Connecting R81 SmartEvent to R81 Security Management Server

This procedure explains how to configure a dedicated server for these components:

• SmartEvent Server Dedicated Check Point server with the enabled SmartEvent Software Blade that hosts the events database. and SmartEvent Correlation Unit SmartEvent software component on a SmartEvent Server that analyzes logs and detects events.

Note - For information on how to install a dedicated SmartEvent Server, see the R81 Installation and Upgrade Guide.

To connect R81 SmartEvent Server and SmartEvent Correlation Unit to R81 Security Management Server:

1. In SmartConsole Check Point GUI application used to manage a Check Point environment - configure Security Policies, configure devices, monitor products and events, install updates, and so on., create a new Check Point Host object for the dedicated SmartEvent Server.

2. In the Version field, select R81.

3. Create a SIC Secure Internal Communication. The Check Point proprietary mechanism with which Check Point computers that run Check Point software authenticate each other over SSL, for secure communication. This authentication is based on the certificates issued by the ICA on a Check Point Management Server. trust with the dedicated SmartEvent Server.

4. On the Management tab, enable these Software Blades:

   • Logging & Status

   • SmartEvent Server

   • SmartEvent Correlation Unit

5. On a dedicated SmartEvent Server that is not a Log Server Dedicated Check Point server that runs Check Point software to store and process logs. (recommended):

   In the Logs page, make sure that Enable Log Indexing is not selected.

   This ensures that Firewall connections (which are not relevant for views and reports) are not indexed.

6. Click OK.

7. Publish the SmartConsole session.

8. Click Menu > Install Database > select all objects > click Install.

Note - For Security Gateways R77.30 and lower: activate the Firewall session for the network activity report Summary of network activity and Security Policy enforcement that is generated by Check Point products, such as SmartEvent.. See Exporting Views and Reports.

Advanced Configuration for a dedicated SmartEvent Server that is also a Correlation Unit

1. Open the SmartEvent GUI:

   1. In SmartConsole > Logs & Monitor, click + to open a catalog (new tab).

   2. Click SmartEvent Settings & Policy.

2. In Policy tab > Correlation Units, define a Correlation Unit object.

3. Select the production Log Servers and local Log Server on the SmartEvent Server to read logs from.

4. In Policy tab > Internal Network, define the internal Network.

5. Click Save.

6. Install the Event Policy Set of rules that define the behavior of SmartEvent. on the Correlation Unit:

   SmartEvent menu > Actions > Install Event Policy.