I have Checkpoint R75.40 installed in a tiered format (Separate Mgt Console, FW, and GUI on different boxes). I have followed all of the documentation found here: docs.splunk.com/Documentation/OPSEC-LEA
I have "Trust Established" on the OPSEC object in Checkpoint, and have found all of the SIC_ENTITY variables per the documentation, but in the Splunk frontend GUI under Splunk > Splunk Add-on for Check Point OPSEC LEA > Manage Connections > Just to the right of that I get the spinning circle as if it's trying to load data, but it never does.
In this document: wiki.splunk.com/Community:Configure_OPSEC_LEA_input under section 1 Checkpoint FW Modification Step 2 it says to "Edit $FWDIR/conf/fwopsec.conf and add the following lines to enable the LEA service". On my mgt console in that directory there is no fwopsec.conf file, so I created one and added those 2 lines. I then did the cpstop / cpstart and did a ./splunk restart.
As a sidenote I have Splunk installed on Ubuntu 14.04, but I don't think that matters as I've gotten everything installed programmatically just fine.
In var/log/splunk I've tailed conf.log / opsec.log / splunk.log, but I don't see any errors... Not sure what to do to make this work...
Please help.
Do you by chance have FIPS mode enabled? There is a known issue with FIPS mode.
OPSEC-398 When FIPS is enabled in a distributed Splunk Enterprise environment, the Manage Connections page cannot be accessed on the search head, even after restarting the Splunk platform.
Any update or workaround?
Check out this post from yesterday - I think it may be your issue:
I modified the remote.py and restarted splunk and still no joy. In that thread however he said he disabled the "proxy settings". Where might those be?
No answer so far. Please help.