Security Products: Challenge, Accessibility, Approach to test

January 19, 2023

We are often asked by our clients to set up security firewalls and networking products in a lab environment using popular emulators such as EVE-NG or GNS3. It is not always easy to find ways to emulate different security network products, but we have found workarounds to set them up in our lab environment. Network emulation requires virtual devices such as routers, switches, and PCs to replicate a real-time environment and analyse the traffic passing through the devices. Vendors provide access to these images in different ways: ISO images, free software downloads, or access to licensed versions. We have successfully worked with the following products: Sophos XG, Snort IDS & IPS, Juniper SRX Next Gen, Check Point, Symantec (SEPM), Symantec EDR, Trend Micro (Deep Security Manager), McAfee ePO, Cisco Umbrella Reporting, Cisco Firepower, Cisco ASA, Fortinet, Cisco Meraki, WatchGuard, Microsoft DHCP, Suricata and so on.

Some of the common use cases we have used these emulations in our lab for our clients include:

  1. Use the setup in a lab environment to create real-time traffic and attacks for testing purposes and analyse the various logs produced, such as System event log, Anti-Malware event, Application Control event, Firewall event log, Integrity Monitoring log event, Intrusion Prevention event log, Log Inspection event and Web Reputation event. These logs can be ingested into log management platforms such as Splunk, Sumo Logic, Graylog and LogRhythm in Syslog, CEF and JSON formats for further investigation.
  2. Run the OS that emulates the real behaviour of network hardware to create and test threat-hunting rules such as Sigma and vulnerability checks using OVAL.
  3. Simulate a network with several network devices for penetration testing.
  4. Develop integrations with different TIP, SOAR and SIEM platforms. This helps us demonstrate proof-of-concept (POC) use cases that are possible with an integration, or analyse the feasibility of an integration with a given TIP, SOAR or SIEM platform.

In this blog, we will demonstrate the first use case using Check Point Firewall as an example. This blog will cover the following:

  1. Deployment/Installing and Setting up Check Point firewall on a server
  2. Configuring and setting up a test network, using Check Point management server
  3. Creating policies, generating traffic and capturing Logs
  4. Parsing and mapping logs

1. Deployment/Installing and Setting up Check Point firewall on a server

  1.1. Download the ISO images for Check Point, routers, switches, and virtual PCs, and make sure you have access to VMware Workstation and WinSCP (an SFTP client). The Check Point ISO can be downloaded from the vendor's website. Images for routers, switches and virtual PCs are available from several places; make sure the images you download are compatible with Check Point.
  1.2. Install EVE-NG in VMware Workstation. To set up the lab environment for Check Point, you need access to VMware Workstation, EVE-NG (network emulator) and WinSCP (SFTP client). EVE-NG and WinSCP can be downloaded from their respective websites.
  1.2.1. The network emulator (EVE-NG) is installed in VMware Workstation with its network adapter set to Bridged mode so that it obtains an IP address from DHCP.
  1.2.2. EVE-NG provides a web UI that is used to build the test environment from routers, switches and virtual PCs.
  1.3. Set up the Check Point firewall
  1.3.1. Install WinSCP, which is used to copy files over FTP/SFTP between the local computer and the EVE-NG VM installed in VMware Workstation in the previous step.
  1.3.2. Establish a connection from WinSCP to EVE-NG by entering the EVE-NG IP address, port, username and password.
  1.3.3. Create a directory in EVE-NG and grant the permissions needed to transfer the files.
  1.3.4. Copy the ISO images from the local system to that directory in EVE-NG.
  1.3.5. Once the images are copied to EVE-NG, right-click in the web UI and you will be presented with an option to select these images as nodes.
  1.3.6. Next, select the Management cloud from the network panel; it provides internet access to all the nodes (bridges, switches, the Check Point firewall, virtual PCs, etc.).
  1.4. Configure the network topology. In this step, we simulate a typical network containing a firewall, routers, switches and virtual PCs to generate traffic and create logs.
  1.4.1. Using the web UI, connect all the nodes to create the test environment.
  1.4.2. The nodes are started and connected to the Management cloud for internet access.
  1.4.3. Multiple virtual PCs (VPCs) and a Windows system image can be connected to the Check Point firewall through Layer 2 switches (SW1, SW2).

Given below is a test network topology containing the following devices: two switches SW1 and SW2, PCs (virtual PCs and Windows) and a router R1. The PCs are used to run commands such as ping to generate traffic.

Sample Network Topology

2. Configuring and setting up a test network, using Check Point management server

2.1. Initial Check Point Image Configurations

The firewall is configured with a static IP address, DNS, and user credentials for accessing the web UI. For the purpose of this blog, we chose a Standalone Deployment, where both the Security Management server and the Security Gateway are installed on the same machine.

2.2. Configuring Check Point Gaia Portal

The Gaia Portal is an advanced, web-based interface for configuring the Gaia platform. Almost all system configuration tasks can be done through this interface.

  2.2.1. The Check Point Gaia Portal is accessed using the static IP address configured in the firewall image.
  2.2.2. Add a static route in Check Point Network Management with the next hop set as Default.
  2.2.3. The Check Point interfaces are enabled and assigned to Security Zones.
  2.2.4. Virtual PCs are connected to the Check Point server through the switches and configured to reach all the internal and external zones.

Given below is a screen capture of the Gaia Portal used to accomplish the system configuration steps listed above.

Check Point Gaia Portal

Given below is a screen capture of the SmartConsole application.

SmartConsole Application

3. Creating policies, generating traffic, and capturing Logs

3.1. Enable Blades

Check Point offers multiple Software Blades that enforce security policies and help an organization monitor incoming/outgoing traffic and protect against external attacks.

All the Software Blades can be activated in the gateway's Network Security settings, and corresponding security policies are then created for them. Once a blade is enabled, the changes must be published and the policy installed.

Given below is a screen capture of the blade activation page, which is accessed from the Check Point gateway settings.

Blades Activation

Security Policies are a collection of rules and settings that control network traffic and implement the company's protection requirements. They grant access to resources subject to packet inspection.

All policies related to the activated blades are created in the Security Policies tab. Source, destination, services, action and gateways are defined in each rule and assigned to the required virtual PC.

The Check Point solution provides the following types of Security Policies:

Given below is a screen capture of the page where Security Policies are configured and installed.

Configuring Policies

Traffic is generated with ICMP, a sample brute-force attack, access to malicious sites, and downloads of sample malware files. The associated policy then acts according to the action defined in it.

To collect the logs, the Syslog feature must be enabled on the Check Point server. Logs can be viewed in the SmartConsole dashboard by enabling the SmartEvent Server and Log Indexing in the gateway's Management settings.

Check Point can be configured to send logs to third-party log management products such as LogRhythm, Graylog and Splunk using the Check Point Log Exporter feature.

The log manager's IP address, input port number and log format are defined in Log Exporter so that the logs arrive in the log management dashboard.

Given below is a screen capture of enabling the SmartEvent Server and SmartEvent Correlation Unit.

Enable Logging

3.5. Check Point provides the following logs

4.1. Understanding and analysing raw logs

4.2. Log Management Parsing Flow

Log Management Input

Configuration file (toml)

Workflow Sequence

Logs parsing and Source Mapping

4.3. Source Mapping

Given below is a raw Threat log message as sent from the firewall to the log management system. The fields highlighted in the image below are mapped to the common field names of the target log management system.

| RAW field name | Example value | Source mapping | Notes |
|---|---|---|---|
| Timestamp | 2022-10-31 15:12:33 | event_received_time | Date/time that the event was received by the reporting host |
| risk_action | Access denied | alert_signature | Vendor-provided alert text description |
| ip_address | 172.16.14.42 | source_ip | IPv4 and IPv6 addresses |
| application_type | Trojan Worm | alert_category | The type of application process |
| application_hash | 85dd6f8edf142f53746a51d11dcba853104bb0207cdf2d6c3529917c3c0fc8df | hash_sha256 | SHA256 hash value |
| Description | Message | event_description | Description associated with the message |
| event_time | 2022-10-31 15:10:57 | event_created | Date/time that the event was created |
| end_time | 2022-10-31 15:10:57 | event_end | Date/time that the event concluded |
| domain_name | Default,Group | user_domain | AD or LDAP domain |
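The mapping step above, as an added example that is not part of the original post or of any Check Point or log-management product: it parses a constructed key="value" record that uses the table's raw field names (not a verbatim Log Exporter message), renames the fields to the target names, normalises the timestamps to ISO 8601, and validates the SHA-256 hash and the IP address so a malformed record fails loudly instead of silently polluting the SIEM.

```python
import ipaddress
import re
from datetime import datetime

# Raw Check Point field -> target field, from the source-mapping table above.
SOURCE_MAPPING = {
    "Timestamp": "event_received_time",
    "risk_action": "alert_signature",
    "ip_address": "source_ip",
    "application_type": "alert_category",
    "application_hash": "hash_sha256",
    "Description": "event_description",
    "event_time": "event_created",
    "end_time": "event_end",
    "domain_name": "user_domain",
}
TIME_FIELDS = {"event_received_time", "event_created", "event_end"}

# Constructed sample record in key="value" syslog style using the page's field
# names; not a verbatim Log Exporter message. The hash is the table's example.
SAMPLE_LOG = (
    'Timestamp="2022-10-31 15:12:33" risk_action="Access denied" '
    'ip_address="172.16.14.42" application_type="Trojan Worm" '
    'application_hash="85dd6f8edf142f53746a51d11dcba853104bb0207cdf2d6c3529917c3c0fc8df" '
    'Description="Message" event_time="2022-10-31 15:10:57" '
    'end_time="2022-10-31 15:10:57" domain_name="Default,Group" product="Anti-Virus"'
)

def parse_kv(line):
    """Split a key="value" record into a dict of raw field names and values."""
    return dict(re.findall(r'(\w+)="([^"]*)"', line))

def map_fields(raw):
    """Rename raw fields to target names; normalise times, validate hash and IP.
    Unmapped fields are kept under a raw_ prefix rather than silently dropped."""
    mapped = {}
    for key, value in raw.items():
        target = SOURCE_MAPPING.get(key)
        if target is None:
            mapped["raw_" + key] = value
            continue
        if target in TIME_FIELDS:  # normalise to ISO 8601 for the SIEM
            value = datetime.strptime(value, "%Y-%m-%d %H:%M:%S").isoformat()
        elif target == "hash_sha256" and not re.fullmatch(r"[0-9a-f]{64}", value.lower()):
            raise ValueError(f"{key}: not a SHA-256 hex digest")
        elif target == "source_ip":  # raises ValueError on a malformed address
            value = str(ipaddress.ip_address(value))
        mapped[target] = value
    return mapped
```

Calling `map_fields(parse_kv(SAMPLE_LOG))` yields a dict keyed by the target names, with the unmapped `product` field preserved as `raw_product`.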

Given below is an image of how the logs look once parsing and source mapping are complete, which helps in analysing the traffic captured by Check Point.

Source Mapping
