This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Justin_Hickey
Collaborator
‎2018-01-16 04:15 PM
Jump to solution

LEA port not listening

I have a Checkpoint Log Server that is the center point of logs for 6 firewalls. I've setup a LEA connection to that server from a SOC log collection appliance, TCP 18186, which works fine, and another one to a QRadar SIEM 18185 which doesn't work at all. I've restarted services and rebooted, the LogServer just wont listen on the port. I've confirmed this with netstat. Attached is the fwopsec file from the Checkpoint logs server. Any help is appreciated. 

Thanks,

Justin

Preview file
18 KB
0 Kudos
1 Solution

Accepted Solutions
PhoneBoy
Admin
Admin
‎2018-01-16 09:28 PM
Jump to solution

My question is: why do you need to use multiple LEA ports?

Particularly when they are both unauthenticated?

The only place I've seen two different LEA ports used is when one of them is authenticated, the other is not. 

Something like in this SK: Configuring a Log Server R76 and lower to work with both SmartEvent component and an OPSEC LEA serve... 

I don't believe you can do two unauthenticated LEA ports.

https://community.checkpoint.com/people/bbent09791668-5ef8-377b-845e-545aff695211‌?

View solution in original post

8 Replies
PhoneBoy
Admin
Admin
‎2018-01-16 09:28 PM
Jump to solution

My question is: why do you need to use multiple LEA ports?

Particularly when they are both unauthenticated?

The only place I've seen two different LEA ports used is when one of them is authenticated, the other is not. 

Something like in this SK: Configuring a Log Server R76 and lower to work with both SmartEvent component and an OPSEC LEA serve... 

I don't believe you can do two unauthenticated LEA ports.

https://community.checkpoint.com/people/bbent09791668-5ef8-377b-845e-545aff695211‌?

Justin_Hickey
Collaborator
‎2018-01-17 04:36 AM
In response to PhoneBoy
Jump to solution

Thanks for the reply Dameon. I didn't realize that I could point two log sources at the same LEA instance. When you say "unauthenticated", I mean, they do exchange certificates and SIC information. Would you say they are still unauthenticated in that instance ?

Thanks again,

Justin

0 Kudos
PhoneBoy
Admin
Admin
‎2018-01-17 08:52 AM
In response to Justin_Hickey
Jump to solution

I mean unauthenticated.

This is based on what it says in sk89620 and the screenshot of your fwopsec.conf says.

You probably want to change the line to auth_port instead of just port if you want SIC authentication Smiley Happy

Note that LEA has been multi-threaded (and able to support multiple endpoints connecting) since R77.

DeletedUser
Not applicable
‎2018-01-17 09:15 AM
In response to PhoneBoy
Jump to solution

What Dameon said 🙂 Would just add that if both do SIC, then there's no need for the fwopsec.conf edits. Use the defaults and have them connect on the same port 18184. Will simplify things when you do an upgrade.

Justin_Hickey
Collaborator
‎2018-01-17 11:46 AM
In response to PhoneBoy
Jump to solution

Thanks for the many responses. Couldn't get it to work on 18184. I did a tcpdump and currently traffic between log and management server exist on that port. I got it work with 18186 but most of the pertinent fields come across as *** Confidential *** . I'm assuming perhaps checkpoint doesn't like to send this info across the wire in the clear ?

Going to try 18184 again.

0 Kudos
Ni_c
Contributor
‎2018-01-17 08:17 AM
Jump to solution

We had a similar issue long back for R80 management. At that time the issue was fixed after restatting the QRadar services only after make sure of the authentication type and port on both QRadar and log server are same. 


0 Kudos
Justin_Hickey
Collaborator
‎2018-01-17 12:10 PM
Jump to solution

Second try worked with 18184, going to change my other log source as well. Thanks for all the help. I haven't worked on Checkpoints for 10+ years back when they were on Nokias so I am more than a little rusty.

This guide was helpful on the QRADAR side.

https://www.ibm.com/support/knowledgecenter/SS42VS_DSM/t_DSM_guide_Checkpoint_firewall1_OPSECLEA.htm...

0 Kudos
PhoneBoy
Admin
Admin
‎2018-01-17 12:25 PM
In response to Justin_Hickey
Jump to solution

Great to hear Smiley Happy

I still have a few Nokia boxes at my house from back in the days when I worked there.

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events