Hello,
I want to integrate the Check Point management server in a McAfee SIEM data source object. McAfee is unable to connect to Check Point. The Check Point server is not listening on port 18184 (I checked through netstat). LEA settings:
lea_server auth_port 18184
lea_server auth_type sslca
lea_server port 18184
On McAfee I am getting the error: Check Point test connection unsuccessful. Comm is dead. (I get this error while establishing SIC.)
Check Point test connection unsuccessful. The referred entity does not exist in the Certificate Authority. (This error comes while retrying.)
On Check Point: OPSEC application, SIC trust is established. (It gets established the first time itself.)
Please advise.
FYI: the Check Point management server is in AWS and the McAfee receiver is connecting through VPN.
Also, the same McAfee receiver is connected to another Check Point management server.
I am not sure how it is for R80.10 version, but this is how it is for R77.X versions:
Configure Check Point LEA with McAfee Enterprise Security Manager (ESM)
Configuring McAfee SIEM LEA with CLM
Modify the current configuration file:
[Expert@HostName]# vi $FWDIR/conf/fwopsec.conf
Comment out the following lines (add the # sign at the beginning of each line):
# lea_server auth_port 18184
# lea_server port 0
Confirm that the Check Point SIC policy allows 'sslca' for authentication for LEA clients:
[Expert@HostName]# less $CPDIR/conf/sic_policy.conf
The #LEA section should look like the following:
#LEA:
#ANY ; ANY; 18184 ; fwn1_opsec ; fwn1, local_ipcheck
This configuration worked for me in the past for a usual management server. I think it is different in your config files now.
The following security rule was required, but it seems that it is already in place.
Source | Destination | Service |
srv_McAfee-ESM | CP-MGMT | FW_ica_pull FW_lea |
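The reply above inspects two things: which lea_server directives in fwopsec.conf are live, and whether the server actually has a listener on the LEA auth port. The script below is an added example (not from the thread, and not a Check Point tool) that reports both; the path $FWDIR/conf/fwopsec.conf is taken from the reply, and the two sample files written by write_samples are constructed to mirror the question's settings and the reply's commented-out version.

```shell
#!/bin/sh
# Added example (not from the thread): audit lea_server directives in an
# fwopsec.conf file and check for a listener on the LEA auth port. Pass
# $FWDIR/conf/fwopsec.conf as $1 on a real server; write_samples is constructed.

# Print the active (uncommented) lea_server directives of file $1 as key=value.
lea_active_settings() {
    sed -e 's/#.*//' "$1" | awk '$1 == "lea_server" && NF >= 3 { print $2 "=" $3 }'
}

# Print the value of lea_server key $2 in file $1; empty if commented out or absent.
lea_setting() {
    lea_active_settings "$1" | awk -F= -v key="$2" '$1 == key { print $2; exit }'
}

# Return 0 when file $1 configures an sslca-authenticated LEA server on port $2.
lea_sslca_on_port() {
    [ "$(lea_setting "$1" auth_port)" = "$2" ] && [ "$(lea_setting "$1" auth_type)" = "sslca" ]
}

# Return 0 when a local TCP socket listens on port $1 (local address is column 4 of ss/netstat -ltn).
port_is_listening() {
    if command -v ss >/dev/null 2>&1; then lister="ss -ltn"; else lister="netstat -ltn"; fi
    $lister 2>/dev/null | awk -v p=":$1\$" '$4 ~ p { found = 1 } END { exit !found }'
}

# Report the config view and the socket view side by side for one port.
lea_audit() {
    conf=$1; port=$2
    echo "Active lea_server directives in $conf:"
    lea_active_settings "$conf" | sed 's/^/  /'
    if lea_sslca_on_port "$conf" "$port"; then
        echo "config: sslca-authenticated LEA expected on $port"
    else
        echo "config: no active sslca auth_port $port (commented out or different)"
    fi
    if port_is_listening "$port"; then
        echo "socket: a listener exists on $port"
    else
        echo "socket: nothing listens on $port (the netstat result in the question)"
    fi
}
# Constructed samples: the asker's settings and the reply's commented-out version.
write_samples() {
    printf 'lea_server auth_port 18184\nlea_server auth_type sslca\nlea_server port 18184\n' > "$1/asker.conf"
    printf '# lea_server auth_port 18184\nlea_server auth_type sslca\n# lea_server port 0\n' > "$1/reply.conf"
}
# Audit a real file when a path is given, e.g. ./lea_audit.sh $FWDIR/conf/fwopsec.conf 18184
if [ -n "${1:-}" ]; then lea_audit "$1" "${2:-18184}"; fi
```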
Have to update the SKs linked to from Aleksei's comment. Looks like they were last updated in 2014 and 2015.
If you're connecting to R80.10 via sslca, then you'll want a LEA client compiled with the OPSEC SHA-256 libraries (see sk109618). The R80.10 default is to accept only SHA-256 connections. From what I understand McAfee ESM supports SHA-256 from version 10.1.0 and possibly from ESM 9.6.1 which says it supports R80. Remember when you use SIC, then you don't need to edit $FWDIR/conf/fwopsec.conf. Would try this configuration first. Can you send a link to the McAfee guide?
If you're connecting to a management server in AWS, then this may require additional config, not sure.
What version is your other management server?
thx,
bob
Hello Kumar,
We are currently in the final stages of an EA for a new solution which will replace the old methods for connecting to 3rd party SIEM devices.
The new log exporter solution is an R80.10 hotfix (R77.30 and R80.20 will be added shortly as well) which gives the log server (or management, MDM, MLM, SME, etc.) the ability to directly send out Check Point logs in a syslog format.
We support UDP and TCP in both clear and encrypted as well as built-in conversion to other formats such as CEF.
The design is focused on ease of deployment and ease of use and so far has garnered positive feedback from our EA testers.
If you wish you can reach out to me at (remove) and we can try to test out the hotfix on your environment to see if it resolves your issues.
Best Regards,
Yonatan
Hi Yonatan,
This syslog export sounds like exactly what I'm looking for. When could we expect this hotfix to be generally available?
Hello Mark,
I don't have an official release date to share, but I can say that we are working to have this solution ready before EOQ.
ArcSight's 32bit connector is nearing its end of life and we aim to have the log exporter GA in time for customers to phase in the new solution.
Regards,
Yonatan
Does this tool replace cplog2syslog?
I found the issue too and am waiting for TAC to provide a new solution.
Hello Kosin,
Yes, this solution will replace cplog2syslog.
Regards,
Yonatan