Event Forwarding

Introduction

Event Forwarding is an easy and secure procedure to export Infinity Portal data over the Syslog protocol. You can forward logs, events, and saved application data from your Check Point Infinity Portal account to a SIEM (Security Information and Event Management) provider, such as Splunk, QRadar, or ArcSight. The SIEM server processes large amounts of data and shows it in dashboards or notifications. To set up Event Forwarding, you must use certificates to establish secure communication between the Infinity Portal and your SIEM server.

Use Case

A typical use case is an organization that uses a number of security vendors, along with Check Point, to protect itself from cyber attacks. The organization uses an external analytics platform to see all data from every vendor in a single pane of glass.

Prerequisite

The SIEM server must support TLS 1.2.

The OpenSSL CLI must be installed on your computer.

Glossary

File 

Description

<CA>.key

Private key

<CA>.pem

Public key

.csr file

Certificate Sign Request.

.crt file

file you create when you sign the .csr file with the <CA>.key and the <CA>.pem.

.pfx file

If you use an existing Domain Certificate, this file contains the [CA].key and CA].pem.

Configuration

If you already have a <CA>.key file and a <CA>.pem file, then skip this step

If you do not have a <CA>.key file and a <CA>.pem file, follow one of these procedures to prepare your organization's Domain Certificate:

  1. On your computer, in OpenSSL CLI, generate a Client CA:

    1. Create the <CA>.key file:

      openssl genrsa -out <CA>.key 2048

    2. Create <CA>.pem file:

      openssl req -x509 -new -nodes -key <CA>.key -sha256 -days 825 -out <CA>.pem

  2. On your computer, in OpenSSL CLI, create a certificate for the SIEM server:

    1. Create a key for the SIEM server:

      openssl genrsa -out <SERVER>.key 2048

    2. Generate a .csr file for the SIEM server:

      openssl req -new -key <SERVER>.key -out <SERVER>.csr

    3. Generate a Client Certificate (.crt) file for the SIEM server. To do this, sign the .csr file of the SIEM server with the SIEM server's <CA>.pem and <SERVER>.key:

      openssl x509 -req -in <SERVER>.csr -CA <CA>.pem -CAkey <SERVER>.key -CAcreateserial -out <SERVER>.crt -days 825 -sha256

  3. Install your SIEM server certificate, SIEM server key, and the CA on your SIEM server (examples: Splunk, Syslog, QRadar).

  4. In the configuration of the SIEM server, define the <CA>.pem as a trusted certificate.

If you already have a .pfx file, then use this method.

Prerequisites:

  • The .pfx file that contains the <CA>.key file and the <CA>.pem file.

  • The passphrase of the .pfx file.

Procedure

Do these steps in Open SSL CLI on your computer:

  1. Extract the <CA>.pem file from the .pfx file:

    openssl pkcs12 -in <CERTIFICATE>.pfx -out <CA>.pem –nodes

  2. Extract the <CA>.key file from the .pfx file:

    openssl pkcs12 -in <CERTIFICATE>.pfx -nocerts -out <CA>.key

  3. Remove the passphrase from the <CA>.key file:

    openssl rsa -in <CA>.key -out <my-key-nopass>.key

On your SIEM server, open a dedicated port to receive logs from Event Forwarding.

Region

IP Addresses

Port

EU

  • 20.73.193.110

No specific port required

AUS

  • 20.92.158.64

  • 20.92.158.102

No specific port required

US

  • 20.85.1.184

No specific port required

UAE

  • 20.74.203.248

514

A Destination object in the Infinity Portal defines a connection between the Infinity Portal and a SIEM server.

After you configure a Destination for your SIEM server, you can review, edit, search, and delete the destination(s) in the Manage Destinations window. For more information, see Managing Destinations.

  1. In the Infinity Portal, click > Event Forwarding.

  2. Click Create Destination /Manage Destinations.

    The Create Destination / Manage Destinations window opens.

  3. Click + ADD DESTINATION.

    The New `Destination window opens.

  4. In the field at the top of the New Destination window, enter a name for the destination.

    The General tab opens.

  5. In the Host field, enter the address of the SIEM server as an IP address or FQDN.

  6. In the Port field, enter the port to use for the SIEM server.

    Note -Below the Port field, default configurations appear. You cannot change these configurations:

    • Type - The type of logs that your external analytics platform receives. Currently, only Syslog is supported.

    • Protocol - The communication protocol. Currently, only TCP is supported.

    • Encryption - The encryption protocol. Currently, only mutual TLS is supported.

  7. Click Next.

    The Certificates tab opens.

For this step, keep the Certificates tab of the Infinity Portal open and keep the SIEM server active. Follow the numbered workflow in the Certificates tab in the Infinity Portal.

  1. Client Certification Sign Request (.csr file)

    1. In the Infinity Portal, click Certificate Sign Request.

      Your web browser downloads the Infinity Portal's .csr file to your computer.

    2. On your computer, use the OpenSSL command line to open the .csr file.

    3. On your computer, use the openssl x509 command to sign the downloaded Client Certificate. To do this, it is necessary to enter your private and public keys.

      Note - Make sure you are in the same working folder as the <CA>.key and <CA>.pem files.

      openssl x509 -req -in <CERTIFICATE>.csr -CA <CA>.pem -CAkey <CA>.key -CAcreateserial -out <YOUR-CERTIFICATE>.crt -days 825 -sha256

  2. Client Certificate (.crt file)

    1. In the Infinity Portal, click Browse and upload the signed Client Certificate (.crt file).

    Best Practice - For a more secure connection, Check Point recommends to also upload the signed Client Certificate (.crt file) to your SIEM server.

  3. Certificate Authority (CA) certificate (.pem file)

    1. Click Browse and upload the SIEM server's CA certificate (<CA>.pem).

  4. Test Connectivity

    This is to confirm that the server communicates with Event Forwarding and that Event Forwarding is not impersonated by an attacker.

    Important - In a first-time configuration, you must do a successful test before you can continue configuring Event Forwarding.

    1. Click Test Connectivity.

      If the connection is successful, then Connect successfully appears.

      If the connection is not successful, then one ore more of these error messages appears:

      Error Message

      Resolution

      TLS certificates mismatch

      1. Download the .csr file again.

      2. Re-sign the .csr file.

      3. Upload the .crt file.

      4. Upload the <CA>.pem file.

      Connection Time Out

      Make sure that:

      1. In the SIEM server settings, the relevant port and IP address are open.

      2. You server has the maximum number of TCP connections allowed.

      3. If there is a firewall, make sure the firewall does not block the relevant port and IP address.

      Destination self-signed certificates validation failed

      Make sure the CA certificate you used to sign the .csr file is installed on your SIEM server

      Could not connect to destination

      1. Make sure your firewall does not block the connection.

      2. Make sure your SIEM server settings are correct and that the relevant ports and IP address are open.

  5. Click Finish.

A Forwarding rule is a set of conditions for data forwarding from the Infinity Portal to a SIEM server.

To create a forwarding rule:

  1. Click the [+] icon or the + Add button.

    The New Forwarding Rule window opens.

  2. Fill the relevant fields.

  3. Click Create.

Managing Destinations

After you configure destination(s) for an external-analytics platform, you can review, edit, delete, and search them in the Manage Destinations window.

In the Manage Destinations window, on the left pane, select the name of the destination. The right pane shows the settings for the destination and the rules that use the destination.

  1. In the Destinations window, on the left pane, select the destination's name.

  2. Click the edit icon .

    The Edit Destination window opens.

  3. Change the settings as necessary.

  4. Click Apply.

  5. Click Close.

  1. In the Manage Destinations window, on the left pane, select the destination's name.

  2. Make sure that no rule uses this destination. A destination cannot be deleted if it corresponds to a rule.

    If there is no destination configured with the Used by Rule, then the right pane is empty. If some rules use the destination, replace the destination or delete the rules.

  3. Click the delete icon.

  1. In the Manage Destinations window, in the search field, start to enter the destination's name.

    A list of destinations opens.

  2. Click the destination to see more details about the configuration.

  3. To exit, click Close.

Managing Forwarding Rules

On the Events page, Forwarding Rules show with the rule name, the services you forward data from, and the name of the destination to which you forward the data.

To add a new Forwarding Rule:

Click the [+] icon or the + Add.

To edit a Forwarding Rule

Put the cursor on the rule and click , then select Edit. Change the rule settings as necessary.

To delete a Forwarding Rule

Put the cursor on the rule and click , then select Delete.