Check Point R80 /R81 MDS

Minimum supported version is R80.10 and R81

To add a Check Point MDS R80 or MDS R81, complete the following steps.

Step 1: Configure the Device

FireMon strives to provide up-to-date product information, however we are not always aware when vendors change their device UI. If any Configure the Device procedure differs from your device version (UI location of fields, not information needed), please consult your device's user guide.

1. In the SmartConsole, click Manage & Settings.
2. Under Permissions & Administrators, click Administrators.
3. Click the New icon on the toolbar.
   1. In the Administrator dialog box, in the Enter Object Name field, enter the user name of the administrator.
   2. Select Check Point Password as the Authentication Method, and set a new password.
   3. Select Read Only All as the Permission Profile.
   4. Select the password Expiration that best fits your business standards.
   5. Click OK.
4. Create an OPSEC object for LEA to use for usage logging.
   1. From the toolbar, click Objects.
   2. Select More object types > Server > OPSEC Application > New Application. The OPSEC Application Properties dialog box opens.
   3. In the Name field, enter a name for the OPSEC object.
   4. Click New to add data collector information. Follow the on-screen instructions.
   5. In the Client Entities box, select LEA.
   6. Click the Communication button.
      • Enter a one-time password and then confirm it. This password will be used again in the Administration module during setup for authentication.
      • Click Initialize. The Trust State should be “Initialized but trust not established.” This status will change once SIP establishes communication with the log server.
      • Click Close.
   7. Click the LEA Permissions tab, and select Hide all confidential log fields.
   8. Click OK.
5. Set the API retrieval permissions.
   1. In the Multi-Domain menu, click Blades.
   2. In Management API, click Advanced Settings.
   3. Select either All IP Addresses or All IP addresses that can be used for GUI clients.Click Me! a. Management server only (default) - API server will accept scripts and web service requests only from the Security Management Server. You must open a command line interface on the server and use the mgmt_cli utility to send API requests. This should not be selected b. All IP addresses that can be used for GUI clients - API server will accept scripts and web service requests from the same devices that are allowed access to the Security Management Server. The FireMon Data Collector will need to be added to the GUI clients list (below) for this option. c. All IP addresses - API server will accept scripts and web-service requests from any device. FireMon DC being attached to the GUI Client list is not needed.
   4. Click OK.

6. Click OK on the SmartConsole message dialog box.
7. On the toolbar, click Publish.
8. Click Publish on the SmartConsole message dialog box to publish the changes.
9. Restart the Management API server using the command api restart.

Step 2: Onboard the Device in the Administration Module

1. On the toolbar, click Device > Management Stations.
2. Click Create, and then click Check Point > MDS R80 or MDS R81.

3. General Properties section.

1. In the Name box, type the name of the device as you want to see it in SIP.
2. In the Description box, type an optional description of the device being added.
3. In the Management IP Address box, type the IP address of the device.
4. In the Data Collector Group box, select the IP address of the data collector group that will collect data from this device.
5. In the Central Syslog Server box, select the syslog server from the list (optional).

Syslog fields are optional if the device uses the same IP for syslog and management.
A central syslog server is required only if syslog messages come from a different IP. A central syslog server must be created before it can be assigned to a device. To track usage via syslog, the device must support Level 3+.

6. In the Syslog Match Names box, type the syslog match name (optional). You can enter multiple comma-separated names.
7. By default, the Automatically Retrieve Configuration check box is selected.
8. In the External ID box, type a unique identifier to be used when the device identifier is different than what is displayed in SIP.

4. Device Settings section.

   Authentication

   • Enter the Username used for SmartDashboard.

   • Enter the Password and then Re-enter Password for the user name.
   • The Port used for authentication is 18190 by default.
   • Select an authentication Method from the list. Select asym_sslca.
   • The API Port used is 443 by default.
   • Enter the Domain Name. For a CMA managed by MDS, it is necessary to specify a domain name or UUID to retrieve security policy information.
   • Enter the OPSEC Application Name.
   • Enter the One Time Password that you created earlier, and then re-enter it.

   OPSEC Certificate for FireMon Data Collector

   • The OPSEC Distinguished Name and OPSEC Certificate information fields will auto-populate after clicking save.
5. Monitoring section.

• Select the Enable LEA Change Monitoring check box to enable this type of monitoring. Additional fields will appear with default settings entered.
  • Port 18184 is used to establish a LEA connection between the data collector and Check Point management server. SIP uses log export API (LEA) to connect to a Check Point log server.
  • Log Reconnect Timeout is set to a default value of 180 seconds.
  • Log Update Interval is set to a default value of 10 minutes.
  • The Authentication Method selected is SSL_OPSEC.

6. Retrieval section.

Scheduled Retrieval

Select the Enable Scheduled Retrieval check box to perform a retrieval at a set time regardless of change detection. This will activate additional fields to complete.

• Set the Scheduled Retrieval Time to fit your requirements.

• Select the Scheduled Retrieval Time Zone from the list.

Check for Change Retrieval

Select the Enable Check for Change check box to check for configuration changes after the specified interval and perform a retrieval if changes are detected. This will activate an additional field to complete.

• The default Check for Change Interval time is 1440 minutes (every 24 hours). You can change the check interval time to best fit your requirements. The minimum required interval is 60 minutes (1 hour).

7. Advanced Settings section.
   • Set the Device Charset Encoding type for retrievals.
   • To store only the previously modified policy, select the Store only the previously modified policy check box.

   • Configuration Retrieval Timeout is set to a default value of 120 seconds.

   • Configuration Retrieval API Limit for Large Configs (number of records/ lines per call) is set to 500 by default . Adjust this only if you are seeing retrieval timeout .

8. Click Save.

Devices being managed will be listed in the Discovered Devices section.

Step 3: Install Database

The final step is to log back into the MDS and perform a database install. This will push the certificate generated via OPSEC to all log servers.

• From the MDS CLI, on the toolbar, click the Settings icon and then click Install database.