Configuring the SmartEvent components in the First Time Configuration Wizard
Configure the components of the dedicated server for SmartEvent on a Smart-1 appliance, or on an open server.
To configure the SmartEvent components:
- Connect to the SmartEvent Server Portal:
https://<ServerIP>
- Run the .
To learn how to run the First Time Configuration Wizard, see the R80.20 Installation and Upgrade Guide.
- On the page, select .
- On the page:
- On a Smart-1 , select and .
- On an open server select
- Install the R80.20 SmartConsole GUI client.
R80.20 SmartConsole has the Logs & Monitor catalog of views, which includes the views in the SmartEvent GUI.
Connecting R80.20 SmartEvent to R80.20 Security Management Server
This procedure explains how to configure a dedicated server for these components:
- SmartEvent Server and SmartEvent Correlation Unit
- SmartEvent Correlation Unit
To connect R80.20 SmartEvent Server and SmartEvent Correlation Unit to R80.20 Security Management Server:
- In SmartConsole, create a new Check Point host object for the SmartEvent Server.
- Create an SIC trust with the SmartEvent Server.
- Select R80.20.
- On the tab, enable these Software Blades:
- On a dedicated SmartEvent Server that is not a Log Server: In the page, make sure that is not selected. This ensures that Firewall connections (which are not relevant for views and reports) are not indexed.
- Click .
- Click .
- Click .
- Advanced Configuration for a dedicated SmartEvent Server that is also a Correlation Unit:
- Open the SmartEvent GUI:
- In > , click to open a catalog (new tab).
- Click .
- In > , define a Correlation Unit object.
- Select the production Log Servers and local log server on the SmartEvent Server to read logs from.
- In > , define the internal Network.
- For R77.xx and lower Gateways: Optional - Enable the report.
The report gives information about Firewall connections. For example, top sources, destinations, and services. To create this report, SmartEvent must make an index of the Firewall logs.
To enable this report, on the SmartEvent GUI tab, select and enable
.
- Click .
- Install the Event Policy on the Correlation Unit: menu > > .
Connecting R80.20 SmartEvent to R77.xx Security Management Server
This procedure explains how to configure a dedicated server for these components:
- SmartEvent Server and SmartEvent Correlation Unit
- SmartEvent Correlation Unit
To connect R80.20 SmartEvent Server and SmartEvent Correlation Unit to an R77.xx Security Management Server:
- Open an SSH connection to the SmartEvent Server.
- Run this script:
$RTDIR/scripts/SmartEvent_R80_change_dbsync_mode.sh
- Wait until the script has finished running. This is when cpstart has finished and you have a prompt.
- Run:
cpconfig
- Select (2) Administrator to configure the SmartEvent Server administrators.
Note – Administrators that are configured in R77.xx SmartConsole cannot manage the R80.20 SmartEvent Server.
- In SmartConsole, create a Check Point Host object for the SmartEvent Server R80.20.
- Open the R77.xx SmartConsole.
- Create an SIC trust between the Security Management Server and the new server for SmartEvent R80.20.
- Define it with the highest version available and ignore the Warning message.
- For a dedicated SmartEvent Correlation Unit that is not a SmartEvent Server: In the page, click .
- In the > tab, enable these Software Blades:
- Click .
- Click > > .
- Wait until the server synchronizes and loads SmartEvent.
- Advanced Configuration for a dedicated SmartEvent Server that is also a Correlation Unit:
- Open the R80.20 SmartConsole to the IP address of the SmartEvent Server:
- In > , click to open a catalog (new tab).
- Click .
- In > , define a SmartEvent Correlation Unit object.
- Select the production Log Servers and local Log Server on the SmartEvent Server that will send logs to the SmartEvent Correlation Unit.
- In > , define the internal Network.
- Optional: For R77.30 Gateways and lower - Enable the report.
The report gives information about Firewall connections. For example, top sources, destinations, and services. To create this report, SmartEvent must make an index of the Firewall logs.
To enable this report, on the SmartEvent GUI tab, select and enable
>.
Note: This configuration increases the number of events a day by five. This can have a performance effect.
- Click .
- Install the Event Policy on the SmartEvent Correlation Unit: menu > > .
Connecting R80.20 SmartEvent to R80.20 Multi-Domain Server
You can configure a dedicated R80.20 server for SmartEvent components, and connect them to one or more Domains in an R80.20 Multi-Domain Security Management environment.
This procedure explains how to configure a dedicated server for these SmartEvent components:
- SmartEvent Server and SmartEvent Correlation Unit
- SmartEvent Correlation Unit
Notes:
- In an R80 Multi-Domain Security Management environment, you can define the SmartEvent Server and SmartEvent Correlation Units only at the global level, not at the domain level.
- Configure SmartEvent to read logs from one domain or a number of domains.
To connect R80.20 SmartEvent Server and SmartEvent Correlation Unit to an R80.20 Multi-Domain Server:
- Open SmartConsole.
- Log in to the global Domain:
- In the SmartConsole login window, enter the Multi-Domain Server IP address or host name.
- Select the global Domain from the list (\Global).
- Create a Check Point Host object for .
- In the > , select these Management Blades:
- Initialize SIC with the new SmartEvent R80.20 Server.
- Click .
- Click .
- Reassign the global Policy for the Domains that use SmartEvent. For new Domains, create a new global assignment.
- In each Domain Management Server, open SmartConsole.
- Click > , on each Domain Management Server and Domain Log Servers.
- Wait until the server synchronizes and loads the SmartEvent process.
- Advanced Configuration for a dedicated SmartEvent Server that is also a Correlation Unit:
- Open SmartConsole and connect to the SmartEvent Server.
- Launch the SmartEvent GUI client:
- In the view, click on to open a catalog (new tab).
- Click the link.
Note - The primary GUI application is the R80.20 SmartConsole. With R80.20, some configurations can be done only in the SmartEvent GUI client.
- If SmartEvent is connected to a Multi-Domain Server, in tab > , define the required domains to connect to.
- In > , define a SmartEvent Correlation Unit object.
- Select the production Log Servers and local Log Server on the SmartEvent Server to read logs from.
- In > , define the internal Network.
- Optional: Enable the report.
The report gives information about Firewall connections. For example, top sources, destinations, and services. To create this report, SmartEvent must make an index of the Firewall logs.
To enable this report, on the SmartEvent GUI tab, select and enable
>.
Note: This configuration increases the number of events a day by five. This can have a performance effect.
- Click .
- Install the Event Policy on the Correlation Unit: menu > > .
Connecting R80.20 SmartEvent to R77.xx Multi-Domain Server
You can connect R80.20 SmartEvent components to one or more Domains in an R77.xx Multi-Domain Security Management environment.
This procedure explains how to configure a dedicated server for these components:
- SmartEvent Server and SmartEvent Correlation Unit
- SmartEvent Correlation Unit
Configure SmartEvent to read logs from one domain or a number of domains.
To connect R80.20 SmartEvent Server and SmartEvent Correlation Unit to an R77.xx Multi-Domain Server:
- Open an SSH connection to the Correlation Unit server.
- Run this script:
$RTDIR/scripts/SmartEvent_R80_change_dbsync_mode.sh
- Wait until the script has finished running. This is when cpstart has finished and you have a prompt.
- Open R77.xx SmartDomain Manager.
- Log in to the global Domain:
- Create a Check Point Host object for the dedicated server for SmartEvent Server R80.20. Define it with the highest version possible, and ignore the Warning message.
- In the > , select these Management Blades:
- Initialize SIC between the Multi-Domain Server and the new server for SmartEvent R80.20.
- For a dedicated SmartEvent Correlation Unit that is not a SmartEvent Server: In the page, click .
- Click .
- Click .
- Reassign the global Policy for the Domains that use SmartEvent. For new Domains, create a new global assignment.
- In each Domain Management Server, open SmartConsole.
- Click > , on each Domain Management Server and Domain Log Server.
- Wait until the server synchronizes and loads SmartEvent.
- Advanced Configuration for a dedicated SmartEvent Server that is also a Correlation Unit:
- Open R80.20 SmartConsole.
- Launch the SmartEvent GUI client.
- In the view, click on to open a catalog (new tab).
- Click the link.
Note - The primary GUI application is the R80.20 SmartConsole. With R80.20, some configurations can be done only in the SmartEvent GUI client.
- If SmartEvent is connected to a Multi-Domain Server, in tab > , define the required domains to connect to.
- In > , define a Correlation Unit object.
- Select the production Log Servers and local log server on the SmartEvent Server to read logs from.
- In > , define the internal Network.
- For R77.xx and lower Gateways: Optional - Enable the report.
The report gives information about Firewall connections. For example, top sources, destinations, and services. To create this report, SmartEvent must make an index of the Firewall logs.
To enable this report, on the SmartEvent GUI tab, select and enable
.
Note: This configuration increases the number of events a day by five. This can have a performance effect.
- Click .
- Install the Event Policy on the Correlation Unit: menu > > .