This website uses cookies. By clicking OK, you consent to the use of cookies. Click Here to learn more about how we use cookies.
OK
ABOUT CHECKMATES & FAQ
Create a Post
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Help
quanglnh
Participant
‎2019-09-09 03:14 AM

Checkpoint OPSEC LEA with LogRhythm SIEM

Hi Everyone,

 

I have a Smart-1 5150 device that manage 90 checkpoint gateway. I want to integrated it with LogRhythm SIEM.

I was create a host object for LogRhythm SIEM with it IP.

I was create a OPSEC Application for it and also pull certificates from Check Point Smart-1 devices.

sic1.PNG

sic2.PNG

Now i need to provide the information below on LogRhythm SIEM :

  • opsec_sic_name "OPSEC_APP_SIC_DN"
  • lea_server ip IP_ADDRESS
  • lea_server auth_port 18184
  • lea_server auth_type sslca
  • lea_server opsec_entity_sic_name "LOG_SERVER_DN"
  • opsec_sslca_file "C:\checkpoint_config\opsec.p12"

 

"OPSEC_APP_SIC_DN" is the DN name in OPSEC Application which is "CN=LogRhythm-XM,O=CP-Smart1..ksmkv" in my picture. Is this corect ?

"lea_server auth_type" is sslca. Is this only 1 type is sslca or any orther type ?
"LOG_SERVER_DN" i not sure where to collect this infor ? i going to the web portal of Smart-1 device and see the DN in Certificate Authority tab as below :

sic3.PNG

is this the right DN for "LOG_SERVER_DN". Since Smart-1 devices í manage all orther firewall, the "LOG_SERVER_DN" is the DN of Smart01 device, right ?

 

Cause after configure, i still can't receive any log on LogRhythm SIEM about Check Point OPSEC. Please help me solve this issue. Thanks!

Reply
21 Replies
PhoneBoy
Admin
Admin
‎2019-09-09 04:29 PM

Log Server DN would appear on the object for your log server in SmartConsole, which could theoretically not be your Smart-1 server.
0 Kudos
Reply
quanglnh
Participant
‎2019-09-09 09:05 PM
In response to PhoneBoy

Hi PhoneBoy,

Thanks for your response, but i'm not really understand what you try to say. Smart-1 server manage all my gateways and by default the gateways send log to Smart-1 server, right ? I don't configure any orther external log server. All i has done is add gateways to Smart-1, Install policy from Smart-1 to gateways. Then, i login SmartConsole to Smart-1 and see logs from gateways. So Smart-1 should be my log server ?
0 Kudos
Reply
PhoneBoy
Admin
Admin
‎2019-09-11 05:02 PM
In response to quanglnh

In your case, the Log Server would be the Smart-1 server.
The relevant DN should show on the relevant object in SmartConsole.

In any case, Log Exporter is how we are integrating with SIEMs going forward.
Nice to know we have official support in EA.
0 Kudos
Reply
Maarten_Sjouw
Champion
Champion
‎2019-09-10 04:46 AM
In response to PhoneBoy

Why not use cp log exporter? As for what I can see the SIEM is on your internal network, you could send the traffic cleartext there is no need for the TLS method. See SK122323.
Regards, Maarten
0 Kudos
Reply
quanglnh
Participant
‎2019-09-10 06:29 PM
In response to Maarten_Sjouw

Dear Maarten_Sjouw,

Thanks for your response, i will check the sk you refer and give it a try. Have a nice day!

0 Kudos
Reply
Dan_Zada
Employee+
Employee+
‎2019-09-10 06:42 AM

Hi,

In the last few weeks we developed new integration with LogRhythm, based on the log exporter.

If you want, we can add you to the EA program so you will enjoy simple and improved integration between Check Point and LR.

We will contact you personally about it.

 

Thanks!

Dan.

 

0 Kudos
Reply
quanglnh
Participant
‎2019-09-10 06:31 PM
In response to Dan_Zada

Dear Dan_Zada,

 

Yes, it would be great. Please add me to it. I have both Check Point and LogRhythm in my System and i really want to make it work together.

0 Kudos
Reply
Shay_Hibah
Employee+
Employee+
‎2019-09-11 01:26 AM
In response to quanglnh

Hi @quanglnh 

I added you to our EA program.

I just sent a message with more information about it - please check your CheckMates inbox.

 

Regards,

Shay

0 Kudos
Reply
quanglnh
Participant
‎2019-09-11 01:30 AM
In response to Shay_Hibah

Thanks alot,

 

I hope we can solve this issue soon!

0 Kudos
Reply
startoff
Participant
‎2019-09-12 09:48 PM
In response to Shay_Hibah

Hi Shay

We‘re in the same boat - it would be great if you can add me also to the EA to provide me some additional informations.

Thank you.

Roland

0 Kudos
Reply
Dan_Zada
Employee+
Employee+
‎2019-09-14 11:45 PM
In response to startoff

Hi @startoff 

I will ask the relevant people from my group to contact you.

0 Kudos
Reply
Scott_Chambers
Participant
‎2019-12-17 12:11 PM
In response to Dan_Zada

Dan,

Could I get access to the EA as well? We have a dedicated CP log server, with our management server as fallback. Our efforts to get LEA setup to LogRhythm for this deployment has not gotten anywhere and would like to see about exporting via log exporter if Checkpoint and LogRhythm have a supported solution now.

Thanks in advance 🙂
0 Kudos
Reply
Shay_Hibah
Employee+
Employee+
‎2019-12-17 12:18 PM
In response to Scott_Chambers

Hi Scott,

My name is Shay and I am in charge of LogRhythm EA program.
I sent you a private massage - please check your inbox.

Regards,
Shay
0 Kudos
Reply
Enrique_Mejia
Participant
‎2019-10-17 11:18 AM
In response to Dan_Zada

Dear Dan_Zada

We‘re in the same issue - please add me also to the EA program to provide me some additional informations.

Thank you.

Enrique
0 Kudos
Reply
Reuben_W
Explorer
‎2019-11-26 01:53 AM
In response to Dan_Zada

Dear Dan 

Kindly add me also i have a similar setup

 

0 Kudos
Reply
Titus_Kimathi
Explorer
‎2019-11-26 02:00 AM
In response to Dan_Zada

Hello Dan_Zada,

 

Kindly add  me  to EA program.

 

Regards

Titus

0 Kudos
Reply
Andrew_Muthian1
Explorer
‎2019-11-26 11:49 PM
In response to Titus_Kimathi

Dear Dan

 

Kindly add me to the EA program

0 Kudos
Reply
stuartp
Explorer
‎2019-11-27 03:53 AM
In response to Dan_Zada

Hi Dan

Please can you add us to this EA program?

Many thanks

Stuart 

0 Kudos
Reply
Eric_Knopp
Participant
‎2019-12-13 10:57 AM
In response to Dan_Zada

Is this EA program the OPSEC LEA for 7.4.1+ Log Processing Policy or something different/new/improved? We'd like to hear more about this program.

Also, I've been searching the help site and cannot find whether the Checkpoint OPSEC application for collection supports Server Core 2019 for the Agent collector server OS?

Thank you
Eric

0 Kudos
Reply
PhoneBoy
Admin
Admin
‎2019-12-13 11:31 AM
In response to Eric_Knopp

The EA has nothing to do with LEA and everything to do with Log Exporter, which can export logs in various syslog formats.
We have worked with and are continuing to work with a number of SIEM vendors to ensure they can properly parse the logs from Log Exporter.
See: https://community.checkpoint.com/t5/Logging-and-Reporting/Log-Exporter-guide/m-p/9035#M968

LEA in general isn't going away, but we are focusing our efforts on improving Log Exporter.
All future integrations should not use LEA and use Log Exporter instead.

With regards to LogRhythm, I'm not exactly sure where this is in the process.
0 Kudos
Reply
chrisw
Explorer
‎2019-12-13 11:36 AM
In response to Dan_Zada

Hey Dan,

 

Any way I can get in on this EA program as well?

 

Chris

0 Kudos
Reply