OPSEC/Lea Connection to QRadar
I just need a sanity check here. I have a customer with multiple VSs running on some 21ks. For reasons too lengthy to go into on this thread they are moving all VSs to physical clusters. I moved the first VS to a 6800 cluster last weekend.
The customer has QRadar setup to the customer's CMA with an OPSEC/Lea connection. They are telling me they are not seeing logs from the new cluster, but still see all of the old logs as they would expect. All logs are visible in the log server including the new hardware cluster.
I am fairly certain of this, but this customer is making me doubt myself. If you have an OPSEC/Lea connection to a log server, there is no way to filter which logs are sent, right? Or which FW logs are sent. It has to be something on the QRadar side that is filtering, I would think.
Am I mistaken here? Or is there something I'm missing which is obvious?
Thanks,
Paul
Accepted Solutions
Paul,
Hope you are doing fine. The best way to prove this is to make a packet capture via tcpdump on your management server, filtering by the QRadar sensor and the LEA port used.
By the way, I strongly recommend you use Log Exporter from Check Point if possible. I've used it a couple of times and it works really well with QRadar.
Regards,
https://www.linkedin.com/in/federicomeiners/
As the OpSec LEA connection is completely encrypted, a capture will not do him much good.
Fully agree on the Log Exporter though.
I thought of the packet capture as proof that traffic is being properly sent to the SIEM at the network level.
Maybe the SIEM is refusing connections since it's using another non-standard LEA port.
https://www.linkedin.com/in/federicomeiners/
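As an added example (not from this thread, and not Check Point or QRadar code): a small Python checker that reads the text output of a `tcpdump -nn` capture taken on the management server and reports, per TCP connection from the SIEM sensor, whether the LEA session was established, refused with a RST, or never answered. The LEA payload is encrypted, so this is exactly the network-level check the capture can give you. The sample capture, the addresses and the ports are constructed for the example; 18184 is the default OPSEC LEA port.

```python
import re
from collections import defaultdict

# Fields we need from one "tcpdump -nn" line describing an IPv4 TCP segment.
TCPDUMP_RE = re.compile(r"IP (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
                        r"Flags \[(?P<flags>[^\]]*)\].*\blength (?P<len>\d+)")

# Constructed sample taken "on" the management server 10.10.0.10 for sensor 10.20.0.50:
# port 45012 completes the handshake and carries encrypted LEA payload, 45013 dials the
# wrong port and is reset, 45014 sends SYNs that nothing answers (dropped in the path).
SAMPLE_CAPTURE = """\
10:00:01.000000 IP 10.20.0.50.45012 > 10.10.0.10.18184: Flags [S], seq 1000, win 64240, length 0
10:00:01.000100 IP 10.10.0.10.18184 > 10.20.0.50.45012: Flags [S.], seq 2000, ack 1001, win 65160, length 0
10:00:01.001000 IP 10.20.0.50.45012 > 10.10.0.10.18184: Flags [P.], seq 1:213, ack 1, win 502, length 212
10:00:07.000000 IP 10.20.0.50.45013 > 10.10.0.10.18185: Flags [S], seq 3000, win 64240, length 0
10:00:07.000100 IP 10.10.0.10.18185 > 10.20.0.50.45013: Flags [R.], seq 0, ack 3001, win 0, length 0
10:00:12.000000 IP 10.20.0.50.45014 > 10.10.0.10.18184: Flags [S], seq 4000, win 64240, length 0
10:00:13.000000 IP 10.20.0.50.45014 > 10.10.0.10.18184: Flags [S], seq 4000, win 64240, length 0
10:00:20.000000 IP 192.0.2.9.51000 > 10.10.0.10.22: Flags [S], seq 5000, win 64240, length 0
"""

def classify_lea_sessions(capture_text, sensor_ip):
    """Key each TCP session by (sensor port, server port) and report 'established',
    'handshake_only', 'refused' or 'unanswered'; segments not involving sensor_ip are ignored."""
    state = defaultdict(lambda: {"synack": False, "rst": False, "bytes": 0})
    for line in capture_text.splitlines():
        m = TCPDUMP_RE.search(line)
        if not m:
            continue
        if m["src"] == sensor_ip:                   # sensor -> management server
            key = (int(m["sport"]), int(m["dport"]))
        elif m["dst"] == sensor_ip:                 # management server -> sensor
            key = (int(m["dport"]), int(m["sport"]))
            if "S" in m["flags"] and "." in m["flags"]:
                state[key]["synack"] = True         # SYN/ACK: a listener answered
            if "R" in m["flags"]:
                state[key]["rst"] = True            # RST: connection refused
        else:
            continue
        state[key]["bytes"] += int(m["len"])        # payload bytes in either direction
    verdict = {}
    for key, s in state.items():
        if s["rst"] and not s["synack"]:
            verdict[key] = "refused"
        elif s["synack"]:
            verdict[key] = "established" if s["bytes"] else "handshake_only"
        else:
            verdict[key] = "unanswered"
    return verdict
```

Run it over `tcpdump -nn host <sensor-ip>` output saved as text; a session keyed to a port other than the one QRadar is supposed to use, or a "refused"/"unanswered" verdict, points at the SIEM configuration or the path rather than at the log server.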
So there is traffic accepted...
Thanks to those that have replied. We are going to use Log Exporter. Not sure why QR is not seeing the new physical cluster logs, but at this point it doesn't matter. Log Exporter is a much better solution.
