Friday, May 28, 2010

Configuring SSH login mail alert on Checkpoint SecurePlatform


In an earlier post, SSH login alert, I presented a way to send a mail alert after a successful SSH login to any Linux-based machine, including Checkpoint firewalls. Now, thanks to the folks at cpug.org who drew my attention to it, I will show how to get a mail alert on ANY rule in the security rulebase of the firewall, and also a simplified script using the Checkpoint version of sendmail.
First, rule alerts: on any rule in the Security Rulebase you can set the Track column to Mail. All hits on such a rule will then send mail alerts to the specified recipient(s) through the specified mail server (Checkpoint doesn't have a mail server of its own). So, if you create a rule that allows access by SSH and set its Track to Mail, mail will be sent each time this rule is used to access the firewall. The mail server settings are configured in
Policy -> Global Properties -> Log and Alert -> Alert Commands: check "Send mail alert to SmartView Monitor" and "Run mail alert script". In the "Run mail alert script" field enter a string of the form:
internal_sendmail -s [subject of the mail] -t [ip of mail server to receive mail goes here] -f [from_who_field_in_mail] [to_whom_send_this_mail]
e.g. internal_sendmail -s SSH_login_alert -t 63.161.169.140 -f yurisk@yurisk.info president@whitehouse.gov

The mail you get on such an alert looks like:
 6Jan2010  7:29:55 accept fw-tokyo  >External mail rule: 2; rule_uid: {85A905A7-951E-4100-A23A-E280FAAA1D29}; SmartDefense profile: Default_Protection; service_id: ssh; src: my-management-host; dst: fw-tokyo  ; proto: tcp; product: VPN-1 & FireWall-1; service: ssh; s_port: 47145; 
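The alert body above is in Check Point's own log-line format: a header (date, time, action, firewall name, direction marker plus interface) followed by semicolon-separated "key: value" pairs. The following parser is an added example, not code from the post or from Check Point: it turns such a line into a dictionary and then flags accepted SSH sessions to the firewall itself that do not come from an expected management host, which is what you would want to feed into a SIEM or a mailbox rule. The sample lines are constructed (the first reproduces the post's line, with its exact whitespace assumed; the second uses a documentation-range address), and the set of allowed management hosts is an assumption.

```python
import re
from typing import Dict, Iterable, List, Optional

# Constructed sample: the post's alert line, whitespace assumed as printed there.
SAMPLE_ALERT = (
    " 6Jan2010  7:29:55 accept fw-tokyo  >External mail rule: 2; "
    "rule_uid: {85A905A7-951E-4100-A23A-E280FAAA1D29}; "
    "SmartDefense profile: Default_Protection; service_id: ssh; "
    "src: my-management-host; dst: fw-tokyo  ; proto: tcp; "
    "product: VPN-1 & FireWall-1; service: ssh; s_port: 47145; "
)

# Constructed sample: same shape, but from an address that is not a management host.
SAMPLE_ALERT_UNKNOWN_SRC = (
    " 6Jan2010  7:41:02 accept fw-tokyo  >External mail rule: 2; "
    "service_id: ssh; src: 203.0.113.7; dst: fw-tokyo; proto: tcp; "
    "service: ssh; s_port: 51000; "
)

# Header: date, time, action, origin (firewall name), then a direction marker
# ('<' or '>') glued to the interface name. The key/value part starts after it.
HEADER_RE = re.compile(
    r"^\s*(?P<date>\d{1,2}[A-Za-z]{3}\d{4})\s+(?P<time>\d{1,2}:\d{2}:\d{2})\s+"
    r"(?P<action>\w+)\s+(?P<origin>\S+)\s+(?P<dir>[<>])(?P<iface>\S+)\s+"
)


def parse_alert(line: str) -> Optional[Dict[str, str]]:
    """Parse one alert line into a flat dict; return None if the header is not recognised."""
    m = HEADER_RE.match(line)
    if m is None:
        return None
    fields = m.groupdict()
    # Everything after the header is "key: value;" pairs; values may contain
    # spaces and '&' (e.g. "VPN-1 & FireWall-1"), so split on ';' then on the first ':'.
    for item in line[m.end():].split(";"):
        if ":" not in item:
            continue
        key, _, value = item.partition(":")
        fields[key.strip()] = value.strip()
    return fields


def is_unexpected_ssh_to_firewall(fields: Dict[str, str], allowed_sources: Iterable[str]) -> bool:
    """True for an accepted SSH session whose destination is the firewall that logged it
    and whose source is not one of the expected management hosts."""
    return (
        fields.get("action") == "accept"
        and fields.get("service") == "ssh"
        and fields.get("dst") == fields.get("origin")
        and fields.get("src") not in set(allowed_sources)
    )


def scan_alerts(lines: Iterable[str], allowed_sources: Iterable[str]) -> List[Dict[str, str]]:
    """Return the parsed alerts that should be escalated; unparsable lines are skipped."""
    allowed = set(allowed_sources)
    flagged = []
    for line in lines:
        fields = parse_alert(line)
        if fields is not None and is_unexpected_ssh_to_firewall(fields, allowed):
            flagged.append(fields)
    return flagged


if __name__ == "__main__":
    # Assumed list of hosts that are allowed to SSH into the firewall.
    ALLOWED = {"my-management-host"}
    for hit in scan_alerts([SAMPLE_ALERT, SAMPLE_ALERT_UNKNOWN_SRC], ALLOWED):
        print(f"{hit['date']} {hit['time']}: SSH to {hit['dst']} from unexpected source {hit['src']}")
```

The check compares dst against the logging firewall's own name rather than a fixed hostname, so one rule serves every gateway that forwards alerts.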
NOTE. Some don'ts:
- You can't send to multiple recipients;
- You can't use the IP of the firewall as the mail server;
- The mail server you specify should be the one accepting mail for the recipient's address or be doing mail relay without authentication. And no, Checkpoint sendmail doesn't support authentication.
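Two of the three limits above can be checked before the string goes into the "Run mail alert script" field. The following linter is an added example, not part of the post or of Check Point's tooling: it tokenises an internal_sendmail command of the form shown earlier, confirms the -s, -t and -f options are present, insists on exactly one recipient, and refuses a mail server address that belongs to the firewall itself. The set of firewall addresses is an assumption (a documentation-range address here); whether the named server accepts or relays mail for the recipient can only be checked by sending a test mail, so the linter does not attempt it.

```python
import shlex
from typing import Iterable, List

# The options internal_sendmail takes per the post: subject, mail server, sender.
VALUE_OPTIONS = ("-s", "-t", "-f")


def validate_alert_command(cmd: str, firewall_ips: Iterable[str]) -> List[str]:
    """Return a list of problems with an internal_sendmail alert command; empty means OK."""
    problems: List[str] = []
    try:
        argv = shlex.split(cmd)  # honours quoting, so a quoted subject with spaces is one token
    except ValueError as exc:
        return [f"cannot tokenize command: {exc}"]
    if not argv or argv[0] != "internal_sendmail":
        return ["command must start with internal_sendmail"]

    opts = {}
    recipients = []
    i = 1
    while i < len(argv):
        tok = argv[i]
        if tok in VALUE_OPTIONS:
            if i + 1 >= len(argv):
                problems.append(f"option {tok} has no value")
                break
            opts[tok] = argv[i + 1]
            i += 2
        else:
            recipients.append(tok)  # anything that is not an option value is a recipient
            i += 1

    for opt in VALUE_OPTIONS:
        if opt not in opts:
            problems.append(f"missing {opt}")
    # Limit 1 from the post: only a single recipient is supported.
    if len(recipients) != 1:
        problems.append(f"expected exactly one recipient, got {len(recipients)}")
    # Limit 2 from the post: the mail server cannot be the firewall's own address.
    if opts.get("-t") in set(firewall_ips):
        problems.append("mail server must not be the firewall's own IP")
    return problems


if __name__ == "__main__":
    # Assumed firewall address (documentation range) for the self-address check.
    FIREWALL_IPS = {"192.0.2.1"}
    cmd = ("internal_sendmail -s SSH_login_alert -t 63.161.169.140 "
           "-f yurisk@yurisk.info president@whitehouse.gov")
    print(validate_alert_command(cmd, FIREWALL_IPS) or "OK")
```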
