This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Paul_Warnagiris
Advisor
‎2020-01-10 12:34 PM
Jump to solution

OPSEC/Lea Connection to QRadar

I just need a sanity check here.  I have a customer with multiple VSs running on some 21ks.  For reasons too lengthy to go into on this thread they are moving all VSs to physical clusters.  I moved the first VS to a 6800 cluster last weekend.  

The customer has QRadar setup to the customer's CMA with an OPSEC/Lea connection.  They are telling me they are not seeing logs from the new cluster, but still see all of the old logs as they would expect.  All logs are visible in the log server including the new hardware cluster. 

I am fairly certain on this, but this customer is making me doubt myself.  If you have an OPSEC/Lea connection to a log server, there is no way to filter which logs are sent, right? Or which FW logs are sent.  It has to be something on the QRadar side that is filtering I would think.  

Am I mistaking here?  Or is there something that I'm missing which is obvious?


Thanks,
Paul

0 Kudos
1 Solution

Accepted Solutions
FedericoMeiners
Advisor
‎2020-01-11 09:28 PM
Jump to solution

Paul,

Hope you are doing fine, best way to prove this is to make a packet capture via tcpdump on your management server filtering by the QRadar sensor and the LEA port used.

By the way, I strongly recommend you to use Log Exporter from Check Point if possible. I've used it a couple of times and it works really well with QRadar.

Regards,

____________
https://www.linkedin.com/in/federicomeiners/

View solution in original post

0 Kudos
7 Replies
PhoneBoy
Admin
Admin
‎2020-01-10 03:27 PM
Jump to solution

You're correct, you can't really filter logs with LEA.
0 Kudos
Paul_Warnagiris
Advisor
‎2020-01-20 03:58 PM
In response to PhoneBoy
Jump to solution

This is what we are going to do. Thanks for your time.
0 Kudos
FedericoMeiners
Advisor
‎2020-01-11 09:28 PM
Jump to solution

Paul,

Hope you are doing fine, best way to prove this is to make a packet capture via tcpdump on your management server filtering by the QRadar sensor and the LEA port used.

By the way, I strongly recommend you to use Log Exporter from Check Point if possible. I've used it a couple of times and it works really well with QRadar.

Regards,

____________
https://www.linkedin.com/in/federicomeiners/
0 Kudos
Maarten_Sjouw
Champion
Champion
‎2020-01-12 10:23 PM
In response to FedericoMeiners
Jump to solution

Federico,
As the OpSec LEA connection is completely encrypted, a capture will not do him much good.

Fully agree on the Log Exporter though
Regards, Maarten
0 Kudos
FedericoMeiners
Advisor
‎2020-01-13 07:35 AM
In response to Maarten_Sjouw
Jump to solution

Thanks for the information Maarten 🙂
I though the packet capture to prove that traffic being properly sent to the SIEM, at the network level.
Maybe the SIEM is refusing connections since it's using another non standard LEA port.
____________
https://www.linkedin.com/in/federicomeiners/
0 Kudos
Maarten_Sjouw
Champion
Champion
‎2020-01-13 09:53 AM
In response to FedericoMeiners
Jump to solution

The point was: "They are telling me they are not seeing logs from the new cluster, but still see all of the old logs as they would expect."
So there is traffic accepted...
Regards, Maarten
0 Kudos
Paul_Warnagiris
Advisor
‎2020-01-20 04:00 PM
In response to Maarten_Sjouw
Jump to solution

Thanks to those that have replied.  We are going to use Log Exporter.  Not sure why QR is not seeing the new physical cluster logs, but at this point it doesn't matter.  Log Exporter is a much better solution.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events
    li.common.scroll-to.top