Configuring Check Point Server for OPSEC Communication

The LEA protocol is expected to be discontinued by Check Point and if you use LEA with version R81 or above you may already experience technical issues. We therefore recommend using syslog instead of LEA.

Configure OPSEC communication

  1. Open the management application:

    • For a Provider-1 MDS: Open the MDG for the MDS and, in Global Policies, right-click a Global Policy and select Open selected global policy.

    • For a CMA, SmartCenter or Log Server: Open SmartDashboard.

  2. Create a SecureTrack Host:

    For a CMA: If you already configured monitoring for the MDS, use the global host object that you configured and skip this step.

    1. In the Objects menu, select More > Network Object > Host...:

      New Host

    2. In the Host Node - General Properties window, enter a Name and the IP Address of SecureTrack (use the network IP address, not the VIP):

      Host Properties

    3. Click OK.

  3. Create an OPSEC Application for SecureTrack for Check Point R80:

    1. In the Global Domain Manager GDM, connect to a Domain server.

    2. In the Objects menu, select: More object types > Server > OPSEC Application > New Application

      The OPSEC Application Properties window opens.

      OPSEC properties

    3. Enter a Name for the OPSEC Application.

      For a CMA: Do not use the same name as the OPSEC Application in the MDS.

    4. Select the SecureTrack Host object:
      • For a CMA: You can use the SecureTrack host global object that you created on the MDS.

      • For all others: Select the Host object that you created for SecureTrack.

      For Vendor, do not select Tufin. This will not work, due to a known Check Point issue.

    5. In Client Entities, select LEA and CPMI, but do not click OK.

  4. Set the CPMI Permissions:

    1. In the CPMI Permissions tab, select Permissions Profile.

      CPMI permissions

    2. Select a Permissions Profile:
      • For a CMA: Select from the list the Permissions Profile global object that you created for the MDS, and click OK.

      • For all others: Click New, enter a name for the profile, and make sure that Read Only All is selected.

        Permissions Properties

    Note: For the SecureChange Designer to apply changes directly to Check Point policies, you must configure TOS Aurora to use an OPSEC object that has Read/Write All permissions. (Do not select Manage Administrators.)

  5. If you are using SmartDashboard R76 or higher, set the LEA permissions:
    • In the LEA Permissions tab, select Show all log fields.

  6. Initialize trust with TOS Aurora:

    1. In the OPSEC Application Properties window, click Communication.
    2. In the Communication window, enter and confirm an Activation Key and click Initialize:

      You will need to enter the same Activation Key when you add the server to SecureTrack.

      OPSEC communication

      The Trust state changes to: Initialized but trust not established.

    3. Close the Communication window.

  7. Click OK.

  8. If you have an Application Control Policy layer, create a Cleanup rule that will send rule UIDs to SecureTrack.

    If you already have an existing cleanup rule, skip to step 8c.
    1. Go to Access Control > Policy, and select the Application Control Policy Layer.

    2. If you are missing a cleanup rule, a message will be displayed.

    3. Click on the message, and select Add Cleanup Rule.

    4. Edit the following settings:

      • Action: Change to Accept
      • Track: Change to Log
  9. To save the changes for an MDS device, click Publish in the Global Domain Manager.

  10. For SMC and CMA devices:

    1. Select Install database....

    2. In the Install database dialog, select the relevant options and click Install.

      If there is a CLM/Log Server device, select the relevant option.