cancel
Showing results for 
Search instead for 
Did you mean: 
Create a Post

QRadar Integration

Hi All,

Our customer has MDS environment. They have MDS-HA and MLM and integrated to the QRadar. We will upgrade environment from R77.30 to the R80.10. 

I just wonder that is there any problem with Qradar? I know Check Point use SHA256 for opsec. We need to change this to SHA-1. After this will everything work normally? 

Thanks.

Kind Regards,

Kasim Gokbel

Tags (2)
2 Replies
Vladimir
Pearl

Re: QRadar Integration

I haven't done the Q-Radar integration, just Alert Logic, but there was a thread earlier referring to IBM Knowledge Center for this subject.

Of interest may be also this thread: https://community.checkpoint.com/message/12894-lea-port-not-listening .

0 Kudos
Highlighted

Re: QRadar Integration

Hi, yes, we use QRADAR and just went through this. It is working. We did use SHA256 and it did work. SHA 256 did not work for our Symantec Managed Services Appliance (LCP3.0) and we had to switch to SHA1 but QRADAR worked fine. Below is how we configured the LEA settings for QRADAR. Good Luck: 

Log Source Name                           (Our CP Log Server Name)

Log Source Desc                            Checkpoint Log Server
Log Source Type                             Checkpoint

Protocol                                           OPSEC/LEA

Log Source IDentifier                      (the ip address of our log server) 

Server IP                                         (also the ip of our log server) 

Server Port                                      18184

Use Server IP for Log Source         Checked

Statistics Report Interval                 600

Authentication Type                         sslca

OpSEC App Obj SIC Attr                 The DN path of your OPSEC application Object

Log Source SIC Attribute                 The DN path of your logging server 

Specify Certificate                            Checked

Certificate Authority IP                     IP of your management server

Pull Certificate Password                 the shared / trusted SIC secret you specified in OBSEC object

OPSEC Application                      Just the name of the application ( I used the short non-DN name of the OPSEC Object)

Enabled                                           Checked

Target Collector                                which QRADAR appliance do you want to reach out to the Log Server

Coalescing Events                           Checked

Store Event Payload                        Checked

Log Source Extension                     I left this blank

Select QRadar Groups                     Check the group you want. 

This site was helpful:
IBM Knowledge Center 

0 Kudos