Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Julie_Paul
Employee
Employee
Jump to solution

LEA Connections

Trying to setup a 3rd party LEA connection to Log Rhythm, has anyone done this yet with R80?  Any issues/gotchas?

0 Kudos
1 Solution

Accepted Solutions
Timothy_Hall
Legend Legend
Legend

Yes: if this is a new R80 setup the CRL (among other things) will be signed using SHA-256 instead of SHA-1 by default, which LogRhythm may not be able to deal with if it was compiled with an older version of the OPSEC libraries.  Workaround is to regenerate the certificate using SHA-1 which is described in sk109618.  If you can't/won't do this for some reason, your final fallback is to configure the OPSEC connection as "clear" which is not a good idea security-wise but it does work.

--

My book "Max Power: Check Point Firewall Performance Optimization"

now available via http://maxpowerfirewalls.com.

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com

View solution in original post

0 Kudos
8 Replies
Timothy_Hall
Legend Legend
Legend

Yes: if this is a new R80 setup the CRL (among other things) will be signed using SHA-256 instead of SHA-1 by default, which LogRhythm may not be able to deal with if it was compiled with an older version of the OPSEC libraries.  Workaround is to regenerate the certificate using SHA-1 which is described in sk109618.  If you can't/won't do this for some reason, your final fallback is to configure the OPSEC connection as "clear" which is not a good idea security-wise but it does work.

--

My book "Max Power: Check Point Firewall Performance Optimization"

now available via http://maxpowerfirewalls.com.

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com
0 Kudos
Mike_Swaminatha
Employee Alumnus
Employee Alumnus

Hi Tim

My customer wants to integrate R80 management server with Arcsight over lea.. Is it possible?

Currently they are on R77.30 and arcsight is integrated through Lea mode

Arcsight said to customer that is not supported with R80 version yet.

regards

Mike

0 Kudos
Timothy_Hall
Legend Legend
Legend

Arcsight and R80 worked fine for my customer once we ensured the certificate used for the OPSEC LEA transaction was generated with SHA-1 and not SHA-256 as specified in sk109618.   There was a new OPSEC SDK released by Check Point that supports SHA-256 (sk110425); OPSEC vendors like Arcsight need to recompile their applications with it to permit SHA-256 support.

--

My book "Max Power: Check Point Firewall Performance Optimization"

now available via http://maxpowerfirewalls.com.

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com
Mike_Swaminatha
Employee Alumnus
Employee Alumnus

Hi Tim

Thanks for your reply

Does below command is support for R80 because as per SK article the version supported is till R77.30

[Expert@HostName]# cpca_client set_sign_hash sha1

regards

Mike

0 Kudos
Timothy_Hall
Legend Legend
Legend

Yes that was the command we used on R80.  Need to run that command, set up SIC with Arcsight then set default signing algorithm back to SHA-256.

--

My book "Max Power: Check Point Firewall Performance Optimization"

now available via http://maxpowerfirewalls.com.

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com
0 Kudos
Mike_Swaminatha
Employee Alumnus
Employee Alumnus

Hello Tim

I am working with HP team here

can you also share the customer name so I will ask HP team to check confirm from their end.

regards

Mike

0 Kudos
Timothy_Hall
Legend Legend
Legend

I can't name the account in an open post, please contact the Check Point SE for the account Tom Stasko, I have alerted him to this conversation thread.

--

My book "Max Power: Check Point Firewall Performance Optimization"

now available via http://maxpowerfirewalls.com.

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com
0 Kudos
Thomas_Stasko
Employee Alumnus
Employee Alumnus

Mike,

Feel free to shoot me an email and I can tell you more about the customer and deployment.

tstasko@checkpoint.com

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events