quanglnh
Ivory

Checkpoint OPSEC LEA with LogRhythm SIEM

Hi Everyone,

 

I have a Smart-1 5150 device that manages 90 Check Point gateways. I want to integrate it with LogRhythm SIEM.

I created a host object for LogRhythm SIEM with its IP.

I created an OPSEC Application for it and also pulled certificates from Check Point Smart-1 devices.

sic1.PNG

sic2.PNG

Now I need to provide the information below on LogRhythm SIEM:

  • opsec_sic_name "OPSEC_APP_SIC_DN"
  • lea_server ip IP_ADDRESS
  • lea_server auth_port 18184
  • lea_server auth_type sslca
  • lea_server opsec_entity_sic_name "LOG_SERVER_DN"
  • opsec_sslca_file "C:\checkpoint_config\opsec.p12"

 

"OPSEC_APP_SIC_DN" is the DN name in the OPSEC Application, which is "CN=LogRhythm-XM,O=CP-Smart1..ksmkv" in my picture. Is this correct?

"lea_server auth_type" is sslca. Is sslca the only type, or are there other types?
"LOG_SERVER_DN": I am not sure where to collect this info. I went to the web portal of the Smart-1 device and see the DN in the Certificate Authority tab, as below:

sic3.PNG

Is this the right DN for "LOG_SERVER_DN"? Since the Smart-1 device manages all the other firewalls, the "LOG_SERVER_DN" is the DN of the Smart-1 device, right?

Because after configuring, I still can't receive any Check Point OPSEC logs on LogRhythm SIEM. Please help me solve this issue. Thanks!

0 Kudos
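As an added example (not part of the original post, and not Check Point or LogRhythm code): a small pre-flight lint over the six settings listed in the question. It flags template placeholders left in place, values that do not look like a DN, and the same DN pasted into both DN fields. The one-setting-per-line syntax is assumed from the way the post lists them, and the DN and IP values in the sample are constructed.

```python
import re
# Keys and template placeholders exactly as posted in the question.
REQUIRED = ("opsec_sic_name", "lea_server ip", "lea_server auth_port",
            "lea_server auth_type", "lea_server opsec_entity_sic_name",
            "opsec_sslca_file")
PLACEHOLDERS = {"OPSEC_APP_SIC_DN", "IP_ADDRESS", "LOG_SERVER_DN"}
# Loose DN shape check, an assumed heuristic: attr=value pairs joined by commas.
DN_RE = re.compile(r"^[A-Za-z]+=[^,=]+(,[A-Za-z]+=[^,=]+)+$")
# Constructed sample: the log server DN was pasted into both DN fields.
SAMPLE = r'''
opsec_sic_name "cn=cp_mgmt,o=example-mgmt..abc123"
lea_server ip 192.0.2.10
lea_server auth_port 18184
lea_server auth_type sslca
lea_server opsec_entity_sic_name "cn=cp_mgmt,o=example-mgmt..abc123"
opsec_sslca_file "C:\checkpoint_config\opsec.p12"
'''

def parse(text):
    """Map each known key to its value, stripping surrounding quotes."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip().lstrip("•").strip()  # tolerate pasted bullets
        for key in REQUIRED:
            if line.startswith(key + " "):
                settings[key] = line[len(key):].strip().strip('"')
    return settings

def lint(text):
    """Return a list of findings; an empty list means nothing was flagged."""
    s = parse(text)
    problems = [f"missing setting: {k}" for k in REQUIRED if k not in s]
    problems += [f"{k}: placeholder {v} not replaced"
                 for k, v in s.items() if v in PLACEHOLDERS]
    dn_keys = ("opsec_sic_name", "lea_server opsec_entity_sic_name")
    for key in dn_keys:
        dn = s.get(key, "")
        if dn and dn not in PLACEHOLDERS and not DN_RE.match(dn):
            problems.append(f"{key}: value does not look like a DN")
    client, server = (s.get(k, "").lower() for k in dn_keys)
    if client and client == server:
        problems.append("opsec_sic_name and opsec_entity_sic_name are identical")
    port = s.get("lea_server auth_port", "")
    if port and not (port.isdecimal() and 0 < int(port) < 65536):
        problems.append("lea_server auth_port: not a valid TCP port")
    return problems

if __name__ == "__main__":
    print("\n".join(lint(SAMPLE)))
```
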
11 Replies
Admin

Re: Checkpoint OPSEC LEA with LogRhythm SIEM

Log Server DN would appear on the object for your log server in SmartConsole, which could theoretically not be your Smart-1 server.
0 Kudos
quanglnh
Ivory

Re: Checkpoint OPSEC LEA with LogRhythm SIEM

Hi PhoneBoy,

Thanks for your response, but I don't really understand what you are trying to say. The Smart-1 server manages all my gateways, and by default the gateways send logs to the Smart-1 server, right? I haven't configured any other external log server. All I have done is add gateways to Smart-1 and install policy from Smart-1 to the gateways. Then I log in to Smart-1 with SmartConsole and see logs from the gateways. So Smart-1 should be my log server?
0 Kudos
Admin

Re: Checkpoint OPSEC LEA with LogRhythm SIEM

In your case, the Log Server would be the Smart-1 server.
The relevant DN should show on the relevant object in SmartConsole.

In any case, Log Exporter is how we are integrating with SIEMs going forward.
Nice to know we have official support in EA.
0 Kudos

Re: Checkpoint OPSEC LEA with LogRhythm SIEM

Why not use cp log exporter? As far as I can see, the SIEM is on your internal network, so you could send the traffic in cleartext; there is no need for the TLS method. See SK122323.
Regards, Maarten
0 Kudos
quanglnh
Ivory

Re: Checkpoint OPSEC LEA with LogRhythm SIEM

Dear Maarten_Sjouw,

Thanks for your response. I will check the SK you referred to and give it a try. Have a nice day!

0 Kudos
Employee+

Re: Checkpoint OPSEC LEA with LogRhythm SIEM

Hi,

In the last few weeks we developed a new integration with LogRhythm, based on the Log Exporter.

If you want, we can add you to the EA program so you will enjoy simple and improved integration between Check Point and LR.

We will contact you personally about it.

 

Thanks!

Dan.

 

0 Kudos
quanglnh
Ivory

Re: Checkpoint OPSEC LEA with LogRhythm SIEM

Dear Dan_Zada,

 

Yes, it would be great. Please add me to it. I have both Check Point and LogRhythm in my system and I really want to make them work together.

0 Kudos
Employee

Re: Checkpoint OPSEC LEA with LogRhythm SIEM

Hi @quanglnh 

I added you to our EA program.

I just sent a message with more information about it - please check your CheckMates inbox.

 

Regards,

Shay

0 Kudos
quanglnh
Ivory

Re: Checkpoint OPSEC LEA with LogRhythm SIEM

Thanks a lot,

 

I hope we can solve this issue soon!

0 Kudos

Re: Checkpoint OPSEC LEA with LogRhythm SIEM

Hi Shay

We're in the same boat - it would be great if you could also add me to the EA and provide me with some additional information.

Thank you.

Roland

0 Kudos
Employee+

Re: Checkpoint OPSEC LEA with LogRhythm SIEM

Hi @Roland_Wyss 

I will ask the relevant people from my group to contact you.

0 Kudos