Integrate Splunk with Checkpoint Server

For integrating Splunk with Checkpoint Log server we require the following pre-requisites to be installed/configured.

  • Working Splunk Setup
  • Splunk Add On For Checkpoint Opsec LEA Application Installed On Splunk
  • Pam libraries, GCC dependencies installed on the linux distro on which splunk in installed.
  • Working Checkpoint Management/Log Server and access to Smart Dashboard.
  • Working Communication between the Management/Log Server and Splunk Server

Lets start with installing the Splunk Add On For Checkpoint Opsec LEA Application on the Splunk server.

Download the application and s tore it in a location on your computer.

https://splunkbase.splunk.com/app/1454/

Login to splunk server web interface.

Capture1

Go to Apps section and click on Install app from file, browse to the file which we downloaded earlier and click open.

Capture2
Capture3

Once the application is installed Splunk service has to be restarted, click on Restart Splunk.

Capture4

Post restart you can see the application installed and you can proceed with integration of your management with Splunk.

Capture4

Post restart you can see the application installed and you can proceed with integration of your management with Splunk.

Capture5

Open Smartdashboard to Checkpoint Management Server.

Capture6

Once Dashboard is open Go to Manage–> Click On Servers And OPSEC Applications.

Capture25

Create a New OPSEC Application for the Splunk Server.

Capture7

Provide a Name to the Splunk Server application. Create a new host to represent the Splunk Server’s IP Address. Click On New.

Capture8

Provide a Name for the Splunk Server and also add the Splunk Server’s IP Address in the Host General Properties Page.

Capture9

Once the host is created it should show up in the Host Section of the OPSEC application. Select Client Entity as LEA.

Capture10

For creating trust between the Management Server and Splunk Server we need to initialize SIC. Click on Communication tab.

Give a SIC key, you need to remember this key which will be used when we pull the SIC certificate on the Splunk Server.

Capture11

Click On initialize. You should be able to see Trust State as initialized But Trust Not Established.

Capture12

We need to also copy the SIC DN name of the Checkpoint Management Server and The Splunk Server.

For this Double Click on the Checkpoint Management Server and from the general properties page click on Test SIC Status.

Capture13

In the SIC Status Page Copy the DN name entry and save it in notepad or other edi tor this will be used later.

Capture14

Open the Splunk OPSEC Application and In the Communication Section you can see the DN for the Splunk LEA Server. Copy this and save it, this will also be used later.

Capture15

Post this Install Database on the Management Server Go To File–> Policy–> Install Database.

Select the management server and click Ok. Once Done you should be able to see below message.

Capture16
Capture26

Now we need to pull the certificate from Checkpoint management server on the Splunk Server.

Before this we need to install 2 dependencies which are crucial for getting the certificate from the management server.

Login to the Linux distro on which you have installed Splunk and install the following dependencies.

glibc.i686

pam.i686

libgcc.x86_64

pam.x86_64

Since my Splunk was installed on CentOS, below is the procedure to install these dependencies.

yum install glibc.i686

yum install pam.i686

The second command “yum install pam.i686” will not work directly. You need to install Pam 64 bit libraries and then install the 32 bit libraries. Add the below command and then run the same command again for installing these dependencies.

yum upgrade libgcc.x86_64 pam.x86_64

yum install pam.i686

Once these dependencies are install go to /opt/splunk/etc/apps/Splunk_TA_opseclea_linux22/bin direc tory.

You should be able to see pull-cert.sh script.

Run the command to generate the certificate.

./pull-cert.sh

Capture24

Once done we need to configure the connection on Splunk Server. Click on the New Connection tab on the Checkpoint OPSEC LEA page.

Capture17

Provide the Connection name, IP Address, Port Number and Click Next.

Important: Though not displayed in below screenshot. You may want to enable checkboxes for No-Resolve Mode and Online Mode. This will make sure your searches run faster and you have almost real-time data.

Capture18

Select the Certificate From the drop down this will be the same Certificate which we generated earlier. Click Next.

Capture19

Provide the SIC name and the Management SIC Name which we had copied earlier. The SIC Name is the SIC DN of the Splunk Lea created in Dashboard and Entity SIC Name is the SIC DN of the Management Server.

Capture20

Click Next for completing the configuration. Post this you should be able to see the connection in the list.

Capture21

For verifying the events are getting fetched you can go to Search & Reporting and check the number of events fetched.

Capture22

You can also filter the events by providing a keyword as shown below.

Capture23

Please feel free to add any comments or suggestion you may have.

Author: Tausif Khaleel

NOTE: You may see many Check Point fields as confidential in Splunk search. To fix this issue please follow the steps below.

  1. Open Smart Dashboard. Go to OPEC Splunk object. Then click on LEA Permissions.
    Here you need to Change “Permission to read logs” to Show all log fields. By default this is set to “Hide all confidential log fields”.
  2. Install Database and Push policy
  3. reboot Check Point management server.

Views: 80

Discover the best Infosec Products to secure your business.

Creates a Cyber strategy for Infrastructure and helps them to grow and overcome challenges.