Blason_R
Silver

Unable to connect to McAfee SIEM via LEA after upgrade to R80.20

Hi Folks,

I just migrated a Smart-1 appliance from R77.30 to R80.20; however, after the migration I observed that the SIEM servers could not pick up the logs via LEA. Any help is greatly appreciated.


6 Replies

Re: Unable to connect to McAfee SIEM via LEA after upgrade to R80.20

It is possible you'll need to destroy and recreate the connection on the SIEM side.  We've had to do that in the past.

You're on 80.20 so you've got the log exporter stuff built in now.  So why not just Syslog everything?  Check out sk122323.

Here's the cheat sheet (you'd need to run this command on every CMA):

cp_log_export add name McAfee-SIEM domain-server <domainX> target-server 10.10.10.10 target-port 514 protocol udp format syslog

You'll be prompted to restart the exporter and BAM.  Syslog.

We've been very successful with this method on 80.10.


Re: Unable to connect to McAfee SIEM via LEA after upgrade to R80.20

This is probably related to the deprecation of the SHA1 algorithm that was used with older ICA certificates.  As Tommy said, recreating the LEA integration will generate a new certificate using SHA256; hopefully your SIEM servers have updated their OPSEC SDK libraries to support it.  You might wind up needing to upgrade your SIEM to obtain this support if you are running older code.

 

"IPS Immersion Training" Self-paced Video Class
Now Available at http://www.maxpowerfirewalls.com
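The reply above blames the break on SHA1-signed ICA certificates, and the thread never settles whether that is the case. The quickest way to check is to read the signatureAlgorithm field of the certificate the management server actually issued. The following is an added example, not code from this thread, from Check Point or from McAfee: a small pure-Python DER walker that reports the outer signatureAlgorithm OID of an X.509 certificate (PEM or DER) and says whether it is a SHA1 signature. The sample "certificate" it builds for its own demo is a constructed DER stub with dummy tbsCertificate and signature fields, not a real certificate; run it against a real one exported from the management server or from the OPSEC client instead.

```python
"""Report the signature algorithm of an X.509 certificate (DER or PEM).

Added example, not from the thread or from Check Point. Walks just enough
DER to reach Certificate.signatureAlgorithm and maps its OID to a name.
"""
import base64
import re
import sys

# OIDs a practitioner is likely to meet on an ICA-issued certificate.
SIG_ALG_NAMES = {
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.113549.1.1.12": "sha384WithRSAEncryption",
    "1.2.840.113549.1.1.13": "sha512WithRSAEncryption",
    "1.2.840.10045.4.1": "ecdsa-with-SHA1",
    "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
}
SHA1_OIDS = {"1.2.840.113549.1.1.5", "1.2.840.10045.4.1"}

# Content bytes of the two RSA OIDs, used only to build the constructed demo cert.
SHA1_RSA = bytes.fromhex("2a864886f70d010105")    # 1.2.840.113549.1.1.5
SHA256_RSA = bytes.fromhex("2a864886f70d01010b")  # 1.2.840.113549.1.1.11


def _read_tlv(buf, pos):
    """Parse one DER TLV at buf[pos]; return (tag, content, position after it)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:end], end


def _decode_oid(raw):
    """Decode OBJECT IDENTIFIER content bytes into dotted form."""
    first = raw[0]
    arcs = [2, first - 80] if first >= 80 else [first // 40, first % 40]
    val = 0
    for b in raw[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:                    # last byte of this arc
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))


def _pem_to_der(data):
    """Accept PEM or DER bytes and return DER."""
    m = re.search(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", data, re.S)
    return base64.b64decode(b"".join(m.group(1).split())) if m else data


def certificate_signature_algorithm(data):
    """Return (oid, name) of the certificate's outer signatureAlgorithm."""
    tag, cert, _ = _read_tlv(_pem_to_der(data), 0)
    if tag != 0x30:
        raise ValueError("not a Certificate SEQUENCE")
    tag, _tbs, pos = _read_tlv(cert, 0)          # tbsCertificate (skipped)
    tag, alg, _ = _read_tlv(cert, pos)           # signatureAlgorithm
    if tag != 0x30:
        raise ValueError("missing AlgorithmIdentifier")
    tag, oid_bytes, _ = _read_tlv(alg, 0)
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    oid = _decode_oid(oid_bytes)
    return oid, SIG_ALG_NAMES.get(oid, "unknown")


def is_sha1_signed(data):
    """True when the certificate carries a SHA1-based signature algorithm."""
    return certificate_signature_algorithm(data)[0] in SHA1_OIDS


def _der(tag, content):
    """Minimal DER encoder, only needed to build the constructed demo data."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def build_sample_cert(oid_bytes):
    """Constructed stub, NOT a real certificate: dummy tbs and signature around a real AlgorithmIdentifier."""
    tbs = _der(0x30, _der(0x02, b"\x01"))
    alg = _der(0x30, _der(0x06, oid_bytes) + _der(0x05, b""))
    sig = _der(0x03, b"\x00" * 17)
    return _der(0x30, tbs + alg + sig)


def to_pem(der):
    """Wrap DER bytes in a PEM CERTIFICATE block."""
    return b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der) + b"-----END CERTIFICATE-----\n"


if __name__ == "__main__":
    if len(sys.argv) > 1:                       # real certificate from disk
        with open(sys.argv[1], "rb") as fh:
            data = fh.read()
    else:                                       # constructed demo data
        data = to_pem(build_sample_cert(SHA1_RSA))
    oid, name = certificate_signature_algorithm(data)
    print(f"{oid} ({name}) sha1={is_sha1_signed(data)}")
```

To get a real input, export the certificate the OPSEC client pulled (on the SIEM side, opsec_pull_cert writes a .p12; `openssl pkcs12 -in lea.p12 -nokeys -out lea.pem` extracts the certificate chain as PEM) and pass the file as the first argument. The parser only touches the outer signatureAlgorithm, so it works on the leaf and on the ICA CA certificate alike; a SHA1 result on the leaf is the situation the reply describes, and a SHA256 result points away from it.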
Blason_R
Silver

Re: Unable to connect to McAfee SIEM via LEA after upgrade to R80.20

This is McAfee ESM 10.5; I don't think this is using a SHA1 cert.

Anyway, I will ask the vendor about that as well.

Admin

Re: Unable to connect to McAfee SIEM via LEA after upgrade to R80.20

There's a reason we flag OPSEC objects in the R80.x pre-upgrade verifier.
See: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

Re: Unable to connect to McAfee SIEM via LEA after upgrade to R80.20

Hi @Blason_R,

As @PhoneBoy described, you should have received a warning when upgrading to R80.20.

I had the same problem with other products.

Solution:

1) Remove the OPSEC object from the policy
2) Delete the OPSEC LEA object
3) Install the database on the management server
4) Create a new OPSEC LEA object (now this object uses SHA256 :-)
5) Add the new OPSEC object to the policy
6) Create the SIC between the SIEM and the management server
7) Install the database on the management server

Tip!

I would use the Log Exporter as @Tommy_Forrest described. I often use it with RSA enVision or LogRhythm.

Log Exporter supports:

  • Splunk
  • Arcsight
  • RSA
  • LogRhythm
  • QRadar
  • McAfee

Read more here: "R80.10 Syslog Exporter", or see sk122323: Log Exporter - Check Point Log Export

Blason_R
Silver

Re: Unable to connect to McAfee SIEM via LEA after upgrade to R80.20

Yep, I am completely aware of the log_export feature, and this is what I suggested to the McAfee vendor, but I feel he is not aware of how to set up a listener for CheckPoint in McAfee, nor am I an SME in McAfee ESM.
