Monthly Archives: January 2022

Checkpoint Log Exporter and MCAS

A customer wanted to start using Microsoft Defender for Cloud Apps (previously known as Microsoft Cloud App Security) and for this they had to ensure that the log files are sent to Microsoft. After a lot of reading and a lot of trial-and-error I finally got it working.

We initially assumed that we could send this in the Syslog format, but this didn't work for us.

This step-by-step plan is for the most part about the configuration of the Checkpoint firewall and not about the Microsoft Defender for Cloud Apps part. I don't have access to the customer's Azure environment, so I can't visually support this or explain it in detail. In any case, I will also put links for more detailed information.

Step 1.

First I created a firewall rule, so that the log files are actually allowed to go out.
Syslog is still included, but in principle this is not necessary because the files are sent over https.

Step 2.

Creating a Log Exporter rule on the Checkpoint Management Server is especially important because here you indicate in which format you want to send the logs to the Microsoft Log Collector. In this link there is very extensive information about what you can set, we have chosen to send everything to the Log Collector. For this we used the following command:
cp_log_export add name FW3-LOG target-server 20.71.xx.xx target-port 443 protocol tcp format cef

With the command cp_log_export show you can check your settings.

This makes the log export active immediately and the log files are sent over https to the specified IP address.
I used to have Syslog as format here and it didn't work well with the Log Collector and the MDCA together. After we changed this to the CEF format and also changed the settings on the Azure side to CEF and changed the docker instance of the Log Collector, we saw all relevant information come in, such as which cloud apps, (source) IP addresses are used. This is the information my customer wants to see and they are happy.

Step 3.

In Azure you also have to specify a configuration. Unfortunately I don't have access to the customer environment in Azure, so I can only say that here (Microsoft) can learn more about provisioning from the Azure side.
What you definitely need is a Log Collector, there you send the information that comes from the Checkpoint to the Microsoft Defender for Cloud Apps environment of your company or customer.

Unlock VM in Proxmox

Today I created a new VM in Proxmox, but I made a mistake and so I wanted it to powerdown and then delete it. So I type in the console of the VM the command: sudo halt
The server indicates that it is going to the halt state and I then want to shut down the server completely in the GUI via the Stop command and then remove it, but no matter what I try, nothing works. In the logging I suddenly saw the message below.

trying to acquire lock...
TASK ERROR: can't lock file '/var/lock/qemu-server/lock-103.conf' - got timeout

So I went looking for where this is coming from and one reason is that for example there is a backup process going on right at that moment, preventing it from getting a lock and powerdown on the VM. You can solve this in the following way.

Log into the host server's CLI and then enter the following command to get the PID of the correct server. You can also see this via the GUI.

cat /etc/pve/.vmlist

If we got the correct PID from the VM then run the command below and then the lock is removed.

qm unlock <VMID>