Check Point configuration overview

To integrate Check Point with QRadar, you must complete the following procedures in sequence:

1. Add QRadar as a host for Check Point.
2. Add an OPSEC application to Check Point.
3. Locate the Log Source Secure Internal Communications DN.
4. In QRadar, configure the OPSEC LEA protocol.
5. Verify the OPSEC/LEA communications configuration.

1 Adding a Check Point Host

You can add IBM Security QRadar as a host in Check Point SmartCenter:

Procedure

1. Log in to the Check Point SmartDashboard user interface.
2. Select Manage > Network Objects > New > Node > Host.
3. Enter the information for your Check Point host:
   • Name: QRadar
   • IP address: IP address of QRadar
   • Comment: You do not need to comment.
4. Click OK.
5. Select Close.

What to do next

You are now ready to create an OPSEC Application Object for Check Point.

2 Creating an OPSEC Application Object

After you add IBM Security QRadar as a host in Check Point SmartCenter, you can create the OPSEC Application Object:

Procedure

1. Open the Check Point SmartDashboard user interface.
2. Select Manage > Servers and OPSEC applications > New > OPSEC Application Properties.
3. Assign a name to the OPSEC Application Object.
   Example: QRadar-OPSEC
   The OPSEC Application Object name must be different than the host name you typed when you created the node.
4. From the Host list, select QRadar.
5. From the Vendor list, select User Defined.
6. In Client Entities, select the LEA check box.
7. To generate a Secure Internal Communication (SIC) DN, click Communication.
8. Enter an activation key.
   Note: The activation key is a password that is used to generate the SIC DN. When you configure your Check Point log source in QRadar, the activation key is typed into the Pull Certificate Password parameter field.
9. Click Initialize.
   The window updates the Trust state from Uninitialized to Initialized but trust not established.
10. Click Close.
    The OPSEC Application Properties window is displayed.
11. Write down or copy the displayed SIC DN to a text file.
    Note: The displayed SIC value is needed for the OPSEC Application Object SIC Attribute parameter when you configure the Check Point log source in QRadar. The OPSEC Application Object SIC resembles the following example: CN=QRadar-OPSEC,O=cpmodule..tdfaaz.

What to do next

You are now ready to locate the log source SIC for Check Point.

3 Locating the log source SIC

After you create the OPSEC Application Object, you can locate the Log Source SIC from the Check Point SmartDashboard:

Procedure

1. Select Manage > Network Objects.
2. Select your Check Point Log Host object.
   Important: You must confirm whether the Check Point Log Host is a separate object in your configuration from the Check Point Management Server. In most cases, the Check Point Log Host is the same object as the Check Point Management Server.
3. Click Edit.
   The Check Point Host General Properties window is displayed.
4. Copy the Secure Internal Communication (SIC).
   Important: Depending on your Check Point version, the Communication button displays the SIC attribute. You can locate the SIC attribute from the Check Point Management Server command-line interface. You must use the cpca_client lscert command from the command-line interface of the Management Server to display all certificates.
   Important: The Log Source SIC Attribute resembles the following example: cn=cp_mgmt,o=cpmodule...tdfaaz. For more information, see your Check Point Command Line Interface Guide.
   You must now install the Security Policy from the Check Point SmartDashboard user interface.
5. Select Policy > Install > OK.
6. Select Policy > Install Database > OK.

QRadar DSM Configuration Guide, Chapter 28. Check Point
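The two SIC DNs collected in the procedures above are typed into QRadar by hand, so a quick check before configuring the log source catches copy errors. The following shell functions are an added example, not code from IBM or Check Point: they filter `cpca_client lscert` output for valid SIC certificates and compare the OPSEC Application Object DN with the Log Source DN. Assumptions: the record layout in the constructed sample, the hypothetical function names, and that both certificates share the same O= component because the same Management Server issued them.

```shell
# Added example (not IBM or Check Point code). Typical use on the Management Server:
#   cpca_client lscert | list_sic_subjects

# Print the Subject DN of each certificate whose Status is Valid and Kind is SIC.
# The "Subject = ..." / "Status = ...  Kind = ..." record layout is an assumption.
list_sic_subjects() {
  awk '
    /^Subject = / { subj = substr($0, 11); next }
    /^Status = /  {
      status = ""; kind = ""
      for (i = 1; i + 2 <= NF; i++) {
        if ($i == "Status" && $(i+1) == "=") status = $(i+2)
        if ($i == "Kind"   && $(i+1) == "=") kind   = $(i+2)
      }
      if (subj != "" && status == "Valid" && kind == "SIC") print subj
      subj = ""
    }'
}

# dn_attr DN KEY: print the value of the first KEY= component (key is case-insensitive).
dn_attr() {
  printf '%s\n' "$1" | tr ',' '\n' |
    awk -F= -v k="$2" '{ key = tolower($1); gsub(/ /, "", key) }
      key == tolower(k) { sub(/^[^=]*=/, ""); print; exit }'
}

# check_sic_pair APP_DN LOG_DN HOST_NAME: return 0 when the pair looks consistent.
check_sic_pair() {
  app_cn=$(dn_attr "$1" cn); app_o=$(dn_attr "$1" o); log_o=$(dn_attr "$2" o)
  [ -n "$app_cn" ] && [ -n "$app_o" ] && [ -n "$log_o" ] ||
    { echo "malformed DN" >&2; return 2; }
  # The OPSEC Application Object name must differ from the host node name.
  if [ "$(printf '%s' "$app_cn" | tr 'A-Z' 'a-z')" = "$(printf '%s' "$3" | tr 'A-Z' 'a-z')" ]; then
    echo "OPSEC object name equals host object name" >&2; return 1
  fi
  # Assumption: both certificates carry the same O= component.
  [ "$app_o" = "$log_o" ] || { echo "O= components differ" >&2; return 1; }
}

# Constructed sample input, not real command output.
sample_lscert() {
  cat <<'EOF'
Subject = CN=QRadar-OPSEC,O=mgmt01..x7k2pq
Status = Pending   Kind = SIC   Serial = 1001   DP = 0

Subject = cn=cp_mgmt,o=mgmt01..x7k2pq
Status = Valid   Kind = SIC   Serial = 1002   DP = 0

Subject = CN=gw01 VPN Certificate,O=mgmt01..x7k2pq
Status = Valid   Kind = IKE   Serial = 1003   DP = 1
EOF
}
```

Running `check_sic_pair` with the copied OPSEC DN, the Log Source DN and the host node name returns a non-zero status and prints the reason when the values should be re-copied.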