Integrating Check Point by using TLS Syslog

Before you can add a log source in IBM QRadar, you need to generate certificates on the QRadar Console and then copy the certificates on your Check Point device.

Procedure

  1. Using SSH, log in to your QRadar Console.
  2. Generate the root CA key by typing the following command:
    openssl genrsa -out RootCA.key 2048
  3. Generate the root CA pem by typing the following command:
    openssl req -x509 -new -nodes -key RootCA.key -days 2048 -out RootCA.pem
    Important: When prompted to provide Distinguished Name (DN) information about the certificate, you might want to use CheckpointRootCA as the Common Name value. The Common Name value can't be the same Common Name value that you use for any other certificates. All other fields are optional and can be left blank. However, if you purchase an SSL certificate from a certificate authority, you might need to configure more fields, such as Organization, to accurately reflect your organization's information.
  4. To generate the client key, type the following command:
    openssl genrsa -out log_exporter.key 2048
    Important: Do not share the client key with anyone.
  5. To generate the client certificate sign request, type the following command:
    openssl req -new -key log_exporter.key -out log_exporter.csr
    Important: When prompted to provide Distinguished Name (DN) information about the certificate, you might want to use the Check Point IP address as the Common Name value. The Common Name value can't be the same Common Name value that you use for any other certificates. All other fields are optional and can be left blank. When you type a value at the "A challenge password" prompt, do not use special characters in the password. If you purchase an SSL certificate from a certificate authority, you might need to configure more fields, such as Organization, to accurately reflect your organization's information.
  6. To sign the certificate by using the CA files, type the following command:
    openssl x509 -req -in log_exporter.csr -CA RootCA.pem -CAkey RootCA.key -CAcreateserial -out log_exporter.crt -days 2048 -sha256
  7. To convert the certificate to p12 format, type the following command:
    openssl pkcs12 -inkey log_exporter.key -in log_exporter.crt -export -out log_exporter.p12
    Important: When you type a value for the Export password field, do not use special characters for the password.
  8. Generate the server key by typing the following command:
    openssl genrsa -out syslogServer.key 2048
    Important: Do not share the server key with anyone.
  9. Generate the server certificate sign request by typing the following command:
    openssl req -new -key syslogServer.key -out syslogServer.csr
    Important: When prompted to provide Distinguished Name (DN) information about the certificate, you might want to use the QRadar IP address as the Common Name value. The Common Name value can't be the same Common Name value that you use for any other certificates. All other fields are optional and can be left blank. When you type a value at the "A challenge password" prompt, do not use special characters in the password. If you purchase an SSL certificate from a certificate authority, you might need to configure more fields, such as Organization, to accurately reflect your organization's information.
  10. To sign the certificate by using the CA files, type the following command:
    openssl x509 -req -in syslogServer.csr -CA RootCA.pem -CAkey RootCA.key -CAcreateserial -out syslogServer.crt -days 2048 -sha256
  11. To convert the server certificate and key to a p12 file, type the following command:
    openssl pkcs12 -inkey syslogServer.key -in syslogServer.crt -export -out syslogServer.p12
    Important: When you type a value for the Enter Export Password field, do not use special characters for the password.
  12. Using SSH, log in to your Check Point device.
  13. To access expert mode, type the following command:
    expert
  14. Create a certs directory inside your deployment directory:
    mkdir -p $EXPORTERDIR/targets/<deployment_name>/certs

    Where <deployment_name> is the hostname of your QRadar Console.

  15. Copy the RootCA.pem and log_exporter.p12 that you created in Steps 3 and 7 to the directory that you created on your Check Point device in Step 14 by typing the following command (both files are fetched from the QRadar Console, so each source path carries the remote prefix):
    scp root@qradar_ip:RootCA.pem root@qradar_ip:log_exporter.p12 $EXPORTERDIR/targets/<deployment_name>/certs/
  16. Make the copied files readable and register the QRadar target with the Log Exporter by typing the following commands:
    chmod +r $EXPORTERDIR/targets/<deployment_name>/certs/RootCA.pem
    chmod +r $EXPORTERDIR/targets/<deployment_name>/certs/log_exporter.p12
    cp_log_export add name <deployment_name> target-server <QRadar_host_IP> protocol tcp target-port <port_from_log_source_config> format leef encrypted true ca-cert $EXPORTERDIR/targets/<deployment_name>/certs/RootCA.pem client-cert $EXPORTERDIR/targets/<deployment_name>/certs/log_exporter.p12 client-secret <password_for_p12>

    For more information about TLS configuration, see your Check Point documentation (https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk122323#TLS Configuration).
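The following script is an added example, not part of the IBM page: it runs the certificate steps 2 to 11 non-interactively and then performs the checks worth doing before the files are copied to the Check Point device (both leaf certificates chain to RootCA.pem, the p12 opens with its export password, and the Common Names differ as the Important notes require). It assumes openssl is on the PATH; the Common Name values and the export password in the comments are constructed.

```shell
# Added example (not from the IBM page): the page's certificate steps 2-11 run
# non-interactively, plus the checks worth running before copying files to the
# Check Point device. Assumes openssl on PATH; CNs and password are constructed.
set -eu

# $1 = cert file base name, $2 = Common Name, $3 = PKCS#12 export password.
# Key, CSR, CA-signed cert and p12 bundle, as in steps 4-7 and 8-11 of the page.
issue_leaf() {
    openssl genrsa -out "$1.key" 2048 2>/dev/null
    openssl req -new -key "$1.key" -out "$1.csr" -subj "/CN=$2"
    openssl x509 -req -in "$1.csr" -CA RootCA.pem -CAkey RootCA.key \
        -CAcreateserial -out "$1.crt" -days 2048 -sha256 2>/dev/null
    openssl pkcs12 -inkey "$1.key" -in "$1.crt" -export -out "$1.p12" \
        -passout "pass:$3"
    chmod 600 "$1.key"   # the page: never share the client or server key
}

# $1 = output dir, $2 = root CA CN, $3 = client CN, $4 = server CN, $5 = p12 password
gen_tls_syslog_certs() {
    mkdir -p "$1"
    ( cd "$1"
      # Own config so the root carries CA:TRUE whatever the system openssl.cnf says;
      # without it, 'openssl verify' can reject the root as an invalid CA.
      printf '[req]\ndistinguished_name=dn\n[dn]\n[v3_ca]\n' > ca.cnf
      printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' >> ca.cnf
      # Steps 2-3: root CA key and self-signed root certificate
      openssl genrsa -out RootCA.key 2048 2>/dev/null
      openssl req -x509 -new -nodes -key RootCA.key -days 2048 -out RootCA.pem \
          -config ca.cnf -extensions v3_ca -subj "/CN=$2"
      chmod 600 RootCA.key
      issue_leaf log_exporter "$3" "$5"   # client cert for the Check Point exporter
      issue_leaf syslogServer "$4" "$5"   # server cert for the QRadar TLS Syslog listener
    )
}

# Checks: both leafs chain to RootCA.pem, the p12 opens with the export password,
# and the subjects differ (the page's Important notes require distinct CNs).
verify_tls_syslog_certs() {
    d=$1
    openssl verify -CAfile "$d/RootCA.pem" "$d/log_exporter.crt" "$d/syslogServer.crt" \
        >/dev/null 2>&1 || return 1
    openssl pkcs12 -in "$d/log_exporter.p12" -passin "pass:$2" -noout 2>/dev/null || return 1
    [ "$(openssl x509 -in "$d/RootCA.pem" -noout -subject)" != \
      "$(openssl x509 -in "$d/log_exporter.crt" -noout -subject)" ]
}
```

Call gen_tls_syslog_certs with an output directory, the three Common Names and the export password, then verify_tls_syslog_certs with the same directory and password; a non-zero return means the files are not ready to copy.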

What to do next

Add a log source in QRadar by using the TLS Syslog protocol. For more information, see TLS Syslog log source parameters for Check Point and Adding a log source.