Has anyone successfully used the FWN1 auth method instead of the SSL one?
I'm asking because it could be complicated to stop CheckPoint Manager in a production environment to modify the fwopsec.conf file.
Thanks for your help.
OK, to have this working, on the Splunk forwarder you need to retrieve the key by executing the following command.
opsec_putkey -port 18184 <Source IP address of checkpoint box>
You should get the authkeys.C file. Copy this file to the $SPLUNK_HOME/etc/apps/lea-loggrabber-splunk/bin/ directory.
Modify the lea.conf file to change "lea_server auth_type ssl_opsec" to "lea_server auth_type auth_opsec".
Restart the Splunk forwarder. Now you should receive events from CheckPoint.
Note this is valid for pre-2.0.0 versions of Splunk OPSEC LEA integration.
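A check to run before restarting the forwarder, as an added example that is not part of the original posts or of the Splunk app: it confirms that lea.conf has exactly one active "lea_server auth_type" line set to auth_opsec and that authkeys.C is present in the directory given. The function name, its two path arguments and the permission test on the key file are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the thread): verify the auth_opsec switch before restart.
#   $1  path to lea.conf (supplied by the caller; its location is not assumed)
#   $2  directory that should hold authkeys.C (the app's bin/ directory)
# Returns 0 if the setup matches the steps above, 1 on a failed check,
# 2 if lea.conf cannot be read.
check_lea_auth() {
    conf=$1
    key=$2/authkeys.C
    rc=0

    [ -r "$conf" ] || { echo "FAIL: cannot read $conf" >&2; return 2; }

    # Active (uncommented) "lea_server auth_type <value>" entries; a trailing
    # CR is stripped in case the file was edited on Windows.
    types=$(awk '$1 == "lea_server" && $2 == "auth_type" {
                     sub(/\r$/, "", $3); print $3 }' "$conf")
    count=$(printf '%s\n' "$types" | grep -c . || true)

    if [ "$count" -ne 1 ]; then
        echo "FAIL: expected one lea_server auth_type line, found $count" >&2
        rc=1
    elif [ "$types" != "auth_opsec" ]; then
        echo "FAIL: auth_type is '$types', not auth_opsec" >&2
        rc=1
    fi

    if [ ! -s "$key" ]; then
        echo "FAIL: $key is missing or empty" >&2
        rc=1
    else
        # Assumption of this example: the file holds the key fetched by
        # opsec_putkey, so group and other should have no access to it.
        mode=$(ls -ld "$key" | cut -c5-10)
        if [ "$mode" != "------" ]; then
            echo "FAIL: $key is accessible to group/other" >&2
            rc=1
        fi
    fi

    if [ "$rc" -eq 0 ]; then
        echo "OK: auth_opsec configured, key file present"
    fi
    return "$rc"
}
```

Source the file and call `check_lea_auth <path to lea.conf> <bin directory>`; a leftover ssl_opsec line, a duplicate auth_type entry or a missing key file each produce a FAIL message on stderr.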