
Can you help me with my checkpoint log export?


Hello all,

I am a novice when it comes to Splunk. I am in the process of building a POC using the Check Point log export feature. I am running R77.30 T338. My goal is to export logs from a customer CLM to Splunk 7.2.0. Below is my configuration on the Check Point side:

[Expert@mlm11:0] cp_log_export show

name: C1-export domain-server: clm1
           enabled: true
           target-server: 172.16.1.10
           target-port: 4321
           protocol: tcp
           format: splunk
           read-mode: raw

Once this export is restarted, I can see that SYNs are being sent to the Splunk instance by looking at netstat on the MLM server.

However, a SYN-ACK is never sent back, so the three-way handshake cannot complete. When I try a simple telnet to this remote port 4321, I do not receive any response either. I guess I am missing something in the Splunk configuration. I have set up a new Data input as local TCP on port 4321. I can see that it is listening on it:

[splunk@siem1 ~]$ netstat -antp | grep 4321
tcp         0       0 0.0.0.0:4321        0.0.0.0:*           LISTEN 1657/splunkd

From Splunk itself, I am able to connect to this port locally.

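The symptom above (SYN sent, no SYN-ACK, telnet hangs, yet the port is listening on 0.0.0.0 and accepts local connections) is a timeout rather than a refusal, which points at something between the two hosts dropping the SYN rather than at the Splunk input itself. The following probe, added here as an example and not part of the thread, classifies that difference from whatever host sits on the sender's side; the `demo_local` self-check and the loopback listener it creates are constructed for illustration.

```python
import errno
import socket
from typing import Tuple

# Splunk TCP input from the thread (target-server / target-port above).
SPLUNK_HOST = "172.16.1.10"
SPLUNK_PORT = 4321


def probe_tcp(host: str, port: int, timeout: float = 3.0) -> str:
    """Attempt a TCP handshake and classify the outcome.

    'open'        -> SYN-ACK received: the listener is reachable
    'closed'      -> RST received: packets arrive, but nothing is listening
    'filtered'    -> no reply at all: the SYN is dropped by a host or network firewall
    'unreachable' -> no route / host unreachable from this vantage point
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        return "open"
    except socket.timeout:
        return "filtered"
    except OSError as exc:
        if exc.errno == errno.ECONNREFUSED:
            return "closed"
        if exc.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
            return "unreachable"
        raise
    finally:
        sock.close()


def demo_local() -> Tuple[str, str]:
    """Offline self-check: probe a loopback listener, then the same port after it is gone."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))  # constructed stand-in for Splunk's 0.0.0.0:4321
    listener.listen(1)
    port = listener.getsockname()[1]
    while_open = probe_tcp("127.0.0.1", port)
    listener.close()
    after_close = probe_tcp("127.0.0.1", port)
    return while_open, after_close


if __name__ == "__main__":
    # Run from a host on the MLM/CLM side; 'filtered' reproduces the thread's symptom.
    print(f"{SPLUNK_HOST}:{SPLUNK_PORT} -> {probe_tcp(SPLUNK_HOST, SPLUNK_PORT)}")
```

A result of `filtered` from the sender together with `open` from the Splunk host itself is what a host firewall (or an intermediate filter) dropping inbound 4321 looks like, whereas `closed` would mean the packets arrive but the input is not listening.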

Re: Can you help me with my checkpoint log export?


Did you ever resolve this issue? I'm running into the exact same issue currently.
