Reporting

Can you help me with my checkpoint log export?

mkukan
New Member

Hello all,

I am a novice when it comes to Splunk. I am in the process of building a POC using checkpoint log export feature. I am running R77.30 T338. My goal is to export log from customer CLM to Splunk 7.2.0. Below is my configuration on checkpoint side:

[Expert@mlm11:0] cp_log_export show

name: C1-export domain-server: clm1
           enabled: true
           target-server: 172.16.1.10
           target-port: 4321
           protocol: tcp
           format: splunk
           read-mode: raw

Once this export is restarted, I can see that SYN are being sent to Splunk instance, by looking at the netstat on the MLM server.

However, SYN ack is never sent back so three way handshake cannot complete. When I try simple telnet to this remote port 4321, I do not receive any response either. I guess I am missing something in Splunk configuration. I have set up a new Data input as local tcp on port 4321. I can see that is is listening on it

[splunk@siem1 ~]$ netstat -antp | grep 4321
tcp         0       0 0.0.0.0:4321        0.0.0.0:*           LISTEN 1657/splunkd

From Splunk itself, I am able to connect to this port locally.

Labels (1)
0 Karma

boyanmilushev
Explorer

I had a similar problem.

Our setup is:

CheckPoint Log Server => Splunk Intermediate Heavy Forwarder => Splunk Cloud indexer.

The Intermediate HF was set-up to listen on TCP 514 from limited list of IP addresses (CheckPoint Log Servers).

It didn't work, because you are not allowed to listen on ports below 1024 on Linux if you don't have root privileges. The intermediate HF was sending "Reset" packages to the LogExporter Log server.

After that, I changed the port to 9997, but it didn't work as well, because this port is reserved for Splunk "cooked" data ingestion from Splunk instances.

Finally, I made it work after selecting the port 18188. This port turned-out to be free and not reserved for other apps.

This is example of my inputs.conf on the Heavy Forwarder:

[tcp://1.2.3.4:18188]
host = checkpoint_host_1
sourcetype = cp_log
index = logexporter_index

[tcp://1.2.3.5:18188]
host = checkpoint_host_2
sourcetype = cp_log
index = logexporter_index

[tcp://1.2.3.6:18188]
host = checkpoint_host_3
sourcetype = cp_log
index = logexporter_index

The outputs.conf file is set to send the data to the cloud:

[tcpout]
defaultGroup = splunkcloud

[tcpout:splunkcloud]
server = input_host.splunkcloud.com:9997
compressed = false

Seems like the port number is very important and you cannot select just any random port...

Also you need to check if the traffic is not being blocked on a Firewall device between the Log Server and Splunk instance.

I hope that this info is helpful, because I didn't find anything like that in the CheckPoint Log Exporter documentation. 

0 Karma

ca1bab
New Member

Did you ever resolve this issue? I'm running into the exact same issue currently.

0 Karma
Get Updates on the Splunk Community!

Using Machine Learning for Hunting Security Threats

REGISTER NOW Seeing the exponential hike in global cyber threat spectrum, organizations are now striving more ...

Security Highlights | November 2022 Newsletter

 November 2022 2022 Gartner Magic Quadrant for SIEM: Splunk Named a Leader for the 9th Year in a RowSplunk is ...

Platform Highlights | November 2022 Newsletter

 November 2022 Skill Up on Splunk with our New Builder Tech Talk SeriesCan you build it? Yes you can! *play ...