Deploying SmartEvent
The SmartEvent Server (a dedicated Check Point server with the enabled SmartEvent Software Blade that hosts the events database) is integrated with the Security Management Server (a dedicated Check Point server that runs Check Point software to manage the objects and policies in a Check Point environment within a single management Domain; synonym: Single-Domain Security Management Server) architecture. It communicates with Log Servers to read and analyze logs. You can enable SmartEvent on the Security Management Server (a Check Point Single-Domain Security Management Server or a Multi-Domain Security Management Server) or deploy it as a dedicated server.
Only a Security Management Server can also work as a SmartEvent Server. In a Multi-Domain environment, you must install SmartEvent on a dedicated server.
You must execute the Install Database function on the remote SmartEvent Server when you:
- Enable or disable a SmartEvent Server blade, including Log Indexing in a server object.
- Add a new SmartEvent Server to the system.
- Change a SmartEvent Server's log settings or make any other SmartEvent Server object change.
- Change anything in the Global Properties that might affect the SmartEvent Server.
SmartEvent Licensing
You can deploy SmartEvent in these ways:
- As part of the SmartEvent - A renewable one-year license is included with the SmartEvent package.
- As a dedicated server - You can purchase a perpetual license for a SmartEvent Server.
Enabling SmartEvent on the Security Management Server
- From the left navigation panel, click Gateways & Servers.
- Open the Security Management Server object.
- On the Management tab, enable these Software Blades:
  - Logging & Status
  - SmartEvent Server
  - SmartEvent Correlation Unit
- Click OK.
- Publish the SmartConsole session.
Note - For Security Gateways R77.30 and lower, you must activate the Firewall session for the network activity report (a summary of network activity and Security Policy enforcement that is generated by Check Point products, such as SmartEvent). See Exporting Views and Reports.
Note - When the trial license of SmartEvent expires, and after adding a new license, the Security Management Server does not accept any connection. To resolve this issue: stop and start the Security Management Server (run
System Requirements
For versions earlier than R81, a SmartEvent Server of one version can be managed by Security Management Servers of multiple versions.
Starting from R81, a SmartEvent Server can only be managed by a Security Management Server of the same version. Managing SmartEvent with a lower version of the Security Management Server is no longer supported.
To use SmartEvent, see the requirements in the R81 Release Notes.
Installing a Dedicated SmartEvent Server
For information on how to install a SmartEvent Server, see the R81 Installation and Upgrade Guide.
- Download the installation ISO file.
- Install the ISO on a Smart-1 appliance or an open server. Allocate partition sizes:
  - Root partition: at least 20 GB
  - Logs partition: more than allocated for Root and backup (set the maximum possible) to let the server keep a long history.
- When prompted, reboot.
- Run the Gaia First Time Configuration Wizard (Gaia is the Check Point security operating system that combines the strengths of both the SecurePlatform and IPSO operating systems).
Configuring the SmartEvent Components in the First Time Configuration Wizard
Configure the components of the dedicated server for SmartEvent on a Smart-1 appliance, or on an open server.
For information on how to install a SmartEvent Server, see the R81 Installation and Upgrade Guide.
Connecting R81 SmartEvent to R81 Security Management Server
This procedure explains how to configure a dedicated server for these components:
- SmartEvent Server and SmartEvent Correlation Unit (the SmartEvent software component on a SmartEvent Server that analyzes logs and detects events)
Note - For information on how to install a dedicated SmartEvent Server, see the R81 Installation and Upgrade Guide.
To connect R81 SmartEvent Server and SmartEvent Correlation Unit to R81 Security Management Server:
- In SmartConsole, create a new Check Point Host object for the dedicated SmartEvent Server.
- In the Version field, select R81.
- Create SIC trust with the dedicated SmartEvent Server. (SIC, Secure Internal Communication, is the Check Point proprietary mechanism with which Check Point computers that run Check Point software authenticate each other over SSL, for secure communication. This authentication is based on the certificates issued by the ICA on a Check Point Management Server.)
- On the Management tab, enable these Software Blades:
  - Logging & Status
  - SmartEvent Server
  - SmartEvent Correlation Unit
- On a dedicated SmartEvent Server that is not a Log Server (a dedicated Check Point server that runs Check Point software to store and process logs), which is the recommended deployment: in the Logs page, make sure that Enable Log Indexing is not selected. This ensures that Firewall connections (which are not relevant for views and reports) are not indexed.
- Click OK.
- Publish the SmartConsole session.
- Click > Install Database > select all objects > click Install.
Note - For Security Gateways R77.30 and lower: activate the Firewall session for the network activity report. See Exporting Views and Reports.
Advanced Configuration for a dedicated SmartEvent Server that is also a Correlation Unit
- Open the SmartEvent GUI:
  - In SmartConsole > Logs & Monitor, click + to open a catalog (new tab).
  - Click SmartEvent Settings & Policy.
- In Policy tab > Correlation Units, define a Correlation Unit object.
- Select the production Log Servers and the local Log Server on the SmartEvent Server to read logs from.
- In Policy tab > Internal Network, define the internal network.
- Click Save.
- Install the Event Policy (the set of rules that define the behavior of SmartEvent) on the Correlation Unit: SmartEvent menu > Actions > Install Event Policy.
Connecting R81 SmartEvent to R81 Multi-Domain Server
You can configure a dedicated R81 server for SmartEvent components, and connect them to one or more Domains in an R81 Multi-Domain Security Management environment.
This procedure explains how to configure a dedicated server for these SmartEvent components:
- SmartEvent Server and SmartEvent Correlation Unit
Notes:
- From R81, you can configure the SmartEvent Server and SmartEvent Correlation Unit at the level of the Global Domain and at the level of a specific Domain.
- Configure SmartEvent to read logs from one Domain or a number of Domains.
-
Connect with SmartConsole to the Global Domain:
-
From the list of Domains, select Global.
-
Create a Check Point Host object for the Dedicated SmartEvent Server R81.
-
In the Check Point Host object > General Properties page > Management tab, select these Software Blades:
-
Logging & Status
-
SmartEvent Server
-
SmartEvent Correlation Unit
-
-
Initialize SIC with the dedicated SmartEvent Server R81 Server.
-
Click OK.
-
Publish the SmartConsole session.
-
Reassign the Global Policy for the Domains that use SmartEvent.
For new Domains, create a new global assignment.
-
For each Domain Management Server that uses SmartEvent:.
-
Open SmartConsole.
-
Click > Policy > Install Database > select all objects > click Install.
-
Wait until the Domain Management Server synchronizes and loads SmartEvent process.
-
-
Connect with SmartConsole to the specific Domain:
-
Connect to the Multi-Domain Server.
-
From the list of Domains, select the applicable .specific Domain.
-
-
Create a Check Point Host object for the Dedicated SmartEvent Server R81.
-
In the Check Point Host object > General Properties page > Management tab, select these Software Blades:
-
Logging & Status
-
SmartEvent Server
-
SmartEvent Correlation Unit
-
-
Initialize SIC with the dedicated SmartEvent Server R81 Server.
-
Click OK.
-
Publish the SmartConsole session.
-
Click > Policy > Install Database > select all objects > click Install.
-
Wait until the Domain Management Server synchronizes and loads SmartEvent process.
See also Advanced Configuration for a dedicated SmartEvent Server that is also a Correlation Unit in Connecting R81 SmartEvent to R81 Security Management Server.
Note - For Security Gateways R77.30 and lower: activate the Firewall session for the network activity report in Exporting Views and Reports.
Configuring SmartEvent to use a Non-Standard LEA Port
You can get logs from and send logs to a third-party Log Server. The Check Point Log Server and the third-party Log Server use the LEA (Log Export API) protocol to read logs. By default, the Check Point Log Server uses port 18184 for this connection. If you configure the Log Server to use a different LEA port, you must manually configure the new port on the SmartEvent Server and on the SmartEvent Correlation Unit.
Note - This procedure is not relevant if you use Log Exporter.
To change the default LEA port:
- Open $INDEXERDIR/log_indexer_custom_settings.conf in a text editor.
- Add this line to the file:
  :lea_port (<new_port_number>)
- Save the changes in the file and exit the editor.
- In the SmartEvent client, configure the new port on the Correlation Unit:
  - In Policy tab > Correlation Units, configure the Correlation Unit to read logs from the local Log Server (on the SmartEvent Server).
- Configure the new port on the SmartEvent Server:
  - In Policy tab > Network Objects, double-click the SmartEvent Server object.
  - Change the LEA port No parameter to <new_port_number>.
- Install the Event Policy on the Correlation Unit: Actions > Install Event Policy. (An Event is a record of a security or network incident that is based on one or more logs, and on a customizable set of rules that are defined in the Event Policy.)
- On the SmartEvent Server:
  - Run: cpstop
  - Open $FWDIR/conf/fwopsec.conf in a text editor.
  - Change these parameters:
    lea_server auth_port <new_port_number>
    lea_server port 0
  - Save the changes in the file and exit the editor.
  - Run: cpstart
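The two file edits in this procedure, as an added shell example (not Check Point's own tooling): the functions replace any existing lea_port or lea_server port lines instead of appending duplicates, reject a port outside 1024-65535, keep a backup, and read the value back so you can confirm the change before you run cpstart. File paths are passed as arguments; on the server they are $INDEXERDIR/log_indexer_custom_settings.conf and $FWDIR/conf/fwopsec.conf.

```shell
#!/bin/sh
# Added example, not Check Point's own tooling: apply a non-standard LEA port to the two
# SmartEvent configuration files the procedure edits. Config file paths are passed in;
# on the server they are $INDEXERDIR/log_indexer_custom_settings.conf and
# $FWDIR/conf/fwopsec.conf, and the fwopsec.conf edit belongs between cpstop and cpstart.

# Accept only an all-digit, non-privileged TCP port (1024-65535).
valid_port() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    if [ "$1" -lt 1024 ] || [ "$1" -gt 65535 ]; then return 1; fi
    return 0
}

# Write ":lea_port (<port>)" into log_indexer_custom_settings.conf. Any existing
# lea_port line is removed first so the file never carries two conflicting values.
set_indexer_lea_port() {   # $1 = conf file, $2 = port
    valid_port "$2" || return 1
    cp -p "$1" "$1.bak" || return 1
    sed '/^:lea_port/d' "$1" > "$1.tmp" \
        && echo ":lea_port ($2)" >> "$1.tmp" \
        && mv "$1.tmp" "$1"
}

# Set "lea_server auth_port <port>" and "lea_server port 0" in fwopsec.conf, replacing
# existing lea_server port lines rather than appending duplicates. "port 0" keeps the
# unauthenticated (clear) LEA listener disabled; only the SIC-authenticated port is open.
set_fwopsec_lea_port() {   # $1 = conf file, $2 = port
    valid_port "$2" || return 1
    cp -p "$1" "$1.bak" || return 1
    sed -e '/^lea_server[[:space:]]\{1,\}auth_port/d' \
        -e '/^lea_server[[:space:]]\{1,\}port/d' "$1" > "$1.tmp" \
        && printf 'lea_server auth_port %s\nlea_server port 0\n' "$2" >> "$1.tmp" \
        && mv "$1.tmp" "$1"
}

# Read the values back so the change can be verified before cpstart.
get_indexer_lea_port() {   # $1 = conf file
    sed -n 's/^:lea_port (\([0-9]*\))$/\1/p' "$1" | tail -n 1
}

get_fwopsec_auth_port() {  # $1 = conf file
    awk '$1 == "lea_server" && $2 == "auth_port" { p = $3 } END { print p }' "$1"
}
```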
Configuring SmartEvent to read External Logs
To configure SmartEvent to read logs from an externally-managed Log Server or an external Security Management Server, see sk35288.
An externally managed Log Server is managed by a different Security Management Server than the one that manages the SmartEvent Server. An external Security Management Server is not the one that manages the SmartEvent Server.