Check Point App For Splunk: User Guide

14 November 2018

CHECK POINT
APP FOR SPLUNK

User Guide
Classification: [Restricted]
© 2018 Check Point Software Technologies Ltd.
All rights reserved. This product and related documentation are protected by copyright and
distributed under licensing restricting their use, copying, distribution, and decompilation. No part
of this product or related documentation may be reproduced in any form or by any means without
prior written authorization of Check Point. While every precaution has been taken in the
preparation of this book, Check Point assumes no responsibility for errors or omissions. This
publication and features described herein are subject to change without notice.
RESTRICTED RIGHTS LEGEND:
Use, duplication, or disclosure by the government is subject to restrictions as set forth in
subparagraph (c)(1)(ii) of the Rights in Technical Data and Computer Software clause at DFARS
252.227-7013 and FAR 52.227-19.
TRADEMARKS:
Refer to the Copyright page https://www.checkpoint.com/copyright/ for a list of our trademarks.
Refer to the Third Party copyright notices
https://www.checkpoint.com/about-us/third-party-trademarks-and-copyrights/ for a list of
relevant copyrights and third-party licenses.
Important Information
Latest Software
We recommend that you install the most recent software release to stay up-to-date
with the latest functional improvements, stability fixes, security enhancements and
protection against new and evolving attacks.

Certifications
For third party independent certification of Check Point products, see the Check Point
Certifications page
https://www.checkpoint.com/products-solutions/certified-check-point-solutions/.

More Information
Visit the Check Point Support Center https://supportcenter.checkpoint.com.

Latest Version of this Document
• Open the latest version of this document in a Web browser:
  https://sc1.checkpoint.com/documents/App_for_Splunk/html_frameset.htm
• Download the latest version of this document in PDF format:
  http://downloads.checkpoint.com/dc/download.htm?ID=70463
To learn more, visit the Check Point Support Center
https://supportcenter.checkpoint.com.

Feedback
Check Point is engaged in a continuous effort to improve its documentation.
Please help us by sending your comments
mailto:[email protected]?subject=Feedback on Check Point App
for Splunk User Guide.

Revision History
Date              Description
14 November 2018  First release of this document
Contents
Important Information ...................................................................................................... 3
Introduction ....................................................................................................................... 5
Prerequisite .................................................................................................................. 5
Installation ........................................................................................................................ 6
Installing the Jumbo Hotfix .......................................................................................... 7
Installing Log Exporter ................................................................................................. 9
Installing the Check Point App for Splunk ................................................................. 10
Deployment ..................................................................................................................... 12
Deploying Log Exporter - Part 1 ................................................................................. 12
Setting Up a New Data Input on Splunk ..................................................................... 13
Deploying Log Exporter - Part 2 ................................................................................. 16
Compatibility ............................................................................................................... 16
Known Limitations .......................................................................................................... 17
CHAPTER 1

Introduction
In This Section:
Prerequisite .......................................................................................................... 5

Check Point brings you an advanced, real-time threat analysis and reporting tool for Splunk.
The Check Point App for Splunk lets you respond to security risks immediately and gain true
insight into your network.
You can collect and analyze millions of logs from all Check Point technologies and platforms
across networks, Cloud, Endpoints and Mobile.
This app uses the Check Point Log Exporter to seamlessly send logs from your Check Point log
server to your Splunk server. For more details, see Check Point sk122323
http://supportcontent.checkpoint.com/solutions?id=sk122323.
Main features include:
• Compatibility with Common Information Model (CIM)
• Compatibility with Splunk Enterprise Security
• Integrated with Check Point SmartEvent dashboards (e.g., General Overview, Threat
Prevention and the new Cyber Attack View)

Prerequisite
Install Splunk Common Information Model (CIM) from Splunkbase
https://splunkbase.splunk.com/app/1621/ to support Splunk CIM format.

Check Point App for Splunk User Guide | 5


CHAPTER 2

Installation
In This Section:
Installing the Jumbo Hotfix .................................................................................... 7
Installing Log Exporter .......................................................................................... 9
Installing the Check Point App for Splunk ............................................................ 10

Before you install the Check Point App on your Splunk servers, you must install Log Exporter on
your Multi-Domain Server, Multi-Domain Log Server, Security Management Server, Log Server or
SmartEvent Server.
Workflow:
1. Install the Jumbo Hotfix.
2. Install Log Exporter.
3. Install the Check Point App for Splunk.


Installing the Jumbo Hotfix


Install the Jumbo Hotfix (Take 5 or higher for R80.20 / Take 56 or higher for R80.10 / Take 292 or
higher for R77.30) on your Check Point server via CPUSE.
To download the Jumbo Hotfix:
• R80.20 - See sk137592 http://supportcontent.checkpoint.com/solutions?id=sk137592.
• R80.10 - See sk116380 http://supportcontent.checkpoint.com/solutions?id=sk116380.
• R77.30 - See sk106162 http://supportcontent.checkpoint.com/solutions?id=sk106162.
Note - After you install the Jumbo Hotfix, the server automatically reboots.

To install the Jumbo Hotfix:


1. Connect to your server through the Gaia portal:
https://<server_ip>:<gaia_port(default:443)>
2. On the left menu, under Upgrades (CPUSE), click Status and Actions.


3. Click Import Package, browse to the Jumbo Hotfix file, and click Import.

4. Click Showing Recommended packages and select All.

5. Right click on the Jumbo Hotfix file and select Install Update.
For more information on CPUSE, refer to sk92449
http://supportcontent.checkpoint.com/solutions?id=sk92449.


Installing Log Exporter


Install the Log Exporter bundle on your Check Point server via CPUSE.

Version   Date              File Name
R80.10    06 November 2018  Check_Point_R80.10_Log_Exporter_T41_sk122323_FULL.tgz
R77.30    06 November 2018  Check_Point_R77.30_Log_Exporter_T30_sk122323_FULL.tgz

Note - Log Exporter is part of R80.20 Jumbo Hotfix Take 5 or higher. You do not need to install an
additional bundle for it.

To install Log Exporter:


1. Connect to your server through the Gaia portal:
https://<server_ip>:<gaia_port(default:443)>
2. On the left menu, under Upgrades (CPUSE), click Status and Actions.
3. Click Import Package, browse to the Log Exporter bundle, and click Import.
4. Click Showing Recommended packages and select All.
5. Right click on the Log Exporter package and select Install Update.
For more information on Log Exporter installation, see the Installation section in sk122323
http://supportcontent.checkpoint.com/solutions?id=sk122323.


Installing the Check Point App for Splunk


Install the Check Point App for Splunk on your Splunk servers. If you have a distributed
environment, you must install it on each Splunk machine (forwarder, indexer, and search head).
Note - After you install the app, you are prompted to restart the machine.

Version   Date              File Name
1.0.0     13 November 2018  TA-check-point-app-for-splunk.tgz

To install the app:


1. Go to https://splunkbase.splunk.com/app/4293/ and download the Check Point App for Splunk
tgz file.
2. Log in to your Splunk machine via WebUI: http://<splunk_server_ip>:8000
3. On the Apps left panel, click the Manage Apps icon.

4. Click Install app from file and select the TA-checkpoint-app-for-splunk.tgz file.


5. Click Upload and wait until you receive a success notification.


After you install the app, you can find it in the Apps panel on your Splunk home page.


CHAPTER 3

Deployment
In This Section:
Deploying Log Exporter - Part 1 ........................................................................... 12
Setting Up a New Data Input on Splunk ................................................................ 13
Deploying Log Exporter - Part 2 ........................................................................... 16
Compatibility ....................................................................................................... 16

Deploying Log Exporter - Part 1


To configure a new target (Splunk server) for the logs:
On the Check Point server, run:
    cp_log_export add name <name> [domain-server <domain-server>] target-server <target-server> target-port <target-port> protocol <tcp | udp> format splunk read-mode <raw | semi-unified>
Example:
    cp_log_export add name my_exporter target-server 192.168.1.1 target-port 12001 protocol tcp format splunk read-mode semi-unified

On Multi-Domain Server/Multi-Domain Log Server:


1. The domain-server argument is mandatory. Use 'mds' as the value for domain-server to export
Multi-Domain Server level audit logs.
2. This creates a new target directory with the unique name specified in the <name> parameter
under $EXPORTERDIR/targets/<name>.
Note - In a Multi-Domain Server environment, there is a separate EXPORTERDIR for each domain.
3. Set the target configuration parameters with the connection details:
• IP Address
• Port
• Protocol
• Format
• Read-mode - The recommended read-mode is semi-unified, which ensures you receive complete
data.
The deployment described above exports the logs in clear text. To send the logs over an encrypted
connection, refer to the “TLS Configuration” section in sk122323
http://supportcontent.checkpoint.com/solutions?id=sk122323.
Note - After you configure the target (Splunk server), you must configure the data input on the
Splunk side before you export logs from your Check Point server.


To modify an existing target for the logs to work with Splunk format:
On the Check Point server, run:
    cp_log_export set name <name> format splunk read-mode <raw | semi-unified>
Example:
    cp_log_export set name my_exporter format splunk read-mode semi-unified
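The commands above are typed by hand on the log server, where a wrong value is only reported after the fact. The following is an added example (not part of the Check Point guide, Log Exporter or the app) that assembles the three cp_log_export command lines this guide documents (add, set and restart) from checked parameters: the allowed values for protocol and read-mode, the port range, and the rule that domain-server is mandatory on a Multi-Domain Server all come from the guide; the function names, the on_mds flag and the dry-run wrapper are assumptions of this example. The add command it builds for the guide's values is the guide's own example line.

```python
"""Assemble cp_log_export commands from validated parameters.

Added example, not part of the Check Point guide or of Log Exporter itself.
It only assembles the command lines the guide documents ('cp_log_export add',
'set' and 'restart') and rejects values the guide does not allow, so a typo is
caught before anything runs on the log server. The allowed values and the MDS
rule come from the guide; function names and the on_mds flag are my own.
Note that the resulting export is clear text unless TLS is configured as
described in sk122323.
"""
import shlex
import subprocess
from typing import List, Optional

VALID_PROTOCOLS = ("tcp", "udp")
VALID_READ_MODES = ("raw", "semi-unified")


def check_add_params(name: str, target_server: str, target_port: int,
                     protocol: str, read_mode: str,
                     domain_server: Optional[str], on_mds: bool) -> List[str]:
    """Return a list of problems; an empty list means the parameters are acceptable."""
    problems = []
    if not name or any(ch.isspace() for ch in name):
        problems.append("name must be a single non-empty token")
    if not target_server or any(ch.isspace() for ch in target_server):
        problems.append("target-server must be a single non-empty token")
    if not 1 <= int(target_port) <= 65535:
        problems.append("target-port must be between 1 and 65535")
    if protocol not in VALID_PROTOCOLS:
        problems.append("protocol must be one of: " + ", ".join(VALID_PROTOCOLS))
    if read_mode not in VALID_READ_MODES:
        problems.append("read-mode must be one of: " + ", ".join(VALID_READ_MODES))
    if on_mds and not domain_server:
        # Guide: on a Multi-Domain Server / Multi-Domain Log Server the
        # domain-server argument is mandatory ('mds' selects MDS-level audit logs).
        problems.append("domain-server is mandatory on a Multi-Domain Server")
    return problems


def build_add_command(name: str, target_server: str, target_port: int,
                      protocol: str = "tcp", read_mode: str = "semi-unified",
                      domain_server: Optional[str] = None,
                      on_mds: bool = False) -> List[str]:
    """Build the argv for 'cp_log_export add ... format splunk'."""
    problems = check_add_params(name, target_server, target_port, protocol,
                                read_mode, domain_server, on_mds)
    if problems:
        raise ValueError("; ".join(problems))
    argv = ["cp_log_export", "add", "name", name]
    if domain_server:
        argv += ["domain-server", domain_server]
    argv += ["target-server", target_server, "target-port", str(target_port),
             "protocol", protocol, "format", "splunk", "read-mode", read_mode]
    return argv


def build_set_command(name: str, read_mode: str = "semi-unified") -> List[str]:
    """Build the argv that switches an existing target to Splunk format."""
    if read_mode not in VALID_READ_MODES:
        raise ValueError("read-mode must be one of: " + ", ".join(VALID_READ_MODES))
    return ["cp_log_export", "set", "name", name, "format", "splunk",
            "read-mode", read_mode]


def build_restart_command(name: str) -> List[str]:
    """Build the argv that starts the export (Part 2 of the deployment)."""
    return ["cp_log_export", "restart", "name", name]


def run(argv: List[str], dry_run: bool = True) -> str:
    """Execute the command unless dry_run; always return its shell-quoted form.

    The argument list goes to subprocess without shell=True, so a value such
    as the target name is never interpreted by a shell.
    """
    quoted = " ".join(shlex.quote(a) for a in argv)
    if not dry_run:
        subprocess.run(argv, check=True)
    return quoted


if __name__ == "__main__":
    # Reproduces the guide's example target: 192.168.1.1 port 12001 over TCP.
    print(run(build_add_command("my_exporter", "192.168.1.1", 12001)))
    print(run(build_set_command("my_exporter")))
    print(run(build_restart_command("my_exporter")))
```

Running the module prints the three commands without executing them; pass dry_run=False to run() on the log server itself once the printed lines look right.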

Setting Up a New Data Input on Splunk


To configure a new data input for the logs:
1. On the Splunk WebUI, click Settings in the upper toolbar.


2. Under Data, select Data Inputs.

3. Select the relevant protocol (TCP/UDP) based on what you configured in Log Exporter.


4. Click New Local TCP/UDP.

5. Configure the port number you configured as <target-port> on the Log Exporter.
6. Configure the allowed incoming connections that Splunk should accept.

7. Click Select and enter cp_log as the source type.

8. Click Review to make sure your configuration is correct.


9. Click Submit.
For more information on Data Inputs on Splunk, refer to Splunk documentation - Configure your
inputs https://docs.splunk.com/Documentation/Splunk/7.1.1/Data/Configureyourinputs.


To modify an existing data input for the logs:


1. On the Splunk WebUI, click Settings in the upper toolbar.
2. Under Data, select Data Inputs.
3. Select the relevant protocol (TCP/UDP) based on what you configured in Log Exporter.
4. Click the port number you want to modify.
5. Change the sourcetype to cp_log.
6. Click Save.

Deploying Log Exporter - Part 2


The last step is to start the export process on your Check Point server:
Run:
    cp_log_export restart name <name>
You can now see the exported logs in your Splunk WebUI.

Compatibility
• Splunk compatibility: 6.5 or later.
• CIM compatibility: 4.5 or later.


CHAPTER 4

Known Limitations
• Updates can be sent for each Check Point log. A complete log is sent after each update.
• Check Point logs may contain tables (for example: match table). When exporting Check Point
data, tabular data is combined into the same log.
• For complete Check Point blades mapping to CIM, see the table below.

Check Point Blades                                                       CIM Data Model
IOS profile, Device                                                      Alert
Application Control                                                      Application Control
DLP                                                                      Data Loss Prevention
MTA, Anti-Spam                                                           Email
IPS, WIFI Network, Cellular Network                                      Intrusion Attack
Threat Emulation, Anti-Virus, Anti-Bot, Threat Extraction,               Malware
Anti-Malware, Anti-Ransomware, Anti-Exploit, Forensics,
OS Exploit, Application, Text Message, Network Access, Zero Phishing
Firewall                                                                 Network Traffic
VPN, Mobile Network                                                      Session
URL Filtering                                                            Web

When you use Splunk format, Log Exporter replaces these characters:

Original Character   Exported Characters
|                    ;
=                    \=
\n                   Space
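The two limitations above matter to anyone who post-processes exported lines outside Splunk: values may carry an escaped '=', a ';' that was originally a '|', or spaces that were newlines, and the same log may arrive more than once because a complete copy is re-sent after each update. The following is an added example (not part of the Check Point guide or the app) that parses such lines and keeps only the latest copy of each log. It assumes the Splunk format is one line per log made of '|'-separated key=value fields, which is what makes the three substitutions necessary; the field names (loguid, time, product, action, verdict, ...) and the sample lines are constructed for the example rather than captured from a log server.

```python
"""Parse Log Exporter output in Splunk format and collapse log updates.

Added example, not part of the Check Point guide or the app. It assumes the
Splunk format is one line per log made of '|'-separated key=value fields,
which is why the guide's table has Log Exporter rewrite '|' to ';', '=' to
'\\=' and newlines to spaces inside values. The field names and the sample
lines below are constructed for this example.
"""
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample lines; not captured from a real log server. The second
# line carries escaped '=' and a ';' that stands in for an original '|'; the
# last two lines are the same log (same loguid) sent twice, as the guide's
# Known Limitations describe for updates.
SAMPLE_LINES = [
    "time=1542184210|loguid=0x1|product=Firewall|action=Accept|src=10.0.0.5|dst=10.0.0.9|rule_name=Allow Web",
    "time=1542184211|loguid=0x2|product=URL Filtering|action=Block|resource=http://example.test/?q\\=1;a\\=2",
    "time=1542184212|loguid=0x3|product=Threat Emulation|action=Detect|verdict=benign",
    "time=1542184215|loguid=0x3|product=Threat Emulation|action=Detect|verdict=malicious|description=line one line two",
]


@dataclass
class ParsedLog:
    fields: Dict[str, str] = field(default_factory=dict)
    unparsed: List[str] = field(default_factory=list)  # pieces with no unescaped '='


def _split_on_first_unescaped_eq(text: str) -> Optional[Tuple[str, str]]:
    """Split at the first '=' that is not written as '\\='."""
    pos = 0
    while True:
        pos = text.find("=", pos)
        if pos == -1:
            return None
        if pos == 0 or text[pos - 1] != "\\":
            return text[:pos], text[pos + 1:]
        pos += 1


def unescape_value(value: str) -> str:
    """Undo the one reversible substitution ('\\=' becomes '=').

    '|' to ';' and newline to space are lossy: a ';' in a value may have been
    a '|' originally, and the parser cannot tell, so it does not guess.
    """
    return value.replace("\\=", "=")


def parse_splunk_format(line: str) -> ParsedLog:
    """Parse one exported line into a field map, keeping malformed pieces visible."""
    parsed = ParsedLog()
    for raw in line.rstrip("\r\n").split("|"):
        if raw == "":
            continue
        split = _split_on_first_unescaped_eq(raw)
        if split is None:
            parsed.unparsed.append(raw)  # surfaced rather than silently dropped
            continue
        key, value = split
        parsed.fields[key] = unescape_value(value)
    return parsed


def latest_by_loguid(lines: List[str]) -> Dict[str, Dict[str, str]]:
    """Keep only the most recent copy of each log.

    The guide notes that a complete log is re-sent after each update, so
    counting every copy would double-count one event. 'loguid' and 'time' are
    assumed field names; the copy with the highest 'time' wins.
    """
    latest: Dict[str, Dict[str, str]] = {}
    for line in lines:
        fields = parse_splunk_format(line).fields
        uid = fields.get("loguid")
        if uid is None:
            continue
        current = latest.get(uid)
        if current is None or int(fields.get("time", "0")) >= int(current.get("time", "0")):
            latest[uid] = fields
    return latest


def summarize_actions(lines: List[str]) -> Dict[str, int]:
    """Count actions over de-duplicated logs."""
    return dict(Counter(f.get("action", "unknown") for f in latest_by_loguid(lines).values()))


if __name__ == "__main__":
    for uid, fields in latest_by_loguid(SAMPLE_LINES).items():
        print(uid, fields.get("product"), fields.get("action"), fields.get("verdict", ""))
    print(summarize_actions(SAMPLE_LINES))
```

On the sample the third loguid resolves to its later, malicious verdict and the action summary counts three events rather than four; the resource value comes back with its '=' characters restored while the ';' stays as exported.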
