Appendix D - Using MS-DHCP as the IoT Discovery Engine (Logs Read from Splunk)

You can set up an IoT discovery engine on the Check Point Management Server to discover IoT assets in your network. The IoT discovery engine uses the network devices in the network, such as switches, routers, gateways, or Network Access Control (NAC) devices to discover IoT assets.

You can use the Microsoft Dynamic Host Configuration Protocol (MS-DHCP) server to discover IoT assets. It maintains a pool of IP addresses and provides (leases) an IP address to every new DHCP-enabled client. MS-DHCP integration is based on the event log files created by the MS-DHCP server. The events may include the MAC address of the device (DHCP-enabled client) and the leased IP address.

The MS-DHCP integration reads the DHCP events by one of these methods:

  • The event logs from the MS-DHCP server are copied to a local directory and the logs are read from this local directory.

  • The event logs from the MS-DHCP server are forwarded to the Splunk server and the logs are read from the Splunk server.

This appendix describes the MS-DHCP integration when the MS-DHCP event logs are read from the Splunk server.

Setting Up MS-DHCP as the IoT Discovery Engine (Logs Read from Splunk)

  1. Set the Splunk server to index DHCP event logs created by the MS-DHCP server.

    1. To forward the logs to Splunk, install Splunk Universal Forwarder on the MS-DHCP server. To install the Splunk Universal Forwarder, see Splunk Universal Forwarder.

    2. To parse the MS-DHCP logs, install the Splunk Add-on for Microsoft Windows on the Splunk server. To install Splunk Add-on for Microsoft Windows, see Splunk Add-on for Microsoft Windows.

    3. Create a Custom Index for MS-DHCP logs (DHCP). To create a Custom Index, see Create Custom Indexes.

  2. Create a scheduled report of the MS-DHCP event logs on the Splunk server. To create a scheduled report, see Creating Scheduled Reports in Splunk.

  3. In the report created, search for the keyword index*dhcp.

  4. Edit the schedule for the report.

  5. Set Read permission for the report created.

  6. Create an authentication token to securely access Splunk REST API to read MS-DHCP event logs (Reading from Splunk).

    1. In the Splunk server, go to Settings > Tokens.

    2. Click New Token.

    3. In the New Token window, enter this information:

      • User - The Splunk platform user that you want to create the token for.

      • Audience - A short description of the purpose of the token.

      • (Optional) Expiration - Select Absolute Time or Relative Time.

      • (Optional) Not Before - Select Absolute Time or Relative Time.

    4. Click Create.

      The New Token window updates the Token field to display the generated token.

  7. Enable access to Splunk REST API in the Access Control policy (Reading from Splunk).

    Set the relevant access rules in the Access Control policy on the relevant gateway to allow the Management Server to access the Splunk REST API.

    Splunk REST API uses port 8089 (over TCP).

  8. Set MS-DHCP as the IoT discovery engine in Quantum IoT Protect.

    1. Log in to Check Point Infinity Portal.

    2. Under Quantum, go to IoT Protect > IoT > Profiles.

    3. Set Integration type to MS DHCP.

    4. Set Read logs from to Splunk.

    5. Click Enforce.

  9. Set local configuration on the Management Server (When using Splunk).

    MS-DHCP built-in discovery integration can access the Splunk REST API to read the MS-DHCP event logs. To securely access the Splunk REST API, set an authentication token locally on the Management Server.

    To set the authentication token:

    1. Set the integration in Quantum IoT Protect.

    2. Access the Management Server through SSH.

    3. Run this bash script:

      /etc/cp/scripts/iot/msDhcp/set-local-configuration.sh
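Step 1 above leaves the forwarder configuration itself to the linked Splunk documentation. The stanza below is an added example of what the Splunk Universal Forwarder's inputs.conf on the MS-DHCP server can look like; it is not taken from this appendix or from Check Point. The monitored directory is the default location of the Windows DHCP audit logs, the DhcpSrvLog sourcetype is the one the Splunk Add-on for Microsoft Windows parses, and the index name dhcp is assumed to be the custom index created in step 1.3.

```ini
# inputs.conf on the MS-DHCP server (Splunk Universal Forwarder) - added example.
# Assumed: the DHCP audit logs live in the default %SystemRoot%\System32\dhcp
# directory and the custom index created in step 1.3 is named "dhcp".
[monitor://C:\Windows\System32\dhcp]
# Only the DHCPv4 activity logs (DhcpSrvLog-Mon.log ... DhcpSrvLog-Sun.log).
whitelist = DhcpSrvLog.*\.log$
# Sourcetype the Splunk Add-on for Microsoft Windows parses into fields.
sourcetype = DhcpSrvLog
index = dhcp
disabled = 0
```

After the forwarder restarts, a search such as index=dhcp sourcetype=DhcpSrvLog on the Splunk server should return DHCP events; the scheduled report in step 2 is built on top of that search. If the search returns nothing, check that the dhcp index exists on the indexer and that the forwarder's outputs.conf points at it before touching the report or the token.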

Configuring integration installed on a cluster gateway

  1. Access each gateway through SSH and log in to Expert mode.

  2. Change each gateway to active mode. For more information, see Initiating Manual Cluster Failover.

  3. Run this bash script:

    /etc/cp/scripts/iot/msDhcp/set-local-configuration.sh

Configuring integration installed on a Management Server with HA or on MDS with HA

  1. Access each gateway through SSH and log in to Expert mode.

  2. Change the gateway to active mode. For more information, see Changing a Server to Active or Standby.

  3. Run this bash script:

    /etc/cp/scripts/iot/msDhcp/set-local-configuration.sh

Testing the MS-DHCP - IoT Discovery Engine

  1. Connect to the command line on the Check Point Security Gateway / Management Server (over SSH or console).

  2. Log in to the Expert mode.

  3. Run:

    cpnano -s

    Note - The output for this command may take time to appear depending on how long the system takes to enforce the profile. If you do not see the output, then verify whether you have selected the correct Security Gateway / Management Server in the Profiles setting.

  4. These nano services must be running:

    • Check Point Orchestration

    • Check Point IoT MS DHCP

    Output:

Troubleshooting MS-DHCP IoT Discovery Engine (Logs Read from Splunk)

  1. Access the Check Point Management Server through SSH and log in to the Expert mode.

  2. Run these commands to verify that the network and the Access Control rules allow the Check Point Management Server to reach the Splunk REST API:

    • ping <Splunk server's IP Address>

    • ping <Splunk server's FQDN>

    • telnet <Splunk server's FQDN> 8089
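The checks above only prove that TCP port 8089 is reachable; they do not show whether the token from step 6 is accepted or whether the returned events contain the MAC and IP fields the discovery engine needs. The script below is an added example, not Check Point's integration code and not part of this appendix. It parses MS-DHCP audit-log rows (the DhcpSrvLog format, whose first seven columns are ID, Date, Time, Description, IP Address, Host Name and MAC Address) into lease records, reads the same rows back from the Splunk REST API with a Bearer token, and reproduces the port-8089 reachability test. The Splunk search, the export endpoint and the JSON response shape are assumptions based on Splunk's documented API; the appendix's integration reads a scheduled report instead of running this ad-hoc search, and the sample log lines are constructed.

```python
"""Parse MS-DHCP lease events and read them from Splunk (added example)."""
import csv
import json
import socket
import ssl
import urllib.parse
import urllib.request
from dataclasses import dataclass
from typing import Iterable, List, Optional

# DhcpSrvLog event IDs that carry a usable IP/MAC mapping for asset discovery:
# 10 = new lease, 11 = lease renewed, 20 = BOOTP lease. Releases, conflicts
# and denials (12, 13, 15, ...) are skipped.
LEASE_EVENT_IDS = {"10", "11", "20"}
SPLUNK_REST_PORT = 8089  # Splunk REST API port, as stated in the appendix


@dataclass(frozen=True)
class Lease:
    ip: str
    mac: str
    host: str
    date: str
    time: str


def _row_to_lease(fields: List[str]) -> Optional[Lease]:
    """One CSV row -> Lease, or None for legend/header/non-lease rows."""
    if len(fields) < 7 or fields[0] not in LEASE_EVENT_IDS:
        return None
    raw_mac = fields[6].strip().upper()
    # MS-DHCP writes the MAC as 12 hex digits without separators.
    if len(raw_mac) != 12 or any(c not in "0123456789ABCDEF" for c in raw_mac):
        return None
    mac = ":".join(raw_mac[i:i + 2] for i in range(0, 12, 2))
    return Lease(ip=fields[4].strip(), mac=mac, host=fields[5].strip(),
                 date=fields[1], time=fields[2])


def parse_dhcpsrvlog(lines: Iterable[str]) -> List[Lease]:
    """Parse DhcpSrvLog text (a local file or _raw events from Splunk)."""
    return [lease for lease in map(_row_to_lease, csv.reader(lines)) if lease]


def leases_from_splunk_export(body: str) -> List[Lease]:
    """Parse the newline-delimited JSON returned by search/jobs/export with
    output_mode=json; each object holds the event text in result._raw
    (assumed response shape)."""
    raw_events = []
    for line in body.splitlines():
        if line.strip():
            result = json.loads(line).get("result")
            if result and "_raw" in result:
                raw_events.append(result["_raw"])
    return parse_dhcpsrvlog(raw_events)


def build_export_request(base_url: str, token: str, index: str = "dhcp",
                         earliest: str = "-24h") -> urllib.request.Request:
    """Token-authenticated POST to the export endpoint (assumed search)."""
    query = urllib.parse.urlencode({
        "search": f"search index={index} sourcetype=DhcpSrvLog | table _raw",
        "earliest_time": earliest,
        "output_mode": "json",
    }).encode()
    req = urllib.request.Request(f"{base_url}/services/search/jobs/export", data=query)
    req.add_header("Authorization", f"Bearer {token}")  # token from step 6
    return req


def fetch_leases(base_url: str, token: str, cafile: Optional[str] = None) -> List[Lease]:
    """Query Splunk over TLS (verification stays on; pass the CA that signed
    the Splunk certificate via cafile) and return Lease records."""
    ctx = ssl.create_default_context(cafile=cafile)
    req = build_export_request(base_url, token)
    with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
        return leases_from_splunk_export(resp.read().decode())


def check_tcp(host: str, port: int = SPLUNK_REST_PORT, timeout: float = 3.0) -> bool:
    """Equivalent of `telnet <Splunk FQDN> 8089` from the troubleshooting steps."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


# Constructed DhcpSrvLog sample: legend lines, column header, a maintenance
# row, a new lease, a renewal and a release. Not from a real server.
SAMPLE_DHCPSRVLOG = """\
00\tThe log was started.
10\tA new IP address was leased to a client.
ID,Date,Time,Description,IP Address,Host Name,MAC Address,User Name, TransactionID, QResult
24,01/15/24,00:00:01,Database Cleanup Begin,,,,,0,6
10,01/15/24,08:12:44,Assign,10.1.20.57,printer-3f.corp.example,0014380A1B2C,,2143456789,0
11,01/15/24,09:30:02,Renew,10.1.20.58,cam-lobby.corp.example,00E0FC112233,,2143456790,0
12,01/15/24,09:45:10,Release,10.1.20.59,old-host.corp.example,001122AABBCC,,2143456791,0
"""

if __name__ == "__main__":
    for lease in parse_dhcpsrvlog(SAMPLE_DHCPSRVLOG.splitlines()):
        print(lease)
    # fetch_leases("https://splunk.example.internal:8089", "<token>", cafile="ca.pem")
```

Run stand-alone, the script prints the two lease records from the constructed sample (the release row and the maintenance row are dropped). Against a live server, a 401 from fetch_leases points at the token or its expiry (step 6), a connection timeout while check_tcp fails points at the Access Control rule for port 8089 (step 7), and an empty result with a reachable API points back at the forwarder or index setup (step 1). A successful ping with a failing port check is common when ICMP is permitted but TCP 8089 is not, so the port check is the one that matters.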