Log Exporter TLS Configuration

Log Exporter can export logs over an encrypted connection using the TLS protocol.

Only mutual authentication is allowed.

For mutual authentication, Log Exporter requires these certificates:

Notes:

  • The Management Server / Log Server with Log Exporter must be able to connect to the Certificate Authority.

  • In addition to these two certificates, a third certificate should be installed on the target server (based on the server requirement).

  • It is possible to use self-signed certificates.

If you do not already have the required certificates, the procedure below is an example of how to create the required certificates.

The procedure below uses the openssl commands on a Linux server (non-Check Point).

Run this if you do not already have a trusted CA certificates in the PEM format:

  1. Generate the root CA key and do not give it to anyone:

    openssl genrsa -out RootCA.key 2048

  2. Generate the root CA certificate in the PEM format:

    openssl req -x509 -new -nodes -key RootCA.key -days 2048 -out RootCA.pem

  3. Enter the Distinguished Name (DN) information for the certificate.

    • Common Name(CN) is the exact Fully Qualified Domain Name (FQDN) of the host on which you use the certificate.

    • All other fields are optional. If you purchase an SSL certificate from a Certificate Authority, these additional fields may be required.

  1. Generate the client key and do not give it to anyone:

    openssl genrsa -out log_exporter.key 2048

  2. Generate the client certificate sign request:

    openssl req -new -key log_exporter.key -out log_exporter.csr

  3. Use the CA files to sign the certificate:

    openssl x509 -req -in log_exporter.csr -CA RootCA.pem -CAkey RootCA.key -CAcreateserial -out log_exporter.crt -days 2048 -sha256

  4. Convert the certificate file to the P12 format:

    openssl pkcs12 -inkey log_exporter.key -in log_exporter.crt -export -out log_exporter.p12

    Note - The challenge phrase used in this conversion is required in the "log_exporter" TLS configuration.

After you created the required certificates, you must update the security parameters on the Check Point Management Server / Log Server.

  1. Connect to the command line on the Management Server / Log Server.

  2. Log in to the Expert mode.

  3. On a Multi-Domain ServerClosed Dedicated Check Point server that runs Check Point software to host virtual Security Management Servers called Domain Management Servers. Synonym: Multi-Domain Security Management Server. Acronym: MDS. / Multi-Domain Log ServerClosed Dedicated Check Point server that runs Check Point software to store and process logs in a Multi-Domain Security Management environment. The Multi-Domain Log Server consists of Domain Log Servers that store and process logs from Security Gateways that are managed by the corresponding Domain Management Servers. Acronym: MDLS., switch to the required Domain:

    mdsenv <IP Address or Name of Domain Management Server / Domain Log Server>

  4. Go to the directory with the applicable Log Exporter Configuration:

    cd $EXPORTERDIR/targets/<Name of Log Exporter Configuration>

  5. Create a new directory for the certificates:

    mkdir -v certificates

    cd certificates

  6. Transfer these certificate files to the new directory "certificates":

    • RootCA.pem

    • log_exporter.p12

  7. Give the certificate files the execution permission:

    chmod -v +r RootCA.pem

    chmod -v +r log_exporter.p12

  8. Go to the directory with the applicable Log Exporter Configuration:

    cd $EXPORTERDIR/targets/<Name of Log Exporter Configuration>

  9. Update the targetConfiguration.xml file:

    1. Edit the file:

      vi targetConfiguration.xml

    2. Configure the full path to the new certificate files and the challenge phrase used to create the P12 certificate.

    3. Save the changes in the file and exit the editor.

  1. Generate the server key and do not give it to anyone:

    openssl genrsa -out syslogServer.key 2048

  2. Generate the server certificate sign request:

    openssl req -new -key syslogServer.key -out syslogServer.csr

  3. Use the CA files to sign the certificate:

    openssl x509 -req -in syslogServer.csr -CA RootCA.pem -CAkey RootCA.key -CAcreateserial -out syslogServer.crt -days 2048 -sha256