Event Forwarding
Event Forwarding is an easy and secure procedure to export Infinity Portal data over the Syslog protocol. You can forward logs, events, and saved application data from your Check Point Infinity Portal account to a SIEM (Security Information and Event Management) provider, such as Splunk, QRadar, or ArcSight. SIEM providers process large volumes of data and present it for analysis in dashboards or send notifications.
Use Case
A typical use case is an organization that uses a number of security vendors, along with Check Point, to protect itself from cyber attacks. The organization uses an external analytics platform to see all data from every vendor in a single pane of glass.
Prerequisites
To forward your data from the Infinity Portal to an external analytics platform, you must configure these entities:
- Set the Destination - Details of your SIEM platform.
- Create a Forwarding Rule - A set of conditions for data forwarding.
- To enable this connection, open a specified port on your inbound server.
- To secure your server and not expose it to all IPv4 addresses, configure the server to accept connections on that port only from the Check Point IP addresses for your region:
Region | IP Addresses
US | 20.85.1.184
EU | 20.73.193.110
AUS | 20.213.113.233, 20.92.158.64, 20.92.158.102
UK | 54.228.200.90, 34.248.94.75
India | 3.25.28.241, 13.237.215.109
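The per-region allowlist expressed as host firewall rules, added here as an example and not part of Check Point's documentation. It assumes an iptables host and uses TCP 6514 (syslog over TLS) as the default port, which the page does not state; the addresses are the ones in the table above.

```shell
#!/bin/sh
# Added example, not from the Check Point page: iptables rules that accept the
# forwarding port only from the Infinity Portal addresses listed for one region
# and drop every other source on that port. Mutual TLS still authenticates the
# peer; this allowlist only shrinks who can reach the listener at all.
# Assumptions: an iptables host; port 6514 (syslog over TLS) as the default.

# Source addresses per region, copied from the table on this page.
ef_region_ips() {
    case "$1" in
        US)    echo "20.85.1.184" ;;
        EU)    echo "20.73.193.110" ;;
        AUS)   echo "20.213.113.233 20.92.158.64 20.92.158.102" ;;
        UK)    echo "54.228.200.90 34.248.94.75" ;;
        India) echo "3.25.28.241 13.237.215.109" ;;
        *)     return 1 ;;
    esac
}

# Print (do not apply) the rules for region $1 and TCP port $2: one accept per
# published address, followed by a catch-all drop for that port.
ef_allow_rules() {
    region="$1"; port="$2"
    ips=$(ef_region_ips "$region") || { echo "unknown region: $region" >&2; return 1; }
    for ip in $ips; do
        echo "iptables -A INPUT -p tcp --dport $port -s $ip -j ACCEPT"
    done
    echo "iptables -A INPUT -p tcp --dport $port -j DROP"
}

# Review the output first, then apply it with: ef_allow_rules EU 6514 | sh
ef_allow_rules "${1:-EU}" "${2:-6514}"
```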
How to Create a New Destination
A destination is a connection between the Infinity Portal and a SIEM provider.
After you configure a destination for your external analytics platform, you can review, edit, search, and delete the destination(s) in the Manage Destinations window. For more information, see How to Manage Destinations.
- In the Infinity Portal, click > Event Forwarding.
- Click Manage Destinations. The Manage Destinations window opens.
- Click + ADD DESTINATION. The New Destination window opens.
- In the field at the top of the New Destination window, enter a name for the destination.
- Open the General tab.
- Make sure these fields are populated:
  - Type - The type of logs that your external analytics platform receives. Currently, only Syslog is supported.
  - Host - Enter the host address as an IP address or FQDN.
  - Port - Enter the host's port.
  - Protocol - The communication protocol. Currently, only TCP is supported.
  - Encryption - The encryption protocol. Currently, only mutual TLS is supported.
Note - To complete this step, it is necessary to use the OpenSSL command line or an equivalent option. For OpenSSL, see OpenSSL Downloads.
Important - The Client Certificate sign request (.csr) is global per account. When you download a new request, it cancels the previous request.
Best Practice - Save the downloaded .csr file on your computer for later use. In the Certificates tab, click Certificate Sign Request to download the Check Point Certificate.csr file to your computer.
When you create or edit a destination, you must provide certificates under the Certificates field. This certification procedure is essentially a TLS handshake.
These are the types of certificates related to the destination:
- Client Certificate
- Server Certificate
- Certificate Authority
The .CSR file:
It is necessary to download a .CSR file (certificate signing request) for the client and server certificates. The .CSR file represents a CA (Certificate Authority) public key that is linked to a CA private key.
For the client's server to authenticate Check Point's Event Forwarding, the backend creates a private key and a public key, which you must add to the .CSR file. The .CSR file is not secret. It is a file that a server assigns to Check Point and allows communication based on our private key (because Check Point's .CSR file was signed by the server).
Note - Each time you click to download a Client Certificate .CSR file, the Infinity Portal creates a new certificate sign request.
Important - it downloads and creates a new
Based on your configuration, use Method 1 or Method 2 to sign the .CSR file. To create a new Domain Certificate, use Method 1. To use an existing Domain Certificate, use Method 2.
Method 1: Create a New Domain Certificate
Step 1: Create a certificate to use for event forwarding integrations
- Generate a Client CA:
  - Create the CA key:
    openssl genrsa -out CA.key 2048
  - Create CA.pem:
    openssl req -x509 -new -nodes -key CA.key -sha256 -days 825 -out CA.pem
- Create a certificate for the SIEM server:
  - Create a key for the SIEM server:
    openssl genrsa -out server.key 2048
  - Generate a .CSR file for the SIEM server:
    openssl req -new -key server.key -out server.csr
  - Sign the .CSR file of the SIEM server with your CA.pem (the file names must match the ones created above; on a case-sensitive file system ca.pem and CA.pem are different files):
    openssl x509 -req -in server.csr -CA CA.pem -CAkey CA.key -CAcreateserial -out server.crt -days 825 -sha256
- Install your SIEM server certificate, SIEM server key, and the CA on your SIEM server (examples: Splunk, Syslog, QRadar).
- In the configuration of the SIEM server, define CA.pem as a trusted certificate.
- Make sure you are in the same working folder as the CA key and .pem files.
Step 2: Sign the Certificate
- In the Certificates tab, click Client Certificate. This downloads the Check Point Certificate.csr file to your computer.
- Use the OpenSSL command line to open the .csr file.
- Use the openssl x509 command to sign the downloaded Client Certificate. To do this, it is necessary to enter your private and public keys:
  openssl x509 -req -in Certificate.csr -CA CA.pem -CAkey CA.key -CAcreateserial -out your-cert.crt -days 825 -sha256
  The parameters of this command:
  Parameter | Description
  openssl | Protocol. The default security protocol. The openssl protocol is optional. If necessary, use a different protocol.
  x509 | The certificate type. Binds your company's identity to a public key.
  -req | Used to create and process certificate requests.
  - Enter the path to the downloaded Client Certificate: -in Certificate.csr
    The root directory path to the downloaded Client Certificate .csr (the path).
    Example:
    [root@controller certs_x509]# openssl x509 -req -in server.csr -CA /root/tls/certs/
  - Enter your private key: -CA CA.pem
    -CA - Specifies the CA certificate used for signing.
    CA.pem - Your private key.
    The CA certificate used for signing. When this option is present, x509 behaves like a mini CA. The input file is signed by the CA with this option. This means that its issuer's name is set to the subject name of the CA and it is digitally signed with the CA's private key. This option is usually combined with the -req option. Without the -req option, the input is a certificate that must be self-signed.
    Example:
    [root@controller certs_x509]# openssl x509 -req -in server.csr -CA /root/tls/certs/cacert.pem
  - Set the private key to sign the certificate: -CAkey CA.key
    Sets the CA private key to sign a certificate. Otherwise, it is assumed that the CA private key is present in the CA certificate file.
    -CAkey - Sets the CA private key used to sign a certificate.
    Example:
    [root@controller certs_x509]# openssl x509 -req -in server.csr -CA /root/tls/certs/cacert.pem -CAkey /root/tls/private/cakey.pem
  - Create a Certificate Authority serial number: -CAcreateserial
    The CA serial number file is created if it does not exist.
    Example:
    [root@controller certs_x509]# openssl x509 -req -in server.csr -CA /root/tls/certs/cacert.pem -CAkey /root/tls/private/cakey.pem -CAcreateserial -CAserial serial
  - Enter the path to the output file: -out your-cert.crt
    Specifies the output filename to write to, or standard output by default.
    -out - The output file to write to is taken from the root directory.
  - Enter the number of days: -days 825
    Specifies the number of days to make a certificate valid.
    Example:
    [root@controller certs_x509]# openssl x509 -req -in server.csr -CA /root/tls/certs/cacert.pem -CAkey /root/tls/private/cakey.pem -out server.cert.pem -CAcreateserial -CAserial serial -days 365 -sha256
  - -sha256
    A cryptographic hash function.
- Upload the signed Client Certificate to the Server Certificate.
  Best Practice - For a more secure connection, Check Point recommends that you also upload the Client Certificate to your configured server.
- Add a CA Certificate.
  - A CA functions as a trusted third party, which is trusted by the owner of the certificate and by the party that relies on the certificate.
  - CA is a certificate that helps Event Forwarding authenticate the client and must be added to Check Point's trusted CA store in Event Forwarding.
- For detailed information about each parameter, see the OpenSSL documentation here.
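Method 1 end to end as a script, added here as an example and not taken from the page. It runs in a scratch directory, stands in a locally generated CSR for the portal's Certificate.csr (the real one can only be downloaded from the portal), and finishes with a chain check using openssl verify that the page does not include.

```shell
#!/bin/sh
# Added example, not from the Check Point page: Method 1 end to end in a
# scratch directory, plus a chain check the page does not show.
# Assumption: the portal's Certificate.csr is stood in for by a locally
# generated CSR, since the real one can only be downloaded from the portal.
set -e

# Runs Steps 1 and 2 of Method 1 and prints the directory it worked in.
ef_method1() (
    cd "$(mktemp -d)"

    # Step 1a: client CA key and self-signed CA.pem (file names as on the page).
    openssl genrsa -out CA.key 2048 2>/dev/null
    openssl req -x509 -new -nodes -key CA.key -sha256 -days 825 \
        -subj "/CN=Event Forwarding Client CA" -out CA.pem

    # Step 1b: SIEM server key, CSR, and certificate signed by CA.pem.
    openssl genrsa -out server.key 2048 2>/dev/null
    openssl req -new -key server.key -subj "/CN=siem.example.test" -out server.csr
    openssl x509 -req -in server.csr -CA CA.pem -CAkey CA.key -CAcreateserial \
        -out server.crt -days 825 -sha256 2>/dev/null

    # Stand-in for the downloaded Certificate.csr (constructed here; the key
    # behind the real CSR stays on Check Point's side and never appears here).
    openssl genrsa -out stand-in.key 2048 2>/dev/null
    openssl req -new -key stand-in.key -subj "/CN=checkpoint-ef" -out Certificate.csr

    # Step 2: sign the client CSR with the same CA and the same file names.
    openssl x509 -req -in Certificate.csr -CA CA.pem -CAkey CA.key -CAcreateserial \
        -out your-cert.crt -days 825 -sha256 2>/dev/null

    # Before installing or uploading anything: both leaves must chain to CA.pem,
    # and your-cert.crt must name CA.pem's subject as its issuer.
    openssl verify -CAfile CA.pem server.crt your-cert.crt >/dev/null
    [ "$(openssl x509 -in your-cert.crt -noout -issuer_hash)" = \
      "$(openssl x509 -in CA.pem -noout -subject_hash)" ]
    pwd
)

# Run the procedure when executed directly (requires the openssl binary).
if command -v openssl >/dev/null 2>&1; then ef_method1; fi
```

The SIEM must trust exactly this CA.pem for client certificates; the verify step reproduces that trust decision offline before the portal's Test Connectivity is tried.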
Method 2: Use an Existing Domain Certificate
If you already have a CA key and .pem files, then use this method.
Prerequisites:
- The PFX file of the certificate that has the CA and the Client.
- The passphrase of the PFX file.
Step 1: Extract the .pem from the PFX file.
Step 2: Extract the key from the PFX file.
Step 3: Remove the passphrase from the key file.
Step 4: Sign the Client Certificate (.CSR) with your CA .key and .pem to generate the client .crt:
openssl x509 -req -in <Certificate>.csr -CA CA.pem -CAkey <my-key>.key -CAcreateserial -out <your-cert>.crt -days 825 -sha256
Best Practice - For a more secure connection, Check Point recommends that you also upload the Client Certificate to your configured server.
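Steps 1 to 4 of Method 2 as commands, added here as an example; the page lists the steps without commands, and these are not Check Point's. It assumes the PFX holds the CA certificate together with its private key under one passphrase and that the portal's Certificate.csr is supplied as a file; a throwaway PFX is constructed so the whole flow runs offline.

```shell
#!/bin/sh
# Added example, not from the Check Point page: Method 2, Steps 1-4, as
# commands. Assumptions: the PFX holds the CA certificate and its private key
# under one passphrase; the portal's Certificate.csr is supplied as a file path.
set -e

# Steps 1-3: CA.pem and an unencrypted CA.key out of the PFX ($1, passphrase $2).
ef_pfx_extract() {
    # Step 1: certificates only, no key material, into CA.pem.
    openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -out CA.pem
    # Step 2: the private key, still wrapped under the passphrase for now.
    openssl pkcs12 -in "$1" -passin "pass:$2" -nocerts -passout "pass:$2" -out CA-enc.key
    # Step 3: strip the passphrase so openssl x509 can sign without a prompt.
    # CA.key is now a plaintext secret: keep it on the signing host only.
    openssl pkey -in CA-enc.key -passin "pass:$2" -out CA.key
    rm -f CA-enc.key
}

# Step 4: sign the downloaded client CSR ($1) with the extracted CA, then check
# that the result chains back to CA.pem (a check the page does not show).
ef_sign_client_csr() {
    openssl x509 -req -in "$1" -CA CA.pem -CAkey CA.key -CAcreateserial \
        -out your-cert.crt -days 825 -sha256 2>/dev/null
    openssl verify -CAfile CA.pem your-cert.crt >/dev/null
}

# Constructed sample input: a throwaway CA packed into a PFX ($1, passphrase $2),
# standing in for the organisation's real domain certificate.
ef_make_sample_pfx() {
    openssl req -x509 -newkey rsa:2048 -nodes -keyout sample-ca.key -days 825 \
        -subj "/CN=Sample Domain CA" -out sample-ca.pem 2>/dev/null
    openssl pkcs12 -export -inkey sample-ca.key -in sample-ca.pem \
        -passout "pass:$2" -out "$1"
}

# Whole procedure in a scratch directory; prints the directory it used.
ef_method2_demo() (
    cd "$(mktemp -d)"
    ef_make_sample_pfx sample.pfx "demo-pass"
    ef_pfx_extract sample.pfx "demo-pass"
    # Stand-in for Certificate.csr; in real use this file comes from the portal.
    openssl req -new -newkey rsa:2048 -nodes -keyout stand-in.key \
        -subj "/CN=checkpoint-ef" -out Certificate.csr 2>/dev/null
    ef_sign_client_csr Certificate.csr
    pwd
)

if command -v openssl >/dev/null 2>&1; then ef_method2_demo; fi
```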
To test connectivity between the client's and the host's server:
- Click Test Connectivity.
  If the connection is successful, "Connect successfully" shows.
Error messages:
Error | Cause | Resolution
Authentication Error | This tenant did not create a private key for data forwarding. | Click Client Certification.
Authentication Error | Invalid CA Certificate. | The CA certificate is invalid; it is necessary to change it.
Connection Error | Failed to connect to remote address and port. | An error occurred when an attempt was made to connect a socket to a remote address and port. The connection was refused remotely.
Networking Error | Connection Reset. | An error occurred when an attempt was made to connect a socket to a remote address and port. The connection was refused remotely.
- Click Create.
  The new rule shows on the Event Forwarding page. It contains the rule name, the services you forward data from, and the name of the destination to which you forward the data.
How to Manage Rules
On the Events page, Forwarding Rules show with the rule name, the services you forward data from, and the name of the destination to which you forward the data.
To add a new Forwarding Rule:
Click the [+] icon or + Add.
To edit a Forwarding Rule:
Put the cursor on the rule, click the icon that appears, and then select Edit. Change the rule settings as necessary.
To delete a Forwarding Rule:
Put the cursor on the rule, click the icon that appears, and then select Delete.
How to Manage Destinations
After you configure destination(s) for an external analytics platform, you can review, edit, search, and delete them in the Manage Destinations window.
In the Manage Destinations window, on the left pane, select the name of the destination. The right pane shows the settings for the destination and the rules that use the destination.
To edit a destination:
- In the Destinations window, on the left pane, select the destination's name.
- Click the edit icon. The Edit Destination window opens.
- Change the settings as necessary.
- Click Apply.
- Click Close.
To delete a destination:
- In the Manage Destinations window, on the left pane, select the destination's name.
- Make sure that no rule uses this destination. A destination cannot be deleted while a rule uses it. If no rule uses the destination, the Used by Rule area in the right pane is empty. If some rules use the destination, replace the destination in those rules or delete the rules.
- Click the delete icon.
To search for a destination:
- In the Manage Destinations window, in the search field, start to enter the destination's name. A list of destinations opens.
- Click the destination to see more details about the configuration.
- To exit, click Close.