Splunk Add-on for Checkpoint OPSEC LEA - Failed to initialize authentication

jgbricker
Contributor

I'm having difficulty with the SSL connection to a Checkpoint Management server, version 77, on GAIA server software.
The Checkpoint admin cannot locate the GuiDBEdit util to validate entity_sic_name. I updated the opsec.conf file with what he found that may be the entity_sic_name and then restarted Splunk, but it doesn't appear to pick up this change.

/opt/splunk/etc/apps/Splunk_TA_opseclea_linux22/local/opsec.conf
[checkpoint_Man]
collect_audit =
fw_version = 77
is_disabled = 0
lea_server_auth_port = 18184
lea_server_auth_type = sslca
lea_server_ip = 10.29.1.75
opsec_entity_sic_name = "CN=POCGateway2,O=Manager.mydomain.com.userid"
opsec_sic_name = "CN=Splunk,O=Manager.mydomain.com.userid"
opsec_sslca_file = ../certs/opsec.p12
mode = non_audit

Debug output:

[root@tstsplunk01 opsec-tools]# ./opsec_putkey -debug -ssl -port 18184 10.29.1.75
Please enter secret key:
Please enter secret key again:
[ 29436 4150852096]@tstsplunk01[28 Jul 16:21:05] PM_policy_create: version 5301.
[ 29436 4150852096]@tstsplunk01[28 Jul 16:21:05] PM_policy_add_name_to_group: finished successfully.
[ 29436 4150852096]@tstsplunk01[28 Jul 16:21:05] PM_policy_set_local_names: () names. finished successfully.
[ 29436 4150852096]@tstsplunk01[28 Jul 16:21:05] PM_policy_create: finished successfully.
[ 29436 4150852096]@tstsplunk01[28 Jul 16:21:05] PM_policy_add_name_to_group: finished successfully.
[ 29436 4150852096]@tstsplunk01[28 Jul 16:21:05] PM_policy_set_local_names: (local_sic_name) names. finished successfully.
[ 29436 4150852096]@tstsplunk01[28 Jul 16:21:05] PM_policy_add_name_to_group: finished successfully.
[ 29436 4150852096]@tstsplunk01[28 Jul 16:21:05] PM_policy_set_local_names: (127.0.0.1) names. finished successfully.
[ 29436 4150852096]@tstsplunk01[28 Jul 16:21:05] PM_policy_add_name_to_group: finished successfully.
[ 29436 4150852096]@tstsplunk01[28 Jul 16:21:05] PM_policy_set_local_names: ("OPSECPUTKEY") names. finished successfully.
[ 29436 4150852096]@tstsplunk01[28 Jul 16:21:05] PM_apply_default_dn: finished successfully.
[ 29436 4150852096]@tstsplunk01[28 Jul 16:21:05] setting fwa1 init password for 10.29.1.75 (10.29.1.75)

[ 29436 4150852096]@tstsplunk01[28 Jul 16:21:05] resolver_gethostbyname: Performing gethostbyname for tstsplunk01
[ 29436 4150852096]@tstsplunk01[28 Jul 16:21:05] peers addresses are
[ 29436 4150852096]@tstsplunk01[28 Jul 16:21:05] 10.1.159.16
[ 29436 4150852096]@tstsplunk01[28 Jul 16:21:05] sic_client_do_connect: no server sic name supplied, server sic name is unknown.
[ 29436 4150852096]@tstsplunk01[28 Jul 16:21:05] fwasync_conn_params: <a019f10,57965> -> <a1d014b,18184>
[ 29436 4150852096]@tstsplunk01[28 Jul 16:21:05] fwasync_connbuf_realloc: reallocating 0 from 0 to 1028
[ 29436 4150852096]@tstsplunk01[28 Jul 16:21:05] fwasync_connbuf_realloc: reallocating 0 from 0 to 1028
[ 29436 4150852096]@tstsplunk01[28 Jul 16:21:06] sic_client_set_version: 6: protocol version is 59000000
[ 29436 4150852096]@tstsplunk01[28 Jul 16:21:06] call_handlers_list: no conversion done, set cn=cp_mgmt,o=Manager.erieinsurance.com.b8662s as sic name
[ 29436 4150852096]@tstsplunk01[28 Jul 16:21:06] PM_session_init: given session O(OPSECPUTKEY;cn=cp_mgmt,o=Manager.erieinsurance.com.b8662s;18184;ssl_opsec).
[ 29436 4150852096]@tstsplunk01[28 Jul 16:21:06] PM_policy_query: input session O(OPSECPUTKEY;cn=cp_mgmt,o=Manager.erieinsurance.com.b8662s;18184;ssl_opsec).
[ 29436 4150852096]@tstsplunk01[28 Jul 16:21:06] PM_policy_query: rule found (ANY;ANY;ANY;ssl_opsec;ssl(1/1)).
[ 29436 4150852096]@tstsplunk01[28 Jul 16:21:06] PM_policy_query: finished successfully. 1st method = ssl
[ 29436 4150852096]@tstsplunk01[28 Jul 16:21:06] PM_policy_choose: finished successfully. choose: ssl.
[ 29436 4150852096]@tstsplunk01[28 Jul 16:21:06] peers addresses are
[ 29436 4150852096]@tstsplunk01[28 Jul 16:21:06] 10.29.1.75
[ 29436 4150852096]@tstsplunk01[28 Jul 16:21:06] resolver_gethostbyaddr: Performing gethostbyaddr for 10.29.1.75
[ 29436 4150852096]@tstsplunk01[28 Jul 16:21:06] fwa1 peername for 10.29.1.75 is 10.29.1.75
[ 29436 4150852096]@tstsplunk01[28 Jul 16:21:06] ckpSSLctx_New: prefs = e
[ 29436 4150852096]@tstsplunk01[28 Jul 16:21:06] CkpRegDir: Environment variable CPDIR is not set.
[ 29436 4150852096]@tstsplunk01[28 Jul 16:21:06] GenerateGlobalEntry: Unable to get registry path
[ 29436 4150852096]@tstsplunk01[28 Jul 16:21:06] ckpSSL_PrepareConnection: verify mode: 1
[ 29436 4150852096]@tstsplunk01[28 Jul 16:21:06] My SSL Ciphers:
[ 29436 4150852096]@tstsplunk01[28 Jul 16:21:06] Cipher List:
[ 29436 4150852096]@tstsplunk01[28 Jul 16:21:06] 0: ADH-DES-CBC3-SHA        SSLv3 Kx=DH       Au=None Enc=3DES(168) Mac=SHA1
[ 29436 4150852096]@tstsplunk01[28 Jul 16:21:06] 1: ADH-RC4-MD5             SSLv3 Kx=DH       Au=None Enc=RC4(128)  Mac=MD5
[ 29436 4150852096]@tstsplunk01[28 Jul 16:21:06] ckpSSL_NegotiateStep: current state = before/connect initialization
[ 29436 4150852096]@tstsplunk01[28 Jul 16:21:06] is_initialized: new process or forked
[ 29436 4150852096]@tstsplunk01[28 Jul 16:21:06] CkpRegDir: Environment variable CPDIR is not set.
[ 29436 4150852096]@tstsplunk01[28 Jul 16:21:06] GenerateGlobalEntry: Unable to get registry path
[ 29436 4150852096]@tstsplunk01[28 Jul 16:21:06] CkpRegDir: Environment variable CPDIR is not set.
[ 29436 4150852096]@tstsplunk01[28 Jul 16:21:06] GenerateGlobalEntry: Unable to get registry path
[ 29436 4150852096]@tstsplunk01[28 Jul 16:21:06] CkpRegDir: Environment variable CPDIR is not set.
[ 29436 4150852096]@tstsplunk01[28 Jul 16:21:06] GenerateGlobalEntry: Unable to get registry path
[ 29436 4150852096]@tstsplunk01[28 Jul 16:21:06] CkpRegDir: Environment variable CPDIR is not set.
[ 29436 4150852096]@tstsplunk01[28 Jul 16:21:06] GenerateGlobalEntry: Unable to get registry path
[ 29436 4150852096]@tstsplunk01[28 Jul 16:21:06] rand_add_seedfile: Failed to read seed
[ 29436 4150852096]@tstsplunk01[28 Jul 16:21:06] CkpRegDir: Environment variable CPDIR is not set.
[ 29436 4150852096]@tstsplunk01[28 Jul 16:21:06] GenerateGlobalEntry: Unable to get registry path
[ 29436 4150852096]@tstsplunk01[28 Jul 16:21:06] CkpRegDir: Environment variable CPDIR is not set.
[ 29436 4150852096]@tstsplunk01[28 Jul 16:21:06] GenerateGlobalEntry: Unable to get registry path
[ 29436 4150852096]@tstsplunk01[28 Jul 16:21:06] fwrand_write_seed: Failed to read seed.
[ 29436 4150852096]@tstsplunk01[28 Jul 16:21:06] CkpRegDir: Environment variable CPDIR is not set.
[ 29436 4150852096]@tstsplunk01[28 Jul 16:21:06] GenerateGlobalEntry: Unable to get registry path
[ 29436 4150852096]@tstsplunk01[28 Jul 16:21:06] CkpRegDir: Environment variable CPDIR is not set.
[ 29436 4150852096]@tstsplunk01[28 Jul 16:21:06] GenerateGlobalEntry: Unable to get registry path
[ 29436 4150852096]@tstsplunk01[28 Jul 16:21:06] fwrand_write_seed: Failed to write seed.
[ 29436 4150852096]@tstsplunk01[28 Jul 16:21:06] ckpSSL_NegotiateStep: should retry.
[ 29436 4150852096]@tstsplunk01[28 Jul 16:21:06] ckpSSL_NegotiateStep: current state = SSLv2/v3 read server hello A
[ 29436 4150852096]@tstsplunk01[28 Jul 16:21:06] ckpSSL_NegotiateStep: should retry.
[ 29436 4150852096]@tstsplunk01[28 Jul 16:21:06] ckpSSL_NegotiateStep: current state = SSLv3 read finished A
[ 29436 4150852096]@tstsplunk01[28 Jul 16:21:06] ckpSSL_NegotiateStep:  conncected, used TLSv1/SSLv3 ,ADH-DES-CBC3-SHA (4)
[ 29436 4150852096]@tstsplunk01[28 Jul 16:21:06] Peer DH is:
[ 29436 4150852096]@tstsplunk01[28 Jul 16:21:06] ckpSSL_connected: peer not authenticated
[ 29436 4150852096]@tstsplunk01[28 Jul 16:21:06] ckpSSL_connected: current state: SSL negotiation finished successfully
[ 29436 4150852096]@tstsplunk01[28 Jul 16:21:06] ckpSSL_do_write: write 4 bytes
[ 29436 4150852096]@tstsplunk01[28 Jul 16:21:06] ckpSSL_do_read: read 4 bytes
 I want to exchange keys but 10.29.1.75 don't have a password
[ 29436 4150852096]@tstsplunk01[28 Jul 16:21:06] ckpSSL_fwasync_close: start shutdown
[ 29436 4150852096]@tstsplunk01[28 Jul 16:21:06] sic_client_end_handler: for conn id = 6

Failed to initialize authentication with 10.29.1.75

[ 29436 4150852096]@tstsplunk01[28 Jul 16:21:06] ckpSSL_ShutdownHandler: rc=0 (1) SSL negotiation finished successfully
[ 29436 4150852096]@tstsplunk01[28 Jul 16:21:06] ckpSSL_ShutdownHandler_in_sock: called
[ 29436 4150852096]@tstsplunk01[28 Jul 16:21:06] ckpSSL_ShutdownHandler_in_sock: Received shutdown
[ 29436 4150852096]@tstsplunk01[28 Jul 16:21:06] ckpSSL_ShutdownHandler: state is ckpSSL_St_PeerClosed
[ 29436 4150852096]@tstsplunk01[28 Jul 16:21:06] ckpSSL_Destroy: closed fd 6
[ 29436 4150852096]@tstsplunk01[28 Jul 16:21:06] T_event_mainloop_e: T_event_mainloop_iter returns 0
1 Solution

jgbricker
Contributor

The putkey tool was not needed. I edited the opsec.conf file with the confirmed entity_sic_name (cn=cp_mgmt,o=Manager.mydomain.com.userid) and restarted Splunk to apply the changes. In working with Splunk Support, I requested the following changes to be performed by the Checkpoint admin: please comment out all of the following lines in the Checkpoint fwopsec.conf and restart:

lea_server auth_port 18184

lea_server auth_type ssl_opsec

lea_server port 0

And then please install the database:
Step 6 - Install the database
1. In SmartDashboard, click the Policy menu item.
2. Select Install Database.
3. In the Install Database dialog, select the check box for your Management Server.
4. Click OK.
Check Point installs the database.
5. Click Close on successful database installation.
After these updates the connection was successful and we were able to index Checkpoint.

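As an added example (not code from the post, Splunk or the add-on): a small Python check that parses the add-on's opsec.conf stanza together with the opsec_putkey -debug output, and flags the mismatch between the configured opsec_entity_sic_name and the SIC name the management server actually presented in the handshake, which is the value the accepted answer corrected. The conf stanza and log excerpt below are constructed from the post, and the function names are my own.

```python
import configparser
import re

# Constructed sample of the add-on's opsec.conf stanza, modelled on the one in the post
OPSEC_CONF = """
[checkpoint_Man]
fw_version = 77
lea_server_auth_port = 18184
lea_server_auth_type = sslca
lea_server_ip = 10.29.1.75
opsec_entity_sic_name = "CN=POCGateway2,O=Manager.mydomain.com.userid"
opsec_sic_name = "CN=Splunk,O=Manager.mydomain.com.userid"
opsec_sslca_file = ../certs/opsec.p12
"""

# Constructed excerpt of the opsec_putkey -debug output, modelled on the post
DEBUG_LOG = """
[ 29436 4150852096]@tstsplunk01[28 Jul 16:21:06] call_handlers_list: no conversion done, set cn=cp_mgmt,o=Manager.mydomain.com.userid as sic name
[ 29436 4150852096]@tstsplunk01[28 Jul 16:21:06] ckpSSL_connected: peer not authenticated
Failed to initialize authentication with 10.29.1.75
"""

# The SIC name the server announces during the handshake is logged by call_handlers_list
SIC_NAME_RE = re.compile(r"set (?P<sic>cn=[^ ]+) as sic name", re.IGNORECASE)

def normalize_dn(dn):
    """Compare SIC names as DNs: drop quotes and whitespace, ignore case of types and values."""
    parts = [p.strip() for p in dn.strip().strip('"').split(",")]
    return ",".join(p.lower() for p in parts if p)

def server_sic_name(debug_text):
    """Return the SIC name the management server presented, or None if it was not logged."""
    m = SIC_NAME_RE.search(debug_text)
    return m.group("sic") if m else None

def check_stanza(conf_text, stanza, debug_text):
    """Return a list of findings for one opsec.conf stanza, cross-checked against the debug log."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    s = cp[stanza]
    findings = []
    if s.get("lea_server_auth_type") != "sslca":
        findings.append("lea_server_auth_type is not sslca (the only type the add-on supports)")
    if not s.get("opsec_sslca_file"):
        findings.append("opsec_sslca_file is missing")
    seen = server_sic_name(debug_text)
    configured = s.get("opsec_entity_sic_name", "")
    if seen and normalize_dn(seen) != normalize_dn(configured):
        findings.append(f"opsec_entity_sic_name {configured} does not match server SIC name {seen}")
    if "Failed to initialize authentication" in debug_text:
        findings.append("server refused authentication init; check fwopsec.conf and Install Database")
    return findings
```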
Chubbybunny
Splunk Employee

thumbs up!!!

jgbricker
Contributor

All the credit is owed to Chubbybunny! Thanks again!

Chubbybunny
Splunk Employee

As of late, the Splunk_TA_opseclea_linux22 app only supports 'sslca' authentication. In the debug output above, it appears you are attempting to run the 'opsec_putkey' command which is a requirement for ssl OPSEC authentication and not supported.

You may want to consult with a Splunk Support engineer to discuss your options instead. Please be sure to reference this posting and ask for the Chubbybunny.

jgbricker
Contributor

Okay, thanks for the tip. I have a support case opened but I haven't yet received any feedback (Case#256908). I have been hopping around different configuration guides trying to figure this out and may have lost my way. I checked in the Splunk GUI and within the add-on I have a connection showing with the following error: In handler 'conf-inputs': Could not find object id=script:///opt/splunk/etc/apps/Splunk_TA_opseclea_linux22/bin/lea-loggrabber.sh --configentity checkpoint_Man. Does this point to anything that anyone is aware of?
