Monitoring Check Point R8x CMA Devices

Overview

After you upgrade a monitored Check Point CMA device to R8x, you must upgrade the device in SecureTrack to use Check Point R8x support. A CMA can be assigned to an MDS after the initial configuration is complete.

To manage a CMA device in SecureTrack, enable the API software blade for your MDS device.

To see which TOS features are supported for your device, review the feature support table.

Prerequisites

  1. Configure the Check Point server for OPSEC communication with SecureTrack.

  2. Configure the Check Point device to use your SecureTrack server as a GUI client.

    The SecureTrack server is displayed in a revision in the GUI client column.

  3. Create a Check Point user with REST API access to retrieve revisions:

    1. SecureTrack uses the Check Point Management API to connect to and monitor Check Point R80.x devices. A user with the SmartCenter Manager or Domain Manager profile, assigned the Read Only All permission profile for All Global Domains and granted the required access via the Check Point APIs, can retrieve revisions for the device.

      To allow the SecureChange Designer tool to provision changes to Check Point devices, the API user must have a Read/Write All permission profile or a customized profile with API and change permissions for all policies and objects.
    2. To maintain the password you defined for the Check Point user with REST API access, in Set Password, uncheck User must change password on next login.
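Before running the wizard it is worth confirming, from the SecureTrack server itself, that the REST API user created above actually works against the CMA: that the API port answers, that a login scoped to the CMA's domain succeeds, and that the user can read the domain's policy packages. The script below is an added example, not Tufin or Check Point code. It uses only documented Management API commands (login with the domain parameter, show-packages, logout). The host, port, user name, the file name cp_api_probe.py and the CP_API_PASSWORD variable are assumptions; Domain47 is the CMA name used later on this page; the sample responses are constructed to match the API's shape so the parsing helpers can be exercised offline.

```python
"""Pre-flight check for the Check Point Management API user SecureTrack will use.

Added example, not Tufin or Check Point code. Uses only documented Management
API calls (login, show-packages, logout) to confirm from the SecureTrack server
that the API port is reachable, that the user can log in to the CMA's domain,
and that it can read the domain's policy packages.
"""
import getpass
import json
import os
import ssl
import sys
import urllib.error
import urllib.request
from typing import Dict, List, Optional

# Constructed sample responses: shape follows the Management API, values are made up.
SAMPLE_LOGIN_OK = {"sid": "97BVpRfN4j81ogN-V2XqGYmw3DDwIhoSn0og8PiKDiM",
                   "url": "https://192.0.2.10:443/web_api", "session-timeout": 600}
SAMPLE_LOGIN_FAIL = {"code": "err_login_failed",
                     "message": "Authentication to server failed."}
SAMPLE_PACKAGES = {"packages": [{"name": "Standard", "type": "package"},
                                {"name": "DMZ_Policy", "type": "package"}], "total": 2}


def login_payload(user: str, password: str, domain: Optional[str]) -> Dict:
    """Body for POST /web_api/login. On an MDS, 'domain' selects the CMA; without it
    the session opens in the MDS global context. read-only avoids taking a write lock."""
    body = {"user": user, "password": password, "read-only": True}
    if domain:
        body["domain"] = domain
    return body


def login_error(response: Dict) -> Optional[str]:
    """Error code of a failed login (for example err_login_failed); None on success."""
    return None if "sid" in response else response.get("code", "unknown_error")


def extract_sid(response: Dict) -> str:
    """Session id from a successful login; raises with the API's error code otherwise."""
    err = login_error(response)
    if err:
        raise PermissionError(f"{err}: {response.get('message', '')}")
    return response["sid"]


def package_names(response: Dict) -> List[str]:
    """Policy package names visible to the user, from a show-packages reply."""
    return sorted(p["name"] for p in response.get("packages", []))


def api_call(host: str, port: int, command: str, payload: Dict,
             sid: Optional[str] = None, cafile: Optional[str] = None) -> Dict:
    """POST one Management API command and return the decoded JSON reply."""
    url = f"https://{host}:{port}/web_api/{command}"
    headers = {"Content-Type": "application/json"}
    if sid:
        headers["X-chkp-sid"] = sid      # session header for every call after login
    if cafile:
        ctx = ssl.create_default_context(cafile=cafile)
    else:
        # The management server's default API certificate is self-signed. Without a CA
        # file we skip verification, so compare the certificate fingerprint SecureTrack
        # shows on Establish Connection before trusting this probe's result.
        ctx = ssl.create_default_context()
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    req = urllib.request.Request(url, data=json.dumps(payload).encode(),
                                 headers=headers, method="POST")
    try:
        with urllib.request.urlopen(req, context=ctx, timeout=15) as resp:
            return json.loads(resp.read())
    except urllib.error.HTTPError as e:
        return json.loads(e.read() or b"{}")   # API errors arrive as JSON with an HTTP 4xx


def probe(host: str, port: int, user: str, password: str,
          domain: Optional[str], cafile: Optional[str] = None) -> List[str]:
    """Log in to the CMA domain, list its policy packages, always log out."""
    sid = extract_sid(api_call(host, port, "login",
                               login_payload(user, password, domain), cafile=cafile))
    try:
        reply = api_call(host, port, "show-packages",
                         {"limit": 50, "details-level": "standard"}, sid, cafile)
        return package_names(reply)
    finally:
        api_call(host, port, "logout", {}, sid, cafile)


if __name__ == "__main__":
    if len(sys.argv) < 4:
        sys.exit("usage: cp_api_probe.py <mds_host> <port> <api_user> [<cma_domain>] [<ca_file>]")
    host, port, user = sys.argv[1], int(sys.argv[2]), sys.argv[3]
    domain = sys.argv[4] if len(sys.argv) > 4 else None
    cafile = sys.argv[5] if len(sys.argv) > 5 else None
    # Read the password from the environment or a prompt, never from argv.
    password = os.environ.get("CP_API_PASSWORD") or getpass.getpass("API password: ")
    names = probe(host, port, user, password, domain, cafile)
    print("readable policy packages:", ", ".join(names) or "(none)")
```

Run it as CP_API_PASSWORD=... python3 cp_api_probe.py mds.example.net 443 st_api Domain47. A login error of err_login_failed points at the credentials or at a user still flagged "must change password on next login"; a successful login that returns no packages points at the permission profile rather than at connectivity. An empty package list is also what the wizard's Establish Connection would accept, so check it here rather than after the device is added.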

Add a Check Point Device

  1. Select Check Point > CMA:

  2. Configure the device settings:


    Depending on the Check Point server type, some or all of the following options will appear:

    • Device Type: Check Point CMA (filled automatically)

    • Name for Display
    • Domain: Available only if you have configured your system for managing multi-domains and All Domains is currently selected. Select the domain to which to add the device. The Domain can only be entered when adding a device; to change the Domain, you must migrate the device.

    • MDS (optional for CMA devices): The MDS that manages the CMA.
    • Get revisions from: One of the following:

      • IP Address: Revisions are retrieved automatically
      • Offline File: N/A
    • ST server: In a distributed deployment, select which TOS Aurora cluster monitors this device.

    • Usage Analysis - select the relevant options:

      • Collect traffic logs for rule usage analysis is necessary for Rule Usage reports.
      • Collect traffic logs for object usage analysis is necessary for reporting on unused objects and services in Rule Usage Reports.

      Object usage analysis requires a large amount of free disk space (the amount depends on the number of gateways and the volume of traffic logs they generate). If disk space is limited, you can configure SecureTrack to limit the number of days that data is kept.

      We recommend that you enable SecureTrack administrative alerts, which notify you if there is low disk space on the server. When disk utilization exceeds 90% in the partition that has the database, SecureTrack sends an alert.

    • Enable Topology: Collects routing information for building the network Interactive Map.
      Topology options for Advanced management mode are configured when you import managed devices.
  3. Click Next.

  4. In the OPSEC Secure Internal Communication (SIC):

    1. Configure:

      • SecureTrack's OPSEC Application Name: As you defined it for this Check Point server (case sensitive).
      • Activation Key: As defined when the OPSEC object was created.
    2. Click Retrieve Certificate to set up encrypted communication between TOS Aurora and the Check Point device.

      A message confirms that the certificate was retrieved.

  5. Click Next.

  6. In the Syslog and OPSEC Settings:

    1. Choose Authentication Type

      For Syslog Authentication:

      • Log ID: Must correspond to the entry in Check Point Log Export

      • Protocol: Choose TCP or UDP

    2. Configure the CPMI Authentication fields:

      • Authentication Mode: For CMA devices, asym sslca
      • Port
    3. For a CMA version FP3 device, select Backward compatibility for Provider-1 FP3.

      1. Enter the credentials of a Provider-1 Administrator.
      2. Enter the DN of the MDS.
  7. Click Next.

  8. For CMA devices with R8x, in the Management API settings:
    1. Enter the credentials for an administrator on the Check Point device. To use a vault server that contains access credentials, select Use Vault and select the server. For more information, see Configuring a Vault Server.
    2. Enter the port that the Check Point device uses for REST API connections (443 unless the API port was changed on the management server).

    3. Click Establish Connection to set up encrypted communication between SecureTrack and the Check Point device. The certificate appears, together with a message confirming that it was retrieved.

  9. Click Next.

  10. In Monitoring Settings, do one of the following:

    • To use timing settings from the Timing configuration for this device, select Default.
    • To define specific timing settings for this device, select Custom, then select Custom settings, and configure:

      • 'Save policy' interval: When a Save Policy event is followed within this time interval by an Install Policy event for the same policy, SecureTrack tries to combine the two events into a single revision (Default: 60 seconds).
      • 'Install policy' interval: When two or more Install Policy events for the same policy occur within this time interval, SecureTrack combines the events into a single Install Policy revision (Default: 60 seconds).
      • Automatic fetch frequency: Frequency (in minutes) for automatic fetch.
  11. Click Next.

  12. You can test the communication with the Check Point server by clicking Test Connectivity.

  13. Click Save.

    The Check Point device is shown in the Device Configuration list.

    If you use non-standard LEA authentication, see Non-Standard LEA Authentication.

  14. To customize the device object that represents the Internet, see Define Internet Object.

  15. If you have a secondary Check Point management server, configure SecureTrack to communicate with the secondary server in the event of a failover.
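The two timing settings in Monitoring Settings decide how many revisions a burst of Save Policy and Install Policy events becomes, which matters when you later compare revisions or count changes. The model below is an added example, not SecureTrack code: it implements the two merging rules exactly as the page states them on a constructed sequence of events, so you can see what changing an interval does. Where the page is silent (whether an interval is measured from the most recent event already in a revision, and whether a merged save+install revision keeps absorbing further installs) the code assumes yes and says so; the policy names and timestamps are constructed.

```python
"""Illustrative model of the 'Save policy' and 'Install policy' intervals.

Added example, not SecureTrack code: it reproduces the merging rules described
in the Monitoring Settings step so the effect of each interval can be observed
on constructed events.
"""
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Tuple

Event = Tuple[float, str, str]   # (timestamp in seconds, "save" | "install", policy name)


@dataclass
class Revision:
    policy: str
    kind: str                    # "save", "install" or "save+install"
    first_ts: float
    last_ts: float
    events: List[Event] = field(default_factory=list)


def coalesce(events: Iterable[Event], save_interval: float = 60,
             install_interval: float = 60) -> List[Revision]:
    """Group raw Save/Install Policy events into revisions.

    Rules taken from the page:
      * a Save Policy followed within save_interval by an Install Policy for the
        same policy becomes a single revision;
      * Install Policy events for the same policy within install_interval of each
        other become a single Install Policy revision.
    Assumptions not stated on the page: intervals are measured from the most recent
    event already in the revision, and a merged save+install revision keeps
    absorbing further installs that fall within install_interval.
    """
    revisions: List[Revision] = []
    latest: Dict[str, Revision] = {}          # most recent revision per policy
    for ts, kind, policy in sorted(events, key=lambda e: e[0]):
        if kind not in ("save", "install"):
            raise ValueError(f"unknown event type {kind!r}")
        rev = latest.get(policy)
        if kind == "save":
            # A save never joins an earlier revision; it always opens a new one.
            rev = Revision(policy, "save", ts, ts, [(ts, kind, policy)])
            revisions.append(rev)
            latest[policy] = rev
            continue
        if rev is not None and rev.kind == "save" and ts - rev.last_ts <= save_interval:
            rev.kind = "save+install"         # save and install collapse into one revision
        elif rev is not None and rev.kind != "save" and ts - rev.last_ts <= install_interval:
            pass                              # repeated install joins the open revision
        else:
            rev = Revision(policy, "install", ts, ts, [])
            revisions.append(rev)
            latest[policy] = rev
        rev.last_ts = ts
        rev.events.append((ts, kind, policy))
    return revisions


def describe(revisions: List[Revision]) -> List[str]:
    """One human-readable line per revision."""
    return [f"{r.policy}: {r.kind} x{len(r.events)} ({r.first_ts:g}-{r.last_ts:g}s)"
            for r in revisions]


# Constructed sample, not real Check Point audit data. Times are seconds from an
# arbitrary origin; "Standard" and "DMZ_Policy" are made-up policy package names.
SAMPLE_EVENTS: List[Event] = [
    (0,   "save",    "Standard"),
    (10,  "install", "DMZ_Policy"),   # different policy: never merged with Standard
    (20,  "install", "Standard"),     # 20 s after the save: one save+install revision
    (45,  "install", "Standard"),     # 25 s after the previous install: same revision
    (400, "install", "Standard"),     # isolated install: new revision
    (430, "install", "Standard"),     # 30 s later: merged into the 400 s revision
    (500, "save",    "Standard"),     # save with no install in time: stays a save revision
    (700, "install", "Standard"),     # 200 s later: separate install revision
]

if __name__ == "__main__":
    for line in describe(coalesce(SAMPLE_EVENTS)):
        print(line)
    print("with a 10 s save interval:",
          len(coalesce(SAMPLE_EVENTS, save_interval=10)), "revisions")
```

With the defaults the eight events become five revisions. Shortening 'Save policy' interval to 10 seconds splits the first save from the install that followed it 20 seconds later, giving six: a cheap way to reason about what a Custom setting will do to the revision history before applying it to a busy CMA.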

Enable Check Point CMA Devices for Topology

To obtain topology information for VSX virtual devices, SecureTrack must also monitor the CMA management server that manages the physical VSX box. To ensure that topology information is being retrieved, verify that the relevant CMA is monitored by SecureTrack.

In the following example, the vsx_cluster is managed by the Domain47 CMA. To properly monitor this cluster and retrieve its topology information, you must verify that Domain47 has also been added to SecureTrack.

Configure a Monitored Device

After you add a device, further configuration options are available.

Options vary depending on your environment.

  • Edit configuration: Use the wizard to modify selected device settings. See Add a Device in this topic.

  • Delete this device: Type yes to confirm that you want to delete the device.

  • Test Connectivity: Confirms connectivity between SecureTrack and the device.

  • Define Internet object

  • Migrate (ST servers): Available in distributed deployments. Select the server where the device will be monitored and click Migrate.

  • Migrate (Domains): Available in multi-domain deployments. Select the domain where the device will be monitored and click Migrate.

How Do I Get Here?

SecureTrack > Monitoring > Manage Devices