Add Check Point devices

Relevant for: AFA Administrators

This topic describes how to add Check Point MDSM, SmartCenter / Gateway, or CMA devices, as well as fields and options shared by all of these device types.

Note: You must also perform procedures on your devices, depending on how you connect to the device from AFA. For details, see Enable data collection for Check Point devices.

Tip: Watch a training video on how AFA can collect data from a few Check Point devices. See Defining security devices in Firewall Analyzer on the AlgoSec portal.

Check Point network connections

The following diagrams show an ASMS Central Manager or Remote Agent connecting to a Check Point MDSM, CMA, or SmartCenter device, and to a Check Point Gateway. Check Point versions R80 and higher have an additional connection via HTTP-REST.

Note: If your CLM/MLM log servers reside on separate hosts, you'll need to connect to these separately from ASMS.

Check Point device permissions

AFA can collect data or logs via SSH or OPSEC. For Check Point versions R80 and higher, you must also define data collection via REST.

ASMS requires the following permissions for each type of connection to your Check Point devices:

Add a Check Point Multi-Domain Security Management device

Check Point Multi-Domain Security Management (MDSM) integrates multiple 'firewalled' networks within a single administrative framework. These devices consolidate multiple SmartCenter Servers, referred to as Customer Management Add-ons (CMAs), on a single host.

AFA analyzes the Filter Module security policy via a secure connection to the MDSM server.

Note: Multi-Domain Security Management, or MDSM, refers to both MDSM and Provider-1 devices.

Do the following:

  1. Access the DEVICES SETUP page. For details, see Access the DEVICES SETUP page.

  2. In the vendor and device selection page, select Check Point > Multi Domain Security Management (Provider-1).

    Configure the fields and options on the page as needed. For details, see Access Information and Geographic Distribution.

  3. Click Next.

    The fields on the Check Point - Multi-Domain Security Management (Provider-1) - Step 2/3 page differ, depending on whether you selected to connect to the device via SSH or OPSEC.

  4. Click Next.

    The Check Point - Multi-Domain Security Management (Provider-1) - Step 3/3 page appears.

    This page displays a table listing all the devices that are managed by the Check Point MDSM, including standalone devices and virtual systems.

  5. In the Options area, complete the remaining fields as needed. For details, see Additional Check Point options.

  6. Click Finish.

  7. If you selected Set user permissions in the Options area, the Edit users dialog box appears.

    In the list of users displayed, select one or more users who will have access to this new device and its reports. To select multiple users, hold down the CTRL key while selecting.

    Click OK to close the dialog.

A success message appears to confirm that the device is added.

Add a Check Point SmartCenter/Gateway

Check Point products are based on a distributed architecture, where a typical Check Point deployment is composed of a Filter Module or device and the SmartCenter Server.

  • A standalone deployment is the simplest deployment where the SmartCenter Server and the Filter Module are installed on the same machine.
  • A distributed deployment is a more complex deployment where the Filter Module and the SmartCenter Server are deployed on different machines.

AFA provides an analysis of the Filter Module's security policy via a secure connection to the SmartCenter server.

Do the following:

  1. Access the DEVICES SETUP page. For details, see Access the DEVICES SETUP page.

  2. In the vendor and device selection page, select Check Point > Security Management (SmartCenter).

    Configure the fields and options on the page as needed. For details, see Access Information and Geographic Distribution.

  3. Click Next.

    The Check Point - Security Management (SmartCenter) - Step 2/2 page appears, displaying a table that lists all the devices that are managed by the Check Point SmartCenter/Gateway, including standalone devices and virtual systems.

  4. In the Options area, complete the remaining fields as needed. For details, see Additional Check Point options.

  5. Click Finish.

  6. If you selected Set user permissions in the Options area, the Edit users dialog box appears.

    In the list of users displayed, select one or more users who will have access to this new device and its reports. To select multiple users, hold down the CTRL key while selecting.

    Click OK to close the dialog.

A success message appears to confirm that the device is added.

Add a Check Point CMA

You can add single Customer Management Add-ons (CMAs) using the following procedure.

Do the following:

  1. Access the DEVICES SETUP page. For details, see Access the DEVICES SETUP page.

  2. In the vendor and device selection page, select Check Point > Single CMA.

    Configure the fields and options on the page as needed. For details, see Access Information and Geographic Distribution.

  3. Click Next.

    The Check Point - Single CMA - Step 2/2 page appears, displaying a table that lists all the devices that are managed by the Check Point CMA, including standalone devices and virtual systems.

  4. In the Options area, complete the remaining fields as needed. For details, see Additional Check Point options.

  5. Click Finish.

  6. If you selected Set user permissions in the Options area, the Edit users dialog box appears.

    In the list of users displayed, select one or more users who will have access to this new device and its reports. To select multiple users, hold down the CTRL key while selecting.

    Click OK to close the dialog.

A success message appears to confirm that the device is added.

Check Point fields and options

Check Point devices include the following types of fields and options:

Configure one-armed mode manually

AFA automatically identifies Check Point CloudGuard devices in one-armed mode when the device has a single interface. If your device has multiple interfaces and one-armed mode is not identified automatically, configure it for your device manually.

Do the following:

  1. On the AFA machine, open the device's configuration meta file:

    /home/afa/.fa/firewalls/<device_name>/fwa.meta

    where <device_name> is the name of the device as listed. If your device is listed multiple times, use the longer name.

  2. On a new line, enter:

    is_steering_device=yes

  3. Run an analysis on the device to update the device data in AFA.
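The edit in steps 1 and 2 can be scripted so that it is repeatable and does not leave a duplicate key behind. The following is an added example, not AlgoSec's own tooling; the function names and the backup file suffix are assumptions, and the meta file path is the one given above.

```shell
#!/bin/sh
# Added example: idempotently set is_steering_device=yes in a device's fwa.meta.
# Usage: set_steering_device /home/afa/.fa/firewalls/<device_name>/fwa.meta
set_steering_device() {
    meta="$1"
    [ -f "$meta" ] || { echo "no such meta file: $meta" >&2; return 1; }
    # Keep a copy of the file before changing it (suffix is an assumption).
    cp "$meta" "$meta.bak"
    if grep -q '^is_steering_device=' "$meta"; then
        # Key already present: set it to yes instead of adding a second line.
        sed 's/^is_steering_device=.*/is_steering_device=yes/' "$meta" > "$meta.tmp" \
            && mv "$meta.tmp" "$meta"
    else
        # Make sure the file ends with a newline, then append the key on a new line.
        [ -z "$(tail -c 1 "$meta")" ] || printf '\n' >> "$meta"
        printf 'is_steering_device=yes\n' >> "$meta"
    fi
}

# Returns 0 when exactly one is_steering_device=yes line is present.
steering_is_set() {
    [ "$(grep -c '^is_steering_device=yes$' "$1")" -eq 1 ]
}
```

After the change, run an analysis on the device (step 3) so AFA picks up the new setting.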