This section describes how to ensure that the IBM® Security QRadar® Check Point FireWall-1 DSMs accept FireWall-1 events with syslog.

Before you configure IBM Security QRadar to integrate with a Check Point FireWall-1 device, you must take the following steps:

Important: If Check Point SmartCenter is installed on Microsoft Windows, you must integrate Check Point with QRadar by using OPSEC.
  1. Type the following command to access the Check Point console as an expert user:

    expert

    A password prompt appears.

  2. Type your expert console password. Press the Enter key.
  3. Open the following file:

    /etc/rc.d/rc3.d/S99local

  4. Add the following lines:

    $FWDIR/bin/fw log -ftn | /usr/bin/logger -p <facility>.<priority> > /dev/null 2>&1 &

    Where:

    • <facility> is a syslog facility, for example, local3.
    • <priority> is a syslog priority, for example, info.

    For example:

    $FWDIR/bin/fw log -ftn | /usr/bin/logger -p local3.info > /dev/null 2>&1 &

  5. Save and close the file.
  6. Open the syslog.conf file.
  7. Add the following line:

    <facility>.<priority> <TAB><TAB>@<host>

    Where:

    • <facility> is the syslog facility, for example, local3. This value must match the value that you typed in Step 4.
    • <priority> is the syslog priority, for example, info or notice. This value must match the value that you typed in Step 4.

    <TAB> indicates you must press the Tab key.

    <host> indicates the QRadar Console or managed host.

  8. Save and close the file.
  9. Enter the following command to restart syslog:
    • In Linux: service syslog restart
    • In Solaris: /etc/init.d/syslog start
  10. Enter the following command:

    nohup $FWDIR/bin/fw log -ftn | /usr/bin/logger -p <facility>.<priority> > /dev/null 2>&1 &

    Where:

    • <facility> is a Syslog facility, for example, local3. This value must match the value that you typed in Step 4.
    • <priority> is a Syslog priority, for example, info. This value must match the value that you typed in Step 4.
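
The following script is an added example; it is not part of the IBM documentation and not a Check Point or QRadar tool. It generates the two lines that steps 4 and 7 ask you to add (the `fw log | logger` pipeline for S99local and the syslog.conf forwarding selector), validates the facility and priority against the standard syslog names, and checks that the `<facility>.<priority>` pair in an existing S99local line matches the one in syslog.conf, which is the requirement that steps 7 and 10 repeat. The host 192.0.2.10 and the sample file contents are constructed values, and `$FWDIR` is left literal so the line can be pasted into the startup script as-is.

```shell
#!/bin/sh
# Added example (not IBM or Check Point code): build and cross-check the
# Check Point FireWall-1 -> syslog -> QRadar forwarding configuration.

# Facility and priority names accepted by logger(1) and syslog.conf.
FACILITIES="auth authpriv cron daemon kern lpr mail news syslog user uucp local0 local1 local2 local3 local4 local5 local6 local7"
PRIORITIES="emerg alert crit err warning notice info debug"

# in_list WORD LIST: succeed if WORD is one of the space-separated LIST entries.
in_list() {
    needle="$1"; shift
    for item in $1; do
        [ "$item" = "$needle" ] && return 0
    done
    return 1
}

# fw_log_line FACILITY PRIORITY: print the S99local line from step 4.
fw_log_line() {
    in_list "$1" "$FACILITIES" || { echo "invalid facility: $1" >&2; return 1; }
    in_list "$2" "$PRIORITIES" || { echo "invalid priority: $2" >&2; return 1; }
    printf '$FWDIR/bin/fw log -ftn | /usr/bin/logger -p %s.%s > /dev/null 2>&1 &\n' "$1" "$2"
}

# syslog_conf_line FACILITY PRIORITY HOST: print the syslog.conf selector
# from step 7 (two tabs between selector and the @host target).
syslog_conf_line() {
    in_list "$1" "$FACILITIES" || { echo "invalid facility: $1" >&2; return 1; }
    in_list "$2" "$PRIORITIES" || { echo "invalid priority: $2" >&2; return 1; }
    printf '%s.%s\t\t@%s\n' "$1" "$2" "$3"
}

# logger_selector LINE: extract the facility.priority passed to logger -p.
logger_selector() {
    printf '%s\n' "$1" | awk '{ for (i = 1; i < NF; i++) if ($i == "-p") print $(i + 1) }'
}

# remote_selector CONF: extract the selector of the syslog.conf line that
# forwards to a remote host (target begins with @).
remote_selector() {
    printf '%s\n' "$1" | awk '$2 ~ /^@/ { print $1 }'
}

# config_consistent S99LOCAL_LINE SYSLOG_CONF: succeed only when both files
# use the same facility.priority, as steps 7 and 10 require.
config_consistent() {
    [ -n "$(logger_selector "$1")" ] &&
    [ "$(logger_selector "$1")" = "$(remote_selector "$2")" ]
}

# Constructed sample of what steps 4 and 7 leave on disk.
SAMPLE_S99LOCAL='$FWDIR/bin/fw log -ftn | /usr/bin/logger -p local3.info > /dev/null 2>&1 &'
SAMPLE_SYSLOG_CONF='*.info;mail.none	/var/log/messages
local3.info		@192.0.2.10'

# Stand-alone run: print the generated lines and the consistency verdict.
fw_log_line local3 info
syslog_conf_line local3 info 192.0.2.10
if config_consistent "$SAMPLE_S99LOCAL" "$SAMPLE_SYSLOG_CONF"; then
    echo "S99local and syslog.conf agree on $(logger_selector "$SAMPLE_S99LOCAL")"
else
    echo "facility.priority mismatch between S99local and syslog.conf" >&2
fi
```

Run it on the real files with `config_consistent "$(grep logger /etc/rc.d/rc3.d/S99local)" "$(cat /etc/syslog.conf)"` after completing the steps; a non-zero exit means the events will be logged locally but never reach the selector that forwards them to QRadar, which is the usual reason the log source is not auto-discovered.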

The configuration is complete. QRadar automatically discovers the Check Point FireWall-1 syslog events and adds the log source. Events that are forwarded to QRadar are displayed on the Log Activity tab.
