Enable data collection for Check Point devices

In order for AFA to collect data from a Check Point MDSM via OPSEC, a global certificate needs to be created for authentication and security purposes. The certificate is created using Check Point's SmartConsole for the PV-1.

Do the following:

1. Connect to the SmartConsole, selecting the MDS domain.

2. Right-click Global and select Connect to Domain.

   

3. Create a network object for the host that will run AFA

   Note: If a network object for the host is already defined, you can skip this step.

   Do the following:

   1. Click New, and then Host.

      

      The New Host window appears.

      

   2. Complete the Object Name and IPv4 Address fields with the name and address of the host that will run AFA.
   3. Click OK.

4. Create an OPSEC application object for this network object.

   Note: If an OPSEC application object is already defined, you can skip this step.

   Do the following:

   1. In the Object Categories, under Servers, select OPSEC Applications > Application.

      

      The OPSEC Application Properties dialog is displayed.

      

   2. In the OPSEC Application Properties dialog, define the following:

      Name	Enter the OPSEC application name. Note: Record the name you entered here. You'll need to specify this name in AFA when you retrieve the certificate.
      Host	Select the host to run AFA.
      Vendor	Choose User defined. (Do not choose AlgoSec)
      Object Entities	Select the LEA and CPMI items.

      The LEA Permissions and CPMI Permissions tabs appear.

   3. In the CPMI Permissions tab, select Permissions Profile, and then do one of the following:

      

      Important: Do not select Administrator's credentials.

      • Select the super profile in the list, or any other profile with the required minimum permissions.

      • Create a new permission profile. To do this, click New. In the Permissions Profile Properties dialog, enter a name for your new profile and select the required permissions.

        Minimum permissions required are Read Only All access. If you're using ActiveChange, you must have Read/Write All access.

      For example:

      

   4. In the LEA Permissions tab, select According to Permissions Profile, and then do one of the following:

      • Select the super profile in the list, or any other profile with the required minimum permissions.
      • Create a new permission profile. To do this, click New. In the Permissions Profile Properties dialog, enter a name for your new profile and select the required permissions.

      Minimum permissions required are Read Only All access.

   5. Click OK. The General tab appears again, with additional options.

5. Create your certificate. Do the following:

   1. Click Communication.

   2. In the Communication dialog that appears, enter a one-time password , and then enter it again to confirm.

      Note: Record the password you entered here. You'll need to specify this name in AFA when you retrieve the certificate.

   3. Click Initialize.

      The Trust state will change from Uninitialized to Initialized but trust not established. After the certificate is retrieved by AFA, the trust state will change to Trusted.

   Tip: Create a new certificate if needed by clicking Reset and repeating this step.

6. At the top of the screen, click Publish.
7. Connect to the MDS (PV-1) console, and select Global Assignments.

8. Right-click Global and select Reassign on Domains.

   

   Continue with Enable data collection via OPSEC.

In order for AFA to collect data from a Check Point CMA or SMC via OPSEC, a local certificate needs to be created for authentication and security purposes. The certificate is created using Check Point's SmartConsole for the CMA/SMC.

Do the following:

1. Connect to the SmartConsole.

2. Create a network object for the host that will run AFA.

   Note: If a network object for the host is already defined, you can skip this step.

   Do the following:

   1. In the right pane, click the New button and select Host.

      

   2. In the New Host dialog, enter the Name and IP address of the host that will run AFA, and click OK.

      

3. Create an OPSEC application object for this network object.

   Note: If an OPSEC application object is already defined, you can skip this step.

   Do the following:

   1. Click the icon at the top left of the screen and select:

      New object > More object types > Server > OPSEC Application > New Application.

      

   2. In the OPSEC Application Properties dialog, define the following:

      Name	Enter the OPSEC application name. Note: Record the name you entered here. You'll need to specify this name in AFA when you retrieve the certificate.
      Host	Select the host to run AFA.
      Vendor	Choose User defined. (Do not choose AlgoSec)
      Object Entities	Select the LEA and CPMI items.

   3. In the CPMI Permissions tab, select Permissions Profile, and then do one of the following:

      

      Important: Do not select Administrator's credentials.

      • Select the super profile in the list, or any other profile with the required minimum permissions.
      • Create a new permission profile. To do this, click New. In the Permissions Profile Properties dialog, enter a name for your new profile and select the required permissions.

      Minimum permissions required are Read Only All access. If you're using ActiveChange, you must have Read/Write All access.

      For example:

      

   4. In the LEA Permissions tab, select According to Permissions Profile, and then do one of the following:

      • Select the super profile in the list, or any other profile with the required minimum permissions.
      • Create a new permission profile. To do this, click New. In the Permissions Profile Properties dialog, enter a name for your new profile and select the required permissions.

      Minimum permissions required are Read Only All access.

   5. Click OK. The General tab appears again, with additional options.

4. Create your certificate. Do the following:

   1. Click Communication.

   2. In the Communication dialog that appears, enter a one-time password , and then enter it again to confirm.

      Note: Record the password you entered here. You'll need to specify this name in AFA when you retrieve the certificate.

   3. Click Initialize.

      The Trust state will change from Uninitialized to Initialized but trust not established. After the certificate is retrieved by AFA, the trust state will change to Trusted.

   Tip: Create a new certificate if needed by clicking Reset and repeating this step.

5. Reinstall the Check Point database on all existing log servers, including CLMs or external log servers.

   Do the following:

   1. At the top of the screen, click Publish.
   2. At the top left, click the icon, and select Install database.
   3. In the Install database dialog, verify that your CMA is selected, and click Install.

Continue with Enable data collection via OPSEC above.

In order to collect the policy and routing table from a Check Point FireWall-1 module, AFA can use the OPSEC API. In order for this to happen a certificate needs to be created for authentication and security purposes.

The certificate is created on the SmartCenter server, using Check Point's SmartDashboard utility, or on the MDSM server, using Check Point's Global SmartDashboard utility.

Do the following:

1. Create a network object for the host.

   Note: If a network object for the host running AFA is already defined, you can skip this step.

   Do the following:

   1. In the main SmartDashboard menu panel, select Manage > Network Objects.

      

   2. Click New > Node > Host.

      

   3. In the Host Node dialog, enter the Name and IP address of the host that will run AFA, and then click OK.

2. Create an OPSEC application object for this network object.

   Note: If an OPSEC application object is already defined, you can skip this step.

   Do the following:

   1. In the SmartDashboard main menu, select Manage and then Servers and OPSEC Applications.

      

   2. In the Servers and OPSEC Applications dialog box, click New > OPSEC Application.

      

   3. In the OPSEC Application Properties dialog, define the following:

      Name	Enter the OPSEC application name. Note: Record the name you entered here. You'll need to specify this name in AFA when you retrieve the certificate.
      Host	Select the host to run AFA.
      Vendor	Choose User defined. (Do not choose AlgoSec)
      Object Entities	Select the LEA and CPMI items.

   4. In the CPMI Permissions tab, select Permissions Profile, and then do one of the following:

      

      Important: Do not select Administrator's credentials.

      • Select the super profile in the list, or any other profile with the required minimum permissions.
      • Create a new permission profile. To do this, click New. In the Permissions Profile Properties dialog, enter a name for your new profile and select the required permissions.

      Minimum permissions required are Read Only All access. If you're using ActiveChange, you must have Read/Write All access.

      For example:

      

   5. For Check Point version R76 or above, in the LEA Permissions tab, select According to Permissions Profile.

      Then do one of the following:

      • Select the super profile in the list, or any other profile with the required minimum permissions.
      • Create a new permission profile. To do this, click New. In the Permissions Profile Properties dialog, enter a name for your new profile and select the required permissions.

      Minimum permissions required are Read Only All access.

   6. Click OK. The General tab appears again, with additional options.

3. Create your certificate. Do the following:

   1. Click Communication.

   2. In the Communication dialog that appears, enter a one-time activation key, and then enter it again to confirm.

      Note: Record the key you entered here. You'll need to specify this name in AFA when you retrieve the certificate.

   3. Click Initialize.

      The Trust state will change from Uninitialized to Initialized but trust not established. After the certificate is retrieved by AFA, the trust state will change to Trusted.

   Tip: Create a new certificate if needed by clicking Reset and repeating this step.

4. Reinstall the Check Point database on all existing log servers, including CLMs or external log servers. Click Save, and then selecting Policy and Install Database from the main menu.

Continue with Enable data collection via OPSEC above.