cancel
Showing results for 
Search instead for 
Did you mean: 
Create a Post
Employee+
Employee+

LEA Connections

Jump to solution

Trying to setup a 3rd party LEA connection to Log Rhythm, has anyone done this yet with R80?  Any issues/gotchas?

Labels (1)
0 Kudos
1 Solution

Accepted Solutions

Re: LEA Connections

Jump to solution

Yes: if this is a new R80 setup the CRL (among other things) will be signed using SHA-256 instead of SHA-1 by default, which LogRhythm may not be able to deal with if it was compiled with an older version of the OPSEC libraries.  Workaround is to regenerate the certificate using SHA-1 which is described in sk109618.  If you can't/won't do this for some reason, your final fallback is to configure the OPSEC connection as "clear" which is not a good idea security-wise but it does work.

--

My book "Max Power: Check Point Firewall Performance Optimization"

now available via http://maxpowerfirewalls.com.

"IPS Immersion Training" Self-paced Video Class
Now Available at http://www.maxpowerfirewalls.com
0 Kudos
8 Replies

Re: LEA Connections

Jump to solution

Yes: if this is a new R80 setup the CRL (among other things) will be signed using SHA-256 instead of SHA-1 by default, which LogRhythm may not be able to deal with if it was compiled with an older version of the OPSEC libraries.  Workaround is to regenerate the certificate using SHA-1 which is described in sk109618.  If you can't/won't do this for some reason, your final fallback is to configure the OPSEC connection as "clear" which is not a good idea security-wise but it does work.

--

My book "Max Power: Check Point Firewall Performance Optimization"

now available via http://maxpowerfirewalls.com.

"IPS Immersion Training" Self-paced Video Class
Now Available at http://www.maxpowerfirewalls.com
0 Kudos

Re: LEA Connections

Jump to solution

Hi Tim

My customer wants to integrate R80 management server with Arcsight over lea.. Is it possible?

Currently they are on R77.30 and arcsight is integrated through Lea mode

Arcsight said to customer that is not supported with R80 version yet.

regards

Mike

0 Kudos

Re: LEA Connections

Jump to solution

Arcsight and R80 worked fine for my customer once we ensured the certificate used for the OPSEC LEA transaction was generated with SHA-1 and not SHA-256 as specified in sk109618.   There was a new OPSEC SDK released by Check Point that supports SHA-256 (sk110425); OPSEC vendors like Arcsight need to recompile their applications with it to permit SHA-256 support.

--

My book "Max Power: Check Point Firewall Performance Optimization"

now available via http://maxpowerfirewalls.com.

"IPS Immersion Training" Self-paced Video Class
Now Available at http://www.maxpowerfirewalls.com

Re: LEA Connections

Jump to solution

Hi Tim

Thanks for your reply

Does below command is support for R80 because as per SK article the version supported is till R77.30

[Expert@HostName]# cpca_client set_sign_hash sha1

regards

Mike

0 Kudos

Re: LEA Connections

Jump to solution

Yes that was the command we used on R80.  Need to run that command, set up SIC with Arcsight then set default signing algorithm back to SHA-256.

--

My book "Max Power: Check Point Firewall Performance Optimization"

now available via http://maxpowerfirewalls.com.

"IPS Immersion Training" Self-paced Video Class
Now Available at http://www.maxpowerfirewalls.com
0 Kudos

Re: LEA Connections

Jump to solution

Hello Tim

I am working with HP team here

can you also share the customer name so I will ask HP team to check confirm from their end.

regards

Mike

0 Kudos

Re: LEA Connections

Jump to solution

I can't name the account in an open post, please contact the Check Point SE for the account Tom Stasko, I have alerted him to this conversation thread.

--

My book "Max Power: Check Point Firewall Performance Optimization"

now available via http://maxpowerfirewalls.com.

"IPS Immersion Training" Self-paced Video Class
Now Available at http://www.maxpowerfirewalls.com
0 Kudos
Employee
Employee

Re: LEA Connections

Jump to solution

Mike,

Feel free to shoot me an email and I can tell you more about the customer and deployment.

tstasko@checkpoint.com

0 Kudos