This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Frederic_Kasmir
Participant
‎2017-09-27 12:51 AM
Jump to solution

Does R80.10 support OPSEC?

Hello Guys,

Does someone know for sure if we can still use OPSEC with Smarcenter in R80.10?

We are going to migrate in R80.10 and we are using Splunk to collect Checkpoint logs.

I can't find something write down saying how to configure interaction between R80.10 / Splunk.  Do we have to use syslog? If yes what is the recommended configuration?

Thanks!

Labels
1 Solution

Accepted Solutions
Danny
Champion Champion
Champion
‎2017-09-27 01:59 AM
Jump to solution

R80.10 supports OPSEC and Splunk is an Official OPSEC Partner.

Configure Splunk as shown below and install the Splunk Add-On.

Right-click on Servers > OPSEC Application > Application...

Related:

About the Splunk Add-on for Check Point OPSEC LEA

Install the Splunk Add-on for Check Point OPSEC LEA

Configure the Splunk Add-on for Check Point OPSEC LEA

View solution in original post

6 Replies
Danny
Champion Champion
Champion
‎2017-09-27 01:59 AM
Jump to solution

R80.10 supports OPSEC and Splunk is an Official OPSEC Partner.

Configure Splunk as shown below and install the Splunk Add-On.

Right-click on Servers > OPSEC Application > Application...

Related:

About the Splunk Add-on for Check Point OPSEC LEA

Install the Splunk Add-on for Check Point OPSEC LEA

Configure the Splunk Add-on for Check Point OPSEC LEA

DeletedUser
Not applicable
‎2017-09-27 08:59 AM
Jump to solution

If you follow the links in Danny's excellent reply there is lots of info there to set it up. In addition by default the R80 internal CA supports SHA-256 certificates for the SIC connection. Splunk's LEA client supports SHA-256 since there 4.0.0 release in June 2016. More info is in their release notes history.

hth,

bob

Frederic_Kasmir
Participant
‎2017-09-27 11:19 PM
Jump to solution

Thanks a lot.

It seems pretty clear. I don't know why I have received the message that it's not supported anymore and that we should use syslog.

0 Kudos
Hugo_vd_Kooij
Advisor
‎2017-09-28 04:20 AM
In response to Frederic_Kasmir
Jump to solution

You may need to check your SDK version.

The older SDK versions don't understand SHA256.

I got it working in my lab on a brand new Splunk installation. The trick is to add the SDK files and use the latest version before you start to configure it.

<< We make miracles happen while you wait. The impossible jobs take just a wee bit longer. >>
0 Kudos
PhoneBoy
Admin
Admin
‎2017-09-28 02:59 PM
Jump to solution

To answer the more general question of OPSEC in R80.x, yes it is supported, with some limitations:

  • SHA256 CAs are now the default, which means you may need to update your applications to support
  • CPMI is only partially supported (namely you need to use the R80.x API to manage the security policy, but you can still use it to manipulate individual objects)
  • Legacy parts of OPSEC (e.g. CVP and UFP) are no longer supported
PhoneBoy
Admin
Admin
‎2018-08-31 10:01 AM
Jump to solution

Note that going forward, we recommend using Log Exporter guide‌.

Many SIEM integrations now use this (Splunk does), others are in process.

Log Exporter - Splunk Integration Update

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events