Alex-
Leader

Smart-1 Cloud Log Export formats

I had the option to select CEF as format to export logs when the instance was running R81.

Since it's been migrated to R81.10, it's done from a menu called Forward to SIEM, where CEF isn't present, nor is it in the admin guide.

Isn't Forward to SIEM the same as Log Exporter, where CEF is in the list of supported formats?

The customer requires CEF. Is there a way to enable it? I have a TAC case open but thought I'd ask here as well.

0 Kudos
1 Solution

Accepted Solutions
Alex-
Leader

It was solved by re-issuing the certificate from the Forward to SIEM entry, using it to generate a new PEM and CRT/KEY files using OpenSSL 1.1.1 and having them installed by the partner receiving the logs, something I'd like to have avoided as it goes through change requests, but in the end it worked.

I hope that the RFE will go through and the next release will support CEF and, along with it, transparent migration of certificates.

Thanks all for the comments and insights.

0 Kudos
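
The accepted solution does not show the commands used. As an added example (not from the original post or from Check Point documentation), the following shows one way to split a PEM bundle into CRT/KEY files with OpenSSL and confirm that the certificate and key belong together before they go to the log receiver. The bundle layout, all file names, the function names and the self-signed sample certificate are assumptions constructed for the demonstration.

```shell
#!/bin/sh
# Added example: split a combined PEM into CRT/KEY and verify they pair.
# Function names, file names and sample material are constructed.

# Split a PEM bundle (certificate + private key) into separate files.
split_pem() {  # $1 = bundle.pem, $2 = out.crt, $3 = out.key
    openssl x509 -in "$1" -out "$2" || return 1
    # Create the key file with owner-only permissions from the start.
    ( umask 077 && openssl pkey -in "$1" -out "$3" ) || return 1
}

# Return 0 only if the certificate's public key equals the key's public half.
cert_matches_key() {  # $1 = crt, $2 = key
    crt_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    # Reject empty output so two unreadable files never compare as equal.
    [ -n "$crt_pub" ] && [ "$crt_pub" = "$key_pub" ]
}

# Build constructed test material in directory $1: a self-signed cert,
# its key, a bundle of both, and an unrelated key for the negative case.
make_sample() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=siem-receiver.example" \
        -keyout "$1/orig.key" -out "$1/orig.crt" 2>/dev/null || return 1
    cat "$1/orig.crt" "$1/orig.key" > "$1/bundle.pem" || return 1
    openssl genrsa -out "$1/other.key" 2048 2>/dev/null
}

work=$(mktemp -d) || exit 1
make_sample "$work" || exit 1
split_pem "$work/bundle.pem" "$work/siem.crt" "$work/siem.key" || exit 1

if cert_matches_key "$work/siem.crt" "$work/siem.key"; then
    echo "siem.crt and siem.key are a matching pair"
fi
if ! cert_matches_key "$work/siem.crt" "$work/other.key"; then
    echo "siem.crt does not match other.key (stale or wrong key)"
fi
rm -rf "$work"
```

Running the same check on the receiving side after installation catches the case where a new certificate is deployed next to the key from the previous one.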
9 Replies
Chris_Atkinson
Employee

Requests via TAC are the correct way for options the UI won't currently allow.

Not all formats are supported but additional ones can be enabled manually via a ticket is my understanding.

CCSM R77/R80/ELITE
0 Kudos
Alex-
Leader

TAC did the configuration in R81.10 with CEF and it worked, but it's broken since R81.20 even if I restart the SIEM export from the portal. I have a new SR open but I guess I have to raise an RFE to support CEF.

0 Kudos
Alex-
Leader

This feature seems broken for good since the customer's instance has been migrated to R81.20. I have a high-priority SR which is moving at a senator's pace.

Also, do you know why Smart-1 Cloud instances are upgraded to R81.20 when the R81.20 SK still shows that R81.10 with latest JHF is the widely recommended release? The customer is feeling that they're being used as a test environment to get feedback from production networks.

Also, sk166312 - Smart-1 Cloud - What's New hasn't been updated in 2 years and stops at R81.

0 Kudos
PhoneBoy
Admin

I believe the intention all along for Smart-1 Cloud was to always be on the latest release soon after release.
That didn't happen for R81.10 as up until the recent upgrades to R81.20, Smart-1 Cloud users were on R81.
Don't know the precise reason for that.

0 Kudos
TomerLev
Employee

Hi

Indeed, the Smart-1 Cloud statement is to supply the latest and greatest security management. It took a while in the transition from 81 to 81.10; it's going way faster with 81.20. Many happy customers already have an environment with 81.20 since the GA, which was 7 weeks ago (new customers launched with 81.20 a week after GA).

It's a gradual upgrade to 81.20 of all customers' environments; within several weeks all customers will be upgraded to 81.20. Upgrades are done in off hours and the customer receives a notification email several days before with the schedule range in which it will be performed.

Regarding the CEF format, this is still being checked. @Alex- please share the SR number in the private channel.

Also, thank you @Alex- for the comment regarding the What's New SK. We have had What's New banners on the S1C UI on Infinity Portal for a while now, but leaving an outdated SK was not the intention. It will be taken care of one way or another.

0 Kudos
Alex-
Leader

@TomerLev 

Thanks for the reply. Everything works except CEF Log Exporter over TLS, which was not completely carried over from R81.10 to R81.20. The customer really needs it for contractual reasons.

I'm sending you the SR in a private message.

0 Kudos
Chris_Atkinson
Employee

The others have provided feedback but I will add some additional scenarios that warrant R81.20 for Smart-1 Cloud for tenants. 

- Select Identity Awareness use cases

- Management of Spark appliances with R81.10.x

CCSM R77/R80/ELITE
0 Kudos
Alex-
Leader

Great. But it doesn't change the fact that a working feature which directed the customer to a paid service stopped working, and no amount of high-priority tickets or reaching out here and there is enough to quickly restore the service, notwithstanding the fact that it shows that pre- and post-migration checks don't take the whole setup into account. As with any migration, when a loss of service is reported, there should be a way to roll back and take the issue off-production for further analysis.

As an integrator with the paying, long-standing customer's interests as first priority, this puts me in a difficult position.

But I will try to explain to them that other customers are happy and there are new features and see if it will help.

0 Kudos