Archive
Highlighted

Opsec LEA with Checkpoint R71 - opsec_putkey failing

Path Finder

We are following exactly the documentation provided with "OPSEC LEA for Checkpoint (Linux)" App.

The step Retrieve FW1 authentication key does not work:

splunk@syyyyyy:~/etc/apps/lea-loggrabber-splunk/opsec-tools/linux22$ ./opsec_putkey -debug -ssl -port 18184 x.x.x.x

(debug output here)

My question relates to the configuration on the LEA Management Server in $FWDIR/conf/opsec.conf

The documentation says:

2. Edit $FWDIR/conf/fwopsec.conf and add the following lines:
lea_server auth_port 18184
lea_server auth_type ssl_opsec

On a Checkpoint R71 release in fwopsec.conf you can find the (commented) defaults:

# The VPN-1/FireWall-1 default settings are:
#  lea_server  auth_port  18184
#  lea_server  port  0

As the parameters mentioned in the Apps documentation seem to be the defaults, we did not touch anything here.

Another Splunk customer with Checkpoint R71 also had these problems and changed the fwopsec.conf like this:

lea_server  auth_port   18184
lea_server  port       0
lea_server  auth_type  ssl_opsec

The question is, if we have to enable these parameters for successful execution of opsec_putkey on the Splunk instance? Even if the defaults have the same values?

If yes, is this a temporary configuration for the key retrieval or does it have to be permanent?
Unfortunately we cannot play around and cpstop/cpstart our Checkpoint Management instance...

Did anybody already implement the lea-loggrabber App successfully R70 or higher and can share experiences how to successfully pass this step here?
Thanks a lot!

0 Karma
Highlighted

Re: Opsec LEA with Checkpoint R71 - opsec_putkey failing

Ultra Champion

Seeing the same problems here (R71 on Windows)

  • no $FWDIR/conf/opsec.conf, but there is a c:/Windows/FW-1/conf/fwopsec.conf (backslashes not allowed here?)
  • auth_type not an allowed option according to above mentioned fwopsec.conf
  • auth_port and port defaults to 18184 and 0, respectively in fwopsec.conf (no changes made by us)
  • The opsec.p12 file was retrieved successfully
  • We did NOT enable any FWicapull or FW_lea rules, since the Splat and Splunk are on the same side of the firewall. (should those rules be applied anyway?)
  • Same failure regarding opsec_putkey. However I did not notice any of your errors regarding nonexistent CPDIR. I sense that the following lines indicate the problem;

    • [8739]@s000730 PMpolicychoose: finished successfully. choose: DENY.
    • [8739]@s000730 policy_choose: choose failed.
    • [8739]@s000730 sicclientnegotiateauthmethod: policy choose failed.
    • [8739]@s000730 fwasyncmuxin: 8: handler returned with error

Is this sicclientnegotiateauthmethod the same as the auth_type that should have gone into the opsec.conf??
Sorry if the text got somewhat mangled by the messageboard.

Any clues or workarounds appreciated.

UPDATE: if I had followed the instructions to the letter - everything would have worked much sooner. The problem is that the fwopsec.conf file did explicitly say that the only valid parameters were auth_port and port. Naturally I should have disregarded this and boldly added the auth_type as well....

Kristian

0 Karma
Highlighted

Re: Opsec LEA with Checkpoint R71 - opsec_putkey failing

Communicator

I successfully implemented the lea-loggrabber app on several R7* Check Point firewalls.
If you follow the supplied documentation it should work out of box, couple of notes below:

You have to enable the lea_server settings. In the original post, you have to remove the line with port 0, so leave just the following two lines in the configuration file:

lea_server  auth_port   18184
lea_server  auth_type  ssl_opsec

This basically tells Check Point to start the lea server.

Also, you have to add a rule which explicitly allows the Splunk server to connect to the LEA port on the Smartcenter box. If you don't do that Splunk will not be able to connect.