topic Re: Configure the Splunk Add-on for Check Point OPSEC LEA in All Apps and Add-ons

Configure the Splunk Add-on for Check Point OPSEC LEA

lnhquang1993 — Sat, 16 Dec 2017 04:37:29 GMT

Hi everyone,
I'm need to Configure the Splunk Add-on for Check Point OPSEC LEA but i has faced some problems. I can't add new connection.

192.168.20.1 is IP of Checkpoint FW
192.168.20.30 is IP of Splunk

I has pull the certifiacte success from Checkpoint but i can't select it on SIC Certificate. I can't Reuse Existing SIC Certificate option.

And in Checkpoint SmartConsole. I can't see where to check SIC status.

Please help,
Quang

Re: Configure the Splunk Add-on for Check Point OPSEC LEA

lmaclean — Mon, 18 Dec 2017 01:13:28 GMT

Hi,

Looking at the doco Mgt Server IP isn't that of the Splunk server but of the Check Point Mgt Server, if it is a standalone environment (#6.2 on doco page).

I would suggest confirming all of the steps in the doco setup, then if it still isn't working provide here:

Which step you believe it failed upon
The stderr lines within the splunkd.log referenced in the error message
Check the ../certs/ folder within the app - and the permissions for the folder/files
Output from the web_service.log reference the troubleshoot section of the linked doco page

Re: Configure the Splunk Add-on for Check Point OPSEC LEA

lnhquang1993 — Mon, 18 Dec 2017 02:41:56 GMT

Hi lmaclean,
Thanks for your help. And yes i recognize my fault. It a standalone enviroment so both Log Server IP and Mgt Server IP is the same - 192.168.20.1 right ? But i still get error :
External handler failed with code '1' and output: 'REST ERROR[400]: Bad Request - The referred entity does not exist in the Certificate Authority. Make sure you have provided the right application name and one-time password'. See splunkd.log for stderr output.

I pretty sure that i has type the right application name and one-time password.
Here is the application that i create on CP :
name = splunk-lea OTP = 123
and i use it to pull-cert from CP to Splunk :
./pull-cert.sh 192.168.20.1 splunk-lea 123 splunk.pl2
and out show that Certifiacte success written to ../certs/splunk.pl2.

so the application name and OTP can't be wrong right ?

Re: Configure the Splunk Add-on for Check Point OPSEC LEA

lmaclean — Mon, 18 Dec 2017 03:03:17 GMT

Might be worth looking at the opseclea_connection.conf file in the ../local/ folder and seeing if the settings match what you have configured in Check Point.

Also remember they are case sensitive; password cannot contain certain special characters; reapply the password in Check Point after each failed attempt incase after the first failed try it blocks it out; and that all the other settings in the file match your environment as well.

https://docs.splunk.com/Documentation/AddOns/released/OPSEC-LEA/Configureinputs

Edit: Oh and on the end of the cert script it is a number one (1) right not an l (L) that you are running??

Re: Configure the Splunk Add-on for Check Point OPSEC LEA

kalaiarasu — Mon, 21 May 2018 01:51:44 GMT

Hi,

Have you resolved the issue ? currently i'm facing the same issue.

Re: Configure the Splunk Add-on for Check Point OPSEC LEA

ektasiwani — Tue, 29 Sep 2020 20:39:09 GMT

Hi,

I was facing the same issue. I solved this by giving proper permission to "$SPLUK_HOME/etc/apps/Splunk_TA_checkpoint-opseclea/" folder. Make sure your application folder is having proper permission and should have "$SPLUK_HOME/etc/apps/Splunk_TA_checkpoint-opseclea/local/" folder.

Re: Configure the Splunk Add-on for Check Point OPSEC LEA

evinasco — Wed, 15 Aug 2018 16:47:23 GMT

what kind of permissions does it need? 777? in linux

Re: Configure the Splunk Add-on for Check Point OPSEC LEA

ektasiwani — Wed, 15 Aug 2018 16:59:38 GMT

Yes. You need to give 777 permission.

If giving permission will not solve your issue please follow steps mentioned in below link.

https://answers.splunk.com/answers/614787/splunk-check-point-lea-opsec-error-fatal-error-gli.html

Re: Configure the Splunk Add-on for Check Point OPSEC LEA

evinasco — Wed, 15 Aug 2018 20:36:01 GMT

hi thanks, but i know have the next issue jejeje .. when i create a input

ERROR: Session end reason: SIC ERROR 119 - SIC Error for lea: Client could not choose an authentication method for service lea

do you know what is going on ?

Re: Configure the Splunk Add-on for Check Point OPSEC LEA

ektasiwani — Tue, 29 Sep 2020 20:52:46 GMT

Hi,

This issue is because OPSEC side started to use sha256 and updated its SDK.
Download file from http://supportcontent.checkpoint.com/file_download?id=50832 and replace $SPLUNK_HOME/etc/apps/Splunk_TA_checkpoint-opseclea/bin/opsec-tools binaries with these new ones.

This solution is mentioned in the link which I shared in my comment:
https://answers.splunk.com/answers/614787/splunk-check-point-lea-opsec-error-fatal-error-gli.html

Check out below link by checkpoint:
https://supportcenter.checkpoint.com/supportcenter/portal?action=portlets.SearchResultMainAction&eventSubmit_doGoviewsolutiondetails=&solutionid=sk130292

Re: Configure the Splunk Add-on for Check Point OPSEC LEA

Enedis — Wed, 03 Jul 2019 14:42:01 GMT

Hi,

The OPSEC App Name does not contain specials characters.
Try : splunklea.

Alex