I recently installed the Splunk Add-on for Check Point OSPEC LEA application (2.0.2), and when I attempt to Add a New Connection I get this UI error when Pulling the Certificate
Manage Connections: New Connection > Pull Certificate > SIC Details
/opt/splunk/etc/apps/Splunk_TA_opseclea_linux22/bin/pull-cert.sh: ../opsec-tools/opsec_pull_cert: rc=-1 err=-96 Connection error
What gives?
This can happen when you've configured the App to use the wrong Server address. Below are some things you can try if that isn't the case:
The App does not have the correct IP address of the Check Point manager
(which can either be the IP adrresss of the CMA, CLM, or Standalone mgmt depending on where the FW admin has directed you to pull logs from)
The host name is not resolvable to the correct IP address
(make sure the OS of Forwarder can resolve all local IP addresses assigned to NIC's)
The host of that IP address is unreachable. (use netcat to determine if ports 18184 and 18210 are open to Splunk)
nc -z CKPT_mgmt.domain.com 18184
-AND-
nc -z CKPT_mgmt.domain.com 18210
18184/tcp: is used to retrieve FW/AUDIT logs from the Check Point API
18210/tcp: is used for a one time connection to pull the certificate
This can happen when you've configured the App to use the wrong Server address. Below are some things you can try if that isn't the case:
The App does not have the correct IP address of the Check Point manager
(which can either be the IP adrresss of the CMA, CLM, or Standalone mgmt depending on where the FW admin has directed you to pull logs from)
The host name is not resolvable to the correct IP address
(make sure the OS of Forwarder can resolve all local IP addresses assigned to NIC's)
The host of that IP address is unreachable. (use netcat to determine if ports 18184 and 18210 are open to Splunk)
nc -z CKPT_mgmt.domain.com 18184
-AND-
nc -z CKPT_mgmt.domain.com 18210
18184/tcp: is used to retrieve FW/AUDIT logs from the Check Point API
18210/tcp: is used for a one time connection to pull the certificate