing Events: Checked
Store Event Payload: Checked
Log Source Extension: I left this blank
Select QRadar Groups: Check the group you want.
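Added example, not part of the original thread or any poster's reply: a pre-flight check run from the QRadar side that confirms the management/log server is reachable for LEA and the certificate pull, and that the ICA Portal on 18265 has been switched back off. It assumes QRadar initiates the connections and that the Check Point defaults 18184 (LEA) and 18210 (FW1_ica_pull) are in use; those two ports and the function names are assumptions, not values from the thread.

```python
import socket
import sys

# 18265 is the ICA Portal port given in the thread. The other two are
# assumed Check Point defaults and may differ in your environment.
LEA_PORT = 18184         # assumed: OPSEC LEA log export
ICA_PULL_PORT = 18210    # assumed: FW1_ica_pull (OPSEC certificate pull)
ICA_PORTAL_PORT = 18265  # from the thread: ICA Management Tool portal


def probe(host, port, timeout=3.0):
    """Return True if a TCP connection to host:port succeeds."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def preflight(host, required=(LEA_PORT, ICA_PULL_PORT),
              must_be_closed=(ICA_PORTAL_PORT,), timeout=3.0):
    """Probe the SMS/log server from this host; return a list of problems."""
    problems = []
    for port in required:
        if not probe(host, port, timeout):
            problems.append(
                f"{host}:{port} unreachable: check the firewall rule "
                "from QRadar to the management/log server")
    for port in must_be_closed:
        if probe(host, port, timeout):
            problems.append(
                f"{host}:{port} is open: ICA Portal still enabled, "
                "run 'cpca_client set_mgmt_tool off' on the SMS")
    return problems


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: preflight.py <ip-of-your-SMS>")
    issues = preflight(sys.argv[1])
    for issue in issues:
        print("FAIL", issue)
    sys.exit(1 if issues else 0)
```

A non-zero exit with an "unreachable" line points at the missing firewall rule described above, in which case the certificate has to be copied over manually.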
Using GuiDBedit is another option (sk61833): How to find the SIC DN name of Security Management for an OPSEC client configuration
Any reason you're using LEA to export logs instead of Log Exporter?
It's definitely an option; here is QRadar's guide in the IBM Knowledge Center: Configure Check Point Log Exporter to forward LEEF events to QRadar by using syslog