Configuring the SmartEvent components in the First Time Configuration Wizard

Configure the components of the dedicated server for SmartEvent on a Smart-1 appliance, or on an open server.

To configure the SmartEvent components:

  1. Connect to the SmartEvent Server Portal:
    https://<ServerIP>
  2. Run the First Time Configuration Wizard.

    To learn how to run the First Time Configuration Wizard, see the R80.20 Installation and Upgrade Guide.

  3. On the Installation Type page, select Security Management.
  4. On the Products page:
    • On a Smart-1, select Dedicated Server and SmartEvent.
    • On an open server, select Log Server / SmartEvent only.
  5. Install the R80.20 SmartConsole GUI client.

    R80.20 SmartConsole has the Logs & Monitor catalog of views, which includes the views in the SmartEvent GUI.

Connecting R80.20 SmartEvent to R80.20 Security Management Server

This procedure explains how to configure a dedicated server for these components:

To connect R80.20 SmartEvent Server and SmartEvent Correlation Unit to R80.20 Security Management Server:

  1. In SmartConsole, create a new Check Point host object for the SmartEvent Server.
  2. Create an SIC trust with the SmartEvent Server.
  3. Select Version R80.20.
  4. On the Management tab, enable these Software Blades:
    • Logging & Status
    • SmartEvent Server (if applicable)
    • SmartEvent Correlation Unit
  5. On a dedicated SmartEvent Server that is not a Log Server: In the Logs page, make sure that Enable Log Indexing is not selected. This ensures that Firewall connections (which are not relevant for views and reports) are not indexed.
  6. Click OK.
  7. Click Publish.
  8. Click Install Database.
  9. Advanced Configuration for a dedicated SmartEvent Server that is also a Correlation Unit:
    1. Open the SmartEvent GUI:
      1. In SmartConsole > Logs & Monitor, click + to open a catalog (new tab).
      2. Click SmartEvent Settings & Policy.
    2. In Policy tab > Correlation Units, define a Correlation Unit object.
    3. Select the production Log Servers and local log server on the SmartEvent Server to read logs from.
    4. In Policy tab > Internal Network, define the internal Network.
    5. For R77.xx and lower Gateways: Optional - Enable the Network Activity report.

      The Network Activity report gives information about Firewall connections. For example, top sources, destinations, and services. To create this report, SmartEvent must make an index of the Firewall logs.

      To enable this report, on the SmartEvent GUI Policy tab, select and enable
      Consolidated Sessions > Firewall Session.

    6. Click Save.
    7. Install the Event Policy on the Correlation Unit: SmartEvent menu > Actions > Install Event Policy.

Connecting R80.20 SmartEvent to R77.xx Security Management Server

This procedure explains how to configure a dedicated server for these components:

To connect R80.20 SmartEvent Server and SmartEvent Correlation Unit to an R77.xx Security Management Server:

  1. Open an SSH connection to the SmartEvent Server.
  2. Run this script:
    $RTDIR/scripts/SmartEvent_R80_change_dbsync_mode.sh
  3. Wait until the script has finished running. The script is finished when cpstart has completed and the prompt returns.
  4. Run: cpconfig
  5. Select (2) Administrator to configure the SmartEvent Server administrators.

    Note – Administrators that are configured in R77.xx SmartConsole cannot manage the R80.20 SmartEvent Server.

  6. In SmartConsole, create a Check Point Host object for the SmartEvent Server R80.20.
  7. Open the R77.xx SmartConsole.
  8. Create an SIC trust between the Security Management Server and the new server for SmartEvent R80.20.
  9. Define it with the highest version available and ignore the Warning message.
  10. For a dedicated SmartEvent Correlation Unit that is not a SmartEvent Server: In the Logs page, click Enable SmartLog.
  11. In the Check Point Host > Management tab, enable these Software Blades:
    • Logging & Status
    • SmartEvent Server (if applicable)
    • SmartEvent Correlation Unit
  12. Click OK.
  13. Click File > Policies > Install Database.
  14. Wait until the server synchronizes and loads SmartEvent.
  15. Advanced Configuration for a dedicated SmartEvent Server that is also a Correlation Unit:
    1. Open the R80.20 SmartConsole to the IP address of the SmartEvent Server:
      1. In SmartConsole > Logs & Monitor, click + to open a catalog (new tab).
      2. Click SmartEvent Settings & Policy.
    2. In Policy tab > Correlation Units, define a SmartEvent Correlation Unit object.
    3. Select the production Log Servers and local Log Server on the SmartEvent Server that will send logs to the SmartEvent Correlation Unit.
    4. In Policy tab > Internal Network, define the internal Network.
    5. Optional: For R77.30 Gateways and lower - Enable the Network Activity report.

      The Network Activity report gives information about Firewall connections. For example, top sources, destinations, and services. To create this report, SmartEvent must make an index of the Firewall logs.

      To enable this report, on the SmartEvent GUI Policy tab, select and enable
      Consolidated Sessions > Firewall Session.

      Note: This configuration increases the number of events a day by five. This can have a performance effect.

    6. Click Save.
    7. Install the Event Policy on the SmartEvent Correlation Unit: SmartEvent menu > Actions > Install Event Policy.

Connecting R80.20 SmartEvent to R80.20 Multi-Domain Server

You can configure a dedicated R80.20 server for SmartEvent components, and connect them to one or more Domains in an R80.20 Multi-Domain Security Management environment.

This procedure explains how to configure a dedicated server for these SmartEvent components:

Notes:

To connect R80.20 SmartEvent Server and SmartEvent Correlation Unit to an R80.20 Multi-Domain Server:

  1. Open SmartConsole.
  2. Log in to the global Domain:
    • In the SmartConsole login window, enter the Multi-Domain Server IP address or host name.
    • Select the global Domain from the list (\Global).
  3. Create a Check Point Host object for SmartEvent R80.
  4. In the Check Point Host > Management, select these Management Blades:
    • Logging & Status
    • SmartEvent Server (if applicable)
    • SmartEvent Correlation Unit
  5. Initialize SIC with the new SmartEvent R80.20 Server.
  6. Click OK.
  7. Click Publish.
  8. Reassign the global Policy for the Domains that use SmartEvent. For new Domains, create a new global assignment.
  9. In each Domain Management Server, open SmartConsole.
  10. Click Menu > Install Database, on each Domain Management Server and Domain Log Servers.
  11. Wait until the server synchronizes and loads the SmartEvent process.
  12. Advanced Configuration for a dedicated SmartEvent Server that is also a Correlation Unit:
    1. Open SmartConsole and connect to the SmartEvent Server.
    2. Launch the SmartEvent GUI client:
      1. In the Logs & Monitor view, click on + to open a catalog (new tab).
      2. Click the SmartEvent Settings & Policy link.

      Note - The primary GUI application is the R80.20 SmartConsole. With R80.20, some configurations can be done only in the SmartEvent GUI client.

    3. If SmartEvent is connected to a Multi-Domain Server, in Policy tab > Domains, define the required domains to connect to.
    4. In Policy tab > Correlation Units, define a SmartEvent Correlation Unit object.
    5. Select the production Log Servers and local Log Server on the SmartEvent Server to read logs from.
    6. In Policy tab > Internal Network, define the internal Network.
    7. Optional: Enable the Network Activity report.

      The Network Activity report gives information about Firewall connections. For example, top sources, destinations, and services. To create this report, SmartEvent must make an index of the Firewall logs.

      To enable this report, on the SmartEvent GUI Policy tab, select and enable
      Consolidated Sessions > Firewall Session.

      Note: This configuration increases the number of events a day by five. This can have a performance effect.

    8. Click Save.
    9. Install the Event Policy on the Correlation Unit: SmartEvent menu > Actions > Install Event Policy.

Connecting R80.20 SmartEvent to R77.xx Multi-Domain Server

You can connect R80.20 SmartEvent components to one or more Domains in an R77.xx Multi-Domain Security Management environment.

This procedure explains how to configure a dedicated server for these components:

Configure SmartEvent to read logs from one domain or a number of domains.

To connect R80.20 SmartEvent Server and SmartEvent Correlation Unit to an R77.xx Multi-Domain Server:

  1. Open an SSH connection to the Correlation Unit server.
  2. Run this script: $RTDIR/scripts/SmartEvent_R80_change_dbsync_mode.sh
  3. Wait until the script has finished running. The script is finished when cpstart has completed and the prompt returns.
  4. Open R77.xx SmartDomain Manager.
  5. Log in to the global Domain:
  6. Create a Check Point Host object for the dedicated server for SmartEvent Server R80.20. Define it with the highest version possible, and ignore the Warning message.
  7. In the Check Point Host > Management, select these Management Blades:
    • Logging & Status
    • SmartEvent Server (if applicable)
    • SmartEvent Correlation Unit
  8. Initialize SIC between the Multi-Domain Server and the new server for SmartEvent R80.20.
  9. For a dedicated SmartEvent Correlation Unit that is not a SmartEvent Server: In the Logs page, click Enable Log Indexing.
  10. Click OK.
  11. Click Save.
  12. Reassign the global Policy for the Domains that use SmartEvent. For new Domains, create a new global assignment.
  13. In each Domain Management Server, open SmartConsole.
  14. Click Menu > Install Database, on each Domain Management Server and Domain Log Server.
  15. Wait until the server synchronizes and loads SmartEvent.
  16. Advanced Configuration for a dedicated SmartEvent Server that is also a Correlation Unit:
    1. Open R80.20 SmartConsole.
    2. Launch the SmartEvent GUI client.
      1. In the Logs & Monitor view, click on + to open a catalog (new tab).
      2. Click the SmartEvent Settings & Policy link.

      Note - The primary GUI application is the R80.20 SmartConsole. With R80.20, some configurations can be done only in the SmartEvent GUI client.

    3. If SmartEvent is connected to a Multi-Domain Server, in Policy tab > Domains, define the required domains to connect to.
    4. In Policy tab > Correlation Units, define a Correlation Unit object.
    5. Select the production Log Servers and local log server on the SmartEvent Server to read logs from.
    6. In Policy tab > Internal Network, define the internal Network.
    7. For R77.xx and lower Gateways: Optional - Enable the Network Activity report.

      The Network Activity report gives information about Firewall connections. For example, top sources, destinations, and services. To create this report, SmartEvent must make an index of the Firewall logs.

      To enable this report, on the SmartEvent GUI Policy tab, select and enable
      Consolidated Sessions > Firewall Session.

      Note: This configuration increases the number of events a day by five. This can have a performance effect.

    8. Click Save.
    9. Install the Event Policy on the Correlation Unit: SmartEvent menu > Actions > Install Event Policy.