Add Check Point devices

Relevant for: AFA Administrators

This topic describes how to add Check Point MDSM, SmartCenter / Gateway, or CMA devices, as well as fields and options shared by all of these device types.

Note: You must also perform procedures on your devices, depending on how you connect to the device from AFA. For details, see Enable data collection for Check Point devices.

Tip: Watch a training video on how AFA can collect data from a few Check Point devices. See Defining Check Point Devices on the AlgoSec portal.

Check Point network connections

The following diagrams shows an ASMS Central Manager or Remote Agent connecting to a Check Point MDSM, CMA, or Smart Center device, and a Check Point Gateway. Check Point versions R80 or higher have an additional connection via HTTP-REST.

Note: If your CLM/MLM log servers reside on separate hosts, you'll need to connect to these separately from ASMS.

Check Point device permissions

AFA can collect data or logs via SSH or OPSEC. For Check Point versions R80 and higher, you must also define data collection via REST.

ASMS requires the following permissions for each type of connection to your Check Point devices:

Connections via OPSEC (recommended)

Connections via SSH

Add a Check Point Multi-Domain Security Management device

Check Point Multi-Domain Security Management (MDSM) integrates multiple 'firewalled' networks within a single administrative framework. These devices consolidate multiple SmartCenter Servers, referred to as Customer Management Add-ons (CMAs), on a single host.

AFA analyzes the Filter Module security policy via a secure connection to the MDSM server.

Note: Multi-Domain Security Management, or MDSM, refers to both MDSM and Provider-1 devices.

Do the following:

Access the DEVICES SETUP page. For details, see Access the DEVICES SETUP page.
In the vendor and device selection page, select Check Point > Multi Domain Security Management (Provider-1).

Configure the fields and options on the page as needed. For details, see Check Point fields and options.

Note: If you select to enable ActiveChange, the ActiveChange License Agreement appears. Select the I agree checkbox, and then click OK.
Click Next.

The fields on the Check Point - Multi-Domain Security Management (Provider-1) - Step 2/3 page differ, depending on whether you selected to connect to the device via SSH or OPSEC.

Do one of the following:

OPSEC

Recommended.

Enter the IP address of the CMA that manages the devices you wish to analyze.

SSH

Select the CMA that manages the devices you wish to analyze by clicking the relevant row.

Click Next.

The Check Point - Multi-Domain Security Management (Provider-1) - Step 3/3 page appears.

This page displays a table listing all the devices that are managed by the Check Point MDSM, including standalone devices and virtual systems.
Optional: Configure AFA to use logs created by a managed device or virtual system.
Tip: This enables AFA to detect certain policy optimization information, such as unused rules. For more details, see Device report pages.

Do the following:
1. In the Add Device column, select the check box next to the device's name.
2. In the Log Analysis column, select one of the following:
  - None. Disables logging.
  - Standard. Enables logging.
  - Extensive. Enables logging and the Intelligent Policy Tuner. For more details, see Intelligent Policy Tuner.
3. In the Log Server column, click Settings. Then, do one of the following:
  - Select the log server you want to use from the drop-down list.
  - Select Other and enter the log server's name manually.
  Click OK when you're done.
4. SSH only: To edit SSH definitions, Edit SSH definitions.
  
  In the Check Point Log Server SSH Setup dialog, do the following:
  - Specify whether this log server is part of a Multi-domain log module (MLM/CLM) or a Stand-alone log server.
  - Populate the fields as needed. For details, see Log Server fields.
5. OPSEC only: To test OPSEC connectivity to the defined log server, click Test OPSEC connectivity.
  
  A message informs you whether AFA connected to the log server successfully.
6. Click OK.
Close ⌃
Optional: Enable AFA to generate baseline compliance reports and/or allow dynamic routing collection for all managed devices
Do the following:
1. In the Direct access to managed devices area, click .
2. The Direct Access Configuration dialog box appears.
3. Complete the fields as needed. For details, see Baseline Configuration Compliance fields
  
  Note: Specifying this information for a device triggers a direct SSH connection to the device.
4. Click OK.
Close ⌃
Complete the remaining fields as needed. For details, see Additional Check Point options.
Click Finish.

The new device is added to the device tree.

Set user permissions

If you selected Set user permissions, the Edit users dialog box appears.

In the list of users displayed, select one or more users to provide access to reports for this account. To select multiple users, press the CTRL button while selecting.

Click OK to close the dialog.

Add a Check Point SmartCenter/Gateway

Check Point products are based on a distributed architecture, where a typical Check Point deployment is composed of a Filter Module or device and the SmartCenter Server.

A standalone deployment is the simplest deployment where the SmartCenter Server and the Filter Module are installed on the same machine.
A distributed deployment is a more complex deployment where the Filter Module and the SmartCenter Server are deployed on different machines.

AFA provides an analysis of the Filter Module's security policy via a secure connection to the SmartCenter server.

Do the following:

Access the DEVICES SETUP page. For details, see Access the DEVICES SETUP page.
In the vendor and device selection page, select Check Point > Security Management (SmartCenter).

Configure the fields and options on the page as needed. For details, see Check Point fields and options.

Note: If you select to enable ActiveChange, the ActiveChange License Agreement appears. Select the I agree checkbox, and then click OK.
Click Next.

The Check Point - Security Management (SmartCenter) - Step 2/2 page appears, displaying a table that lists all the devices that are managed by the Check Point SmartCenter/Gateway, including standalone devices and virtual systems.
Optional: Configure AFA to use logs created by a managed device or virtual system.
Tip: This enables AFA to detect certain policy optimization information, such as unused rules. For more details, see Device report pages.

Do the following:
1. In the Add Device column, select the check box next to the device's name.
2. In the Log Analysis column, select one of the following:
  - None. Disables logging.
  - Standard. Enables logging.
  - Extensive. Enables logging and the Intelligent Policy Tuner. For more details, see Intelligent Policy Tuner.
3. In the Log Server column, click Settings. Then, do one of the following:
  - Select the log server you want to use from the drop-down list.
  - Select Other and enter the log server's name manually.
  Click OK when you're done.
4. SSH only: To edit SSH definitions, Edit SSH definitions.
  
  In the Check Point Log Server SSH Setup dialog, do the following:
  - Specify whether this log server is part of a Multi-domain log module (MLM/CLM) or a Stand-alone log server.
  - Populate the fields as needed. For details, see Log Server fields.
5. OPSEC only: To test OPSEC connectivity to the defined log server, click Test OPSEC connectivity.
  
  A message informs you whether AFA connected to the log server successfully.
6. Click OK.
Close ⌃
Optional: Enable generation of baseline compliance reports and/or allow dynamic routing collection for all managed devices.

To do so, in the Direct access to managed devices area, click Configure.

The Direct Access Configuration dialog box appears.

Complete the fields as needed, and click OK. For details, see Baseline Configuration Compliance fields.

Note: Specifying this information for a device triggers a direct SSH connection to the device.

Close ⌃
Complete the remaining fields using the information in Check Point Options Fields (see Additional Check Point options).
Click Finish.

The new device is added to the device tree.

Set user permissions

If you selected Set user permissions, the Edit users dialog box appears.

In the list of users displayed, select one or more users to provide access to reports for this account. To select multiple users, press the CTRL button while selecting.

Click OK to close the dialog.

Add a Check Point CMA

You can add single Customer Management Add-ons (CMAs) using the following procedure.

Tip:

Add multiple CMAs at once by adding a Check Point MDSM. For details, see Add Check Point devices.

Do the following:

Access the DEVICES SETUP page. For details, see Access the DEVICES SETUP page.
In the vendor and device selection page, select Check Point > Single CMA.

Configure the fields and options on the page as needed. For details, see Check Point fields and options.

Note: If you select to enable ActiveChange, the ActiveChange License Agreement appears. Select the I agree checkbox, and then click OK.
Click Next.

The Check Point - Single CMA - Step 2/2 page appears, displaying a table that lists all the devices that are managed by the Check Point CMA, including standalone devices and virtual systems.
Optional: Configure AFA to use logs created by a managed device or virtual system.
Tip: This enables AFA to detect certain policy optimization information, such as unused rules. For more details, see Device report pages.

Do the following:
1. In the Add Device column, select the check box next to the device's name.
2. In the Log Analysis column, select one of the following:
  - None. Disables logging.
  - Standard. Enables logging.
  - Extensive. Enables logging and the Intelligent Policy Tuner. For more details, see Intelligent Policy Tuner.
3. In the Log Server column, click Settings. Then, do one of the following:
  - Select the log server you want to use from the drop-down list.
  - Select Other and enter the log server's name manually.
  Click OK when you're done.
4. SSH only: To edit SSH definitions, Edit SSH definitions.
  
  In the Check Point Log Server SSH Setup dialog, do the following:
  - Specify whether this log server is part of a Multi-domain log module (MLM/CLM) or a Stand-alone log server.
  - Populate the fields as needed. For details, see Log Server fields.
5. OPSEC only: To test OPSEC connectivity to the defined log server, click Test OPSEC connectivity.
  
  A message informs you whether AFA connected to the log server successfully.
6. Click OK.
Close ⌃
Optional: Enable generation of baseline compliance reports and/or allow dynamic routing collection for all managed devices.

To do so, in the Direct access to managed devices area, click Configure.

The Direct Access Configuration dialog box appears.

Complete the fields as needed, and click OK. For details, see Baseline Configuration Compliance fields.

Note: Specifying this information for a device triggers a direct SSH connection to the device.

Close ⌃
Complete the remaining fields using the information in Check Point Options Fields (see Additional Check Point options).
Click Finish. The new device is added to the device tree.
If you selected Set user permissions, the Edit users dialog box appears.

In the list of users displayed, select one or more users to provide access to reports for this account.

To select multiple users, press the CTRL button while selecting.

Click OK to close the dialog.

A success message appears to confirm that the device is added.

Check Point fields and options

Check Point devices include the following types of fields and options:

Access Information

Log Server fields

Baseline Configuration Compliance fields

Additional Check Point options

Configure one-armed mode manually

AFA automatically identifies Check Point CloudGuard devices in one-armed mode, when the device has a single interface. If your device has multiple interfaces and one-armed mode is not identified automatically, configure this for your device manually.

Do the following:

On the AFA machine, access your device configuration meta file as follows:

/home/afa/.fa/firewalls/<device_name>/fwa.meta

where <device_name> is the name of the device listed. If you device is listed multiple times, enter the longer name.
On a new line, enter:

is_steering_device=yes
Run an analysis on the device to update the device data in AFA.

Host	Enter the host name or IP address of the device.
R80 or higher	Select this option for devices versions R80 or higher. For R80 devices, you must configure the Management API Settings of the device to accept API calls from the IP address of the AlgoSec server. For more information, see Enabling REST Calls to the Security Management Server (see Enable data collection via REST).
Connect via	Specify how AFA should connect to the device, by selecting one of the following: SSH: Connect via SSH (Secure Shell protocol). This option is not available when adding a single Check Point CMA. OPSEC (NGX R60 or higher): Connect via OPSEC. Recommended. To specify a custom port, select Custom Port and enter the port number. Note: For Windows environments, only OPSEC is supported. Tip: Configure AFA to connect to the device using SSH with Public-Key authentication. To do so, select the Use public key authentication in data collection check box in the General sub-tab of the Options tab in the Administration area. For details, see Define AFA preferences.
User Name / Password	Type the user name and password to access the device. These fields only appear if you selected R80 or higher or you selected SSH in the Connect via area. For more details, see Required device permissions.
SecurePlatform	Choose this option to specify that the device is installed on a Check Point SecurePlatform operating system. You must complete the Expert Password field. This field only appears if you selected SSH in the Connect via area.
Expert Password	Type the expert password, which allows access to all the functions on the SmartCenter server required for this process. This field only appears if you selected SSH in the Connect via area.
Solaris / RedHat Linux	Choose this option to specify that the device is installed on a Solaris or RedHat Linux operating system. This field only appears if you selected SSH in the Connect via area.
User credentials above are for root user	Select this option to specify that the user name and password entered in the User Name and Password fields are the credentials for the Solaris root user. If you clear this option, you must complete the Root Password field. This field only appears if you selected SSH in the Connect via area.
Root Password	Type the root password for Solaris. This field only appears if you selected SSH in the Connect via area.
High Availability	Select this option to configure High Availability for CMAs. Important: AFA connects to the HA cluster using the active IP address, not the virtual IP address. You must configure access rules for each device in the cluster to allow this traffic. This field only appears if you selected OPSEC in the Connect via area. It is not relevant for Check Point MDSM.
Secondary Security Management (SmartCenter)	Type the secondary CMA. This field only appears if you selected OPSEC in the Connect via area. It is not relevant for Check Point MDSM.

Host (MLM)	Type the host name or IP address of the log server.
Username	Type the user name to use for SSH access to the log server.
Password	Type the password to use for SSH access to the log server.
Secure Platform	Choose this option to specify that the log server is installed on a Check Point SecurePlatform operating system. You must complete the Expert Password field.
Expert Password	Type the expert password, which allows access to all the functions on the log server required for this process.
Solaris	Choose this option to specify that the log server is installed on a Solaris operating system.
User credentials above are for root user	Select this option to specify that the user name and password entered in the Username and Password fields are the credentials for the Solaris root user. If you clear this option, you must complete the Root Password field.
Root Password	If you use a user other than "root" for accessing the Solaris OS, type the root password for Solaris.
Test Connectivity	Click this button to test connectivity to the defined log server. A message informs you whether AFA connected to the log server successfully.

Host IP	Type the IP address of the device.
User Name	Type the user name to access the device.
Password	Type the password to access the device.
Platform	Select the device's platform. This field only appears for Check Point devices.
Extra Password	Type the password to use for running OS commands on the device. This field only appears for Check Point devices.
Baseline Profile	Select the baseline compliance profile to use. The drop-down list includes all baseline compliance profiles in the system. For more information on baseline compliance profiles and instructions for adding new baseline compliance profiles, see Customizing Baseline Configuration Compliance Profiles (see Customize baseline configuration profiles). To disable Baseline Compliance Report generation for this device, select None.
Test Connectivity	Click this button to test connectivity to the defined device. A message informs you whether AFA connected to the device successfully.

Real-time change monitoring	Select to enable real-time alerting upon configuration changes. For more details, see Configure real-time monitoring.
Set user permissions	Select to set user permissions for this device
Collect audit logs from CLM	Select to collect audit logs from a CLM. Note: When this option is enabled, all modules must be configured to collect logs from the same CLM.
Log collection frequency	Enter the interval of time in minutes, at which AFA should collect logs for the Check Point device.

Add Check Point devices

Check Point network connections

Check Point device permissions

Add a Check Point Multi-Domain Security Management device

Set user permissions

Add a Check Point SmartCenter/Gateway

Set user permissions

Add a Check Point CMA

Check Point fields and options

Configure one-armed mode manually

Sorry about that

Want to tell us more?

Great!