All Apps and Add-ons
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

rc=-1 err=-96 Connection error with Check Point OSPEC LEA app 2.0.2

jbsplunk
Splunk Employee
Splunk Employee
‎05-29-2013 01:17 PM

I recently installed the Splunk Add-on for Check Point OSPEC LEA application (2.0.2), and when I attempt to Add a New Connection I get this UI error when Pulling the Certificate

Manage Connections: New Connection > Pull Certificate > SIC Details

/opt/splunk/etc/apps/Splunk_TA_opseclea_linux22/bin/pull-cert.sh: ../opsec-tools/opsec_pull_cert: rc=-1 err=-96 Connection error

What gives?

Reply
1 Solution
Solved! Jump to solution
Solution

Chubbybunny
Splunk Employee
Splunk Employee
‎05-29-2013 01:33 PM

This can happen when you've configured the App to use the wrong Server address. Below are some things you can try if that isn't the case:

  1. The App does not have the correct IP address of the Check Point manager

    (which can either be the IP adrresss of the CMA, CLM, or Standalone mgmt depending on where the FW admin has directed you to pull logs from)

  2. The host name is not resolvable to the correct IP address

    (make sure the OS of Forwarder can resolve all local IP addresses assigned to NIC's)

  3. The host of that IP address is unreachable. (use netcat to determine if ports 18184 and 18210 are open to Splunk)

    nc -z CKPT_mgmt.domain.com 18184
    -AND-
    nc -z CKPT_mgmt.domain.com 18210

18184/tcp: is used to retrieve FW/AUDIT logs from the Check Point API
18210/tcp: is used for a one time connection to pull the certificate

View solution in original post

Reply
Solved! Jump to solution
Solution

Chubbybunny
Splunk Employee
Splunk Employee
‎05-29-2013 01:33 PM

This can happen when you've configured the App to use the wrong Server address. Below are some things you can try if that isn't the case:

  1. The App does not have the correct IP address of the Check Point manager

    (which can either be the IP adrresss of the CMA, CLM, or Standalone mgmt depending on where the FW admin has directed you to pull logs from)

  2. The host name is not resolvable to the correct IP address

    (make sure the OS of Forwarder can resolve all local IP addresses assigned to NIC's)

  3. The host of that IP address is unreachable. (use netcat to determine if ports 18184 and 18210 are open to Splunk)

    nc -z CKPT_mgmt.domain.com 18184
    -AND-
    nc -z CKPT_mgmt.domain.com 18210

18184/tcp: is used to retrieve FW/AUDIT logs from the Check Point API
18210/tcp: is used for a one time connection to pull the certificate

Reply
Get Updates on the Splunk Community!

Splunk APM & RUM | Upcoming Planned Maintenance

There will be planned maintenance of Splunk APM’s and Splunk RUM’s streaming infrastructure in the coming ...

Part 2: Diving Deeper With AIOps

Getting the Most Out of Event Correlation and Alert Storm Detection in Splunk IT Service Intelligence   Watch ...

User Groups | Upcoming Events!

If by chance you weren't already aware, the Splunk Community is host to numerous User Groups, organized ...