Symantec Event Collector For Check Point VPN-1/Firewall

Contents

1. - If you are using Check Point VPN-1/FireWall-1 FP3, open the Check Point SmartDashboard.
   [Installing Symantec Event Collector for Check Point VPN-1/FireWall-1, page 25: Before installing]
   2. Do one of the following:
      - Ensure that you have an implied policy rule that lets all traffic that originates from the firewall computer pass. To do this, display the Global Properties window. Verify that the Accept outgoing packets originating from gateway check box is checked. By default, this option is enabled.
      - Create an explicit rule that lets traffic pass from the Symantec Event Collector for Check Point to the SESA Manager.
   3. If you create an explicit rule, ensure that Tracking is set to None for the rule. To prevent recursive log messages, traffic between the Symantec Event Collector for Check Point and its SESA Manager must not be logged to the Check Point Log Server that the Symantec Event Collector for Check Point is monitoring. This includes the machine on which the Symantec Event Collector for Check Point is installed, as well as any firewall in the network path to the SESA Manager. If such traffic were logged, each Check Point log message would cause the Symantec Event Collector for Check Point to log a SESA event, which in turn would cause a Check Point log message.
   Configuring the LEA port for use by the Symantec Event Collector for Check Point
   You should configure the LEA port so that the Symantec Event Collector for Check Point can a
2. If you want to uninstall the Symantec Event Collector for Check Point VPN-1/FireWall-1, you uninstall both the Symantec Event Collector for Check Point software and the Symantec Event Manager for Firewall software. The uninstall process reverses the order of the install process, so you uninstall the Symantec Event Collector for Check Point first.
   Uninstalling the Symantec Event Collector for Check Point
   You uninstall the Symantec Event Collector for Check Point using the Microsoft Windows Add/Remove Programs feature. After you uninstall, the Symantec Event Collector for Check Point VPN-1/FireWall-1 service is removed from the Windows Services window (service control manager).
   To uninstall the Symantec Event Collector for Check Point
   1. On the Check Point Log Server, on the Windows taskbar, click Start > Settings > Control Panel.
   2. In the Control Panel window, double-click Add/Remove Programs.
   3. In the Add/Remove Programs dialog box, click Symantec Event Collector for Check Point VPN-1/FireWall-1, then click Remove.
   4. When you are prompted to remove Symantec Event Collector for Check Point VPN-1/FireWall-1 from your computer, click Yes. Symantec Event Collector for Check Point VPN-1/FireWall-1 is removed from the Add/Remove Programs dialog box, indicating that the Symantec Event Collector for Check Point is removed.
   Uninstalling Symantec
3. Server. See "SESA Manager computer prerequisites" on page 23 and "Check Point Log Server prerequisites" on page 24.
   On the SESA Manager, install the Symantec Event Collector for Check Point SESA integration components. These extend SESA functionality to use the Symantec Event Collector for Check Point event data by providing the Firewall Event Family reports and Check Point-specific reports that let you view and manage Check Point events in SESA. See "Installing Symantec Event Manager for Firewall SESA integration components" on page 27. See "Installing Symantec Event Collector for Check Point SESA integration components" on page 27.
   On the Check Point Log Server, which is usually the Check Point Management Server, install the following components:
   - Java Runtime Environment (JRE) version 1.3.1_02. The JRE is required to install the SESA Agent component of the Symantec Event Manager for Firewall. See "Installing the Java Runtime Environment" on page 29.
   - Symantec Event Manager for Firewall. The Symantec Event Manager for Firewall includes the SESA Agent that forwards events to the SESA Manager. See "Installing the Symantec Event Manager for Firewall and SESA Agent" on page 30.
   - Symantec Event Collector for Check Point VPN-1/FireWall-1. The Symantec Event Collector for Check Point collects events from the Check Point log files and formats them for SESA. See "Installing Symantec Event Collector
4. U.S. GOVERNMENT RESTRICTED RIGHTS. RESTRICTED RIGHTS LEGEND. All Symantec products and documentation are commercial in nature. The software and software documentation are "Commercial Items," as that term is defined in 48 C.F.R. section 2.101, consisting of "Commercial Computer Software" and "Commercial Computer Software Documentation," as such terms are defined in 48 C.F.R. section 252.227-7014(a)(5) and 48 C.F.R. section 252.227-7014(a)(1), and used in 48 C.F.R. section 12.212 and 48 C.F.R. section 227.7202, as applicable. Consistent with 48 C.F.R. section 12.212, 48 C.F.R. section 252.227-7015, 48 C.F.R. section 227.7202 through 227.7202-4, 48 C.F.R. section 52.227-14, and other relevant sections of the Code of Federal Regulations, as applicable, Symantec's computer software and computer software documentation are licensed to United States Government end users with only those rights as granted to all other end users, according to the terms and conditions contained in this license agreement. Manufacturer is Symantec Corporation, 20330 Stevens Creek Blvd., Cupertino, CA 95014, United States of America.
   6. EXPORT REGULATION. Export/re-export of this Software is governed by the laws and regulations of the United States and import laws and regulations of certain other countries. Export or re-export of Software to any entity on the Denied Parties List and other lists promulgated by various agencies of the United States Federal Government is strictly
5. [Screenshot: SESA Console report view. The left pane lists report folders and reports, including "Service usage (Kilobytes) by user", "Most active Web users (last 24 hours)", "Symantec Security Gateways", "Symantec Event Collector for Check Point", and "All Check Point alerts". The right pane shows rows of Informational "Connection Accepted" events from host sebulba for the domain-udp service. Footer: Total rows 8,736; Viewing 1-26.]
   Customizing firewall event reports
   In addition to the reports in the Firewall Event Family and the Symantec Event Collector for Check Point VPN-1/FireWall-1 folder, you can create customized event reports that display data that is of interest to your organization. For example, to create a report that shows all connection attempts for a specific address, you can display the All Firewall Events report and add a filter that focuses the report on the address that you are interested in. For more information, see the section on creating custom reports in the Symantec Enterprise Security Architecture Administrator's Guide.
   Configurin
6. Collector for Check Point collects and sends data to SESA.
   [Figure labels: Check Point VPN-1/FireWall-1; Check Point Log Server; Symantec Event Manager for Firewall; Symantec Event Collector for Check Point; SESA Foundation (prerequisite: DataStore, Directory); Check Point firewall event report in SESA Console.]
   How the Symantec Event Collector for Check Point works
   How the Symantec Event Collector for Check Point retrieves data
   The Symantec Event Collector for Check Point VPN-1/FireWall-1 uses two services to forward firewall event information to the SESA Manager: the Symantec Event Collector for Check Point itself and the SESA Agent. Both services run on the Check Point Log Server, which is the machine to which your Check Point firewalls forward events. In many cases, the Check Point Log Server is also the Check Point Management Server.
   The Symantec Event Collector for Check Point waits for new log messages that arrive by way of Check Point's Log Export API (LEA). The LEA enables the Symantec Event Collector for Check Point to receive log data generated by Check Point's VPN-1/FireWall-1 product. Because the Check Point Log Server can collect log messages from one or many Check Point security gateways, firewall log messages forwarded to SESA by the Symantec Event Collector for Check Point can originate from many end machines. The SESA Agent securely logs
7. Event Collector for Check Point VPN-1/FireWall-1
   About the Symantec Event Collector for Check Point ... 10
   About Symantec Enterprise Security Architecture ... 10
   Symantec Event Collector for Check Point components ... 11
   How the Symantec Event Collector for Check Point works ... 12
   How the Symantec Event Collector for Check Point retrieves data ... 14
   How the Symantec Event Collector for Check Point processes data ... 14
   How firewall events are mapped from Check Point ... 15
   Events processed by the Symantec Event Collector for Check Point ... 15
   What the Symantec Event Collector for Check Point CD contains ... 17
   Installing Symantec Event Collector for Check Point VPN-1/FireWall-1
   About installation ... 20
   System prerequisites and set up ... 22
   Before installing ... 23
   SESA Manager computer prerequisites ... 23
   Check Point Log Server prerequisites ... 24
   SESA Data Store ... 26
   Installing the SESA integration components ... 26
   Installing Symantec Event Manager for Firewall SESA integration components
8. Event Manager for Firewall
   You uninstall Symantec Event Manager for Firewall using the Microsoft Windows Add/Remove Programs feature. Uninstalling Symantec Event Manager for Firewall also removes the SESA Agent if no other products on the Check Point Log Server are using it. After you uninstall, the SESA AgentStart service is removed from the Windows Services window (service control manager).
   To uninstall Symantec Event Manager for Firewall
   1. On the Check Point Log Server, on the Windows taskbar, click Start > Settings > Control Panel.
   2. In the Control Panel window, double-click Add/Remove Programs.
   3. In the Add/Remove Programs dialog box, click Symantec Event Manager for Firewall, then click Remove.
   4. When you are prompted to remove Symantec Event Manager for Firewall from your computer, click Yes. Symantec Event Manager for Firewall is removed from the Add/Remove Programs dialog box, indicating that the Event Manager is removed.
   Chapter 3: Using the Symantec Event Collector for Check Point VPN-1/FireWall-1
   This chapter includes the following topics:
   - Viewing reports installed for the Symantec Event Collector for Check Point
   - Customizing firewall event reports
   - Configuring Check Point for Symantec Event Collector for Check Point logging
   - Customizing the SESA Agent configuration
   Viewing reports installed for the Symantec Event Collector f
9. Point. If you do not see ProdID 3030, reinstall the Symantec Event Collector for Check Point VPN-1/FireWall-1 SESA integration components.
   Confirming Symantec Event Collector for Check Point operation
   You can confirm Symantec Event Collector for Check Point operation by checking that the proper services are running and that there are no error messages in the application log file.
   To confirm Symantec Event Collector for Check Point operation
   1. On the Check Point Log Server, select Start > Settings > Control Panel > Administrative Tools > Services.
   2. In the Services window, verify that the following services are running:
      - Symantec Event Collector for Check Point VPN-1/FireWall-1
      - SESA AgentStart Service
      If these services are not running, uninstall and reinstall the Symantec Event Manager for Firewall and Symantec Event Collector for Check Point VPN-1/FireWall-1.
   3. Close the Services window.
   4. Select Event Viewer.
   5. In the Event Viewer, examine the Windows Application Log for failure events from the Symantec Event Collector for Check Point VPN-1/FireWall-1. If you see only success events, the Symantec Event Collector for Check Point is working properly and the problem probably exists elsewhere. If you see failure events, contact Symantec support.
   6. Close the Event Viewer and the Administrative Tools windows.
   Uninstalling
10. a Check Point alert. When the Check Point software issues a log message as an alert, the Symantec Event Collector for Check Point prioritizes it as a warning and includes the alert type in the Alert Type field. In the SESA Console, you can filter reports that are based on these events.
   5. Additional logging options are available for various features in the Log and Alert tab of the Global Properties window.
   Customizing the SESA Agent configuration
   The SESA Agent uses default logging parameters that are appropriate for most event collection circumstances. However, in extreme situations, the Symantec Event Collector for Check Point can overrun the SESA Agent's ability to flush events to the SESA Manager. The recommendations in this section provide for maximum event throughput from the Symantec Event Collector for Check Point to the SESA Manager. They allow the SESA Agent to queue up as many firewall events as possible.
   You adjust SESA Agent parameters from the Configuration view tab of the SESA Console. For more information, see the section on configuring products in the Symantec Enterprise Security Architecture Administrator's Guide.
   For the best performance and reliability, use the Configurations view tab of the SESA Console to change the configuration parameters for the SESA Agent, as described in Table 3-2.
   To customize
11. integration.
   To use the Symantec Event Collector for Check Point VPN-1/FireWall-1, you install components on the following computers:
   - The SESA Manager to which the Check Point firewall events are forwarded. Note: SESA Foundation Pack 1.1 must be installed on the SESA Manager before you begin installing the Symantec Event Collector for Check Point.
   - The Check Point Log Server that collects Check Point VPN-1/FireWall-1 log messages.
   Figure 2-1 shows the components that you install and where you install them.
   Figure 2-1 Symantec Event Collector for Check Point components
   [Figure labels: Check Point Management Server; SESA Directory; SmartCenter Server; Windows 2000 (prerequisite); Symantec Event Manager for Firewall (prerequisite); Check Point Log Server; SESA integration components; Symantec Event Collector for Check Point; Java Runtime Environment (prerequisite). This figure assumes that the Check Point Log Server is installed on the Check Point Management Server.]
   Complete the installation in the following order:
   1. Ensure connectivity between the SESA Manager and the Check Point Log
12. [Screenshot: SESA Console report view, dated Apr 8 2003 22:35. The right pane shows rows of Informational "Connection Accepted" and "Connection Dropped" events from host sebulba for the domain-udp and https services. The left pane lists reports: Denied connections by firewall; Denied connections by source; Denied connections by service; All authentication failures; Firewall connection statistics; Firewall traffic (Megabytes) last 30 days; Firewall traffic (Kilobytes) by firewall; Firewall traffic (Kilobytes) by source; Firewall traffic (Kilobytes) by service; FTP details; Web details; Web site volume (last 24 hours).]
13. EFULLY BEFORE USING THE SOFTWARE. THIS IS A LEGAL AND ENFORCEABLE CONTRACT BETWEEN YOU AND THE LICENSOR. BY OPENING THIS PACKAGE, BREAKING THE SEAL, CLICKING ON THE "AGREE" OR "YES" BUTTON OR OTHERWISE INDICATING ASSENT ELECTRONICALLY, OR LOADING THE SOFTWARE, YOU AGREE TO THE TERMS AND CONDITIONS OF THIS AGREEMENT. IF YOU DO NOT AGREE TO THESE TERMS AND CONDITIONS, CLICK ON THE "I DO NOT AGREE" OR "NO" BUTTON OR OTHERWISE INDICATE REFUSAL AND MAKE NO FURTHER USE OF THE SOFTWARE.
   1. LICENSE. The software and documentation that accompanies this license (collectively the "Software") is the proprietary property of Symantec or its licensors and is protected by copyright law. While Symantec continues to own the Software, you will have certain rights to use the Software after your acceptance of this license. This license governs any releases, revisions, or enhancements to the Software that the Licensor may furnish to you. Except as may be modified by an applicable Symantec license certificate, license coupon, or license key (each a "License Module") that accompanies, precedes, or follows this license, your rights and obligations with respect to the use of this Software are as follows. YOU MAY: A. use that number of copies of the Software as have been licensed to you by Symantec under a License Module for Your internal business purposes. Your License Module shall constitute proof of Your ri
14. SA services on the network.
   SESA Console: The SESA Console is a Java-based user interface that provides the graphical user interface to retrieve events and create configurations. It runs in a Web browser with a secure connection.
   Symantec Event Collector for Check Point components
   Symantec Event Collector for Check Point VPN-1/FireWall-1 installs shared and product-specific components to send Check Point firewall events to SESA. These components are located on the Symantec Event Manager for Firewall and Symantec Event Collector for Check Point VPN-1/FireWall-1 CD-ROMs. You install the following components in separate procedures:
   - Symantec Event Manager for Firewall SESA integration components. You install these components on every SESA Manager to which you will forward Check Point events. They extend SESA functionality to provide the Firewall Event Family of reports.
   - Symantec Event Collector for Check Point VPN-1/FireWall-1 SESA integration components. You install these components on every SESA Manager to which you will forward Check Point events. They extend SESA functionality to provide the Check Point-specific reports.
   - Symantec Event Manager for Firewall. You install Symantec Event Manager for Firewall on the Check Point Log Server, which is the machine that receives log files from the Check Point fi
15. Symantec Event Collector for Check Point VPN-1/FireWall-1 Integration Guide
   Supported Platforms: Microsoft Windows 2000
   Symantec Event Collector for Check Point VPN-1/FireWall-1 Integration Guide
   The software described in this book is furnished under a license agreement and may be used only in accordance with the terms of the agreement.
   Documentation version 1.0
   Copyright notice
   Copyright 1998-2003 Symantec Corporation. All Rights Reserved. Any technical documentation that is made available by Symantec Corporation is the copyrighted work of Symantec Corporation and is owned by Symantec Corporation.
   NO WARRANTY. The technical documentation is being delivered to you AS-IS, and Symantec Corporation makes no warranty as to its accuracy or use. Any use of the technical documentation or the information contained therein is at the risk of the user. Documentation may include technical or other inaccuracies or typographical errors. Symantec reserves the right to make changes without prior notice.
   No part of this publication may be copied without the express written permission of Symantec Corporation, 20330 Stevens Creek Blvd., Cupertino, CA 95014.
   Trademarks
   Symantec, the Symantec logo, and Norton AntiVirus are U.S. registered trademarks of Symantec Corporation. LiveUpdate, LiveUpdate Administration Utility, Symantec AntiVirus, and Symantec Security Response are trademarks of Symantec Corporation. Other brand
16. and Applications, and click Services. In the right pane, select the Symantec Event Collector for Check Point VPN-1/FireWall-1 service. On the toolbar, click Start or Stop.
   Verifying the installation
   After installation, you can verify that the appropriate components are installed and working properly.
   To verify the installation, do the following:
   - Verify that the appropriate services have started.
   - Verify that the reports and products you installed for Symantec Event Manager for Firewall and Symantec Event Collector for Check Point are displayed in the SESA Console.
   - Examine the Symantec Event Collector for Check Point and SESA Agent logs as necessary.
   To verify that the appropriate services have started
   1. On the Check Point Log Server, select Start > Settings > Control Panel > Administrative Tools > Services.
   2. In the Services window, verify that the following services are running:
      - Symantec Event Collector for Check Point VPN-1/FireWall-1
      - SESA AgentStart Service
   To verify that the reports and products you installed are displayed in the SESA Console
   1. On the SESA Manager computer, on the Windows taskbar, click Start > Programs > Symantec Enterprise Security > SESA Console. Note: If you are not working directly on the SESA Manager computer, to connect to the SESA Consol
17. authorize SecuRemote.
   Event | Category | Severity | Description
   Logon (Authcrypt) | User Security | Informational or Warning | A SecuRemote logon has taken place.
   Authentication | User Security | Informational or Warning | A user has authenticated.
   Authentication Failure | User Security | Warning | A user has failed to authenticate.
   Connection Statistics | Security | Informational | A connection has ended. The event fields carry the statistics for the connection. Accounting events carry details regarding the duration of a connection and the amount of data transferred during the connection.
   What the Symantec Event Collector for Check Point CD contains
   When you install Symantec Event Collector for Check Point, you use two CD-ROMs:
   - Symantec Event Manager for Firewall
   - Symantec Event Collector for Check Point VPN-1/FireWall-1
   The contents of the Symantec Event Manager for Firewall CD are described in the Symantec Event Manager for Firewall Integration Guide.
   Table 1-5 lists the contents of the Symantec Event Collector for Check Point VPN-1/FireWall-1 CD.
   Table 1-5 Symantec Event Collector for Check Point CD contents
   top level:
   - cdstart.exe: displays the installation menu to start the Symantec Event Collector for Check Point or SESA integration component installations
   - setup.exe: runs the Symantec Event Collector for Ch
18. box, read the License Agreement and do one of the following:
   - If you accept the license terms, click I accept the terms in the license agreement. Then click Next.
   - If you do not accept the license terms, click I do not accept the terms in the license agreement. This cancels the installation process.
   5. In the Custom Setup dialog box, click the icon beside Event Collector for Symantec Security Gateways.
   [Screenshot: Symantec Event Manager for Firewall InstallShield Wizard, Custom Setup: "Select the program features you want installed."]
   6. In the drop-down list next to This feature will not be available, click the red X.
   7. Click Next. If a SESA Agent is not already installed on your system, the SESA Agent Install Information dialog box is displayed. If you do not see this dialog box, proceed to step 11.
   [Screenshot: Symantec Event Manager for Firewall InstallShield Wizard, SESA Agent Install Information.]
   In the SESA Agent Install Information dialog box, do the following:
      Path to install SESA Agent to:
      - If you accept the default installation location, leave this unchanged.
      - If you want to change the location where the SESA Agent i
19. ccess LEA unauthenticated and unencrypted at port 18184. This is the default LEA port, but not the default authentication mechanism. Configuring the LEA port in this way lets any host connect to the LEA server and read log data. Create a policy rule to prevent access from any source other than the local machine.
   To configure the LEA port for use by the Symantec Event Collector for Check Point
   1. Navigate to the directory containing the fwopsec.conf file. This file is usually in the following location: C:\WINNT\FW1\NG\conf\fwopsec.conf
   2. Open the fwopsec.conf file in the WordPad editor (do not use Notepad).
   3. Type the following lines into the file:
      lea_server port 18184
      lea_server auth_port 0
      This reverses the values for port and auth_port that are in the original file.
   4. Save fwopsec.conf. Ignore the "lose format" warning when saving.
   SESA DataStore
   After you install the Symantec Event Collector for Check Point and the SESA integration components, Check Point can begin to forward firewall events to SESA. The amount of disk space you will need to accommodate the event data depends on how many devices are logging events, how verbose they are, and how long you want to keep the event data. We recommend a minimum of 128 GB free space to ensure that events are properly logged.
   Installing the SESA integration compo
20. cts any Symantec software on the media for which you have not received a permission in a License Module; F. use the Software to collect data from a type of technology other than when using a Symantec Event Manager product that corresponds to that type of technology (i.e., antivirus, firewall, IDS, etc.); nor G. use the Software in any manner not authorized by this license.
   2. CONTENT UPDATES. Certain Symantec software products utilize content that is updated from time to time (antivirus products utilize updated virus definitions; content filtering products utilize updated URL lists; some firewall products utilize updated firewall rules; vulnerability assessment products utilize updated vulnerability data; etc.; collectively, these are referred to as "Content Updates"). You may obtain Content Updates for any period for which you have purchased upgrade insurance for the product, entered into a maintenance agreement that includes Content Updates, or otherwise separately acquired the right to obtain Content Updates. This license does not otherwise permit you to obtain and use Content Updates.
   3. LIMITED WARRANTY. Symantec warrants that the media on which the Software is distributed will be free from defects for a period of sixty (60) days from the date of delivery of the Software to you. Your sole remedy in the event of a breach of this warranty will be that Symantec will, at its option, replace any defective media returned to Symantec within the
21. e in a browser window, type the URL of the SESA Manager.
   2. Log on to the SESA Console using a SESA user account with sufficient rights to view SESA configurations. The SESA user must belong to a role that has rights to the SESA-enabled Symantec Event Collector for Check Point VPN-1/FireWall-1 product.
   3. On the Event view tab, expand your domain, and then expand SESA DataStore > Firewall Event Family.
   4. Under Firewall Event Family, verify that the Symantec Security Gateway folder is listed.
   5. Verify that the Symantec Event Collector for Check Point VPN-1/FireWall-1 folder is listed and contains the following reports:
      - All Check Point events
      - All Check Point alerts (if created in Check Point)
   6. On the Configurations view tab, expand your domain. Verify that the following items are listed:
      - Symantec Security Gateways
      - Symantec Event Collector for Check Point VPN-1/FireWall-1
   For more information on reports and views, see the Symantec Enterprise Security Architecture Administrator's Guide.
   To examine the Symantec Event Collector for Check Point and SESA Agent logs
   1. On the computer on which the Symantec Event Collector for Check Point is installed, navigate to the SESA Agent log. The default location is C:\Program Files\Symantec\SESA Agent\sesa agent log
   2. Ensure that the log contains the following entry: SESA Agent B
22. eck Point installation. When you insert the CD, a menu option is available to execute setup.exe; it should not be necessary to run setup.exe separately.
   - autorun.inf: auto-start program to run cdstart when the CD-ROM is inserted into a Microsoft Windows system
   - Support files for Symantec Event Collector for Check Point installation: Data1.cab, launcher settings, JREGENT.dll, JWINUTIL.dll, Symantec Event Collector for Check Point VPN-1/FireWall-1.msi, libjsunutil.so
   - setup.jar: integration component installer program
   AgtInst:
   - SESA Agent installation files
   techpubs:
   - SEC_CP_RelNote.PDF
   - SEC_CP.PDF: Symantec Event Collector for Check Point VPN-1/FireWall-1 Integration Guide
   lib:
   - Support files for the SESA integration component installation
   Chapter: Installing Symantec Event Collector for Check Point VPN-1/FireWall-1
   This chapter includes the following topics:
   - About installation
   - System prerequisites and set up
   - Before installing
   - Installing the SESA integration components
   - Installing on the Check Point Log Server
   - Starting and stopping the Symantec Event Collector for Check Point service
   - Verifying the installation
   - Troubleshooting the Symantec Event Collector for Check Point installation
   - Uninstalling
   About installation
   [Figure labels: SESA Manager (prerequisite); SESA DataStore; SESA
23. ... 27
   Installing Symantec Event Collector for Check Point SESA integration components ... 27
   Installing on the Check Point Log Server ... 29
   Installing the Java Runtime Environment ... 29
   Installing the Symantec Event Manager for Firewall and SESA Agent ... 30
   Installing Symantec Event Collector for Check Point ... 33
   Starting and stopping the Symantec Event Collector for Check Point service ... 34
   Verifying the installation ... 35
   Troubleshooting the Symantec Event Collector for Check Point installation ... 37
   Checking the SESA Manager address and port ... 37
   Determining whether the SESA Agent is receiving Check Point firewall events ... 38
   Confirming Symantec Event Collector for Check Point operation ... 38
   Uninstalling ... 39
   Uninstalling the Symantec Event Collector for Check Point ... 39
   Uninstalling Symantec Event Manager for Firewall ... 40
   Chapter 3 Using the Symantec Event Collector for Check Point VPN-1/FireWall-1
   Viewing reports installed for the Symantec Event Collector for Check Point ... 42
   Custo
24. essages in memory for later delivery, up to a default maximum of 2 MB. Once memory is full, the Agent queues to disk. This queue size can be changed by using the SESA Console to edit the maximum queue size value, as described in "Customizing the SESA Agent configuration" on page 45.
   How firewall events are mapped from Check Point
   In the SESA environment, events that arrive from a SESA Agent are generally understood to be events generated by the system on which the SESA Agent is installed. Because the Symantec Event Collector for Check Point resides on a Check Point Log Server that may receive events from multiple Check Point firewall systems, the event data is structured to uniquely identify each system. The Symantec Event Collector for Check Point VPN-1/FireWall-1 events are logged as if they originated with the machine that logged the message to the Check Point Log Server.
   Events processed by the Symantec Event Collector for Check Point
   All SESA events are a discrete instance of a class of similar events. An Event ID field indicates the exact instance. The Symantec Event Collector for Check Point derives discrete event IDs and classifications by examining the contents of key fields. The Symantec Event Collector for Check Point assigns one of the following categories to each firewall event:
   Table 1-2 Symantec Event Collector for Check Point log message categories
   Security: Messages that come from a firewall are assigned to the Securi
firewall events to a SESA Manager on behalf of the Symantec Event Collector for Check Point. When you install the Symantec Event Manager for Firewall, you furnish a small set of initial parameters for the SESA Agent, for example the SESA Manager's IP address. After you install the SESA Agent, you can change its default parameters using the SESA Console.

How the Symantec Event Collector for Check Point processes data

The Symantec Event Collector for Check Point VPN-1/FireWall-1 is a service that you install on the Check Point Log Server along with a SESA Agent. The Symantec Event Collector for Check Point links to the SESA Agent by way of the SESA Agent Application Library (applib). This lets the SESA Agent securely log the firewall events that it receives to a SESA Manager on behalf of the Symantec Event Collector for Check Point.

The Symantec Event Collector for Check Point receives Check Point log messages through Check Point's Log Export API (LEA). The LEA enables the Symantec Event Collector for Check Point to receive real-time log data generated by Check Point VPN-1/FireWall-1. When product data or the SESA Agent is unavailable, the Symantec Event Collector for Check Point sends error messages to the application event log on the Microsoft Windows system. When the SESA Manager is unavailable, the SESA Agent queues m
for Check Point" on page 33.

System prerequisites and set up

The system prerequisites for installing the Symantec Event Collector for Check Point are the same as those for installing the Check Point Log Server and the SESA Manager. Table 2-1 and Table 2-2 list the basic prerequisites.

Table 2-1 Hardware prerequisites
- Check Point Log Server: Intel Pentium-class system
- SESA Manager: Pentium 800 MHz or higher (1 GHz or higher recommended)

Table 2-2 Software prerequisites
- Check Point Log Server: Microsoft Windows 2000; Check Point VPN-1/FireWall-1 NG Feature Pack 2 or Feature Pack 3 (Check Point Log Server component)
- SESA Manager: Windows 2000 Server/Advanced Server with Service Pack 2 and the latest Microsoft security patches; SESA Foundation Pack 1.1

The Check Point Log Server component can be installed on the Check Point management server or on another computer. For details of the prerequisites for Check Point, see your Check Point documentation. For details of the prerequisites for the SESA Manager, see the Symantec Enterprise Security Architecture Installation Guide. Note that the SESA DataStore computer installed during the installation of the SESA Foundation Pack must have enough hard disk space to accommodate the additional firewall security events that the Symantec Event Collector for Check Point wil
Configuring Check Point for Symantec Event Collector for Check Point logging

No configuration of the Symantec Event Collector for Check Point VPN-1/FireWall-1 is necessary. By default, most events that are logged to the Check Point Log Server are captured by the Symantec Event Collector for Check Point and logged to the SESA Manager. Use the Check Point Policy Editor (if you are running Check Point FP2) or Check Point SmartDashboard (if you are running Check Point FP3) to control what data is logged by the firewalls to the Check Point Log Server. For more information, see your Check Point documentation.

Configuring Check Point policies

There are two steps to configuring Check Point policies for use in logging events to the Symantec Event Collector for Check Point:
- In the SESA Console, determine the data that you want to see in your SESA reports.
- In Check Point, configure policies that generate that data.

For example, if you want to see a pie chart of traffic by service, configure Check Point to log connections using the services you are interested in. To see a graph depicting denied connections, configure Check Point to log denied connections. Remember that the statistics involved (numbers, percentages, frequencies, and so forth) are based on what is actually logged.

To determine what you want Check Point to log
1. In the SESA Console, on the Events view tab,
ght to make such copies. If no License Module accompanies, precedes, or follows this license, you may make one copy of the Software you are authorized to use on a single machine; (B) make one copy of the Software for archival purposes, or copy the Software onto the hard disk of your computer and retain the original for archival purposes; (C) use each licensed copy of the Software on a single central processing unit; and (D) after written consent from Symantec, transfer the Software on a permanent basis to another person or entity, provided that you retain no copies of the Software and the transferee agrees to the terms of this license.

YOU MAY NOT: (A) copy the printed documentation which accompanies the Software; (B) sublicense, rent or lease any portion of the Software; reverse engineer, decompile, disassemble, modify, translate, make any attempt to discover the source code of the Software, or create derivative works from the Software; (C) use a previous version or copy of the Software after you have received a disk replacement set or an upgraded version. Upon upgrading the Software, all copies of the prior version must be destroyed; (D) use a later version of the Software than is provided herewith unless you have purchased corresponding maintenance and/or upgrade insurance or have otherwise separately acquired the right to use such later version; (E) use, if you received the software distributed on media containing multiple Symantec produ
hard drive: C:\Program Files\Symantec\SESA Agent
2. In a text editor, open the Configprovider.cfg file.
3. Verify that the following options contain the correct settings for the SESA Manager to which you want to send Check Point firewall events:
   - mgmtServer: IP address of the SESA Manager
   - mgmtPort: Port that you choose for secure data (default 443)
If these values are incorrect, you can edit them to provide the correct values. You should not edit these settings if the SESA Agent log file indicates a successful bootstrap of the SESA Agent. See "Verifying the installation" on page 35.

Determining whether the SESA Agent is receiving Check Point firewall events

Determine whether the SESA Agent is being updated with firewall events from Check Point.

To determine whether the SESA Agent is receiving Check Point firewall events
1. On the Check Point Log Server, at the command prompt, change directories to the following folder on the hard drive: C:\Program Files\Symantec\SESA Agent
2. Type the following command: java -jar agentcmd.jar status
   A list is generated showing the number of events in the SESA Agent queue and the number of events that have been processed.
3. In the queues that are displayed, look for ProdID 3030, which is the product ID for the Symantec Event Collector for Check
ic to SESA Manager, 24
  configuring for Symantec Event Collector for Check Point, 44
  configuring the LEA port, 25
  connectivity to SESA Manager, 23
  installing SESA Agent, 30, 33
  installing Symantec Event Collector for Check Point, 33
  system requirements, 24
Check Point policies
  configuring alerts, 45
  configuring services, 45
  enabling tracking, 45
Check Point Policy Editor, 45
Check Point SmartDashboard, 45
Configuration view tab, SESA Console, 45
configurations, distributing changes, 46
connectivity between Check Point Log Server and SESA Manager, 23
  testing, 23
custom reports, creating, 43
D
data
  processing, Symantec Event Collector for Check Point, 14
  retrieval, Symantec Event Collector for Check Point, 14
distribute, from configuration, 46
E
Event Collector. See Symantec Event Collector for Check Point
F
Firewall Event Family, viewing in SESA Console, 35
I
installing
  Java Runtime Library, 29
  planning, 20
  SESA Agent, 30, 33
  Symantec Event Collector for Check Point, 33
  Symantec Event Manager for Firewall, 30
  troubleshooting, 37
  verification, 35
J
JRE, installing, 29
L
LEA
  configuring port for Symantec Event Collector for Check Point, 25
  description, 14
Log Export API. See LEA
log file
  Symantec Event Collector for Check Point, 36
  viewing for SESA Agent, 36
log messages
  alert field, 16
  severity, 16
logging parameters, configuring for SESA Agent, 45
M
message queue limits, SESA Agent, 15
R
removing. See uninstalling
ilable 24 hours a day, 7 days a week, worldwide in a variety of languages for those customers enrolled in the Platinum Support program.
- Advanced features such as the Symantec Alerting Service and Technical Account Manager role offer enhanced response and proactive security support.

Please visit our Web site for current information on Support Programs. The specific features available may vary based on the level of support purchased and the specific product that you are using.

Licensing and registration

If the product that you are implementing requires registration and/or a license key, the fastest and easiest way to register your service is to access the Symantec licensing and registration site at www.symantec.com/certificate. Alternatively, you may go to www.symantec.com/techsupp/ent/enterprise.html, select the product that you wish to register, and from the Product Home Page select the Licensing and Registration link.

Contacting Technical Support

Customers with a current support agreement may contact the Technical Support group by phone or online at www.symantec.com/techsupp. Customers with Platinum support agreements may contact Platinum Technical Support by the Platinum Web site at www-secure.symantec.com/platinum.

Customer Service

When contacting the Technical Support group, please have the following:
- Product release level
- Hardware information
- Available memory, disk space, NIC information
- Operating system
- Version and patch level
- Ne
in the left pane, expand the Firewall Events Family folder. See "Viewing reports installed for the Symantec Event Collector for Check Point" on page 42.
2. Click on the report you want to view.
3. In the right pane, if the report displayed is a graph or pie chart, click on a section of the graph to display a table of events on which it is based.
4. In the table, view the column headings to see what data is represented by the report.

To create Check Point policies
1. Do one of the following:
   - If you are using Check Point VPN-1/FireWall-1 FP2, open the Check Point Policy Editor.
   - If you are using Check Point VPN-1/FireWall-1 FP3, open the Check Point SmartDashboard.
2. For each rule, decide whether and how you want to enable tracking:
   - For rules that control connections that you do not want to log, leave tracking turned off.
   - To log statistical information so that it appears in Firewall Event Family reports, set Track to Account.
   - To log connection events so that they appear in the Check Point-specific reports and the Firewall Event Family reports, set Track to Log.
3. To log the accessing of individual files through FTP or individual Web pages through HTTP or HTTPS, configure a rule that uses a Service with Resource.
4. To draw special attention to some particular type of event, configure it to be logged as
l send. The Symantec Event Collector for Check Point also requires the installation of the Symantec Event Manager for Firewall on the Check Point Log Server and on each SESA Manager to which Check Point firewall events will be sent. Installation instructions are provided in this guide and in the Symantec Event Manager for Firewall Integration Guide.

Before installing

This section describes the prerequisites that must be met before you begin installing the components of the Symantec Event Collector for Check Point. The prerequisite software must be installed as shown in Figure 2-1. You must also ensure that you have connectivity between the SESA Manager and the Check Point Log Server.

SESA Manager computer prerequisites

Before installing any components on the SESA Manager, ensure that it is installed and operating properly. For installation information, see the Symantec Enterprise Security Architecture Installation Guide. Install the SESA integration components for the Symantec Event Collector for Check Point on the SESA Manager before you install the Symantec Event Collector for Check Point on the Check Point Log Server. If you do not install the SESA integration components, you cannot connect the Symantec Event Collector for Check Point to the SESA Manager. See "Installing the SESA integration components" on page 26.

Ensuring connectivi
mantec Event Collector for Check Point. They only indicate that the Symantec Event Collector for Check Point has started or stopped.

Category | Event class | Severity | Description
Control Message | Security | Informational or Warning | A control log message has been received. These represent various kinds of system-oriented messages.
Key Install | Security | Informational or Warning | A Key Install message has been received. A new set of encryption keys has been generated, usually for use by a VPN session.
Connection Accepted | Security | Informational or Warning | A new connection has been accepted.
Connection Dropped | Security | Informational or Warning | A connection attempt was dropped without notifying the source.
Connection Rejected | Security | Informational or Warning | A connection attempt was rejected, actively notifying the source.

Table 1-4 Events processed by the Symantec Event Collector for Check Point

Category | Event class | Severity | Description
Connection Decrypted | Security | Informational or Warning | An incoming VPN connection was accepted.
Connection Encrypted | Security | Informational or Warning | An outgoing VPN connection has been established.
SecurClient User Logon (Authorize) | Security | Informational or Warning | A SecurClient has logged in.
SecurClient User Logoff (De | Security | Informational or Warning | A SecurClient has logged off.
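As an added example that is not code from this guide or from Symantec, the following Python sketch applies the two rules stated above: each message receives a category from the events table (all in the Security event class, with Informational or Warning severity) and is attributed to the firewall that logged it to the Log Server, not to the Log Server itself. It also carries the check implied by "Allowing traffic from the Symantec Event Collector for Check Point to the SESA Manager": records that show the collector's own traffic to the SESA Manager mean that traffic is still being tracked. The `key=value;` record layout, the field names `orig`, `action`, `alert`, `src`, `dst` and `service`, and the mapping from `action` values to categories are assumptions, not taken from the guide.

```python
"""Added example, not code from the Symantec guide or from Symantec.

Models how a collector on the Check Point Log Server could turn LEA-style
log records into SESA-style events: category from the events table (all in
the Security event class), severity Informational or Warning, and origin
set to the firewall that logged the message, not the Log Server itself.
Field names (orig, action, alert, src, dst, service), the 'key=value;'
record layout and the action-to-category mapping are assumptions.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Assumed mapping from the Check Point "action" field to the categories
# listed in the guide's events table.
ACTION_TO_CATEGORY = {
    "ctl": "Control Message",
    "keyinst": "Key Install",
    "accept": "Connection Accepted",
    "drop": "Connection Dropped",
    "reject": "Connection Rejected",
    "decrypt": "Connection Decrypted",
    "encrypt": "Connection Encrypted",
    "authorize": "SecurClient User Logon",
    "deauthorize": "SecurClient User Logoff",
}


@dataclass
class SesaEvent:
    event_class: str   # always "Security" for the categories above
    category: str
    severity: str      # "Informational" or "Warning"
    origin: str        # host the event is attributed to
    raw: Dict[str, str] = field(default_factory=dict)


def parse_lea_line(line: str) -> Dict[str, str]:
    """Parse one constructed 'key=value; key=value' record into a dict."""
    fields: Dict[str, str] = {}
    for part in line.split(";"):
        part = part.strip()
        if not part:
            continue
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return fields


def map_event(record: Dict[str, str]) -> Optional[SesaEvent]:
    """Classify one record; None for messages with no category in the table."""
    category = ACTION_TO_CATEGORY.get(record.get("action", "").lower())
    if category is None:
        return None
    # Assumption: a record whose alert field is set is the "draw special
    # attention" case from the policy steps and is raised to Warning.
    severity = "Warning" if record.get("alert") else "Informational"
    # Guide: the event is logged as if it originated with the machine that
    # logged the message to the Log Server, so attribute it to 'orig'.
    origin = record.get("orig", "unknown")
    return SesaEvent("Security", category, severity, origin, record)


def tracked_collector_traffic(records: List[Dict[str, str]],
                              collector_host: str,
                              sesa_manager: str) -> List[Dict[str, str]]:
    """Records showing the collector's own traffic to the SESA Manager.

    Any hit means the rule that allows this traffic still has Tracking set,
    which is the feedback-loop condition the guide says to avoid (each
    Check Point log line would become a SESA event, which in turn would
    produce another Check Point log line).
    """
    return [r for r in records
            if r.get("src") == collector_host and r.get("dst") == sesa_manager]


# Constructed sample records; not real LEA output.
SAMPLE_LINES = [
    "orig=fw-edge-1; action=accept; src=10.0.1.5; dst=10.0.2.9; service=http",
    "orig=fw-edge-1; action=drop; src=198.51.100.7; dst=10.0.2.9; "
    "service=telnet; alert=alert",
    "orig=fw-vpn-1; action=keyinst; src=203.0.113.4; dst=10.0.0.1",
    "orig=fw-edge-1; action=accept; src=10.0.0.20; dst=10.0.0.30; service=https",
    "orig=fw-edge-1; action=monitor; src=10.0.1.6; dst=10.0.2.9",
]


def process(lines: List[str], collector_host: str = "10.0.0.20",
            sesa_manager: str = "10.0.0.30"
            ) -> Tuple[List[SesaEvent], List[Dict[str, str]]]:
    """Return (classified events, records that indicate tracked loop traffic)."""
    records = [parse_lea_line(line) for line in lines]
    events = [e for e in (map_event(r) for r in records) if e is not None]
    loops = tracked_collector_traffic(records, collector_host, sesa_manager)
    return events, loops


if __name__ == "__main__":
    events, loops = process(SAMPLE_LINES)
    for e in events:
        print(f"{e.origin:10} {e.event_class}/{e.category:24} {e.severity}")
    if loops:
        print(f"{len(loops)} record(s) show collector traffic to the SESA Manager "
              "being logged; set Tracking to None on that rule")
```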
mizing firewall event reports … 43
Configuring Check Point for Symantec Event Collector for Check Point logging … 44
Customizing the SESA Agent configuration … 45
Index

Chapter 1 Symantec Event Collector for Check Point VPN-1/FireWall-1

This chapter includes the following topics:
- About the Symantec Event Collector for Check Point
- Symantec Event Collector for Check Point components
- How the Symantec Event Collector for Check Point retrieves data
- What the Symantec Event Collector for Check Point CD contains

About the Symantec Event Collector for Check Point

Symantec Event Collector for Check Point VPN-1/FireWall-1 provides centralized logging, alerting, and reporting for Check Point VPN-1/FireWall-1 Next Generation (NG) products. Symantec Event Collector for Check Point VPN-1/FireWall-1 retrieves firewall events and forwards these events to the Symantec Enterprise Security Architecture (SESA) management system. Currently, the logged events represent the operation of the Check Point VPN-1/FireWall-1 NG Feature Pack 2 (FP2) and Feature Pack 3 (FP3) products. These firewall events are stored in the SESA DataStore, where they are available for visual inspection, as the basis for alert notifications, and as raw data for report generation. The S
nents. You install the Symantec Event Manager for Firewall and Symantec Event Collector for Check Point SESA integration components on the SESA Manager. You perform two separate installation procedures:
- Use the Symantec Event Manager for Firewall CD-ROM to install the Symantec Event Manager for Firewall SESA integration components.
- Use the Symantec Event Collector for Check Point VPN-1/FireWall-1 CD-ROM to install the Symantec Event Collector for Check Point SESA integration components.

These components must be installed before you install the Symantec Event Manager for Firewall and the Symantec Event Collector for Check Point on the Check Point Log Server. This is required so that, after you install on the Check Point Log Server, you can connect to SESA. You must install both sets of components on every SESA Manager to which you will forward Check Point events.

Installing Symantec Event Manager for Firewall SESA integration components

You must install the Symantec Event Manager for Firewall SESA integration components before you install the Symantec Event Collector for Check Point SESA integration components. These components contain the Firewall Event Family common reports and the Symantec Security Gateway reports. Use the Symantec Event Manager for Firewall CD-ROM to perform the installa
nt Collector for Check Point, 39
  Symantec Event Manager for Firewall, 40
V
verifying
  SESA operation, 35
  Symantec Event Collector for Check Point installation, 35
nt is installed and that the java version is 1.3.1_02.
3. If it is not, install the Java Runtime Environment before you install the Symantec Event Manager for Firewall.

To install the Java Runtime Environment
1. On the Check Point Log Server, insert the Symantec Event Manager for Firewall CD into the CD-ROM drive. If the installation program does not start automatically, navigate to the CD-ROM drive and double-click cdstart.exe.
2. In the Symantec Enterprise Security Architecture dialog box, click Install JRE 1.3.1_02. The Java files are unpacked and the Java installation is launched.
3. Complete the installation as prompted.

Installing the Symantec Event Manager for Firewall and SESA Agent

Before you install the Symantec Event Collector for Check Point, you must install the Symantec Event Manager for Firewall and SESA Agent.

To install the Symantec Event Manager for Firewall
1. On the Check Point Log Server, insert the Symantec Event Manager for Firewall CD into the CD-ROM drive. If the installation program does not start automatically, navigate to the CD-ROM drive and double-click cdstart.exe.
2. In the Symantec Enterprise Security Architecture dialog box, click Install Event Manager for Firewall.
3. In the Event Manager for Firewall InstallShield Wizard Welcome dialog box, click Next.
4. In the License Agreement dialog
og Server. The installation process installs the Symantec Event Collector for Check Point as a service. The Symantec Event Collector for Check Point is accessible through the Services control panel applet. It is also accessible through the Add/Remove Programs control panel applet.

To install Symantec Event Collector for Check Point
1. On the Check Point Log Server, insert the Symantec Event Collector for Check Point VPN-1/FireWall-1 CD-ROM into the CD-ROM drive. If the installation program does not start automatically, navigate to the CD-ROM drive and double-click cdstart.exe.
2. In the Symantec Enterprise Security Architecture dialog box, click Install Symantec Event Collector for Check Point FW-1.
3. In the Symantec Event Collector for Check Point VPN-1/FireWall-1 InstallShield Wizard Welcome dialog box, click Next.
4. In the License Agreement dialog box, read the License Agreement and do one of the following:
   - If you accept the license terms, click I accept the terms in the license agreement. Then click Next.
   - If you do not accept the license terms, click I do not accept the terms in the license agreement. This cancels the installation process.
5. The Custom Setup dialog box shows the default location to which the Symantec Event Collector for Check Point is installed: C:\Program Files\Symantec\Event Collector for Check Point. Do one of the following:
   - To install the Symantec Event Collector for Check Point to the default locati
on, click Next.
   - To change the installation location for the Symantec Event Collector for Check Point, click Change. In the Change Current Destination Folder dialog box, select a new location for the Symantec Event Collector for Check Point, click OK, and then click Next.
6. In the Ready to Install the Program dialog box, click Install. A DOS window shows the installation of the Symantec Event Collector for Check Point files.
7. In the InstallShield Wizard Completed dialog box, click Finish.
8. When you are prompted to restart your system, do one of the following:
   - To restart now, click Yes.
   - To restart later, click No.
You must restart your system before you can use the Symantec Event Collector for Check Point VPN-1/FireWall-1.

Starting and stopping the Symantec Event Collector for Check Point service

The Symantec Event Collector for Check Point runs as a service on the computer on which it is installed. To start and stop the Symantec Event Collector for Check Point, you start and stop the service as necessary. You can also stop the Symantec Event Collector for Check Point by stopping the SESA Agent service.

To start or stop a service
1. On the Check Point Log Server, on the desktop, right-click My Computer and click Manage.
2. In the Computer Management window, expand Services
ootstrap successful. If you do not see this message, see the procedure "Checking the SESA Manager address and port" on page 37.
3. Select Start > Settings > Control Panel > Administrative Tools > Event Viewer.
4. Click Application Log. Examine the log. The following Symantec Event Collector for Check Point VPN-1/FireWall-1 event should be present: The service was started.

Troubleshooting the Symantec Event Collector for Check Point installation

If you are not receiving Check Point firewall events after you have installed Symantec Event Collector for Check Point VPN-1/FireWall-1 and have run the verification procedures described previously, perform the following procedures to confirm operation:
- Checking the SESA Manager address and port
- Determining whether the SESA Agent is receiving Check Point firewall events
- Confirming Symantec Event Collector for Check Point operation

Checking the SESA Manager address and port

Verify that you specified the correct SESA Manager IP address or host name and the correct number for the SESA secure directory port when you ran the Symantec Event Manager for Firewall installation.

To check the SESA Manager address and port
1. On the Check Point Log Server, at the command prompt, change directories to the following folder on the
Viewing reports installed for the Symantec Event Collector for Check Point

The Symantec Event Collector for Check Point VPN-1/FireWall-1 lets you use the SESA Console to view firewall events logged by your Check Point firewalls. The SESA integration components that you installed on the SESA Manager include pre-defined reports for firewall and Check Point collector events. The Firewall Event Family contains reports that are common to all firewall products. For details of these reports, see the Symantec Event Manager for Firewall Integration Guide. The reports that are specific to firewall events collected for Check Point are found in the Symantec Event Collector for Check Point VPN-1/FireWall-1 folder within the Firewall Event Family. The following table describes the firewall event reports that are specific to the Symantec Event Collector for Check Point.

Table 3-1 Symantec Event Collector for Check Point VPN-1/FireWall-1 reports
- All Check Point events (Table): All events logged by Check Point VPN-1/FireWall-1
- All Check Point alerts (Table): Details of Check Point alerts

To view Symantec Event Collector for Check Point reports
1. Log on to the SESA Console using a SESA user account with sufficient rights to view SESA events. The SESA user must belong to a role that has rights to the SESA-enabled security gateway product. See the Symantec Enterprise Security Architecture Administrator's Guide for inf
ormation, see your Check Point documentation. Use the Check Point Log Viewer (if you are running FP2) or Check Point SmartView Tracker (if you are running FP3) to verify that the firewalls to be monitored are passing traffic and logging appropriately. In addition, complete the instructions in the following sections:
- "Ensuring connectivity from the Log Server to the SESA Manager" on page 23
- "Allowing traffic from the Symantec Event Collector for Check Point to the SESA Manager" on page 24
- "Configuring the LEA port for use by the Symantec Event Collector for Check Point" on page 25

Allowing traffic from the Symantec Event Collector for Check Point to the SESA Manager

If you plan to install the Symantec Event Collector for Check Point on a Check Point Log Server on which there is also a firewall, Check Point must be configured to allow traffic from the Symantec Event Collector for Check Point to the SESA Manager. You can do this either with an implied policy rule that lets all traffic that originates from the firewall computer pass, or by creating an explicit rule. Depending on how your Check Point environment is currently set up, this may or may not require additional action on your part.

To allow traffic from the Symantec Event Collector for Check Point to the SESA Manager
1. On the Check Point Log Server, do one of the following:
   - If you are using Check Point VPN-1/FireWall-1 FP2, open the Check Point Policy Editor.
ormation on roles.
2. On the Events view tab, in the left pane, expand <Domain Name> > SESA DataStore > Firewall Event Family to display all common Firewall Event Family reports. To display available Symantec Event Collector for Check Point reports, expand <Domain Name> > SESA DataStore > Firewall Event Family > Symantec Event Collector for Check Point VPN-1/FireWall-1, where <Domain Name> is the SESA Domain as defined during the SESA installation.
3. Click the icon or name of the report you want to view. The report appears in the right pane.

[Figure: SESA Console screenshot. The left pane shows the tree SESA DataStore > Global Reports, System Events, Firewall Event Family (firewall network events, firewall rule matches, denied connections); the right pane lists events with the columns Severity, Event Type, Machine, Destination, and Service Name, for example "Informational / Connection Accepted / sebulba / domain-udp".]
prohibited.

6. GENERAL. If You are located in North America or Latin America, this Agreement will be governed by the laws of the State of California, United States of America. Otherwise, this Agreement will be governed by the laws of England. This Agreement and any related License Module is the entire agreement between You and Symantec relating to the Software and: (i) supersedes all prior or contemporaneous oral or written communications, proposals and representations with respect to its subject matter; and (ii) prevails over any conflicting or additional terms of any quote, order, acknowledgment or similar communications between the parties. This Agreement shall terminate upon Your breach of any term contained herein and You shall cease use of and destroy all copies of the Software. The disclaimers of warranties and damages and limitations on liability shall survive termination. This Agreement may only be modified by a License Module which accompanies this license or by a written document which has been signed by both You and Symantec. Should You have any questions concerning this Agreement, or if You desire to contact Symantec for any reason, please write to: (i) Symantec Customer Service, 555 International Way, Springfield, OR 97477, U.S.A.; (ii) Symantec Customer Service Center, PO BOX 5689, Dublin 15, Ireland; or (iii) Symantec Customer Service, 1 Julius Ave, North Ryde, NSW 2113, Australia.

Contents

Chapter 1
Chapter 2
Symantec
reports
  customizing, 43
  viewing in SESA Console, 35, 42
S
services, configuring in Check Point policies, 45
SESA Agent
  Application Library, 14
  configuring logging parameters, 45
  description, 14
  installing, 30, 33
  message queue limits, 15
  viewing agent log, 36
SESA Console
  Configuration view tab, 45
  logging on, 35
  viewing Firewall Event Family, 35
  viewing Symantec Event Collector for Check Point logs, 35
SESA DataStore, system requirements, 26
SESA integration components, installing for Symantec Event Collector for Check Point, 26
SESA Manager
  connectivity to Check Point Log Server, 23
  installing SESA integration components, 26
  system requirements, 23
  verifying IP address and port, 37
severity, log messages, 16
Symantec Event Collector for Check Point
  CD contents, 18
  components installed, 11, 22
  data processing, 14
  data retrieval, 14
  description, 10
  events processed, 15
  installation planning, 20
  installing, 33
  installing SESA integration components, 26
  log, examining, 36
  mapping of Check Point events, 15
  system requirements, 22
  topology, 13
  uninstalling, 39
  verifying installation, 35
  verifying operation, 38
  viewing in SESA Console, 35
Symantec Event Manager for Firewall
  installing, 30
  uninstalling, 40
system requirements
  Check Point Log Server, 24
  SESA DataStore, 26
  SESA Manager, 23
  Symantec Event Collector for Check Point, 22
T
tracking, enabling for Check Point policies, 45
troubleshooting installations, 37
U
uninstalling
  Symantec Eve
rewalls. The SESA Agent is included with the Symantec Event Manager for Firewall installation. It handles communications between the Symantec Event Collector for Check Point and the SESA Manager. It passes firewall events from the Check Point Log Server to the SESA Manager and receives configuration data.
  Note: The Java Runtime Environment (JRE) must already be installed on the computer on which you install the SESA Agent. If necessary, you can install it from the Symantec Event Manager for Firewall CD-ROM.
- Symantec Event Collector for Check Point VPN-1/FireWall-1. You install the Symantec Event Collector for Check Point on the Check Point Log Server. It gathers security event data from Check Point VPN-1/FireWall-1, processes the data into SESA events, and then sends the events to the SESA Manager by way of the SESA Agent.

How the Symantec Event Collector for Check Point works

The Symantec Event Collector for Check Point components work together to collect and route log messages from the Check Point Log Server to SESA. This enables centralized logging, alerting, and reporting using the SESA Console. Figure 1-1 and the remaining sections of this chapter describe how the Symantec Event Collector for Check Point components collect and route events to the SESA Manager for processing.

Figure 1-1 How the Symantec Event
s and product names mentioned in this manual may be trademarks or registered trademarks of their respective companies and are hereby acknowledged.
Printed in the United States of America.
10 9 8 7 6 5 4 3 2 1

Technical support

As part of Symantec Security Response, the Symantec global Technical Support group maintains support centers throughout the world. The Technical Support group's primary role is to respond to specific questions on product feature/function, installation, and configuration, as well as to author content for our Web-accessible Knowledge Base. The Technical Support group works collaboratively with the other functional areas within Symantec to answer your questions in a timely fashion. For example, the Technical Support group works with Product Engineering as well as Symantec Security Response to provide Alerting Services and Virus Definition Updates for virus outbreaks and security alerts.

Symantec technical support offerings include:
- A range of support options that give you the flexibility to select the right amount of service for any size organization
- Telephone and Web support components that provide rapid response and up-to-the-minute information
- Upgrade insurance that delivers automatic software upgrade protection
- Content Updates for virus definitions and security signatures that ensure the highest level of protection
- Global support from Symantec Security Response experts, which is ava
49. s installed, click Change. In the Change the SESA Agent Distribution Folder dialog box, specify the destination folder for the SESA Agent, then click OK.

IP Address of the SESA Manager:
■ If SESA is using the default anonymous SSL, type the IP address of the SESA Manager computer.
■ If SESA has been upgraded to use authenticated SSL, type the host name of the SESA Manager computer (the Agent validates the Manager's certificate against that name, so an IP address will not do here).

Port on which the SESA Management Server listens: Type the port number if it is other than the default, 443.

Click Next. In the Ready to Install the Program dialog box, click Install. A DOS window shows the installation of files. When it closes, the Status field of the Installing Event Collector dialog box shows the progress of the installation of the SESA Agent. In the InstallShield Wizard Completed dialog box, click Finish. When you are prompted to restart your system, do one of the following:
■ To restart now, click Yes.
■ To restart later, click No.

Note: You must restart your system to complete the installation of the SESA Agent; however, you can wait until after you have installed the Symantec Event Collector for Check Point software.

Installing Symantec Event Collector for Check Point

After you install Symantec Event Manager for Firewall, you install Symantec Event Collector for Check Point VPN-1/FireWall-1 on the Check Point L
50. ssful, then click Finish. Repeat steps 1 through 9 on each SESA Manager to which you will forward Check Point events.

Installing on the Check Point Log Server

You install the products that enable the forwarding of Check Point firewall events to SESA on the Check Point Log Server. Install the following products in the order in which they are listed:
■ Use the Symantec Event Manager for Firewall CD-ROM to install:
■ Java Runtime Environment (JRE) version 1.3.1_02
■ Symantec Event Manager for Firewall
■ Use the Symantec Event Collector for Check Point VPN-1/FireWall-1 CD-ROM to install Symantec Event Collector for Check Point VPN-1/FireWall-1.

Installing the Java Runtime Environment

The Java Runtime Environment (JRE) version 1.3.1_02 is required by the SESA Agent. If it is not already present on your system, it must be installed before you install the Symantec Event Manager for Firewall, which includes the SESA Agent installation.

To install the Java Runtime Environment, first determine whether the correct version of the JRE is already installed on your Check Point Log Server. If it is not, perform the JRE installation procedure.

To determine whether the Java Runtime Environment is installed
1. On the Check Point Log Server, at the DOS prompt, type the following command: java -version
2. Verify that the Java Runtime Environme
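The version check above is easy to get wrong by eye (a JRE 1.3.1 without the _02 update, or a later 1.4 release, both look close enough). The following script, an added example that is not part of the manual or of Symantec's software, runs the same java -version command, parses the banner the JVM prints (to stderr, not stdout) and compares it with the required 1.3.1_02 as a numeric tuple, reporting "older" and "newer" separately so the administrator can decide what to do. The sample banners are constructed for the example; the exact banner layout of a given JVM is an assumption, only the first line is relied on.

```python
import re
import subprocess

REQUIRED_JRE = "1.3.1_02"   # version the SESA Agent requires (from the text above)

_VERSION_RE = re.compile(r'java version "([^"]+)"')


def parse_java_version(output):
    """Pull the version string out of `java -version` output, or None if absent."""
    m = _VERSION_RE.search(output)
    return m.group(1) if m else None


def version_key(version):
    """Turn '1.3.1_02' into (1, 3, 1, 2) so versions compare numerically.
    Sun-style versions carry the update as '_NN'; a missing update counts as 0.
    A trailing build tag after '-' (for example '1.3.1_02-b02') is ignored."""
    version = version.split("-", 1)[0]
    base, _, update = version.partition("_")
    parts = [int(p) for p in base.split(".")]
    parts.append(int(update) if update else 0)
    return tuple(parts)


def jre_check(output, required=REQUIRED_JRE):
    """Classify a `java -version` banner against the required version.
    Returns (status, found) where status is 'missing', 'ok', 'older' or 'newer'."""
    found = parse_java_version(output)
    if found is None:
        return "missing", None
    fk, rk = version_key(found), version_key(required)
    if fk == rk:
        return "ok", found
    return ("older" if fk < rk else "newer"), found


def run_java_version():
    """Run `java -version` on this machine and return its banner text.
    The JVM writes the banner to stderr, so both streams are collected."""
    try:
        proc = subprocess.run(["java", "-version"], capture_output=True, text=True)
    except FileNotFoundError:          # no java on PATH at all
        return ""
    return proc.stderr + proc.stdout


# Constructed sample banners (not captured from a real installation)
SAMPLE_OK = 'java version "1.3.1_02"\nJava(TM) 2 Runtime Environment, Standard Edition (build 1.3.1_02-b02)\n'
SAMPLE_OLD = 'java version "1.3.1"\nJava(TM) 2 Runtime Environment, Standard Edition (build 1.3.1-b24)\n'
SAMPLE_NONE = "'java' is not recognized as an internal or external command\n"

if __name__ == "__main__":
    status, found = jre_check(run_java_version())
    print("JRE on this host: %s (%s, required %s)" % (found, status, REQUIRED_JRE))
```

Run it on the Check Point Log Server before installing Symantec Event Manager for Firewall; anything other than "ok" means the JRE installation procedure still has to be carried out.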
51. talling Symantec Event Collector for Check Point VPN-1/FireWall-1: Installing the SESA integration components

10. In the SESA Domain Administrator Information dialog box, do the following:
SESA Domain Administrator Name: Type the name of the SESA Domain Administrator account.
SESA Domain Administrator Password: Type the password for the SESA Domain Administrator account.
IP Address of SESA Directory: Type the IP address of the computer on which the SESA Directory is installed (this may be the same as the SESA Manager IP address if both are installed on the same computer). If you use authenticated SSL instead of the SESA default anonymous SSL, you must type the host name of the SESA Directory computer, for example, myhost.com. For more information on SESA default anonymous SSL and upgrading to authenticated SSL, see the Symantec Enterprise Security Architecture Installation Guide.
SSL Port: Type the number of the SESA Directory secure port. By default, the port number is 636.

Click Next. In the Ready to proceed dialog box, do one of the following:
■ If you are ready to proceed, click Next.
■ If you want to change your settings, click Back.

In the Configuring Your System dialog box, you will see the progress of the configuration of the SESA Console for the Symantec Event Collector for Check Point VPN-1/FireWall-1. When it is complete, click Next. In the SESA Console Integration Status window, verify that your installation was succe
52. the SESA Agent configuration

1. On the Configurations view tab, in the left pane, expand the SESA folder.
2. Expand SESA Agent Configuration.
3. On the Logging tab, change the parameters to the settings described in Table 3-2.

When you finish editing the configuration, select one of the following:
■ Apply: Save your changes and continue editing.
■ Reset: Cancel all of the changes that you have made on all of the tabs and reset the values to those that existed when you started editing.

When you are prompted to distribute the changes, select one of the following:
■ Yes: Immediately informs the computers that are associated with the configuration of the changes. The computers receive a message that a new configuration is waiting.
■ No: Inform the computers of the changes at a later time; otherwise the computers pick up the changes at the next scheduled configuration update interval.

When you distribute a configuration, the software on the target systems retrieves the new configuration when the config poll time is reached.

Note: For information on all SESA Agent parameters and settings, see the chapter on configuring products in the Symantec Enterprise Security Architecture Administrator's Guide.

Table 3-2 Recommended SESA Agent settings
Maximum queue size: 9999 kb. When an application's queue reaches this size, any future log requests will be refused.
App flush size: 999 kb
App flush count: 1000
App flush time: 30 seconds
Using the S
53. tion on every SESA Manager to which you are forwarding Check Point firewall events. For installation instructions, see the section on installing Symantec Event Manager for Firewall SESA integration components in the Symantec Event Manager for Firewall Integration Guide.

Installing Symantec Event Collector for Check Point SESA integration components

You install the Symantec Event Collector for Check Point SESA integration components to provide reports that are specific to Check Point VPN-1/FireWall-1. You must install these components on every SESA Manager to which you are forwarding Check Point firewall events.

To install Symantec Event Collector for Check Point SESA integration components
1. On the SESA Manager computer, insert the Symantec Event Collector for Check Point VPN-1/FireWall-1 CD. If the installation program does not start automatically, navigate to the CD-ROM drive and double-click cdstart.exe.
2. In the Symantec Enterprise Security Architecture dialog box, click Install SESA Integration Components.
3. In the Welcome to the SESA Integration Wizard window, click Next.
4. In the SESA Integration Requirements dialog box, verify that you have the SESA Manager running on this machine, then do one of the following:
■ If you have satisfied these requirements, click Next.
■ If you have not satisfied these requirements, click Cancel. This exits setup so that you can install the necessary files.
54. twork topology
■ Router, gateway, and IP address information
■ Problem description
■ Error messages, log files
■ Troubleshooting performed prior to contacting Symantec
■ Recent software configuration changes and/or network changes

To contact Enterprise Customer Service online, go to www.symantec.com, select the appropriate Global Site for your country, then select Service and Support. Customer Service is available to assist with the following types of issues:
■ Questions regarding product licensing or serialization
■ Product registration updates, such as address or name changes
■ General product information (features, language availability, local dealers)
■ Latest information on product updates and upgrades
■ Information on upgrade insurance and maintenance contracts
■ Information on the Symantec Value License Program
■ Advice on Symantec's technical support options
■ Nontechnical presales questions
■ Missing or defective CD-ROMs or manuals

SYMANTEC CORPORATION SOFTWARE LICENSE AGREEMENT (COLLECTORS)

THIS LICENSE AGREEMENT SUPERSEDES THE LICENSE AGREEMENT CONTAINED IN THE SOFTWARE INSTALLATION. SYMANTEC CORPORATION AND/OR ITS SUBSIDIARIES ("SYMANTEC") IS WILLING TO LICENSE THE SOFTWARE TO YOU AS AN INDIVIDUAL, THE COMPANY, OR THE LEGAL ENTITY THAT WILL BE UTILIZING THE SOFTWARE (REFERENCED BELOW AS "YOU" OR "YOUR") ONLY ON THE CONDITION THAT YOU ACCEPT ALL OF THE TERMS OF THIS LICENSE AGREEMENT. READ THE TERMS AND CONDITIONS OF THIS LICENSE AGREEMENT CAR
55. ty category. These can include connection statistic messages.

Application: Events generated by the Symantec Event Collector for Check Point application itself are listed as Application.

In Check Point, severities are assigned as follows:

Table 1-3 Check Point severities
Informational: Events that represent expected behavior.
Warning: Events that represent suspicious behavior.

Any Check Point log message can have an alert field attached to it, which indicates that the firewall administrator wants extra significance attached to that message. The severity of events created from such log messages is raised to Warning. For example, connection messages that are Informational become Warnings when they have an alert field attached. The combination of the severity determined by the Symantec Event Collector for Check Point and the Check Point-assigned severity results in the severity shown in Table 1-4.

Table 1-4 Events processed by the Symantec Event Collector for Check Point
Application Start: class Application, severity Informational. The Symantec Event Collector for Check Point is starting.
Application Stop: class Application, severity Informational. The Symantec Event Collector for Check Point is stopping.
These two events are not logged by Check Point. They are generated by the Sy
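To make the severity rules concrete, here is an added example (not Symantec's collector code) that runs the Table 1-3 and Table 1-4 rules over a few constructed Check Point log records and emits the SESA-style events the collector would forward: an Application Start event, one Security event per firewall record with its severity raised to Warning only when the record carries an alert field, and an Application Stop event. Assumptions: records are rendered as semicolon-separated key=value pairs (a simplification of what the LEA API delivers), any non-empty alert value counts as an attached alert, and the class name "Security" is taken from the truncated "…ty category" text above.

```python
# Constructed sample records, not captured from a real firewall. The third
# carries an empty alert field, the last an alert of type "mail".
SAMPLE_RECORDS = [
    "time=14Mar2003 10:02:11; action=accept; src=10.1.2.3; dst=192.0.2.10; service=https",
    "time=14Mar2003 10:02:12; action=drop; src=198.51.100.7; dst=10.1.2.3; service=telnet; alert=alert",
    "time=14Mar2003 10:02:13; action=reject; src=203.0.113.9; dst=10.1.2.3; service=ssh; alert=",
    "time=14Mar2003 10:02:14; action=accept; src=10.1.2.3; dst=192.0.2.20; service=http; alert=mail",
    "this line is not a log record",
]


def parse_record(line):
    """Split 'k=v; k=v' into a dict with lower-cased keys; unparsable input -> {}."""
    fields = {}
    for pair in line.split(";"):
        if "=" not in pair:
            continue
        key, value = pair.split("=", 1)
        fields[key.strip().lower()] = value.strip()
    return fields


def checkpoint_severity(fields):
    """Table 1-3 plus the alert rule: a message is Informational (expected
    behaviour) unless the administrator attached an alert to it, in which case
    the event is raised to Warning. An empty alert field is not an alert."""
    return "Warning" if fields.get("alert") else "Informational"


def security_event(fields):
    """SESA event for one firewall log record (class name assumed: Security)."""
    return {
        "class": "Security",
        "severity": checkpoint_severity(fields),
        "action": fields.get("action"),
        "src": fields.get("src"),
        "dst": fields.get("dst"),
        "service": fields.get("service"),
        "alert": fields.get("alert") or None,
    }


def application_event(starting):
    """Table 1-4: the collector's own start/stop events. They are not Check
    Point log messages; the collector generates them itself."""
    return {
        "class": "Application",
        "severity": "Informational",
        "message": "The Symantec Event Collector for Check Point is %s"
                   % ("starting" if starting else "stopping"),
    }


def process_batch(lines):
    """One collector run: Application Start, one Security event per parsable
    record (unparsable lines are skipped, not escalated), Application Stop."""
    events = [application_event(True)]
    for line in lines:
        fields = parse_record(line)
        if fields:
            events.append(security_event(fields))
    events.append(application_event(False))
    return events


def summarize(events):
    """Count events by (class, severity): a quick sanity check of the feed."""
    counts = {}
    for e in events:
        key = (e["class"], e["severity"])
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    batch = process_batch(SAMPLE_RECORDS)
    for e in batch:
        print(e)
    print(summarize(batch))
```

Note what the alert rule does and does not do: a dropped connection without an alert stays Informational, exactly like an accepted one, so if you want drops to stand out in the SESA Console you attach an alert to the Check Point rule rather than expecting the collector to escalate on the action field.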
56. ty from the Log Server to the SESA Manager. By default, the SESA Agent connects to the SESA Manager using HTTPS on port 443. You can configure a different port if desired. Appropriate routing must exist between the SESA Agent and the SESA Manager so that firewall event messages can reach the SESA Manager. In addition, make sure that there is no firewall policy blocking the connection between the SESA Agent and the SESA Manager.

To test for connectivity
At a command prompt, issue the following command:
telnet <SESA IP address> 443
where <SESA IP address> is the IP address of the SESA Manager. The connection should appear to hang but not be refused. After typing a few characters, there should be a message that the connection has been lost: the HTTPS listener closes the session because what you typed is not a TLS handshake, which is the expected result. If the connection is refused, make sure that the Check Point firewall has a rule that allows traffic to the SESA Manager. A connection that times out rather than being refused usually means a policy that silently drops the packets or a missing route, and should be investigated the same way. See "Allowing traffic from the Symantec Event Collector for Check Point to the SESA Manager" on page 24.

Check Point Log Server prerequisites

Symantec Event Manager for Firewall, the SESA Agent, and the Symantec Event Collector for Check Point VPN-1/FireWall-1 must be installed on the computer that is running the Check Point Log Server. Before you install any components on the Check Point Log Server, ensure that it is installed and operating properly. For installation inf
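The telnet test above has three distinguishable outcomes (open, refused, no answer) and a second stage (the peer hangs up once it receives non-TLS bytes). The following script, an added example that is not part of the manual or of Symantec's software, performs both stages from the Log Server and names each outcome in the manual's terms. The loopback listener at the bottom stands in for the SESA Manager's HTTPS port so the module can be exercised offline; the target host and port are assumed (defaults below) and should be replaced by the real SESA Manager address.

```python
import socket
import sys
import threading

SESA_DEFAULT_PORT = 443  # the SESA Agent's default HTTPS port to the Manager


def check_tcp(host, port, timeout=5.0):
    """Outcome of a plain TCP connect, in the terms the manual uses.

    'open'        handshake completed: the session telnet shows as 'hanging'
    'refused'     RST came back: port closed, or a firewall rule that rejects
    'timeout'     nothing came back: a policy that silently drops, or no route
    'unreachable' local error (no route, name resolution failed, ICMP unreachable)
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "refused"
    except socket.timeout:
        return "timeout"
    except OSError:
        return "unreachable"


def probe_after_connect(host, port, timeout=5.0, payload=b"hello\r\n"):
    """Second half of the telnet test: connect, send a few bytes, watch the peer.
    'closed' is the healthy answer for an HTTPS port (a TLS server drops a
    session that does not start with a ClientHello); 'responded' means
    something other than TLS answered; 'silent' means the peer swallowed the
    bytes and neither replied nor hung up within the timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(payload)
            data = s.recv(1024)
    except (ConnectionResetError, BrokenPipeError):
        return "closed"
    except socket.timeout:
        return "silent"
    except OSError:
        return "unreachable"
    return "closed" if data == b"" else "responded"


def start_local_listener():
    """Loopback stand-in for the Manager's HTTPS port: accept, read one chunk,
    hang up. Returns the bound port. For offline demonstration only."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            with conn:
                try:
                    conn.recv(1024)
                except OSError:
                    pass

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def find_closed_loopback_port():
    """A loopback port with nothing listening, so 'refused' can be shown offline."""
    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind(("127.0.0.1", 0))
    port = tmp.getsockname()[1]
    tmp.close()
    return port


if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    port = int(sys.argv[2]) if len(sys.argv) > 2 else SESA_DEFAULT_PORT
    state = check_tcp(host, port)
    print("connect to %s:%d -> %s" % (host, port, state))
    if state == "open":
        print("after sending bytes -> %s" % probe_after_connect(host, port))
```

Run it as `python check_sesa.py <SESA IP address> 443` from the Check Point Log Server. "open" followed by "closed" is the healthy pair; "refused" or "timeout" points at the firewall rule or route between the Agent and the Manager.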
57. warranty period or refund the money you paid for the Software. Symantec does not warrant that the Software will meet your requirements, that operation of the Software will be uninterrupted, or that the Software will be error-free. THE ABOVE WARRANTY IS EXCLUSIVE AND IN LIEU OF ALL OTHER WARRANTIES, WHETHER EXPRESS OR IMPLIED, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, AND NONINFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS. THIS WARRANTY GIVES YOU SPECIFIC LEGAL RIGHTS. YOU MAY HAVE OTHER RIGHTS, WHICH VARY FROM STATE TO STATE AND COUNTRY TO COUNTRY.

4. DISCLAIMER OF DAMAGES: SOME STATES AND COUNTRIES, INCLUDING MEMBER COUNTRIES OF THE EUROPEAN ECONOMIC AREA, DO NOT ALLOW THE LIMITATION OR EXCLUSION OF LIABILITY FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES, SO THE BELOW LIMITATION OR EXCLUSION MAY NOT APPLY TO YOU. TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW AND REGARDLESS OF WHETHER ANY REMEDY SET FORTH HEREIN FAILS OF ITS ESSENTIAL PURPOSE, IN NO EVENT WILL SYMANTEC BE LIABLE TO YOU FOR ANY SPECIAL, CONSEQUENTIAL, INDIRECT, OR SIMILAR DAMAGES, INCLUDING ANY LOST PROFITS OR LOST DATA ARISING OUT OF THE USE OR INABILITY TO USE THE SOFTWARE, EVEN IF SYMANTEC HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. IN NO CASE SHALL SYMANTEC'S LIABILITY EXCEED THE PURCHASE PRICE FOR THE SOFTWARE. The disclaimers and limitations set forth above will apply regardless of whether you accept the Software.

5.
58. ymantec Event Collector for Check Point VPN-1/FireWall-1: Customizing the SESA Agent configuration

Table 3-2 Recommended SESA Agent settings (continued)
App flush size: 999 kb
App flush count: 1000
App flush time: 30 seconds
Agent outbound data is sent to the SESA Manager whenever one of these three triggers is tripped. Note: This only applies to batch events. Direct events are always sent as soon as possible. By default, the SESA Agent waits 5 minutes to forward events unless the App flush count is exceeded. Reducing the App flush time limits how many events queue up, and how long they wait before they are sent to the SESA Manager.
App spool size: 1000 kb. The size in kilobytes of the Symantec Event Collector for Check Point queue that the SESA Agent holds in memory when it is not able to send the normal queue to the SESA Manager. If the queue exceeds this size and still needs to grow, the queue is written to disk.

Index
A
Add/Remove Programs, Symantec Event Collector for Check Point, 39
agent settings file, 37
alerts: effect on log messages, 16; configuring in Check Point policies, 45
Application Library, SESA Agent, 14
Application Log, verifying Symantec Event Collector for Check Point operation, 39
C
CD contents, Symantec Event Collector for Check Point, 18
Check Point events: processed, 15; mapping of events to SESA, 15
Check Point Log Server: allowing traff
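Table 3-2 (the Maximum queue size row in the earlier fragment and the flush and spool rows here) describes three interacting limits, and the consequence of getting them wrong is silent event loss: once the queue hits Maximum queue size, log requests are refused. The simulation below is an added example, not Symantec's agent code; it models the documented behaviour (flush the batch when any of App flush size, App flush count or App flush time trips; hold flushed batches in memory up to App spool size while the Manager is unreachable, then overflow to disk; refuse new events at Maximum queue size) so the settings can be compared on constructed traffic. Assumptions: batches move to the spool whole rather than byte by byte, a batch is sent immediately when a trigger trips and the Manager is up, and the factory default differs from the recommended settings only in the 5-minute flush time the text mentions.

```python
from dataclasses import dataclass

KB = 1024


@dataclass
class AgentSettings:
    """SESA Agent logging parameters from Table 3-2, in the table's units."""
    max_queue_kb: int = 9999     # Maximum queue size: beyond this, log requests are refused
    flush_size_kb: int = 999     # App flush size
    flush_count: int = 1000      # App flush count
    flush_time_s: float = 30.0   # App flush time
    spool_kb: int = 1000         # App spool size: in-memory holding area while the Manager is down


RECOMMENDED = AgentSettings()
DEFAULT = AgentSettings(flush_time_s=300.0)   # the factory 5-minute wait (other values assumed equal)


class AgentQueue:
    """Batch-event queue of one SESA Agent. Event sizes are bytes, times are seconds."""

    def __init__(self, settings, manager_up=True):
        self.s = settings
        self.manager_up = manager_up
        self.batch_count = 0            # events waiting for a flush trigger
        self.batch_bytes = 0
        self.batch_opened_at = None
        self.memory, self.memory_bytes = [], 0   # flushed batches held in memory (Manager down)
        self.disk, self.disk_bytes = [], 0       # batches that overflowed App spool size
        self.delivered = []             # event count of each batch that reached the Manager
        self.refused = 0                # log requests refused at Maximum queue size (events lost)

    @property
    def queued_bytes(self):
        return self.batch_bytes + self.memory_bytes + self.disk_bytes

    def _trigger_tripped(self, now):
        """Any one of the three App flush triggers sends the batch."""
        return self.batch_count > 0 and (
            self.batch_bytes >= self.s.flush_size_kb * KB
            or self.batch_count >= self.s.flush_count
            or now - self.batch_opened_at >= self.s.flush_time_s)

    def _flush(self):
        batch = (self.batch_count, self.batch_bytes)
        self.batch_count, self.batch_bytes, self.batch_opened_at = 0, 0, None
        if self.manager_up:
            self.delivered.append(batch[0])
        elif self.memory_bytes + batch[1] <= self.s.spool_kb * KB:
            self.memory.append(batch)          # still fits in the in-memory spool
            self.memory_bytes += batch[1]
        else:
            self.disk.append(batch)            # spool full: the queue continues on disk
            self.disk_bytes += batch[1]

    def log(self, event_bytes, now):
        """A log request from the collector. Returns False if refused (event lost)."""
        if self.queued_bytes + event_bytes > self.s.max_queue_kb * KB:
            self.refused += 1
            return False
        if self.batch_count == 0:
            self.batch_opened_at = now
        self.batch_count += 1
        self.batch_bytes += event_bytes
        if self._trigger_tripped(now):
            self._flush()
        return True

    def tick(self, now):
        """Timer callback: fires the App flush time trigger with no new event."""
        if self._trigger_tripped(now):
            self._flush()

    def set_manager_up(self, up):
        """Connectivity change. When the Manager returns, drain memory, then disk."""
        self.manager_up = up
        if up:
            for count, _ in self.memory + self.disk:
                self.delivered.append(count)
            self.memory, self.memory_bytes = [], 0
            self.disk, self.disk_bytes = [], 0


def simulate_outage(settings, n_events, event_bytes):
    """Manager unreachable for the whole run of n_events; returns what happened."""
    q = AgentQueue(settings, manager_up=False)
    accepted = sum(q.log(event_bytes, now=i * 0.001) for i in range(n_events))
    return {"accepted": accepted, "refused": q.refused,
            "in_memory_batches": len(q.memory), "on_disk_batches": len(q.disk),
            "queued_kb": q.queued_bytes // KB}


if __name__ == "__main__":
    print("outage, 12000 x 1 kb events:", simulate_outage(RECOMMENDED, 12000, 1 * KB))
```

With the recommended settings and 1 kb events, a Manager outage of twelve thousand events keeps 9999 of them (one batch in memory, nine on disk) and refuses the rest; that refused count is the number you would otherwise never see in the SESA Console, which is the argument for monitoring the Agent's queue and for the connectivity check in the earlier section.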
59. ymantec Event Collector for Check Point VPN-1/FireWall-1 requires Symantec Event Manager for Firewall 1.0 and Symantec Enterprise Architecture Foundation Pack version 1.1.

Note: This guide uses the phrase Symantec Event Collector for Check Point to refer to the Symantec Event Collector for Check Point VPN-1/FireWall-1.

About Symantec Enterprise Security Architecture

Symantec Enterprise Security Architecture (SESA) is an underlying software infrastructure and a common user interface framework. It integrates multiple Symantec Enterprise Security products and third-party products to provide flexible control of security within organizations. SESA consists of several individual components that together provide a unique, scalable security infrastructure. Table 1-1 describes these components.

Table 1-1 SESA components
SESA Manager: The SESA Manager is the hub for the SESA Directory and the SESA DataStore. It is the central processing server for the Agents, DataStore, Directory, and Console. All SESA data passes through the SESA Manager.
SESA DataStore: This relational database stores all event and alert data generated by SESA and SESA-enabled products such as the Symantec Event Collector for Check Point.
SESA Directory: Stores the configuration data required to manage SESA-enabled security products and SE
