Patrick_Tuttle1
Collaborator

Log Exporter & Qradar TLS

Hello CheckMates;

Wondering if anyone has gotten the Log Exporter to work with Qradar and TLS Authentication.  We have been at this on and off for days using sk122323 and it will not authenticate.

We see "TcpTlsSender::MakeConnection: ckpSSL_Connect failed error: unknown". There is an SK with this error, but it simply points to a cert problem.

We have an ongoing case with Check Point and IBM.  IBM has confirmed the configuration on their end is good.  Check Point TAC, we are still waiting for an update.

IBM claims this setup has not been tested with IBM & Check Point yet, but working with us on the problem anyway. 

We are using the Qradar appliance to do all the openssl commands, following what's in the Log Exporter sk122323.

Any advice / direction would be appreciated.

-pat


0 Kudos
24 Replies
PhoneBoy
Admin

Can you PM me the relevant SR?

0 Kudos
OlegY
Employee

Hello Patrick,

My name is Oleg, I'm from RnD. I will try to help you. 

For security reasons the SSL protocol can't send more informative errors, so to understand what the problem is, please send me a tcpdump between your device and Qradar.

oyakovle@checkpoint.com

Regards,

Oleg.


0 Kudos
Patrick_Tuttle1
Collaborator

Thanks for the response. After running tcpdump, the one thing that stands out is "Certificate unknown error (46)". This was following the sk and doing a self-signed RootCA.pem on the Qradar appliance using its openssl. I then tried to deploy internal certificates using our Microsoft CA. I now get "unable to get local issuer certificate". I don't think this works at all. When making a configuration change on Qradar, most of the time the cert does not import correctly and I have to move it to a new directory in order for it to be seen using this command:

"cpopenssl s_client -connect x.x.x.x:6514 -showcerts"

I think the problem is more on the Qradar side or some steps are being missed on either side.

Seems to me that IBM and Check Point need to get together on this. Check Point TAC cannot tell me this has been tested and working, and neither can IBM. IBM hasn't even produced any documents specific to TLS Authentication and wants to record our sessions so they can produce a doc on how to set it up. I think we are using the wrong SIEM..... come up with

Using Log Exporter without certs and sending to Qradar works fine. So for now this is what we are using.

0 Kudos
OlegY
Employee

I'm sorry to hear that you didn't succeed in configuring TLS with QRadar. I will try to force integration with the IBM team. Keep following sk122323 for updates.

For TLS, I can recommend working with the CP application on Splunk.


0 Kudos
OlegY
Employee

Hi Patrick,

Can you redirect the IBM guys that you dealt with to me, to force a suitable TLS solution?

Regards,

Oleg.

0 Kudos
Patrick_Tuttle1
Collaborator

Thanks Oleg.

I'll pm you with the info I have.

0 Kudos
Patrick_Tuttle1
Collaborator

Just wanted to update on this. The problem is still there. No resolution from either side; however, Check Point has reproduced this problem....

Quote from TAC:

"Our development team was also able to reproduce the issue in their lab and tried their best to find the root cause. They think the issue is on IBM and they need to investigate this on their side. Our RnD is also doing their best to push your IBM case to get a root cause on this issue. Please check with IBM and get back to us in case of further investigation needed from Checkpoint side".


I ask what's wrong with this picture????

Why can't these 2 companies work together? If Check Point is able to see the same problem we see, then I would think at a higher level this would be addressed, leaving the customer out of it until a fix is found by either party. Not make the customer chase cases and provide debugs for months!!!!

Maybe it's just me.....


0 Kudos
Shay_Hibah
Employee Alumnus

Hey @Patrick_Tuttle1 

My name is Shay and I am the team leader who is responsible for Log Exporter.

First and foremost, I am sorry to see your frustration regarding the TLS feature when working with QRadar platform.

Your task was handled by my team over the last month, where we wanted to verify that our side functions as expected.

Therefore, we also created our own environment and reproduced the issue you are facing.

Like you, we found out that something was broken when working with QRadar, functionality that should have worked.

As a result, I suspected that something on IBM side was changed.

At this point I did 2 things:

  1. Although it is not under Check Point's domain, I debugged the QRadar server to get more specific errors regarding the issue, in order to see if someone else (not necessarily a Check Point customer) faced the same issue. I did find similar cases, but no result could be found.
  2. In addition, I contacted the IBM team about it, and it seems that they should release new documentation about TLS configuration on their side.

I must admit and agree with you that this is frustrating and therefore I tried to push your case by myself.

The information given to me is that every team at IBM has internal tools that can be run on your environment to validate the TLS configuration.

I want you to know that we are doing our best to push this case further from our side but since it seems to be an issue with QRadar side, all we can do is to try escalating this issue more and more.

I will keep monitoring it from our side and hope to have any updates soon.

Shay

0 Kudos
Patrick_Tuttle1
Collaborator

Hi Shay, and thanks very much for all the detail and effort. I sent this along to IBM as well as the case notes, but again, this type of problem should be handled at a partnership level and leave the customer out of it.

-pat

0 Kudos
simonemanto
Participant

Hello Patrick

I'm experiencing the same issue while sending logs to a Qradar server (everything works fine if I send the logs to a Linux syslog server); did you find a solution for the issue? Are you able to send logs to Qradar using TLS?

Thanks.

0 Kudos
Patrick_Tuttle1
Collaborator

Hello;

Yes, I'm happy to say that IBM finally figured it out. I was using the Check Point sk122323 to generate the certs on the Qradar device. At that time IBM did not have any specific documentation on TLS Authentication. The solution was to generate the RootCA using a bogus IP, NOT the IP of Qradar as the RootCA. I used the Qradar default gateway IP as the RootCA. Not sure if using any other IP would work as well? Initially I was using the IP of Qradar for the RootCA as well as the same IP for the SyslogServer. This case was open with Check Point and IBM for 5 months before this was discovered. Still does not seem correct to me, but it works. I did go and generate certs with our internal MS certificate authority. These certs work for everything else, but could not get those to work either. IBM could not either.

IBM is supposed to have a doc on it by now but I have not gone back to look for it.

simonemanto
Participant

Great!!!

Thanks Patrick, it worked.

Thanks again.

0 Kudos
Patrick_Tuttle1
Collaborator

That's great glad it worked. 

I did go through IBM website this morning and found they have published a doc.

https://www.ibm.com/support/knowledgecenter/SS42VS_DSM/com.ibm.dsm.doc/t_dsm_guide_Checkpoint_tls_en...

-pat

0 Kudos
the_rock
Legend

Hi Patrick,

My colleague and I are trying to do the same process, just on a different vendor... when you say you used a bogus IP, are you referring to a bogus external IP or something else?


Thanks in advance!

0 Kudos
simonemanto
Participant

As Common Name (CN) insert an IP address like 192.168.0.1 (not the real IP of the Qradar but a completely different IP address).

0 Kudos
the_rock
Legend

Can we use, say, the Qradar default gateway IP? Or, say, if the Qradar IP is 192.168.50.100, are you saying that the CN can be, say, 192.168.50.105 if .105 is not used? Should we put in the same IP for the server-side cert as well?

0 Kudos
simonemanto
Participant

Just to have a simple configuration; this is what I've done:

CA certificate - CN 192.168.0.1

Server Certificate - CN 192.168.0.2

Client Certificate - CN 192.168.0.3

0 Kudos
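The following script is an added example, not part of this thread and not Check Point's or IBM's tooling. It builds the three-certificate layout simonemanto lists above (CA CN 192.168.0.1, server CN 192.168.0.2, client CN 192.168.0.3) with plain openssl, then runs the two checks that explain Patrick's earlier symptoms: `openssl verify` against the right CA succeeds, while verifying against an unrelated CA (standing in for the "internal MS CA" certs that did not work) produces exactly the "unable to get local issuer certificate" message he saw. The `handshake_check` function reproduces on loopback what `cpopenssl s_client -connect <siem>:6514 -showcerts` does against a real receiver, with client-certificate verification turned on. Everything it assumes is constructed: the temp directory, the certificate names, the extra `OtherCA`, and the local port.

```shell
#!/bin/sh
# Added example (not from the thread, Check Point or IBM). Assumes only a working
# `openssl` binary (1.1.x or 3.x). All file names and CNs below are constructed.
set -e

WORK="${WORK:-$(mktemp -d)}"

# new_ca DIR NAME CN : self-signed root CA certificate and key
new_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -subj "/CN=$3" -keyout "$1/$2.key" -out "$1/$2.pem" 2>/dev/null
}

# sign_leaf DIR CA NAME CN : key + CSR for NAME, signed by CA (all files in DIR)
sign_leaf() {
    openssl req -newkey rsa:2048 -nodes -sha256 -subj "/CN=$4" \
        -keyout "$1/$3.key" -out "$1/$3.csr" 2>/dev/null
    openssl x509 -req -sha256 -days 365 -in "$1/$3.csr" \
        -CA "$1/$2.pem" -CAkey "$1/$2.key" -CAcreateserial -out "$1/$3.pem" 2>/dev/null
}

# make_pki DIR : the layout from the thread plus one unrelated CA that the
# exporter does NOT trust (stand-in for certs issued by some other internal CA)
make_pki() {
    mkdir -p "$1"
    new_ca "$1" RootCA 192.168.0.1
    sign_leaf "$1" RootCA server 192.168.0.2   # SIEM / syslog receiver side
    sign_leaf "$1" RootCA client 192.168.0.3   # Log Exporter side
    new_ca "$1" OtherCA 192.168.0.9            # constructed: untrusted issuer
}

# cert_cn FILE : print the subject in RFC 2253 form with spaces removed, e.g. CN=192.168.0.2
cert_cn() {
    openssl x509 -noout -subject -nameopt RFC2253 -in "$1" | sed 's/^subject=//; s/ //g'
}

# verify_chain CAFILE LEAF : print openssl's verdict (stdout and stderr merged);
# exit status is 0 only when LEAF chains to CAFILE
verify_chain() {
    openssl verify -CAfile "$1" "$2" 2>&1
}

# handshake_check DIR PORT : mutual-TLS handshake over loopback, the local
# equivalent of `cpopenssl s_client -connect <siem>:6514 -showcerts`.
# Prints s_client's "Verify return code" line. Needs a free local port.
handshake_check() {
    openssl s_server -accept "$2" -cert "$1/server.pem" -key "$1/server.key" \
        -CAfile "$1/RootCA.pem" -Verify 1 -quiet >/dev/null 2>&1 &
    srv=$!
    sleep 1
    echo Q | openssl s_client -connect "127.0.0.1:$2" -cert "$1/client.pem" \
        -key "$1/client.key" -CAfile "$1/RootCA.pem" 2>&1 | grep "Verify return code" || true
    kill "$srv" 2>/dev/null || true
}

make_pki "$WORK"
cert_cn "$WORK/server.pem"                                    # CN=192.168.0.2
verify_chain "$WORK/RootCA.pem" "$WORK/server.pem"            # .../server.pem: OK
verify_chain "$WORK/OtherCA.pem" "$WORK/client.pem" || true   # unable to get local issuer certificate
[ "${RUN_HANDSHAKE:-0}" = 1 ] && handshake_check "$WORK" 16514 || true
```

Run it with `RUN_HANDSHAKE=1` to also see the loopback handshake; a successful mutual-TLS exchange ends with `Verify return code: 0 (ok)`, and the same output against a real receiver is the quickest way to tell a trust-store problem on the receiver (the "certificate unknown" alert Patrick captured) from a chain problem on the exporter ("unable to get local issuer certificate"). Note that plain `openssl verify` checks only the signature chain, not that the CN matches the peer's address, which is why the CN values here can be addresses nobody uses.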
the_rock
Legend

Sorry to be annoying about this, but did you use the Qradar default gateway as the CA cert CN, or just 3 random IPs from the same subnet that are not in use? Thanks a lot!

0 Kudos
simonemanto
Participant

No, there's no relation between the IP address defined in the CN and the IP addresses of the Qradar and your network; so when you create the certificate you can choose completely different IP addresses (random if you prefer).

the_rock
Legend

Thanks very much, we are just trying that now. Will update with the results!

0 Kudos
OlegY
Employee

Because Log Exporter uses the Check Point SSL infrastructure, there is an important point: the CA address must be real and accessible, at least from the exporter device.

I don't think that it's right to put in just a bogus IP. In fact, Patrick used the real default gateway IP.

0 Kudos
the_rock
Legend

Hi Oleg,


My colleague and I actually tried using the default gateway, as a matter of fact, and it never worked.

0 Kudos
OlegY
Employee

I'm glad that you have a better solution. Please update whether it worked with a non-valid IP.

the_rock
Legend

THANKS A LOT MAN!! You really saved the day, I really appreciate your help, thank you sooo much!

0 Kudos
