This website uses cookies. By clicking OK, you consent to the use of cookies. Click Here to learn more about how we use cookies.
OK
ABOUT CHECKMATES & FAQ
Create a Post
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Help
Julie_Paul
Employee
Employee
‎2016-04-25 03:04 PM

LEA Connections

Jump to solution

Trying to setup a 3rd party LEA connection to Log Rhythm, has anyone done this yet with R80?  Any issues/gotchas?

Labels (1)
Labels
0 Kudos
Reply
1 Solution

Accepted Solutions
Timothy_Hall
Champion
Champion
‎2016-04-25 06:13 PM

Jump to solution

Yes: if this is a new R80 setup the CRL (among other things) will be signed using SHA-256 instead of SHA-1 by default, which LogRhythm may not be able to deal with if it was compiled with an older version of the OPSEC libraries.  Workaround is to regenerate the certificate using SHA-1 which is described in sk109618.  If you can't/won't do this for some reason, your final fallback is to configure the OPSEC connection as "clear" which is not a good idea security-wise but it does work.

--

My book "Max Power: Check Point Firewall Performance Optimization"

now available via http://maxpowerfirewalls.com.

Gaia 3.10 Immersion Self-paced Video Series
now available at http://www.maxpowerfirewalls.com

View solution in original post

0 Kudos
Reply
8 Replies
Timothy_Hall
Champion
Champion
‎2016-04-25 06:13 PM

Jump to solution

Yes: if this is a new R80 setup the CRL (among other things) will be signed using SHA-256 instead of SHA-1 by default, which LogRhythm may not be able to deal with if it was compiled with an older version of the OPSEC libraries.  Workaround is to regenerate the certificate using SHA-1 which is described in sk109618.  If you can't/won't do this for some reason, your final fallback is to configure the OPSEC connection as "clear" which is not a good idea security-wise but it does work.

--

My book "Max Power: Check Point Firewall Performance Optimization"

now available via http://maxpowerfirewalls.com.

Gaia 3.10 Immersion Self-paced Video Series
now available at http://www.maxpowerfirewalls.com

View solution in original post

0 Kudos
Reply
Mike_Swaminatha
Employee
Employee
‎2017-02-01 03:59 AM

Jump to solution

Hi Tim

My customer wants to integrate R80 management server with Arcsight over lea.. Is it possible?

Currently they are on R77.30 and arcsight is integrated through Lea mode

Arcsight said to customer that is not supported with R80 version yet.

regards

Mike

0 Kudos
Reply
Timothy_Hall
Champion
Champion
‎2017-02-01 04:41 AM
In response to Mike_Swaminatha

Jump to solution

Arcsight and R80 worked fine for my customer once we ensured the certificate used for the OPSEC LEA transaction was generated with SHA-1 and not SHA-256 as specified in sk109618.   There was a new OPSEC SDK released by Check Point that supports SHA-256 (sk110425); OPSEC vendors like Arcsight need to recompile their applications with it to permit SHA-256 support.

--

My book "Max Power: Check Point Firewall Performance Optimization"

now available via http://maxpowerfirewalls.com.

Gaia 3.10 Immersion Self-paced Video Series
now available at http://www.maxpowerfirewalls.com
Reply
Mike_Swaminatha
Employee
Employee
‎2017-02-01 04:54 AM

Jump to solution

Hi Tim

Thanks for your reply

Does below command is support for R80 because as per SK article the version supported is till R77.30

[Expert@HostName]# cpca_client set_sign_hash sha1

regards

Mike

0 Kudos
Reply
Timothy_Hall
Champion
Champion
‎2017-02-01 05:01 AM
In response to Mike_Swaminatha

Jump to solution

Yes that was the command we used on R80.  Need to run that command, set up SIC with Arcsight then set default signing algorithm back to SHA-256.

--

My book "Max Power: Check Point Firewall Performance Optimization"

now available via http://maxpowerfirewalls.com.

Gaia 3.10 Immersion Self-paced Video Series
now available at http://www.maxpowerfirewalls.com
0 Kudos
Reply
Mike_Swaminatha
Employee
Employee
‎2017-02-01 05:00 AM

Jump to solution

Hello Tim

I am working with HP team here

can you also share the customer name so I will ask HP team to check confirm from their end.

regards

Mike

0 Kudos
Reply
Timothy_Hall
Champion
Champion
‎2017-02-01 06:35 AM
In response to Mike_Swaminatha

Jump to solution

I can't name the account in an open post, please contact the Check Point SE for the account Tom Stasko, I have alerted him to this conversation thread.

--

My book "Max Power: Check Point Firewall Performance Optimization"

now available via http://maxpowerfirewalls.com.

Gaia 3.10 Immersion Self-paced Video Series
now available at http://www.maxpowerfirewalls.com
0 Kudos
Reply
Thomas_Stasko
Employee
Employee
‎2017-02-01 08:55 AM
In response to Mike_Swaminatha

Jump to solution

Mike,

Feel free to shoot me an email and I can tell you more about the customer and deployment.

tstasko@checkpoint.com

0 Kudos
Reply