topic Re: Event Forwarding Manager Cloud in Portal

Event Forwarding Manager Cloud

itguerreiro — Mon, 26 Sep 2022 18:13:10 GMT

Hello, I'm trying to use the "EventForwarding" configuration to send the logs to my siem, but I'm having problems with the certificate. I entered my company's .crt and .pem certificates, but last step it always complains that the CA is invalid. What could I be doing wrong or what's missing? Thanks!

Re: Event Forwarding Manager Cloud

_Val_ — Tue, 27 Sep 2022 07:17:15 GMT

Could you please share the actual error and more details about the SIEM in use?

Re: Event Forwarding Manager Cloud

itguerreiro — Tue, 27 Sep 2022 12:17:40 GMT

Hi , Thanks for your interaction.

Actually I'm trying to send the logs to my current syslog server, it's not a siem. I tried to follow the step by step of the link https://sc1.checkpoint.com/documents/Infinity_Portal/WebAdminGuides/EN/Infinity-Portal-Admin-Guide/Content/Topics-Infinity-Portal/Event-Forwarding.htm?tocpath=Global%20Settings%7CEvent%20Forwarding%7C_____0#Event_Forwarding

But I'm having difficulties in step 3, I tried to insert my company's certificate, but when it goes to CA validate it says it's not valid. It is not very clear in this link the step by step. Could you help me in a more didactic way?

Thanks!!!

Re: Event Forwarding Manager Cloud

PhoneBoy — Tue, 27 Sep 2022 17:48:00 GMT

Is your CA key a root or is it a sub-CA signed by a different CA?
In that case, I suspect you will need to include all the intermediate certificates to ensure we can validate the entire trust chain.

Re: Event Forwarding Manager Cloud

itguerreiro — Tue, 27 Sep 2022 17:55:40 GMT

@PhoneBoy thanks!!

Where do I process the request to download client certificate? I have to sue on my third party. like for example godday, thawte? Or should I do it on my local machine?

Re: Event Forwarding Manager Cloud

itguerreiro — Tue, 27 Sep 2022 18:01:23 GMT

Here's the image of the error I'm having.

Re: Event Forwarding Manager Cloud

Lior_Manor — Tue, 27 Sep 2022 19:09:08 GMT

Hi,

Please send me the details of you Infinity account to liorm@checkpoint.com, and I will have someone take a look and get back to you.

Lior

Re: Event Forwarding Manager Cloud

PhoneBoy — Tue, 27 Sep 2022 21:16:40 GMT

We're talking about the CA key, right?
That comes from whoever the Certificate Authority is, which should be able to provide you the public key along with all the intermediate public certificates you need.

Re: Event Forwarding Manager Cloud

itguerreiro — Wed, 28 Sep 2022 15:36:13 GMT

@PhoneBoy

From what we understand with the command below, the "Private Key" of the CA is needed and we don't have it.

We do have the Public Key as you said, but we haven't identified how to get a Private Key from a CA.

Can we run the command in another way?

openssl x509 -req -in PORTAL.CSR -CA CA.PEM -CAkey CAPRIVATEKEY.key -CAcreateserial -out CERTOUT.CRT -days 825 -sha256

Re: Event Forwarding Manager Cloud

PhoneBoy — Thu, 29 Sep 2022 14:35:43 GMT

Validation of a Certificate Authority does not require private keys.
However, it does require the public keys of any other CA that has signed your CA certificate.
Refer to the following example from this very website you're interacting with me on 🙂

To validate any certificate signed by DigiCert TLS RSA SHA256 2020 CA1, you also need the public key of DigiCert Global Root CA.
Unless your CA is a root, then we need all the public CAs in the certificate chain.