TLS Configuration
You can configure a secured connection between the Log Exporter and the Syslog server.
Log Exporter can export logs over an encrypted connection using the TLS protocol.
When using TLS, only mutual authentication is allowed.
For mutual authentication, the Log Exporter needs these certificates:
- CA certificate (in the PEM format) that signed both the client (Log Exporter side) and server (syslog server side) certificates
- Client certificate (in the P12 format) on the Management Server / Log Server with Log Exporter
Part 1 of 4 - Creating a CA Certificate:
- Create a CA Key file:
  openssl genrsa -out ca.key 2048
- Create a CA Certificate file:
  openssl req -x509 -new -nodes -key ca.key -days 2048 -out ca.pem
  You are prompted to provide information regarding the certificate.
  Apart from the Common Name (it is recommended to use the device IP address as the Common Name), all other fields are optional and can be skipped.
  If you are purchasing an SSL certificate from a certificate authority, it often requires these additional fields.
Part 2 of 4 - Creating a Log Exporter Certificate:
Warning - Do not share the client key files with anyone.
- Create a Log Exporter Key file:
  openssl genrsa -out cp_client.key 2048
- Create a Log Exporter CSR file:
  openssl req -new -key cp_client.key -out cp_client.csr
- Create a Log Exporter CRT file:
  openssl x509 -req -in cp_client.csr -CA ca.pem -CAkey ca.key -CAcreateserial -out cp_client.crt -days 2048 -sha256
- Create a Log Exporter P12 file:
  openssl pkcs12 -inkey cp_client.key -in cp_client.crt -export -out cp_client.p12
Part 3 of 4 - Creating a Syslog Server Certificate:
Warning - Do not share the server key files with anyone.
- Create a Target Server key file:
  openssl genrsa -out server.key 2048
- Create a Target Server CSR file:
  openssl req -new -key server.key -out server.csr
- Create a Target Server CRT file:
  openssl x509 -req -in server.csr -CA ca.pem -CAkey ca.key -CAcreateserial -out server.crt -days 2048 -sha256
Note - Several SIEM applications require the Server certificate to be in a specific format. For more information, see Instructions for Specific SIEM Applications.
Part 4 of 4 - Put the certificate files on the Check Point Management Server / Log Server
- Connect to the command line on the Check Point Management Server / Log Server.
- Log in to the Expert mode.
- Create the sub-directory "certs" in the applicable Log Exporter directory:
  mkdir -p $EXPORTERDIR/targets/<Name of Log Exporter Configuration>/certs
- Copy these files to the sub-directory "certs" on the Management Server / Log Server:
  - ca.pem
  - cp_client.p12
- Assign the "read" permission to the certificate files:
  chmod -v +r $EXPORTERDIR/targets/<Name of Log Exporter Configuration>/certs/ca.pem
  chmod -v +r $EXPORTERDIR/targets/<Name of Log Exporter Configuration>/certs/cp_client.p12
- Configure the Log Exporter:
  cp_log_export add name <Name> [domain-server {mds | all}] target-server <HostName or IP address of Target Server> target-port <Port on Target Server> protocol tcp format {syslog | splunk | cef | leef | generic | json | logrhythm | rsa} encrypted true ca-cert $EXPORTERDIR/targets/<Name of Log Exporter Configuration>/certs/ca.pem client-cert $EXPORTERDIR/targets/<Name of Log Exporter Configuration>/certs/cp_client.p12 client-secret <Password for cp_client.p12>
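Before the files are copied in Part 4, the output of Parts 1 to 3 can be checked: both certificates must chain to ca.pem, each certificate must match its key, and the P12 must open with the password later given as client-secret. The script below is an added example, not part of the original procedure or of Check Point's tooling; the function names, the certificate subjects and the use of -subj, -passout and -passin to avoid prompts are assumptions of this example.

```shell
# Added example: rehearse Parts 1-3 in a scratch directory, then verify the output.
# Subjects, addresses (192.0.2.x) and the password are constructed sample values.

# make_ca DIR: CA key and self-signed certificate (Part 1); -subj skips the prompts.
make_ca() {
    openssl genrsa -out "$1/ca.key" 2048 2>/dev/null &&
    openssl req -x509 -new -nodes -key "$1/ca.key" -days 2048 \
        -subj "/CN=Example Log CA" -out "$1/ca.pem"
}

# make_leaf DIR NAME CN: key, CSR and CA-signed certificate (Parts 2 and 3).
make_leaf() {
    openssl genrsa -out "$1/$2.key" 2048 2>/dev/null &&
    openssl req -new -key "$1/$2.key" -subj "/CN=$3" -out "$1/$2.csr" &&
    openssl x509 -req -in "$1/$2.csr" -CA "$1/ca.pem" -CAkey "$1/ca.key" \
        -CAcreateserial -out "$1/$2.crt" -days 2048 -sha256 2>/dev/null
}

# make_p12 DIR PASSWORD: bundle the client key and certificate (end of Part 2).
make_p12() {
    openssl pkcs12 -inkey "$1/cp_client.key" -in "$1/cp_client.crt" -export \
        -out "$1/cp_client.p12" -passout "pass:$2"
}

# chains_to CA_FILE CERT: succeeds only if CERT verifies against CA_FILE.
chains_to() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# key_matches KEY CERT: succeeds only if CERT carries the public half of KEY.
key_matches() {
    pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    [ -n "$pub" ] && [ "$pub" = "$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null)" ]
}

# p12_opens FILE PASSWORD: succeeds only if the P12 decrypts with that password.
p12_opens() {
    openssl pkcs12 -in "$1" -noout -passin "pass:$2" >/dev/null 2>&1
}

# check_bundle DIR PASSWORD: every pre-deployment check in one call.
check_bundle() {
    chains_to "$1/ca.pem" "$1/cp_client.crt" &&
    chains_to "$1/ca.pem" "$1/server.crt" &&
    key_matches "$1/cp_client.key" "$1/cp_client.crt" &&
    key_matches "$1/server.key" "$1/server.crt" &&
    p12_opens "$1/cp_client.p12" "$2"
}
```

Running check_bundle against the directory that holds the real files returns a non-zero status if any check fails, which is cheaper to find here than as a failed TLS handshake after cp_log_export is configured.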