In order for AFA to collect data from a Check Point device, you must configure certain settings on the device itself. AFA collects data from Check Point devices using either SSH or OPSEC; for Check Point R80 and above, AFA also collects data via REST, in addition to SSH or OPSEC. Complete the data collection requirements for every method you use.
Note: In addition to the requirements listed below, ensure that the user AFA uses to access the device has the required permissions. The minimum permission required is Read Only All; when the device is using ActiveChange, the minimum is Read Write All. For more details, see Required device permissions.
This procedure describes how to enable AFA to process Check Point application control traffic logs.
AFA can collect logs from a Check Point device via SSH, but the Check Point device needs special configuration first. Application control traffic logs include the app_rule_id field, which is masked by default for the SSH log collection user specified when adding the device to AFA. As a result, AFA cannot process application control logs collected via SSH, nor use them to populate the Application Control Rules Cleanup area of the device report's Policy Optimization page.
To enable AFA to process application control traffic logs, modify the permissions of the app_rule_id field on the Check Point device, as described in the following procedure.
Note: For R80 and above, AFA collects data via REST (along with either SSH or OPSEC). For more details, see Enable data collection via REST.
Do the following:
Run GuiDBedit.exe, and connect to the Check Point device's management station.
GuiDBedit.exe is typically located at C:\Program Files (x86)\CheckPoint\SmartConsole\RXX\PROGRAM, where RXX is the version number.
In the left pane, navigate to Other > log_fields.
In the right pane, click on app_rule_id.
The bottom pane displays the attributes defined for app_rule_id.
In the bottom pane, double-click on the permissions field.
The Edit dialog is displayed.
In the Value field, change the value from 2 to 0.
Note: The permission is set on the field definition, not on the AFA user, so app_rule_id becomes visible to every account that reads logs from this management station.
Click OK.
Save your changes and exit the program.
If the device sends its traffic logs to a log server other than the management station (for example, a CLM or external log server), do the following:
Connect to the Check Point device's management station via SmartDashboard.
Re-install the Check Point database on the log server by selecting Policy > Install Database from the main menu.
Exit the program.
Enable data collection via OPSEC
This procedure describes how to specify a certificate for OPSEC access to a Check Point device. It is performed in the Check Point - Multi-Domain Security Management (Provider-1) - Step 1/3 page or the Check Point - SmartCenter or CMA - Step 1/2 page, after selecting OPSEC as the connection method.
Do the following:
Create a certificate for your device. For more details, see the procedure below that matches your deployment: an MDSM global certificate, a CMA/SMC local certificate, or a certificate created with SmartDashboard.
In order for AFA to collect data from a Check Point MDSM via OPSEC, a global certificate must be created for authentication. The certificate is created using Check Point's SmartConsole for the PV-1.
Do the following:
Connect to the SmartConsole, selecting the MDS domain.
Right-click Global and select Connect to Domain.
Create a network object for the host that will run AFA.
Note: If a network object for the host is already defined, you can skip this step.
Do the following:
Click New, and then Host.
The New Host window appears.
Complete the Object Name and IPv4 Address fields with the name and address of the host that will run AFA.
Click OK.
Create an OPSEC application object for this network object.
Note: If an OPSEC application object is already defined, you can skip this step.
Do the following:
In the Object Categories, under Servers, select OPSEC Applications > Application.
The OPSEC Application Properties dialog is displayed.
In the OPSEC Application Properties dialog, define the following:
Name
Enter the OPSEC application name.
Note: Record the name you entered here. You'll need to specify this name in AFA when you retrieve the certificate.
Host
Select the host to run AFA.
Vendor
Choose User defined (do not choose AlgoSec).
Object Entities
Select the LEA and CPMI items.
The LEA Permissions and CPMI Permissions tabs appear.
In the CPMI Permissions tab, select Permissions Profile, and then do one of the following:
Important: Do not select Administrator's credentials.
Select the super profile in the list, or any other profile with the required minimum permissions.
Create a new permission profile. To do this, click New. In the Permissions Profile Properties dialog, enter a name for your new profile and select the required permissions.
Minimum permissions required are Read Only All access. If you're using ActiveChange, you must have Read/Write All access.
In the LEA Permissions tab, select According to Permissions Profile, and then do one of the following:
Select the super profile in the list, or any other profile with the required minimum permissions.
Create a new permission profile. To do this, click New. In the Permissions Profile Properties dialog, enter a name for your new profile and select the required permissions.
Minimum permissions required are Read Only All access.
Click OK. The General tab appears again, with additional options.
Create your certificate. Do the following:
Click Communication.
In the Communication dialog that appears, enter a one-time password, and then enter it again to confirm.
Note: Record the password you entered here. You'll need to specify this password in AFA when you retrieve the certificate.
Click Initialize.
The Trust state will change from Uninitialized to Initialized but trust not established. After the certificate is retrieved by AFA, the trust state will change to Trusted.
Tip: Create a new certificate if needed by clicking Reset and repeating this step.
At the top of the screen, click Publish.
Connect to the MDS (PV-1) console, and select Global Assignments.
Right-click Global and select Reassign on Domains.
In order for AFA to collect data from a Check Point CMA or SMC via OPSEC, a local certificate must be created for authentication. The certificate is created using Check Point's SmartConsole for the CMA/SMC.
Do the following:
Connect to the SmartConsole.
Create a network object for the host that will run AFA.
Note: If a network object for the host is already defined, you can skip this step.
Do the following:
In the right pane, click the New button and select Host.
In the New Host dialog, enter the Name and IP address of the host that will run AFA, and click OK.
Create an OPSEC application object for this network object.
Note: If an OPSEC application object is already defined, you can skip this step.
Do the following:
Click the icon at the top left of the screen and select:
New object > More object types > Server > OPSEC Application > New Application.
In the OPSEC Application Properties dialog, define the following:
Name
Enter the OPSEC application name.
Note: Record the name you entered here. You'll need to specify this name in AFA when you retrieve the certificate.
Host
Select the host to run AFA.
Vendor
Choose User defined (do not choose AlgoSec).
Object Entities
Select the LEA and CPMI items.
In the CPMI Permissions tab, select Permissions Profile, and then do one of the following:
Important: Do not select Administrator's credentials.
Select the super profile in the list, or any other profile with the required minimum permissions.
Create a new permission profile. To do this, click New. In the Permissions Profile Properties dialog, enter a name for your new profile and select the required permissions.
Minimum permissions required are Read Only All access. If you're using ActiveChange, you must have Read/Write All access.
In the LEA Permissions tab, select According to Permissions Profile, and then do one of the following:
Select the super profile in the list, or any other profile with the required minimum permissions.
Create a new permission profile. To do this, click New. In the Permissions Profile Properties dialog, enter a name for your new profile and select the required permissions.
Minimum permissions required are Read Only All access.
Click OK. The General tab appears again, with additional options.
Create your certificate. Do the following:
Click Communication.
In the Communication dialog that appears, enter a one-time password, and then enter it again to confirm.
Note: Record the password you entered here. You'll need to specify this password in AFA when you retrieve the certificate.
Click Initialize.
The Trust state will change from Uninitialized to Initialized but trust not established. After the certificate is retrieved by AFA, the trust state will change to Trusted.
Tip: Create a new certificate if needed by clicking Reset and repeating this step.
Reinstall the Check Point database on all existing log servers, including CLMs or external log servers.
Do the following:
At the top of the screen, click Publish.
At the top left, click the icon, and select Install database.
In the Install database dialog, verify that your CMA is selected, and click Install.
To collect the policy and routing table from a Check Point FireWall-1 module, AFA can use the OPSEC API. For this to work, a certificate must be created for authentication.
The certificate is created on the SmartCenter server, using Check Point's SmartDashboard utility, or on the MDSM server, using Check Point's Global SmartDashboard utility.
Do the following:
Create a network object for the host.
Note: If a network object for the host running AFA is already defined, you can skip this step.
Do the following:
In the main SmartDashboard menu panel, select Manage > Network Objects.
Click New > Node > Host.
In the Host Node dialog, enter the Name and IP address of the host that will run AFA, and then click OK.
Create an OPSEC application object for this network object.
Note: If an OPSEC application object is already defined, you can skip this step.
Do the following:
In the SmartDashboard main menu, select Manage and then Servers and OPSEC Applications.
In the Servers and OPSEC Applications dialog box, click New > OPSEC Application.
In the OPSEC Application Properties dialog, define the following:
Name
Enter the OPSEC application name.
Note: Record the name you entered here. You'll need to specify this name in AFA when you retrieve the certificate.
Host
Select the host to run AFA.
Vendor
Choose User defined (do not choose AlgoSec).
Object Entities
Select the LEA and CPMI items.
In the CPMI Permissions tab, select Permissions Profile, and then do one of the following:
Important: Do not select Administrator's credentials.
Select the super profile in the list, or any other profile with the required minimum permissions.
Create a new permission profile. To do this, click New. In the Permissions Profile Properties dialog, enter a name for your new profile and select the required permissions.
Minimum permissions required are Read Only All access. If you're using ActiveChange, you must have Read/Write All access.
For Check Point version R76 or above, in the LEA Permissions tab, select According to Permissions Profile.
Then do one of the following:
Select the super profile in the list, or any other profile with the required minimum permissions.
Create a new permission profile. To do this, click New. In the Permissions Profile Properties dialog, enter a name for your new profile and select the required permissions.
Minimum permissions required are Read Only All access.
Click OK. The General tab appears again, with additional options.
Create your certificate. Do the following:
Click Communication.
In the Communication dialog that appears, enter a one-time activation key, and then enter it again to confirm.
Note: Record the key you entered here. You'll need to specify this key in AFA when you retrieve the certificate.
Click Initialize.
The Trust state will change from Uninitialized to Initialized but trust not established. After the certificate is retrieved by AFA, the trust state will change to Trusted.
Tip: Create a new certificate if needed by clicking Reset and repeating this step.
Reinstall the Check Point database on all existing log servers, including CLMs or external log servers. Click Save, and then select Policy > Install Database from the main menu.
This procedure describes how to enable REST calls to the Security Management Server.
Note: For versions R80 and above, AFA collects data via REST, along with either SSH or OPSEC. In addition to enabling REST, you must also enable SSH or OPSEC as needed.
In the left pane, navigate to Manage & Settings > Blades > Management API > Advanced Settings.
The Management API Settings window appears.
To automatically start the API server at Security Management Server startup, select the Automatic Start check box.
Select the IP addresses from which the API server accepts requests:
All IP addresses that can be used for GUI clients: the API server accepts scripts and web-service requests only from the devices that are allowed access to the Security Management Server as GUI clients. Make sure the AFA server is in this list.
All IP addresses: the API server accepts scripts and web-service requests from any device. This is the less restrictive option; prefer the GUI clients list and add the AFA server to it where possible.
Click OK.
In the Management API restart message that appears, click OK.
At the top, click Publish.
In the Security Management Server CLI, run the api restart command, and then exit.
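After the restart, confirm from the AFA host that the API server is up and that the AFA host's address is accepted. The following script is an added example, not code from the AFA or Check Point documentation: it logs in to the Management API, calls the read-only show-api-versions command, and logs out again, using only the Python standard library. The server URL, user name, password and CA bundle are placeholders read from environment variables; the header name X-chkp-sid and the /web_api/login, show-api-versions and logout commands are the Management API's own.

```python
# Added example, not part of the AFA or Check Point documentation: a post-configuration
# check that the Management API accepts requests from the AFA host. Uses only the
# Python standard library. Server address, user name and password are placeholders
# read from environment variables.
import json
import os
import ssl
import urllib.error
import urllib.request
from typing import Optional, Tuple

# The Management API carries the session id in this request header.
SID_HEADER = "X-chkp-sid"


def parse_login_response(body: bytes) -> str:
    """Extract the session id from a /web_api/login response.

    A failed login returns a JSON object with "code" and "message" instead of
    "sid"; surface that message rather than continuing with an empty session.
    """
    data = json.loads(body)
    sid = data.get("sid")
    if not sid:
        raise ValueError("login failed: %s" % data.get("message", "no sid in response"))
    return sid


def api_versions(body: bytes) -> Tuple[str, list]:
    """Return (current version, supported versions) from a show-api-versions response."""
    data = json.loads(body)
    return data["current-version"], list(data.get("supported-versions", []))


def make_ssl_context(cafile: Optional[str]) -> ssl.SSLContext:
    """Verify the server certificate. Pass the management server's exported
    certificate (or your CA bundle) as cafile; with None the system CA store
    is used. Verification is never disabled here."""
    return ssl.create_default_context(cafile=cafile)


def api_call(base_url: str, command: str, payload: dict,
             sid: Optional[str], ctx: ssl.SSLContext) -> Tuple[int, bytes]:
    """POST one Management API command and return (HTTP status, raw body)."""
    req = urllib.request.Request(
        "%s/web_api/%s" % (base_url.rstrip("/"), command),
        data=json.dumps(payload).encode("utf-8"),
        headers={"Content-Type": "application/json"},
        method="POST",
    )
    if sid:
        req.add_header(SID_HEADER, sid)
    try:
        with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        # 4xx/5xx responses still carry a JSON body with "code" and "message".
        return err.code, err.read()


def check_api_access(base_url: str, user: str, password: str,
                     cafile: Optional[str] = None) -> Tuple[str, list]:
    """Log in, ask for the API versions, and always log out again.

    A read-only command is enough to prove that the API server is running and
    that this host's IP address is in the accepted list.
    """
    ctx = make_ssl_context(cafile)
    status, body = api_call(base_url, "login", {"user": user, "password": password}, None, ctx)
    if status != 200:
        raise RuntimeError("login returned HTTP %d: %r" % (status, body[:200]))
    sid = parse_login_response(body)
    try:
        status, body = api_call(base_url, "show-api-versions", {}, sid, ctx)
        if status != 200:
            raise RuntimeError("show-api-versions returned HTTP %d: %r" % (status, body[:200]))
        return api_versions(body)
    finally:
        # Sessions count against the server's session limit; do not leak them.
        api_call(base_url, "logout", {}, sid, ctx)


if __name__ == "__main__":
    # Placeholders: set CP_MGMT (for example https://192.0.2.10), CP_API_USER,
    # CP_API_PASSWORD and optionally CP_CA_BUNDLE before running.
    current, supported = check_api_access(
        os.environ["CP_MGMT"], os.environ["CP_API_USER"],
        os.environ["CP_API_PASSWORD"], os.environ.get("CP_CA_BUNDLE"))
    print("Management API reachable; current version %s, supported %s" % (current, supported))
```

Run it from the AFA host with the same account AFA uses, so the check exercises both the accepted-address list and the account's permissions. A login that fails only from the AFA host, while succeeding from a SmartConsole workstation, points at the IP address setting above rather than at credentials. The password is taken from the environment rather than a command-line argument so that it does not appear in the process list or shell history.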