
Guidance and details on the new Check Point CEF generating solution

Dear ArcSight customers,

In the ongoing effort to improve your experience with the Check Point products, Check Point is introducing a new, modern, Syslog-based log export infrastructure which will be integrated and certified with the standard ArcSight Syslog CEF ArcSight connector. Major features include TLS support, ArcSight-certified CEF formatting integration, and log filtering. The new Check Point Syslog feature will be supported on R77.30 and R80.10, and will replace all previously-released Check Point Syslog-based implementations.

We advise all customers interested in it to refer to the Check Point knowledge base article sk122323 for more information on capabilities and architecture.

We are currently in the process of finalizing the CEF generation certification of the new Check Point solution and are planning to complete it soon.

  • 0

    The new Syslog CEF Connector for Check Point seems to be a good thing!

    What I would like to know: Will it still be possible to connect to Check Point R80.10 by opsec connector? And will there be a 64bit opsec connector (or still only 32bit)?

  • 0   in reply to 

    Hello,

    1) Please see the Check Point KB noted in the initial post to get a better "picture" of how it will work.
    2) This will not be 64bit OPSEC SmartConnector (32bit version of SmartConnector framework is going EoL soon).

    Regards,

    Marijo

  • 0 in reply to 

    All 32bit connectors go out of support sometime this year, plus the only CP connector that currently supports R80 is the syslog one. Additionally, this one will replace all (as stated).

  • 0 in reply to 

    https://community.softwaregrp.com/t5/ArcSight-Connectors/SmartConnector-for-Check-Point-Syslog/tac-p/1637794/highlight/true#M1185 


    Unsupported solution to this issue, and it can only be done by people who know their stuff ;)
    We tested this approach; however, below is NOT a step-by-step guide.

    Works with 32bit connector >=7.7.0


    - install the 32 bit version of SmartConnector on any server/laptop/etc. Choose a Linux host, so that you get the 32bit LEA binaries for Linux, and not Windows.
    - select to install a Check Point connector ... don't add details, just make a generic Check Point LEA connector
    - find the binaries that are used for the connection (lea_client, certificate pull, etc), and

    On the 64 bit destination connector(appliance):

    - copy the Check Point binaries to a FRESH SmartConnector
    - copy agent.properties to the SC
    - run "setup" for SmartConnector; you should be able to see Checkpoint ad_opesc now.

    Hope that helps

    P.S.: SHA2 support was added as Hotfix, and now is part of 7.7.0

    Cheers

    A

  • 0 in reply to 

    As previously announced, the 32bit connectors will no longer be available from the end of April '18: this applies to the ArcSight Check Point OPSEC NG connector too.

    Please use the KB on the Check Point site to start your planning processes as necessary.

  • 0 in reply to 

    For an encrypted solution, is it safe to assume we would use the "SmartConnector for ArcSight CEF Encrypted Syslog (UDP)" connector? Or, are you updating the "SmartConnector for Check Point Syslog" connector to include encryption? I am referring to encryption of event flow between Check Point CLM and the connector. I know the current SmartConnector for Check Point Syslog connector provides for encryption if the connector is used as a forwarder. We need to encrypt the traffic coming from syslog to the ESM.

    Also, it sounds like the new solution has not yet been certified by Micro Focus: "We are currently in the process of finalizing the CEF generation certification of the new Check Point solution and are planning to complete it soon." Is that correct?

    If the solution is not available now, when will it be?

    Thank you for your help!

    -Kathy

  • 0   in reply to 

    Hello Kathy,

    1) To use encryption use Syslog NG SmartConnector (7.8.0 framework), not the one you mentioned.
    2) On the CheckPoint page go to "SIEM Specific instruction" and expand it by clicking on "Show / Hide the section". Here you have guidelines on how to configure the SmartConnector.
    3) If you configure the Check Point part (also explained at the link) to output encrypted CEF Syslog, then SmartConnector can parse this out-of-the-box; CEF is the ArcSight standard and works immediately (if the source sends a proper CEF Syslog format).

    Regards,

    Marijo

  • 0 in reply to   

    Thank you, Marijo! We will give this a try. Much appreciated.

    -Kathy

  • 0 in reply to 

    What versions of TLS does the "SmartConnector for Syslog NG Daemon" support? The documentation does not indicate whether or not TLS 1.2 is supported.

    Thanks again!

  • 0

    Hello,

    Is the CEF certification considered done? We have tried Check Point R80.10 with the current version of Log Exporter (T30). The CEF mapping seems to differ a lot compared to the previous mapping of the Check Point log (OPSEC-based), so our current content in ESM, built upon the previous mappings, is useless if migrating to the CEF mapping.

    What are your thoughts about this?

    Regards,
    Tobias
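
As an added example (not from this thread, Check Point or Micro Focus): a small CEF-over-syslog parser you can run against a captured Log Exporter line to confirm it is the "proper CEF Syslog format" Marijo refers to, and to list which extension keys it actually carries before reworking ESM content that was built on the old OPSEC mapping. The sample line, vendor/product strings and field values are constructed for the example, not real Log Exporter output.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed sample in the shape of a CEF-over-syslog line (syslog header, then the
# CEF header and extension). Values are made up; they are not real Log Exporter output.
SAMPLE = ('<134>1 2018-03-01T10:15:00Z cplog CheckPoint - - - '
          'CEF:0|Check Point|VPN-1 & FireWall-1|R80.10|Accept|Accept|0|'
          'src=10.1.2.3 dst=198.51.100.7 spt=51234 dpt=443 proto=tcp act=Accept '
          'cs1Label=Rule Name cs1=Web\\=Out')

HEADER = ("version", "device_vendor", "device_product", "device_version",
          "signature_id", "name", "severity")
# key=value pairs; a value runs until the next " key=" or end of line, and may contain
# spaces. '\=' and '\\' are the CEF extension escapes.
EXT_RE = re.compile(r'(?P<k>[A-Za-z0-9_]+)=(?P<v>(?:\\.|[^\\=])*?)(?=\s+[A-Za-z0-9_]+=|$)')

def split_header(cef: str) -> Tuple[List[str], str]:
    """Split the 7 CEF header fields on unescaped '|'; whatever follows is the extension."""
    fields, cur, i = [], [], 0
    while i < len(cef) and len(fields) < 7:
        c = cef[i]
        if c == "\\" and i + 1 < len(cef):      # '\|' and '\\' are escapes in the header
            cur.append(cef[i + 1]); i += 2
        elif c == "|":
            fields.append("".join(cur)); cur = []; i += 1
        else:
            cur.append(c); i += 1
    if len(fields) != 7:
        raise ValueError("malformed CEF header: expected 7 '|'-separated fields")
    return fields, cef[i:]

def parse_cef(line: str) -> Dict[str, object]:
    """Parse a syslog line carrying CEF; raise ValueError on format violations."""
    start = line.find("CEF:")
    if start < 0:
        raise ValueError("no CEF: prefix found")
    fields, ext = split_header(line[start:])
    rec: Dict[str, object] = dict(zip(HEADER, fields))
    rec["version"] = fields[0][len("CEF:"):]
    sev = fields[6]
    if not (sev.isdigit() and 0 <= int(sev) <= 10 or sev in ("Low", "Medium", "High", "Very-High")):
        raise ValueError(f"invalid CEF severity {sev!r}")
    rec["extension"] = {m["k"]: re.sub(r"\\(.)", r"\1", m["v"]) for m in EXT_RE.finditer(ext)}
    return rec

def missing_keys(rec: Dict[str, object], expected: Set[str]) -> Set[str]:
    """Extension keys your ESM content relies on that this line does not carry."""
    return expected - set(rec["extension"])  # type: ignore[arg-type]

if __name__ == "__main__":
    parsed = parse_cef(SAMPLE)
    print(parsed["device_version"], sorted(parsed["extension"]))  # type: ignore[arg-type]
    print("missing:", missing_keys(parsed, {"src", "dst", "rt", "cs1"}))
```

Feed it real captured lines one at a time; a ValueError points at a formatting problem on the exporter side, while missing_keys shows which fields your existing content would have to be remapped for.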