Trying to setup a 3rd party LEA connection to Log Rhythm, has anyone done this yet with R80? Any issues/gotchas?
Yes: if this is a new R80 setup the CRL (among other things) will be signed using SHA-256 instead of SHA-1 by default, which LogRhythm may not be able to deal with if it was compiled with an older version of the OPSEC libraries. Workaround is to regenerate the certificate using SHA-1 which is described in sk109618. If you can't/won't do this for some reason, your final fallback is to configure the OPSEC connection as "clear" which is not a good idea security-wise but it does work.
My book "Max Power: Check Point Firewall Performance Optimization"
now available via http://maxpowerfirewalls.com.
My customer wants to integrate R80 management server with Arcsight over lea.. Is it possible?
Currently they are on R77.30 and arcsight is integrated through Lea mode
Arcsight said to customer that is not supported with R80 version yet.
Arcsight and R80 worked fine for my customer once we ensured the certificate used for the OPSEC LEA transaction was generated with SHA-1 and not SHA-256 as specified in sk109618. There was a new OPSEC SDK released by Check Point that supports SHA-256 (sk110425); OPSEC vendors like Arcsight need to recompile their applications with it to permit SHA-256 support.
Thanks for your reply
Does below command is support for R80 because as per SK article the version supported is till R77.30
[Expert@HostName]# cpca_client set_sign_hash sha1
Yes that was the command we used on R80. Need to run that command, set up SIC with Arcsight then set default signing algorithm back to SHA-256.
I am working with HP team here
can you also share the customer name so I will ask HP team to check confirm from their end.
I can't name the account in an open post, please contact the Check Point SE for the account Tom Stasko, I have alerted him to this conversation thread.
Feel free to shoot me an email and I can tell you more about the customer and deployment.
Retrieving data ...