Checkpoint R75.40 and OPSEC LEA

Explorer

I've been trying to get the OPSEC LEA loggrabber working with my Splunk (v4.3.2) and Checkpoint (R75.40). I've followed the instructions in OPSEC LEA for Checkpoint. I've installed the app on the forwarder successfully and have set up the OPSEC object in Checkpoint, along with the bits to enable the LEA server. However, when I try to retrieve the OPSEC certificate using opsecpullcert, this fails. I can see in the Checkpoint logs that the connection is being attempted, but the Checkpoint server doesn't seem to respond to the certificate request.

Can anyone tell me if I've missed something? Do I need to enable something in Checkpoint to tell it to respond to certificate downloads or something like that?

1 Solution

Explorer

Just to complete the thread, I've now solved the problem. It turned out to not be a problem with either Splunk or Checkpoint, but was a routing issue in the network. The routing has now been fixed and the OPSEC components are now communicating.
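The outcome above (the management server logs an inbound attempt, but the forwarder never gets a reply) is the classic signature of a one-way route, and it is cheap to confirm before touching Splunk or Check Point configuration. The following reachability check is an added example and is not code from the original thread, the Splunk app or Check Point; it assumes the Check Point default service ports (18210 for the certificate pull, 18184 for LEA) were not changed, and the function names are my own.

```python
import errno
import socket
import sys

# Default TCP ports of the two OPSEC services involved in the thread.
# These are Check Point's standard service objects; the assumption is
# that the defaults were not changed on the management server.
OPSEC_PORTS = {
    "FW1_ica_pull (opsec_pull_cert)": 18210,
    "FW1_lea (LEA log export)": 18184,
}


def check_tcp(host, port, timeout=5.0):
    """Attempt one TCP connect and classify the outcome.

    Returns "open", "refused", "timeout", "unreachable" or "error".
    A "timeout"/"unreachable" verdict while the management server's own
    logs show the inbound attempt means the SYN arrives but the reply
    never makes it back: asymmetric routing or a filter in the return
    path, which is exactly what the thread's solution turned out to be.
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        return "open"
    except socket.timeout:          # no SYN-ACK within the timeout
        return "timeout"
    except ConnectionRefusedError:  # host answered with RST: reachable, nothing listening
        return "refused"
    except OSError as exc:          # ICMP host/network unreachable from a router
        if exc.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
            return "unreachable"
        return "error"
    finally:
        sock.close()


def check_opsec_reachability(host, ports=OPSEC_PORTS, timeout=5.0):
    """Probe every OPSEC service port and return {service: verdict}."""
    return {name: check_tcp(host, port, timeout) for name, port in ports.items()}


def interpret(results):
    """Turn the per-port verdicts into a short troubleshooting hint."""
    pull = results["FW1_ica_pull (opsec_pull_cert)"]
    lea = results["FW1_lea (LEA log export)"]
    if pull == "open" and lea == "open":
        return "both OPSEC ports reachable; check the SIC name and activation key next"
    if pull == "open":
        return "certificate pull reachable but LEA is not: verify the LEA server is enabled on the management object"
    if pull in ("timeout", "unreachable"):
        return "no reply on the certificate-pull port: check routing in both directions and any filter on the return path"
    if pull == "refused":
        return "host reachable but nothing listening on 18210: check that the certificate-pull service is running"
    return "unexpected result: %r" % (results,)


def main(argv):
    if len(argv) != 2:
        print("usage: %s <checkpoint-management-host>" % argv[0])
        return 2
    results = check_opsec_reachability(argv[1])
    for name, verdict in results.items():
        print("%-32s %s" % (name, verdict))
    print(interpret(results))
    return 0 if all(v == "open" for v in results.values()) else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it from the forwarder, not from an administrator's workstation: the point is to test the path the Splunk host actually uses. A clean "open" on both ports moves the investigation to SIC and the OPSEC object; a timeout on both with an attempt visible in the Check Point logs is the routing case from this thread.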

Explorer

I played a lot with Checkpoint integration... and to be honest, it does NOT work at all!!!

Even though Splunk says they support OPSEC LEA for Checkpoint, it's wrong. For more than 2 years they haven't updated anything. Loggrabber is old and nobody maintains it.

If I can recommend something, and if you have an enterprise license, please ask Splunk support about Checkpoint integration... maybe one day they will do something.

Good luck!


Splunk Employee

I downvoted this post because the app works.


Splunk Employee

@ysouchon: Check Point integration does work. Can you provide me with a support case number from the time you worked with splunk> support? I can provide you with additional help to get it working properly in your environment.
