This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Blason_R
Leader
Leader
‎2019-07-10 05:16 AM

Unable to connect to McAfee SIEM via LEA after upgrade to R80.20

Hi Folks,

I just migrated Smart-1 appliance from R77.30 to R80.20 however after migration observed that SIEM servers could not pickup the logs via LEA. Any help is greatly appreciated.

 

Thanks and Regards,
Blason R
CCSA,CCSE,CCCS
6 Replies
Tommy_Forrest
Advisor
‎2019-07-10 05:42 AM

It is possible you'll need to destroy and recreate the connection on the SIEM side.  We've had to do that in the past.

You're on 80.20 so you've got the log exporter stuff built in now.  So why not just Syslog everything?  Check out sk122323.

Here's the cheat sheet (you'd need to run this command on every CMA):

cp_log_export add name McAfee-SIEM domain-server <domainX> target-server 10.10.10.10 target-port 514 protocol udp format syslog

You'll be prompted to restart the exporter and BAM.  Syslog.

We've been very successful with this method on 80.10.

 

 

Timothy_Hall
Legend Legend
Legend
‎2019-07-10 06:44 AM

This is probably related to the deprecation of the SHA1 algorithm that was used with older ICA certificates.  As Tommy said recreating the LEA integration will generate a new certificate using SHA256, hopefully your SIEM servers have updated their OPSEC SDK libraries to support it.  You might wind up needing to upgrade your SIEM to obtain this support if you are running older code.

 

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com
0 Kudos
Blason_R
Leader
Leader
‎2019-07-10 06:57 AM
In response to Timothy_Hall

 This is ESM 10.5 McAfee; dont think this is using SHA1 cert.

Any way will ask the vendor about that as well.

Thanks and Regards,
Blason R
CCSA,CCSE,CCCS
0 Kudos
PhoneBoy
Admin
Admin
‎2019-07-14 10:59 AM

There's a reason we flag OPSEC objects in the R80.x pre-upgrade verifier.
See: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...
HeikoAnkenbrand
Champion Champion
Champion
‎2019-07-14 11:22 AM

Hi @Blason_R,

As @PhoneBoy described it. You should have received a warning when upgrading to R80.20.

I had the same problem with other products.

Solution:

1) Remove  the OPSEC objet in the policy
2) Delete the OPSEC LEA object
3) Install the database on management server
4) Create a new OPSEC LEA object (now this object use SHA256:-)
5) Add the new OPSEC object to the policy
6) Creat the SIC between SIME and management server
7) Install the database on the management server

Tip!

I would use the Log Exporter as @Tommy_Forrest  described it. I often use it with RSA Envision or LogRhythm.

Log Exporter supports:

  • Splunk
  • Arcsight
  • RSA
  • LogRhythm
  • QRadar
  • McAfee

More read here "R80.10 Syslog Exporter" or see sk122323: Log Exporter - Check Point Log Export

➜ CCSM Elite, CCME, CCTE ➜ www.checkpoint.tips
0 Kudos
Blason_R
Leader
Leader
‎2019-07-14 08:56 PM
In response to HeikoAnkenbrand

Yep, I am completely aware of the log_export feature and this is what I suggested to McAfee vendor but I feel he is not aware how to set up listener for CheckPoint in McAfee neither I am SME in McAfee ESM.

 

 

Thanks and Regards,
Blason R
CCSA,CCSE,CCCS
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events