Getting Data In

Checkpoint R75.40 and OPSEC LEA

pajohnston
Explorer

I've been trying to get the OPSEC LEA loggrabber working with my Splunk (v4.3.2) and Checkpoint (R75.40). I've followed the instructions in OPSEC LEA for Checkpoint. I've installed the app on the forwarder successfully and have set up the OPSEC object in Checkpoint, along with the bits to enable the LEA server. However, when I try to retrieve the OPSEC certificate using opsec_pull_cert, this fails. I can see in the Checkpoint logs that the connection is being attempted, but the Checkpoint server doesn't seem to respond to the certificate request.

Can anyone tell me if I've missed something? Do I need to enable something in Checkpoint to tell it to respond to certificate downloads or something like that?

1 Solution

pajohnston
Explorer

Just to complete the thread, I've now solved the problem. It turned out to not be a problem with either Splunk or Checkpoint, but was a routing issue in the network. The routing has now been fixed and the OPSEC components are now communicating.

ysouchon
Explorer

I played a lot with Checkpoint integration... and to be honest, it does NOT work at all!!!

Even though Splunk says that they support OPSEC LEA for Checkpoint, it's wrong. They haven't updated anything in more than 2 years. Loggrabber is old and nobody maintains it.

If I can recommend something, and if you have an enterprise license, please ask and ask Splunk support about Checkpoint integration... maybe one day they will do something.

Good luck!

0 Karma

georgen_splunk
Splunk Employee

I downvoted this post because the app works.

0 Karma

Chubbybunny
Splunk Employee

@ysouchon: Check Point integration does work. Can you provide me with a support case number from the time you worked with splunk> support? I can provide you with additional help to get it working properly in your environment.

0 Karma