All Apps and Add-ons
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

rc=-1 err=-96 Connection error with Check Point OSPEC LEA app 2.0.2

jbsplunk
Splunk Employee
Splunk Employee
‎05-29-2013 01:17 PM

I recently installed the Splunk Add-on for Check Point OSPEC LEA application (2.0.2), and when I attempt to Add a New Connection I get this UI error when Pulling the Certificate

Manage Connections: New Connection > Pull Certificate > SIC Details

/opt/splunk/etc/apps/Splunk_TA_opseclea_linux22/bin/pull-cert.sh: ../opsec-tools/opsec_pull_cert: rc=-1 err=-96 Connection error

What gives?

Reply
1 Solution
Solved! Jump to solution
Solution

Chubbybunny
Splunk Employee
Splunk Employee
‎05-29-2013 01:33 PM

This can happen when you've configured the App to use the wrong Server address. Below are some things you can try if that isn't the case:

  1. The App does not have the correct IP address of the Check Point manager

    (which can either be the IP adrresss of the CMA, CLM, or Standalone mgmt depending on where the FW admin has directed you to pull logs from)

  2. The host name is not resolvable to the correct IP address

    (make sure the OS of Forwarder can resolve all local IP addresses assigned to NIC's)

  3. The host of that IP address is unreachable. (use netcat to determine if ports 18184 and 18210 are open to Splunk)

    nc -z CKPT_mgmt.domain.com 18184
    -AND-
    nc -z CKPT_mgmt.domain.com 18210

18184/tcp: is used to retrieve FW/AUDIT logs from the Check Point API
18210/tcp: is used for a one time connection to pull the certificate

View solution in original post

Reply
Solved! Jump to solution
Solution

Chubbybunny
Splunk Employee
Splunk Employee
‎05-29-2013 01:33 PM

This can happen when you've configured the App to use the wrong Server address. Below are some things you can try if that isn't the case:

  1. The App does not have the correct IP address of the Check Point manager

    (which can either be the IP adrresss of the CMA, CLM, or Standalone mgmt depending on where the FW admin has directed you to pull logs from)

  2. The host name is not resolvable to the correct IP address

    (make sure the OS of Forwarder can resolve all local IP addresses assigned to NIC's)

  3. The host of that IP address is unreachable. (use netcat to determine if ports 18184 and 18210 are open to Splunk)

    nc -z CKPT_mgmt.domain.com 18184
    -AND-
    nc -z CKPT_mgmt.domain.com 18210

18184/tcp: is used to retrieve FW/AUDIT logs from the Check Point API
18210/tcp: is used for a one time connection to pull the certificate

Reply
Get Updates on the Splunk Community!

Introducing Splunk Enterprise 9.2

WATCH HERE! Watch this Tech Talk to learn about the latest features and enhancements shipped in the new Splunk ...

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...

Routing logs with Splunk OTel Collector for Kubernetes

The Splunk Distribution of the OpenTelemetry (OTel) Collector is a product that provides a way to ingest ...