Event Forwarding - Push to SIEM
The Infinity Portal can forward logs to a SIEM server in one of three formats: Syslog, LEEF, or CEF. The connection is TCP with mutual TLS, so both sides present a certificate and verify the other's before any log data is sent.
Prerequisites:

- The SIEM server must support TLS 1.2.
- The OpenSSL CLI must be installed on your computer.
- Make sure your network and SIEM server allow inbound connections from the Infinity Portal source addresses for your region:

| Region | Source IP Address | FQDN (recommended) | Source Port |
|---|---|---|---|
| EU | 20.73.193.110 | | No specific port required |
| US | 20.85.1.184 | | No specific port required |
| UAE | 20.233.160.96/29 | whitelist-cidr.ae.datatube.checkpoint.com | 514 |
| AUS | 20.92.158.64, 20.92.158.102 | | No specific port required |

The allowlist only restricts which sources can reach the port. The sender itself is authenticated by the mutual TLS handshake you set up in the Certificates tab.
File Extensions

| File | Description |
|---|---|
| .key | Private key |
| .pem | Certificate (public key); for the CA, this is the <CA>.pem file that you install on the SIEM server and upload to the Infinity Portal |
| .csr | Certificate Signing Request |
| .crt | Certificate you create when you sign the .csr file with your CA |
| .pfx | If you use an existing Domain Certificate, this file contains the <CA>.key file and the <CA>.pem file |
If you already have a <CA>.key file and a <CA>.pem file, skip this step.

If you do not have a <CA>.key file and a <CA>.pem file, follow one of these procedures to prepare your organization's Domain Certificate.

Method 1 - Generate a new Client CA

1. On your computer, in the OpenSSL CLI, generate a Client CA:
   a. Create the <CA>.key file. This is the CA private key: keep it on a trusted machine and never install or upload it anywhere.
      openssl genrsa -out <CA>.key 2048
   b. Create the <CA>.pem file (the self-signed CA certificate):
      openssl req -x509 -new -nodes -key <CA>.key -sha256 -days 825 -out <CA>.pem
2. On your computer, in the OpenSSL CLI, create a certificate for the SIEM server:
   a. Create a key for the SIEM server:
      openssl genrsa -out <SERVER>.key 2048
   b. Generate a .csr file for the SIEM server. When prompted for the Common Name, use the SIEM server's FQDN or IP address, that is, the value you will later enter in the Host field of the Destination:
      openssl req -new -key <SERVER>.key -out <SERVER>.csr
   c. Generate the server certificate (.crt file) by signing the .csr file with your organization's CA:
      openssl x509 -req -in <SERVER>.csr -CA <CA>.pem -CAkey <CA>.key -CAcreateserial -out <SERVER>.crt -days 825 -sha256
3. Install the SIEM server certificate (<SERVER>.crt), the SIEM server key (<SERVER>.key), and the CA certificate (<CA>.pem) on your SIEM server (for example, Splunk, Syslog, or QRadar).
4. In the configuration of the SIEM server, define the <CA>.pem file as a trusted certificate. This is what lets the SIEM server verify the client certificate that the Infinity Portal presents.
Method 2 - Use an existing .pfx file

If you already have a .pfx file, use this method.

Prerequisites:

- The .pfx file that contains the <CA>.key file and the <CA>.pem file.
- The passphrase of the .pfx file.

Procedure

Do these steps in the OpenSSL CLI on your computer:

1. Extract the <CA>.pem file (certificate only) from the .pfx file:
   openssl pkcs12 -in <CERTIFICATE>.pfx -nokeys -out <CA>.pem
   The -nokeys option writes only the certificate, so the private key cannot end up in the file that you later install on the SIEM server and upload to the Infinity Portal.
2. Extract the <CA>.key file from the .pfx file:
   openssl pkcs12 -in <CERTIFICATE>.pfx -nocerts -out <CA>.key
3. Remove the passphrase from the <CA>.key file:
   openssl rsa -in <CA>.key -out <my-key-nopass>.key
   Use the resulting passphrase-free key as <CA>.key in the steps that follow, and protect it like any other CA private key.
On your SIEM server, open a dedicated port to receive logs from the Infinity Portal, and allow these Infinity Portal source addresses on it:

| Region | IP Addresses | Port |
|---|---|---|
| EU | 20.73.193.110 | No specific port required |
| AUS | 20.92.158.64, 20.92.158.102 | No specific port required |
| US | 20.85.1.184 | No specific port required |
| UAE | 20.233.160.96/29 (whitelist-cidr.ae.datatube.checkpoint.com) | 514 |

Where no specific port is required, the port is the one you enter in the Port field of the Destination.
A Destination object in the Infinity Portal defines a connection between the Infinity Portal and a SIEM server.
After you configure a Destination for your SIEM server, you can review, edit, search, and delete the destination(s) in the Manage Destinations window. For more information, see Managing Destinations.
To create a Destination:

1. In the Infinity Portal, go to Event Forwarding.
2. Click Create Destination or Manage Destinations. The New Destination window opens.
3. From the Forwarding method list, select Push to SIEM.
4. Enter a name for the destination.
5. From the list, select a SIEM server.
6. In the Host field, enter the address of the SIEM server as an IP address or FQDN.
7. In the Port field, enter the port on which the SIEM server listens for these logs.
   Note - Below the Port field, default configurations appear. You cannot change these configurations:
   - Protocol - The communication protocol. Currently, only TCP is supported.
   - Encryption - The encryption protocol. Currently, only mutual TLS is supported.
8. Click Next. The Certificates tab opens.
For this step, keep the Certificates tab of the Infinity Portal open and the SIEM server running. Then follow the numbered workflow in the Certificates tab:

1. Client Certificate Signing Request (.csr file):
   a. In the Infinity Portal, click Certificate Sign Request. Your web browser downloads the Infinity Portal's .csr file to your computer.
   b. On your computer, open the downloaded .csr file in the OpenSSL CLI.
   c. On your computer, use the openssl x509 command to sign the downloaded request with your CA. This requires the CA private key (<CA>.key) and the CA certificate (<CA>.pem).
      Note - Make sure you are in the same working folder as the <CA>.key and <CA>.pem files.
      openssl x509 -req -in <CERTIFICATE>.csr -CA <CA>.pem -CAkey <CA>.key -CAcreateserial -out <YOUR-CERTIFICATE>.crt -days 825 -sha256
2. Client Certificate (.crt file) - In the Infinity Portal, click Browse and upload the signed Client Certificate (<YOUR-CERTIFICATE>.crt). The Infinity Portal presents this certificate to your SIEM server during the mutual TLS handshake.
   Best Practice - For a more secure connection, Check Point recommends that you also upload the signed Client Certificate (.crt file) to your SIEM server, so the SIEM server can restrict access to this specific certificate rather than to any certificate issued by your CA.
3. Certificate Authority (CA) certificate (.pem file) - Click Browse and upload the CA certificate (<CA>.pem). Upload only the certificate; the <CA>.key file must never leave your organization.
4. Test Connectivity - Click Test Connectivity. This confirms that the SIEM server accepts connections from Event Forwarding and, because the handshake is mutual TLS, that Event Forwarding is not impersonated by an attacker.
   Important - In a first-time configuration, you must run a successful test before you can continue configuring Event Forwarding.
5. Click Finish.
   If the connection is successful, "Connect successfully" appears.
   If the connection is not successful, refer to sk182879 - Infinity Portal Event Forwarding - Troubleshooting.
After configuring the destination, add a forwarding rule with this destination. For more information, see Managing Forwarding Rules.
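The OpenSSL workflow described above (Method 1: new Client CA and SIEM server certificate; Method 2: .pfx extraction; and the signing of the Infinity Portal's CSR from the Certificates tab) as one runnable script, with the checks an engineer would run before uploading anything. This is an added example and not Check Point's code. Its assumptions: the host name siem.example.com, the file names, and the passphrase "changeit" are placeholders; a locally generated key and CSR stand in for the CSR that the Infinity Portal lets you download; and it adds a subjectAltName and extendedKeyUsage that the page's commands leave out, because most TLS stacks no longer match a host name against the Common Name alone. It also goes one step beyond the page with an explicit check that the .pem extracted from a .pfx contains no private key.

```shell
#!/bin/sh
# Added example (not Check Point's code): builds the Event Forwarding PKI
# described on this page with the OpenSSL CLI and verifies it before upload.
# Assumed placeholders: siem.example.com, the file names under $WORK, the
# passphrase "changeit". The "portal" key/CSR stand in for the CSR that the
# Infinity Portal lets you download; the real private key never leaves the portal.
set -eu
command -v openssl >/dev/null 2>&1 || { echo "openssl CLI not found, nothing to do" >&2; exit 0; }

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
SIEM_HOST="siem.example.com"

# Method 1: the organization's Client CA (<CA>.key / <CA>.pem on the page).
make_ca() {
  openssl genrsa -out "$WORK/ca.key" 2048 2>/dev/null
  # -nodes: leave the key unencrypted (OpenSSL 3 also accepts -noenc)
  openssl req -x509 -new -nodes -key "$WORK/ca.key" -sha256 -days 825 \
    -subj "/CN=Example Org Event Forwarding CA" -out "$WORK/ca.pem" 2>/dev/null
}

# Certificate for the SIEM server, signed by the CA. The page's commands add no
# extensions; a SAN is added here so TLS clients can match the host name.
make_server_cert() {
  openssl genrsa -out "$WORK/server.key" 2048 2>/dev/null
  openssl req -new -key "$WORK/server.key" -subj "/CN=$SIEM_HOST" \
    -out "$WORK/server.csr" 2>/dev/null
  printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\nbasicConstraints=CA:FALSE\n' \
    "$SIEM_HOST" > "$WORK/server.ext"
  openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
    -CAcreateserial -extfile "$WORK/server.ext" -days 825 -sha256 \
    -out "$WORK/server.crt" 2>/dev/null
}

# Certificates tab: sign the Infinity Portal's CSR (stand-in generated locally).
sign_portal_csr() {
  openssl genrsa -out "$WORK/portal.key" 2048 2>/dev/null
  openssl req -new -key "$WORK/portal.key" -subj "/CN=Infinity Portal Event Forwarding" \
    -out "$WORK/portal.csr" 2>/dev/null
  printf 'extendedKeyUsage=clientAuth\nbasicConstraints=CA:FALSE\n' > "$WORK/client.ext"
  openssl x509 -req -in "$WORK/portal.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
    -CAcreateserial -extfile "$WORK/client.ext" -days 825 -sha256 \
    -out "$WORK/portal.crt" 2>/dev/null
}

# Method 2: pack the CA into a .pfx (as a domain CA would be delivered) and extract it again.
pfx_roundtrip() {
  openssl pkcs12 -export -inkey "$WORK/ca.key" -in "$WORK/ca.pem" \
    -passout pass:changeit -out "$WORK/ca.pfx" 2>/dev/null
  # -nokeys: certificate only, so no private key lands in the file you upload
  openssl pkcs12 -in "$WORK/ca.pfx" -passin pass:changeit -nokeys \
    -out "$WORK/ca-from-pfx.pem" 2>/dev/null
  openssl pkcs12 -in "$WORK/ca.pfx" -passin pass:changeit -nocerts -nodes \
    -out "$WORK/ca-from-pfx.key" 2>/dev/null
}

# Checks to run before uploading anything.
# Both leaf certificates chain to the CA that will be uploaded to the portal.
verify_chain() {
  openssl verify -CAfile "$WORK/ca.pem" "$WORK/server.crt" "$WORK/portal.crt" >/dev/null 2>&1
}
# The CA extracted from the .pfx is the same trust anchor.
verify_chain_from_pfx() {
  openssl verify -CAfile "$WORK/ca-from-pfx.pem" "$WORK/server.crt" >/dev/null 2>&1
}
# Key and certificate belong together (a frequent cause of handshake failures).
key_matches_cert() {  # $1 = key file, $2 = certificate file
  [ "$(openssl pkey -in "$1" -pubout 2>/dev/null)" = "$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null)" ]
}
# The portal's certificate is valid for client auth, the server's for server auth only.
purposes_are_right() {
  openssl verify -CAfile "$WORK/ca.pem" -purpose sslclient "$WORK/portal.crt" >/dev/null 2>&1 &&
  openssl verify -CAfile "$WORK/ca.pem" -purpose sslserver "$WORK/server.crt" >/dev/null 2>&1 &&
  ! openssl verify -CAfile "$WORK/ca.pem" -purpose sslclient "$WORK/server.crt" >/dev/null 2>&1
}
# The .pem extracted from the .pfx carries no private key; the .key does.
pfx_extract_is_clean() {
  ! grep -q 'PRIVATE KEY' "$WORK/ca-from-pfx.pem" && grep -q 'PRIVATE KEY' "$WORK/ca-from-pfx.key"
}

make_ca; make_server_cert; sign_portal_csr; pfx_roundtrip
if verify_chain && verify_chain_from_pfx \
   && key_matches_cert "$WORK/server.key" "$WORK/server.crt" \
   && purposes_are_right && pfx_extract_is_clean; then
  echo "PKI built and verified in $WORK"
else
  echo "verification failed" >&2; exit 1
fi
```

To dry-run the Test Connectivity step against your own listener before involving the portal, run openssl s_server -accept <port> -cert server.crt -key server.key -CAfile ca.pem -Verify 1 on the SIEM host and connect with openssl s_client -connect <host>:<port> -cert portal.crt -key portal.key -CAfile ca.pem -verify_return_error; the -Verify option makes the server require a client certificate, which is the same mutual TLS handshake the portal performs.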