Deployment Architecture

LEA Client doesn't connect to Check Point OPSEC LEA Server

d646800
Explorer

I am getting the errors below when i try to made a new connection to a checkpoint log server

my opsec.log
2015-06-25 03:25:04,408 [ERROR] [] params: {'model': u'{"opsec_host":"10.95.3.6","conn_name":"tcxf2-lon_primary","opsec_app_name":"SplunkLea","opsec_key":"$91u^k15"}'}
2015-06-25 03:25:27,508 [ERROR] [] params: {'model': u'{"opsec_host":"10.95.3.6","conn_name":"tcxf2-lon_primary","opsec_app_name":"SplunkLea","opsec_key":"$91u^k15"}'}

i went through the system requirement and installed the latest pam and glibc but that did not resolve my issue. not sure what am i missing

http://docs.splunk.com/Documentation/OPSEC-LEA/3.0.0/Install/Systemrequirements

[splunk@pucu-spf-44 bin]$ /opt/splunk/etc/apps/Splunk_TA_opseclea_linux22/bin/pull-cert.sh
unknown parameter ../certs/

CheckPoint 2001. Getting an object's certificate. Works once per certificate.

Usage: opsec_pull_cert -h host -n object-name -p passwd [-o cert_file] [-od dn_file]
-p is the one-time-password given in the SmartDashboard when defining this entity.
-o is for the output certificate file. default is "($OPSECDIR/)opsec.p12".
-od is for the output sic name (one line text file).
A relative path filename will be concatenated to OPSECDIR env variable (if exists).

0 Karma

Chubbybunny
Splunk Employee
Splunk Employee

had a similar issue the other week, and was able to resolve it by installing the Check Point database after creating the SplunkLEA OPSEC app.

0 Karma

splunker12er
Motivator

Did u provide the below details correctly, to pull a certificate

  1. Type the OPSEC App Name, for example SplunkLEA
  2. Type the One-time Password
  3. Type the Management Server IP address.

eg:
Connection name : LEA10.95.3.6
Log Server IP : 10.95.3.6
Log Server Port ; 18184
Verion : choose you device version

Once , pulled the certificate, it is stored under the .p12 file.

Note: If you receive an error message, this might be because you are attempting to pull the same certificate for the same Connection Name, using an invalid password or IP address, or the connection to the server is down. For additional error details, see $SPLUNK_HOME/var/log/splunk/web_service.log.

0 Karma

splunker12er
Motivator

Hope , you are using heavy forwarder installed with "Splunk add-on for checkpoint OPSEC lea"

are you able to successfully create a new connection entry in the app "Splunk add-on for checkpoint OPSEC lea" ?

Provide the SIC Name & Entity SIC name correctly , while you add a new connection instance. On successful creation , you will see the Last Updated column getting populated with latest time

0 Karma

d646800
Explorer

yes, heavy forwarder for sure

this is the error when i try to create new connection- it does not even create the connection sucessfully. i use "i need to get new certificates" so i am not being asked to enter SIC Name & Entity SIC name

0 Karma
.conf21 Now Fully Virtual!
Register for FREE Today!

We've made .conf21 totally virtual and totally FREE! Our completely online experience will run from 10/19 through 10/20 with some additional events, too!