
Initial Configuration

SmartEvent and SmartReporter components require secure internal communication (SIC) with the Management server, either a Security Management Server or a Domain Management Server.

Once connectivity is established, install SmartEvent and SmartReporter and perform the initial configuration.

Related Topics

Licenses

Initial Configuration of SmartEvent and SmartReporter Clients

Enabling Connectivity with Multi-Domain Security Management

Incorporating Third-Party Devices

Licenses

Check Point software is activated with a License Key. You can obtain this License Key by registering the Certificate Key that appears on the back of the software media pack, in the Check Point User Center.

The Certificate Key is used in order to receive a License Key for products that you are evaluating.

In order to purchase the required Check Point products, contact your reseller.

Check Point software that has not yet been purchased will work for a period of 15 days. You are required to go through the User Center in order to register this software.

  1. Activate the Certificate Key shown on the back of the media pack in the Check Point User Center.

    The Certificate Key activation process consists of:

    • Adding the Certificate Key
    • Activating the products
    • Choosing the type of license
    • Entering the software details

    Once this process is complete, a License Key is created and made available to you.

  2. Once you have a new License Key, you can start the installation and configuration process. During this process, you will be required to:
    • Read the End User License Agreement and, if you accept it, select Yes.
    • Import the license that you obtained from the User Center for the product that you are installing.

    Licenses are imported via the Check Point Configuration Tool.

    The License Keys tie the product license to the IP address of the SmartEvent server. This means that:

    • Only one IP address is needed for all licenses.
    • All licenses are installed on the SmartEvent server.

Initial Configuration of SmartEvent and SmartReporter Clients

The final stage of getting started with SmartEvent and SmartReporter is the initial configuration of the clients. After you install SmartConsole according to the instructions in the R76 Release Notes and R76 Installation and Upgrade Guide:

  1. For SmartEvent:
    • Define the Internal Network and Correlation Units
    • Install the Event Policy

    Events will begin to appear in the SmartEvent client.

  2. For SmartReporter, create consolidation sessions.

    Consolidated logs are now written to the SmartReporter database, and reports can be created from them.

Defining the Internal Network for SmartEvent

To help SmartEvent determine whether events have originated internally or externally, the Internal Network must be defined. Certain network objects are copied from the Management server to the SmartEvent server during the initial sync and updated afterwards periodically. Define the Internal Network from these objects.

To define the Internal Network, do the following:

  1. Start the SmartEvent client.
  2. From the Policy view, select General Settings > Initial Settings > Internal Network.
  3. Add internal objects.

    Note - Add all internal Network objects rather than individual Host objects.

Defining Correlation Units and Log Servers for SmartEvent

  1. From the Policy view of the SmartEvent client, select General Settings > Initial Settings > Correlation Units.
  2. Select Add.
  3. Click the [...] symbol and select a Correlation Unit from the displayed window.
  4. Select OK.
  5. Click Add and select the Log servers available as data sources to the Correlation Unit from the displayed window.
  6. Select Save.
  7. From the Actions menu, select Install Events Policy.

Once the Correlation Units and Log servers are defined, and the Events Policy installed, SmartEvent will begin reading logs and detecting events.

To learn to manage and fine-tune the system through the SmartEvent client, see SmartEvent client.

Creating a Consolidation Session for SmartReporter

The consolidation session reads logs from the log server and adds them to the SmartReporter database. If there is a single log server connected to a Security Management Server, a consolidation session will automatically be created to read newly generated logs. If multiple log servers connect to one management server, users must manually define consolidation sessions for each log server.

When you create a Consolidation session, you choose the log server from which information is extracted and the database table in which the consolidated information is stored.

  1. In the Selection Bar view, select Management > Consolidation.
  2. Select the Sessions tab.
  3. Click the Create New... button to create a new session.

    The New Consolidation Session - Select Log Server window appears.

  4. Select the log server from which logs will be collected and will be used to generate reports.
  5. Click Next.

    The New Consolidation Session - Select Log Files and database for consolidation session window appears.

  6. Choose whether to use the default source logs and default database tables or select specific source logs and specific database tables for consolidation.

If you select Select default log files and database, click Finish to complete the process. This option means that the source of the reports is the preselected logs and that all the information is stored in the default database table named CONNECTIONS. The preselected logs are the sequence of log files generated by Check Point products. The preselected logs session begins at the start of the last file in the sequence, or at the point where the sequence was stopped.

If you want to customize the Consolidation session, refer to the R76 SmartReporter Administration Guide.

Enabling Connectivity with Multi-Domain Security Management

In a Multi-Domain Security Management environment, the SmartEvent server can be configured to analyze the log information for any or all of the Domain Management Servers on the Multi-Domain Server. In order to do this, the SmartEvent server database must contain all of the network objects from each of the Domain Management Servers and then be configured to gather logs from the selected log servers.

Installing the Network Objects in the SmartEvent Database

  1. From the SmartDomain Manager, open the Global SmartDashboard.
  2. In the Global SmartDashboard, create a Host object for the SmartEvent server.
  3. Configure the object as a SmartEvent server and Log server.
  4. Save the Global Policy.
  5. Close the Global SmartDashboard.
  6. In the Multi-Domain Security Management client, assign the Global Policy to the Domains with which you will use SmartEvent.

Configuring SmartEvent to work with Multi-Domain Security Management

  1. In the SmartEvent client, select Policy > General Settings > Objects > Domains and add all of the Domains with which you will be working.

    Objects are synchronized from the Domain Management Servers. This may take some time.

  2. Select Policy > General Settings > Objects > Network Objects, and add networks and hosts that are not defined in the Domain Management Servers.
  3. Select Policy > General Settings > Initial Settings > Internal Network, and add the networks and hosts that are part of the Internal Network.
  4. Select Policy > General Settings > Initial Settings > Correlation Units, click Add and select the SmartEvent Correlation Unit and its Log servers. For traffic logs, select the relevant Domain Log Server or Multi-Domain Log Server. For audit logs, select the relevant Domain Management Server.
  5. Install the Event Policy.

Incorporating Third-Party Devices

Syslog Devices

Various third-party devices use the syslog format for logging. SmartEvent and SmartReporter can process third-party syslog messages by reformatting the raw data. As the reformatting process should take place on the SmartEvent or SmartReporter computer, it is recommended to enable a Log server on one of them. Direct all third-party syslog traffic to this Log server.

  1. Connect to the Management server using SmartDashboard and edit the properties of the SmartEvent or SmartReporter object. For that object only, enable the property Log Server under Check Point Products. For the purposes of this section, this object will be referred to as the "syslog Log server."
  2. Open Logs and Masters > Additional Logging.
  3. Enable the property Accept Syslog messages.
  4. To enable the log server properties on the SmartEvent server, select SmartDashboard > Policy > Install Database. Select the SmartEvent server as one of the targets.
  5. On the third-party device, configure syslogs to be sent to the syslog Log server.
  6. On the Management server, create this rule in the Rule Base.
    • Source - Third-party devices that issue syslog messages
    • Destination - syslog Log Server
    • Service - UDP syslog
  7. On the SmartEvent client, add the syslog Log server to a Correlation Unit, if not already enabled.
  8. Install the Event Policy on the SmartEvent server.
  9. Reboot the syslog Log server.

Windows Events

Check Point Windows Event Service is a Windows service application. It reads Windows events, normalizes the data, and places the data in the Check Point Log Server. SmartEvent processes this data. The service can only be installed on a Windows machine, but it does not have to be the machine running SmartEvent. Thus, Windows events can be processed even if SmartEvent is installed on a different platform.

How Windows Event Service Works

Check Point Windows Event Service is given the addresses of the Windows computers that it will read and the address of the Log server to which it will write. It reads one Windows event at a time, converts the fields of the event according to configuration files, and stores the Windows event as a log in the Log server.

Check Point Windows Event Service is first installed as a service on the user machine and the user provides a user name and password. The user name can be a domain administrator responsible for the endpoint computer or a local administrator on the endpoint computer.

Check Point Windows Event Service requires trust to be established so it can communicate with the Log server.

Sending Windows Events to SmartEvent

In SmartDashboard, create an OPSEC object for Windows Event Service:

  1. Open Manage > Servers and OPSEC Applications.

    The Servers and OPSEC Applications window appears.

  2. Select New > OPSEC Application.
  3. Enter the name of the application that will send log files to SmartEvent.
  4. Click on New to create a Host.
  5. Enter a name and the IP address of the machine that will run WinEventToCPLog, and click OK.
  6. Under Client Entities, select ELA.
  7. Select Communication.
  8. Enter an Activation Key, repeat it in the confirmation line, and keep a record of it for later use.
  9. Click Initialize. The system should report the trust state as Initialized but trust not established.
  10. Click Close.
  11. Click OK.

From the File menu, select Save.

Note - Make sure that Firewall rules allow ELA traffic between the Windows computer and the log server.

On the Windows host, configure the Windows service to send logs to SmartEvent:

  1. Install the WinEventToCPLog package from the Check Point DVD.
  2. When the installation completes, restart the machine.
  3. Open a command prompt window and go to this location:

    C:\Program Files\CheckPoint\WinEventToCPLog\R65\bin

    On 64 bit computers the path starts with C:\Program files (x86).

  4. Run: windowEventToCPLog -pull_cert
    1. Enter the IP address of the management server.
    2. Enter the name of the corresponding OPSEC Application object that you created in SmartDashboard for the Windows events.
    3. Enter the Activation Key of the OPSEC object.
  5. Restart the Check Point Windows Event Service.
  6. If this machine is running a log server then install the Event Policy on this machine.

In SmartDashboard, establish the trust relationship between the Security Management Server and the Windows host:

  1. Edit the OPSEC Application that you created in SmartDashboard for the Windows events.
  2. Select Communication and verify that the trust state is Trust Established.
  3. From the Policy menu, select Install Database.

On each machine that will send Windows Events, configure the Windows Audit Policy:

  1. From the Start menu, select Settings > Control Panel > Administrative Tools > Local Security Policy > Local Policies > Audit Policy.
  2. Make sure that the Security Setting for the policy Audit logon events is set to Failure. If not, double-click the policy and select Failure.
  3. Open a command prompt window and go to this path:
    C:\Program Files\CheckPoint\WinEventToCPLog\R65\bin

    On 64 bit computers, the path starts with C:\Program files (x86).

  4. Run the following commands:

    • windowEventToCPLog -l <ipaddr>, where <ipaddr> is the IP address of the Log Server that will receive the Windows Events.
    • windowEventToCPLog -a <ipaddr>, where <ipaddr> is the IP address of each machine that will send Windows Events.
    • windowEventToCPLog -s, which prompts you for the administrator name and password to be registered with the windowEventToCPLog service.

The administrator that runs the windowEventToCPLog service must have permission to access and read logs from the IP addresses defined in this procedure. These are the IP addresses of the computers that send Windows events.

When you configure windowEventToCPLog to read Windows events from a remote machine, make sure that the administrator can access the remote computer's events. To check this, log in as that administrator and try to read the events from the remote machine with the Microsoft Event Viewer.
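The command-line part of this procedure, scripted as an added example (not Check Point's own code and not from the original page). Run in an elevated PowerShell session on the host that runs WinEventToCPLog, it locates the bin directory on 32-bit and 64-bit Windows, displays the logon audit setting, verifies that the current account can read the Security log on every event source (the check the previous paragraph describes), and then runs the -l, -a and -s commands and restarts the service. The executable name windowEventToCPLog.exe and the IP addresses are assumptions; the -pull_cert step is interactive and is not repeated here.

```powershell
# Added example, not Check Point's own code. Scripts the -l / -a / -s part of
# the procedure and checks its prerequisites. Run as the administrator that
# will be registered with the service, in an elevated session.
#
# Assumptions: the executable is named windowEventToCPLog.exe (the page shows
# only "windowEventToCPLog"); the IP addresses are constructed placeholders.

$LogServerIp  = '192.0.2.10'                   # placeholder: Log Server that receives the events (-l)
$EventSources = @('192.0.2.21', '192.0.2.22')  # placeholder: machines whose events are read (-a)

# Step 3: locate the bin directory; 64-bit Windows installs under Program Files (x86).
$binDir = @($env:ProgramFiles, [Environment]::GetEnvironmentVariable('ProgramFiles(x86)')) |
    Where-Object { $_ } |
    ForEach-Object { Join-Path $_ 'CheckPoint\WinEventToCPLog\R65\bin' } |
    Where-Object { Test-Path (Join-Path $_ 'windowEventToCPLog.exe') } |
    Select-Object -First 1
if (-not $binDir) {
    throw 'windowEventToCPLog.exe not found; install the WinEventToCPLog package first.'
}
$exe = Join-Path $binDir 'windowEventToCPLog.exe'

# Step 2: show the effective logon audit setting so the operator can confirm
# that Failure is enabled. auditpol output is localized, so it is displayed
# rather than parsed.
auditpol /get /category:"Logon/Logoff"

# Prerequisite from the text: the account that runs the service must be able
# to read the Security log of every event source. Get-WinEvent uses the
# current credentials, so this must run as that administrator.
$unreadable = foreach ($src in $EventSources) {
    try {
        $null = Get-WinEvent -ComputerName $src -LogName Security -MaxEvents 1 -ErrorAction Stop
    } catch {
        Write-Warning "Cannot read the Security log on ${src}: $($_.Exception.Message)"
        $src   # collected into $unreadable
    }
}
if ($unreadable) {
    throw "Fix Security log access for: $($unreadable -join ', ') before registering the sources."
}

# Step 4: register the Log Server, then every event source.
& $exe -l $LogServerIp
if ($LASTEXITCODE -ne 0) { throw "windowEventToCPLog -l failed with exit code $LASTEXITCODE" }

foreach ($src in $EventSources) {
    & $exe -a $src
    if ($LASTEXITCODE -ne 0) { throw "windowEventToCPLog -a $src failed with exit code $LASTEXITCODE" }
}

# -s prompts interactively for the administrator name and password. It is left
# interactive on purpose so the password never lands in a script or history.
& $exe -s

# Restart the service so it picks up the new configuration; it is matched by
# the display name the text uses.
Get-Service | Where-Object { $_.DisplayName -like '*Windows Event Service*' } | Restart-Service -Verbose
```

The remote-read check is placed before registration on purpose: an -a entry for a machine whose Security log the account cannot read produces no events and no obvious error in SmartEvent, so it is cheaper to find the permission problem here than in the Correlation Unit later.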

SNMP Traps

To convert SNMP traps to the cplog format, the machine must first be registered as a server that accepts SNMP traps. Run the following commands on a SmartEvent computer:

  1. snmpTrapToCPLog -r
  2. For each machine from which you want to read SNMP traps: snmpTrapToCPLog -a <IPaddress>
  3. cpstop
  4. cpstart
 
©2013 Check Point Software Technologies Ltd. All rights reserved.