https://www.linkedin.com/pub/naomi-rampersad/2/2a7/359
LAB Environment Details:-
McAfee SIEM
Using McAfee ENMELM_VM4_250 (all-in-one VM deployment: single ESM, single Receiver, ELM).
Version = 9.4.0
Hostname = McAfee-ENMELM-VM4
IP address = 172.31.254.101/24 (shared by ESM/ELM and Receiver)
Gateway = 172.31.254.1
DNS = 8.8.8.8/4.4.4.4
Checkpoint – GAIA R77.20
MDM - 172.31.254.111
CMA-1 - 172.31.254.112
CMA-2 - 172.31.254.113
MLM - 172.31.254.115
CLM11 - 172.31.254.221
CLM22 - 172.31.254.222
Gw-1 - 172.31.254.118
Gw-2 - 172.31.254.119
Default Gateway - 172.31.254.1
Create an OPSEC Application on CMA-1
1. Log in to the Check Point user interface.
2. Expand the OPSEC Applications tree node and right-click on the OPSEC Application category.
3. Select “New OPSEC Application”.
4. Enter a name for the OPSEC Application (SIEM_East in this lab).
5. In the “Host” field, select the network object that represents the McAfee Event Receiver. If the object does not exist, create one by clicking the “New” button and entering the IP of the Receiver (172.31.254.101).
6. Leave the “Vendor” field as the default selection “User Defined”.
7. Select the “LEA” checkbox in the “Client Entries” section.
8. Click on the “Communication” button, located near the bottom of the dialog.
9. Enter and confirm your one-time password (abc123 in this lab). This same value is entered later on the ESM as the activation key.
10. Click the “Initialize” button. This initializes the certificate and you will see the message “Initialized but trust not established.”
11. Close the “Communication” dialog.
12. Click “OK” on the OPSEC Application Process dialog.
13. Perform an Install DB on both CMA-1 and CLM11
NO CHANGES WERE MADE TO $FWDIR/CONF/FWOPSEC.CONF OR $CPDIR/CONF/SIC_POLICY.CONF FILES ANYWHERE (MDM/CMA or MLM/CLM)
On CMA-1
On CLM11
On McAfee ESM
Create the Check Point data sources in a parent-child relationship: create the primary CMA as the parent data source, then add the CLM as a child of the primary CMA data source.
Data Source Creation
After successfully logging into the McAfee ESM console, the data source will need to be added to a McAfee Receiver in the ESM hierarchy.
1. Select the Receiver you are applying the data source setting to.
2. Select Receiver Properties.
3. From the Receiver Properties listing, select “Data Sources”.
4. Select “Add Data Source”.
OR
1. Select the Receiver you are applying the data source setting to.
2. After selecting the Receiver, select the “Add Data Source” icon.
Parent Data Source Screen Settings
1. Data Source Vendor – Check Point
2. Data Source Model – Check Point (ASP)
3. Data Format – Default
4. Data Retrieval – Default
5. Name – user-defined name of the CMA. CMA-1_Management_Server
6. IP Address – The IP address of the CMA. 172.31.254.112
7. Event Collection Type – Select Audit and Log events.
8. Port – 18184 (Default)
Steps 9-12 are only needed if authentication and/or encryption are being used.
9. Use Authentication – checked
10. Application Name – name of the OPSEC Application object created in Check Point. SIEM_East
11. Activation Key – the SIC one-time password entered when the OPSEC Application was initialized. abc123
12. Use Encryption – checked
13. Options – advanced settings; leave at the default (Auto detect) unless there are connection issues.
14. Connect – tests the connection to the OPSEC LEA service and pulls the certificate. This should be successful.
After the parent is successfully added, create the child data source for the CLM.
1. Select the parent data source from the Receiver Properties Data Sources screen.
2. Select “Add Child Data Source”.
OR
1. Select the parent data source from the device tree.
2. Select the “Add Data Source” icon.
Child Data Source Screen Settings (Log Server / CLM)
1. Name – user-defined name of the CLM. CLM11
2. IP Address – IP address of the CLM. 172.31.254.221
3. Device Type – Log Server / CLM
4. Event Collection Type – Select Audit and Log events.
5. Parent Report Console – the user-defined name of the CMA that manages the CLM. Automatic Selection – CMA-1_Management_Server
6. Distinguished Name – the SIC DN of the CLM. On the CMA, find it with: grep sic_name $FWDIR/conf/objects_5_0.C
7. Connect – Tests the connection. Should be successful
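A plain grep of objects_5_0.C returns a sic_name line for every SIC-enabled object (the CMA, each CLM, and so on), so the DN for the right object has to be picked out by hand. The helper below is an added example, not part of the original lab notes: it prints only the sic_name of one named object. It assumes the usual C-format layout, where an object opens with ": (Name" and its attributes follow as ":attr (value)"; the sample file content is constructed for the demo.

```shell
#!/bin/sh
# Added example: extract the SIC DN of one named object from objects_5_0.C.
# Assumption: C-format layout, object starts with ": (Name", attributes as ":attr (value)".

# Usage: sic_dn <path to objects_5_0.C> <object name>
sic_dn() {
    awk -v obj="$2" '
        # A ": (Name" line opens a new object; note whether it is the one we want.
        /^[[:space:]]*: \(/ { inobj = ($0 ~ ("^[[:space:]]*: \\(" obj "[[:space:]]*$")) }
        # First sic_name inside our object: strip the C-format wrapper and print the DN.
        inobj && /^[[:space:]]*:sic_name \(/ {
            sub(/^[[:space:]]*:sic_name \("?/, "")
            sub(/"?\)[[:space:]]*$/, "")
            print
            exit
        }
    ' "$1"
}

# Constructed sample of the relevant part of objects_5_0.C (not a real file).
# Gw-1 has no sic_name, so a lookup for it must print nothing rather than
# falling through to the next object's DN.
SAMPLE_OBJECTS=$(mktemp)
cat > "$SAMPLE_OBJECTS" <<'EOF'
(
    :network_objects (
        : (CMA-1_Management_Server
            :AdminInfo (
                :ClassName (host_plain)
            )
            :ipaddr (172.31.254.112)
            :sic_name ("CN=cp_mgmt,O=mdm-1..example")
        )
        : (Gw-1
            :ipaddr (172.31.254.118)
        )
        : (CLM11
            :ipaddr (172.31.254.221)
            :sic_name ("CN=cp_mgmt_CLM11,O=mdm-1..example")
        )
    )
)
EOF

# Demo: the value to paste into the child data source's Distinguished Name field.
sic_dn "$SAMPLE_OBJECTS" CLM11
```

On a real CMA, replace the sample path with $FWDIR/conf/objects_5_0.C and the object name with the CLM's object name as defined in the CMA.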
Add Checkpoint CMA-1 as a Parent Data Source