3D Security Analysis Report Tool

Version 8.32, for R75.20


Administration Guide

15 February 2012

2011 Check Point Software Technologies Ltd. All rights reserved. This product and related documentation are protected by copyright and distributed under licensing restricting their use, copying, distribution, and decompilation. No part of this product or related documentation may be reproduced in any form or by any means without prior written authorization of Check Point. While every precaution has been taken in the preparation of this book, Check Point assumes no responsibility for errors or omissions. This publication and features described herein are subject to change without notice. RESTRICTED RIGHTS LEGEND: Use, duplication, or disclosure by the government is subject to restrictions as set forth in subparagraph (c)(1)(ii) of the Rights in Technical Data and Computer Software clause at DFARS 252.227-7013 and FAR 52.227-19. TRADEMARKS: Refer to the Copyright page (http://www.checkpoint.com/copyright.html) for a list of our trademarks. Refer to the Third Party copyright notices (http://www.checkpoint.com/3rd_party_copyright.html) for a list of relevant copyrights and third-party licenses.

Important Information
Latest Software
We recommend that you install the most recent software release to stay up-to-date with the latest functional improvements, stability fixes, security enhancements and protection against new and evolving attacks.

Additional Information
For additional technical information, visit the Check Point Support Center (http://supportcenter.checkpoint.com).

Revision History
Date               Description
15 February 2012   Several improvements

Feedback
Check Point is engaged in a continuous effort to improve its documentation. Please help us by sending your comments (mailto:cp_techpub_feedback@checkpoint.com?subject=Feedback on 3D Security Analysis Report Tool version 4, for R75.20 Administration Guide).

Contents
Important Information
Introduction
    Benefits
    What's New
Installation
    System Requirements
    Installing SmartConsole
    Installing Server Supplement
    Upgrading
Getting Started
Customizing Reports
    Customizing Time Period of Report
    Creating New Reports
    Adding Queries to Reports
    Editing Queries
    Editing Generated Tables and Graphs
    Editing Generated Reports
    Changing the Report Template
Offline Reports
Securing Reports
CPLogLogSender Utility
Known Limitations

Introduction
3D Security Analysis Report Tool takes Check Point PoCs to the next level. The tool generates a comprehensive security analysis report. It automatically integrates security events from different Software Blades: Application Control, URL Filtering, IPS, and DLP. The analysis report is created automatically on a Check Point Microsoft Word document report template. 3D Security Analysis Report Tool accentuates Check Point Added Value, exposing new security risks and suggesting remediations.

When a Check Point Security Gateway runs for a while in a PoC environment, inline or Mirror Port, we expect logs and security events to be generated for the active Software Blades. The report gives a comprehensive security analysis that summarizes security events, their risks, and their remediations.

This tool offers several out-of-the-box recommended reports. You can customize your own reports. You can add and remove queries. You can create your own Word template.

Important - 3D Security Analysis Report Tool is a PoC tool. We highly recommend deploying it only on environments dedicated to PoC. Its deployment can change existing configurations. Therefore, it is not recommended for production environments.

Benefits
- Shows the value of Check Point 3D Security strategy and the benefits provided by the Software Blades Architecture
- Visualizes incidents that happen in customer networks, and gives practical recommendations
- Empowers you with knowledge of new security risks, and improves network security
- Gives an executive summary for discussion with management
- Gives detailed results for in-depth discussions with technical points of contact
- Out-of-the-box reports speed information delivery and accelerate the sales processes
- Supports customization for specialized reports focused on customer challenges

What's New
- Bug fix - High Risk URL Filtering events are now displayed in the Executive Summary section (in the High and Critical risk Event Summary bar chart).
- Visual fix - Improved High Risk Applications/Sites images.
- Visual fix - Improved look of tables.
- Admin Guide update (this document) - System Requirements, Offline Reports and Known Limitations sections updated.

Installation

3D Security Analysis Report Tool has its own version of SmartConsole, and a supplement for the R75.20 SmartEvent Server.

Note - If you use R75.20 Mirror Port Kit, this tool is already included.

Component               Package
SmartConsole            SmartConsole_983000032_1.exe
SmartEvent supplement   3D_ANALYSIS_REPORT_TOOL-MNG-PACK-V08.zip

System Requirements
Component: R75.20 Security Management Server with SmartEvent installed
Operating System: SecurePlatform

Component: MS Office 2003 or 2010, full package, installed on computer with R75.20 SmartConsole (please note that all Office components must be installed)
Operating System: Windows

Note - Reports are output to Word. Some of the data is embedded Excel files. The MS Office installation must be at least Word and Excel.

Installing SmartConsole
Install the 3D Security Analysis Report Tool SmartConsole on a Windows computer with MS Office 2003 or 2010. This is a R75.20 SmartConsole. It works with any R75.20 Security Management Server.

To install the GUI of this tool:


1. Put the SmartConsole file on the Windows computer: SmartConsole_983000032_1.exe
2. Double-click the executable.

Installing Server Supplement


Install 3D Security Analysis Report Tool on an existing R75.20 SmartEvent Server dedicated to PoC. When you run the installation script, cpstop and cpstart are run automatically. The tool can also be installed on a standalone deployment (where Security Gateway, Security Management and SmartEvent are running on the same machine). Do not install this tool on a production environment.

To install this tool on a SecurePlatform server:


1. The SmartEvent supplement file is located in the tools folder and named: 3D_ANALYSIS_REPORT_TOOL_<ver>.tgz
2. Make a new directory on the SmartEvent Server, under /var, named install.
3. Copy the .tgz file to the server /var/install directory (copy the file in binary mode).
4. Verify that the file transferred correctly by comparing the file's MD5:
   a. In the install directory on the server, run the md5sum *.* command
   b. Verify that MD5 for file 3D_ANALYSIS_REPORT_TOOL-MNG-PACK-V08.tgz is: C8069E2F1D556F286C2028F9B023BF00
   c. In the install directory on the server, run:
   d. tar xvzf 3D_ANALYSIS_REPORT_TOOL_<ver>.tgz
   e. chmod 777 se_script
   f. Run: ./se_script
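
The checksum step above, written as a script. This is an added example, not part of the Check Point guide or its installer. It compares case-insensitively (md5sum prints lowercase hex, the guide prints the value in uppercase) and extracts only on a match; the function names verify_md5 and extract_if_verified are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not Check Point code): check a package's MD5 against the value
# printed in the guide and extract the package only when the two match.

# verify_md5 FILE EXPECTED_HEX
# Returns 0 on match, 1 on mismatch, 2 if the file or expected value is unusable.
verify_md5() {
    file=$1
    # md5sum prints lowercase hex; the guide prints uppercase. Normalise the
    # expected value and drop whitespace picked up when pasting it.
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f' | tr -d ' \t\r\n')
    case $expected in
        *[!0-9a-f]*) return 2 ;;            # not hex: wrong value pasted
    esac
    [ "${#expected}" -eq 32 ] || return 2   # an MD5 is exactly 32 hex digits
    [ -f "$file" ] || return 2
    actual=$(md5sum "$file" | cut -d' ' -f1)
    [ "$actual" = "$expected" ]
}

# extract_if_verified DIR PACKAGE EXPECTED_HEX
# Runs the guide's tar step only after the hash check has passed.
extract_if_verified() {
    dir=$1
    pkg=$2
    if ! verify_md5 "$dir/$pkg" "$3"; then
        echo "MD5 check failed for $dir/$pkg: not extracting" >&2
        return 1
    fi
    ( cd "$dir" && tar xzf "$pkg" )
}

# Usage: sh verify_pkg.sh /var/install <package>.tgz <MD5 value from the guide>
if [ "$#" -eq 3 ]; then
    extract_if_verified "$1" "$2" "$3"
fi
```

A mismatch after an FTP copy usually means the file was sent in ASCII mode instead of binary mode; copy it again before running se_script.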

Upgrading
To upgrade the SmartConsole of this tool from an older version, uninstall the older version and install this version. To upgrade the SmartEvent Server supplement, install this version. It automatically overwrites the older version.

Getting Started
After you install the new SmartConsole, you have a new button on the SmartEvent console.

To generate a report:
1. Open SmartEvent.
2. Click 3D Security Analysis Report.

3. In the Report Generator View window, select a report.

4. Click Generate Word. The report can take several seconds to generate. It opens as a Word document in the background.

Predefined reports have these default sections:


- Executive summary - Summarizes main results: number of events, brief list of critical and high events that need special attention, and risks.
- Findings - Focuses on the security events by Software Blade.
- Remediation - Recommendations to solve the main security events.
- Appendix - Gives useful data, such as bandwidth consumption and internet usage statistics.

Customizing Reports
The 3D Security Analysis Report Tool out-of-the-box reports are designed for PoCs, built on customer feedback. But if you have unique requirements from a customer, you can fulfill the request with easy customizations.

Customizing Time Period of Report


The default period of time for a report is 30 days.

To change the report period:


1. In the Report Generator View window, click Edit.
2. In the Edit Report window, select the period from the Report Period list.
3. Click Save.

Creating New Reports


If the out-of-the-box reports do not have the required data, you can set up a new report.

To create a new report:


1. In the Report Generator View window, click New >
   - Report - Create a new report.
   - Clone Selected Report - Create a new report based on template and queries of the selected report.

2. In the New Report window, enter a name for the report.

3. In the Report Period list, select the time period. Data from this period is collected when the report generates.
4. Decide if this report is to be based on an existing document:
   - Create a report using an existing document - Select use the following document as template. Browse to the document. If you want to select an out-of-the-box template, browse to the SmartConsole installation folder. Typically: C:\Program Files (x86)\CheckPoint\SmartConsole\R75.20\PROGRAM\data\ClientGeneratedReports
   - Create a report on a blank Word document.
5. Add queries to the report ("Adding Queries to Reports" on page 12).
6. Click Save.

Adding Queries to Reports


If you create a new report, you must add queries to the report. (If you do not, there will be no data to show.) You can also add queries to existing reports, to show different data.

To add queries to reports:


1. In the New Report window or Edit Report window, click Add. The Add View window opens.

2. In the View Title field, enter the name of the query that will replace placeholder text:
   - If this report is based on a blank Word document, the title of the query data shows at the end of the document.

   - If this report is based on an existing document, the text in this field must match, case-sensitive, the placeholder text. If the placeholder text does not exist in the document, the query output is added to the end of the document.

3. In the View Type field, define the output type. Valid values:
   - Image - Query results are output as JPG files. Use for Grid (Events tab in SmartEvent), Pie, or Map. Define the Image Width and Image Height in pixels.
   - Data - Query results are output as embedded Excel files. Use for Grid or Pie. Define an Excel workbook. It can be a blank file, or a file with content and formulas. 3D Security Analysis Report Tool puts collected data on Sheet2. The table or chart shown on the report is on Sheet1. You can change the data or formulas as required. You must save the Excel workbook with Sheet1 visible.

4. In the Query field, click the browse button. Select a query to collect data. You can create a new query if necessary.
5. Click Save.

Editing Queries
You can change a query that you made, or a query that is predefined.

To edit a query:
1. In the Report Generator View window, double-click a report.

2. In the Edit Report window, select a query.

3. Click Edit.

Editing Generated Tables and Graphs


Some of the tables and graphs in the Word document are embedded Microsoft Excel files.

To edit tables and graphs:


1. Double-click the table or graph. Excel opens. Usually, the Excel file has the table or graph on Sheet1, and the data on the other sheets.
2. To edit the data, open Sheet2 or higher. Change the data there. The table or chart on Sheet1 is updated automatically.
3. To edit the display of the data, edit table or graph properties on Sheet1.
4. Save the Excel file with Sheet1 visible. If another sheet is visible when you save and close Excel, the output to the report will be incorrect. The Report document is updated automatically.

Editing Generated Reports


After 3D Security Analysis Report Tool generates a report, you can edit it. Some data is deliberately left for manual editing:
- Customer details
- Report date
- PoC duration
- Methodology details

Such data, which you must fix before you deliver the report, is marked in red. If you see unresolved placeholders (text in < > tags):
- Delete the placeholders, or
- Edit queries to replace the placeholder with data and generate the report again.

Changing the Report Template


The report Word templates are in the SmartConsole installation folders. The templates have placeholder text. When a report is generated, this text is replaced with the data from the queries. That data is collected, analyzed, and manipulated by 3D Security Analysis Report Tool. If you remove or change placeholder text, the generated data is shown at the end of the report.

Best Practice: Change the template only for localization (translating text that comes from the template) or formatting (font, color, size). Use the 3D Security Analysis Report Tool editing features to change the data that is shown.

Offline Reports
You can generate reports from logs, without interacting with the customer environment. For example, if you get logs from a customer, you can use 3D Security Analysis Report Tool to deliver a professional report of the log data. Make sure the logs are exported from the customer's R75.20 Security Gateway running R75.20 Software Blades and managed by an R75.20 Security Management Server. Offline reports generate queries only of activated Software Blades.

Requirements on your local environment:


- 3D Security Analysis Report Tool on R75.20 environment: Security Management Server with SmartEvent and SmartDashboard. You will import the network logs to this local environment.
- CPLogLogSender utility (download from the Check Point Solution Center wiki or UserCenter and put in $FWDIR/log), or R75.20 Mirror Port kit Version 2 or higher.

To export logs:

1. Open SmartView Tracker, connected to the Security Management Server that has the logs.
2. Click File > Save As.
3. Name the log file.
4. Click OK. A number of files are created on the Security Management Server, in $FWDIR/log:
   - yourname.log
   - yourname.logaccount_ptr
   - yourname.loginitial_ptr
   - yourname.logLuuidDB
   - yourname.logptr
5. Copy all of these files to your computer.

To clear event history:


If your local SmartEvent has events from unrelated activities, delete event history with these commands on the server. Skip this only if you import the logs into a clean environment.

    cpstop
    $CPDIR/database/postgresql/util/PostgreSQLCmd start
    $CPDIR/database/postgresql/bin/psql -p 18272 -U cp_postgres postgres -c "drop database events_db"
    $CPDIR/database/postgresql/util/PostgreSQLCmd stop
    cpstart

To import logs:
1. On the local Security Management Server, log in and go to $FWDIR/log.
2. Put all the exported files here.
3. Run: chmod 777 CPLogLogSender
4. Run: ./CPLogLogSender -l 200 -i 1 -n forever name.log
   This can take some time, depending on the number of records the log file contains.

5. Open SmartEvent. Wait until all events are generated.
6. Generate the 3D Security Analysis Report Tool report.

Securing Reports
When the report is ready to deliver, make sure it is secure from unauthorized changes or access.
1. Save the Word document as PDF.
2. Set the PDF security for opening and for editing.
   - If you have Adobe Acrobat, set the security options of the Document Properties. We recommend using Password protection.
   - If you use a 3rd Party product (such as primoPDF) to make the PDF, use the features of that application to set a password on the PDF.

It is best if you do not edit the PDF after it is made. To change content for audience or purpose, change the Word document and save it as a new PDF. We recommend that you password protect the Word document and keep it in secure storage (such as a Check Point GO stick).

CPLogLogSender Utility
The CPLogLogSender utility simulates traffic captured in the log file. The utility runs the traffic as though it were live traffic going through the Security Gateway. The Security Gateway logs new events similar to those in the log files. To run the utility, you run a script command with required configuration parameters.

Syntax

    ./CPLogLogSender -l <log_amount> -i <interval> -n <cycles> <name>.log

Parameters

Parameter: -l <log_amount>
Description: Number of logs to send in one batch. Valid value: integer. Note - flag is lower-case L.

Parameter: -i <interval>
Description: Batch delta time, in seconds. Sends a batch of logs every <interval> seconds. Valid value: small integer

Parameter: -n <cycles>
Description: Number of cycles to repeat batch sending. Recommended value: forever. Runs until all logs are generated.

Parameter: name
Description: Name of the generated log

Comments

1. Before running the utility, set the utility's privileges by running the following command: chmod 777 $FWDIR/log/CPLogLogSender
2. The time it takes to generate the logs depends on the number of log records in the log file. In the example, if the log file has 100,000 records, it will take 100,000 records / 200 seconds = 500 seconds. We recommend around 200 logs per second if you use VMware or a slow computer. If you use a strong computer, you can increase to a higher rate (1,000 - 4,000 or more) to shorten the process time.

Example

    ./CPLogLogSender -l 200 -i 1 -n forever MYLOGS.log

Known Limitations
1. If you run the report on SmartEvent Intro, you must delete empty queries before you generate a report.
   a. Open the Edit Report window of the reports you will use.
   b. Select a section with an empty query.
   c. Click Remove.
   d. Do this for all sections with empty queries.
   e. Click Save.
2. During a report generation:
   - Do not use any clipboard options (Copy, Cut, Print Screen)
   - Do not use double screen (screenshots are taken only from main screen and not the secondary screen)
   - It is recommended not to use other applications in the background
