- Products
- Learn
- Local User Groups
- Partners
- More
Access Control and Threat Prevention Best Practices
5 November @ 5pm CET / 11am ET
Ask Check Point Threat Intelligence Anything!
October 28th, 9am ET / 3pm CET
Check Point Named Leader
2025 Gartner® Magic Quadrant™ for Hybrid Mesh Firewall
HTTPS Inspection
Help us to understand your needs better
CheckMates Go:
Spark Management Portal and More!
Hello CheckMates;
Wondering if anyone has gotten the Log Exporter to work with Qradar and TLS Authentication. We have been at this on and off for days using sk122323 and it will not authenticate.
We see "TcpTlsSender::MakeConnection: ckpSSL_Connect failed error: unknown" There is an SK with this error but simply points to a cert problem.
We have an ongoing case with Check Point and IBM. IBM has confirmed the configuration on their end is good. Check Point TAC, we are still waiting for an update.
IBM claims this setup has not been tested with IBM & Check Point yet, but working with us on the problem anyway.
We are using the Qradar appliance to do all the openssl commands following what's in the Log Exporter sk122323
Any advice / direction would be appreciated.
-pat
Hello;
Yes I'm happy to say that IBM finally figured it out. I was using the Check Point sk122323 to generate the certs on the Qradar device. At that time IBM did not have any specific documentation on TLS Authentication. The solution was to generate the RootCA using a bogus IP, NOT the IP of Qradar as the RootCA. I used Qrader default gateway IP as the RootCA. Not sure if using any other IP would work as well? Initially I was using the IP of Qradar for the RootCA as well as the same IP for the SyslogServer. this case was open with Check Point and IBM for 5 Months before this was discovered. Still does not seem correct to Me but it works. I did go and generate certs with our internal MS certificate authority. These certs work for everything else but could not get those to work either. IBM could not either.
IBM is supposed to have a doc on it by now but I have not gone back to look for it.
Can you PM me the relevant SR?
Hello Patrick,
My name is Oleg, I'm from RnD. I will try to help you.
From security reason SSL protocol can't send more informative errors, so to understand what is the problem please send me tcpdump between your device and Qradar.
Regards,
Oleg.
Thanks for the response. After running tcpdump the one thing that stands out is "Certificate unknown error (46)" this was following the sk and doing self sign for RootCA.pem on Qradar appliance using it's openssl. I then tried to deploy internal certificates using our Microsoft CA. I know get "unable to get local issuer certificate" I don't think this works at all. When making a configuration change on Qradar most of the time the cert does not import correctly and I have to move it to a new directory in order for it to be seen using this command:
"cpopenssl s_client -connect x.x.x.x:6514 -showcerts"
I think the problem is more on the Qradar side or some steps are being missed on either side.
Seems to Me that IBM and Check Point need to get together on this. Check Point TAC cannot tell me this has been tested and working and neither can IBM. IBM hasn't even produced any documents specific to TLS Authentication and wants to record our sessions so they can produce a doc on how to set it up. I think we are using the wrong SIEM..... come up with
Using Log Exporter without certs and sending to Qradar works fine. So for now this is what e are using.
I'm, sorry to hear that you didn't succeed to configure TLS with QRadar. I will try to force integration with IBM team. Keep follow after sk122323 to updates.
I can recommend for TLS to work with CP application on SPLUNK.
Hi Patrick,
Can you redirect IBM guys that you had deal with to me to force the suitable TLS solution?
Regards,
Oleg.
Thanks Oleg.
I'll pm you with the info I have.
Just wanted to update on this. The problem still there. No resolutin from either side however Check Point has re-produced this problem....
Quote form TAC:
"Our development team was also able to reproduce the issue in their lab and tried their best to find the root cause. They think the issue is on IBM and they need to investigate this on their side. Our RnD is also doing their best to push your IBM case to get a root cause on this issue. Please check with IBM and get back to us in case of further investigation needed from Checkpoint side".
I ask what's wrong with this picture????
Why can't these 2 Companies work together. If Check Point is able to see the same problem We see, then I would think at a higher level this would be addressed and leave the Customer out of it until a fix is found on either party. Not make the Customer chase cases and provide debugs for Months!!!!.
Maybe its just me.....
Hey @Patrick_Tuttle1
My name is Shay and I am the team leader who is responsible for Log Exporter.
First and foremost, I am sorry to see your frustration regarding the TLS feature when working with QRadar platform.
Your task was handled by my team over the last month where we wanted to verify that our side functionates as expected.
Therefore, we also create our own environment and reproduced the issue you are facing with.
As you, we found out that something was broken when working with QRadar, functionality that had to be worked.
As a result, I suspected that something on IBM side was changed.
At this point I did 2 things:
I must admit and agree with you that this is frustrating and therefore I tried to push your case by myself.
The information given to me is that every team on IBM have internal tools that can be ran on your environment and validate the TLS configuration.
I want you to know that we are doing our best to push this case further from our side but since it seems to be an issue with QRadar side, all we can do is to try escalating this issue more and more.
I will keep monitoring it from our side and hope to have any updates soon.
Shay
Hi Shay and thanks very much for all the detail and efforts. I sent this along to IBM as well as the case notes but again this type problem should be handled at a partnership level and leave the Customer out of it.
-pat
Hello Patrick
I'm experiencing the same issue while sending logs to a Qradar server (everything works fine if I send the logs to a linux syslog server); did you find a solution for the issue? Are you able to send logs to qradar using TLS?
Thanks.
Hello;
Yes I'm happy to say that IBM finally figured it out. I was using the Check Point sk122323 to generate the certs on the Qradar device. At that time IBM did not have any specific documentation on TLS Authentication. The solution was to generate the RootCA using a bogus IP, NOT the IP of Qradar as the RootCA. I used Qrader default gateway IP as the RootCA. Not sure if using any other IP would work as well? Initially I was using the IP of Qradar for the RootCA as well as the same IP for the SyslogServer. this case was open with Check Point and IBM for 5 Months before this was discovered. Still does not seem correct to Me but it works. I did go and generate certs with our internal MS certificate authority. These certs work for everything else but could not get those to work either. IBM could not either.
IBM is supposed to have a doc on it by now but I have not gone back to look for it.
Great!!!
Thanks Patrick it worked.
Thanks again.
That's great glad it worked.
I did go through IBM website this morning and found they have published a doc.
-pat
Hi Patrick,
My colleague and I are trying to do same process just on a different vendor...when you say used bogus IP, are you referring to bogus external IP or something else?
Thanks in advance!
As Common Name (CN) insert an IP address like 192.168.0.1 (not the real IP of the Qradar but a completely different IP address).
Can we use say qradar default gateway IP? Or say if qradar ip is 192.168.50.100, are you saying that CN name can be say 192.168.50.105 if .105 is not used? Should we put in same IP for server side cert as well?
Just to have a simple configuration; this is what I've done:
CA certificate - CN 192.168.0.1
Server Certificate - CN 192.168.0.2
Client Certificate - CN 192.168.0.3
Sorry to be annoying about this, but, did you use qradar default gateway as CA cert CN or just 3 random IPs from same subnet that are not in use? Thanks a lot!
No, there's no relation between the IP address defined in the CN and the IP addresses of the Qradar and your network; so when you create the certificate you can choose IP addresses completely different (random if you prefer).
Thanks very much, we are just trying that now, Will update with the results!
Because Log Exporter use Check Point SSL infrastructure there is important point that CA address must be real and accessible at least from exporter device.
I don't think that it's right to put just bogus IP. As a fact Patrick used real default gateway IP.
Hi Oleg,
My colleague and I actually tried using default gateway as a matter of fact and it never worked.
I'm glad, that you have better solution. Please update is it worked with not valid IP.
THANKS A LOT MAN!! You really saved the day, I really appreciate your help, thank you sooo much!
Leaderboard
Epsum factorial non deposit quid pro quo hic escorol.
User | Count |
---|---|
21 | |
12 | |
7 | |
6 | |
4 | |
4 | |
4 | |
3 | |
3 | |
2 |
Tue 28 Oct 2025 @ 11:00 AM (EDT)
Under the Hood: CloudGuard Network Security for Google Cloud Network Security Integration - OverviewTue 28 Oct 2025 @ 12:30 PM (EDT)
Check Point & AWS Virtual Immersion Day: Web App ProtectionTue 28 Oct 2025 @ 11:00 AM (EDT)
Under the Hood: CloudGuard Network Security for Google Cloud Network Security Integration - OverviewTue 28 Oct 2025 @ 12:30 PM (EDT)
Check Point & AWS Virtual Immersion Day: Web App ProtectionThu 30 Oct 2025 @ 03:00 PM (CET)
Cloud Security Under Siege: Critical Insights from the 2025 Security Landscape - EMEAThu 30 Oct 2025 @ 02:00 PM (EDT)
Cloud Security Under Siege: Critical Insights from the 2025 Security Landscape - AMERAbout CheckMates
Learn Check Point
Advanced Learning
YOU DESERVE THE BEST SECURITY