Distributed IPS solutions

Check Point configuration

Log Exporter

  • The package Log Exporter T35 (sk122323) must be installed to enable syslog export. In the next Check Point OS release the Log Exporter should be integrated by default.
  • The Log Exporter can be installed on the management node of the Check Point solution.

    [Screenshot: Log Exporter]

  • Connect to the Check Point management node through SSH or choose the “Open Terminal” web menu. Enter expert mode.
  • Configure the Check Point CPlog (run in expert mode; replace the target-server value with the IP address of your Site Engine):

    ```
    cp_log_export add name Extreme target-server "ip address of Site Engine" target-port 514 protocol udp format generic
    ```

  • Edit the log exporter configuration file. The target directory is named after the export name given in the command above (here `Extreme`):

    ```
    cd /opt/CPrt-R80/log_exporter/targets/Extreme/
    vi targetConfiguration.xml
    ```

    ```xml
    <is_enabled>true</is_enabled><!--Is the process allowed to run, and start on cpstart-->
    <!-- Destination section defines the properties of the export target -->
    <destination type="syslog"> <!-- Target output type -->
      <ip>X.X.X.X</ip><!--the ip of the syslog server-->
      <port>514</port><!--the port on which the syslog is listening to-->
    ```

  • is_enabled needs to be true
  • ip is your Site Engine server
  • port should be 514

    ```xml
    <filter filter_out_by_connection="true">
      <field name="product">
    ```

  • filter_out_by_connection should be true
  • A reboot is required to start the log exporter package.
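As an added check (not part of the original README or of Check Point's tooling), the following Python script parses a targetConfiguration.xml fragment and verifies the checklist above before the reboot: is_enabled true, destination type syslog, ip equal to the Site Engine, port 514 and filter_out_by_connection true. The sample XML is constructed from the excerpt shown here; the `target_configuration` root element is an assumption made so the fragment parses, and 192.0.2.50 is a placeholder Site Engine address.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the shape of the targetConfiguration.xml excerpt above.
# The <target_configuration> root is assumed; only the child elements that the
# README shows are inspected.
SAMPLE_CONFIG = """<target_configuration>
  <is_enabled>true</is_enabled><!--Is the process allowed to run, and start on cpstart-->
  <destination type="syslog">
    <ip>192.0.2.50</ip>
    <port>514</port>
  </destination>
  <filter filter_out_by_connection="true">
    <field name="product"/>
  </filter>
</target_configuration>"""


def check_target_config(xml_text, site_engine_ip):
    """Return a list of problems; an empty list means the file matches the checklist."""
    root = ET.fromstring(xml_text)
    problems = []

    enabled = root.findtext(".//is_enabled", default="").strip().lower()
    if enabled != "true":
        problems.append(f"is_enabled is '{enabled}', expected 'true'")

    dest = root.find(".//destination")
    if dest is None or dest.get("type") != "syslog":
        problems.append("destination type must be 'syslog'")

    ip = root.findtext(".//destination/ip", default="").strip()
    if ip != site_engine_ip:
        problems.append(f"destination ip is '{ip}', expected Site Engine {site_engine_ip}")

    port = root.findtext(".//destination/port", default="").strip()
    if port != "514":
        problems.append(f"destination port is '{port}', expected 514")

    flt = root.find(".//filter")
    if flt is None or flt.get("filter_out_by_connection") != "true":
        problems.append("filter_out_by_connection must be 'true'")

    return problems


if __name__ == "__main__":
    # Usage: read the real file instead of SAMPLE_CONFIG, e.g.
    #   open("/opt/CPrt-R80/log_exporter/targets/Extreme/targetConfiguration.xml").read()
    for problem in check_target_config(SAMPLE_CONFIG, "192.0.2.50") or ["config OK"]:
        print(problem)
```

Run it against the real file (path as in the README) with your Site Engine address; a non-empty list tells you what to fix before rebooting, since a disabled exporter or a wrong port fails silently from the Site Engine side.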

IPS Inspection configuration

  • Clone a Threat Profile (for example, one optimized for Extreme Networks).

    [Screenshot: Create Profile]

  • Example of a Profile configuration.

    [Screenshots: General Policy, Profile IPS, additional Profile IPS, Updates, Profile Anti-Bot, Profile Anti-Virus]

  • Create the Threat rule with the profile created previously. You can restrict the DIPS reaction to one or more IP subnets or to a user group. You can use the name of the rule in the Extreme Connect match conditions (= Services). The Track must be set to Log to generate the syslog message.

    [Screenshot: Threat Rule]

Extreme Connect configuration

  • The Check Point Log Exporter informs Extreme Connect through syslog messages.

    [Screenshot: DIPS services]

  • regex = `malware_rule_name="Extreme\sControl\sDisconnect".+?protection_type="protection".+?resource="$threatName".+?src="$threatIpAddress"`
  • The regex matches only if the threat rule name is Extreme Control Disconnect.
  • You may add more regex rules if the reaction should match other syslog messages.

    [Screenshot: DIPS configuration]

  • The module must have Module enabled = True.
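To see what the regex above accepts and rejects, here is an added Python example (not part of the original README and not Extreme Connect's own matcher). It rewrites the `$threatName` and `$threatIpAddress` substitution variables as named capture groups, which is an assumption about how Extreme Connect expands them, and runs the pattern over constructed log lines in the Log Exporter "generic" key="value" layout; the lines are illustrative, not captured from a real gateway.

```python
import re

# The README's DIPS regex with $threatName / $threatIpAddress expressed as
# Python named groups. Assumption: Extreme Connect substitutes those variables
# with a capture of the quoted value; "[^"]*" is used here for that purpose.
DIPS_REGEX = re.compile(
    r'malware_rule_name="Extreme\sControl\sDisconnect"'
    r'.+?protection_type="protection"'
    r'.+?resource="(?P<threatName>[^"]*)"'
    r'.+?src="(?P<threatIpAddress>[^"]*)"'
)

# Constructed sample syslog payloads (generic format, key="value" pairs).
SAMPLE_LOGS = [
    # Rule name and protection_type match: the DIPS reaction should fire.
    'time="2024-01-01T10:00:00Z" product="IPS" action="Prevent" '
    'malware_rule_name="Extreme Control Disconnect" protection_type="protection" '
    'resource="Example Protection Name" src="10.1.2.3" dst="192.0.2.10"',
    # Same shape, different threat rule name: must NOT match.
    'time="2024-01-01T10:00:01Z" product="IPS" action="Prevent" '
    'malware_rule_name="Monitor Only" protection_type="protection" '
    'resource="Example Protection Name" src="10.1.2.4" dst="192.0.2.10"',
    # Matching rule name but a different protection_type: must NOT match.
    'time="2024-01-01T10:00:02Z" product="IPS" '
    'malware_rule_name="Extreme Control Disconnect" protection_type="signature" '
    'resource="Other" src="10.1.2.5"',
]


def extract_threat(line):
    """Return (threatName, threatIpAddress) when the line triggers the DIPS
    reaction, or None when the regex does not match."""
    m = DIPS_REGEX.search(line)
    if m is None:
        return None
    return m.group("threatName"), m.group("threatIpAddress")


def matching_events(lines):
    """All (threatName, threatIpAddress) pairs that would reach Extreme Connect."""
    return [t for t in (extract_threat(line) for line in lines) if t is not None]


if __name__ == "__main__":
    for line in SAMPLE_LOGS:
        print(extract_threat(line))
```

Because the pattern is anchored on the rule name and on the field order (rule name, then protection_type, then resource, then src), a rule renamed in SmartConsole or a log format that orders the fields differently produces no reaction; testing a captured line with this script is the quickest way to confirm the match before relying on it.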

Support

The software is provided as-is and Extreme Networks has no obligation to provide maintenance, support, updates, enhancements, or modifications. Any support provided by Extreme Networks is at its sole discretion.

Issues and/or bug fixes may be reported on The Hub.

Be Extreme