IBM Support

Adding devices managed by a Check Point Security Manager Server console

Product Documentation


Abstract

You use the Check Point Security Management Server (CPSMS) adapter to discover and back up end nodes that are managed by CPSMS. These end nodes run the Check Point FireWall-1 and VPN-1 product family. Use Configuration Source Management to add all devices from a Check Point Security Manager Server (CPSMS) console to QRadar Risk Manager.

Content

The Check Point Security Management Server (CPSMS) adapter is based on the CPMI OPSEC SDK API library.

Compatibility for CPMI connections

CPMI connections are forward-compatible only: the adapter works with later Check Point releases, not with earlier ones.

The cpsms_client application, included with the CPSMS adapter, can communicate with any version of VPN-1 that was released after NGX R60.

Configuration requirements for CPSMS

Two configuration requirements must be met for CPSMS. Both are satisfied by default when CPSMS is installed; however, you must ensure that they remain in place.

The CPSMS client application, cpsms_client, is part of the CPSMS adapter. The cpsms_client application establishes an asymmetric authentication method over a Secure Internal Communication (SIC) channel with CPSMS. The authentication method that is initiated by the cpsms_client is established by using the OPSEC_SSLCA symmetric authentication method.

The authentication method translates into the following configuration requirements, which must be in place on CPSMS:

  • 18190 is the default listening port for CPMI.
  • Secure Internal Communication (SIC) is configured and enabled on the firewall management server to allow the cpsms_client application to communicate with CPSMS.

If you cannot use 18190 as the listening port for CPMI, the port number that you configure for the CPSMS adapter must match the value that is listed for CPMI in the $FWDIR/conf/fwopsec.conf file on CPSMS, for example, cpmi_server auth_port 18190.

To allow the cpsms_client to communicate with the Check Point Management Server, the $CPDIR/conf/sic_policy.conf file on CPSMS must contain at least the following lines:

# OPSEC applications default

ANY    ; SAM_clients ; ANY   ; sam    ; sslca, local, sslca_comp
# sam proxy
ANY    ; Modules, DN_Mgmt ; ANY; sam    ; sslca

ANY    ; ELA_clients ; ANY   ; ela    ; sslca, local, sslca_comp
ANY    ; LEA_clients ; ANY   ; lea    ; sslca, local, sslca_comp
ANY    ; CPMI_clients; ANY   ; cpmi   ; sslca, local, sslca_comp
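The two prerequisites above (the CPMI port in $FWDIR/conf/fwopsec.conf and a sic_policy.conf rule that lets CPMI_clients use sslca) are easy to lose during a management-server upgrade, so it is worth checking them before running discovery. The following script is an added example, not IBM's or Check Point's code: it parses constructed samples of both files (embedded inline so that it runs offline), returns the port the adapter must be set to, and reports whether the SIC policy still permits CPMI over sslca. The field meanings it assigns to sic_policy.conf (client group in the second field, service in the fourth, auth methods in the fifth) are read off the lines quoted above and are an assumption about the file format.

```python
"""Pre-flight check for the CPSMS adapter prerequisites (added example).

Parses fwopsec.conf for the CPMI auth_port and sic_policy.conf for a rule
that allows CPMI_clients to authenticate with sslca. File contents below are
constructed samples; point the functions at real file text in practice.
"""
import re

# Constructed sample of $FWDIR/conf/fwopsec.conf; only the cpmi_server line is
# cited by the documentation, the lea_server line is filler.
FWOPSEC_SAMPLE = """\
# OPSEC server settings (constructed sample)
lea_server auth_port 18184
cpmi_server auth_port 18190
"""

# Constructed sample of $CPDIR/conf/sic_policy.conf, built from the lines
# the documentation says must be present at minimum.
SIC_POLICY_SAMPLE = """\
# OPSEC applications default

ANY    ; SAM_clients ; ANY   ; sam    ; sslca, local, sslca_comp
# sam proxy
ANY    ; Modules, DN_Mgmt ; ANY; sam    ; sslca

ANY    ; ELA_clients ; ANY   ; ela    ; sslca, local, sslca_comp
ANY    ; LEA_clients ; ANY   ; lea    ; sslca, local, sslca_comp
ANY    ; CPMI_clients; ANY   ; cpmi   ; sslca, local, sslca_comp
"""

DEFAULT_CPMI_PORT = 18190  # default CPMI listening port per the documentation


def cpmi_auth_port(fwopsec_text):
    """Return the CPMI auth_port configured in fwopsec.conf text.

    Falls back to 18190 when no cpmi_server auth_port line overrides it.
    Comments (after '#') are ignored on every line.
    """
    for raw in fwopsec_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        match = re.match(r"cpmi_server\s+auth_port\s+(\d+)$", line)
        if match:
            return int(match.group(1))
    return DEFAULT_CPMI_PORT


def parse_sic_policy(policy_text):
    """Parse sic_policy.conf rule lines into dicts.

    Assumed layout (taken from the quoted lines): five ';'-separated fields,
    source ; client group(s) ; destination ; service ; auth method(s).
    Comment lines, blank lines and anything without five fields are skipped.
    """
    rules = []
    for raw in policy_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split(";")]
        if len(fields) != 5:
            continue  # section header or unrelated line, not a rule
        source, clients, destination, service, methods = fields
        rules.append({
            "source": source,
            "clients": [c.strip() for c in clients.split(",")],
            "destination": destination,
            "service": service,
            "methods": [m.strip() for m in methods.split(",")],
        })
    return rules


def cpmi_sslca_allowed(policy_text):
    """True if some rule lets CPMI_clients reach the cpmi service via sslca."""
    for rule in parse_sic_policy(policy_text):
        if (rule["service"] == "cpmi"
                and "CPMI_clients" in rule["clients"]
                and "sslca" in rule["methods"]):
            return True
    return False


def preflight(fwopsec_text, policy_text):
    """Summarise both checks; the adapter port must equal 'cpmi_port'."""
    return {
        "cpmi_port": cpmi_auth_port(fwopsec_text),
        "cpmi_sslca_allowed": cpmi_sslca_allowed(policy_text),
    }


if __name__ == "__main__":
    result = preflight(FWOPSEC_SAMPLE, SIC_POLICY_SAMPLE)
    print("Configure the CPSMS adapter port as:", result["cpmi_port"])
    if not result["cpmi_sslca_allowed"]:
        print("WARNING: sic_policy.conf no longer allows CPMI_clients over sslca")
```

If the port reported differs from 18190, set the adapter to that value rather than the default; if the sslca check fails, restore the CPMI_clients line shown above before retrying discovery, since the cpsms_client cannot authenticate without it.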

Adding devices managed by a Check Point Security Manager Server console

Use Configuration Source Management to add all devices from a Check Point Security Manager Server (CPSMS) console to QRadar Risk Manager.

Before you begin

You must obtain the OPSEC Entity SIC name, OPSEC Application Object SIC name, and the one-time password for the Pull Certificate password before you begin this procedure. For more information, see your CPSMS documentation.

Note: The Device Import feature is not compatible with CPSMS adapters.

About this task

You must add credentials and a network group before you add your network device.

Repeat this procedure for each CPSMS that you want to contact to initiate discovery of its managed firewalls.

Procedure


1. Click the Admin tab.
2. On the navigation menu, click Plug-ins.
3. On the Risk Manager pane, click Configuration Source Management.
4. On the navigation menu, click Credentials.
5. On the Network Groups pane, click Add a new network group (+).
6. Type a name for the network group, and click OK.
7. Type the IP address of your CPSMS device, and click Add (+).

Note: Ensure that the addresses that you add appear in the Network address box beside the Add address box.


8. On the Credentials pane, click Add a new credential set (+).
9. Type a name for the credential set, and click OK.
10. Select the name of the credential set that you created.
11. Type a valid username and password for the device.
12. Type the OPSEC Entity SIC name of the CPSMS that manages the firewall devices to be discovered. For example:

CN=cp_mgmt_vm230-cpsms2-gw3,O=vm226-CPSMS..bs7ocx

13. Type the OPSEC Application Object SIC name that was created on the CPSMS by using the Check Point SmartDashboard application. For example:

CN=cpsms230,O=vm226-CPSMS..bs7ocx

14. Obtain the OPSEC SSL Certificate:
    1. Click Get Certificate.
    2. In the Certificate Authority IP field, type the IP address.
    3. In the Pull Certificate Password field, type the one-time password for the OPSEC Application.
    4. Click OK.
15. Click OK.
16. Click Discover From Check Point SMS, and then enter the CPSMS IP address.
17. Click OK.

What to do next

After you add all the required devices, you can back up your devices and then view them in the topology.



Document Information

Modified date:
17 June 2018

UID

swg27038961