Uploaded by Oswaldo Hidalgo

CheckPoint configuration for QRadar Guide

Check Point configuration overview
To integrate Check Point with QRadar, you must complete the following
procedures in sequence:
1. Add QRadar as a host for Check Point.
2. Add an OPSEC application to Check Point.
3. Locate the Log Source Secure Internal Communications DN.
4. In QRadar, configure the OPSEC LEA protocol.
5. Verify the OPSEC/LEA communications configuration.
Adding a Check Point Host
You can add IBM Security QRadar as a host in Check Point SmartCenter:
Procedure
1. Log in to the Check Point SmartDashboard user interface.
2. Select Manage > Network Objects > New > Node > Host.
3. Enter the information for your Check Point host:
• Name: QRadar
• IP address: IP address of QRadar
• Comment: You do not need to comment.
4. Click OK.
5. Select Close.
What to do next
You are now ready to create an OPSEC Application Object for Check Point.
Creating an OPSEC Application Object
After you add IBM Security QRadar as a host in Check Point SmartCenter, you can
create the OPSEC Application Object:
Procedure
1. Open the Check Point SmartDashboard user interface.
2. Select Manage > Servers and OPSEC applications > New > OPSEC
Application Properties.
3. Assign a name to the OPSEC Application Object.
Example:
QRadar-OPSEC
The OPSEC Application Object name must be different than the host name
you typed when you created the node.
4. From the Host list, select QRadar.
5. From the Vendor list, select User Defined.
6. In Client Entities, select the LEA check box.
7. To generate a Secure Internal Communication (SIC) DN, click
Communication.
8. Enter an activation key.
QRadar DSM Configuration Guide
Note: The activation key is a password that is used to generate the SIC DN.
When you configure your Check Point log source in QRadar, the activation
key is typed into the Pull Certificate Password parameter field.
9. Click Initialize.
The window updates the Trust state from Uninitialized to Initialized but
trust not established.
10. Click Close.
The OPSEC Application Properties window is displayed.
11. Write down or copy the displayed SIC DN to a text file.
Note: The displayed SIC value is needed for the OPSEC Application Object
SIC Attribute parameter when you configure the Check Point log source in
QRadar.
The OPSEC Application Object SIC resembles the following example:
CN=QRadar-OPSEC,O=cpmodule..tdfaaz.
What to do next
You are now ready to locate the log source SIC for Check Point.
Locating the log source SIC
After you create the OPSEC Application Object, you can locate the Log Source SIC
from the Check Point SmartDashboard:
Procedure
1. Select Manage > Network Objects.
2. Select your Check Point Log Host object.
Important: You must confirm whether the Check Point Log Host is a separate
object in your configuration from the Check Point Management Server. In most
cases, the Check Point Log Host is the same object as the Check Point
Management Server.
3. Click Edit.
The Check Point Host General Properties window is displayed.
4. Copy the Secure Internal Communication (SIC).
Important: Depending on your Check Point version, the Communication
button displays the SIC attribute. You can locate the SIC attribute from the
Check Point Management Server command-line interface. You must use the
cpca_client lscert command from the command-line interface of the
Management Server to display all certificates.
Important: The Log Source SIC Attribute resembles the following example:
cn=cp_mgmt,o=cpmodule...tdfaaz. For more information, see your Check Point
Command Line Interface Guide.
You must now install the Security Policy from the Check Point SmartDashboard
user interface.
5. Select Policy > Install > OK.
6. Select Policy > Install Database > OK.
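
Added example, not part of the IBM guide: a Python pre-check for the two SIC DNs collected in the procedures above, run before the values are typed into the QRadar log source. The `cpca_client lscert` output layout, the sample DNs, the function names, and the expectation that both DNs carry the same O= value (as the guide's two examples do) are assumptions made for illustration.

```python
import re

# Constructed sample. The Subject/Status/Kind layout is an assumption about
# what `cpca_client lscert` prints; adjust the patterns to your version.
SAMPLE_LSCERT = """\
Subject = CN=cp_mgmt,O=example-mgmt..abc123
Status = Valid   Kind = SIC   Serial = 1001   DP = 0

Subject = CN=QRadar-OPSEC,O=example-mgmt..abc123
Status = Valid   Kind = SIC   Serial = 1002   DP = 0

Subject = CN=old-gw VPN Certificate,O=example-mgmt..abc123
Status = Revoked   Kind = IKE   Serial = 1003   DP = 0
"""

def sic_dns(text):
    """Return subject DNs of certificates whose Kind is SIC and Status is Valid."""
    found = []
    for block in re.split(r"\n\s*\n", text.strip()):
        subject = re.search(r"^Subject\s*=\s*(.+)$", block, re.M)
        status = re.search(r"Status\s*=\s*(\w+)", block)
        kind = re.search(r"Kind\s*=\s*(\w+)", block)
        if subject and status and kind and \
                (status.group(1), kind.group(1)) == ("Valid", "SIC"):
            found.append(subject.group(1).strip())
    return found

def dn_parts(dn):
    """Split 'CN=x,O=y' into {'cn': 'x', 'o': 'y'}; attribute names are lowercased."""
    parts = {}
    for item in dn.split(","):
        key, _, value = item.partition("=")
        parts[key.strip().lower()] = value.strip()
    return parts

def check_sic_pair(opsec_dn, log_source_dn, host_name):
    """List problems with the OPSEC application DN and the log source DN."""
    app, src = dn_parts(opsec_dn), dn_parts(log_source_dn)
    problems = []
    for label, parts in (("OPSEC application", app), ("log source", src)):
        if not parts.get("cn") or not parts.get("o"):
            problems.append(f"{label} DN needs both CN= and O=")
    if app.get("cn", "").lower() == host_name.lower():
        problems.append("OPSEC application name equals the host node name")
    if app.get("o") and src.get("o") and app["o"].lower() != src["o"].lower():
        problems.append("DNs have different O= values")  # assumed to match
    if opsec_dn.strip().lower() == log_source_dn.strip().lower():
        problems.append("the same DN was given for both fields")
    return problems
```

An empty list from `check_sic_pair` means the pair passed these checks; it does not confirm that trust has been established.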
Chapter 28. Check Point