Hello
I am trying to integrate Checkpoint logs into Splunk using the OPSEC LEA modular input/TA. I notice the error below after configuring the connections and inputs:
2018-05-20 05:53:33,998 +0000 log_level=ERROR, pid=xxxx, tid=Thread-61667, file=ta_opseclea_data_collector.py, func_name=get_logs, code_line_no=75 | [input_name="name" connection="connecitonname" data="xxx"]log_level=0 file:lea_loggrabber.cpp func_name:check_session_end_reason code_line_no:1056 :ERROR: Session end reason: SIC ERROR 147 - SIC Error for lea: Authentication error
I see this error for each of the inputs that is configured.
The setup is:
-- 1 Primary checkpoint Manager
-- 1 Secondary checkpoint Manager
-- 1 reporter manager server
-- multiple gateways
So I presume the certificate should be pulled from the primary manager, and the logs as well, since the manager deals with all the gateways. I did pull the certificate from the primary manager and configured connections.conf for the manager, but the above is the error I see. I couldn't figure out the issue yet. 😞
Did anyone test the Checkpoint OPSEC LEA for Splunk over a distributed architecture that has a manager handling gateways and a reporter server?
I would be glad if anyone can help me with this.
Thanks
Surya Teja
So finally, after much troubleshooting, I figured out the issue was with the configuration on the Checkpoint device.
There are stanzas in fwopsec.conf on Checkpoint at $FWDIR/conf/fwopsec.conf:
lea_server port 12345 --> when a port is assigned here opsec works on clear connections
lea_server auth_port 23456 --> this is what accepts ssl connections (opsec sslca)
So per my troubleshooting, Splunk connects to OPSEC only over SSL and won't work with CLEAR, therefore the lea_server auth_port 23456 stanza should exist in fwopsec.conf. Now, when the auth_port is specified, the type must also be specified in fwopsec.conf, which is lea_server auth_type sslca.
So for clear connections, fwopsec.conf should have:
lea_server port 12345
For sslca, fwopsec.conf should have the stanzas:
lea_server auth_port 23456
lea_server auth_type sslca
If the port is 0 (zero), that type is disabled (e.g. lea_server auth_port 0 means sslca is disabled).
Another thing: I guess OPSEC can only listen on either clear or SSL, but not both at the same time, so make sure lea_server auth_port 23456 and lea_server auth_type sslca exist in fwopsec.conf on Checkpoint, and it works like a pro.
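As an added example (not code from this thread, from Check Point or from the Splunk add-on), the following Python checker reads an fwopsec.conf and reports whether the sslca listener described in the answer above is actually enabled. It assumes the line format shown above (`lea_server <key> <value>`) and the rule that a port of 0 disables that listener; the function names and the constructed sample configs are my own.

```python
"""Check the lea_server stanzas in fwopsec.conf for the OPSEC LEA add-on.

Added example, not part of the original thread. Assumes the line format
shown in the answer:
    lea_server port 12345        (clear-text listener)
    lea_server auth_port 23456   (SSL listener, needs auth_type sslca)
and that a port value of 0 means that listener is disabled.
"""
import re
import sys
from typing import Dict, List

# Matches "lea_server <key> <value>" with optional surrounding whitespace.
_LINE_RE = re.compile(r"^\s*lea_server\s+(\S+)\s+(\S+)\s*$")


def parse_lea_server(text: str) -> Dict[str, str]:
    """Return the lea_server key/value pairs found in fwopsec.conf text.

    Anything after '#' on a line is treated as a comment; lines for other
    OPSEC servers (cpmi_server, sam_server, ...) are ignored.
    """
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0]
        match = _LINE_RE.match(line)
        if match:
            settings[match.group(1)] = match.group(2)
    return settings


def check_lea_server(text: str) -> List[str]:
    """Return findings about the sslca listener; an empty list means it looks usable."""
    settings = parse_lea_server(text)
    findings: List[str] = []

    auth_port = settings.get("auth_port", "0")   # missing == disabled
    auth_type = settings.get("auth_type")

    if auth_port == "0":
        findings.append("sslca is disabled: 'lea_server auth_port' is missing or 0")
    elif auth_type != "sslca":
        findings.append("auth_port is set but 'lea_server auth_type sslca' is missing")
    return findings


# Constructed sample configs for a stand-alone run.
SAMPLE_CLEAR_ONLY = "lea_server port 12345\n"
SAMPLE_SSLCA_DISABLED = "lea_server auth_port 0  # sslca off\n"
SAMPLE_SSLCA_OK = "lea_server auth_port 23456\nlea_server auth_type sslca\n"


def main(argv: List[str]) -> int:
    """Check a real file if a path is given, otherwise the built-in samples."""
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8") as fh:
            samples = {argv[1]: fh.read()}
    else:
        samples = {
            "clear only": SAMPLE_CLEAR_ONLY,
            "sslca disabled": SAMPLE_SSLCA_DISABLED,
            "sslca ok": SAMPLE_SSLCA_OK,
        }
    worst = 0
    for name, text in samples.items():
        findings = check_lea_server(text)
        print(f"{name}: {'OK' if not findings else '; '.join(findings)}")
        worst = max(worst, 1 if findings else 0)
    return worst


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python check_fwopsec.py $FWDIR/conf/fwopsec.conf` on the management server; a non-zero exit code means the SSL listener the add-on needs is not configured as the answer describes.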
If you've got an updated Linux server and you're running the latest add-on, there is a known error with glibc which fails to establish an OPSEC connection and download the certificate. Do you have a valid certificate?
ls -la /opt/splunk/etc/apps/Splunk_TA_checkpoint-opseclea/certs
Check out the add-on release notes for more details.
I worked around this by downgrading my glibc, setting up add-on, then upgrading glibc again.
Best of luck.
Thanks for the comment @milesbrennan
There wasn't an issue pulling the cert. The add-on did fetch the cert; I've created connections.conf and inputs.conf as well, after which I see the SIC 147 error. I also followed the procedure in the Splunk docs to configure the inputs and cert.
Thanks
Yes, it's been done in distributed environments pulling from the primary, etc., as you described.
A quick Google of the error revealed several Checkpoint articles that may apply:
Any of these help?
Tried these, but no luck. I did not find any error related to time though.
I've installed the same on a single-instance setup where there is only one manager handling multiple gateways, and the OPSEC LEA TA works like a pro.
Any more inputs, please? 😐
I'd submit a ticket to Splunk support and escalate through your account rep if necessary. At least you can have that working while more answers come in here... Best of luck!