- Splunk Answers
- :
- Splunk Administration
- :
- Installation
- :
- Checkpoint OPSEC log collection Error
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello
I am trying to integrate Checkpoint logs into Splunk using the OPSEC LEA modular input/TA. I notice the below error post configuring the connections and inputs
2018-05-20 05:53:33,998 +0000 log_level=ERROR, pid=xxxx, tid=Thread-61667, file=ta_opseclea_data_collector.py, func_name=get_logs, code_line_no=75 | [input_name="name" connection="connecitonname" data="xxx"]log_level=0 file:lea_loggrabber.cpp func_name:check_session_end_reason code_line_no:1056 :ERROR: Session end reason: SIC ERROR 147 - SIC Error for lea: Authentication error
I see this error for each of the inputs that is configured.
the setup is
-- 1 Primary checkpoint Manager
-- 1 Secondary checkpoint Manager
-- 1 reporter manager server
-- multiple gateways
So i presume the certificate shall be pulled from the primary manager and the logs as well, as manager deals with all the gateways. I did pull the certificate from primary manager and configured the connections.conf for manager, but above is the error i see. Couldn't figure out yet the issue to fix. 😞
Did anyone test the Checkpoint OPSEC LEA for splunk over distributed architecture that has a manager handling gateways and a reporter server.
I would be glad if anyone can help me on this.
Thanks
Surya Teja
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
So finally after so much troubleshooting i figured out the issue was with configurations on the Checkpoint device
there are stanzas in the fwopsec.conf on Checkpoint at $FWDIR/conf/fwopsec.conf
lea_server port 12345 --> when a port is assigned here opsec works on clear connections
lea_server auth_port 23456 --> this is what accepts ssl connections (opsec sslca)
So per my troubleshooting Splunk connects to Opsec only on SSL and wont work with CLEAR, therefore the lea_server auth_port 23456 stanza should exist in fwopsec.conf, Now when the auth_port is mentioned the type shall be mentioned in the fwopsec.conf which is lea_server auth_type sslca
so for clear connections the fwopsec.conf should have
lea_server port 12345
For sslca the fwopsec.conf should have stanzas
lea_server auth_port 23456
lea_server auth_type sslca
If the port is 0(Zero) that means that type is disabled (Ex: lea_server auth_port 0 means sslca is disabled)
Another thing, i guess Opsec can only listen either on clear or SSL but not both at same time, so make sure lea_server auth_port 23456 and lea_server auth_type sslca exists in fwopsec.conf on checkpoint and it works like pro ;
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
So finally after so much troubleshooting i figured out the issue was with configurations on the Checkpoint device
there are stanzas in the fwopsec.conf on Checkpoint at $FWDIR/conf/fwopsec.conf
lea_server port 12345 --> when a port is assigned here opsec works on clear connections
lea_server auth_port 23456 --> this is what accepts ssl connections (opsec sslca)
So per my troubleshooting Splunk connects to Opsec only on SSL and wont work with CLEAR, therefore the lea_server auth_port 23456 stanza should exist in fwopsec.conf, Now when the auth_port is mentioned the type shall be mentioned in the fwopsec.conf which is lea_server auth_type sslca
so for clear connections the fwopsec.conf should have
lea_server port 12345
For sslca the fwopsec.conf should have stanzas
lea_server auth_port 23456
lea_server auth_type sslca
If the port is 0(Zero) that means that type is disabled (Ex: lea_server auth_port 0 means sslca is disabled)
Another thing, i guess Opsec can only listen either on clear or SSL but not both at same time, so make sure lea_server auth_port 23456 and lea_server auth_type sslca exists in fwopsec.conf on checkpoint and it works like pro ;
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If you're got an updated Linux server and you're running the latest add-on, there is a known error with glibc which fails to establish an OPSEC connected and download the certificate. Do you have a valid certificate?
ls -la /opt/splunk/etc/apps/Splunk_TA_checkpoint-opseclea/certs
Checkout the add-on release notes for more details.
I worked around this by downgrading my glibc, setting up add-on, then upgrading glibc again.
Best of luck.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks for the comment @milesbrennan
there wasn't an issue pulling the cert. Add-on did fetch the cert, i've created the connection.conf and inputs.conf as well post which i see the SIC 147 error. Also i followed the procedure mentioned at Splunk docs to configure the inputs and cert
Thanks
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yes it’s been done in distributed environments pulling from the primary, etc as you described.
A quick google of the error revealed several checkpoint articles that may apply:
Any of these help?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
tried these, but no luck. I did not find any error related to time though.
I've installed the same on a single instance setup where there is only one manager handling multiple gateways, and the OPSEC LEA TA works like pro
any more inputs please 😐
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I’d submit a ticket to splunk for support and escalate through your account rep if necessary. At least you can have that working while more answers come in here... Best of luck!
Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...
.conf24 | Registration Open!
ICYMI - Check out the latest releases of Splunk Edge Processor
