Add The Mars Appliance As A Host In Check Point; Define An Opsec Application That Represents Mars; Obtain The Server Entity Sic Name; Select The Access Type For Lea And Cpmi Traffic - Cisco CS-MARS-20-K9 - Security MARS 20 User Manual

Check Point Devices

... web interface. When a session is established between the MARS Appliance and the Check Point management server, the appliance publishes this SIC to the management server to ensure non-repudiation of the appliance.

3. Obtain the server SIC DN of the Check Point management server. You specify this server SIC in the MARS web interface. The MARS Appliance validates the server SIC DN against the SIC published to the appliance by the management server during session setup. This validation ensures non-repudiation of the server.

4. Create the policies to permit SIC traffic between the defined host (MARS Appliance), the Check Point management server, and any remote servers. After you identify the devices, you must verify that the network services they use for SIC-based management and reporting are permitted on the reporting device. To enable these traffic flows, you must verify or update the policies that enable the SIC traffic to flow between each reporting device and the MARS Appliance. Once you have updated these policies, you must install the policies.

5. Define the log settings to push the correct events to the defined host. You must ensure that all of the security, firewall, user authentication, and audit events are logged and configured to be published to the MARS Appliance.

6. Install the policies. Once the policies are defined, you must update the Check Point components with the policies. Policy installation includes an object database push that makes the Check Point modules aware of the OPSEC Application representing the MARS Appliance. Without this step, the modules will not forward any log information via LEA.

To perform this task, you need a Check Point user account with administrative privileges. This account must be able to create a new host, define an OPSEC application, define and install new policies, and access the settings of each managed Check Point component.

After completing this task, you should have collected the following information:

- The client and server SIC DNs.
- If you are defining a CMA for Provider-1 or SiteManager-1 NG FP3 or NG AI (R55), then you must have the virtual IP address (VIP) for each CMA and CLM managed by the MDS. Only Provider-1 and SiteManager-1 NGX (R60) require the physical IP addresses of the MDS and MLM servers.
- Any CLMs, instead of CMAs, to which security logs are being sent. If logs are being sent to CLMs, LEA is only supported using clear text.

To bootstrap the Check Point devices, perform the following procedures:

- Add the MARS Appliance as a Host in Check Point, page 4-26
- Define an OPSEC Application that Represents MARS, page 4-27
- Obtain the Server Entity SIC Name, page 4-30
- Select the Access Type for LEA and CPMI Traffic, page 4-32
- Create and Install Policies, page 4-34
- Verify Communication Path Between MARS Appliance and Check Point Devices, page 4-36

Add the MARS Appliance as a Host in Check Point

Representing the MARS Appliance in Check Point enables the following supporting tasks:

- Generate a client SIC DN for the MARS Appliance.
- Define policies to allow SIC and syslog traffic between the Check Point components and the MARS Appliance.

User Guide for Cisco Security MARS Local Controller
Chapter 4 Configuring Firewall Devices
78-17020-01
4-26
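The mutual SIC DN check described in steps 2 and 3 (the appliance publishes its client DN, and refuses the session unless the DN the management server presents matches the server DN configured in the web interface) can be modelled as a pinning comparison. The following is an added illustration, not code from the MARS product or this manual; the DN values are constructed, and the RFC 4514-style "type=value,type=value" syntax is an assumption, since the manual does not specify the DN format.

```python
import re
from dataclasses import dataclass

# Constructed sample values. Real SIC DNs are issued by the Check Point
# management server and read from the OPSEC application object.
EXPECTED_SERVER_SIC_DN = "CN=cp_mgmt,O=mgmt-server.example.net.k7hq3w"
CLIENT_SIC_DN = "CN=mars-lc,O=mgmt-server.example.net.k7hq3w"

_RDN_SPLIT = re.compile(r"(?<!\\),")  # split on commas that are not escaped


def parse_dn(dn: str) -> tuple:
    """Parse an assumed RFC 4514-style DN into ((type, value), ...).

    Attribute types are compared case-insensitively; values are trimmed of
    surrounding whitespace but otherwise compared exactly, so a near-miss DN
    (different ICA suffix, different CN) is rejected rather than tolerated.
    """
    rdns = []
    for part in _RDN_SPLIT.split(dn):
        if "=" not in part:
            raise ValueError(f"malformed RDN: {part!r}")
        attr_type, value = part.split("=", 1)
        rdns.append((attr_type.strip().lower(), value.strip().replace("\\,", ",")))
    return tuple(rdns)


def dn_matches(expected: str, presented: str) -> bool:
    """True only if both DNs parse and are RDN-for-RDN identical."""
    try:
        return parse_dn(expected) == parse_dn(presented)
    except ValueError:
        return False


@dataclass
class SessionDecision:
    accepted: bool
    reason: str


def validate_session(presented_server_dn: str,
                     expected_server_dn: str = EXPECTED_SERVER_SIC_DN) -> SessionDecision:
    """Mirror the server-side check from step 3: compare the server SIC DN
    published during session setup with the configured value and refuse the
    session on mismatch, which is what gives non-repudiation of the server."""
    if dn_matches(expected_server_dn, presented_server_dn):
        return SessionDecision(True, "server SIC DN matches configured value")
    return SessionDecision(False, f"server SIC DN mismatch: expected "
                                  f"{expected_server_dn!r}, got {presented_server_dn!r}")
```

A mismatch here is worth alerting on: it indicates either a misconfigured server DN in the MARS web interface or a management server that is not the one the appliance was bootstrapped against.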