Configuring Check Point Syslogs Over Encrypted TCP

Overview

The syslog mechanism is used to pass policy change and traffic information from your devices to SecureTrack.

This procedure requires configuration in the TOS CLI, Check Point CLI, and TOS UI. You will import an encryption certificate to the TOS server, sign the certificate and modify the log exporter on the Check Point server, and then configure the new syslog connection in SecureTrack.

Syslogs sent over TCP must always be encrypted (the TLS listener uses port 6514 by default), and this option is not available for TOS deployments on Azure, AWS or GCP.

Prerequisites

Set up encrypted syslogs over TCP in Check Point

  1. Import the certificate to the TOS server:

    Run:

    [<ADMIN> ~]# tos certificate import --type syslog --ca <CA-PATH> --cert <CERT-PATH> --key <KEY-PATH>

    where

    Parameter      Description                          Required/Optional
    <CA-PATH>      Location of the CA certificate.      Required
    <CERT-PATH>    Location of the server certificate.  Required
    <KEY-PATH>     Location of the server private key.  Required

    Example

    $ tos certificate import --type syslog --ca /tmp/ca.crt --cert /tmp/server.crt --key /tmp/server.key
  2. Define the syslog VIP:

    sudo tos cluster syslog-vip add <SYSLOG_VIP> [--port <PORT>] --transport tcp [--debug]

    where

    Parameter      Description                                                  Mandatory/Optional
    <SYSLOG_VIP>   VIP of the cluster.                                          Mandatory
    --port         Port to listen on; if omitted, the default port 6514 is used.  Optional

    It can take up to 10 minutes for the VIP to be added. When the process is finished, the message "INFO VIP "<VIP-ADDRESS>" Added!" is displayed.

  3. Prepare the client private key (client.key) and certificate signing request (client.csr) for the Check Point log exporter; the next step produces client.crt from them.
  4. Sign the CSR to produce the client certificate:

    openssl x509 -sha256 -req -days 365 -in client.csr -signkey client.key -out client.crt

    This self-signs the request with client.key. Use -sha256 rather than -sha1: SHA-1 certificate signatures are deprecated and rejected by many current TLS stacks. You can rename the certificates to align with the naming conventions of your business.

  5. Convert the certificate to .p12 format:

    openssl pkcs12 -inkey client.key -in client.crt -export -out client.p12

  6. Modify the log exporter on your Check Point device so that it sends encrypted syslog over TCP to the syslog VIP and port defined in step 2, using the client.p12 bundle, and take note of the log ID.
  7. When adding/configuring your device in TOS Aurora:

    Select Custom > Syslog Authentication.

    Enter the log ID from the Check Point log exporter.

    Select Protocol TCP

    By default, all TCP syslogs will be encrypted.
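The following script is an added example and is not part of the Tufin or Check Point documentation. It carries steps 3 to 5 through end to end: it generates the client key and CSR, self-signs the CSR (with SHA-256), packs the result into client.p12, and then checks the bundle the way a practitioner would before copying it to the gateway: can it be opened with the password, and which signature algorithm did the certificate get. The subject CN (cp-log-exporter), the PKCS#12 password and the output directory are illustrative assumptions; the only requirement is an openssl binary on PATH.

```shell
#!/bin/sh
# Added example (not from the Tufin/Check Point documentation): builds the
# client.key / client.csr / client.crt / client.p12 set used in steps 3 to 5
# and checks the result before it is handed to the Check Point log exporter.
# Assumptions: openssl is on PATH; the client certificate is self-signed with
# its own key, as in the procedure; the subject CN and the PKCS#12 password
# are illustrative values.
set -eu

# make_client_p12 OUTDIR CN PASSWORD
# Creates OUTDIR/client.{key,csr,crt,p12}. Returns non-zero on any failure.
make_client_p12() {
    outdir=$1; cn=$2; pass=$3
    mkdir -p "$outdir"

    # 1. Private key and CSR for the log exporter (step 3 of the procedure).
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -keyout "$outdir/client.key" -out "$outdir/client.csr" \
        -subj "/CN=$cn" 2>/dev/null

    # 2. Self-sign the CSR with its own key (step 4). SHA-256 rather than the
    #    deprecated SHA-1 so the certificate is accepted by current TLS stacks.
    openssl x509 -req -sha256 -days 365 -in "$outdir/client.csr" \
        -signkey "$outdir/client.key" -out "$outdir/client.crt" 2>/dev/null

    # 3. Bundle key + certificate as PKCS#12 (step 5). The password protects
    #    the private key inside the .p12 and is what the log exporter is given
    #    alongside the file.
    openssl pkcs12 -export -inkey "$outdir/client.key" -in "$outdir/client.crt" \
        -out "$outdir/client.p12" -passout "pass:$pass"

    # Key material should not be world-readable while it sits on the TOS host.
    chmod 600 "$outdir/client.key" "$outdir/client.p12"
}

# p12_subject FILE PASSWORD
# Prints the subject of the certificate inside the bundle. A wrong password
# (or a corrupt bundle) yields no certificate, so the pipeline exits non-zero;
# that is the check worth running before copying the bundle to the gateway.
p12_subject() {
    openssl pkcs12 -in "$1" -nokeys -passin "pass:$2" 2>/dev/null |
        openssl x509 -noout -subject
}

# cert_sig_alg FILE
# Prints the certificate's signature algorithm, e.g. sha256WithRSAEncryption.
cert_sig_alg() {
    openssl x509 -in "$1" -noout -text |
        sed -n 's/^ *Signature Algorithm: *//p' | head -n 1
}

# Stand-alone run: build a bundle in a temporary directory and show the checks.
demo_dir=$(mktemp -d)
make_client_p12 "$demo_dir" cp-log-exporter 'ChangeMe!'
echo "subject:     $(p12_subject "$demo_dir/client.p12" 'ChangeMe!')"
echo "signed with: $(cert_sig_alg "$demo_dir/client.crt")"
echo "bundle:      $demo_dir/client.p12"
```

The .p12 and its password are what step 6 hands to the Check Point log exporter; the CA certificate imported in step 1 is what TOS presents as its server identity on the syslog VIP. If p12_subject fails on the host where the bundle was built, the exporter will fail in the same way, so run it before touching the gateway.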