Blason_R
Leader

Unable to connect to McAfee SIEM via LEA after upgrade to R80.20

Hi Folks,

I just migrated a Smart-1 appliance from R77.30 to R80.20; however, after the migration I observed that the SIEM servers could not pick up the logs via LEA. Any help is greatly appreciated.

 

Thanks and Regards,
Blason R
CCSA,CCSE,CCCS
6 Replies
Tommy_Forrest
Advisor

It is possible you'll need to destroy and recreate the connection on the SIEM side.  We've had to do that in the past.

You're on 80.20 so you've got the log exporter stuff built in now.  So why not just Syslog everything?  Check out sk122323.

Here's the cheat sheet (you'd need to run this command on every CMA):

cp_log_export add name McAfee-SIEM domain-server <domainX> target-server 10.10.10.10 target-port 514 protocol udp format syslog

You'll be prompted to restart the exporter and BAM.  Syslog.

We've been very successful with this method on 80.10.


Timothy_Hall
Legend

This is probably related to the deprecation of the SHA1 algorithm that was used with older ICA certificates.  As Tommy said recreating the LEA integration will generate a new certificate using SHA256, hopefully your SIEM servers have updated their OPSEC SDK libraries to support it.  You might wind up needing to upgrade your SIEM to obtain this support if you are running older code.

 

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com
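The SHA1 hypothesis above is easy to verify on the SIEM side before opening a vendor case: pull the certificate the OPSEC/LEA client actually presents and look at its signatureAlgorithm. The script below is an added example written for this thread, not code from any of the posters or from Check Point. It walks the outer X.509 structure in pure Python (no third-party library) and reports whether the certificate is SHA1- or SHA256-signed. The two certificates it inspects are constructed placeholders that only carry a valid outer structure and the relevant AlgorithmIdentifier; they are not real ICA certificates. The helper names (`signature_algorithm`, `is_sha1_signed`, `constructed_cert`) are this example's own.

```python
"""Report the signature algorithm of an X.509 certificate (DER or PEM).

Added example for the LEA/SHA1 discussion; not code from the thread.
Walks: Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm
{ OID, params }, signatureValue }. The sample certs are constructed.
"""
import base64
import re

# Only the signature OIDs relevant to the "old ICA vs new ICA" question.
SIG_OIDS = {
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.113549.1.1.12": "sha384WithRSAEncryption",
    "1.2.840.113549.1.1.13": "sha512WithRSAEncryption",
    "1.2.840.10045.4.1": "ecdsa-with-SHA1",
    "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
}


def _read_tlv(buf, pos):
    """Parse one DER TLV at buf[pos]; return (tag, value, position after it)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: low 7 bits = byte count
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(raw):
    """Decode DER OID content bytes into dotted notation."""
    arcs = [raw[0] // 40, raw[0] % 40]
    value = 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:                   # last byte of this arc
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def signature_algorithm(cert_bytes):
    """Return (oid, name) of the certificate's outer signatureAlgorithm."""
    if cert_bytes.lstrip().startswith(b"-----BEGIN"):
        cert_bytes = base64.b64decode(re.sub(rb"-----[^-]+-----|\s", b"", cert_bytes))
    tag, cert, _ = _read_tlv(cert_bytes, 0)
    assert tag == 0x30, "certificate is not a DER SEQUENCE"
    _, _tbs, pos = _read_tlv(cert, 0)      # skip tbsCertificate
    _, sig_alg, _ = _read_tlv(cert, pos)   # AlgorithmIdentifier SEQUENCE
    tag, oid_raw, _ = _read_tlv(sig_alg, 0)
    assert tag == 0x06, "AlgorithmIdentifier does not start with an OID"
    oid = _decode_oid(oid_raw)
    return oid, SIG_OIDS.get(oid, "unknown")


def is_sha1_signed(cert_bytes):
    """True when the certificate carries a SHA1-based signature algorithm."""
    return "SHA1" in signature_algorithm(cert_bytes)[1].upper()


# --- constructed sample certificates (structure only, not real certs) ---
def _der(tag, content):
    """Minimal DER TLV encoder for the samples (content < 65536 bytes)."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    elif n < 0x100:
        length = bytes([0x81, n])
    else:
        length = bytes([0x82, n >> 8, n & 0xFF])
    return bytes([tag]) + length + content


def _encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = [arcs[0] * 40 + arcs[1]]
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.append((a & 0x7F) | 0x80)
            a >>= 7
        out.extend(reversed(chunk))
    return bytes(out)


def constructed_cert(sig_oid):
    """Constructed placeholder: dummy tbsCertificate, given AlgorithmIdentifier,
    empty signature. Enough for signature_algorithm() to parse; not a real cert."""
    tbs = _der(0x30, _der(0x02, b"\x01"))
    alg = _der(0x30, _der(0x06, _encode_oid(sig_oid)) + _der(0x05, b""))
    sig = _der(0x03, b"\x00" * 17)         # BIT STRING, zero unused bits
    return _der(0x30, tbs + alg + sig)


OLD_ICA_STYLE = constructed_cert("1.2.840.113549.1.1.5")    # sha1WithRSAEncryption
NEW_ICA_STYLE = constructed_cert("1.2.840.113549.1.1.11")   # sha256WithRSAEncryption


def to_pem(der):
    return "-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der).decode() + "-----END CERTIFICATE-----\n"


if __name__ == "__main__":
    for label, cert in (("old-style", OLD_ICA_STYLE), ("new-style", NEW_ICA_STYLE)):
        oid, name = signature_algorithm(cert)
        print(f"{label}: {oid} ({name}) sha1={is_sha1_signed(cert)}")
```

To run it against a real OPSEC client certificate, convert the .p12 that opsec_pull_cert produced on the SIEM into PEM with `openssl pkcs12 -in client.p12 -nokeys -out client.pem` and pass the file contents to `signature_algorithm()`. A `sha1WithRSAEncryption` result on a certificate issued before the upgrade is consistent with the explanation given above; recreating the OPSEC object and pulling a fresh certificate should then yield `sha256WithRSAEncryption`.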
Blason_R
Leader

This is McAfee ESM 10.5; I don't think this is using a SHA1 cert.

Anyway, I will ask the vendor about that as well.

Thanks and Regards,
Blason R
CCSA,CCSE,CCCS
PhoneBoy
Admin

There's a reason we flag OPSEC objects in the R80.x pre-upgrade verifier.
See: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...
HeikoAnkenbrand
Champion

Hi @Blason_R,

As @PhoneBoy described, you should have received a warning when upgrading to R80.20.

I had the same problem with other products.

Solution:

1) Remove the OPSEC object from the policy
2) Delete the OPSEC LEA object
3) Install the database on the management server
4) Create a new OPSEC LEA object (now this object uses SHA256 :-)
5) Add the new OPSEC object to the policy
6) Create the SIC between the SIEM and the management server
7) Install the database on the management server

Tip!

I would use the Log Exporter as @Tommy_Forrest described. I often use it with RSA enVision or LogRhythm.

Log Exporter supports:

  • Splunk
  • Arcsight
  • RSA
  • LogRhythm
  • QRadar
  • McAfee

More read here "R80.10 Syslog Exporter" or see sk122323: Log Exporter - Check Point Log Export

➜ CCSM Elite, CCME, CCTE ➜ www.checkpoint.tips
Blason_R
Leader

Yep, I am completely aware of the log_export feature, and this is what I suggested to the McAfee vendor, but I feel he is not aware of how to set up a listener for Check Point in McAfee, and I am not an SME in McAfee ESM either.


Thanks and Regards,
Blason R
CCSA,CCSE,CCCS