
Does R80.10 support OPSEC?


Hello Guys,

Does someone know for sure if we can still use OPSEC with SmartCenter in R80.10?

We are going to migrate to R80.10 and we are using Splunk to collect Check Point logs.

I can't find anything written down saying how to configure the interaction between R80.10 / Splunk. Do we have to use syslog? If yes, what is the recommended configuration?

Thanks!


Accepted Solutions
Danny

Re: Does R80.10 supports OPSEC?


R80.10 supports OPSEC and Splunk is an Official OPSEC Partner.

Configure Splunk as shown below and install the Splunk Add-On.

Right-click on Servers > OPSEC Application > Application...

Related:

About the Splunk Add-on for Check Point OPSEC LEA

Install the Splunk Add-on for Check Point OPSEC LEA

Configure the Splunk Add-on for Check Point OPSEC LEA

6 Replies

Re: Does R80.10 supports OPSEC?


If you follow the links in Danny's excellent reply, there is lots of info there to set it up. In addition, by default the R80 internal CA supports SHA-256 certificates for the SIC connection. Splunk's LEA client supports SHA-256 since their 4.0.0 release in June 2016. More info is in their release notes history.

hth,

bob

Re: Does R80.10 supports OPSEC?


Thanks a lot.

It seems pretty clear. I don't know why I have received the message that it's not supported anymore and that we should use syslog.


Re: Does R80.10 supports OPSEC?


You may need to check your SDK version.

The older SDK versions don't understand SHA256.

I got it working in my lab on a brand new Splunk installation. The trick is to add the SDK files and use the latest version before you start to configure it.

Admin

Re: Does R80.10 support OPSEC?


To answer the more general question of OPSEC in R80.x, yes it is supported, with some limitations:

  • SHA256 CAs are now the default, which means you may need to update your applications to support
  • CPMI is only partially supported (namely you need to use the R80.x API to manage the security policy, but you can still use it to manipulate individual objects)
  • Legacy parts of OPSEC (e.g. CVP and UFP) are no longer supported
Admin

Re: Does R80.10 support OPSEC?


Note that going forward, we recommend using Log Exporter guide.

Many SIEM integrations now use this (Splunk does), others are in process.

Log Exporter - Splunk Integration Update
