https://community.checkpoint.com/t5/Firewall-and-Security-Management/QRadar-Integration/m-p/24855#M98378 <HTML><HEAD></HEAD><BODY><P>Hi All,</P><P></P><P>Our customer has MDS environment. They have MDS-HA and MLM and integrated to the QRadar. We will upgrade environment from R77.30 to the R80.10.&nbsp;</P><P></P><P>I just wonder that is there any problem with Qradar? I know Check Point use SHA256 for opsec. We need to change this to SHA-1. After this will everything work normally?&nbsp;</P><P></P><P>Thanks.</P><P></P><P>Kind Regards,</P><P>Kasim Gokbel</P></BODY></HTML> Wed, 24 Jan 2018 12:35:21 GMT Kasim_Gokbel 2018-01-24T12:35:21Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/QRadar-Integration/m-p/24855#M98378 <HTML><HEAD></HEAD><BODY><P>Hi All,</P><P></P><P>Our customer has MDS environment. They have MDS-HA and MLM and integrated to the QRadar. We will upgrade environment from R77.30 to the R80.10.&nbsp;</P><P></P><P>I just wonder that is there any problem with Qradar? I know Check Point use SHA256 for opsec. We need to change this to SHA-1. After this will everything work normally?&nbsp;</P><P></P><P>Thanks.</P><P></P><P>Kind Regards,</P><P>Kasim Gokbel</P></BODY></HTML> Wed, 24 Jan 2018 12:35:21 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/QRadar-Integration/m-p/24855#M98378 Kasim_Gokbel 2018-01-24T12:35:21Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/QRadar-Integration/m-p/24856#M98379 <HTML><HEAD></HEAD><BODY><P>I haven't done the Q-Radar integration, just Alert Logic, but there was a thread earlier referring to&nbsp;<A class="link-titled" href="https://www.ibm.com/support/knowledgecenter/SS42VS_DSM/t_DSM_guide_Checkpoint_firewall1_OPSECLEA.html#t_dsm_guide_checkpoint_firewall1_opseclea" title="https://www.ibm.com/support/knowledgecenter/SS42VS_DSM/t_DSM_guide_Checkpoint_firewall1_OPSECLEA.html#t_dsm_guide_checkpoint_firewall1_opseclea" rel="nofollow noopener noreferrer" target="_blank">IBM Knowledge Center</A>&nbsp;for this subject.</P><P>Of interest may be also this thread:&nbsp;<A href="https://community.checkpoint.com/message/12894-lea-port-not-listening" target="_blank">https://community.checkpoint.com/message/12894-lea-port-not-listening</A>&nbsp;.</P></BODY></HTML> Fri, 21 Jun 2019 09:12:43 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/QRadar-Integration/m-p/24856#M98379 Vladimir 2019-06-21T09:12:43Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/QRadar-Integration/m-p/24857#M98380 <HTML><HEAD></HEAD><BODY><P>Hi, yes, we use QRADAR and just went through this. It is working. We did use SHA256 and it did work. SHA 256 did not work for our Symantec Managed Services Appliance (LCP3.0) and we had to switch to SHA1 but QRADAR worked fine. Below is how we configured the LEA settings for QRADAR. Good Luck:&nbsp;</P><P></P><P>Log Source Name&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;(Our CP Log Server Name)</P><P>Log Source Desc&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Checkpoint Log Server<BR />Log Source Type&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Checkpoint</P><P>Protocol&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; OPSEC/LEA</P><P>Log Source IDentifier&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; (the ip address of our log server)&nbsp;</P><P>Server IP&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;(also the ip of our log server)&nbsp;</P><P>Server Port&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;18184</P><P>Use Server IP for Log Source&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Checked</P><P>Statistics Report Interval&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &nbsp;600</P><P>Authentication Type&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;sslca</P><P>OpSEC App Obj SIC Attr&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;The DN path of your OPSEC application Object</P><P>Log Source SIC Attribute&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;The DN path of your logging server&nbsp;</P><P>Specify Certificate&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Checked</P><P>Certificate Authority IP&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &nbsp;IP of your management server</P><P>Pull Certificate Password&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &nbsp;the shared / trusted SIC secret you specified in OBSEC object</P><P>OPSEC Application&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Just the name of the application ( I used the short non-DN name of the OPSEC Object)</P><P>Enabled&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Checked</P><P>Target Collector&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;which QRADAR appliance do you want to reach out to the Log Server</P><P>Coalescing Events&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Checked</P><P>Store Event Payload&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Checked</P><P>Log Source Extension&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;I left this blank</P><P>Select QRadar Groups&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Check the group you want.&nbsp;</P><P></P><P>This site was helpful:<BR /><A class="link-titled" href="https://www.ibm.com/support/knowledgecenter/SS42VS_DSM/t_DSM_guide_Checkpoint_firewall1_OPSECLEA.html#t_dsm_guide_checkpoint_firewall1_opseclea" title="https://www.ibm.com/support/knowledgecenter/SS42VS_DSM/t_DSM_guide_Checkpoint_firewall1_OPSECLEA.html#t_dsm_guide_checkpoint_firewall1_opseclea">IBM Knowledge Center</A>&nbsp;</P></BODY></HTML> Wed, 24 Jan 2018 13:23:38 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/QRadar-Integration/m-p/24857#M98380 Justin_Hickey 2018-01-24T13:23:38Z