Installation

Checkpoint OPSEC log collection Error

suryavicky21
Explorer

Hello

I am trying to integrate Checkpoint logs into Splunk using the OPSEC LEA modular input/TA. I notice the below error post configuring the connections and inputs

2018-05-20 05:53:33,998 +0000 log_level=ERROR, pid=xxxx, tid=Thread-61667, file=ta_opseclea_data_collector.py, func_name=get_logs, code_line_no=75 | [input_name="name" connection="connecitonname" data="xxx"]log_level=0 file:lea_loggrabber.cpp func_name:check_session_end_reason code_line_no:1056 :ERROR: Session end reason: SIC ERROR 147 - SIC Error for lea: Authentication error

I see this error for each of the inputs that is configured.
the setup is
-- 1 Primary checkpoint Manager
-- 1 Secondary checkpoint Manager
-- 1 reporter manager server
-- multiple gateways

So i presume the certificate shall be pulled from the primary manager and the logs as well, as manager deals with all the gateways. I did pull the certificate from primary manager and configured the connections.conf for manager, but above is the error i see. Couldn't figure out yet the issue to fix. 😞

Did anyone test the Checkpoint OPSEC LEA for splunk over distributed architecture that has a manager handling gateways and a reporter server.

I would be glad if anyone can help me on this.

Thanks
Surya Teja

Tags (1)
0 Karma
1 Solution

suryavicky21
Explorer

So finally after so much troubleshooting i figured out the issue was with configurations on the Checkpoint device

there are stanzas in the fwopsec.conf on Checkpoint at $FWDIR/conf/fwopsec.conf

lea_server port 12345 --> when a port is assigned here opsec works on clear connections
lea_server auth_port 23456 --> this is what accepts ssl connections (opsec sslca)

So per my troubleshooting Splunk connects to Opsec only on SSL and wont work with CLEAR, therefore the lea_server auth_port 23456 stanza should exist in fwopsec.conf, Now when the auth_port is mentioned the type shall be mentioned in the fwopsec.conf which is lea_server auth_type sslca

so for clear connections the fwopsec.conf should have
lea_server port 12345

For sslca the fwopsec.conf should have stanzas
lea_server auth_port 23456
lea_server auth_type sslca

If the port is 0(Zero) that means that type is disabled (Ex: lea_server auth_port 0 means sslca is disabled)

Another thing, i guess Opsec can only listen either on clear or SSL but not both at same time, so make sure lea_server auth_port 23456 and lea_server auth_type sslca exists in fwopsec.conf on checkpoint and it works like pro ;

View solution in original post

0 Karma

suryavicky21
Explorer

So finally after so much troubleshooting i figured out the issue was with configurations on the Checkpoint device

there are stanzas in the fwopsec.conf on Checkpoint at $FWDIR/conf/fwopsec.conf

lea_server port 12345 --> when a port is assigned here opsec works on clear connections
lea_server auth_port 23456 --> this is what accepts ssl connections (opsec sslca)

So per my troubleshooting Splunk connects to Opsec only on SSL and wont work with CLEAR, therefore the lea_server auth_port 23456 stanza should exist in fwopsec.conf, Now when the auth_port is mentioned the type shall be mentioned in the fwopsec.conf which is lea_server auth_type sslca

so for clear connections the fwopsec.conf should have
lea_server port 12345

For sslca the fwopsec.conf should have stanzas
lea_server auth_port 23456
lea_server auth_type sslca

If the port is 0(Zero) that means that type is disabled (Ex: lea_server auth_port 0 means sslca is disabled)

Another thing, i guess Opsec can only listen either on clear or SSL but not both at same time, so make sure lea_server auth_port 23456 and lea_server auth_type sslca exists in fwopsec.conf on checkpoint and it works like pro ;

0 Karma

milesbrennan
Path Finder

If you're got an updated Linux server and you're running the latest add-on, there is a known error with glibc which fails to establish an OPSEC connected and download the certificate. Do you have a valid certificate?

ls -la /opt/splunk/etc/apps/Splunk_TA_checkpoint-opseclea/certs

Checkout the add-on release notes for more details.

I worked around this by downgrading my glibc, setting up add-on, then upgrading glibc again.

Best of luck.

0 Karma

suryavicky21
Explorer

Thanks for the comment @milesbrennan
there wasn't an issue pulling the cert. Add-on did fetch the cert, i've created the connection.conf and inputs.conf as well post which i see the SIC 147 error. Also i followed the procedure mentioned at Splunk docs to configure the inputs and cert

Thanks

0 Karma

jkat54
SplunkTrust
SplunkTrust

Yes it’s been done in distributed environments pulling from the primary, etc as you described.

A quick google of the error revealed several checkpoint articles that may apply:

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

Any of these help?

0 Karma

suryavicky21
Explorer

tried these, but no luck. I did not find any error related to time though.
I've installed the same on a single instance setup where there is only one manager handling multiple gateways, and the OPSEC LEA TA works like pro

any more inputs please 😐

0 Karma

jkat54
SplunkTrust
SplunkTrust

I’d submit a ticket to splunk for support and escalate through your account rep if necessary. At least you can have that working while more answers come in here... Best of luck!

0 Karma
Get Updates on the Splunk Community!

Get Inspired! We’ve Got Validation that Your Hard Work is Paying Off

We love our Splunk Community and want you to feel inspired by all your hard work! Eric Fusilero, our VP of ...

What's New in Splunk Enterprise 9.4: Features to Power Your Digital Resilience

Hey Splunky People! We are excited to share the latest updates in Splunk Enterprise 9.4. In this release we ...

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

WATCH NOW!The Splunk Guide to Risk-Based Alerting is here to empower your SOC like never before. Join Haylee ...