Checklist and Tips for installing the Checkpoint NG iRecorder.

Document ID : KB000054348
Last Modified Date : 14/02/2018

Description:

This is a high level overview of the steps needed to install the Checkpoint NG iRecorder.

Solution:


Check Point OPSEC setup

  • The Check Point Management Server must be set up to accept the LEA OPSEC connection created for the Audit iRecorder. Create a new LEA OPSEC application: in the SmartDashboard, choose Manage -> Servers and OPSEC Applications. See your Check Point documentation for more information on how to create a new OPSEC application.
  • There are several entries within the OPSEC Application Properties screen that are important:

    • Make sure in the OPSEC Application Properties window that the Host Selected is the host where the Audit iRecorder is installed.

    • Make sure in the OPSEC Application Properties window only the LEA is checked.

    • Click the "Communication..." button to set up a secure link (SIC) for the Check Point iRecorder.

      • Enter the Activation Key and make sure that Initialize is selected. The Trust state will change to "Initialized but trust not established". If the iRecorder has already been installed in the past, the Trust state may already be established. If you are reinstalling the iRecorder you must "Reset" or recreate the SIC communication, or the iRecorder will fail to communicate with Checkpoint.

    • Within the OPSEC Application Properties window, verify the information in the DN box. This information should begin with CN. It is important that this information matches the information on the Audit iRecorder machine, which is held in the following files:
      Program Files\CA\SharedComponents\iTechnology\cpconfig\<machine_name>.cn and <machine_name>.cfg
      This DN information can be viewed at a later time when you edit the OPSEC object.

Audit Check Point NG iRecorder Install

  • Install the Audit iRecorder software either on a separate machine or on the Check Point Firewall machine itself. The machine that the iRecorder is installed on must be able to connect via the network to the machine that is running the Check Point Log Manager. It is recommended that the iRecorder is installed on a separate machine in order to distribute resource loads.

    • During the Audit iRecorder installation you must provide the following information:

      • The IP Address of the Check Point Management Server.

      • The Host name of the same Check Point Management Server.

      • The Port that the Check Point LEA is listening on (the default is port 18184).

      • The object name that was used when the OPSEC connection was made on the Check Point SmartDashboard.

      • The authentication key that was used to initialize the LEA Object.

        • The above steps can be repeated by pressing the Add/Change button to create up to 10 LEA connections.
          Note: The connections are IP based. Therefore, there cannot be two OPSEC LEA connections from one iRecorder to the same IP address. The IP address uniquely identifies an OPSEC connection.

Check Point post iRecorder install

  • On the Check Point SmartDashboard, select Policy -> Install to push down the rules and database, or choose Install Database to install just the database.

    • Make sure that the Log Manager Host name is selected when installing the policy or database.

Manual Installation and Troubleshooting

The Checkpoint iRecorder certificates and configuration can be manually configured if there are problems with the GUI install.

Please refer to the Checkpoint documentation for details on fw putkey.

If you require instructions on manually pulling the OPSEC object from Checkpoint, please refer to the Checkpoint iRecorder guide.

The configuration for OPSEC communication on the firewall is located in the <FWDIR>\conf\fwopsec.conf file.

To manually configure for SSL_OPSEC:

  • On the Check Point server, run: fw putkey -opsec -ssl [iRecorder machine IPAddress]

  • Set up the password when prompted.

  • On the iRecorder machine, stop the iGateway service.

  • Go to the iTechnology folder.

  • Run: opsec_putkey -port fw -ssl [Check Point Server machine IPAddress]

  • Enter the password that was used on the Check Point side earlier.

  • Go into the iTechnology\cpconfig directory and open the [Server host name].cfg file.
    Note: There should be a .cfg file for each of your connections.

  • Open the [machinename].cfg file. The .cfg file contains all the information needed for the LEA connection.

    • Verify or change the lea_server auth_type to ssl_opsec.
    • Verify that the CN information in this file matches the information from the OPSEC Application Properties window.

  • Verify that there are two additional files in the iTechnology\cpconfig directory.

    • [Server host name].cn
    • [Server host name].p12

  • Go to the iTechnology folder and verify two additional files are in place for each connection.

    • CheckPointNG[Server host name].conf
    • CheckPointNG[Server host name].dll

  • Restart the iGateway service.
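The consistency checks in the manual steps above (auth_type set to ssl_opsec, the DN in the .cfg file matching the SmartDashboard DN, and the companion .cn, .p12, .conf and .dll files present for each connection), plus the IP-uniqueness and 10-connection limits from the install section, as an added example script; this is not CA or Check Point code. It assumes the .cfg file uses OPSEC-style "lea_server <key> <value>" lines and that the DN appears as a value beginning with "CN="; the sample .cfg content and file listing are constructed.

```python
MAX_LEA_CONNECTIONS = 10  # limit stated in the install steps

# Constructed sample .cfg content (not a real iRecorder file)
SAMPLE_CFG = """lea_server ip 10.0.0.5
lea_server auth_port 18184
lea_server auth_type ssl_opsec
opsec_sic_name CN=audit_irec,O=cpmgmt..abc123
"""


def expected_files(server_host):
    """Files that must exist per connection, relative to the iTechnology folder."""
    return {
        f"cpconfig/{server_host}.cfg", f"cpconfig/{server_host}.cn",
        f"cpconfig/{server_host}.p12",
        f"CheckPointNG{server_host}.conf", f"CheckPointNG{server_host}.dll",
    }


def parse_cfg(text):
    """Parse 'lea_server auth_type ssl_opsec' style lines into {key: value} (assumed format)."""
    settings = {}
    for raw in text.splitlines():
        parts = raw.strip().split(None, 2)
        if not parts or parts[0].startswith("#"):
            continue
        if parts[0] == "lea_server" and len(parts) == 3:
            settings[parts[1]] = parts[2]
        elif len(parts) == 2:
            settings[parts[0]] = parts[1]
    return settings


def check_connection(cfg_text, dashboard_dn, present_files, server_host):
    """Return a list of findings; an empty list means the connection is consistent."""
    findings = []
    cfg = parse_cfg(cfg_text)
    if cfg.get("auth_type") != "ssl_opsec":
        findings.append(f"auth_type is {cfg.get('auth_type')!r}, expected 'ssl_opsec'")
    if not dashboard_dn.upper().startswith("CN="):
        findings.append("DN from SmartDashboard does not begin with CN=")
    dns_in_file = {v for v in cfg.values() if v.upper().startswith("CN=")}
    if dashboard_dn not in dns_in_file:
        findings.append(f"DN {dashboard_dn!r} not found in .cfg (file has {sorted(dns_in_file)})")
    for missing in sorted(expected_files(server_host) - set(present_files)):
        findings.append(f"missing file: {missing}")
    return findings


def check_connection_set(connections):
    """connections: list of (server_host, ip); enforce the unique-IP and 10-connection rules."""
    findings = []
    if len(connections) > MAX_LEA_CONNECTIONS:
        findings.append(f"{len(connections)} connections exceeds limit of {MAX_LEA_CONNECTIONS}")
    seen = {}
    for host, ip in connections:
        if ip in seen:
            findings.append(f"{host} reuses IP {ip} already used by {seen[ip]}")
        seen.setdefault(ip, host)
    return findings
```

Feed it the real .cfg text, the DN copied from the OPSEC Application Properties window, and a listing of the iTechnology folder; any non-empty findings list points at the step to redo before restarting iGateway.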

Audit Policy Manager

  • Create or use the default policies and select the policies you want to activate.

  • Activate the policies to be sent to the Audit client machine where the iRecorder is installed. If you are configuring the iRecorder to send to a remote iRouter then the policy would be applied to the remote iRouter machine.

Tips

The Audit iRecorder for Checkpoint should connect directly to the Check Point Log Manager. Normally the Audit iRecorder should not be connected to the Check Point Enforcement Point, and the Enforcement Point should not sit between the Check Point Log Manager and the Audit iRecorder.

Checkpoint logs are only collected when the Checkpoint application is online.

The iRecorder can be installed on any supported node as long as the iRecorder can reach the Check Point Log Manager through the network. It is recommended that the iRecorder be installed on a separate machine rather than on the Check Point server itself.