topic Re: Checkpoint OPSEC log collection Error in Installation

Checkpoint OPSEC log collection Error

suryavicky21 — Tue, 29 Sep 2020 19:35:21 GMT

Hello

I am trying to integrate Checkpoint logs into Splunk using the OPSEC LEA modular input/TA. I notice the below error post configuring the connections and inputs

2018-05-20 05:53:33,998 +0000 log_level=ERROR, pid=xxxx, tid=Thread-61667, file=ta_opseclea_data_collector.py, func_name=get_logs, code_line_no=75 | [input_name="name" connection="connecitonname" data="xxx"]log_level=0 file:lea_loggrabber.cpp func_name:check_session_end_reason code_line_no:1056 :ERROR: Session end reason: SIC ERROR 147 - SIC Error for lea: Authentication error

I see this error for each of the inputs that is configured.
the setup is
-- 1 Primary checkpoint Manager
-- 1 Secondary checkpoint Manager
-- 1 reporter manager server
-- multiple gateways

So i presume the certificate shall be pulled from the primary manager and the logs as well, as manager deals with all the gateways. I did pull the certificate from primary manager and configured the connections.conf for manager, but above is the error i see. Couldn't figure out yet the issue to fix. 😞

Did anyone test the Checkpoint OPSEC LEA for splunk over distributed architecture that has a manager handling gateways and a reporter server.

I would be glad if anyone can help me on this.

Thanks
Surya Teja

Re: Checkpoint OPSEC log collection Error

jkat54 — Sun, 20 May 2018 13:39:19 GMT

Yes it’s been done in distributed environments pulling from the primary, etc as you described.

A quick google of the error revealed several checkpoint articles that may apply:

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk99130&t=1526823404788

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk120112&t=1526823447480

Any of these help?

Re: Checkpoint OPSEC log collection Error

suryavicky21 — Mon, 21 May 2018 06:42:17 GMT

tried these, but no luck. I did not find any error related to time though.
I've installed the same on a single instance setup where there is only one manager handling multiple gateways, and the OPSEC LEA TA works like pro

any more inputs please 😐

Re: Checkpoint OPSEC log collection Error

jkat54 — Mon, 21 May 2018 15:23:43 GMT

I’d submit a ticket to splunk for support and escalate through your account rep if necessary. At least you can have that working while more answers come in here... Best of luck!

Re: Checkpoint OPSEC log collection Error

milesbrennan — Tue, 29 Sep 2020 19:54:11 GMT

If you're got an updated Linux server and you're running the latest add-on, there is a known error with glibc which fails to establish an OPSEC connected and download the certificate. Do you have a valid certificate?

ls -la /opt/splunk/etc/apps/Splunk_TA_checkpoint-opseclea/certs

Checkout the add-on release notes for more details.

I worked around this by downgrading my glibc, setting up add-on, then upgrading glibc again.

Best of luck.

Re: Checkpoint OPSEC log collection Error

suryavicky21 — Mon, 02 Jul 2018 07:20:59 GMT

Thanks for the comment @milesbrennan
there wasn't an issue pulling the cert. Add-on did fetch the cert, i've created the connection.conf and inputs.conf as well post which i see the SIC 147 error. Also i followed the procedure mentioned at Splunk docs to configure the inputs and cert

Thanks

Re: Checkpoint OPSEC log collection Error

suryavicky21 — Tue, 29 Sep 2020 20:24:05 GMT

So finally after so much troubleshooting i figured out the issue was with configurations on the Checkpoint device

there are stanzas in the fwopsec.conf on Checkpoint at $FWDIR/conf/fwopsec.conf

lea_server port 12345 --> when a port is assigned here opsec works on clear connections
lea_server auth_port 23456 --> this is what accepts ssl connections (opsec sslca)

So per my troubleshooting Splunk connects to Opsec only on SSL and wont work with CLEAR, therefore the lea_server auth_port 23456 stanza should exist in fwopsec.conf, Now when the auth_port is mentioned the type shall be mentioned in the fwopsec.conf which is lea_server auth_type sslca

so for clear connections the fwopsec.conf should have
lea_server port 12345

For sslca the fwopsec.conf should have stanzas
lea_server auth_port 23456
lea_server auth_type sslca

If the port is 0(Zero) that means that type is disabled (Ex: lea_server auth_port 0 means sslca is disabled)

Another thing, i guess Opsec can only listen either on clear or SSL but not both at same time, so make sure lea_server auth_port 23456 and lea_server auth_type sslca exists in fwopsec.conf on checkpoint and it works like pro ;