Splunk Add-on for Check Point OPSEC LEA: SIC ERROR 119 - SIC Error for lea: Client could not choose an authentication method for service lea

Explorer

Hello everyone:

I installed the Splunk Add-on for Check Point OPSEC LEA (https://splunkbase.splunk.com/app/3197/)

I followed all the installation steps, but it gives me the following connection error:

2016-12-20 15:03:18,130 +0000 loglevel=ERROR, pid=23280, tid=Thread-9, file=taopsecleadatacollector.py, funcname=getlogs, codelineno=62 | [inputname="CheckPoint" connection="CheckPointmgmt" data="fw"]loglevel=0 file:lealoggrabber.cpp funcname:checksessionendreason codelineno:2159 :Session end reason: SIC ERROR 119 - SIC Error for lea: Client could not choose an authentication method for service lea

My opseclea_inputs.conf is

[CheckPoint]
connection = CheckPoint_mgmt
data = fw
host = xxx.xxx.xxx.xxx
index = checkpoint_test
interval = 30
mode = offline
noresolve = 1
disabled = 1

And the opseclea_connection.conf is

[CheckPoint_mgmt]
cert_name = CheckPoint_mgmt_20361674.p12
fw_version = R77
lea_app_name = SplunkLEA
lea_object_name =
lea_server_auth_port = 18184
lea_server_auth_type = sslca
lea_server_ip = xxx.xxx.xxx.xxx
lea_server_type = primary
management_server_ip = xxx.xxx.xxx.xxx
opsec_entity_sic_name = CN=cp_mgmt,O=fwmgmt..nnc98w
opsec_sic_name = CN=SplunkLEA,O=fwmgmt..nnc98w
disabled = 0

Where's the problem?

Regards

0 Karma

Splunk Employee

The config looks right, so this is probably an issue with the OPSEC app configuration.
Check for some ideas here http://docs.splunk.com/Documentation/AddOns/released/OPSEC-LEA/Troubleshoot (specifically the checkpoint URL: http://dl3.checkpoint.com/paid/20/How-To-Troubleshoot-SIC-related-Issues.pdf?HashKey=1463490738_979d...)

0 Karma

Explorer

Mreynov, thanks for your answer

We saw this in the firewall configuration:

[Expert@fwmgmt:0]# cat /var/opt/CPsuite-R77/fw1/conf/fwopsec.conf | grep lea_server

sam_server, lea_server, ela_server, cpmi_server, uaa_server.

lea_server auth_port 18184
lea_server auth_type ssl_opsec

Is it possible to configure this authentication type in the connection?

Or do we need to change this in the Check Point configuration?

Regards

Horacio

0 Karma

Splunk Employee

This is definitely on the Check Point side, but I am not sure if this is a general setting or specific to the OPSEC app/object.

0 Karma

Explorer

Hi mreynov!

When I change the parameter:

lea_server_auth_type = ssl_opsec (in opseclea_connection.conf)

Now it gives me this error message:

SIC ERROR 302 - SIC Error for ssl_opsec: peer name wasn't found in authentication files

Regards

Horacio

0 Karma
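The thread turns on the add-on's lea_server_auth_type (sslca) differing from the auth_type in the management server's fwopsec.conf (ssl_opsec). As an added example, not code from the posts or from the add-on, the following Python check compares the two files and lists any port or authentication-type mismatch; the function names, the sample IP address and the embedded file contents are constructed for illustration. It only surfaces the mismatch: as the last post shows, aligning the type led to a different SIC error, so the certificate and SIC names still have to be checked separately.

```python
import configparser

# Constructed samples modelled on the two files quoted in the thread.
FWOPSEC = """\
lea_server auth_port 18184
lea_server auth_type ssl_opsec
"""
CONNECTION = """\
[CheckPoint_mgmt]
lea_server_auth_port = 18184
lea_server_auth_type = sslca
lea_server_ip = 192.0.2.10
"""


def parse_fwopsec(text, service="lea_server"):
    """Return {setting: value} for one service from fwopsec.conf text."""
    settings = {}
    for line in text.splitlines():
        # Drop comments, then expect "<service> <setting> <value>".
        parts = line.split("#", 1)[0].split()
        if len(parts) >= 3 and parts[0] == service:
            settings[parts[1]] = parts[2]
    return settings


def compare(fwopsec_text, connection_text):
    """List (stanza, setting, client_value, server_value) mismatches."""
    server = parse_fwopsec(fwopsec_text)
    client = configparser.ConfigParser(interpolation=None)
    client.read_string(connection_text)
    mismatches = []
    for stanza in client.sections():
        for setting in ("auth_port", "auth_type"):
            have = client.get(stanza, "lea_server_" + setting, fallback=None)
            want = server.get(setting)
            # Only report settings the server side actually defines.
            if want is not None and have != want:
                mismatches.append((stanza, setting, have, want))
    return mismatches


if __name__ == "__main__":
    for stanza, setting, have, want in compare(FWOPSEC, CONNECTION):
        print(f"[{stanza}] {setting}: add-on has {have!r}, "
              f"fwopsec.conf has {want!r}")
```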