Configuring External Log Servers

The Logs & Monitoring > Log Servers page lets you configure external log servers for security and system logs for additional logging storage.

Note - You cannot configure external log servers when Cloud Services is turned on.

External Check Point Log Server

You can use an external Check Point Log Server (a dedicated Check Point server that runs Check Point software to store and process logs) that is managed by a Security Management Server (a dedicated Check Point server that runs Check Point software to manage the objects and policies in a Check Point environment within a single management Domain; synonym: Single-Domain Security Management Server) for storing additional logs.

Use cases for an external Check Point Log Server:

  • Extend the log retention time. For example, currently, when your gateway is managed by Quantum Spark Portal, you can retain logs for 3 months. If you configure an external Log Server, you can retain the logs for a year.

  • Export the logs format to a 3rd party mechanism for data mining.

Do these steps before you configure an external Check Point Log Server from this page in the WebUI:

  1. Identify the Log Server you want to send logs to.

  2. Identify the Security Management Server (a Check Point Security Management Server or a Multi-Domain Security Management Server) that manages the Log Server.

  3. Open SmartConsole (the Check Point GUI application used to manage a Check Point environment: configure Security Policies, configure devices, monitor products and events, install updates, and so on) on this Security Management Server.

  4. Run the Security Gateway (a dedicated Check Point server that runs Check Point software to inspect traffic and enforce Security Policies for connected network resources) wizard to define and create a Security Gateway object that represents this appliance with these details:

    In the General Properties window, select:

    • Gateway platform - Select your appliance

    • Gateway IP address - Dynamic IP address

    In the Trusted Communication window, from Gateway Identifier select MAC address or First to connect.

  5. Install the database on the Security Management Server, together with the other related objects.

To configure an external Check Point Log Server:

  1. Under Check Point Log Server, click Configure.

    The External Check Point Log Server window opens.

  2. Enter the Management Server IP address.

    This IP address is used only to establish trusted communication between the appliance and the Security Management Server.

  3. In SIC name, enter the SIC (Secure Internal Communication: the Check Point proprietary mechanism with which Check Point computers that run Check Point software authenticate each other over SSL, for secure communication; this authentication is based on the certificates issued by the ICA on a Check Point Management Server) name of the Log Server object defined in SmartConsole.

    These are the options to get this name:

    • Option 1:

      1. Connect with Database Tool (GuiDBEdit Tool) (see sk13009) to the Security Management Server.

      2. From the Tables tab, expand Table > Network Objects.

      3. In the right pane, locate the Log Server object.

      4. In the bottom pane, locate sic_name.

    • Option 2:

      Run this CLI command on the Log Server in the Expert mode (use SSH or console connection):

      $CPDIR/bin/cpprod_util CPPROD_GetValue SIC MySICname 0

    Copy the SIC name value and paste it into the SIC name field on this page.

  4. In Set SIC One-time Password, enter the same password that was entered for the Security Management Server and then enter it again in the Confirm SIC One-time Password field.

    Note - You cannot use these characters in a password or shared secret: { } [ ] ` ~ | ' " \ (maximum number of characters: 255)

  5. If the Log Server is not located on the Security Management Server, select Log server uses different IP address and enter the IP address.

  6. Click Apply.

    Important:

    • After successful configuration of the external log server, any changes you make in the WebUI configuration on this page require reinitialization of SIC in SmartConsole. If you do not reinitialize SIC in SmartConsole, connectivity to the log server can fail.

    • To see the logs, you must connect with SmartConsole to the dedicated Log Server (and not the Security Management Server).

To configure a new external Check Point Log Server when the gateway is connected to Quantum Spark Portal (Cloud):

After you initiate traffic from resources behind the gateway, open the Check Point Log Server to verify that you see the logs. For more information, see sk145614.

Syslog Server Configuration

You can configure a gateway to send logs to multiple syslog servers. Only one secure syslog server is supported.

To configure a syslog server:

  1. Under Syslog Servers, click Configure.

    The Syslog Server window opens.

  2. Select Protocol:

    • UDP - Send security logs or system logs (not secured).

    • TLS Over TCP (secured) - Send system or security logs from gateways in a secured and encrypted fashion.

  3. Enter a Name and IP address/ Host Name.

  4. Enter a Port number.

  5. Select Enable log server.

  6. Optional - Select Show obfuscated fields. Obfuscated packets are shown as plain text.

  7. Select Forwarded logs:

    • System logs

    • Security logs

  8. Click Upload to upload a Trusted CA Certificate.

  9. Click Apply.

Secured Syslog

Use Case

A system administrator wants to send system and/or security logs from the organization's gateways in a secured and encrypted fashion. Therefore, the administrator selects TLS Over TCP as the protocol, because UDP is not secure.

Notes:

  • Only one remote TLS server is supported.

  • You can upload a CA certificate to establish trust with the remote syslog server.

  • The TLS server must be configured using its domain name. Only UDP allows you to configure the server by IP address.

  • The configured domain name must be identical to the domain name in the server's certificate.

  • Both system and security logs are supported.
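Before pointing the gateway at a TLS syslog server, it is worth confirming from a workstation that the domain name you will enter really matches the server's certificate and that the CA certificate you will upload validates it. The script below is an added example, not Check Point code: it frames a message the way syslog over TLS (RFC 5425) expects, checks a peer certificate (in the dict shape returned by Python's ssl getpeercert()) against a hostname, and connects using the same trust anchor the gateway will use. The hostname, port, CA file path and the sample certificate are constructed for illustration.

```python
import socket
import ssl

# Constructed peer certificate, in the shape ssl.SSLSocket.getpeercert() returns.
CONSTRUCTED_CERT = {
    "subject": ((("commonName", "syslog.example.net"),),),
    "subjectAltName": (("DNS", "syslog.example.net"), ("DNS", "*.logs.example.net")),
}

def frame_rfc5425(message: str) -> bytes:
    # Octet-counted framing for syslog over TLS: "<length> <message>".
    body = message.encode("utf-8")
    return str(len(body)).encode("ascii") + b" " + body

def _label_matches(pattern: str, hostname: str) -> bool:
    # Case-insensitive exact match, or a single leftmost wildcard label:
    # "*.example.com" matches "a.example.com" but not "a.b.example.com".
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if pattern.startswith("*."):
        parts = hostname.split(".", 1)
        return len(parts) == 2 and parts[0] != "" and parts[1] == pattern[2:]
    return False

def cert_matches_name(cert: dict, hostname: str) -> bool:
    """True if hostname is covered by a DNS SAN (or, lacking SANs, by the CN)."""
    sans = [v for (kind, v) in cert.get("subjectAltName", ()) if kind == "DNS"]
    if sans:
        return any(_label_matches(s, hostname) for s in sans)
    cns = [v for rdn in cert.get("subject", ()) for (k, v) in rdn if k == "commonName"]
    return any(_label_matches(c, hostname) for c in cns)

def check_syslog_tls_server(hostname: str, port: int, ca_file: str) -> dict:
    """Connect with the CA the gateway will trust, verify the name, send one test record."""
    ctx = ssl.create_default_context(cafile=ca_file)  # trust only the uploaded CA
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    with socket.create_connection((hostname, port), timeout=5) as raw:
        with ctx.wrap_socket(raw, server_hostname=hostname) as tls:
            cert = tls.getpeercert()
            tls.sendall(frame_rfc5425("<14>1 - gateway-check - - - - tls syslog test"))
            return {"name_matches": cert_matches_name(cert, hostname),
                    "tls_version": tls.version()}

if __name__ == "__main__":
    # Hypothetical collector; replace with your own server and CA file.
    print(check_syslog_tls_server("syslog.example.net", 6514, "trusted-ca.pem"))
```

A hostname that is really an IP address never matches a DNS SAN here, which is the practical reason the page requires the TLS server to be configured by domain name.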

To configure additional syslog servers:

Click Add a syslog server....

To edit the syslog server:

  1. Click the Edit link next to the server's IP address.

  2. Edit the necessary information.

  3. Click Apply.

Note - When more than one server is defined, the syslog servers appear in a table. Select the syslog server you want to edit and click Edit.

To delete the syslog server:

  1. Select the syslog server.

  2. Click Delete.