Configuring Check Point Syslogs Over Encrypted TCP

Overview

First see Configuring Check Point Syslogs.

From R22-2 PHF1.0.0, syslogs sent over TCP must be encrypted. Encrypted TCP is not available for TOS deployments on Azure, AWS or GCP.

This procedure requires configuration in the TOS CLI, Check Point CLI, and TOS UI. You will import an encryption certificate to the TOS server, sign the certificate and modify the log exporter on the Check Point server, and then configure the new syslog connection in SecureTrack.

Prerequisites

Set up encrypted syslogs over TCP in Check Point

  1. Stop TOS:

    tos stop -d

  2. Import the certificate to the TOS server:

    1. Run:

      [<ADMIN> ~]# tos certificate import --type syslog --ca <CA-PATH> --cert <CERT-PATH> --key <KEY-PATH>

      where

      Parameter      Description                    Required/Optional
      <CA-PATH>      Location of the CA.            Required
      <CERT-PATH>    Location of the certificate.   Required
      <KEY-PATH>     Location of the key.           Required

      Sample output

      $ tos certificate import --type syslog --ca /tmp/ca.crt --cert /tmp/server.crt --key /tmp/server.key

      The message "Successfully changed configuration for syslog -agent-service." is displayed.

    2. Verify that the certificate was successfully imported to the TOS server:

      [<ADMIN> ~]# kubectl get secrets syslog-agent-nginx-secret -oyaml

      An encrypted version of the certificate is displayed. Verify that it's the certificate you just created by checking the creationTimestamp.

  3. Restart TOS:

    tos start -d

  4. Define the syslog VIP:

    sudo tos cluster syslog-vip add <SYSLOG_VIP> [--port <PORT>] --transport tcp [--debug]

    where

    Parameter      Description                                                               Mandatory/Optional
    <SYSLOG_VIP>   VIP of the cluster.                                                       Mandatory
    --port         Allows you to specify a port; otherwise, the default port 6514 is used.   Optional

    It can take up to 10 minutes for the device to be added. When the process is finished, the message "INFO VIP "<VIP-ADDRESS>" Added!" is displayed.

  5. Add the client.csr, client.key, and the client.crt:

    openssl x509 -sha1 -req -days 365 -in client.csr -signkey client.key -out client.crt

  6. Convert the certificate to .p12 format:

    openssl pkcs12 -inkey client.key -in client.crt -export -out client.p12

  7. Modify the log exporter on your Check Point device and take note of the log ID.
  8. When adding/configuring your device in TOS Aurora:

    Select Custom > Syslog Authentication.

    Enter the log ID from the Check Point log exporter.

    Select Protocol TCP.

    By default, all TCP syslogs will be encrypted.
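
A pre-import sanity check for the three files passed to tos certificate import in the procedure above, as an added example that is not part of the original documentation: it confirms that the certificate verifies against the CA file, that the private key belongs to the certificate, and that the certificate is not about to expire. The function names, the 24-hour threshold and the demo subject names are assumptions, and the key is assumed to be an unencrypted PEM file.

```shell
#!/bin/sh
# Added example: pre-import checks for `tos certificate import --type syslog`.
# Usage: sh check_syslog_cert.sh <CA-PATH> <CERT-PATH> <KEY-PATH>

# Returns 0 if all checks pass; 1 = not signed by CA, 2 = key mismatch, 3 = expiring.
check_syslog_cert() {
    ca=$1; cert=$2; key=$3
    # 1. The server certificate must chain to the CA file being imported.
    openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 ||
        { echo "FAIL: $cert does not verify against $ca" >&2; return 1; }
    # 2. The private key must match the certificate: compare public-key digests.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey | openssl dgst -sha256)
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null | openssl dgst -sha256)
    [ "$cert_pub" = "$key_pub" ] ||
        { echo "FAIL: $key does not match $cert" >&2; return 2; }
    # 3. Reject a certificate that expires within the next 24 hours (assumed threshold).
    openssl x509 -in "$cert" -noout -checkend 86400 >/dev/null ||
        { echo "FAIL: $cert expires within 24 hours" >&2; return 3; }
    echo "OK: CA chain, key match and validity checks passed"
}

# Constructed sample data (throwaway CA, server pair, unrelated key) for a dry run.
make_demo_pki() {
    d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Demo CA" \
        -keyout "$d/ca.key" -out "$d/ca.crt" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=tos-syslog.example" \
        -keyout "$d/server.key" -out "$d/server.csr" 2>/dev/null
    openssl x509 -req -in "$d/server.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
        -CAcreateserial -days 30 -out "$d/server.crt" 2>/dev/null
    openssl genrsa -out "$d/other.key" 2048 2>/dev/null
}

# Run the check only when the three paths are supplied on the command line.
if [ "$#" -eq 3 ]; then check_syslog_cert "$@"; fi
```

A non-zero exit status identifies which check failed, so the script can gate the import step in a change runbook.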