egas84
Participant

OPSEC/LEA will be discontinued or not

Hi all,

I saw a long time ago that the OPSEC/LEA protocol was going to be discontinued. Is it confirmed? Are there dates?

 

Regards, 

Edgar

0 Kudos
1 Solution

Accepted Solutions
_Val_
Admin

OPSEC and LEA are still supported with all the currently supported versions. There is no solid decommission date, although I cannot promise it will not happen.

Most importantly, you should be able to achieve your goals via Log Exporter, as already mentioned. The info is there, it is just a matter of parsing it, as @PhoneBoy said.

If you share with us which SIEM you are using, we might have better info for you.


17 Replies
G_W_Albrecht
Legend

sk117087: How to Configure and Troubleshoot OPSEC shows it is supported in all current versions up to R81.10. But we also have sk122323: Log Exporter - Check Point Log Export

CCSE CCTE CCSM SMB Specialist
0 Kudos
egas84
Participant

Hi @G_W_Albrecht , 

Thanks.

R81.10 is not the latest version?

I can't use the log exporter for now, hence my question.

 

0 Kudos
G_W_Albrecht
Legend

R81.20 is EA - so R81.10 is the latest version.

CCSE CCTE CCSM SMB Specialist
0 Kudos
Chris_Atkinson
Employee

What is your use case for OPSEC?

Log Exporter & APIs should be the preference where available.

CCSM R77/R80/ELITE
0 Kudos
egas84
Participant

We use it to send the log to SIEM.

The problem is that SIEM is not able to "separate" the logs of each instance of fw, that is, it creates only one source in the siem (with the Ip/host of the log manager) and puts the logs of all the instances of fw in that source log, instead of creating one log source per FW instance.

0 Kudos
Chris_Atkinson
Employee

For SIEM use cases Log Exporter is the modern & preferred approach. Please see sk122323 for more info.

CCSM R77/R80/ELITE
egas84
Participant

Unfortunately I can't use the log exporter for the reason I mentioned above.

0 Kudos
Chris_Atkinson
Employee

You should speak with the SIEM vendor about a parser for Check Point, most major SIEMs already support it.

Which SIEM is it and I will enquire if it is one we have a working partnership with to assist?

CCSM R77/R80/ELITE
Roman_Russland
Explorer

We've had the same issue when trying to switch from OPSEC to syslog! 
I don't know if all firewalls have to run R81.10 in order for syslog to work properly?! Currently only a few of our fw run R81.10. Most are R80s

0 Kudos
Chris_Atkinson
Employee

Which SIEM?

Log Exporter was introduced in R80.x and the security logs are exported from the management 

CCSM R77/R80/ELITE
0 Kudos
Roman_Russland
Explorer

Hello Chris,
IBM QRadar. While configuring OPSEC is a pain in the butt, it works. Trying with Syslog gave us strange logs. They were incomplete, and not separable from each other.  
We went back to OPSEC then.

0 Kudos
PhoneBoy
Admin

As I'm pretty sure we use LEA in the product still, LEA hasn't been formally deprecated...yet.
However, I can say there are no plans to extend LEA further and existing integrations via LEA may break at some point in the future.
All formal integration efforts with SIEMs done in the last few years were with Log Exporter, not LEA.
If you require a precise commitment on our support for LEA and/or (better) support for a specific SIEM in Log Exporter, I recommend reaching out to your local Check Point office.


egas84
Participant

Sorry all for the delay. I am using QRadar.

0 Kudos
Chris_Atkinson
Employee

QRadar is supported by Log Exporter and I'm aware of customers who use the same.

CCSM R77/R80/ELITE
0 Kudos
egas84
Participant

Yes, I know. I have several clients using Log Exporter and QRadar. In this case the customer has its FW at R80.40 and IBM said it only supports up to R80.20. I think it's weird but...

0 Kudos
PhoneBoy
Admin

R80.20 sounds about right in terms of the first version where we supported it.
It should be supported in later versions unless there's been changes on the QRadar end since then.

0 Kudos
