Cisco CS-MARS-20-K9 - Security MARS 20 User Manual page 182

Check Point Devices

firewalls, MARS renames this field's value to match the name discovered in the device configuration, which typically uses the hostname.domain format. For devices that cannot be discovered, such as Windows and Linux hosts and host applications, MARS uses the provided value.

Reporting IP — Enter the IP address of the interface in the log server from which MARS will pull security event logs. This address represents either a virtual IP address associated with a CLM, an MLM, or another log server. To learn more about the reporting IP address, its role, and dependencies, see Understanding Access IP, Reporting IP, and Interface Settings, page 2-8.

Logging Access Type — This value identifies the authentication method to use for LEA traffic, which is the protocol used to pull security logs from the log server. Select ASYMSSLCA, CLEAR, or SSLCA. For more information on the access type, see Select the Access Type for LEA and CPMI Traffic, page 4-32.

Logging Port — Verify that the port number corresponds to the value specified in the LEA_SERVER auth_port line of the fwopsec.conf file on this log server. The default authentication method for configuration discovery is SSLCA and data is passed on port 18184. For more information on this setting, see Select the Access Type for LEA and CPMI Traffic, page 4-32.

Step 4  If this log server uses SSLCA or ASYMSSLCA as an authentication method, specify values for the following fields (otherwise, CLEAR is the authentication method for Access Type and LEA Access Type, and you should skip to Step 5):

Certificate — Either select the previously defined server from the list or click Add to define a new certificate authority and continue with Add a Check Point Certificate Server, page 4-47.

Client SIC Name — Enter the SIC DN of the OPSEC application for the MARS Appliance. This value was obtained in Define an OPSEC Application that Represents MARS, page 4-27.

Server SIC Name — Enter the SIC DN for the child enforcement module. This value was obtained in Obtain the Server Entity SIC Name, page 4-30. Typically, this value is the SIC DN of the SmartCenter server or of the CMA. In the case of Provider-1 and SiteManager-1 NGX (R60), this value is the SIC DN of the MDS that manages the CMA.

Step 5  To add this child enforcement module to the primary management station, click Submit.

Step 6  To add the primary management station to the MARS database, click Submit.

Result: The submit operation records the changes in the database tables. However, it does not load the changes into working memory of the MARS Appliance. The activate operation loads submitted changes into working memory.

Step 7  Click Done to close the Reporting Applications tab and return to the Security and Monitoring Devices list.

Step 8  Click Activate.

Result: Once the MARS Appliance is activated, it connects to the Check Point log modules and retrieves the traffic and audit logs. MARS also begins to sessionize events generated by this device and its modules and evaluate those events using the defined inspection and drop rules. Any events published by the device to MARS before activation can be queried using the reporting IP address of the device as a match criterion. For more information on the activate action, see Activate the Reporting and Mitigation Devices, page 2-27.

User Guide for Cisco Security MARS Local Controller, Chapter 4: Configuring Firewall Devices, page 4-54, 78-17020-01
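The Logging Port and Logging Access Type checks described above can be scripted before the values are entered in MARS. The following is an added example, not part of the Cisco manual or of any Check Point tool: it parses a copy of fwopsec.conf and compares it with the MARS fields. The function names and the sample file are constructed for illustration, and it assumes that CLEAR access uses the plain `lea_server port` line and that a port value of 0 means the listener is disabled.

```python
import re

# Constructed fwopsec.conf fragment for the demo (not from a real log server).
SAMPLE_FWOPSEC = """\
# lea_server port 18184
lea_server auth_port 18184
lea_server port 0
"""

ACCESS_TYPES = {"ASYMSSLCA", "CLEAR", "SSLCA"}  # values offered on this page

def lea_ports(conf_text):
    """Return the active lea_server port settings; None means no active line."""
    ports = {"auth_port": None, "port": None}
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # ignore comments and blank lines
        m = re.fullmatch(r"lea_server\s+(auth_port|port)\s+(\d+)", line, re.I)
        if m:
            ports[m.group(1).lower()] = int(m.group(2))
    return ports

def check_lea_settings(conf_text, access_type, logging_port):
    """List mismatches between the MARS fields and fwopsec.conf."""
    access_type = access_type.upper()
    if access_type not in ACCESS_TYPES:
        return [f"unknown access type: {access_type}"]
    findings = []
    # Assumption: authenticated types use auth_port, CLEAR uses the plain port line.
    key = "port" if access_type == "CLEAR" else "auth_port"
    if access_type == "CLEAR":
        findings.append("CLEAR: LEA log pull is not authenticated or encrypted")
    configured = lea_ports(conf_text)[key]
    if configured is None:
        findings.append(f"no active 'lea_server {key}' line in fwopsec.conf")
    elif configured == 0:
        # Assumption: 0 means this listener is disabled.
        findings.append(f"'lea_server {key}' is 0 (listener disabled)")
    elif configured != logging_port:
        findings.append(f"port mismatch: MARS {logging_port}, fwopsec.conf {configured}")
    return findings

if __name__ == "__main__":
    for finding in check_lea_settings(SAMPLE_FWOPSEC, "SSLCA", 18184) or ["OK"]:
        print(finding)
```

An empty result means the MARS Logging Port matches the active line in the file for the chosen access type.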