This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
egas84
Participant
‎2022-10-12 02:41 AM
Jump to solution

OPSEC/LEA will be discontinued or not

Hi all,

I saw a long time ago that the OPSEC/LEA protocol was going to be discontinued. Is it confirmed? Are there dates?

 

Regards, 

Edgar

0 Kudos
1 Solution

Accepted Solutions
_Val_
Admin
Admin
‎2022-10-17 06:56 AM
Jump to solution

OPSEC and LEA are still supported with all the currently supported versions. There is no solid decommission date, although I cannot promise it will not happen.

Most importantly, you should be able to achieve your goals via Log Exporter, as already mentioned. The info is there, it is just a matter of parsing it, as @PhoneBoy said.

If you share with us which SIEM you are using, we might have better info for you.

View solution in original post

17 Replies
G_W_Albrecht
Legend Legend
Legend
‎2022-10-12 02:45 AM
Jump to solution

sk117087: How to Configure and Troubleshoot OPSEC shows it is supported in all current versions up to R81.10. BUt we also have sk122323: Log Exporter - Check Point Log Export

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
egas84
Participant
‎2022-10-12 03:16 AM
In response to G_W_Albrecht
Jump to solution

Hi @G_W_Albrecht , 

Thanks.

R81.10 is not the latest version?

I can't use the log exporter for now, hence my question.

 

0 Kudos
G_W_Albrecht
Legend Legend
Legend
‎2022-10-12 04:25 AM
In response to egas84
Jump to solution

R81.20 is EA - so R81.10 is the latest version.

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
Chris_Atkinson
Employee Employee
Employee
‎2022-10-12 03:09 AM
Jump to solution

What is your use case for OPSEC?

Log Exporter & APIs should be the preference where available.

CCSM R77/R80/ELITE
0 Kudos
egas84
Participant
‎2022-10-12 03:30 AM
In response to Chris_Atkinson
Jump to solution

We use it to send the log to SIEM.

The problem is that SIEM is not able to "separate" the logs of each instance of fw, that is, it creates only one source in the siem (with the Ip/host of the log manager) and puts the logs of all the instances of fw in that source log, instead of creating one log source per FW instance.

0 Kudos
Chris_Atkinson
Employee Employee
Employee
‎2022-10-12 03:36 AM
In response to egas84
Jump to solution

For SIEM use cases Log Exporter is the modern & preferred approach. Please see sk122323 for more info.

CCSM R77/R80/ELITE
egas84
Participant
‎2022-10-12 03:39 AM
In response to Chris_Atkinson
Jump to solution

Unfortunately I can't use the log exporter for the reason I mentioned above.

0 Kudos
Chris_Atkinson
Employee Employee
Employee
‎2022-10-12 03:43 AM
In response to egas84
Jump to solution

You should speak with the SIEM vendor about a parser for Check Point, most major SIEMs already support it.

Which SIEM is it and I will enquire if it is one we have a working partnership with to assist?

CCSM R77/R80/ELITE
Roman_Russland
Explorer
‎2022-12-20 10:27 PM
In response to egas84
Jump to solution

We've had the same issue when trying to switch from OPSEC to syslog! 
I don't know if all firewalls have to run R81.10 in Order for syslog to work properly?! Currently only a few of our fw run R81.10. Most are R80s

0 Kudos
Chris_Atkinson
Employee Employee
Employee
‎2022-12-21 02:29 AM
In response to Roman_Russland
Jump to solution

Which SIEM?

Log Exporter was introduced in R80.x and the security logs are exported from the management 

CCSM R77/R80/ELITE
0 Kudos
Roman_Russland
Explorer
‎2022-12-21 02:37 AM
In response to Chris_Atkinson
Jump to solution

Hello Chris,
IBM QRadar. While configuring OPSEC is a pain in the butt, it works. Trying with Syslog gave us strange logs. They were incomplete, and not separable from each other.  
We went back to OPSEC then.

0 Kudos
PhoneBoy
Admin
Admin
‎2022-10-12 09:07 AM
Jump to solution

As I'm pretty sure we use LEA in the product still, LEA hasn't been formally deprecated...yet.
However, I can say there are no plans to extend LEA further and existing integrations via LEA may break at some point in the future.
All formal integration efforts with SIEMs done in the last few years were with Log Exporter, not LEA.
If you require a precise commitment on our support for LEA and/or (better) support for a specific SIEM in Log Exporter, I recommend reaching out to your local Check Point office.

_Val_
Admin
Admin
‎2022-10-17 06:56 AM
Jump to solution

OPSEC and LEA are still supported with all the currently supported versions. There is no solid decommission date, although I cannot promise it will not happen.

Most importantly, you should be able to achieve your goals via Log Exporter, as already mentioned. The info is there, it is just a matter of parsing it, as @PhoneBoy said.

If you share with us which SIEM you are using, we might have better info for you.

egas84
Participant
‎2022-10-18 06:02 AM
In response to _Val_
Jump to solution

sorry all for delay. i am using QRadar.

0 Kudos
Chris_Atkinson
Employee Employee
Employee
‎2022-10-18 06:04 AM
In response to egas84
Jump to solution

QRadar is supported by Log Exporter and I'm aware of customers who use the same.

CCSM R77/R80/ELITE
0 Kudos
egas84
Participant
‎2022-10-18 06:09 AM
In response to Chris_Atkinson
Jump to solution

Yes I know. I have several clients using log exporter and qradar. in this case the customer has its FW at R80.40 and ibm said it only supports up to R80.20. I think it's weird but...

0 Kudos
PhoneBoy
Admin
Admin
‎2022-10-18 07:57 AM
In response to egas84
Jump to solution

R80.20 sounds about right in terms of the first version where we supported it.
It should be supported in later versions unless there's been changes on the QRadar end since then.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events