topic Checkpoint LEA and SSL authentication in Getting Data In

Checkpoint LEA and SSL authentication

cyrillefranchet — Wed, 11 May 2011 08:13:07 GMT

Hi all,

Does anyone try to use FWN1 auth method successfully instead of SSL one?

I'm asking because it could be complicated to stop ChekPoint Manager in a production environment to modify the fwopsec.conf file.

Thanks for your help.

Cheers,

cyrillefranchet — Wed, 11 May 2011 08:50:28 GMT

Ok to have this working , on Splunk forwarder you need to retrieve the key by executing the following command.

opsec_putkey -port 18184 < Source IP address of checkpoint box >

You should get the authkeys.C file. Copy this file in the $SPLUNK_HOME/etc/apps/lea-loggrabber-splunk/bin/ directory.

Modify lea.conf file to change "lea_server auth_type ssl_opsec" to "lea_server auth_type auth_opsec".

Restart the Splunk forwarder. Now , you should receive events from CheckPoint.

Cyrille.

araitz — Tue, 09 Apr 2013 23:25:58 GMT

Note this is valid for pre-2.0.0 versions of Splunk OPSEC LEA integration.