Check Point R80 /R81 CMA

Minimum supported version is R80.10 and R81

To add a Check Point R80 CMA or R81 CMA, complete the following steps.

Step 1: Configure the Device

FireMon strives to provide up-to-date product information, however we are not always aware when vendors change their device UI. If any Configure the Device procedure differs from your device version (UI location of fields, not information needed), please consult your device's user guide.

1. In the SmartConsole, click Manage & Settings.
2. Under Permissions & Administrators, click Administrators.

3. Click the New icon on the toolbar.
   1. In the Administrator dialog box, in the Enter Object Name field, enter the user name of the administrator.
   2. Select Check Point Password as the Authentication Method, and set a new password.
   3. Select Read Only All as the Permission Profile.
   4. Select the password Expiration that best fits your business standards.
   5. Click OK.
4. Create an OPSEC object for LEA to use for usage logging.
   1. From the toolbar, click Objects.
   2. Select More object types > Server > OPSEC Application > New Application. The OPSEC Application Properties dialog box opens.
   3. In the Name field, enter a name for the OPSEC object.
   4. Click New to add data collector information. Follow the on-screen instructions.
   5. In the Client Entities box, select LEA.
   6. Click the Communication button.
      • Enter a one-time password and then confirm it. This password will be used again in the Administration module during setup for authentication.
      • Click Initialize. The Trust State should be “Initialized but trust not established.” This status will change once SIP establishes communication with the log server.
      • Click Close.
   7. Click the LEA Permissions tab, and select Show all log fields.
   8. Click OK.
5. Set the API retrieval permissions.
   1. For CMA, in the Manage & Settings menu, click Blades.
   2. In Management API, click Advanced Settings.
   3. Select either All IP Addresses or All IP addresses that can be used for GUI clients.Click Me! a. Management server only (default) - API server will accept scripts and web service requests only from the Security Management Server. You must open a command line interface on the server and use the mgmt_cli utility to send API requests. This should not be selected b. All IP addresses that can be used for GUI clients - API server will accept scripts and web service requests from the same devices that are allowed access to the Security Management Server. The FireMon Data Collector will need to be added to the GUI clients list (below) for this option. c. All IP addresses - API server will accept scripts and web-service requests from any device. FireMon DC being attached to the GUI Client list is not needed.
   4. Click OK.
6. Define a GUI Client.
   1. Click Manage & Settings > Permissions & Administrators > Administrators > New.
   2. Click Add.
   3. Define the GUI clients (trusted hosts) using the IP address of the data collector.
   4. Click OK.
7. Add a GAIA user.
   1. Log into MDS GAIA console.
   2. Navigate to User Management > Users > Add.
   3. Enter a Login Name and Password.
   4. Select a role that is read only.
   5. Shell: select /etc/cli.sh.
   6. Access Mechanism: select Clish Access.
   7. Click OK.
8. Click OK on the SmartConsole message dialog box.
9. On the toolbar, click Publish on the SmartConsole message dialog box to publish the changes.
10. From the SSH console, restart the Management API server using the command api restart.

Step 2: Onboard the Device in the Administration Module

1. On the toolbar, click Device > Management Stations.
2. Click Create, and then click Check Point > CMA R80 or CMA R81.

3. General Properties section.

1. In the Name box, type the name of the device as you want to see it in SIP.
2. In the Description box, type an optional description of the device being added.
3. In the Management IP Address box, type the IP address of the device.
4. In the Data Collector Group box, select the IP address of the data collector group that will collect data from this device.
5. In the Central Syslog Server box, select the syslog server from the list (optional).

Syslog fields are optional if the device uses the same IP for syslog and management.
A central syslog server is required only if syslog messages come from a different IP. A central syslog server must be created before it can be assigned to a device. To track usage via syslog, the device must support Level 3+.

6. In the Syslog Match Name box, type the syslog match name (optional).
7. By default, the Automatically Retrieve Configuration check box is selected.
8. In the External ID box, type a unique identifier to be used when the device identifier is different than what is displayed in SIP.

4. Device Settings section.

   Authentication

   1. Enter the Username used for SmartConsole.
   2. Enter the Password and then Re-enter Password for the user name.
   3. The Port used for authentication is 18190 by default.
   4. Select an authentication Method from the list. Select asym_sslca.
   5. The API Port used is 443 by default.
   6. Enter the Domain Name. For CMA's managed by MDS, it is necessary to specify a domain name or UUID to retrieve security policy information.
   7. Enter the OPSEC Application Name.
   8. Enter the One Time Password that you created earlier, and then re-enter it.

   OPSEC Certificate for FireMon Data Collector

   • The OPSEC Distinguished Name and OPSEC Certificate information fields will auto-populate after clicking save.

GAIA Retrieval Configuration

• Select Retrieve Routes Through GAIA API to enable this functionality.

5. Monitoring section.

• Due to Check Point deprecating CPMI connectivity, Enable Change Monitoring is not enabled. If you enable change monitoring, the Change Monitoring Method will be set to LEA audit logs since using CPMI may be unpredictable.

6. Retrieval section.

Scheduled Retrieval

Select the Enable Scheduled Retrieval check box to perform a retrieval at a set time regardless of change detection. Additional required fields will appear when enabled.

• Set the Scheduled Retrieval Time to fit your requirements.

• Select the Scheduled Retrieval Time Zone from the list.

Check for Change Retrieval

Select the Enable Check for Change check box to check for configuration changes after the specified interval and perform a retrieval if changes are detected. Additional required fields will appear when enabled.

• The default Check for Change Interval time is 1440 minutes (every 24 hours). You can change the check interval time to best fit your requirements. The minimum required interval is 60 minutes (1 hour).

Application / Site Retrieval

• Object Request Limit: The maximum number of application site objects to return per request.

• Retrieve without User Data: Select to help resolve a known Check Point API issue that results in an HTTP 500 error when attempting to retrieve user data. Enabling will trigger an Event Log message indicating that the user data could not be retrieved, but the retrieval will continue and normalize. If this option is not enabled, the retrieval will fail.

7. Advanced Settings section.
   • Set the Device Charset Encoding type for retrievals.
   • The Policy Package Names to Ignore feature should only be set under the direction of a FireMon engineer. Please contact your SE or Support before using this feature.
   • Select the Fail Retrieval on Package Failure check box to allow retrieval failure if some packages retrieve but any individual packages do not, which may indicate a problem with the object in the Check Point database.
   • Select the Fail Retrieval on Policy Failure check box to allow retrieval failure is some policies retrieve but any individual policies do not, which may indicate a problem with the object in the Check Point database.
   • If utilizing, complete the Advanced CLISH Retrieval Settings section.
     1. Select the Enable CLISH Retrieval check box.
     2. Enter the CLISH Username and CLISH Password that was created in the GAIA console.
   • Select the Automatically Update SSH Keys check box to allow the data collector to automatically update the SSH key for a device when a conflict occurs
   • Select the Suppress Route Change Notifications check box to treat all routes as dynamic.
8. Automation section.
   • For Policy Install, select the Install Changes on Gateways check box to install changes on gateways when the commit flag is set to true.

If not selected, policy changes will still commit to the CMA but not automatically be pushed to any connected (child) devices.

9. Click Save.

Devices being managed will be listed in the Discovered Devices section.

Step 3: Install Database

The final step is to log back into the CMA and perform a database install. This will push the certificate generated via OPSEC to all log servers.

• From the CMA CLI, on the toolbar, click the Settings icon and then click Install database.