Juniper SECURITY THREAT RESPONSE MANAGER 2008.2 - CONFIGURING DSMS REV 1, Security Threat Response Manager User Manual

Security Threat Response Manager
Release 2008.2
Juniper Networks, Inc.
1194 North Mathilda Avenue Sunnyvale, CA 94089 USA 408-745-2000
www.juniper.net
Part Number: 530-025608-01, Revision 1
Copyright Notice
Copyright © 2008 Juniper Networks, Inc. All rights reserved. Juniper Networks and the Juniper Networks logo are registered trademarks of Juniper Networks Inc. in the United States and other countries. All other trademarks, service marks, registered trademarks, or registered service marks in this document are the property of Juniper Networks or their respective owners. All specifications are subject to change without notice. Juniper Networks assumes no responsibility for any inaccuracies in this document or for any obligation to update information in this document. Juniper Networks reserves the right to change, modify, transfer, or otherwise revise this publication without notice.
FCC Statement
The following information is for FCC compliance of Class A devices: This equipment has been tested and found to comply with the limits for a Class A digital device, pursuant to part 15 of the FCC rules. These limits are designed to provide reasonable protection against harmful interference when the equipment is operated in a commercial environment. The equipment generates, uses, and can radiate radio-frequency energy and, if not installed and used in accordance with the instruction manual, may cause harmful interference to radio communications. Operation of this equipment in a residential area is likely to cause harmful interference, in which case users will be required to correct the interference at their own expense. The following information is for FCC compliance of Class B devices: The equipment described in this manual generates and may radiate radio-frequency energy. If it is not installed in accordance with NetScreen’s installation instructions, it may cause interference with radio and television reception. This equipment has been tested and found to comply with the limits for a Class B digital device in accordance with the specifications in part 15 of the FCC rules. These specifications are designed to provide reasonable protection against such interference in a residential installation. However, there is no guarantee that interference will not occur in a particular installation. If this equipment does cause harmful interference to radio or television reception, which can be determined by turning the equipment off and on, the user is encouraged to try to correct the interference by one or more of the following measures: Reorient or relocate the receiving antenna. Increase the separation between the equipment and receiver. Consult the dealer or an experienced radio/TV technician for help. Connect the equipment to an outlet on a circuit different from that to which the receiver is connected.
Caution: Changes or modifications to this product could void the user's warranty and authority to operate this device.
Disclaimer
THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE OR LIMITED WARRANTY, CONTACT YOUR JUNIPER NETWORKS REPRESENTATIVE FOR A COPY.
Configuring DSMs
Release 2008.2 Copyright © 2008, Juniper Networks, Inc. All rights reserved. Printed in USA. Revision History June 2008—Revision 1
The information in this document is current as of the date listed in the revision history.
CONTENTS
About This Guide 1
Overview 3
3Com 8800 Series Switch 5
Ambiron TrustWave ipAngel 7
Apache HTTP Server 9
Apple Mac OS X 11
Array Network SSL VPN 13
F5 Networks BigIP 15
Blue Coat SG 17
Check Point FireWall-1 19
Check Point Provider-1 25
Cisco ACS 29
Cisco ASA 31
Cisco CatOS for Catalyst Switches 33
Cisco CSA 35
Cisco FWSM 37
Cisco IDS/IPS 39
Cisco NAC Device 41
Cisco IOS 43
Cisco Pix 45
Cisco VPN 3000 Concentrator 47
CyberGuard Firewall/VPN Appliance 49
Enterasys Dragon 51
Enterasys Matrix Router 55
Enterasys Matrix N-Series 57
Extreme Networks ExtremeWare 59
ForeScout CounterACT 61
Fortinet FortiGate 63
Generic Authorization Server 65
Generic Firewall 69
IBM AIX 5L 73
IBM Proventia Management SiteProtector 75
ISS Proventia 77
Juniper DX Application Acceleration Platform 79
Juniper EX-Series Ethernet Switch 81
Juniper NetScreen IDP 83
Juniper Networks Secure Access 85
Juniper Infranet Controller 89
Juniper NetScreen Firewall 91
Juniper NSM 93
Juniper Router 95
Juniper Steel-Belted RADIUS 97
Linux DHCP 99
Linux IPtables 101
Linux Login Messages 103
McAfee Intrushield 105
McAfee ePolicy Orchestrator 107
MetaInfo MetaIP 109
Microsoft Exchange Server 111
Microsoft DHCP Server 113
Microsoft IAS Server 115
Microsoft IIS 117
Microsoft SQL Server 119
Microsoft Windows Security Event Log 121
Niksun 123
Nokia Firewall 125
Nortel ARN 129
Nortel Application Switch 131
Nortel Contivity 5000 133
Nortel Contivity Firewall/VPN 135
Nortel Switched Firewall 5100 137
Nortel Switched Firewall 6000 141
Nortel VPN Gateway 145
OpenBSD 147
Open Source SNORT 149
Oracle Audit Records 151
Oracle DB Listener 155
ProFTPd 159
Samhain 161
Secure Computing Sidewinder 165
Sun Solaris 167
Sun Solaris DHCP 169
SonicWALL 171
Sun Solaris Sendmail 173
Sourcefire Intrusion Sensor 175
Squid Web Proxy 177
Symantec SGS 179
Symantec System Center 181
Symark PowerBroker 183
Tipping Point Intrusion Prevention System 185
TippingPoint X505/X506 Device 187
TopLayer 189
Trend Micro InterScan VirusWall 191
Tripwire 193
Universal DSM 195
Vericept Content 360 DSM 207
Supported DSMs 209
ABOUT THIS GUIDE
The Configuring DSMs Guide provides you with information for configuring sensor devices (DSMs) and integrating the DSMs with STRM or STRM Log Management.
Conventions
Table 1 lists conventions that are used throughout this guide.
Table 1 Icons
Icon Type: Description
Information note: Information that describes important features or instructions.
Caution: Information that alerts you to potential loss of data or potential damage to an application, system, device, or network.
Warning: Information that alerts you to potential personal injury.
Technical Documentation
You can access technical documentation, technical notes, and release notes directly from the Juniper Networks Support Web site at http://www.juniper.net/support/.
Documentation Feedback
We encourage you to provide feedback, comments, and suggestions so that we can improve the documentation. Send your comments to techpubs-comments@juniper.net, or fill out the documentation feedback form at http://www.juniper.net/techpubs/docbug/docbugreport.html. If you are using e-mail, be sure to include the following information with your comments:
Document name
Document part number
Page number
Software release version
Requesting Support
Open a support case using the Case Management link at http://www.juniper.net/support/ or call 1-888-314-JTAC (from the United States, Canada, or Mexico) or 1-408-745-9500 (from elsewhere).
OVERVIEW
You can configure STRM or STRM Log Management to log and correlate events received from external sources such as security equipment (for example, firewalls) and network equipment (for example, switches and routers). Device Support Modules (DSMs) allow you to integrate STRM or STRM Log Management with these external devices. Unless otherwise noted, all references to STRM refer to both STRM and STRM Log Management.
You can configure the Event Collector to collect security events from various types of security devices in your network. The Event Collector gathers events from local and remote devices. The Event Collector then normalizes and bundles the events and sends the events to the Event Processor.
All events are correlated, and security and policy offenses are created based on correlation rules. These offenses are displayed in the Offense Manager. For more information on the Offense Manager interface, see the STRM Users Guide.
Note: Before you configure STRM to collect security information from devices, you must set up your deployment, including off-site sources or targets, using the deployment editor. For more information on the deployment editor, see the STRM Administration Guide.
To configure STRM to receive events from devices, you must:
Step 1 Configure the device to send events to STRM.
Step 2 Configure STRM to receive events from specific devices. For more information, see the Managing Sensor Devices Guide.
3COM 8800 SERIES SWITCH
A STRM 3Com 8800 Series Switch DSM accepts events using syslog. STRM records all relevant status and network condition events. Before configuring a 3Com 8800 Series Switch device in STRM, you must configure your device to send syslog events to STRM.
To configure the device to send syslog events to STRM:
Step 1 Log in to the 3Com 8800 Series Switch interface.
Step 2 Enable the information center:
info-center enable
Step 3 Configure the host with the IP address of your STRM system as the loghost, the severity level threshold value as informational, and the output language as English:
info-center loghost <ip_address> facility <severity> language english
Where:
<ip_address> is the IP address of your STRM system.
<severity> is the facility severity.
Step 4 Configure the ARP and IP information modules to log:
info-center source arp channel loghost log level informational
info-center source ip channel loghost log level informational
You are now ready to configure the sensor device within the STRM interface. To configure STRM to receive events from a 3Com 8800 Series Switch, you must select the 3Com 8800 Series Switch option from the Sensor Device Type drop-down list box. For more information on configuring sensor devices, see the Managing Sensor Devices Guide.
AMBIRON TRUSTWAVE ipANGEL
A STRM Ambiron TrustWave ipAngel DSM accepts events using syslog. STRM records all Snort-based events from the ipAngel console.
Before you configure STRM to integrate with ipAngel, you must forward your cache and access logs to your STRM system. For information on forwarding device logs to STRM, see your vendor documentation.
You are now ready to configure the sensor device within the STRM interface. To configure STRM to receive events from an ipAngel device, choose one of the following options, depending on which version of STRM you are using:
Select ATW IpAngel from the Sensor Device Type drop-down list box.
Select Ambiron TrustWave ipAngel Intrusion Prevention System (IPS) from the Sensor Device Type drop-down list box.
For more information on configuring sensor devices, see the Managing Sensor Devices Guide.
APACHE HTTP SERVER
A STRM Apache HTTP Server DSM accepts Apache events using syslog. You can integrate Apache versions 1.3 and above with STRM. STRM records all relevant HTTP status events.
Note: The procedure in this section applies to Apache DSMs operating on Unix/Linux platforms only.
Before you configure STRM to integrate with Apache, you must:
Step 1 Open the Apache configuration file.
Step 2 Add the following below the log format definitions:
LogFormat "%h %A %l %u %t \"%r\" %>s %p %b" qradar
Step 3 Add the following line below the LogFormat entry to write to syslog:
CustomLog "|/usr/bin/logger -t httpd -p <facility>.<priority>" qradar
Where:
<facility> is a syslog facility, for example, local0.
<priority> is a syslog priority, for example, info or notice.
For example:
CustomLog "|/usr/bin/logger -t httpd -p local1.info" qradar
Note: Verify that hostname lookups are disabled. The Apache configuration must contain the following directive:
HostnameLookups off
Step 4 Open the syslog.conf file.
Step 5 Add the following line:
<facility>.<priority> <TAB><TAB>@<host>
Where:
<facility> is the syslog facility, for example, local0. This value must match the value entered in Step 3.
<priority> is the syslog priority, for example, info or notice. This value must match the value entered in Step 3.
<TAB> indicates you must press the TAB key.
<host> indicates the STRM managed host.
Step 6 Restart syslog:
/etc/init.d/syslog restart
Step 7 Restart Apache.
You are now ready to configure the sensor device within the STRM interface. To configure STRM to receive events from an Apache device, you must select the Open Source Apache Webserver option from the Sensor Device Type drop-down list box. For more information on configuring sensor devices, see the Managing Sensor Devices Guide.
For more information on Apache, see http://www.apache.org/.
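The LogFormat above determines exactly what STRM receives from the logger pipe. The following parser is an added example (not part of this guide or of Apache) that reads records written in that qradar format, with or without the BSD syslog header that logger prepends, and rolls them up by status class. The sample lines are constructed; the assumed header shape is "Mon DD HH:MM:SS host httpd: ".

```python
"""Parser for Apache access records written with the guide's custom LogFormat:
    LogFormat "%h %A %l %u %t \"%r\" %>s %p %b" qradar
and forwarded through '/usr/bin/logger -t httpd -p <facility>.<priority>'.
Added example; the sample lines below are constructed, not real STRM data."""
import re
from collections import Counter

# Assumption: logger prefixes each record with a BSD syslog header of the form
# 'Mon DD HH:MM:SS host httpd: '. The header is optional so raw access-log
# lines (as read from a file) parse too.
SYSLOG_HEADER = r'^(?:[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2} \S+ httpd(?:\[\d+\])?: )?'

# One capture group per LogFormat token, in the order the guide defines them.
QRADAR_FIELDS = (
    r'(?P<client>\S+) '          # %h  remote host
    r'(?P<local_ip>\S+) '        # %A  local (server) IP address
    r'(?P<ident>\S+) '           # %l  identd result, usually "-"
    r'(?P<user>\S+) '            # %u  authenticated user or "-"
    r'\[(?P<time>[^\]]+)\] '     # %t  request time in CLF brackets
    r'"(?P<request>[^"]*)" '     # %r  first request line
    r'(?P<status>\d{3}) '        # %>s final HTTP status
    r'(?P<port>\d+) '            # %p  server port that accepted the request
    r'(?P<bytes>\d+|-)$'         # %b  response bytes, "-" when zero
)
LINE_RE = re.compile(SYSLOG_HEADER + QRADAR_FIELDS)


def parse_qradar_line(line):
    """Return a dict of fields for one record, or None if the line does not
    match the qradar LogFormat (for example, a line from another daemon)."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec['status'] = int(rec['status'])
    rec['port'] = int(rec['port'])
    # Apache writes "-" rather than 0 for an empty response body.
    rec['bytes'] = 0 if rec['bytes'] == '-' else int(rec['bytes'])
    # %r is "METHOD PATH PROTOCOL"; a bare "-" means no request line was read.
    parts = rec['request'].split(' ')
    rec['method'] = parts[0] if parts[0] not in ('', '-') else None
    rec['path'] = parts[1] if len(parts) > 1 else None
    return rec


def summarize(lines):
    """Count parsed/unparsed records and group statuses by class (2xx, 4xx, ...),
    the kind of roll-up a collector does before normalizing the events."""
    stats = {'parsed': 0, 'unparsed': 0,
             'status_classes': Counter(), 'clients': Counter()}
    for line in lines:
        rec = parse_qradar_line(line)
        if rec is None:
            stats['unparsed'] += 1
            continue
        stats['parsed'] += 1
        stats['status_classes'][f"{rec['status'] // 100}xx"] += 1
        stats['clients'][rec['client']] += 1
    return stats


# Constructed sample records (RFC 5737 documentation addresses); the last one
# is a non-Apache syslog line to show how a foreign record is rejected.
SAMPLE_LINES = [
    'Jun 12 10:15:01 web01 httpd: 192.0.2.10 198.51.100.5 - - '
    '[12/Jun/2008:10:15:01 +0000] "GET /index.html HTTP/1.1" 200 80 5120',
    'Jun 12 10:15:02 web01 httpd: 192.0.2.10 198.51.100.5 - alice '
    '[12/Jun/2008:10:15:02 +0000] "GET /admin/ HTTP/1.1" 403 443 -',
    'Jun 12 10:15:03 web01 httpd: 203.0.113.7 198.51.100.5 - - '
    '[12/Jun/2008:10:15:03 +0000] "POST /cgi-bin/login.cgi HTTP/1.0" 500 80 312',
    'Jun 12 10:15:04 web01 sshd[412]: Accepted publickey for bob from 192.0.2.10',
]

if __name__ == '__main__':
    for line in SAMPLE_LINES:
        print(parse_qradar_line(line))
    print(summarize(SAMPLE_LINES))
```

Unparsed records are counted rather than dropped silently; a rising unparsed count after an Apache upgrade is the quickest sign that the LogFormat line was lost or changed.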
APPLE MAC OS X
A STRM Apple Mac OS X DSM accepts events using syslog. STRM records all relevant firewall, web server access, web server error, privilege escalation, and informational events.
Before you configure STRM to integrate with Mac OS X, you must:
Step 1 Log in as a root user.
Step 2 Open the /etc/syslog.conf file.
Step 3 Add the following line to the top of the file. Make sure all other lines remain intact:
*.*<TAB>@<IP address>
Where:
<IP address> is the IP address of the STRM system.
<TAB> indicates you must press the TAB key.
Step 4 Save and exit the file.
Step 5 Send a hang-up signal to the syslog daemon to make sure all changes are enforced:
sudo killall -HUP syslogd
You are now ready to configure the sensor device within the STRM interface. To configure STRM to receive events from a Mac OS X server, you must select the Mac OS X option from the Sensor Device Type drop-down list box. For more information on configuring sensor devices, see the Managing Sensor Devices Guide.
See your Mac OS X documentation for more information.
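Every syslog-based procedure in this guide ends with the same pair of settings: a selector on the sending side (the -p <facility>.<priority> given to logger, or *.* for Mac OS X) and a matching syslog.conf line that forwards it to STRM. The helper below is an added example, not from the guide, that builds that forwarding line with real TAB characters and checks whether a given syslog.conf would actually forward a message logged at a given facility and priority, using classic BSD selector semantics (a priority matches itself and everything more severe). The syslog.conf excerpt it checks is constructed.

```python
"""Build the syslog.conf forwarding entries used throughout the guide
('<facility>.<priority><TAB><TAB>@<host>' for Apache and Check Point,
'*.*' for Mac OS X) and check that a selector covers the facility/priority
the sending side uses. Added example, not from the guide."""

SYSLOG_FACILITIES = {
    'auth', 'authpriv', 'cron', 'daemon', 'ftp', 'kern', 'lpr', 'mail',
    'news', 'syslog', 'user', 'uucp', *(f'local{i}' for i in range(8)),
}
# Ordered from lowest to highest severity; a selector at priority P matches
# messages at P and every higher severity (classic BSD syslog.conf semantics).
SYSLOG_PRIORITIES = ['debug', 'info', 'notice', 'warning', 'err', 'crit', 'alert', 'emerg']
ALIASES = {'warn': 'warning', 'error': 'err', 'panic': 'emerg'}


def _norm_priority(p):
    return ALIASES.get(p, p)


def forwarding_line(facility, priority, host):
    """Return the line to append to syslog.conf, with the two real TAB
    characters the guide tells you to type between selector and action."""
    priority = _norm_priority(priority)
    if facility != '*' and facility not in SYSLOG_FACILITIES:
        raise ValueError(f'unknown syslog facility: {facility}')
    if priority != '*' and priority not in SYSLOG_PRIORITIES:
        raise ValueError(f'unknown syslog priority: {priority}')
    if not host or any(c.isspace() for c in host):
        raise ValueError('host must be a single non-empty token')
    return f'{facility}.{priority}\t\t@{host}'


def selector_matches(selector, facility, priority):
    """True if a syslog.conf selector such as 'local1.info' forwards a message
    logged with the given facility and priority (e.g. 'logger -p local1.info')."""
    sel_fac, sel_pri = selector.split('.', 1)
    sel_pri, priority = _norm_priority(sel_pri), _norm_priority(priority)
    if sel_fac != '*' and facility not in sel_fac.split(','):
        return False
    if sel_pri == 'none':          # 'facility.none' excludes that facility
        return False
    if sel_pri == '*':
        return True
    return SYSLOG_PRIORITIES.index(priority) >= SYSLOG_PRIORITIES.index(sel_pri)


def check_forwarding(conf_lines, facility, priority):
    """Return the syslog.conf lines that forward facility.priority to a remote
    host; an empty list means those events never leave the sending machine."""
    hits = []
    for line in conf_lines:
        line = line.strip()
        if not line or line.startswith('#'):
            continue
        parts = line.split()
        if len(parts) != 2 or not parts[1].startswith('@'):
            continue
        for selector in parts[0].split(';'):
            if selector.count('.') == 1 and selector_matches(selector, facility, priority):
                hits.append(line)
                break
    return hits


# Constructed syslog.conf excerpt: a local file sink plus two remote forwards.
SAMPLE_SYSLOG_CONF = [
    '*.info;mail.none\t\t/var/log/messages',
    forwarding_line('local1', 'info', '10.0.0.5'),
    forwarding_line('local3', 'notice', '10.0.0.5'),
]

if __name__ == '__main__':
    print(check_forwarding(SAMPLE_SYSLOG_CONF, 'local1', 'info'))
    print(check_forwarding(SAMPLE_SYSLOG_CONF, 'local3', 'info'))   # [] : not forwarded
```

The second check is the mismatch the guide warns about: a sender using local3.info against a syslog.conf line for local3.notice produces no error anywhere, the events simply never reach STRM.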
ARRAY NETWORK SSL VPN
The STRM Array Networks SSL VPN DSM collects events from an ArrayVPN appliance using syslog. For details of configuring ArrayVPN appliances for remote syslog, please consult Array Networks documentation.
Once you configure syslog to forward events to STRM, you are ready to configure the sensor device within the STRM interface. To configure STRM to receive events from an Array Networks SSL VPN device, choose one of the following options:
If you are using STRM 6.0, you must select ArrayNetworks SSL VPN from the Sensor Device Type drop-down list box.
If you are using STRM 6.0.1 and above, you must select Array Networks SSL VPN Access Gateway from the Sensor Device Type drop-down list box.
For more information on configuring sensor devices, see the Managing Sensor Devices Guide.
F5 NETWORKS BIGIP
The STRM F5 Networks BigIP DSM collects events from a BigIP load balancer using syslog. For details on configuring remote syslog with the BigIP switch, please consult the vendor documentation.
Once you configure syslog to forward events to STRM, you are ready to configure the sensor device within the STRM interface. To configure STRM to receive events from an F5 Networks BigIP device, you must select the F5 Networks BigIP option from the Sensor Device Type drop-down list box. For more information on configuring sensor devices, see the Managing Sensor Devices Guide.
BLUE COAT SG
A STRM Blue Coat SG DSM accepts syslog events from a Blue Coat SG Appliance. STRM records all relevant and available information from the event. Before configuring a Blue Coat SG device in STRM, you must configure your device to send syslog to STRM.
For more information regarding your Blue Coat SG Appliance, see your vendor documentation.
To configure your Blue Coat SG device to send syslog to STRM:
Step 1 Using a web browser, log in to the Blue Coat Management Console.
Step 2 From the menu, select Access Logging > General > Default > Default Logging.
Step 3 Make sure the Enable Access Logging check box is selected.
Step 4 Select the Protocol you wish to use for logging to STRM. Click Edit.
Step 5 From the Default Logging Policy option, select Streaming, which is used for streaming protocols.
Step 6 Click Apply.
Step 7 From the menu, select Access Logging > Formats > Streaming.
Step 8 Click Edit.
Step 9 Make sure that the W3C Extended File Format (ELFF) string is enabled with the default:
c-ip date time c-dns cs-uri-scheme cs-host cs-uri-port cs-uri-path cs-uri-query c-starttime x-duration c-rate c-status c-playerid c-playerversion c-playerlanguage cs(User-Agent) cs(Referer) c-hostexe c-hostexever c-os c-osversion c-cpu filelength filesize avgbandwidth protocol transport audiocodec videocodec channelURL sc-bytes c-bytes s-pkts-sent c-pkts-received c-pkts-lost-client c-pkts-lost-net c-pkts-lost-cont-net c-resendreqs c-pkts-recovered-ECC c-pkts-recovered-resent c-buffercount c-totalbuffertime c-quality s-ip s-dns s-totalclients s-cpu-util x-cache-user x-cache-info x-client-address
Note: The Format tab allows you to create a format to use for your log facilities. Although several log formats ship with the SGOS software, STRM requires that the streaming log format use the default ELFF log format.
Step 10 Make sure the Multiple-valued header policy option is set to Log last header. Click OK.
Step 11 Click Apply.
Step 12 Configure the log format:
a From the menu, select Access Logging > Logs.
b Click the General Settings tab.
c Using the Log: drop-down list box, select streaming.
d Verify the Log Format is set to squid.
Note: STRM requires that the Squid log format be selected to ensure that the ELFF formatted logs are properly transferred to STRM in the expected Squid format.
Step 13 Configure the host to which you wish to send logs:
a From the menu, select Access Logging > Logs.
b Click the Upload Client tab.
c Using the Log: drop-down list box, select streaming.
d From the Client type drop-down list box, select Custom Client.
e Click Settings.
f Configure the host and port of the STRM system to which you wish to send logs. The STRM default for syslog is 514.
g Click OK.
h In the Save the log file parameter, make sure the text file option is selected.
Step 14 Configure the appropriate access:
a From the menu, select Access Logging > Logs.
b Click the Upload Schedule tab.
c Using the Log: drop-down list box, select streaming.
d In the Upload the access log parameter, make sure the continuously option is selected.
e Click Apply.
You are now ready to configure the sensor device within the STRM Console. To configure STRM to receive events from a Blue Coat SG device, you must select the Blue Coat SG Appliance option from the Sensor Device Type drop-down list box. For more information on configuring sensor devices, see the Managing Sensor Devices Guide.
CHECK POINT FIREWALL-1
You can configure STRM to integrate with a Check Point FireWall-1 device using one of the following methods:
Integrating Check Point FireWall-1 Using Syslog
Integrating CheckPoint FireWall-1 Using OPSEC
Note: Depending on your Operating System, the procedures for the Check Point FireWall-1 device may vary. The following procedures are based on the Check Point SecurePlatform Operating system.
Integrating Check Point FireWall-1 Using Syslog
This section describes how to ensure that the STRM Check Point FireWall-1 DSM accepts FireWall-1 events using syslog.
Note: If Check Point SmartCenter is installed on Microsoft Windows, you must use the Integrating CheckPoint FireWall-1 Using OPSEC method.
Before you configure STRM to integrate with a Check Point FireWall-1 device:
Step 1 Enter the following command to access the Check Point console as an expert user:
expert
A password prompt appears.
Step 2 Enter your expert console password. Press Enter.
Step 3 Open the following file:
/etc/rc.d/rc3.d/S99local
Step 4 Add the following line:
$FWDIR/bin/fw log -ftn | /usr/bin/logger -p <facility>.<priority> > /dev/null 2>&1 &
Where:
<facility> is a syslog facility, for example, local3.
<priority> is a syslog priority, for example, info.
For example:
$FWDIR/bin/fw log -ftn | /usr/bin/logger -p local3.info > /dev/null 2>&1 &
Step 5 Save and close the file.
Step 6 Open the syslog.conf file.
Step 7 Add the following line:
<facility>.<priority> <TAB><TAB>@<host>
Where:
<facility> is the syslog facility, for example, local3. This value must match the value entered in Step 4.
<priority> is the syslog priority, for example, info or notice. This value must match the value entered in Step 4.
<TAB> indicates you must press the TAB key.
<host> indicates the STRM managed host.
Step 8 Save and close the file.
Step 9 Depending on your operating system, enter the following command to restart syslog:
In Linux:
service syslog restart
In Solaris:
/etc/init.d/syslog start
Step 10 Enter the following command:
nohup $FWDIR/bin/fw log -ftn | /usr/bin/logger -p <facility>.<priority> > /dev/null 2>&1 &
Where:
<facility> is a syslog facility, for example, local3. This value must match the value entered in Step 4.
<priority> is a syslog priority, for example, info. This value must match the value entered in Step 4.
You are now ready to configure the sensor device within the STRM interface. To configure STRM to receive events from a Check Point Firewall-1 device using syslog, choose one of the following options:
If you are using STRM 6.0, select CheckPoint Firewall-1 Devices via Syslog from the Sensor Device Type drop-down list box.
If you are using STRM 6.0.1 and above, select CheckPoint Firewall-1 from the Sensor Device Type drop-down list box.
For more information on configuring sensor devices, see the Managing Sensor Devices Guide.
For more information regarding Check Point FireWall-1, see the Check Point FireWall-1 documentation.
Integrating CheckPoint FireWall-1 Using OPSEC
This section describes how to ensure that the STRM Check Point FireWall-1 DSM accepts FireWall-1 events using Open Platform for Security (OPSEC).
Note: The method used for integrating Check Point Firewall-1 into STRM using OPSEC is dependent on the version of STRM you are running.
This section includes the following information:
Enabling CheckPoint Firewall-1 and STRM
Reconfiguring CheckPoint FireWall-1 SmartCenter
Enabling CheckPoint Firewall-1 and STRM
This section describes how to enable CheckPoint Firewall to integrate with STRM. To enable Check Point FireWall-1 and STRM integration:
Step 1 Reconfigure Check Point FireWall-1 SmartCenter. See Reconfiguring CheckPoint FireWall-1 SmartCenter.
Step 2 Verify and change, if necessary, the OPSEC communication configuration.
Step 3 In the STRM interface, configure the OPSEC LEA protocol.
To configure STRM to receive events from a Check Point device using OPSEC LEA, you must select the LEA option from the Protocol drop-down list box when configuring your protocol configuration. For more information, see Configuring Protocols in Managing Sensor Devices.
Step 4 Configure the sensor device within the STRM interface.
To configure STRM to receive events from a Check Point Firewall-1 device using OPSEC, you must select CheckPoint Firewall-1 from the Sensor Device Type drop-down list box and LEA::<protocol_name> from the Protocol Configuration drop-down list box.
For more information on configuring sensor devices, see the Managing Sensor Devices Guide.
Reconfiguring CheckPoint FireWall-1 SmartCenter
This section describes how to reconfigure the Check Point FireWall-1 SmartCenter. In the Check Point FireWall-1 SmartCenter, create a host object representing the STRM system. The leapipe is the connection between the Check Point FireWall-1 and STRM.
To reconfigure the Check Point FireWall-1 SmartCenter:
Step 1 Create a host object:
a Open the Check Point SmartDashboard GUI.
b Select Manage > Network Objects > New > Node > Host.
c Enter the appropriate information in the Name, IP Address, and Comment (optional) text fields for your host.
d Click OK.
e Select Close.
Step 2 Create the OPSEC connection:
a Select Manage > Servers and OPSEC applications > New > OPSEC Application Properties.
b Enter the appropriate information in the Name and Comment (optional) text fields.
Note: The name you enter must be different than the name entered in Step 1 c.
c From the Host drop-down list box, select the host object you created in Step 1.
d From the Application Properties drop-down list box, select User Defined as the vendor.
e From the Client Entries drop-down list box, select LEA.
f Click Communication to generate a Secure Internal Communication (SIC) certificate.
g Enter an activation key.
h Click OK.
i Click Close.
Step 3 Select Policy > Install > OK to install the Security Policy on your firewall.
Verifying or Changing the OPSEC Communications Configuration
This section describes how to modify your Check Point FireWall-1 configuration to allow OPSEC communications on non-standard ports, and in a clear text, un-authenticated stream.
This section includes the following information:
Changing the Default Port on which OPSEC LEA Communicates
Configuring OPSEC LEA for Un-Encrypted Communications
Changing the Default Port on which OPSEC LEA Communicates
To change the default port on which OPSEC LEA communicates (that is, port 18184):
Step 1 At the command-line prompt of your Check Point SmartCenter Server, enter the following command to stop the firewall services:
cpstop
Step 2 Depending on your Check Point SmartCenter Server’s operating system, open the following file:
In Linux:
$FWDIR/conf/fwopsec.conf
In Windows:
%FWDIR%\conf\fwopsec.conf
The default contents of this file are as follows:
# The VPN-1/FireWall-1 default settings are:
#
# sam_server auth_port 0
# sam_server port 18183
#
# lea_server auth_port 18184
# lea_server port 0
#
# ela_server auth_port 18187
# ela_server port 0
#
# cpmi_server auth_port 18190
#
# uaa_server auth_port 19191
# uaa_server port 0
#
Step 3 Change the default lea_server auth_port from 18184 to another port number.
Step 4 Remove the hash (#) mark from that line.
For example:
lea_server auth_port 18888
# lea_server port 0
Step 5 Save and close the file.
Step 6 Start the firewall services by entering the following command:
cpstart
Configuring OPSEC LEA for Un-Encrypted Communications
To configure the OPSEC LEA protocol for un-encrypted communications:
Step 1 At the command-line prompt of your Check Point SmartCenter Server, stop the firewall services by entering the following command:
cpstop
Step 2 Depending on your Check Point SmartCenter Server’s operating system, open the following file:
In Linux:
$FWDIR/conf/fwopsec.conf
In Windows:
%FWDIR%\conf\fwopsec.conf
Step 3 Change the default lea_server auth_port from 18184 to 0.
Step 4 Change the default lea_server port from 0 to 18184.
Step 5 Remove the hash (#) marks from both lines.
For example:
lea_server auth_port 0
lea_server port 18184
Step 6 Save and close the file.
Step 7 Start the firewall services by entering the following command:
cpstart
You are now ready to configure the sensor device within the STRM interface. To configure STRM to receive events from a Check Point Firewall-1 device using OPSEC, select CheckPoint Firewall-1 from the Sensor Device Type drop-down list box.
For more information on configuring sensor devices, see the Managing Sensor Devices Guide.
For more information on configuring your Check Point Firewall-1, see your vendor documentation.
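The two fwopsec.conf procedures above differ only in which lea_server line carries the non-zero port: auth_port keeps LEA behind the SIC-authenticated, encrypted channel, while a non-zero plain port opens the clear-text, unauthenticated listener. The script below is an added example, not Check Point's or this guide's code, that applies either edit to the default file contents quoted above and reports which mode a file is in, so the change can be reviewed before cpstart. The regular expression and the "commented line means default" rule are assumptions about the file's layout taken from the default contents shown.

```python
"""Rewrite the lea_server settings in Check Point's fwopsec.conf the way the
guide describes (alternate authenticated port, or clear-text port) and report
which mode a given file is in. Added example: the default file contents are
quoted from the guide; the editing and checking logic is not Check Point's."""
import re

DEFAULT_FWOPSEC_CONF = """\
# The VPN-1/FireWall-1 default settings are:
#
# sam_server auth_port 0
# sam_server port 18183
#
# lea_server auth_port 18184
# lea_server port 0
#
# ela_server auth_port 18187
# ela_server port 0
#
# cpmi_server auth_port 18190
#
# uaa_server auth_port 19191
# uaa_server port 0
#
"""

# Compiled-in defaults for the LEA server; a commented line leaves these in force.
LEA_DEFAULTS = {'auth_port': 18184, 'port': 0}

# One '<server> <key> <value>' setting, optionally commented out with '#'.
SETTING_RE = re.compile(
    r'^\s*(?P<comment>#\s*)?(?P<server>\w+_server)\s+'
    r'(?P<key>auth_port|port)\s+(?P<value>\d+)\s*$')


def set_lea_ports(conf_text, auth_port, port):
    """Return conf_text with lea_server auth_port/port set. A value that differs
    from the default is written as an active line (hash removed); a value equal to
    the default is written back commented out, matching the guide's examples."""
    wanted = {'auth_port': auth_port, 'port': port}
    out, seen = [], set()
    for line in conf_text.splitlines():
        m = SETTING_RE.match(line)
        if m and m.group('server') == 'lea_server':
            key = m.group('key')
            prefix = '' if wanted[key] != LEA_DEFAULTS[key] else '# '
            out.append(f'{prefix}lea_server {key} {wanted[key]}')
            seen.add(key)
        else:
            out.append(line)
    missing = set(wanted) - seen
    if missing:
        raise ValueError(f'lea_server lines not found: {sorted(missing)}')
    return '\n'.join(out) + '\n'


def lea_settings(conf_text):
    """Return the effective (auth_port, port) for lea_server, ignoring commented lines."""
    auth_port, port = LEA_DEFAULTS['auth_port'], LEA_DEFAULTS['port']
    for line in conf_text.splitlines():
        m = SETTING_RE.match(line)
        if m and m.group('server') == 'lea_server' and not m.group('comment'):
            if m.group('key') == 'auth_port':
                auth_port = int(m.group('value'))
            else:
                port = int(m.group('value'))
    return auth_port, port


def lea_is_authenticated(conf_text):
    """True when LEA is reachable only on the SIC-authenticated (encrypted) auth_port.
    A non-zero plain 'port' accepts clear-text, unauthenticated LEA connections,
    which is what the guide's second procedure deliberately enables."""
    auth_port, port = lea_settings(conf_text)
    return auth_port != 0 and port == 0


if __name__ == '__main__':
    alt_port = set_lea_ports(DEFAULT_FWOPSEC_CONF, 18888, 0)
    clear_text = set_lea_ports(DEFAULT_FWOPSEC_CONF, 0, 18184)
    print(alt_port)
    print('authenticated:', lea_is_authenticated(alt_port), lea_is_authenticated(clear_text))
```

Running lea_is_authenticated over the file after each procedure gives a one-line audit of which of the two modes the SmartCenter is actually in, which is worth recording whenever the clear-text option is chosen, since the log stream then carries firewall events unprotected between the SmartCenter and STRM.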