LogLogic Check Point Management Station Log Configuration Guide



LogLogic 

Check Point Management Station 

Log Configuration Guide

Document Release: September 2011
Part Number: LL600013-00ELS090000


© 2011 LogLogic, Inc.

Proprietary Information

This document contains proprietary and confidential information of LogLogic, Inc. and its licensors.  In accordance with the license, this document may not be copied, disclosed, modified, transmitted, or translated except as permitted in writing by LogLogic, Inc.

Trademarks

LogLogic and the LogLogic logo are trademarks or registered trademarks of LogLogic, Inc. in the United States and/or foreign countries. All other company or product names are trademarks or registered trademarks of their respective owners.

Notice

The information contained in this document is subject to change at any time without notice. All warranties with respect to the software and accompanying documentation are set out exclusively in the Software License Agreement or in the Product Purchase Agreement that covers the documentation.

LogLogic, Inc.


Check Point Management Station Log Configuration Guide 3

Contents

Preface

About This Guide . . . . 5

Technical Support . . . . 5

Documentation Support . . . 5

Conventions. . . 6

Chapter 1 – Configuring Check Point Management Station and the LogLogic Appliance

Introduction to Check Point Management Station . . . 7

Prerequisites . . . 7

Configuring Check Point Management Station . . . 8

Enabling the LogLogic Appliance to Capture Log Data . . . 12

Adding a Check Point LEA Device. . . 13

Chapter 2 – How LogLogic Supports CheckPoint

How LogLogic Captures CheckPoint Data . . . 16

LogLogic Real-Time Reports . . . 16

Chapter 3 – Troubleshooting and FAQ

Troubleshooting . . . 19

Frequently Asked Questions (FAQ). . . 19


Preface

About This Guide

The LogLogic® Appliance-based solution lets you capture and manage log data from all types of log sources in your enterprise. The LogLogic support for Check Point Management Station (and Check Point SecurePlatform™) enables LogLogic Appliances to capture audit logs from machines running Check Point Management Station.

Once the logs are captured and parsed, you can generate reports and create alerts on Check Point Management Station’s operations. For more information on creating reports and alerts, see the

LogLogic User Guide and LogLogic Online Help.

Technical Support

LogLogic is committed to the success of our customers and to ensuring our products improve customers' ability to maintain secure, reliable networks. Although LogLogic products are easy to use and maintain, occasional assistance might be necessary. LogLogic provides timely and comprehensive customer support and technical assistance from highly knowledgeable, experienced engineers who can help you maximize the performance of your LogLogic Appliances. To reach LogLogic Customer Support:

Telephone: Toll Free 1-800-957-LOGS; Local 1-408-834-7480

EMEA or APAC: +44 (0) 207 1170075 or +44 (0) 8000 669970

Email: support@loglogic.com

You can also visit the LogLogic Support website at: http://www.loglogic.com/services/support. When contacting Customer Support, be prepared to provide:

Your name, email address, phone number, and fax number

Your company name and company address

Your machine type and release version

A description of the problem and the content of pertinent error messages (if any)

Documentation Support

Your feedback on LogLogic documentation is important to us. Send e-mail to DocComments@loglogic.com if you have questions or comments. Your comments will be reviewed and addressed by the LogLogic technical writing team.


Conventions

LogLogic documentation uses the following conventions to highlight code and command-line elements:

A monospace font is used for programming elements (such as code fragments, objects, methods, parameters, and HTML tags) and system elements (such as filenames, directories, paths, and URLs).

A monospace bold font is used to distinguish system prompts or screen output from user responses, as in this example:

username: system
home directory: home\app

A monospace italic font is used for placeholders, which are general names that you replace with names specific to your site, as in this example:

LogLogic_home_directory\upgrade\

Straight brackets signal options in command-line syntax. For example:


Chapter 1 – Configuring Check Point Management Station and the LogLogic Appliance

This chapter describes LogLogic’s support for Check Point Management Station. LogLogic enables you to track log data from the Check Point Management Station device in real-time or on a scheduled basis.

Introduction to Check Point Management Station . . . 7

Prerequisites . . . 7

Configuring Check Point Management Station . . . 8

Enabling the LogLogic Appliance to Capture Log Data . . . 12

Introduction to Check Point Management Station

The Check Point SecurePlatform is designed to run Check Point’s VPN-1® gateways and SmartCenter™ management servers. Check Point devices enable you to protect your entire network and maintain security for your information resources.

Note: Log Export API (LEA) is used to retrieve and export VPN-1/FireWall-1 log data. Check Point Management Interface (CPMI) is used to provide a secure interface to the Check Point management server's databases. For more information, see the LogLogic Administration Guide.

The LogLogic Appliance enables you to capture log data and report on critical points of your Check Point solutions deployed on SecurePlatform. LogLogic provides an additional level of support by enabling you to generate reports and run searches on data to improve your ability to manage your Check Point activity.

Check Point devices are supported by LogLogic Appliances. All Check Point log data captured by the LogLogic Appliance is parsed and made available to the LogLogic Agile Reporting engine. The Agile Reporting engine provides report templates that can be run as-is or modified to create customized reports targeting specific information.

Prerequisites

Prior to configuring the Check Point Management Station and LogLogic Appliance, ensure that you meet the following prerequisites:


Configuring Check Point Management Station

This section describes how to configure a Check Point Management Station to communicate with your LogLogic Appliance.

To configure Check Point Management Station:

1. Log in to Check Point Management Station.

2. On the Check Point SmartDashboard, create an object for the appliance.

Figure 1 SmartDashboard - Host Node Window

3. Create a new OPSEC device using the same object from Step 1.


Figure 2 SmartDashboard - OPSEC Application Properties > General Tab


Figure 3 SmartDashboard - OPSEC Application Properties > CPMI Permissions Tab

5. On the General tab, click Communication to initialize SIC.


Figure 4 SmartDashboard - OPSEC Application Properties > Communication Window

6. Create a user account and connect it to the same profile created in Step 4.


Figure 5 Administration Properties > General Tab

Figure 6 Administrator Properties > Admin Auth Tab

Enabling the LogLogic Appliance to Capture Log Data

The following sections describe how to enable the LogLogic Appliance to capture Check Point log data.


Adding a Check Point LEA Device

To configure the LogLogic Appliance to recognize a new Check Point LEA server, you must add the device’s configuration information to the Appliance.

To configure the LogLogic Appliance for Check Point LEA servers:

1. Log in to the LogLogic Appliance.

2. From the navigation menu, select Management > Check Point Configuration.

3. Click Add New.

The Add LEA Server tab appears.

4. Type the Name for the LEA server.

Note: LogLogic recommends using a naming convention similar to Check Point’s naming conventions.

5. Select an Agent Mode to define how the LEA server starts. The default is Automatic, to ensure that the Check Point connection establishes during system boot up.

6. (Optional) Type a Description for the LEA server.

7. Make sure that Enable Data Collection is set to Yes.

8. Establish Secure Internal Communication (SIC):

a. Check the Establish Secure Internal Communication checkbox.

b. Enter the Check Point server SIC IP address.

c. Enter the Activation Key for the OPSEC Application on the Check Point log source.

d. Enter the OPSEC Application Name for the application on the Check Point log source.

The OPSEC Application Name is the OPSEC object name and the Activation Key is the SIC key. The OPSEC object name and SIC key were defined during the Check Point configuration procedure (see To configure Check Point Management Station: on page 8).

9. Set up the SSL connection to the LEA server:

a. Check the SSL Connection to LEA Server checkbox to enable it.

b. Type the LEA IP address for the LEA server.

c. Type the LEA Port number for the LEA server. The default port number is 18184.

d. Type the LEA Server DN (domain name).

10. If the firewall and interface are on the same Check Point log source as the LEA server, configure them. If they are on separate Check Point log sources, after adding this LEA server, use the Firewall and Interface tabs instead. For more information, see the LogLogic Administration Guide.

a. Select the appropriate Add Firewalls & Interfaces radio button:

CPMI Auto Discovery - Automatically detects any Check Point Management Interface (CPMI) log sources connected to your system.

Manual Input - Lets you manually input each CPMI log source.

c. Type the CPMI Port number. The default port number is 18190.

d. Type the Check Point User Name. You must create an Administrator account in your Check Point application before you can use that ID for the Check Point User Name field on the LogLogic Appliance.

e. Type the Check Point User Password. You must create an Administrator account in your Check Point application before you can use that password for the Check Point User Password field on the LogLogic Appliance.

For more information on how to create the administrator user name and password within Check Point, see To configure Check Point Management Station: on page 8.

f. Select SSL Connection to CPMI Server to enable the SSL connection to your CPMI server.

g. Type the CPMI Server DN (domain name).


Figure 7 Adding a New LEA Server

Upon completion of the initialization, you will see a successful connection on both the LEA and the CPMI devices on the LEA Servers tab.

Figure 8 LEA Server Information with Connection Status

Note: You can start and stop the connection by clicking the button that appears to the right of the


Chapter 2 – How LogLogic Supports CheckPoint

This chapter describes LogLogic’s support for CheckPoint. LogLogic enables you to capture CheckPoint Firewall events in syslog format.

How LogLogic Captures CheckPoint Data . . . 16

LogLogic Real-Time Reports . . . 16

How LogLogic Captures CheckPoint Data

After the Check Point device is configured, the LogLogic Appliance starts receiving the logs from all the Check Point interfaces that generate them; the logs are then processed, stored, and made available for reporting, alerting, and searching.

CheckPoint’s Open Platform for Security (OPSEC) provides a single framework for third-party products to integrate into all aspects of the secure virtual network through a combination of published application programming interfaces (APIs), industry-standard protocols and a high-level scripting language. One of the APIs that comes under OPSEC is the LEA or Log Export API. The Log Export API enables applications to read the VPN-1/FireWall-1 log database. The LogLogic Appliance has achieved OPSEC certification, which is granted to applications only after they have been tested for compliance with the defined OPSEC standards. Hence, the LogLogic Appliance seamlessly integrates with the Check Point FireWall-1/VPN-1 software for Check Point firewall log collection. The LogLogic Appliance can pull firewall rules information through the CPMI (Check Point Management Interface) and aggregate firewall log data through the OPSEC Log Export API (LEA) interface.

Figure 9 Check Point and LogLogic Appliance Components

Once the data is captured and parsed, it can be used for generating reports.

LogLogic Real-Time Reports

LogLogic provides preconfigured Real-Time Reports for Check Point log data. The following Real-Time Reports are available:

Check Point Policies – Displays the Check Point Policies established

User Authentication – Reports the successful and failed user login and logout events

User Last Activity – Reports the last activity users performed within the Check Point environment

VPN Access – Displays VPN connections that VPN devices either accepted or denied

VPN Sessions – Displays data about VPN sessions created on VPN devices during a specified time interval

Accepted Connections – Displays data about IP connections that were accepted by a device

Active VPN Connections – Displays data about current active sessions on various VPN devices

Application Distribution – Displays information about messages, grouped by application ports, that were accepted by a device

Denied Connections – Displays data about IP connections that were denied by a device

FTP Connections – Displays data about FTP traffic through the selected firewall device

VPN Top Lists – Displays data about top users and IP addresses and statistics

All Unparsed Events – Displays data for all events retrieved from the Check Point Firewall/VPN log for a specified time interval

Security Events – Displays data for firewall security-related events classified as security messages for a specified time interval

System Events – Displays data for system-related events retrieved from the Check Point Firewall/VPN log for a specific time interval

VPN Events – Displays all Check Point Firewall/VPN events

Web Surfing Activity – Displays web information served during a specified time interval

You can create custom reports from the existing Real-Time Report templates.

To access LMI 5.x Real-Time Reports:

1. In the top navigation pane, click Reports.

2. Click Access Control. (For Check Point Policies, click Reports > Policy Reports > Check Point Policies.)

The following Access Control Real-Time Reports are available:

User Access

User Authentication

User Last Activity

3. Click Network Activity.

The following Network Activity Real-Time Reports are available:

VPN Sessions

Web Surfing Activity

4. Click Operational.

The following Operational Real-Time Reports are available:


Chapter 3 – Troubleshooting and FAQ

This chapter contains troubleshooting regarding the configuration and/or use of log collection for CheckPoint. It also contains an FAQ, providing quick answers to common questions.

Troubleshooting . . . 19

Frequently Asked Questions (FAQ) . . . 19

Troubleshooting

Check Point events are not appearing on the LogLogic Appliance after capturing the logs via the syslog listener.

The reason for this problem can be that the Check Point device might not be configured correctly. In LMI 4.x, go to Administration > Check Point Devices. In the LMI 5.x GUI, go to Management > Check Point Configuration. On the LEA Servers tab, the LEA Status and CPMI Status should be CONNECTED. Then check the Interfaces tab, and see which of the interfaces has the Trusted and Origin columns set to YES and Device Status set to ENABLED. That interface should appear in the Log Source Status page as the Check Point source of log collection. Also check that the Syslog Server (i.e., the LogLogic Appliance) has been defined. For more information see Configuring Check Point Management Station on page 8.

Frequently Asked Questions (FAQ)

How does the LogLogic Appliance collect logs from Check Point?

The LogLogic Appliance collects the data from the Check Point server through syslog. On the Check Point server you create an OPSEC application supporting LEA, which lets you configure the LogLogic Appliance with the Check Point server for log collection; the LEA application then sends the Check Point logs through syslog to the Appliance. The LogLogic Appliance collects the messages using the Syslog Listener. For more information, see How LogLogic Captures CheckPoint Data on page 16.

How do I configure Syslog on Check Point?


Appendix A – Event Reference

This appendix lists the LogLogic-supported Check Point events. The LogLogic Check Point event table identifies events which can be analyzed through the LogLogic Agile Reports, as well as a sample log message. All sample log messages were captured by LogLogic’s file pull utility.

LogLogic Support for Check Point Events

The following list describes the contents of each of the columns in the table below.

Event Type – Action taken in enforcing the Check Point security policy.

Agile/Search Reports – Defines if the Check Point event is available through the LogLogic Agile Reporting engine or through the search capabilities. If the event is available through the Agile Report engine, then you can use LogLogic’s Real-Time Reports and Summary Reports to analyze and display the captured log data. Otherwise, all other supported events that are captured by the LogLogic Appliance can be viewed by performing a search for the log data.

Event Category – All events belong to the Audit category

Reports Appears In – LogLogic-provided reports that the event appears in

Sample Log Message – Sample Check Point log messages converted into text (.txt) format.


Table 1 Check Point Management Station Events Event Type Agile/

Search Reports Event Category Reports Appears In

Sample Log Message

1 “action: accept” Agile Audit Accepted

Connections, Rules/Policies, Application distribution <38>Dec 17 17:36:32 10.2.1.1 %CP: time:14Mar2003 14:44:30;action:accept;orig:10.2.1.1;i/f_dir:0;i/ f_name:1;src:209.46.4.193;s_port:67;dst:255.255.255.255;service:68;proto:17;rule: 6;packets:1;bytes:337; 2 “action: accept” and “resource: http://”

Agile Audit Accepted Connections, Rules/Policies, Application distribution, Web Surfing Activity <38>Jul 20 10:54:12 10.2.1.10 %CP: time:20Jul2004 11:39:20;action:accept;orig:10.2.1.10;i/f_dir:outbound;i/ f_name:daemon;service:21;proto:6;s_port:1187;src:209.46.4.251;rule:6;dst:10.0.0. 143;resource:ftp://10.0.0.143/qorusag ftp://10.0.0.143/ qorusagakfgfg;product:VPN-1 & FireWall-1;xlatesrc:209.46.4.251;xlatesport:1187;xlatedport:0;srcOutBytes:0;dstOut Bytes:0; 3 “action: accept “ and “resource: ftp://”

Agile Audit Accepted Connections, Rules/Policies, Application distribution, FTP Connections <38>Jul 20 10:54:12 10.2.1.10 %CP: time:20Jul2004 11:39:20;action:accept;orig:10.2.1.10;i/f_dir:outbound;i/ f_name:daemon;service:21;proto:6;s_port:1187;src:209.46.4.251;rule:6;dst:10.0.0. 143;resource:ftp://10.0.0.143/qorusag ftp://10.0.0.143/ qorusagakfgfg;product:VPN-1 & FireWall-1;xlatesrc:209.46.4.251;xlatesport:1187;xlatedport:0;srcOutBytes:0;dstOut Bytes:0;

4 “action: drop” Agile Audit Denied Connections, Rules/Policies <38>Dec 17 17:36:32 10.2.1.1 %CP: time:14Mar2003 17:37:59;action:drop;orig:10.2.1.1;i/f_dir:0;i/ f_name:1;src:202.187.12.130;s_port:61153;dst:209.46.4.250;service:137;proto:17;r ule:4; 5 “action: drop” and “product: SmartDefense”

Agile Audit Security Events <38>Jun 30 10:34:05 172.16.1.1 %CP: time:30Jun2005 10:31:45;action:drop;orig:172.16.1.1;i/f_dir:inbound;direction:2;i/

f_name:eth-s3p1c2;product:SmartDefense;__policy_id_tag:product=VPN-1 & FireWall-1[db_tag={F914CCAD-7D6F-4DE4-B409-9476CA9DEA9E};mgmt=check point-mgmt;date=1119995290;policy_name=Main];TCP flags:FIN;Attack Info:TCP flags do not make sense;attack:Bad

packet;src:172.16.0.85;s_port:49434;dst:65.29.55.56;service:2203;proto:6;srcOutB ytes:0;dstOutBytes:0;infoex:__policy_id_tag-product=VPN-1 &

FireWall-1[db_tag={F914CCAD-7D6F-4DE4-B409-9476CA9DEA9E},mgmt=check point-mgmt,date=1119995290,policy_name=Main], TCP flags-FIN, Attack Info-TCP flags do not make sense;

6 “action: drop”

and “resource: ftp://”

Agile Audit Denied Connections, Rules/ Policies,FTP Connections <38>Jul 20 10:54:12 10.2.1.1 %CP: time:20Jul2004 11:39:20;action:drop;orig:10.2.1.1;i/f_dir:0;i/ f_name:1;src:209.46.4.251;s_port:1187;dst:10.0.0.143;service:21;proto:6;rule:6;res ource:ftp://10.0.0.143/qorusag ftp://10.0.0.143/qorusagakfgfg; 7 “action: drop” and “resource: http://”

Agile Audit Denied Connections, Rules/Policies, Web Surfing Activity <38>Jul 20 10:54:06 10.2.1.10 %CP: time:20Jul2004 11:39:29;action:accept;orig:10.2.1.10;i/f_dir:outbound;direction:2;i/ f_name:eth0;product:VPN-1 & FireWall-1;src:209.46.4.253;s_port:16182;dst:10.2.1.25;service:80;proto:6;ll_rule:7; rule:4;resource:http://10.2.1.25:80/;

8 “action: reject” Agile Audit Denied

Connections, Rules/Policies

<38>Dec 17 17:36:32 10.2.1.1 %CP: time:20Mar2003 14:50:57;action:reject;orig:10.2.1.1;i/f_dir:0;i/

f_name:1;src:24.163.248.194;s_port:50878;dst:209.46.4.250;service:6003;proto:6; rule:6;message_info:X11 is not allowed through service '* any'. To enable, create an earlier rule that explicitly allows X11.;packets:0;bytes:0;

9 “action: reject”

and “product: VPN-1& FireWall-1”

Agile Audit Security Events <38>Dec 17 17:36:32 10.2.1.1 %CP: time:20Mar2003 14:50:57;action:reject;orig:10.2.1.1;i/f_dir:0;i/

(23)

Check Point Management Station Log Configuration Guide 23

10 “action: reject”

and “product: SmartDefense”

Agile Audit Security Events <38>Dec 17 17:36:32 10.2.1.1 %CP: time:20Mar2003 14:50:57;action:reject;orig:10.2.1.1;i/f_dir:0;i/ f_name:1;src:24.163.248.194;s_port:50878;dst:209.46.4.250;service:6003;proto:6; rule:6;product:SmartDefense;attack:URL worm;packets:0;bytes:0; 11 “action: reject” and “resource: ftp://”

Agile Audit Denied Connections, Rules/Policies, FTP Connections <38>Dec 17 17:36:32 10.2.1.1 %CP: time:20Mar2003 14:50:57;action:reject;orig:10.2.1.1;i/f_dir:0;i/ f_name:1;src:24.163.248.194;s_port:50878;dst:209.46.4.250;service:6003;proto:6; rule:8;resource:ftp://10.0.0.200/qorusag ftp://10.0.0.200/qorusagakfgfg; 12 “action: reject” and “resource: http://”

Agile Audit Denied Connections, Rules/Policies, Web Surfing Activity <38>Dec 17 17:36:32 10.2.1.1 %CP: time:20Mar2003 14:50:57;action:reject;orig:10.2.1.1;i/f_dir:0;i/ f_name:1;src:24.163.248.194;s_port:50878;dst:209.46.4.250;service:6003;proto:6; rule:8;resource:resource:http://10.2.1.25:80/; 13 “action: reject” and “scheme::IKE”

Agile Audit User Access, User Authentication, User Last Activity, VPN Access, VPN Events <38>Aug 10 21:07:28 209.142.21.72 %CP: time:10Aug2005 21:09:08;action:reject;orig:209.142.21.72;i/f_dir:inbound;i/ f_name:daemon;alert:alert;src:209.142.21.76;dst:209.142.21.72;user:logtes;reason ::Client Encryption: Unknown user;scheme::IKE;reject_category:SecureClient authentication failure;srcOutBytes:0;dstOutBytes:0;infoex:alert-alert, user-logtes, reason:-Client Encryption: Unknown user, scheme::IKE,

reject_category-SecureClient authentication failure;

14 “action:ctl” and

“sys_msgs:secur ity policy installed/ uninstalled”

Agile Audit Security Events <38>Dec 17 17:36:32 10.2.1.1 %CP: time:18Mar2003 17:42:17;action:ctl;orig:10.2.1.1;i/f_dir:0;i/

f_name:4;has_accounting:0;uuid:<00000000,00000000,00000000,00000000>;sys _msgs:security policy uninstalled;

15 “action:ctl” and

“sys_msgs:xxx”

Agile Audit System Events <38>Dec 17 17:36:32 209.46.4.251 %CP: time:20Mar2003 14:23:58;action:ctl;orig:209.46.4.251;i/f_dir:0;i/

f_name:4;has_accounting:0;uuid:<00000000,00000000,00000000,00000000>;sys _msgs:started sending log to localhost;

16 “action: keyinst” Agile Audit User Access,

User Authentication, User Last Activity, Active VPN Connections, VPN Events

<38>Aug 4 13:48:12 209.142.21.72 %CP: time: 4Aug2005 12:50:22;action:keyinst;orig:209.142.21.72;i/f_dir:inbound;i/ f_name:daemon;src:209.142.21.72;dst:64.157.93.162;peer

gateway:Corporate;scheme::IKE;IKE::Informational Exchange Send Delete IPSEC-SA to Peer: 409d5da2; SPI:

accd87fa;CookieI:efaf2bde660ff67b;CookieR:b02f0f3df5f4e745;msgid:d333691b;c ommunity:loglogic;srcOutBytes:0;dstOutBytes:0;infoex:peer gateway-Corporate, scheme:-IKE, IKE:-Informational Exchange Send Delete IPSEC-SA to Peer: 409d5da2, SPI: accd87fa, CookieI-efaf2bde660ff67b, CookieR-b02f0f3df5f4e745, msgid-d333691b, community-loglogic;

17 “action: keyinst”

and “IKE:: Main Mode completion”

Agile Audit User Access, User Authentication, User Last Activity, Active VPN Connections, VPN Access, VPN Sessions, VPN Top Lists, VPN Events

<38>Aug 4 13:48:12 209.142.21.72 %CP: time: 4Aug2005 12:50:22;action:keyinst;orig:209.142.21.72;i/f_dir:inbound;i/ f_name:daemon;src:209.142.21.72;dst:64.157.93.162;peer gateway:Corporate;scheme::IKE;IKE::Main Mode

completion.;CookieI:efaf2bde660ff67b;CookieR:b02f0f3df5f4e745;methods::AES-2 56 + SHA1, Pre shared

secrets;community:loglogic;srcOutBytes:0;dstOutBytes:0;infoex:peer gateway-Corporate, scheme:-IKE, IKE:-Main Mode completion.,

CookieI-efaf2bde660ff67b, CookieR-b02f0f3df5f4e745, methods:-AES-256 + SHA1, Pre shared secrets, community-loglogic;

Event Type Agile/ Search Reports Event Category Reports Appears In

(24)

18 “action: encrypt” Agile Audit Accepted Connections, User Access, User Authentication, User Last Activity, Active VPN Connections, VPN Events

<38>Aug 4 13:48:09 209.142.21.72 %CP: time: 4Aug2005 12:50:19;action:encrypt;orig:209.142.21.72;i/f_dir:inbound;i/

f_name:eth-s2p1c0;product:VPN-1 & FireWall-1;__policy_id_tag:product=VPN-1 & FireWall-1[db_tag={490048AE-050C-11DA-9207-D18E1548C2C2};mgmt=Elohim;d ate=1123176128;policy_name=Standard];ICMP:Echo Request;src:192.168.9.5;dst:172.16.0.16;proto:1;ICMP Type:8;ICMP Code:0;rule:internal;scheme::IKE;dstkeyid:0x202d75b0;methods::ESP: AES-256 + SHA1;peer gateway:Corporate;community:loglogic;srcOutBytes:0;dstOutBytes:0;infoex:__polic y_id_tag-product=VPN-1 & FireWall-1[db_tag={490048AE-050C-11DA-9207-D18E1548C2C2},mgmt=Elohim,d ate=1123176128,policy_name=Standard], ICMP-Echo Request, ICMP Type-8, ICMP Code-0, scheme:-IKE, dstkeyid-0x202d75b0, methods:-ESP: AES-256 + SHA1, peer gateway-Corporate, community-loglogic;

19 “action: decrypt” Agile Audit Accepted Connections, User Access, User Authentication, User Last Activity, Active VPN Connections, VPN Events <38>Aug 10 21:07:05 209.142.21.72 %CP: time:10Aug2005 21:08:45;action:decrypt;orig:209.142.21.72;i/f_dir:inbound;direction:2;i/

f_name:eth-s3p1c0;product:VPN-1 & FireWall-1;__policy_id_tag:product=VPN-1 & FireWall-1[db_tag={41F13884-0A1B-11DA-8613-D18E15485C5C};mgmt=Elohim;d ate=1123732314;policy_name=Standard];src:172.16.2.1;s_port:1589;dst:209.142.2 1.72;service:18234;proto:17;xlatedst:192.168.8.1;xlatesport:0;xlatedport:0;NAT_rul enum:internal;NAT_addtnl_rulenum:internal;rule:internal;message_info:Implied rule;scheme::IKE;srckeyid:0xb137e7b7;methods::ESP: 3DES + SHA1;peer gateway:209.142.21.76;vpn_user:logtest;srcOutBytes:0;dstOutBytes:0;infoex:__po licy_id_tag-product=VPN-1 &

FireWall-1[db_tag={41F13884-0A1B-11DA-8613-D18E15485C5C},mgmt=Elohim,d ate=1123732314,policy_name=Standard], NAT_rulenum-internal,

NAT_addtnl_rulenum-internal, scheme:-IKE, srckeyid-0xb137e7b7, methods:-ESP: 3DE

20 “action:

authcrypt”

Agile Audit User Access, User Authentication, User Last Activity, VPN Access, Active VPN Connections, VPN Sessions, VPN Top Lists, VPN Events <38>Aug 10 21:06:40 209.142.21.72 %CP: time:10Aug2005 21:08:20;action:authcrypt;orig:209.142.21.72;i/f_dir:inbound;i/ f_name:daemon;src:209.142.21.76;dst:209.142.21.72;user:logtest;reason::Client Encryption: Authenticated by Internal

Password;scheme::IKE;methods::AES-256,IKE,SHA1;srcOutBytes:0;dstOutBytes: 0;infoex:user-logtest, reason:-Client Encryption: Authenticated by Internal Password, scheme:-IKE, methods:-AES-256,IKE,SHA1;

21 Create Object Agile CP Audit User Access,

User Last Activity

<109>Aug 19 08:24:07 10.116.28.209 %CP_AUDIT: time:20Aug2006 3:57:02;action:accept;orig:10.116.28.209;i/f_dir:outbound;i/ f_name:;has_accounting:0;product:SmartUpdate;ObjectName:the_contracts_flags; ObjectType:contracts_flags;ObjectTable:contracts;Operation:Create Object;Uid:{240F911C-B71F-47B7-B78B-3C16533BB29F};Administrator:SmartUpd ate;Machine:localhost;Subject:Object Manipulation;Operation Number:0;lea_ip:10.116.28.209;

22 Modify Object Agile CP Audit User Access,

User Last Activity

<109>Aug 19 08:35:22 10.116.28.209 %CP_AUDIT: time:20Aug2006 4:08:16;action:accept;orig:10.116.28.209;i/f_dir:outbound;i/

f_name:;has_accounting:0;product:SmartDashboard;ObjectName:Standard;Object Type:firewall_policy;ObjectTable:fw_policies;Operation:Modify

Object;Uid:{1F52940A-B7E9-403B-8032-96C4131AEE9A};Administrator:Admin;Ma chine:LL210;FieldsChanges:Rule 2: added 'security_rule' - ;Source: Any ;Destination: Any ;VPN: Any ;Service: Any ;Action: accept;Install On: Any ; ;;Subject:Object Manipulation;Operation Number:1;lea_ip:10.116.28.209; Event Type Agile/

Search Reports Event Category Reports Appears In

(25)

Check Point Management Station Log Configuration Guide 25

23 Rename Object Agile CP Audit User Access,

User Last Activity

<109>Aug 19 08:55:16 10.116.28.209 %CP_AUDIT: time:20Aug2006 4:28:10;action:accept;orig:10.116.28.209;i/f_dir:outbound;i/

f_name:;has_accounting:0;product:SmartDashboard;ObjectName:testuser1;Object Type:user;ObjectTable:users;Operation:Rename

Object;Uid:{6FD10146-F789-4B25-B8DD-D2F15206CF29};Administrator:Admin;M achine:LL210;FieldsChanges:Object name was changed from 'testuser' to 'testuser1' ;;Subject:Object Manipulation;Operation

Number:2;lea_ip:10.116.28.209;

24 Delete Object Agile CP Auditt User Access, User Last Activity

<109>Aug 20 06:20:33 10.116.28.209 %CP_AUDIT: time:21Aug2006 1:53:24;action:accept;orig:10.116.28.209;i/f_dir:outbound;i/ f_name:;has_accounting:0;product:SmartDashboard;ObjectName:Sec215;ObjectT ype:host_ckp;ObjectTable:network_objects;Operation:Delete Object;Uid:{F4E9274E-CD71-4901-B17B-5E98D1F0DE0E};Administrator:Admin;M achine:LL210;Subject:Object Manipulation;Operation Number:3;lea_ip:10.116.28.209;

25 Install Policy Agile CP Audit User Access,

User Last Activity

<109>Aug 19 07:18:55 10.116.28.209 %CP_AUDIT: time:20Aug2006 2:51:49;action:accept;orig:10.116.28.209;i/f_dir:outbound;i/

f_name:;has_accounting:0;product:Internal;ObjectName:California_GW;ObjectTyp e:firewall_application;ObjectTable:applications;Operation:Install

Policy;Uid:{6FD10146-F789-4B25-B8DD-D2F15206CF29};Administrator:fwadmin; Machine:Client2;Subject:Policy Installation;Audit Status:Success;Additional Info:Security Policy : Standard;Operation Number:7;lea_ip:10.116.28.209;

26 Uninstall Policy Agile CP Audit User Access, User Last Activity

<109>Aug 19 07:18:55 10.116.28.209 %CP_AUDIT: time:20Aug2006 2:51:49;action:accept;orig:10.116.28.209;i/f_dir:outbound;i/

f_name:;has_accounting:0;product:Internal;ObjectName:California_GW;ObjectTyp e:firewall_application;ObjectTable:applications;Operation:Uninstall

Policy;Uid:{6FD10146-F789-4B25-B8DD-D2F15206CF29};Administrator:fwadmin; Machine:Client2;Subject:Policy Installation;Audit Status:Success;Operation Number:8;lea_ip:10.116.28.209;

27 Log In | Agile | CP Audit | User Authentication, User Access, User Last Activity
   <109>Aug 19 06:59:37 10.116.28.209 %CP_AUDIT: time:20Aug2006 2:32:32;action:accept;orig:10.116.28.209;i/f_dir:outbound;i/f_name:;has_accounting:0;product:CPMI Client;Operation:Log In;Administrator:Admin;Machine:localhost;Subject:Administrator Login;Additional Info:Authentication method: Internal Password;Operation Number:10;lea_ip:10.116.28.209;

28 Log In | Agile | CP Audit | User Authentication, User Access, User Last Activity
   <109>Aug 19 07:18:55 10.116.28.209 %CP_AUDIT: time:20Aug2006 2:51:49;action:accept;orig:10.116.28.209;i/f_dir:outbound;i/f_name:;has_accounting:0;product:SmartView Tracker;Operation:Log In;Administrator:Admin;Machine:LL210;Subject:Administrator Login;Audit Status:Failure;Additional Info:Administrator failed to log in: Wrong Password;Operation Number:11;lea_ip:10.116.28.209;

29 Log Out | Agile | CP Audit | User Access
   <109>Aug 19 07:18:36 10.116.28.209 %CP_AUDIT: time:20Aug2006 2:51:31;action:accept;orig:10.116.28.209;i/f_dir:outbound;i/f_name:;has_accounting:0;product:SmartView Tracker;Operation:Log Out;Administrator:Admin;Machine:LL210;Subject:Administrator Login;Operation Number:12;lea_ip:10.116.28.209;

30 Initialize SIC Certificate | Agile | CP Audit | User Access, User Last Activity
   <109>Aug 20 04:10:05 10.116.28.209 %CP_AUDIT: time:20Aug2006 23:43:00;action:accept;orig:10.116.28.209;i/f_dir:outbound;i/f_name:;has_accounting:0;product:SmartDashboard;ObjectName:cpshared_application_Sec215;ObjectType:cpshared_application;ObjectTable:applications;Operation:Initialize SIC Certificate;Administrator:Admin;Machine:LL210;Subject:SIC Certificate;Operation Number:13;lea_ip:10.116.28.209;

Event Type | Agile/Search Reports | Event Category | Reports Appears In

31 Push SIC Certificate | Agile | CP Audit | User Access, User Last Activity
   <109>Aug 20 04:10:05 10.116.28.209 %CP_AUDIT: time:20Aug2006 23:43:00;action:accept;orig:10.116.28.209;i/f_dir:outbound;i/f_name:;has_accounting:0;product:SmartDashboard;ObjectName:cpshared_application_Sec215;ObjectType:cpshared_application;ObjectTable:applications;Operation:Push SIC Certificate;Administrator:Admin;Machine:LL210;Subject:SIC Certificate;Operation Number:14;lea_ip:10.116.28.209;

32 Revoke SIC Certificate | Agile | CP Audit | User Access, User Last Activity
   <109>Aug 20 04:32:02 10.116.28.209 %CP_AUDIT: time:21Aug2006 0:04:57;action:accept;orig:10.116.28.209;i/f_dir:outbound;i/f_name:;has_accounting:0;product:SmartDashboard;ObjectName:cpshared_application_Sec215;ObjectType:cpshared_application;ObjectTable:applications;Operation:Revoke SIC Certificate;Administrator:Admin;Machine:LL210;Subject:SIC Certificate;Operation Number:15;lea_ip:10.116.28.209;

33 Initialize User Registration Key | Agile | CP Audit | User Access, User Last Activity
   <109>Aug 19 08:30:30 10.116.28.209 %CP_AUDIT: time:20Aug2006 4:03:25;action:accept;orig:10.116.28.209;i/f_dir:outbound;i/f_name:;has_accounting:0;product:SmartDashboard;ObjectName:testuser;ObjectType:user;ObjectTable:users;Operation:Initialize User Registration Key;Administrator:Admin;Machine:LL210;Subject:User Certificate;Operation Number:16;lea_ip:10.116.28.209;

34 Disable User Registration Key | Agile | CP Audit | User Access, User Last Activity
   <109>Aug 19 08:30:37 10.116.28.209 %CP_AUDIT: time:20Aug2006 4:03:32;action:accept;orig:10.116.28.209;i/f_dir:outbound;i/f_name:;has_accounting:0;product:SmartDashboard;ObjectName:testuser;ObjectType:user;ObjectTable:users;Operation:Disable User Registration Key;Administrator:Admin;Machine:LL210;Subject:User Certificate;Operation Number:17;lea_ip:10.116.28.209;

35 Generate User Certificate | Agile | CP Audit | User Access, User Last Activity
   <109>Aug 19 08:28:19 10.116.28.209 %CP_AUDIT: time:20Aug2006 4:01:14;action:accept;orig:10.116.28.209;i/f_dir:outbound;i/f_name:;has_accounting:0;product:SmartDashboard;ObjectName:testuser;ObjectType:user;ObjectTable:users;Operation:Generate User Certificate;Administrator:Admin;Machine:LL210;Subject:User Certificate;Operation Number:18;lea_ip:10.116.28.209;

36 Revoke User Certificate | Agile | CP Audit | User Access, User Last Activity
   <109>Aug 19 08:30:24 10.116.28.209 %CP_AUDIT: time:20Aug2006 4:03:19;action:accept;orig:10.116.28.209;i/f_dir:outbound;i/f_name:;has_accounting:0;product:SmartDashboard;ObjectName:testuser;ObjectType:user;ObjectTable:users;Operation:Revoke User Certificate;Administrator:Admin;Machine:LL210;Subject:User Certificate;Operation Number:19;lea_ip:10.116.28.209;

37 Force Log Out | Agile | CP Audit | User Access
   <109>Aug 20 09:38:19 10.116.28.209 %CP_AUDIT: time:21Aug2006 5:11:14;action:accept;orig:10.116.28.209;i/f_dir:outbound;i/f_name:;has_accounting:0;product:SmartView Monitor;Operation:Force Log Out;Administrator:Admin;Machine:LL210;Subject:Administrator Login;Additional Info:Disconnect administrator 'Admin' using cpmi_client;Operation Number:21;lea_ip:10.116.28.209;

38 Revert to Version | Agile | CP Audit | User Access, User Last Activity
   <109>Aug 19 08:57:47 10.116.28.209 %CP_AUDIT: time:20Aug2006 4:30:29;action:accept;orig:10.116.28.209;i/f_dir:outbound;i/f_name:;has_accounting:0;product:SmartDashboard;ObjectName:Version 1;Operation:Revert to Version;Administrator:Admin;Machine:LL210;Subject:Revision Control;Additional Info:Version Name: test;Operation Number:22;lea_ip:10.116.28.209;

39 Create Version | Agile | CP Audit | User Access, User Last Activity
   <109>Aug 19 08:55:45 10.116.28.209 %CP_AUDIT: time:20Aug2006 4:28:39;action:accept;orig:10.116.28.209;i/f_dir:outbound;i/f_name:;has_accounting:0;product:SmartDashboard;ObjectName:Version 1;Operation:Create Version;Administrator:Admin;Machine:LL210;Subject:Revision Control;Additional Info:Version Name: test;Operation Number:23;lea_ip:10.116.28.209;

40 Delete Version | Agile | CP Audit | User Access, User Last Activity
   <109>Aug 19 09:01:42 10.116.28.209 %CP_AUDIT: time:20Aug2006 4:34:37;action:accept;orig:10.116.28.209;i/f_dir:outbound;i/f_name:;has_accounting:0;product:SmartDashboard;ObjectName:Version 1;Operation:Delete Version;Administrator:Admin;Machine:LL210;Subject:Revision Control;Additional Info:Version Name: test;Operation Number:24;lea_ip:10.116.28.209;

41 Synchronize Peer | Agile | CP Audit | User Access, User Last Activity
   <109>Aug 20 04:31:46 10.116.28.209 %CP_AUDIT: time:21Aug2006 0:04:41;action:accept;orig:10.116.28.209;i/f_dir:outbound;i/f_name:;has_accounting:0;product:SmartCenter Server;ObjectName:SERVER B;Operation:Synchronize Peer;Administrator:fwadmin;Machine:Client2;Subject:Management HA;Audit Status:Success;Additional Info:Type: automatic, event: MgmtSync;Operation Number:24;lea_ip:10.116.28.209;

42 Synchronize Peer | Agile | CP Audit | User Access, User Last Activity
   <109>Aug 20 04:31:46 10.116.28.209 %CP_AUDIT: time:21Aug2006 0:04:41;action:accept;orig:10.116.28.209;i/f_dir:outbound;i/f_name:;has_accounting:0;product:SmartCenter Server;ObjectName:SERVER B;Operation:Synchronize Peer;Administrator:fwadmin;Machine:Client2;Subject:Management HA;Audit Status:Failure;Additional Info:Type: automatic, event: SCS-SYNCH. Error: Synchronization is not allowed: No license. Peer's mode: standby, status: Lagging.;Operation Number:24;lea_ip:10.116.28.209;

43 Synchronize Peer | Agile | CP Audit | User Access, User Last Activity
   <109>Aug 20 04:31:46 10.116.28.209 %CP_AUDIT: time:21Aug2006 0:04:41;action:accept;orig:10.116.28.209;i/f_dir:outbound;i/f_name:;has_accounting:0;product:SmartCenter Server;ObjectName:SERVER B;Operation:Synchronize Peer;Administrator:fwadmin;Machine:Client2;Subject:Management HA;Audit Status:Incomplete;Additional Info:Type: automatic, xxx.;Operation Number:24;lea_ip:10.116.28.209;

44 Synchronize Peer | Agile | CP Audit | User Access, User Last Activity
   <109>Aug 20 04:31:46 10.116.28.209 %CP_AUDIT: time:21Aug2006 0:04:41;action:accept;orig:10.116.28.209;i/f_dir:outbound;i/f_name:;has_accounting:0;product:SmartDashboard;ObjectName:Secondary_Management;Operation:Synchronize Peer;Administrator:fwadmin;Machine:Client2;Subject:Management HA;Audit Status:Success;Additional Info:Type: manual. ICA DB initialization.;Operation Number:24;lea_ip:10.116.28.209;

45 Synchronize Peer | Agile | CP Audit | User Access, User Last Activity
   <109>Aug 19 07:18:55 10.116.28.209 %CP_AUDIT: time:20Aug2006 2:51:49;action:accept;orig:10.116.28.209;i/f_dir:outbound;i/f_name:;has_accounting:0;product:Internal;ObjectName:Primary_Management;Operation:Synchronized By Peer;Administrator:SmartCenter Server;Machine:localhost;Subject:Management HA;Audit Status:Success;Operation Number:25;lea_ip:10.116.28.209;

46 Synchronized by Peer | Agile | CP Audit | User Access, User Last Activity
   <109>Aug 19 07:18:55 10.116.28.209 %CP_AUDIT: time:20Aug2006 2:51:49;action:accept;orig:10.116.28.209;i/f_dir:outbound;i/f_name:;has_accounting:0;product:Internal;ObjectName:Primary_Management;Operation:Synchronized By Peer;Administrator:SmartCenter Server;Machine:localhost;Subject:Management HA;Audit Status:Success;Operation Number:25;lea_ip:10.116.28.209;

47 Change to Active | Agile | CP Audit | User Access, User Last Activity
   <109>Aug 19 07:18:55 10.116.28.209 %CP_AUDIT: time:20Aug2006 2:51:49;action:accept;orig:10.116.28.209;i/f_dir:outbound;i/f_name:;has_accounting:0;product:SmartDashboard;ObjectName:Primary_Management;Operation:Change to Active;Administrator:fwadmin;Machine:Client2;Subject:Management HA;Audit Status:Success;Operation Number:26;lea_ip:10.116.28.209;

48 Change to Standby | Agile | CP Audit | User Access, User Last Activity
   <109>Aug 19 07:18:55 10.116.28.209 %CP_AUDIT: time:20Aug2006 2:51:49;action:accept;orig:10.116.28.209;i/f_dir:outbound;i/f_name:;has_accounting:0;product:SmartDashboard;ObjectName:Primary_Management;Operation:Change to Standby;Administrator:fwadmin;Machine:Client2;Subject:Management HA;Audit Status:Success;Operation Number:27;lea_ip:10.116.28.209;

49 Detect Active Server | Agile | CP Audit | User Access, User Last Activity
   <109>Aug 19 07:18:55 10.116.28.209 %CP_AUDIT: time:20Aug2006 2:51:49;action:accept;orig:10.116.28.209;i/f_dir:outbound;i/f_name:;has_accounting:0;product:Internal;Operation:Detect Active Server;Administrator:SmartCenter Server;Machine:localhost;Subject:Management HA;Audit Status:Success;Additional Info:xxx;Operation Number:28;lea_ip:10.116.28.209;

50 Detect Active Server | Agile | CP Audit | User Access, User Last Activity
   <109>Aug 19 07:18:55 10.116.28.209 %CP_AUDIT: time:20Aug2006 2:51:49;action:accept;orig:10.116.28.209;i/f_dir:outbound;i/f_name:;has_accounting:0;product:Internal;Operation:Detect Active Server;Administrator:SmartCenter Server;Machine:localhost;Subject:Management HA;Audit Status:Failure;Additional Info:Multiple active management servers detected: Secondary_Management Primary_Management;Operation Number:28;lea_ip:10.116.28.209;

51 File Stored | Agile | CP Audit | User Access, User Last Activity
   <109>Aug 19 07:18:55 10.116.28.209 %CP_AUDIT: time:20Aug2006 2:51:49;action:accept;orig:10.116.28.209;i/f_dir:outbound;i/f_name:;has_accounting:0;product:SmartView Tracker;Operation:File Stored;Administrator:Admin;Machine:LL210;session_id:Eventia Analyzer Server;Subject:File Operation;Additional Info:sd_updates;Operation Number:32;lea_ip:10.116.28.209;

52 File Retrieved | Agile | CP Audit | User Access, User Last Activity
   <109>Aug 19 07:18:55 10.116.28.209 %CP_AUDIT: time:20Aug2006 2:51:49;action:accept;orig:10.116.28.209;i/f_dir:outbound;i/f_name:;has_accounting:0;product:SmartView Tracker;Operation:File Retrieved;Administrator:Admin;Machine:LL210;Subject:File Operation;Additional Info:sd_updates;Operation Number:33;lea_ip:10.116.28.209;

53 Install Module | Agile | CP Audit | User Access, User Last Activity
   <109>Jul 13 13:54:45 10.1.100.22 %CP_AUDIT: time:13Jul2007 13:54:43;action:accept;orig:10.1.100.22;i/f_dir:outbound;i/f_name:;has_accounting:0;product:SmartUpdate;ObjectName:logexpo;Operation:Install Module;Administartor:Admin;Machine:LL215;Subject:SmartUpdate Operation;Audit Status:Success;Operation Number:34;lea_ip:10.116.28.215;

54 Install Module | Agile | CP Audit | User Access, User Last Activity
   <109>Jul 13 13:54:45 10.1.100.22 %CP_AUDIT: time:13Jul2007 13:54:43;action:accept;orig:10.1.100.22;i/f_dir:outbound;i/f_name:;has_accounting:0;product:SmartUpdate;ObjectName:logexpo;Operation:Install Module;Administartor:Admin;Machine:LL215;Subject:SmartUpdate Operation;Audit Status:Failure;Operation Number:34;lea_ip:10.116.28.215;

55 Uninstall Module | Agile | CP Audit | User Access, User Last Activity
   <109>Jul 13 13:54:45 10.1.100.22 %CP_AUDIT: time:13Jul2007 13:54:43;action:accept;orig:10.1.100.22;i/f_dir:outbound;i/f_name:;has_accounting:0;product:SmartUpdate;ObjectName:logexpo;Operation:Uninstall Module;Administartor:Admin;Machine:LL215;Subject:SmartUpdate Operation;Audit Status:Success;Operation Number:35;lea_ip:10.116.28.215;

56 Uninstall Module | Agile | CP Audit | User Access, User Last Activity
   <109>Jul 13 13:54:45 10.1.100.22 %CP_AUDIT: time:13Jul2007 13:54:43;action:accept;orig:10.1.100.22;i/f_dir:outbound;i/f_name:;has_accounting:0;product:SmartUpdate;ObjectName:logexpo;Operation:Uninstall Module;Administartor:Admin;Machine:LL215;Subject:SmartUpdate Operation;Audit Status:Failure;Operation Number:35;lea_ip:10.116.28.215;

57 Set Session Description | Agile | CP Audit | User Access, User Last Activity
   <109>Jul 13 13:54:45 10.1.100.22 %CP_AUDIT: time:13Jul2007 13:54:43;action:accept;orig:10.1.100.22;i/f_dir:outbound;i/f_name:;has_accounting:0;product:Eventia Analyzer Server;Operation:Set Session Description;Administrator:localhost;Machine:share-cpmodule1;session_id:Eventia Analyzer Server;Subject:Administrator Login;Additional Info:Eventia Analyzer Server;Operation Number:48;lea_ip:10.1.100.22;

58 Log Export | Agile | CP Audit | User Access, User Last Activity
   <109>Aug 20 06:37:32 10.116.28.209 %CP_AUDIT: time:21Aug2006 2:10:27;action:accept;orig:10.116.28.209;i/f_dir:outbound;i/f_name:;has_accounting:0;product:SmartView Tracker;Operation:Log Export;Administrator:Admin;Machine:LL210;Subject:Logging;Additional Info:Audit file 'fw.adtlog' was exported to "C:\log.txt";Operation Number:49;lea_ip:10.116.28.209;

59 Log Switch | Agile | CP Audit | User Access, User Last Activity
   <109>Aug 20 06:37:32 10.116.28.209 %CP_AUDIT: time:21Aug2006 2:10:27;action:accept;orig:10.116.28.209;i/f_dir:outbound;i/f_name:;has_accounting:0;product:SmartView Tracker;Operation:Log Switch;Administrator:Admin;Machine:LL210;Subject:Logging;Additional Info:Active log file was switched to 'xxx.log';Operation Number:50;lea_ip:10.116.28.209;

60 Log Purge | Agile | CP Audit | User Access, User Last Activity
   <109>Aug 20 06:37:32 10.116.28.209 %CP_AUDIT: time:21Aug2006 2:10:27;action:accept;orig:10.116.28.209;i/f_dir:outbound;i/f_name:;has_accounting:0;product:SmartView Tracker;Operation:Log Purge;Administrator:Admin;Machine:LL210;Subject:Logging;Additional Info:Active log file was purged;Operation Number:51;lea_ip:10.116.28.209;

61 License Violation Detected | Agile | CP Audit | User Access, User Last Activity
   <109>Aug 19 08:35:22 10.116.28.209 %CP_AUDIT: time:20Aug2006 4:08:16;action:accept;orig:10.116.28.209;i/f_dir:outbound;i/f_name:;has_accounting:0;product:SmartDashboard;ObjectName:xxx;ObjectType:xxx;ObjectTable:xxx;Operation:License Violation Detected;Uid:xxx;Administrator:Admin;Machine:LL210;sesson_id:xxx;Subject:MDS Information;Audit Status:Success;Additional Info:xxx;Operation Number:x;lea_ip:10.116.28.209;

62 Schedule Log Export | Agile | CP Audit | User Access, User Last Activity
   <109>Aug 19 08:35:22 10.116.28.209 %CP_AUDIT: time:20Aug2006 4:08:16;action:accept;orig:10.116.28.209;i/f_dir:outbound;i/f_name:;has_accounting:0;product:SmartDashboard;ObjectName:xxx;ObjectType:xxx;ObjectTable:xxx;Operation:Schedule Log Export;Uid:xxx;Administrator:Admin;Machine:LL210;sesson_id:xxx;Subject:Logging;Audit Status:Success;Additional Info:xxx;Operation Number:x;lea_ip:10.116.28.209;

63 Schedule Log Export | Agile | CP Audit | User Access, User Last Activity
   <109>Aug 19 08:35:22 10.116.28.209 %CP_AUDIT: time:20Aug2006 4:08:16;action:accept;orig:10.116.28.209;i/f_dir:outbound;i/f_name:;has_accounting:0;product:SmartDashboard;ObjectName:xxx;ObjectType:xxx;ObjectTable:xxx;Operation:Schedule Log Export;Uid:xxx;Administrator:Admin;Machine:LL210;sesson_id:xxx;Subject:Logging;Audit Status:Failure;Additional Info:xxx;Operation Number:x;lea_ip:10.116.28.209;
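Every %CP_AUDIT message in this table has the same shape: a syslog header (`<PRI>Mon DD HH:MM:SS host %CP_AUDIT: `) followed by semicolon-separated `key:value` pairs, where the value may itself contain colons (the `time` field, `Additional Info`) and a field can be followed by a doubled `;;` (the `FieldsChanges` field in the Rename Object message). The following parser and tagger is an added example, not LogLogic's or Check Point's own code: it splits each segment on its first colon only, decodes the syslog PRI, and tags the events a reviewer would want to see first (failed administrator logins, policy installs, certificate operations, Management HA failures). The sample lines are copied from this table's own messages and labelled as constructed input; the tag names, the function names and the `summarize()` roll-up are this example's own assumptions, not LogLogic report definitions.

```python
"""Parse Check Point %CP_AUDIT syslog messages and tag the ones worth review.

Added example, not LogLogic's or Check Point's own code.  SAMPLE_LINES are
constructed from the messages listed in this guide's event table; the review
tags returned by classify() are this example's own categories, not LogLogic
report definitions.
"""
import re
from collections import Counter

# Syslog header as shown in the table: "<PRI>Mon DD HH:MM:SS host %CP_AUDIT: "
# followed by ';'-separated "key:value" pairs.
HEADER_RE = re.compile(
    r"^<(?P<pri>\d+)>(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) %CP_AUDIT: (?P<body>.*)$"
)


def parse_cp_audit(line):
    """Return the message as a dict, or None if it is not a %CP_AUDIT line.

    Values can contain ':' themselves ("time:20Aug2006 4:28:10",
    "Additional Info:Authentication method: Internal Password"), so each
    ';'-delimited segment is split on its first ':' only.  Empty segments,
    produced by the trailing ';' and by the ';;' after FieldsChanges, are skipped.
    """
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    pri = int(m.group("pri"))
    rec = {
        "facility": pri // 8,   # <109> -> facility 13 (log audit)
        "severity": pri % 8,    # <109> -> severity 5 (notice)
        "syslog_ts": m.group("ts"),
        "host": m.group("host"),
    }
    for seg in m.group("body").split(";"):
        key, sep, val = seg.partition(":")
        if not sep or not key.strip():
            continue                  # empty or malformed segment
        rec[key.strip()] = val.strip()
    return rec


def classify(rec):
    """Map one parsed record to a review tag (assumed categories)."""
    op = rec.get("Operation", "")
    status = rec.get("Audit Status", "")
    subject = rec.get("Subject", "")
    if subject == "Administrator Login" and status == "Failure":
        return "auth-failure"          # e.g. "Wrong Password" in Additional Info
    if op == "Force Log Out":
        return "session-terminated"
    if op in ("Install Policy", "Uninstall Policy"):
        return "policy-change"
    if subject in ("SIC Certificate", "User Certificate"):
        return "certificate-change"
    if subject == "Management HA" and status and status != "Success":
        return "ha-problem"            # failed/incomplete sync, two active servers
    if subject == "Logging":
        return "log-management"        # log export, switch, purge
    return "other"


def summarize(lines):
    """Count (Administrator, tag) pairs over a batch of raw syslog lines."""
    counts = Counter()
    for line in lines:
        rec = parse_cp_audit(line)
        if rec is not None:
            counts[(rec.get("Administrator", "?"), classify(rec))] += 1
    return counts


# Constructed sample input: messages from the event table above (rows 28, 25, 32, 50, 23).
SAMPLE_LINES = [
    "<109>Aug 19 07:18:55 10.116.28.209 %CP_AUDIT: time:20Aug2006 2:51:49;action:accept;orig:10.116.28.209;i/f_dir:outbound;i/f_name:;has_accounting:0;product:SmartView Tracker;Operation:Log In;Administrator:Admin;Machine:LL210;Subject:Administrator Login;Audit Status:Failure;Additional Info:Administrator failed to log in: Wrong Password;Operation Number:11;lea_ip:10.116.28.209;",
    "<109>Aug 19 07:18:55 10.116.28.209 %CP_AUDIT: time:20Aug2006 2:51:49;action:accept;orig:10.116.28.209;i/f_dir:outbound;i/f_name:;has_accounting:0;product:Internal;ObjectName:California_GW;ObjectType:firewall_application;ObjectTable:applications;Operation:Install Policy;Uid:{6FD10146-F789-4B25-B8DD-D2F15206CF29};Administrator:fwadmin;Machine:Client2;Subject:Policy Installation;Audit Status:Success;Additional Info:Security Policy : Standard;Operation Number:7;lea_ip:10.116.28.209;",
    "<109>Aug 20 04:32:02 10.116.28.209 %CP_AUDIT: time:21Aug2006 0:04:57;action:accept;orig:10.116.28.209;i/f_dir:outbound;i/f_name:;has_accounting:0;product:SmartDashboard;ObjectName:cpshared_application_Sec215;ObjectType:cpshared_application;ObjectTable:applications;Operation:Revoke SIC Certificate;Administrator:Admin;Machine:LL210;Subject:SIC Certificate;Operation Number:15;lea_ip:10.116.28.209;",
    "<109>Aug 19 07:18:55 10.116.28.209 %CP_AUDIT: time:20Aug2006 2:51:49;action:accept;orig:10.116.28.209;i/f_dir:outbound;i/f_name:;has_accounting:0;product:Internal;Operation:Detect Active Server;Administrator:SmartCenter Server;Machine:localhost;Subject:Management HA;Audit Status:Failure;Additional Info:Multiple active management servers detected: Secondary_Management Primary_Management;Operation Number:28;lea_ip:10.116.28.209;",
    "<109>Aug 19 08:55:16 10.116.28.209 %CP_AUDIT: time:20Aug2006 4:28:10;action:accept;orig:10.116.28.209;i/f_dir:outbound;i/f_name:;has_accounting:0;product:SmartDashboard;ObjectName:testuser1;ObjectType:user;ObjectTable:users;Operation:Rename Object;Uid:{6FD10146-F789-4B25-B8DD-D2F15206CF29};Administrator:Admin;Machine:LL210;FieldsChanges:Object name was changed from 'testuser' to 'testuser1' ;;Subject:Object Manipulation;Operation Number:2;lea_ip:10.116.28.209;",
]

if __name__ == "__main__":
    for (admin, tag), n in sorted(summarize(SAMPLE_LINES).items()):
        print(f"{admin:18s} {tag:20s} {n}")
```

Two caveats a practitioner hits immediately with this format: `i/f_name:` legitimately carries an empty value, so a parser must keep empty values rather than treat them as errors; and the SmartUpdate rows (53 to 56) spell the administrator field `Administartor`, so a `summarize()` keyed on `Administrator` files those events under `?` unless the key is normalised first.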
