Configuring Check Point Syslogs Over Encrypted TCP

This topic is intended for TOS Administrators.

Overview

The syslog mechanism is used to pass policy change and traffic information from your devices to SecureTrack. For Check Point devices, you can configure syslogs encrypted over TCP, as described here, or non-encrypted over UDP.

Encrypted syslog configuration for Check Point includes configuring:

Syslog processing method
SecureTrack to retrieve audit/traffic logs

To configure non-encrypted syslogs, see Check Point Syslogs over non-encrypted UDP. For general information about sending syslogs to TOS, see Sending Additional Information using Syslog.

Syslogs over TCP is not supported for TOS deployments on Azure, AWS, or GCP.

Syslog Processing Methods

TOS supports two methods of processing syslog information for Check Point devices:

Original method (default)
- The Automatic Policy Generator (APG) and in the Rule and Object Usage reports display rule usage.
- The SecureTrack Reporting Essentials (STRE) reports do not display objects.
- The Rule Viewer displays last-hit information only for rules (not for objects in rules).

New method

Tufin Support might advise switching to the new method if you have a large volume of syslog traffic and have experienced performance issues.

On switching to the new method, all existing last-hit information is cleared and reinitialized.
- The Rule Viewer displays last-hit information for both rules and objects in rules.
- The STRE reports includes objects.
- The following are not available:
  - Automatic Policy Generator
  - Rule and Object Usage report

Switching from the new method back to the original method does not restore the last-hit information cleared previously.

Configure Syslog Processing Method

Switch to the new method:
```
tos config set -p opm.usage.support.legacy.types=checkpoint
```
tos config set -p opm.usage.support.legacy.types=checkpoint
Switch to the default method:
```
tos config reset -p opm.usage.support.legacy.types
```
tos config reset -p opm.usage.support.legacy.types

Configure TOS for Encrypted Syslogs

Configure the TOS CLI, Check Point CLI, and TOS UI for encrypted syslogs. Import an encryption certificate to the TOS server, sign the certificate, and modify the log exporter on the Check Point server, and then configure the new syslog connection in SecureTrack.

You must configure the log exporter on all monitored MDSM CMA, SMC and CLM log server devices.

Prerequisites

On the TOS server:

A root CA key and password (click here for procedure).
1. Create a new private key.
  [<ADMIN> ~]# openssl genrsa -aes256 -out ca.key 4096 && chmod 400 ca.key
  
  openssl genrsa -aes256 -out ca.key 4096 && chmod 400 ca.key
  You are prompted to enter a password.
2. Create a certificate signing request (CSR).
  [<ADMIN> ~]# openssl req -new -sha256 -days 2048 -key ca.key -out ca.csr
  
  openssl req -new -sha256 -days 2048 -key ca.key -out ca.csr
  The following message is displayed.
3. Fill in "." in all fields except Common Name.
  
  In Common Name, give the certificate a meaningful name. For example, "Tufin".
4. Create the certificate.
  [<ADMIN> ~]# openssl x509 -sha1 -req -days 365 -in ca.csr -signkey ca.key -out ca.crt
  
  openssl x509 -in ca.crt -out ca.pem -outform PEM
5. Convert the ca.crt file to .pem.
  [<ADMIN> ~]# openssl x509 -in ca.crt -out ca.pem -outform PEM
  
  openssl x509 -sha1 -req -days 365 -in ca.csr -signkey ca.key -out ca.crt
A server certificate for your syslog VIP on the Tufin Server (click here for procedure)
1. Create a private key for the Tufin server:
  [<ADMIN> ~]# openssl genrsa -out server.key 2048 && chmod 400 server.key
  
  openssl genrsa -out server.key 2048 && chmod 400 server.key
2. Create a Certificate Signing Request (CSR):
  [<ADMIN> ~]# openssl req -new -key server.key -sha256 -out server.csr
  
  openssl req -new -key server.key -sha256 -out server.csr
  The DN fields are displayed.
3. Define the following values:
  - Common Name: The syslog VIP used by your deployment, based on whether it is on-premises or cloud-based.
  - A Challenge Password (this may only appear in the next step): leave blank
  - All other fields: "."
4. Sign the CSR:
  [<ADMIN> ~]# openssl x509 -req -days 365 -sha256 -in server.csr -CA ca.crt -CAkey ca.key -set_serial 1 -out server.crt
  
  openssl x509 -req -days 365 -sha256 -in server.csr -CA ca.crt -CAkey ca.key -set_serial 1 -out server.crt
5. When prompted, enter your root CA password.
6. Edit the permission of the file.
  [<ADMIN> ~]#chmod 444 server.crt
  
  chmod 444 server.crt
7. Verify:
  1. The validity of the new certificate:
    
    [<ADMIN> ~]# openssl x509 -noout -text -in server.crt
    
    openssl x509 -noout -text -in server.crt
    
    The server key information is displayed. Next to Server: CN=, your syslog VIP appears. For cloud deployments, the syslog VIP is the IP of the cloud load balancer.
  2. That the certificate signing was successful
  3. server.crt: OK should appear.
In root@TufinOS cert, the following files appear:
- ca.crt
- ca.key
- server.crt
- server.csr
- server.key

Set up Encrypted Syslogs Over TCP in TOS

Import the certificate to the TOS server:

Run:

[<ADMIN> ~]# tos certificate import --type syslog --ca <CA-PATH> --cert <CERT-PATH> --key <KEY-PATH>

tos certificate import --type syslog --ca <CA-PATH> --cert <CERT-PATH> --key <KEY-PATH>

where

Parameter	Description	Required/Optional
`<CERT-PATH>`	Location of the CA.	Required
`<CERT-PATH>`	Location of the certificate.	Required
`<KEY-PATH>`	Location of the key.	Required

Sample output

$ tos certificate import --type syslog --ca /tmp/ca.crt --cert /tmp/server.crt --key /tmp/server.key

For on-premises deployments, define the syslog VIP. If you are deploying on the cloud, skip this step.

sudo tos cluster syslog-vip add <SYSLOG_VIP> [--port <PORT>] --transport tcp [--debug]

where

Parameter	Description	Mandatory /Optional
`<SYSLOG_VIP>`	VIP of the cluster.	Mandatory
`--port`	Allows you to specify a port; otherwise, the default port 6514 is used.	Optional

It can take up to 10 minutes for the device to be added. When the process is finished the message: "INFO VIP "<VIP-ADDRESS>" Added!" appears.

Create and sign client certificate (click here for procedure)
Note that Check Point acts as the client.
1. Create a key:
  [<ADMIN> ~]# openssl genrsa -out client.key 2048
  
  openssl genrsa -out client.key 2048
2. Create a certificate signing request (CSR):
  [<ADMIN> ~]# openssl req -new -key client.key -out client.csr
  
  openssl req -new -key client.key -out client.csr
3. Fill in the field as follows:
  - Common Name - the device IP address or resolvable host name of the client
  - A Challenge Password (this may only appear in the next step) - leave blank
  - All other fields - "."
4. Sign the CSR with the root CA:
  [<ADMIN> ~]# openssl x509 -req -days 365 -sha256 -in client.csr -CA ca.crt -CAkey ca.key -set_serial 2 -out client.pem
  
  openssl x509 -req -days 365 -sha256 -in client.csr -CA ca.crt -CAkey ca.key -set_serial 2 -out client.pem
5. View the certificate details:
  [<ADMIN> ~]# openssl x509 -noout -text -in client.pem
  
  openssl x509 -noout -text -in client.pem
6. Verify the certificate validity:
  [<ADMIN> ~]# openssl verify -CAfile ca.crt client.pem
  
  openssl verify -CAfile ca.crt client.pem
  If the certificate is valid, OK is returned.

Convert the certificate to .p12 format:

openssl pkcs12 -inkey client.key -in client.pem -export -out client.p12

Modify the log exporter on your Check Point device and take note of the log ID.
When adding/configuring your device in TOS:
1. Select Custom > Syslog Authentication.
2. Enter the log ID from the Check Point log exporter.
3. Select Protocol TCP