All Apps and Add-ons
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Splunk Add-on for Check Point OPSEC LEA: Why does "Manage Connections" never load and I get no data?

whoa
Explorer
‎04-07-2016 07:55 AM

I have Checkpoint R75.40 installed in a tiered format (Separate Mgt Console, FW, and GUI on different boxes). I have followed all of the documentation found here: docs.splunk.com/Documentation/OPSEC-LEA

I have "Trust Established" on the OPSEC object in Checkpoint, and have found all of the SIC_ENTITY variables per the documentation, but in the Splunk frontend GUI under Splunk > Splunk Add-on for Check Point OPSEC LEA > Manage Connections > Just to the right of that I get the spinning circle as if it's trying to load data, but it never does.

In this document: wiki.splunk.com/Community:Configure_OPSEC_LEA_input under section 1 Checkpoint FW Modification Step 2 it says to "Edit $FWDIR/conf/fwopsec.conf and add the following lines to enable the LEA service". On my mgt console in that directory there is no fwopsec.conf file so I created one and added those 2 lines. I then did the cpstop / cpstart and did a ./splunk restart

As a sidenote I have Splunk installed on Ubuntu 14.04, but I don't think that matters as I've gotten everything installed programmatically just fine.

In var/log/splunk Ive tailed conf.log / opsec.log / splunk.log, but I don't see any errors... Not sure what to do to make this work...

Please help.

Reply

hjauch_splunk
Splunk Employee
Splunk Employee
‎04-15-2016 04:54 PM

Do you by chance have FIPSs mode enabled? There is a known issue with FIPs mode.

OPSEC-398 When FIPs is enabled in a distributed Spunk Enterprise environment, the Manage Connections page cannot be accessed on the search head, even after restarting the Splunk platform

0 Karma
Reply

neelamsantosh
Path Finder
‎04-13-2016 02:30 AM

Any update or workaround..

0 Karma
Reply

tsweet_splunk
Splunk Employee
Splunk Employee
‎04-07-2016 11:09 AM

Check out this post from yesterday - I think it may be your issue:

https://answers.splunk.com/answers/389001/checkpoint-add-on-for-check-point-opsec-lea-why-is.html#co...

0 Karma
Reply

whoa
Explorer
‎04-07-2016 12:04 PM

I modified the remote.py and restarted splunk and still no joy. In that thread however he said he disabled the "proxy settings". Where might those be?

0 Karma
Reply

whoa
Explorer
‎04-12-2016 11:32 AM

No answer so far. Please help.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...