Configuring Check Point Syslogs Over Encrypted TCP

Overview

The syslog mechanism is used to pass policy change and traffic information from your devices to SecureTrack.

This procedure requires configuration in the TOS CLI, Check Point CLI, and TOS UI. You will import an encryption certificate to the TOS server, sign the certificate and modify the log exporter on the Check Point server, and then configure the new syslog connection in SecureTrack.

Syslogs sent over TCP must always be encrypted and this option is not available for TOS deployments on Azure, AWS or GCP.

Prerequisites

    1. Create a new private key.

      [<ADMIN> ~]# openssl genrsa -aes256 -out ca.key 4096 && chmod 400 ca.key
      openssl genrsa -aes256 -out ca.key 4096 && chmod 400 ca.key

      You are prompted to enter a password.

    2. Create a certificate signing request (CSR).

      [<ADMIN> ~]# openssl req -new -x509 -sha256 -days 2048 -key c.key -out ca.crt
      openssl req -new -x509 -sha256 -days 2048 -key ca.key -out ca.crt

      The following message is displayed.

    3. Fill in "." in all fields except Common Name.

      In Common Name, give the certificate a meaningful name. For example, "Tufin".

    4. Create the certificate.

      [<ADMIN> ~]# openssl x509 -sha1 -req -days 365 -in ca.csr -signkey ca.key -out ca.crt 
      openssl x509 -sha1 -req -days 365 -in ca.csr -signkey ca.key -out ca.crt

    Your CA key/password pair and certificate are created:

    • ca.crt

    • ca.key

    1. Create a private key for the Tufin server:

      [<ADMIN> ~]# openssl genrsa -out server.key 2048 && chmod 400 server.key
      openssl genrsa -out server.key 2048 && chmod 400 server.key

    2. Create a Certificate Signing Request (CSR):

      [<ADMIN> ~]# openssl req -new -key server.key -sha256 -out server.csr 
      openssl req -new -key server.key -sha256 -out server.csr

      The DN fields are displayed.

    3. Fill in the field as follows:

      • Common Name: the syslog VIP

      • A Challenge Password (this may only appear in the next step): leave blank

      • All other fields: "."

    4. Sign the CSR: 

      [<ADMIN> ~]# openssl x509 -req -days 365 -sha256 -in server.csr -CA ca.crt -CAkey ca.key -set_serial 1 -out server.crt 
                                  chmod 444 server.crt 
      openssl x509 -req -days 365 -sha256 -in server.csr -CA ca.crt -CAkey ca.key -set_serial 1 -out server.crt

    5. When prompted, enter your root CA password.

    6. Edit the permission of the file. 

      [<ADMIN> ~]#chmod 444 server.crt
      chmod 444 server.crt

    7. Verify:

      1. The validity of the new certificate:

        [<ADMIN> ~]# openssl x509 -noout -text -in server.crt 
        openssl x509 -noout -text -in server.crt

        The server key information is displayed. Next to Server: CN=, your syslog VIP appears.

      2. That the certificate signing was successful 

        3. [<ADMIN> ~]# openssl verify -CAfile ca.crt server.crt
        openssl verify -CAfile ca.crt server.crt

      3. server.crt: OK should appear.

    In root@TufinOS cert, the following files appear: 

    • ca.crt

    • ca.key

    • server.crt

    • server.csr

    • server.key

Set up encrypted syslogs over TCP in Check Point

  1. Stop TOS:

    2. tos stop -d

  2. Import the certificate to the TOS server:

    1. Run:

      [<ADMIN> ~]# tos certificate import --type syslog --ca <CA-PATH> --cert <CERT-PATH> --key <KEY-PATH>
      tos certificate import --type syslog --ca <CA-PATH> --cert <CERT-PATH> --key <KEY-PATH>

      2. where

      Parameter

      Description

      Required/Optional

      <CERT-PATH>

      Location of the CA.

      Required

      <CERT-PATH>

      Location of the certificate.

      Required

      <KEY-PATH>

      Location of the key.

      Required

      Sample output

      $ tos certificate import --type syslog --ca /tmp/ca.crt --cert /tmp/server.crt --key /tmp/server.key

      The message "Successfully changed configuration for syslog -agent-service." is displayed.

    2. Verify that the certificate was successfully imported to the TOS server: 

      [<ADMIN> ~]# kubectl get secrets syslog-agent-nginx-secret -oyaml
      kubectl get secrets syslog-agent-nginx-secret -oyaml

      An encrypted version of the certificate is displayed. Verify that it's the certificate you just created by checking the creationTimestamp.

      Example

  3. Restart TOS:

    4. tos start -d

  4. Define the syslog VIP:

    sudo tos cluster syslog-vip add <SYSLOG_VIP> [--port <PORT>] --transport tcp [--debug]

    where

    Parameter

    Description

    Mandatory /Optional

    <SYSLOG_VIP>

    VIP of the cluster.

    Mandatory

    --port

    Allows you to specify a port; otherwise, the default port 6514 is used.

    Optional

    It can take up to 10 minutes for the device to be added. When the process is finished the message: "INFO VIP "<VIP-ADDRESS>" Added!" is displayed.

    1. Create a key:

      [<ADMIN> ~]# openssl genrsa -out client.key 2048
      openssl genrsa -out client.key 2048

    2. Create a certificate signing request (CSR):

      [<ADMIN> ~]# openssl req -new -key client.key -out client.csr
      openssl req -new -key client.key -out client.csr

    3. Fill in the field as follows:

      • Common Name - the device IP address or resolvable host name of the client

      • A Challenge Password (this may only appear in the next step) - leave blank

      • All other fields - "."

    4. Sign the CSR with the root CA:

      [<ADMIN> ~]# openssl x509 -req -days 365 -sha256 -in client.csr -CA ca.crt -CAkey ca.key -set_serial 2 -out client.pem
      openssl x509 -req -days 365 -sha256 -in client.csr -CA ca.crt -CAkey ca.key -set_serial 2 -out client.pem

    5. Verify the validity of the certificate:

      [<ADMIN> ~]#  openssl x509 -noout -text -in client.pem
      openssl openssl x509 -noout -text -in client.pem

      Subject: CN=<device IP> is displayed.

    6. Verify the signature:

      [<ADMIN> ~]# openssl verify -CAfile ca.crt client.pem 
      openssl verify -CAfile ca.crt client.pem

      The message server.crt:OK is displayed.

  6. Add the client.csr, client.key, and the client.crt:
    7. openssl x509 -sha1 -req -days 365 -in client.csr -signkey client.key -out client.crt

  7. Convert the certificate to .p12 format:

    openssl pkcs12 -inkey client.key -in client.crt -export -out client.p12

  8. Modify the log exporter on your Check Point device and take note of the log ID.

  9. When adding/configuring your device in TOS Aurora:

    Select Custom > Syslog Authentication.

    Enter the log ID from the Check Point log exporter.

    Select Protocol TCP

    By default, all TCP syslogs will be encrypted.