Monday, February 2, 2015

McAfee ESM and Checkpoint Data Source Configuration Guide

This is a guest post courtesy of Naomi Rampersad
https://www.linkedin.com/pub/naomi-rampersad/2/2a7/359

Lab Environment Details:

McAfee SIEM
Using McAfee ENMELM_VM4_250 (all-in-one VM deployment containing a single ESM, a single Receiver and an ELM).
Version = 9.4.0
Hostname = McAfee-ENMELM-VM4
IP address = 172.31.254.101/24 (shared by ESM/ELM and Receiver)
Gateway = 172.31.254.1
DNS = 8.8.8.8/4.4.4.4

Checkpoint – GAIA R77.20
MDM – 172.31.254.111
CMA-1 – 172.31.254.112
CMA-2 – 172.31.254.113
MLM – 172.31.254.115
CLM11 – 172.31.254.221
CLM22 – 172.31.254.222
Gw-1 – 172.31.254.118
Gw-2 – 172.31.254.119
Default Gateway – 172.31.254.1

Create an OPSEC Application on CMA-1
1. Log in to the Check Point user interface.
2. Expand the OPSEC Applications tree node and right-click on the OPSEC Application category.
3. Select “New OPSEC Application”.
4. Enter a name for the OPSEC Application (lab value: SIEM_East).
5. In the “Host” field, select the network object that represents the McAfee Event Receiver. If the object does not exist, create one by clicking the “New” button and entering the IP of the Receiver (lab value: 172.31.254.101).
6. Leave the “Vendor” field as the default selection, “User Defined”.
7. Select the “LEA” checkbox in the “Client Entries” section.
8. Click on the “Communication” button, located near the bottom of the dialog.
9. Enter and confirm your one-time password (lab value: abc123).
10. Click the “Initialize” button. This initializes the certificate and you will see the message “Initialized but trust not established.”
11. Close the “Communication” dialog.
12. Click “OK” on the OPSEC Application Process dialog.
13. Perform an Install DB on both CMA-1 and CLM11.

NO CHANGES WERE MADE TO $FWDIR/conf/fwopsec.conf OR $CPDIR/conf/sic_policy.conf ANYWHERE (MDM/CMA or MLM/CLM).

On CMA-1

On CLM11

On McAfee ESM
Create the Check Point data sources in a parent-child relationship: create the primary CMA as the parent data source, then add the CLM as a child of the primary CMA data source.
Data Source Creation
After successfully logging into the McAfee ESM console, the data source needs to be added to a McAfee Receiver in the ESM hierarchy.
1. Select the Receiver you are applying the data source setting to.
2. Select Receiver properties.
3. From the Receiver Properties listing, select “Data Sources”.
4. Select “Add Data Source”.
OR
1. Select the Receiver you are applying the data source setting to.
2. After selecting the Receiver, select the “Add Data Source” icon.
Parent Data Source Screen Settings
1. Data Source Vendor – Check Point
2. Data Source Model – Check Point (ASP)
3. Data Format – Default
4. Data Retrieval – Default
5. Name – user-defined name of the CMA (lab value: CMA-1_Management_Server).
6. IP Address – the IP address of the CMA (lab value: 172.31.254.112).
7. Event Collection Type – Select Audit and Log events.
8. Port – 18184 (Default)
Steps 9-12 are only needed if authentication and/or encryption are being used.
9. Use Authentication – checked
10. Application Name – name of the OPSEC Application object created in Check Point (lab value: SIEM_East).
11. Activation Key – the SIC one-time password entered when the OPSEC Application was initialized (lab value: abc123).
12. Use Encryption – checked
13. Options – Advanced settings; leave at the default (Auto detect) unless you have connection issues.
14. Connect – Tests the connection to the OPSEC LEA service and pulls the certificate. Should be successful.

After the parent is successfully added, create the child data source for the CLM.
1. Select the parent data source from the Receiver Properties Data Sources screen.
2. Select “Add Child Data Source”.
OR
1. Select the parent data source from the device tree.
2. Select the “Add Data Source” icon.
Child Data Source Screen Settings (Log Server / CLM)
1. Name – user-defined name of the CLM (lab value: CLM11).
2. IP Address – IP address of the CLM (lab value: 172.31.254.221).
3. Device Type – Log Server / CLM
4. Event Collection Type – Select Audit and Log events.
5. Parent Report Console – the user-defined name of the CMA that manages the CLM. Selected automatically (lab value: CMA-1_Management_Server).
6. Distinguished Name – the SIC DN of the CLM, found with “grep sic_name $FWDIR/conf/objects_5_0.C” on the CMA; the Receiver checks the CLM's certificate against this DN when it connects.
7. Connect – Tests the connection. Should be successful.

Add Checkpoint CMA-1 as a Parent Data Source

Receiving logs from the CMA

SSH to the MDM.
Enter expert mode and set the mdsenv for the CMA.
Run “grep sic_name $FWDIR/conf/objects_5_0.C”.
This shows all DNs. Find the correct one for the CLM.
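The grep above prints every sic_name in objects_5_0.C but not which object each DN belongs to, so on a multi-domain box with many objects the CLM's entry is easy to misread. The script below is an added example (not part of the original post, nor a Check Point or McAfee tool) that pairs each object name with its DN and lets you ask for one object by name. It runs against a constructed objects_5_0.C fragment using the lab object names (CMA-1, CLM11, SIEM_East); the file layout it assumes (an object header “: (Name” followed by “:key (value)” attribute lines) is taken from that fragment, and the DN values are made up.

```shell
#!/bin/sh
# Added example, not part of the original post. Pairs each object name in an
# objects_5_0.C-style file with its sic_name DN so the CLM's DN can be picked
# out by name instead of by reading raw grep output. Assumes the layout of the
# constructed sample written by write_sample_objects (object header ": (Name",
# attribute lines ":key (value)"); the DNs below are made up for the example.

# Print "object_name<TAB>DN" for every object that carries a sic_name.
find_sic_dns() {
    # $1 = path to an objects_5_0.C-style file
    awk '
        # Object header, e.g. "    : (CLM11". Anonymous list elements look like
        # "    : (" with no name; those do not replace the current object name.
        /^[[:space:]]*: \(/ {
            n = $0
            sub(/^[[:space:]]*: \(/, "", n)
            sub(/[[:space:]]*$/, "", n)
            if (n != "") name = n
        }
        # Attribute line, e.g. :sic_name ("CN=CLM11,O=MDM-1..f00d42")
        /^[[:space:]]*:sic_name \(/ {
            dn = $0
            sub(/^[[:space:]]*:sic_name \(/, "", dn)
            sub(/\)[[:space:]]*$/, "", dn)
            gsub("\"", "", dn)
            print name "\t" dn
        }
    ' "$1"
}

# Print only the DN for object name $1 from file $2; prints nothing if absent.
sic_dn_for() {
    tab=$(printf '\t')
    find_sic_dns "$2" | awk -F "$tab" -v want="$1" '$1 == want { print $2 }'
}

# Write a constructed objects_5_0.C fragment (lab object names, made-up DNs) to $1.
write_sample_objects() {
    cat > "$1" <<'EOF'
(
    :network_objects (
        : (CMA-1
            :AdminInfo (
                :chkpf_uid ("{CONSTRUCTED-UID-0001}")
                :ClassName (host_ckp)
            )
            :ipaddr (172.31.254.112)
            :sic_name ("CN=cp_mgmt,O=CMA-1..c0ffee")
        )
        : (CLM11
            :AdminInfo (
                :chkpf_uid ("{CONSTRUCTED-UID-0002}")
                :ClassName (host_ckp)
            )
            :interfaces (
                : (
                    :ipaddr (172.31.254.221)
                )
            )
            :ipaddr (172.31.254.221)
            :sic_name ("CN=CLM11,O=MDM-1..f00d42")
        )
        : (SIEM_East
            :AdminInfo (
                :ClassName (opsec_application)
            )
            :sic_name ("CN=SIEM_East,O=MDM-1..f00d42")
        )
    )
)
EOF
}

# Usage on the CMA (after mdsenv): sh find_sic_dn.sh CLM11 "$FWDIR/conf/objects_5_0.C"
if [ "$#" -ge 2 ]; then
    sic_dn_for "$1" "$2"
fi
```

The value printed for CLM11 is what goes into the “Distinguished Name” field of the child data source; compare it with the output of the plain grep to confirm you picked the CLM's entry rather than the CMA's or the OPSEC application's.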

Add Checkpoint CLM11 as a Child Data Source

Receiving logs from the CLM

COMPLETED THE SAME AS ABOVE FOR CMA-2 AND CLM22 AS SEPARATE CHECKPOINT DATA SOURCES ON THE SAME RECEIVER.

Thanks very much to Naomi for this contribution post.
Hope you enjoyed it!