Splunk Add-on for Check Point OPSEC LEA: SIC ERROR 119 - SIC Error for lea: Client could not choose an authentication method for service lea

horaciob
Explorer

Hello everyone:

I installed the Splunk Add-on for Check Point OPSEC LEA (https://splunkbase.splunk.com/app/3197/)

I followed all the installation steps, but it gives me the following connection error:

2016-12-20 15:03:18,130 +0000 log_level=ERROR, pid=23280, tid=Thread-9, file=ta_opseclea_data_collector.py, func_name=get_logs, code_line_no=62 | [input_name="CheckPoint" connection="CheckPoint_mgmt" data="fw"]log_level=0 file:lea_loggrabber.cpp func_name:check_session_end_reason code_line_no:2159 :Session end reason: SIC ERROR 119 - SIC Error for lea: Client could not choose an authentication method for service lea

My opseclea_inputs.conf is

[CheckPoint]
connection = CheckPoint_mgmt
data = fw
host = xxx.xxx.xxx.xxx
index = checkpoint_test
interval = 30
mode = offline
noresolve = 1
disabled = 1

And the opseclea_connection.conf is

[CheckPoint_mgmt]
cert_name = CheckPoint_mgmt_20361674.p12
fw_version = R77
lea_app_name = SplunkLEA
lea_object_name =
lea_server_auth_port = 18184
lea_server_auth_type = sslca
lea_server_ip = xxx.xxx.xxx.xxx
lea_server_type = primary
management_server_ip = xxx.xxx.xxx.xxx
opsec_entity_sic_name = CN=cp_mgmt,O=fwmgmt..nnc98w
opsec_sic_name = CN=SplunkLEA,O=fwmgmt..nnc98w
disabled = 0

Where's the problem??

Regards

0 Karma

mreynov_splunk
Splunk Employee

The config looks right, so this is probably an issue with the OPSEC app configuration.
Check for some ideas here http://docs.splunk.com/Documentation/AddOns/released/OPSEC-LEA/Troubleshoot (specifically the checkpoint URL: http://dl3.checkpoint.com/paid/20/How-To-Troubleshoot-SIC-related-Issues.pdf?HashKey=1463490738_979d...)

0 Karma

horaciob
Explorer

Mreynov, thanks for your answer

We saw this in the firewall configuration:

[Expert@fwmgmt:0]# cat /var/opt/CPsuite-R77/fw1/conf/fwopsec.conf | grep lea_server

sam_server, lea_server, ela_server, cpmi_server, uaa_server.

lea_server auth_port 18184
lea_server auth_type ssl_opsec

Is it possible to configure this authentication type in the connection?

Or do we need to change this in the CheckPoint configuration?

Regards

Horacio

0 Karma

mreynov_splunk
Splunk Employee

This is definitely on the checkpoint side, but I am not sure if this is a general setting or specific to the OPSEC app/object

0 Karma

horaciob
Explorer

Hi mreynov!

When I change the parameter:

lea_server_auth_type = ssl_opsec (in opseclea_connection.conf)

Now it gives me this error message:

SIC ERROR 302 - SIC Error for ssl_opsec: peer name wasn't found in authentication files

Regards

Horacio

0 Karma
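
The thread shows the management server's fwopsec.conf with lea_server auth_type ssl_opsec while opseclea_connection.conf has lea_server_auth_type = sslca. The following is an added example, not part of the original posts or the add-on's own code, that reports such differences; it assumes the fwopsec.conf line format quoted above, and the function names and the mapping of auth_port/auth_type onto the lea_server_* keys are illustrative. It only lists mismatches and does not decide which side should change.

```python
import configparser

# Constructed sample inputs, using the values quoted in the thread.
FWOPSEC_CONF = """\
sam_server, lea_server, ela_server, cpmi_server, uaa_server.
lea_server auth_port 18184
lea_server auth_type ssl_opsec
"""

CONNECTION_CONF = """\
[CheckPoint_mgmt]
fw_version = R77
lea_app_name = SplunkLEA
lea_object_name =
lea_server_auth_port = 18184
lea_server_auth_type = sslca
disabled = 0
"""

def parse_fwopsec(text, service="lea_server"):
    """Return {key: value} for '<service> <key> <value>' lines; '#' starts a comment."""
    settings = {}
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) == 3 and parts[0] == service:
            settings[parts[1]] = parts[2]
    return settings

def compare_lea_settings(fwopsec_text, connection_text):
    """Return (stanza, key, server_value, client_value) for every setting that differs."""
    server = parse_fwopsec(fwopsec_text)
    client = configparser.ConfigParser(interpolation=None)
    client.read_string(connection_text)
    mismatches = []
    for stanza in client.sections():
        for key, server_value in server.items():
            # Assumed mapping: fwopsec key 'auth_type' -> 'lea_server_auth_type'.
            client_value = client.get(stanza, "lea_server_" + key, fallback=None)
            if client_value is None or client_value.strip() != server_value:
                mismatches.append((stanza, key, server_value, client_value))
    return mismatches

if __name__ == "__main__":
    for stanza, key, srv, cli in compare_lea_settings(FWOPSEC_CONF, CONNECTION_CONF):
        print(f"[{stanza}] {key}: fwopsec.conf={srv!r} connection={cli!r}")
```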