TLS Configuration

You can configure a secured connection between the Log Exporter and the Syslog server.

Log Exporter can export logs over an encrypted connection using the TLS protocol.

When using TLS, it is important to know that only mutual authentication is allowed.

For mutual authentication, the Log Exporter needs these certificates:

CA certificate (in the PEM format) that signed both the client (Log Exporter side) and server (syslog server side) certificates
Client certificate (in the P12 format) on the Management Server / Log Server with Log Exporter

Notes:

For Log Exporter TLS Configuration on Smart-1 Cloud, refer to sk181142.
The Management Server / Log Server with Log Exporter must be able to connect to CA.
In addition to these two certificates, a third certificate should be installed on the Syslog server (based on the server requirement).

It is also possible to use self-signed certificates.
Log Exporter supports only keys encrypted and signed with the RSA for the TLS communication (ECC keys are not supported).

Important:

The procedure below uses the openssl commands on a non-Check Point server.
For testing purposes you can use the Cert_Generator.sh script to automate these steps.

To download the script, click here.

Part 1 of 4 - Creating a CA Certificate:

Create a CA Key file:

openssl genrsa -out ca.key 2048

Create a CA Certificate file:

openssl req -x509 -new -nodes -key ca.key -days 2048 -out ca.pem

You are prompted to provide information regarding the certificate.

Apart from the Common Name (it is recommended to use the device IP address as the Common Name), all other fields are optional and can be skipped.

If you are purchasing an SSL certificate from a certificate authority, it often requires these additional fields.

Part 2 of 4 - Creating a Log Exporter Certificate:

Warning - Do not share the client key files with anyone.

Create a Log Exporter Key file:

openssl genrsa -out cp_client.key 2048

Create a Log Exporter CSR file:

openssl req -new -key cp_client.key -out cp_client.csr

Create a Log Exporter CRT file:

openssl x509 -req -in cp_client.csr -CA ca.pem -CAkey ca.key -CAcreateserial -out cp_client.crt -days 2048 -sha256

Create Log Exporter P12 file:

openssl pkcs12 -inkey cp_client.key -in cp_client.crt -export -out cp_client.p12

Part 3 of 4 - Creating a Syslog Server Certificate:

Warning - Do not share the server key files with anyone.

Create a Target Server key file:

openssl genrsa -out server.key 2048

Create a Target Server CSR file:

openssl req -new -key server.key -out server.csr

Create a Target Server CRT file:

openssl x509 -req -in server.csr -CA ca.pem -CAkey ca.key -CAcreateserial -out server.crt -days 2048 -sha256

Note - Several SIEM applications require the Server certification to be in a specific format.

For more information, see Instructions for Specific SIEM Applications.

Part 4 of 4 - Put the certificate files on the Check Point Management Server / Log Server

Connect to the command line on the Check Point Management Server / Log Server.
Log in to the Expert mode.

Create the sub-directory "certs" in the applicable Log Exporter directory:

mkdir -p $EXPORTERDIR/targets/<Name of Log Exporter Configuration>/certs

Copy these files to the Management Servers / Log Server to the sub-directory "certs":
- ca.pem
- cp_client.p12

Assign the "read" permission the certificate files:

chmod -v +r $EXPORTERDIR/targets/<Name of Log Exporter Configuration>/certs/ca.pem

chmod -v +r $EXPORTERDIR/targets/<Name of Log Exporter Configuration>/certs/cp_client.p12

Configure the Log Exporter:

cp_log_export add name <Name> [domain-server {mds | all}] target-server <HostName or IP address of Target Server> target-port <Port on Target Server> protocol tcp format {syslog | splunk | cef | leef | generic | json | logrhythm | rsa} encrypted true ca-cert $EXPORTERDIR/targets/<Name of Log Exporter Configuration>/certs/ca.pem client-cert $EXPORTERDIR/targets/<Name of Log Exporter Configuration>/certs/cp_client.p12 client-secret <Password for cp_client.p12>