Frederic_Kasmir
Participant

Does R80.10 support OPSEC?

Hello Guys,

Does someone know for sure if we can still use OPSEC with SmartCenter in R80.10?

We are going to migrate to R80.10 and we are using Splunk to collect Check Point logs.

I can't find anything written down saying how to configure the interaction between R80.10 and Splunk. Do we have to use syslog? If yes, what is the recommended configuration?

Thanks!

Accepted Solutions
Danny
Champion

R80.10 supports OPSEC and Splunk is an Official OPSEC Partner.

Configure Splunk as shown below and install the Splunk Add-On.

Right-click on Servers > OPSEC Application > Application...

Related:

About the Splunk Add-on for Check Point OPSEC LEA

Install the Splunk Add-on for Check Point OPSEC LEA

Configure the Splunk Add-on for Check Point OPSEC LEA

6 Replies
DeletedUser
Not applicable

If you follow the links in Danny's excellent reply, there is lots of info there to set it up. In addition, by default the R80 internal CA supports SHA-256 certificates for the SIC connection. Splunk's LEA client supports SHA-256 since their 4.0.0 release in June 2016. More info is in their release notes history.

hth,

bob

Frederic_Kasmir
Participant

Thanks a lot.

It seems pretty clear. I don't know why I have received the message that it's not supported anymore and that we should use syslog.

0 Kudos
Hugo_vd_Kooij
Advisor

You may need to check your SDK version.

The older SDK versions don't understand SHA256.

I got it working in my lab on a brand new Splunk installation. The trick is to add the SDK files and use the latest version before you start to configure it.

<< We make miracles happen while you wait. The impossible jobs take just a wee bit longer. >>
0 Kudos
PhoneBoy
Admin

To answer the more general question of OPSEC in R80.x, yes it is supported, with some limitations:

  • SHA256 CAs are now the default, which means you may need to update your applications to support them
  • CPMI is only partially supported (namely you need to use the R80.x API to manage the security policy, but you can still use it to manipulate individual objects)
  • Legacy parts of OPSEC (e.g. CVP and UFP) are no longer supported
PhoneBoy
Admin

Note that going forward, we recommend using Log Exporter guide.

Many SIEM integrations now use this (Splunk does), others are in process.

Log Exporter - Splunk Integration Update

0 Kudos
