This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Julie_Paul
Employee
Employee
‎2016-04-25 03:04 PM
Jump to solution

LEA Connections

Trying to setup a 3rd party LEA connection to Log Rhythm, has anyone done this yet with R80?  Any issues/gotchas?

Labels
0 Kudos
1 Solution

Accepted Solutions
Timothy_Hall
Legend Legend
Legend
‎2016-04-25 06:13 PM
Jump to solution

Yes: if this is a new R80 setup the CRL (among other things) will be signed using SHA-256 instead of SHA-1 by default, which LogRhythm may not be able to deal with if it was compiled with an older version of the OPSEC libraries.  Workaround is to regenerate the certificate using SHA-1 which is described in sk109618.  If you can't/won't do this for some reason, your final fallback is to configure the OPSEC connection as "clear" which is not a good idea security-wise but it does work.

--

My book "Max Power: Check Point Firewall Performance Optimization"

now available via http://maxpowerfirewalls.com.

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com

View solution in original post

0 Kudos
8 Replies
Timothy_Hall
Legend Legend
Legend
‎2016-04-25 06:13 PM
Jump to solution

Yes: if this is a new R80 setup the CRL (among other things) will be signed using SHA-256 instead of SHA-1 by default, which LogRhythm may not be able to deal with if it was compiled with an older version of the OPSEC libraries.  Workaround is to regenerate the certificate using SHA-1 which is described in sk109618.  If you can't/won't do this for some reason, your final fallback is to configure the OPSEC connection as "clear" which is not a good idea security-wise but it does work.

--

My book "Max Power: Check Point Firewall Performance Optimization"

now available via http://maxpowerfirewalls.com.

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com
0 Kudos
Mike_Swaminatha
Employee Alumnus
Employee Alumnus
‎2017-02-01 03:59 AM
Jump to solution

Hi Tim

My customer wants to integrate R80 management server with Arcsight over lea.. Is it possible?

Currently they are on R77.30 and arcsight is integrated through Lea mode

Arcsight said to customer that is not supported with R80 version yet.

regards

Mike

0 Kudos
Timothy_Hall
Legend Legend
Legend
‎2017-02-01 04:41 AM
In response to Mike_Swaminatha
Jump to solution

Arcsight and R80 worked fine for my customer once we ensured the certificate used for the OPSEC LEA transaction was generated with SHA-1 and not SHA-256 as specified in sk109618.   There was a new OPSEC SDK released by Check Point that supports SHA-256 (sk110425); OPSEC vendors like Arcsight need to recompile their applications with it to permit SHA-256 support.

--

My book "Max Power: Check Point Firewall Performance Optimization"

now available via http://maxpowerfirewalls.com.

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com
Mike_Swaminatha
Employee Alumnus
Employee Alumnus
‎2017-02-01 04:54 AM
Jump to solution

Hi Tim

Thanks for your reply

Does below command is support for R80 because as per SK article the version supported is till R77.30

[Expert@HostName]# cpca_client set_sign_hash sha1

regards

Mike

0 Kudos
Timothy_Hall
Legend Legend
Legend
‎2017-02-01 05:01 AM
In response to Mike_Swaminatha
Jump to solution

Yes that was the command we used on R80.  Need to run that command, set up SIC with Arcsight then set default signing algorithm back to SHA-256.

--

My book "Max Power: Check Point Firewall Performance Optimization"

now available via http://maxpowerfirewalls.com.

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com
0 Kudos
Mike_Swaminatha
Employee Alumnus
Employee Alumnus
‎2017-02-01 05:00 AM
Jump to solution

Hello Tim

I am working with HP team here

can you also share the customer name so I will ask HP team to check confirm from their end.

regards

Mike

0 Kudos
Timothy_Hall
Legend Legend
Legend
‎2017-02-01 06:35 AM
In response to Mike_Swaminatha
Jump to solution

I can't name the account in an open post, please contact the Check Point SE for the account Tom Stasko, I have alerted him to this conversation thread.

--

My book "Max Power: Check Point Firewall Performance Optimization"

now available via http://maxpowerfirewalls.com.

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com
0 Kudos
Thomas_Stasko
Employee Alumnus
Employee Alumnus
‎2017-02-01 08:55 AM
In response to Mike_Swaminatha
Jump to solution

Mike,

Feel free to shoot me an email and I can tell you more about the customer and deployment.

tstasko@checkpoint.com

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events