Deploying SmartEvent

SmartEvent ServerClosed Dedicated Check Point server with the enabled SmartEvent Software Blade that hosts the events database. is integrated with the Security Management ServerClosed Dedicated Check Point server that runs Check Point software to manage the objects and policies in a Check Point environment within a single management Domain. Synonym: Single-Domain Security Management Server. architecture. It communicates with Log Servers to read and analyze logs. You can enable SmartEvent on the Security Management ServerClosed Check Point Single-Domain Security Management Server or a Multi-Domain Security Management Server. or deploy it as a dedicated server.

Only a Security Management Server can also work as a SmartEvent Server. In a Multi-Domain environment, you must install SmartEvent on a dedicated server.

You must execute the Install Database function on the remote SmartEvent Server when you:

  • Enable or disable a SmartEvent Server blade, including Log Indexing in a server object.

  • Add a new SmartEvent Server to the system.

  • Change a SmartEvent Server log settings or make any other SmartEvent Server object change.

  • Change anything in the Global Properties that might affect the SmartEvent Server.

SmartEvent Licensing

You can deploy SmartEvent in these ways:

  • As part of the SmartEvent - A renewable one year license is included with the SmartEvent package.

  • As a dedicated server - You can purchase a perpetual license for a SmartEvent Server.

Enabling SmartEvent on the Security Management Server

  1. Open SmartConsoleClosed Check Point GUI application used to manage a Check Point environment - configure Security Policies, configure devices, monitor products and events, install updates, and so on..

  2. From the left navigation panel, click Gateways & Servers.

  3. Open the Security Management Server object.

  4. On the Management tab, enable these Software Blades:

    • Logging & Status

    • SmartEvent Server

    • SmartEvent Correlation Unit

  5. Click OK.

  6. Publish the SmartConsole session.

Note - For Security Gateways R77.30 and lower, you must activate the Firewall session for the network activity reportClosed Summary of network activity and Security Policy enforcement that is generated by Check Point products, such as SmartEvent.. See Exporting Views and Reports.

Note - When the trial license of SmartEvent expires, and after adding a new license, the Security Management Server does not accept any connection.

To resolve this issue: stop and start the Security Management Server (run cpstop;cpstart) after adding the new license.

System Requirements

For versions earlier than R81, the SmartEvent Server from one version can be managed by multiple management versions.

Management Server support for SmartEvent Server

 

Management Server version

SmartEvent Server version

R77.30

R80

R80.10

R80.20
(all)

R80.30

R80.40

R81

R77.30
R80
R80.10
R80.20 (all)
R80.30
R80.40
R81

Starting from R81, SmartEvent server can only be managed by a Security Management Serverof the same version. Managing SmartEvent by a lower version of the Security Management Server is no longer supported.

To use SmartEvent, see the requirements in the R81 Release Notes.

Installing a Dedicated SmartEvent Server

For information on how to install a SmartEvent Server, see the R81 Installation and Upgrade Guide.

  1. Download the installation ISO file.

  2. Install the ISO on a Smart-1 appliance or an open server.

    Allocate partition size:

    • Root partition: at least 20 GB

    • Logs partition: more than allocated for Root and backup (set maximum possible) to let the server keep a long history.

  3. When prompted, reboot.

  4. Run the GaiaClosed Check Point security operating system that combines the strengths of both SecurePlatform and IPSO operating systems. First Time Configuration Wizard.

Configuring the SmartEvent Components in the First Time Configuration Wizard

Configure the components of the dedicated server for SmartEvent on a Smart-1 appliance, or on an open server.

For information on how to install a SmartEvent Server, see the R81 Installation and Upgrade Guide.

Connecting R81 SmartEvent to R81 Security Management Server

This procedure explains how to configure a dedicated server for these components:

Note - For information on how to install a dedicated SmartEvent Server, see the R81 Installation and Upgrade Guide.

To connect R81 SmartEvent Server and SmartEvent Correlation Unit to R81 Security Management Server:

  1. In SmartConsole, create a new Check Point Host object for the dedicated SmartEvent Server.

  2. In the Version field, select R81.

  3. Create a SICClosed Secure Internal Communication. The Check Point proprietary mechanism with which Check Point computers that run Check Point software authenticate each other over SSL, for secure communication. This authentication is based on the certificates issued by the ICA on a Check Point Management Server. trust with the dedicated SmartEvent Server.

  4. On the Management tab, enable these Software Blades:

    • Logging & Status

    • SmartEvent Server

    • SmartEvent Correlation Unit

  5. On a dedicated SmartEvent Server that is not a Log ServerClosed Dedicated Check Point server that runs Check Point software to store and process logs. (recommended):

    In the Logs page, make sure that Enable Log Indexing is not selected.

    This ensures that Firewall connections (which are not relevant for views and reports) are not indexed.

  6. Click OK.

  7. Publish the SmartConsole session.

  8. Click Menu > Install Database > select all objects > click Install.

Note - For Security GatewaysR77.30 and lower: activate the Firewall session for the network activity report. See Exporting Views and Reports.

Advanced Configuration for a dedicated SmartEvent Server that is also a Correlation Unit

  1. Open the SmartEvent GUI:

    1. In SmartConsole > Logs & Monitor, click + to open a catalog (new tab).

    2. Click SmartEvent Settings & Policy.

  2. In Policy tab > Correlation Units, define a Correlation Unit object.

  3. Select the production Log Servers and local Log Server on the SmartEvent Server to read logs from.

  4. In Policy tab > Internal Network, define the internal Network.

  5. Click Save.

  6. Install the Event PolicyClosed Set of rules that define the behavior of SmartEvent. on the Correlation Unit:

    SmartEvent menu > Actions > Install Event Policy.

Connecting R81 SmartEvent to R81 Multi-Domain Server

You can configure a dedicated R81 server for SmartEvent components, and connect them to one or more Domains in an R81 Multi-Domain Security Management environment.

This procedure explains how to configure a dedicated server for these SmartEvent components:

  • SmartEvent Server and SmartEvent Correlation Unit

Notes:

  • From R81, you can configure the SmartEvent Server and SmartEvent Correlation Unit at the level of the Global Domain and at the level of a specific Domain.

  • Configure SmartEvent to read logs from one Domain or a number of Domains.

See also Advanced Configuration for a dedicated SmartEvent Server that is also a Correlation Unit in Connecting R81 SmartEvent to R81 Security Management Server.

Note - For Security Gateways R77.30 and lower: activate the Firewall session for the network activity report in Exporting Views and Reports.

Configuring SmartEvent to use a Non-Standard LEA Port

You can get logs from and send logs to a third-party Log Server. The Check PointLog Server and the third party Log Server use the LEA (Log Export API) protocol to read logs. By default, the Check PointLog Server uses port 18184 for this connection. If you configure the Log Server to use a different LEA port, you must manually configure the new port on the SmartEvent Server and on the SmartEvent Correlation Unit.

Note - This procedure is not relevant if you use Log Exporter

To change the default LEA port:

  1. Open $INDEXERDIR/log_indexer_custom_settings.conf in a text editor.

  2. Add this line to the file:

    :lea_port (<new_port_number>)

  3. Save the changes in the file and exit the editor.

  4. In the SmartEvent client, configure the new port on the Correlation Unit.

  5. In Policy tab > Correlation Units, configure the Correlation Unit to read logs from the local Log Server (on the SmartEvent Server).

  6. Install the EventClosed Record of a security or network incident that is based on one or more logs, and on a customizable set of rules that are defined in the Event Policy. Policy on the Correlation Unit: Actions > Install Event Policy

Configuring SmartEvent to read External Logs

To configure SmartEvent to read logs from an externally-managed Log Server or an external Security Management Server, see sk35288.

An externally managed Log Server is managed by a different Security Management Server than the one that manages the SmartEvent Server. An external Security Management Server is not the one that manages the SmartEvent Server.