Configuring Check Point Syslogs Over Encrypted TCP

Overview

The syslog mechanism is used to pass policy change and traffic information from your devices to SecureTrack.

This procedure requires configuration in the TOS CLI, Check Point CLI, and TOS UI. You will import an encryption certificate to the TOS server, sign the certificate and modify the log exporter on the Check Point server, and then configure the new syslog connection in SecureTrack.

Syslogs sent over TCP must always be encrypted and this option is not available for TOS deployments on Azure, AWS or GCP.

Prerequisites

A root CA key and password (click here for procedure).
1. Create a new private key.
  [<ADMIN> ~]# openssl genrsa -aes256 -out ca.key 4096 chmod 400 ca.key
  
  openssl genrsa -aes256 -out ca.key 4096 chmod 400 ca.key
  You are prompted to enter a password. Make sure to save the password somewhere safe, you will need it for later.
2. Create a certificate signing request (CSR).
  [<ADMIN> ~]# openssl req -new -x509 -sha256 -days 2048 -key c.key -out ca.crt
  
  openssl req -new -x509 -sha256 -days 2048 -key ca.key -out ca.crt
  The following message is displayed.
3. Fill in "." in all fields except Common Name.
  
  In Common Name, give the certificate a meaningful name. For example, "Tufin".
4. Create the certificate.
  [<ADMIN> ~]# openssl x509 -sha1 -req -days 365 -in ca.csr -signkey ca.key -out ca.crt
  
  openssl x509 -sha1 -req -days 365 -in ca.csr -signkey ca.key -out ca.crt
Your CA key/password pair, and certificate are created:
- ca.crt
- ca.key
A server certificate for your syslog VIP on the Tufin Server (click here for procedure)
1. Create a private key for the Tufin server:
  [<ADMIN> ~]# openssl genrsa -out server.key 2048 && chmod 400 server.key
  
  openssl genrsa -out server.key 2048 && chmod 400 server.key
2. Create a Certificate Signing Request (CSR):
  [<ADMIN> ~]# openssl req -new -key server.key -sha256 -out server.csr
  
  openssl req -new -key server.key -sha256 -out server.csr
  The DN fields are displayed.
3. Fill in the field as follows:
  - Common Name - the syslog VIP
  - A Challenge Password (this may only appear in the next step) - leave blank
  - All other fields - "."
4. Sign the CSR:
  [<ADMIN> ~]# openssl x509 -req -days 365 -sha256 -in server.csr -CA ca.crt -CAkey ca.key -set_serial 1 -out server.crt
  
  openssl x509 -req -days 365 -sha256 -in server.csr -CA ca.crt -CAkey ca.key -set_serial 1 -out server.crt
5. Edit the permission of the file.
  [<ADMIN> ~]#chmod 444 server.crt
  chmod 444 server.crt
6. When prompted, enter your root CA password.
7. Verify:
  1. The validity of the new certificate:
    
    [<ADMIN> ~]# openssl x509 -noout -text -in server.crt
    
    openssl x509 -noout -text -in server.crt
    
    The server key information is displayed. Next to Server: CN=, your syslog VIP appears.
  2. That the certificate signing was successful
  3. server.crt: OK should be displayed.
  In root@TufinOS cert, the following files appear:
  
  • ca.crt
  
  • ca.key
  
  • server.crt
  
  • server.csr
  
  • server.key

Set up encrypted syslogs over TCP in Check Point

Import the certificate to the TOS server:

Run:

[<ADMIN> ~]# tos certificate import --type syslog --ca <CA-PATH> --cert <CERT-PATH> --key <KEY-PATH>

tos certificate import --type syslog --ca <CA-PATH> --cert <CERT-PATH> --key <KEY-PATH>

where

Parameter	Description	Required/Optional
`<CERT-PATH>`	Location of the CA.	Required
`<CERT-PATH>`	Location of the certificate.	Required
`<KEY-PATH>`	Location of the key.	Required

Sample output

$ tos certificate import --type syslog --ca /tmp/ca.crt --cert /tmp/server.crt --key /tmp/server.key

Define the syslog VIP:

sudo tos cluster syslog-vip add <SYSLOG_VIP> [--port <PORT>] --transport tcp [--debug]

where

Parameter	Description	Mandatory /Optional
`<SYSLOG_VIP>`	VIP of the cluster.	Mandatory
`--port`	Allows you to specify a port; otherwise, the default port 6514 is used.	Optional

It can take up to 10 minutes for the device to be added. When the process is finished the message: "INFO VIP "<VIP-ADDRESS>" Added!" is displayed.

Create and sign client certificate (click here for procedure)
1. Create a key:
  [<ADMIN> ~]# openssl genrsa -out client.key 2048
  
  openssl genrsa -out client.key 2048
  Save the key password somewhere safe. You will need it to import the certificate to the client device.
2. Create a certificate signing request (CSR):
  [<ADMIN> ~]# openssl req -new -key client.key -out client.csr
  
  openssl req -new -key client.key -out client.csr
3. Fill in the field as follows:
  - Common Name - the device IP address or resolvable host name of the client
  - A Challenge Password (this may only appear in the next step) - leave blank
  - All other fields - "."
4. Sign the CSR with the root CA:
  [<ADMIN> ~]# openssl x509 -req -days 365 -sha256 -in client.csr -CA ca.crt -CAkey ca.key -set_serial 2 -out client.pem
  
  openssl x509 -req -days 365 -sha256 -in client.csr -CA ca.crt -CAkey ca.key -set_serial 2 -out client.pem
5. Verify the validity of the certificate:
  [<ADMIN> ~]# openssl x509 -noout -text -in client.pem
  
  openssl openssl x509 -noout -text -in client.pem
  Subject: CN=<device IP> is displayed.
6. Verify the signature:
  [<ADMIN> ~]# openssl verify -CAfile ca.crt client.pem
  
  openssl verify -CAfile ca.crt client.pem
  The message server.crt:OK is displayed.
Add the client.csr, client.key, and the client.crt:

openssl x509 -sha1 -req -days 365 -in client.csr -signkey client.key -out client.crt

You can rename the certificates to align with the naming conventions of your business.

Convert the certificate to .p12 format:

openssl pkcs12 -inkey client.key -in client.crt -export -out client.p12

Modify the log exporter on your Check Point device and take note of the log ID.
When adding/configuring your device in TOS Aurora:

Select Custom > Syslog Authentication.

Enter the log ID from the Check Point log exporter.

Select Protocol TCP

By default, all TCP syslogs will be encrypted.