Appendix E - Using Unix DHCP - Syslog as the IoT Discovery Engine

You can set up an IoT discovery engine on the Check Point Management Server to discover IoT assets in your network. The IoT discovery engine uses the network devices in the network, such as switches, routers, gateways, or Network Access Control (NAC) devices to discover IoT assets.

You can use Unix DHCP server as an IoT discovery engine. The Unix DHCP server maintains a pool of IP addresses and provides an IP address to every new DHCP-enabled client.

Unix DHCP - Syslog integration is based on Syslog messages generated by the Unix DHCP server. The Syslog message includes the MAC address of the device (DHCP-enabled client) and the leased IP address. Syslog uses port 514 to send log messages over TCP or UDP.
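The discovery logic described above, as an added example that is not code from this page or from the syslog-dest.sh tool: it takes Syslog lines in the shape a Unix DHCP server emits and pulls out the MAC address and leased IP address. It assumes the ISC dhcpd message wording (`DHCPACK on <ip> to <mac> (<hostname>) via <iface>`) and RFC 3164 framing; the host names, MAC addresses and IP addresses in the sample lines are constructed.

```python
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# Constructed sample lines in the shape a Unix DHCP server (ISC dhcpd) sends
# to a Syslog collector. The DHCPACK wording is dhcpd's; the hosts, MACs and
# addresses are made up for this example.
SAMPLE_SYSLOG_LINES: List[str] = [
    "<30>Jan  5 12:00:01 dhcp-srv dhcpd[1234]: DHCPDISCOVER from 00:11:22:33:44:55 via eth0",
    "<30>Jan  5 12:00:01 dhcp-srv dhcpd[1234]: DHCPOFFER on 10.0.0.50 to 00:11:22:33:44:55 (iot-cam-01) via eth0",
    "<30>Jan  5 12:00:02 dhcp-srv dhcpd[1234]: DHCPREQUEST for 10.0.0.50 (10.0.0.1) from 00:11:22:33:44:55 (iot-cam-01) via eth0",
    "<30>Jan  5 12:00:02 dhcp-srv dhcpd[1234]: DHCPACK on 10.0.0.50 to 00:11:22:33:44:55 (iot-cam-01) via eth0",
    "<30>Jan  5 12:03:17 dhcp-srv dhcpd[1234]: DHCPACK on 10.0.0.51 to AA:BB:CC:DD:EE:FF via eth0",
    "<78>Jan  5 12:05:00 dhcp-srv CRON[77]: (root) CMD (run-parts /etc/cron.hourly)",
    "<30>Jan  5 12:09:40 dhcp-srv dhcpd[1234]: DHCPACK on 10.0.0.52 to 00:11:22:33:44:55 (iot-cam-01) via eth0",
]

# RFC 3164 framing: <PRI>TIMESTAMP HOSTNAME TAG[pid]: MSG
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<tag>[^\s:\[]+)(?:\[\d+\])?: (?P<msg>.*)$"
)

# Only DHCPACK confirms a lease; DISCOVER/OFFER/REQUEST are ignored so that
# a failed or declined exchange does not create a phantom asset.
DHCPACK_RE = re.compile(
    r"^DHCPACK on (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) "
    r"to (?P<mac>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})"
    r"(?: \((?P<name>[^)]*)\))? via (?P<iface>\S+)$"
)


@dataclass
class Lease:
    mac: str            # normalised to lower case so one device has one key
    ip: str
    hostname: Optional[str]
    iface: str
    timestamp: str
    dhcp_server: str


def decode_pri(pri: int) -> tuple:
    """Split a Syslog PRI value into (facility, severity)."""
    return pri >> 3, pri & 7


def parse_lease(line: str) -> Optional[Lease]:
    """Return a Lease for a dhcpd DHCPACK Syslog line, or None for anything else."""
    head = SYSLOG_RE.match(line)
    if head is None or head.group("tag") != "dhcpd":
        return None
    body = DHCPACK_RE.match(head.group("msg"))
    if body is None:
        return None
    return Lease(
        mac=body.group("mac").lower(),
        ip=body.group("ip"),
        hostname=body.group("name") or None,
        iface=body.group("iface"),
        timestamp=head.group("ts"),
        dhcp_server=head.group("host"),
    )


def build_inventory(lines: Iterable[str]) -> Dict[str, Lease]:
    """Fold a stream of Syslog lines into {mac: latest lease}.

    Later ACKs overwrite earlier ones, so a device that renews with a new
    address is tracked under its current IP rather than duplicated.
    """
    inventory: Dict[str, Lease] = {}
    for line in lines:
        lease = parse_lease(line)
        if lease is not None:
            inventory[lease.mac] = lease
    return inventory


if __name__ == "__main__":
    for mac, lease in build_inventory(SAMPLE_SYSLOG_LINES).items():
        print(f"{mac}  {lease.ip:<12} {lease.hostname or '-':<12} via {lease.iface} ({lease.dhcp_server})")
```

Keying the inventory on the MAC address rather than the IP address is what lets the engine follow a device across lease renewals; the two ACKs for 00:11:22:33:44:55 in the sample collapse to a single asset at its latest address.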

Prerequisites

Set the relevant Access Control rules on the relevant gateway to allow Syslog traffic between the Unix DHCP server and the Check Point Management Server.

To configure the Access Control rule:

  1. Connect with SmartConsole to the Check Point Management Server.

  2. From the left navigation panel, click Security Policies.

  3. In the Access Control section, click Policy.

  4. Configure this rule:

    Name: Traffic from Unix DHCP to Mgmt
    Source: Unix DHCP Server
    Destination: Check Point Management Server
    VPN: Any
    Services & Applications: syslog
    Action: Accept
    Track: None
    Install On: Policy Targets

Setting Up the Unix DHCP - Syslog as the IoT Discovery Engine

To set up Unix DHCP - Syslog as the IoT Discovery Engine:

  1. Configure the Unix DHCP server:

    1. Download the syslog-dest.sh file.

      The system downloads the file.

    2. Transfer the file to the Unix DHCP server.

    3. Connect to the command line on your Unix DHCP server (over SSH or console).

    4. Log in with your administrator credentials.

    5. Run:

      sudo bash syslog-dest.sh

    6. Enter the administrator password.

    7. To install the discovery engine, enter 1 and press Enter.

    8. Enter the IP address of your Check Point Management Server, and press Enter.

    9. To close the setup tool, type exit.

      After the installation, the system copies the Syslog logs to your Check Point Management Server at one-minute intervals.

  2. Configure Unix DHCP - Syslog as the IoT discovery engine in Quantum IoT Protect.

    Notes:

    • When you install the Unix DHCP - Syslog built-in discovery engine, it modifies the configuration of the Check Point Management Server on which it is installed and enables it to receive Syslog messages.

    • Make sure no other user is logged in to SmartConsole.

    1. Log in to the Check Point Infinity Portal.

    2. In the Quantum section, go to IoT Protect > IoT > Profiles.

    3. Click and select IoT Discovery Source Profile.

    4. Enter these:

      1. In the Discovery Source section, from the Discovery source type list, select Unix DHCP Server (Syslog).

      2. In the Discovery Source Settings section, in the Server hostname field, enter the hostname of the Unix DHCP server.

      3. In the Run Discovery On section, select your Check Point Management Server.

      4. In the Gateways That Use This Service section, select the gateways relevant to your discovered assets, or select the policy package for all gateways.

    5. Click Enforce.

      The system installs the Unix DHCP - Syslog discovery engine, which starts running on the Check Point Management Server.

Testing the Unix DHCP - Syslog IoT Discovery Engine

  1. Connect to the command line on the Check Point Management Server (over SSH or console).

  2. Log in to the Expert mode.

  3. Run:

    cpnano -s

  4. These nano services must be running:

    1. Check Point Orchestration

    2. Check Point IoT Syslog DHCP

Removing Unix DHCP - Syslog as the IoT Discovery Engine

To remove Unix DHCP - Syslog as the IoT discovery engine from the Unix DHCP server:

  1. Connect to the command line on your Unix DHCP server (over SSH or console).

  2. Log in with your administrator credentials.

  3. Run:

    sudo bash syslog-dest.sh

  4. Enter the administrator password.

  5. To uninstall the discovery engine, enter 2 and press Enter.

  6. Enter y and press Enter.

  7. To close the setup tool, type exit.

    The system uninstalls the Unix DHCP - Syslog discovery engine. DHCP logs are no longer copied to the Check Point Management Server.

To remove the IoT Discovery Source Profile in Quantum IoT Protect:

  1. Log in to Check Point Infinity Portal.

  2. In the Quantum section, go to IoT Protect > IoT > Profiles.

  3. On the Unix DHCP Syslog discovery engine profile, click and then Delete.

  4. Click OK.

  5. Click Enforce.

Troubleshooting the Unix DHCP - Syslog IoT Discovery Engine

  1. Connect with SmartConsole to the Check Point Management Server.

  2. From the left navigation panel, click Gateways & Servers.

  3. Double-click the Management Server object.

  4. Expand Logs > click Additional Logging.

  5. Select Accept Syslog messages.

  6. Click OK.

  7. Install the Access Control policy.

  8. Enable Syslog traffic from the Unix DHCP server to the Check Point Management Server:

    1. Connect to the command line on your Unix DHCP server (over SSH or console).

    2. Log in with your administrator credentials.

    3. Run:

      1. nmap -sU -p 514 <IP Address of Management Server>

      2. echo "Syslog Test Message - #1" | nc -u <IP Address of Management Server> 514

        Expected output in SmartConsole > Logs & Monitor view > Logs.

  9. Filter the logs with this query:

    blade: dhcpd or blade: syslog

  10. Connect to the command line on the Check Point Management Server (over SSH or console).

  11. Log in to the Expert mode.

  12. Run:

    cp_log_export show

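The Syslog test message from step 8, as an added example that is not code from this page or from Check Point: the `echo | nc -u` check sends bare text, whereas this script builds a complete RFC 3164 datagram with a PRI header and first proves the sender against a throwaway listener on 127.0.0.1 before you point it at the Management Server. The hostname `dhcp-srv`, the tag `syslog-test` and the fixed timestamp are constructed values for the example.

```python
import socket
from datetime import datetime
from typing import Optional, Tuple

SYSLOG_PORT = 514      # UDP port checked with nmap and nc in the steps above
FACILITY_USER = 1
SEVERITY_INFO = 6
FIXED_TS = datetime(2024, 1, 5, 12, 0, 2)   # constructed, for a reproducible datagram


def build_syslog_datagram(message: str, hostname: str, tag: str,
                          facility: int = FACILITY_USER,
                          severity: int = SEVERITY_INFO,
                          timestamp: Optional[datetime] = None) -> bytes:
    """Build an RFC 3164 datagram: <PRI>Mmm dd hh:mm:ss HOSTNAME TAG: MSG.

    PRI = facility * 8 + severity. Bare text (as sent by `echo | nc -u`)
    carries no PRI, and a receiver then assumes <13>, i.e. user.notice.
    """
    if not 0 <= facility <= 23 or not 0 <= severity <= 7:
        raise ValueError("facility must be 0..23 and severity 0..7")
    ts = timestamp or datetime.now()
    # RFC 3164 pads a single-digit day with a space, not a zero.
    stamp = f"{ts:%b} {ts.day:>2} {ts:%H:%M:%S}"
    pri = facility * 8 + severity
    return f"<{pri}>{stamp} {hostname} {tag}: {message}".encode("ascii")


def send_syslog(datagram: bytes, host: str, port: int = SYSLOG_PORT) -> int:
    """Send one UDP datagram to the collector; returns the number of bytes sent."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        return sock.sendto(datagram, (host, port))


def loopback_roundtrip(message: str, timeout: float = 2.0) -> Tuple[int, str]:
    """Self-check: bind a throwaway UDP listener on 127.0.0.1, send the test
    datagram to it and return (pri, text) of what arrived."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as listener:
        listener.bind(("127.0.0.1", 0))    # ephemeral port, no root needed
        listener.settimeout(timeout)
        port = listener.getsockname()[1]
        send_syslog(build_syslog_datagram(message, "dhcp-srv", "syslog-test"),
                    "127.0.0.1", port)
        data, _ = listener.recvfrom(2048)
    text = data.decode("ascii")
    close = text.index(">")
    return int(text[1:close]), text[close + 1:]


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        # python3 syslog_test.py <IP Address of Management Server>
        datagram = build_syslog_datagram("Syslog Test Message - #1",
                                         socket.gethostname(), "syslog-test")
        sent = send_syslog(datagram, sys.argv[1])
        print(f"sent {sent} bytes to {sys.argv[1]}:{SYSLOG_PORT}")
    else:
        print(loopback_roundtrip("Syslog Test Message - #1"))
```

Run it without arguments on the DHCP server to confirm the sender works locally, then with the Management Server address to send the real test message and look for it with the `blade: syslog` query in step 9. Because the datagram carries a PRI, the entry arrives with the facility and severity you chose instead of the receiver's default.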