Stonesoft SMC
To use a Stonesoft SMC management station, complete the following steps.
Step 1: Configure the Device
FireMon strives to provide up-to-date product information; however, we are not always aware when vendors change their device UI. If any Configure the Device procedure differs from your device version (UI location of fields, not information needed), please consult your device's user guide.
You must enable the application programming interface (API) for the Stonesoft Management Center (SMC) in the Management Client. You can do this in the properties of the Management Server that handles the requests from the external applications or scripts.
The API clients that use SMC API must also be defined in the Management Client and given the appropriate permissions. You can define the API clients and their permissions using API Client elements. In addition, you must allow SMC API connections from the IP addresses of the API clients to the Management Server.
To establish these connections, complete the following steps.
- Log in to the data collector and run the following commands:
openssl genrsa > privkey.pem
openssl req -new -x509 -key privkey.pem -out cacert.pem
The output will be two files:
- privkey.pem—the private key file
- cacert.pem—the certificate generated using the private key
After entering the second command, you will be asked to provide additional information. The Common Name is where you enter the Host Name of the server. This Common Name or Host Name will be needed for upcoming configuration steps. You must use the same Common Name or Subject Alternative Name in both the application server and the SSL Certificate, or the application server and distributed data collectors will lose connection.
- Copy both saved files to the computer that the SMC management client is installed on.
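A check worth running on the data collector before the files from step 1 are copied and imported, written here as an added example (not FireMon or Forcepoint code). It generates the pair non-interactively and confirms that the certificate belongs to the key and is valid for the host name; the host name you pass in and the 2048-bit floor are assumptions.

```shell
#!/bin/sh
# Added example, not FireMon or Forcepoint code. The host name passed in and
# the 2048-bit floor are assumptions for illustration.

# make_smc_cert DIR HOST: non-interactive form of the two commands in step 1.
make_smc_cert() {
    dir=$1; host=$2
    # umask 077 keeps the private key readable by its owner only.
    ( umask 077; openssl genrsa -out "$dir/privkey.pem" 2048 2>/dev/null ) || return 1
    openssl req -new -x509 -key "$dir/privkey.pem" -out "$dir/cacert.pem" \
        -days 365 -subj "/CN=$host" -addext "subjectAltName=DNS:$host" 2>/dev/null
}

# check_smc_cert DIR HOST: returns 0 only when the pair is consistent.
#   1 = certificate does not belong to this private key
#   2 = HOST matches neither the SAN nor the Common Name
#   3 = RSA key shorter than 2048 bits
#   4 = certificate already expired
check_smc_cert() {
    key=$1/privkey.pem; cert=$1/cacert.pem; host=$2

    # Compare the public key derived from the private key with the one in the cert.
    pub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
    [ -n "$pub" ] && [ "$pub" = "$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null)" ] \
        || { echo "key and certificate do not match" >&2; return 1; }

    # -checkhost matches HOST against SAN entries, or the CN when no SAN is present.
    openssl x509 -in "$cert" -noout -checkhost "$host" 2>/dev/null \
        | grep -q "does match certificate" \
        || { echo "certificate is not valid for $host" >&2; return 2; }

    bits=$(openssl pkey -in "$key" -noout -text 2>/dev/null \
        | sed -n 's/.*Private-Key: (\([0-9]*\) bit.*/\1/p')
    [ "${bits:-0}" -ge 2048 ] || { echo "RSA key is ${bits:-unknown} bits" >&2; return 3; }

    # -checkend 0 exits non-zero if the certificate has already expired.
    openssl x509 -in "$cert" -noout -checkend 0 >/dev/null 2>&1 \
        || { echo "certificate has expired" >&2; return 4; }
}

# Usage: make_smc_cert . smc.example.test && check_smc_cert . smc.example.test
```

Pass the same host name to `check_smc_cert` that you will enter as the API Host Name later, so a mismatch surfaces here rather than as a failed retrieval.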
For SMC versions prior to 6.0
- In the device interface, click Monitoring > System Status.
- Expand the Servers list, right-click Management Server and then click Properties.
- On the Management Server - Properties dialog box, select the SMC API tab.
- Select the Enable check box.
- Verify that the host name entered in step 1 is displayed in the Host Name box.
- At the Server Credentials box, click Select....
- In the Select Element dialog box, click the new server and then click Select. If no server is listed, then do the following:
- Click Tools > New > Server Credentials.
- In the Server Credentials Properties dialog box:
- Type a Name for the properties.
- Click Import for both the Private Key and Certificate. These are the files you created and saved in steps 1 and 2 above.
- Click OK. You will return to the Select Element dialog box.
- Click the server name, and then click Select.
- Click OK.
- To create a new API Client Element, click Configuration > Configuration > Administration.
- Right-click Access Rights > New > API Client.
- On the API Client Properties dialog box:
- Click the General tab.
- Type a unique name for the device in the Name box.
- Click Generate Authentication Key. Write down the key. You will need this information for a later step.
- To define the API Client's permissions, click the Permissions tab.
- Select Unrestricted Permissions (Superuser).
- Click OK.
- Restart the SMC service on the Stonesoft server for the changes to take effect using the service sgMgtServer –full-restart command.
For SMC versions 6.0 and above
If these steps differ from what you see in the Stonesoft UI, please refer to Stonesoft help documentation for how to configure SMC API.
- In the device interface, click Configuration > User Authentication.
- In the User Authentication options, expand Other Elements > Certificates, right-click on Pending Certificate Requests and select New Pending Certificate Request.
- Enter a Name and Common Name (CN) for the request, and click OK.
- Right-click on the certificate request and select Self-Sign.
- Enter a Name for the server credentials and click OK.
- When asked if you want to remove the certificate request, click Yes.
- Click Configuration > Security Engine.
- In the Security Engine options, open Network Elements > Servers, right-click on Management Server and select Properties.
- In the SMC API tab of Management Server - Properties, click Select, select the name of the server credentials created in step 7 above, and click Select.
- Click OK to close the Management Server properties.
- Click Configuration > Administration > Access Rights > API Clients.
- Right-click on API Clients and select New API Client.
- In the General tab, enter the server credentials name, copy the authentication key, and click OK.
- Copy the key to a temporary location because you cannot get the same key again from the API client settings.
If the key is lost before you enter it into the Administration module, you must generate a new key.
- In the Permissions tab, select Unrestricted Permissions and select the Superuser role.
- Click OK.
Set Up Syslog Forwarding
- In the device interface, click Monitoring > System Status.
- Expand the Servers list and right-click Log Server, and then click Properties.
- Click the Log Forwarding tab, and then click Add.
- In the LogServer - Properties dialog box, right-click on each cell of the row to add the appropriate settings:
- Target Host: the data collector to send the syslog messages to
If the data collector is not listed, you'll need to add it. Navigate to Tools > New > Host Properties. Complete the Name and IPv4 fields in the dialog box, and click OK. Select the new entry and then click OK.
- Service: UDP
- Port: 514
- Format: CEF
- Data Type: FW
- Filter: Empty Filter
- Click OK.
- Verify that each firewall rule in the different policies is set up to log correctly:
- Right-click in the "logging" cell of the firewall rule and click Edit Logging. This will open the Logging - Select Rule Options dialog box.
- Select the Override Settings Inherited from Continue Rule(s) check box.
- Change the Log Level to Stored from the list.
- Change the Connection Closing to Normal Log from the list.
- Click OK.
Step 2: Onboard the Device in the Administration Module
- On the toolbar, click Device > Management Stations.
- Click Create, and then click Forcepoint > Stonesoft SMC.
- General Properties section.
- In the Name box, type the name of the device as you want to see it in Security Manager.
- In the Description box, type an optional description of the device being added.
- In the Management IP Address box, type the IP address of the device.
If SMC API was configured with a host name (instead of an IP address), it must also be configured in the Advanced section.
- In the Data Collector box, type the IP address of the data collector that will collect data from this device.
- In the Central Syslog Server box, type the syslog server from the list (optional).
Syslog fields are optional if the device uses the same IP for syslog and management.
A central syslog server is required only if syslog messages come from a different IP. A central syslog server must be created before it can be assigned to a device. To track usage via syslog, the device must support Level 3+.
- In the Syslog Match Names box, type the syslog match names (optional). You can enter multiple names separated by a comma.
- By default, the Automatically Retrieve Configuration check box is selected.
- In the External ID box, type a unique identifier to be used when the device identifier is different than what is displayed in Security Manager.
- For Collection Configuration, enable Update Rule Documentation on Member Devices to allow Rule Documentation fields on member devices to inherit a value from the management station. Any Rule Documentation field updates on the management station will override updates on the member device. A rule marked to be removed will not be updated.
- Device Settings section.
Retrieval
- By default, the Protocol for retrieval is HTTPS, and the Port is 8082.
- For Domain, leave blank for a Shared Domain, otherwise enter a named domain.
Credentials
- Authentication Key—type the authentication key that you generated earlier.
- Re-enter Authentication Key—retype the key entered above.
- Retrieval section.
Scheduled Retrieval
Select the Enable Scheduled Retrieval check box to perform a retrieval at a set time regardless of change detection. This will activate additional fields to complete.
Set the Scheduled Retrieval Time to fit your requirements.
Select the Scheduled Retrieval Time Zone from the list.
Check for Change Retrieval
Select the Enable Check for Change check box to check for configuration changes after the specified interval and perform a retrieval if changes are detected. This will activate an additional field to complete.
The default Check for Change Interval time is 1440 minutes (every 24 hours). You can change the check interval time to best fit your requirements. The minimum required interval is 60 minutes (1 hour).
- Advanced section.
- Select the Use Batch Config Retrieval check box only if you are manually sending configurations for this device using your data collector's batchconfig directory. While this option is enabled, online retrievals will be disabled. If enabled, the Management IP Address must be populated.
- If a host name was set for the SMC API host name (instead of an IP address), it must also be configured here. Enter the API Host Name if an API host name was specified in the SMC; if not, leave this field blank.
- Select the Allow Weak SSL Keys check box to allow weak SSL encryption keys to be used by the SMC server during retrieval.
- Click Save.
- Devices being managed will be listed in the Discovered Devices section.