
NetWitness Common Issues with CheckPoint Firewall Log Integration

Issue

How to resolve common issues with Check Point firewall log integration in NetWitness Platform.


Resolution

The topics below address common issues involving CheckPoint firewall log integration in NetWitness Platform.

1. The Check Point admin needs to set up the following configuration on the Check Point side.

Modify the file $FWDIR/conf/fwopsec.conf so that it contains the following lines, making sure that they are not commented out (no "#" at the start of the line):

lea_server auth_port 18184
lea_server auth_type sslca
lea_server port 0

2. The customer's firewall must not block the necessary TCP ports between the NetWitness Log Collector and the Check Point device, in either direction.

TCP port 18210 (ica pull) is required only for the duration of the certificate pull.
TCP port 18211 (ica push) is listed for information only and should not be required for the SA integration.
TCP port 18184 (FW_lea) is required to pull logs.

You can confirm whether a port is open by issuing one of the following commands from the Log Collector:

# telnet <Checkpoint_ip> 18184
# curl <Checkpoint_ip>:18184

For additional information, see the CheckPoint Firewall integration guide.

3. Running the Checkpoint process in debug mode.

The 'NwCheckpointProcess' program is used by the NwLogCollector to collect events from Check Point servers using the OPSEC LEA API. It can also be used as a command-line utility to probe a Check Point server, verify connectivity, debug connection problems, and observe raw data. It is located in the /usr/sbin directory.

The following command can be entered from a NwLogCollector to output the standard and error outputs to text files. See the Note below before running the command:

/usr/sbin/NwCheckpointProcess --config cpfw.cfg --count 10 --start --debug --odebug >chkpt1.txt 2>chkpt2.txt

This command connects to the server and, starting from the beginning of the current log file, returns 10 events.

Because standard output was redirected to the file chkpt1.txt, that is where the events are stored. Any standard error (stderr) messages are redirected to the file chkpt2.txt.

Note: Before running the command, create the configuration file 'cpfw.cfg'. The file should contain the following six lines, substituting your own values:

ip=192.168.1.254
name=cpfw
sdn=cn=cp_mgmt,o=cpfw.cpfw.rsa.net.ckbe7u
cdn=CN=NEXTGEN,O=cpfw.cpfw.rsa.net.ckbe7u
cen=NEXTGEN
kfp=/etc/netwitness/ng/truststore/checkpoint_cpfwseclogs.p12

Refer to the table below to understand the parameter names.

Parameter   Meaning
IP          IP address of the Check Point server.
NAME        Name of the Check Point server.
SDN         Server Distinguished Name.
CDN         Client Distinguished Name.
CEN         Client Entity Name.
KFP         Key File Path (.p12 certificate). The default location is /etc/netwitness/ng/truststore.

All of these values must already be configured in NetWitness Platform, and the certificate must already have been pulled.

The --debug flag obtains additional debug information, and the --odebug flag outputs OPSEC error messages to standard error.

Running /usr/sbin/NwCheckpointProcess --help shows the help page.
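The following is an added example, not NetWitness code: a small POSIX shell check that validates a cpfw.cfg against the six parameters described above (all present, ip in dotted form, cdn beginning with CN=<cen>, and the .p12 key file already on disk) before you spend time on a debug run. The function name and the file path passed to it are assumptions.

```shell
#!/bin/sh
# Added example, not NetWitness code: sanity-check a cpfw.cfg before running
# NwCheckpointProcess. Expects the six key=value lines shown above.

# cfg_get <file> <key>: value of the first "key=value" line, CR stripped
cfg_get() {
    sed -n "s/^$2=//p" "$1" | head -n 1 | tr -d '\r'
}

# check_cpfw_cfg <path-to-cpfw.cfg>
# Prints one line per problem found; returns 0 only when every check passes.
check_cpfw_cfg() {
    cfg=$1
    rc=0
    [ -r "$cfg" ] || { echo "cannot read $cfg"; return 1; }
    # every one of the six parameters must be present and non-empty
    for key in ip name sdn cdn cen kfp; do
        if [ -z "$(cfg_get "$cfg" "$key")" ]; then
            echo "missing or empty parameter: $key"
            rc=1
        fi
    done
    # ip is the address of the Check Point server: digits and dots only
    ip=$(cfg_get "$cfg" ip)
    case "$ip" in
        ""|*[!0-9.]*) echo "ip is not a dotted IPv4 address: '$ip'"; rc=1 ;;
    esac
    # the client DN starts with CN=<client entity name>, as in the sample above
    cen=$(cfg_get "$cfg" cen)
    cdn=$(cfg_get "$cfg" cdn)
    case "$cdn" in
        "CN=${cen},"*) ;;
        *) echo "cdn '$cdn' does not begin with CN=$cen"; rc=1 ;;
    esac
    # the .p12 must already have been pulled (see item 4 below)
    kfp=$(cfg_get "$cfg" kfp)
    [ -f "$kfp" ] || { echo "key file not found: $kfp"; rc=1; }
    return $rc
}

# Typical use on the Log Collector (path is an assumption):
#   check_cpfw_cfg /path/to/cpfw.cfg && echo "cpfw.cfg looks complete"
```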

4. The certificate .p12 file should exist in the /etc/netwitness/ng/truststore directory.

If the key file is missing, attempt to retrieve the certificate file from the command line with the command below.

/opt/netwitness/opseclea32/bin/opsec_pull_cert -h <checkpoint_ip> -n <object_name> -p <password>:256

The -p flag refers to the one-time password given in Check Point SmartDashboard when defining this entity.

Note: If Check Point considers the one-time password to have been used already, the Check Point admin will need to take an action such as deleting and recreating the entity in order to use the same password again.

5. NwCheckpointProcess needs to resolve the hostname of the Log Collector while collecting Checkpoint logs.

If the NwCheckpointProcess debug output reports that it is unable to resolve the hostname of the Log Collector, confirm that the hostname appears in the NetWitness Log Collector files below.

In the /etc/hosts file, the line should appear as follows:

127.0.0.1 <hostname> localhost.localdomain localhost

In the /etc/sysconfig/network file, the line should appear as follows:

HOSTNAME=<hostname>

The hostname should have been set properly with the NwConsole command when the appliance was set up, which updates these two files, but this is not always the case.
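As an added example (not NetWitness code), the following POSIX shell function checks both files for the entries described in this item: a 127.0.0.1 line in /etc/hosts that names the Log Collector, and HOSTNAME=<hostname> in /etc/sysconfig/network. The file paths are parameters so the check can also be run against copies; the function name is an assumption.

```shell
#!/bin/sh
# Added example, not NetWitness code: verify that the Log Collector hostname
# is present in /etc/hosts and /etc/sysconfig/network as item 5 describes.

# check_hostname_files <hostname> <hosts-file> <network-file>
# Prints one line per problem; returns 0 when both files carry the entries.
check_hostname_files() {
    host=$1; hosts_file=$2; net_file=$3
    rc=0
    # /etc/hosts: the 127.0.0.1 line must list the hostname among its names
    if ! awk -v h="$host" '$1 == "127.0.0.1" { for (i = 2; i <= NF; i++) if ($i == h) found = 1 }
                           END { exit !found }' "$hosts_file" 2>/dev/null; then
        echo "$hosts_file: no 127.0.0.1 entry naming $host"
        rc=1
    fi
    # /etc/sysconfig/network: an exact HOSTNAME=<hostname> line
    if ! grep -qFx "HOSTNAME=$host" "$net_file" 2>/dev/null; then
        echo "$net_file: HOSTNAME is not set to $host"
        rc=1
    fi
    return $rc
}

# Typical use on the Log Collector itself:
#   check_hostname_files "$(hostname)" /etc/hosts /etc/sysconfig/network
```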

6. Checkpoint connection successful but no logs are collected.

If the NetWitness Log Collector Check Point event source is set with "Collect Logs From" = Now, and no new messages are arriving at the Checkpoint device, then NwCheckpointProcess will not receive any logs. Wait until the Checkpoint device receives new messages.

You can monitor this by issuing the following command; NwCheckpointProcess will run until two new messages have been received before returning to the command prompt:

# /usr/sbin/NwCheckpointProcess --config cpfw.cfg --count 2 --end

Product Details

NetWitness Product Set: NetWitness Platform
NetWitness Product/Service Type: Log Collector
NetWitness Version/Condition: 11.x, 12.x
Platform: CentOS / AlmaLinux
O/S Version: 7 / 8.9
