checkpoint LEA app authentication/config

sonicZ
Contributor

Having some trouble getting my checkpoint LEA connection logs forwarded from our checkpoint device to the LEA forwarder.
Our Network admin has got everything set and provided me with

SIC Name: CN=SPLUNK,O=AUTH-FW-MGR..po4iy7
Entity name: SPLUNK

I've got all the dependencies finally configured on the forwarder host with Splunk 4.3.6. When I configured the app with the above params, I did get prompted for and did receive the cert. It's saved in

/app/splunk/etc/apps/Splunk_TA_opseclea_linux22/certs/checkpoint_cma_auth_fw_mgr.p12

Within the LEA app it shows "Last Connected=Unknown". Looking into splunkd.log shows the following:

05-22-2013 00:59:31.042 +0000 ERROR ExecProcessor - message from "/app/splunk/etc/apps/Splunk_TA_opseclea_linux22/bin/lea-loggrabber.sh --configentity checkpoint_cma_auth_fw_mgr" ERROR: failed to create session (Argument is NULL or lacks some data)

Trying to run the Checkpoint debug steps, doing a

$SPLUNK_HOME/bin/splunk login
and
$SPLUNK_HOME/etc/apps/Splunk_TA_opseclea_linux22/bin/lea-loggrabber-debug.sh --configentity checkpoint_cma_auth_fw_mgr

returns this output

checkpoint_cma_auth_fw_mgr
Using Splunk instance: /app/splunk, app name Splunk_TA_opseclea_linux22
DEBUG: LOGGRABBER configuration file is: /app/splunk/etc/apps/Splunk_TA_opseclea_linux22/bin/fw1-loggrabber.conf
DEBUG: function logging_init_env
DEBUG: function open_screen
DEBUG: Open connection to screen.
DEBUG: Logfilename      : fw.log
DEBUG: Record Separator : |
DEBUG: Resolve Addresses: No
DEBUG: Show Filenames   : No
DEBUG: FW1-2000         : No
DEBUG: Online-Mode      : No
DEBUG: Audit-Log        : No
DEBUG: Show Fieldnames  : Yes
DEBUG: function get_fw1_logfiles
splunk internal call command: $SPLUNK_HOME/bin/splunk _internal call /servicesNS/nobody/Splunk_TA_opseclea_linux22/opsec/opsec_conf/checkpoint_cma_auth_fw_mgr
splunk output: QUERYING: 'https://127.0.0.1:8089/servicesNS/nobody/Splunk_TA_opseclea_linux22/opsec/opsec_conf/checkpoint_cma_auth_fw_mgr'
FAILED: 'HTTP/1.1 401 Unauthorized'
Content: 
<response>
  <messages>
    <msg type="WARN">call not properly authenticated</msg>
  </messages>
</response>


splunkd request failed, 401: 
        $SPLUNK_HOME/bin/splunk _internal call /servicesNS/nobody/Splunk_TA_opseclea_linux22/opsec/opsec_conf/checkpoint_cma_auth_fw_mgr
        QUERYING: 'https://127.0.0.1:8089/servicesNS/nobody/Splunk_TA_opseclea_linux22/opsec/opsec_conf/checkpoint_cma_auth_fw_mgr'
FAILED: 'HTTP/1.1 401 Unauthorized'
Content: 
<response>
  <messages>
    <msg type="WARN">call not properly authenticated</msg>
  </messages>
</response>


ERROR: unable to get splunk lea config arguments
DEBUG: function exit_loggrabber
DEBUG: function free_lfield_arrays
DEBUG: function free_afield_arrays
DEBUG: function free_lfield_arrays
DEBUG: function free_afield_arrays

So based on not seeing a connected status in the UI or splunkd logs, and being unable to verify in the debug connection whether Checkpoint authentication is actually set up properly, I am kind of stuck and not sure where my config fail is.

0 Karma
1 Solution

araitz
Splunk Employee

This app, along with other apps that use scripted inputs requiring credentials (i.e. that use passAuth), requires that your home directory be writable so that we can set an authentication token there. I'll see if we can add this issue to the troubleshooting section of the documentation.

Chubbybunny
Splunk Employee

Yes, it seems the Server DN is incorrect.

DEBUG: Server DN (sic name) : SPLUNK

DEBUG: OPSEC LEA client DN (sic name) : CN=SPLUNK,O=AUTH-FW-MGR..po4iy7

Try configuring it like this instead:

opsec_sic_name "CN=SPLUNK,O=AUTH-FW-MGR..po4iy7"

lea_server opsec_entity_sic_name "cn=cp_mgmt,o==AUTH-FW-MGR..po4iy7"
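The two causes discussed in this thread (a home directory the passAuth token cannot be written to, and a SIC name that is not a full DN) can be checked from the forwarder's shell before running the debug script. The script below is an added example, not part of the Splunk_TA_opseclea add-on; the home directory and SIC names are passed in by the caller, and the DN test only checks the shape of the value (CN and O attributes), not whether the Checkpoint side actually knows it.

```sh
#!/bin/sh
# Added diagnostic for the two failure causes in this thread; not part of
# Splunk_TA_opseclea. Paths and DN values passed in are the caller's.

# The passAuth token (the Splunk CLI keeps it under $HOME/.splunk) needs a
# writable home directory; otherwise "_internal call" comes back 401.
home_writable() {
  [ -d "$1" ] && [ -w "$1" ]
}

# A SIC name must be a full DN, e.g. "cn=cp_mgmt,o=AUTH-FW-MGR..po4iy7".
# A bare name such as "SPLUNK" triggers "illegal DN of sic name" and the
# "Argument is NULL or lacks some data" session failure seen above.
# Accepts an optional surrounding quote pair; attributes are case-insensitive.
looks_like_sic_dn() {
  printf '%s\n' "$1" | grep -Eiq '^"?cn=[^,]+,(.+,)?o=.+"?$'
}

# Run both checks; prints one line per finding and returns non-zero if any
# check fails. Arguments: home directory, server SIC name, client SIC name.
check_lea_prereqs() {
  home="$1"; server_dn="$2"; client_dn="$3"; rc=0
  if home_writable "$home"; then
    echo "ok   home directory $home is writable"
  else
    echo "FAIL home directory $home is not writable (401 from _internal call)"
    rc=1
  fi
  for pair in "server:$server_dn" "client:$client_dn"; do
    role=${pair%%:*}; dn=${pair#*:}
    if looks_like_sic_dn "$dn"; then
      echo "ok   $role SIC name is a DN: $dn"
    else
      echo "FAIL $role SIC name is not a DN: $dn (expect illegal DN error)"
      rc=1
    fi
  done
  return $rc
}

# Example run with the values from this thread (constructed call):
# check_lea_prereqs "$HOME" 'SPLUNK' 'CN=SPLUNK,O=AUTH-FW-MGR..po4iy7'
```

Run it as the user splunkd runs as, since `-w` answers for the current user, not for the Splunk process.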

sonicZ
Contributor

OK, making that change in
Splunk_TA_opseclea_linux22/local/opsec.conf

Would the ENTITY SIC Name on the LEA server have to be renamed to "cn=cp_mgmt,o==AUTH-FW-MGR..po4iy7"?
Right now I think it's just called "SPLUNK" on the LEA side.

0 Karma

sonicZ
Contributor

Some sample logs from lea-loggrabber-debug.sh.
I think these are the important bits; it seems like the problem is with the DN?

(
        :type (opsec_info)
        :lea_server (
                :opsec_entity_sic_name (SPLUNK)
                :auth_type (sslca)
                :auth_port (18184)
                :ip (10.198.148.105)
        )
        :opsec_sslca_file ("../certs/checkpoint_cma_auth_fw_mgr.p12")
        :opsec_sic_name ("CN=SPLUNK,O=AUTH-FW-MGR..po4iy7")
)

[ 27504 4152007472]@pxy15sbo-w1-inf[22 May 18:28:32] Could not find info for ...opsec_shared_local_path...
[ 27504 4152007472]@pxy15sbo-w1-inf[22 May 18:28:32] Could not find info for ...opsec_sic_policy_file...
[ 27504 4152007472]@pxy15sbo-w1-inf[22 May 18:28:32] Could not find info for ...opsec_mt...
[ 27504 4152007472]@pxy15sbo-w1-inf[22 May 18:28:32] opsec_init: multithread safety is not initialized
[ 27504 4152007472]@pxy15sbo-w1-inf[22 May 18:28:32] cpprng_opsec_initialize: path is not initialized - will initialize
[ 27504 4152007472]@pxy15sbo-w1-inf[22 May 18:28:32] cpprng_opsec_initialize: full file name is ops_prng
[ 27504 4152007472]@pxy15sbo-w1-inf[22 May 18:28:32] cpprng_opsec_initialize: dev_urandom_poll returned 0
[ 27504 4152007472]@pxy15sbo-w1-inf[22 May 18:28:32] opsec_file_is_intialized: seed is initialized
[ 27504 4152007472]@pxy15sbo-w1-inf[22 May 18:28:32] cpprng_opsec_initialize: seed init for opsec succeeded
[ 27504 4152007472]@pxy15sbo-w1-inf[22 May 18:28:32] PM_policy_create: version 5301.
[ 27504 4152007472]@pxy15sbo-w1-inf[22 May 18:28:32] PM_policy_add_name_to_group: finished successfully.
[ 27504 4152007472]@pxy15sbo-w1-inf[22 May 18:28:32] PM_policy_set_local_names: () names. finished successfully.
[ 27504 4152007472]@pxy15sbo-w1-inf[22 May 18:28:32] PM_policy_create: finished successfully.
[ 27504 4152007472]@pxy15sbo-w1-inf[22 May 18:28:32] PM_policy_add_name_to_group: finished successfully.
[ 27504 4152007472]@pxy15sbo-w1-inf[22 May 18:28:32] PM_policy_set_local_names: (local_sic_name) names. finished successfully.
[ 27504 4152007472]@pxy15sbo-w1-inf[22 May 18:28:32] PM_policy_add_name_to_group: finished successfully.
[ 27504 4152007472]@pxy15sbo-w1-inf[22 May 18:28:32] PM_policy_set_local_names: (127.0.0.1) names. finished successfully.
[ 27504 4152007472]@pxy15sbo-w1-inf[22 May 18:28:32] PM_policy_add_name_to_group: finished successfully.
[ 27504 4152007472]@pxy15sbo-w1-inf[22 May 18:28:32] PM_policy_set_local_names: ("CN=SPLUNK,O=AUTH-FW-MGR..po4iy7") names. finished successfully.
[ 27504 4152007472]@pxy15sbo-w1-inf[22 May 18:28:32] PM_apply_default_dn: ca_dn = [O=AUTH-FW-MGR..po4iy7].
[ 27504 4152007472]@pxy15sbo-w1-inf[22 May 18:28:32] PM_apply_default_dn: calling PM_policy_DN_conversion ..
[ 27504 4152007472]@pxy15sbo-w1-inf[22 May 18:28:32] PM_apply_default_dn: finished successfully.
[ 27504 4152007472]@pxy15sbo-w1-inf[22 May 18:28:32] ckpSSLctx_New: prefs = 12
[ 27504 4152007472]@pxy15sbo-w1-inf[22 May 18:28:32] CkpRegDir: Environment variable CPDIR is not set.
[ 27504 4152007472]@pxy15sbo-w1-inf[22 May 18:28:32] GenerateGlobalEntry: Unable to get registry path
[ 27504 4152007472]@pxy15sbo-w1-inf[22 May 18:28:32] ckpSSLctx_New: prefs = 12
[ 27504 4152007472]@pxy15sbo-w1-inf[22 May 18:28:32] ckpSSLctx_New: prefs = 32
[ 27504 4152007472]@pxy15sbo-w1-inf[22 May 18:28:32] ckpSSLctx_New: prefs = 11
[ 27504 4152007472]@pxy15sbo-w1-inf[22 May 18:28:32] ckpSSLctx_New: prefs = 31
[ 27504 4152007472]@pxy15sbo-w1-inf[22 May 18:28:32] ckpSSLctx_New: prefs = 12
[ 27504 4152007472]@pxy15sbo-w1-inf[22 May 18:28:32] sslcaInitCP_Ex: using asym client without ca cert
[ 27504 4152007472]@pxy15sbo-w1-inf[22 May 18:28:32] ckpSSLctx_New: prefs = 12
[ 27504 4152007472]@pxy15sbo-w1-inf[22 May 18:28:32] ckpSSLctx_New: prefs = 12
[ 27504 4152007472]@pxy15sbo-w1-inf[22 May 18:28:32] sslcaInitCP_Ex: using asym client without ca cert
[ 27504 4152007472]@pxy15sbo-w1-inf[22 May 18:28:32] ckpSSLctx_New: prefs = 32
[ 27504 4152007472]@pxy15sbo-w1-inf[22 May 18:28:32] ckpSSLctx_New: prefs = 32
[ 27504 4152007472]@pxy15sbo-w1-inf[22 May 18:28:32] sslcaInitCP_Ex: using asym client without ca cert
[ 27504 4152007472]@pxy15sbo-w1-inf[22 May 18:28:32] ckpSSLctx_New: prefs = 11
[ 27504 4152007472]@pxy15sbo-w1-inf[22 May 18:28:32] ckpSSLctx_New: prefs = 11
[ 27504 4152007472]@pxy15sbo-w1-inf[22 May 18:28:32] sslcaInitCP_Ex: using asym client without ca cert
[ 27504 4152007472]@pxy15sbo-w1-inf[22 May 18:28:32] ckpSSLctx_New: prefs = 31
[ 27504 4152007472]@pxy15sbo-w1-inf[22 May 18:28:32] ckpSSLctx_New: prefs = 31
[ 27504 4152007472]@pxy15sbo-w1-inf[22 May 18:28:32] opsec_init_sic_id_internal: Added sic id (ctx id = 0)
    DEBUG: OPSEC LEA conf file is lea.conf
        DEBUG: Authentication mode has been used.
        DEBUG: Server-IP     : 10.198.148.105
        DEBUG: Server-Port     : 18184
        DEBUG: Authentication type: sslca
        DEBUG: OPSEC sic certificate file name : ../certs/checkpoint_cma_auth_fw_mgr.p12
        DEBUG: Server DN (sic name) : SPLUNK
        DEBUG: OPSEC LEA client DN (sic name) : CN=SPLUNK,O=AUTH-FW-MGR..po4iy7
        [ 27504 4152007472]@pxy15sbo-w1-inf[22 May 18:28:32] opsec_init_entity_sic: called for the client side
        [ 27504 4152007472]@pxy15sbo-w1-inf[22 May 18:28:32] Configuring entity lea_server
        [ 27504 4152007472]@pxy15sbo-w1-inf[22 May 18:28:32] Could not find info for ...conn_buf_size...
        [ 27504 4152007472]@pxy15sbo-w1-inf[22 May 18:28:32] Could not find info for ...no_nagle...
        [ 27504 4152007472]@pxy15sbo-w1-inf[22 May 18:28:32] Could not find info for ...port...
        [ 27504 4152007472]@pxy15sbo-w1-inf[22 May 18:28:32] opsec_entity_add_sic_rule: adding rules: apply_to: ME, peer: SPLUNK, d_ip: NULL, dport 18184, svc: lea, method: sslca
        [ 27504 4152007472]@pxy15sbo-w1-inf[22 May 18:28:32] opsec_entity_add_sic_rule: adding INBOUND rule
        [ 27504 4152007472]@pxy15sbo-w1-inf[22 May 18:28:32] opsec_entity_add_sic_rule: adding OUTBOUND rule
        [ 27504 4152007472]@pxy15sbo-w1-inf[22 May 18:28:32] opsec_get_comm: creating comm for ent=8a59bd8  peer=8a59258 passive=0 key=2 info=0
        [ 27504 4152007472]@pxy15sbo-w1-inf[22 May 18:28:32] c=0x8a59bd8 s=0x8a59258 comm_type=4

        [ 27504 4152007472]@pxy15sbo-w1-inf[22 May 18:28:32] Could not find info for ...opsec_client...
        [ 27504 4152007472]@pxy15sbo-w1-inf[22 May 18:28:32] opsec_get_comm: Creating session hash (size=256)
        [ 27504 4152007472]@pxy15sbo-w1-inf[22 May 18:28:32] opsec_get_comm: ADDING comm=0x8a50110 to ent=0x8a59bd8 with key=2
        [ 27504 4152007472]@pxy15sbo-w1-inf[22 May 18:28:32] opsec_env_get_context_id_by_peer_sic_name: illegal DN of sic name: SPLUNK
        [ 27504 4152007472]@pxy15sbo-w1-inf[22 May 18:28:32] OPSEC_SET_ERRNO: err =  4  Argument is NULL or lacks some data (pre =  0)
        [ 27504 4152007472]@pxy15sbo-w1-inf[22 May 18:28:32] opsec_sic_connect: failed to get context id for connection
        [ 27504 4152007472]@pxy15sbo-w1-inf[22 May 18:28:32] opsec_get_comm: error in opsec_sic_connect
        [ 27504 4152007472]@pxy15sbo-w1-inf[22 May 18:28:32] destroying comm 0x8a50110
        [ 27504 4152007472]@pxy15sbo-w1-inf[22 May 18:28:32] Destroying comm 0x8a50110 with 0 active sessions
        [ 27504 4152007472]@pxy15sbo-w1-inf[22 May 18:28:32] pulling dgtype=ffffffff len=-1 to list=0x8a5012c
        [ 27504 4152007472]@pxy15sbo-w1-inf[22 May 18:28:32] REMOVING comm=0x8a50110 from ent=0x8a59bd8 with key=2
        [ 27504 4152007472]@pxy15sbo-w1-inf[22 May 18:28:32] Unable to make session
        ERROR: failed to create session (Argument is NULL or lacks some data)
        DEBUG: function cleanup_fw1_environment
        [ 27504 4152007472]@pxy15sbo-w1-inf[22 May 18:28:32] Destroying entity 1 with 0 active comms
        [ 27504 4152007472]@pxy15sbo-w1-inf[22 May 18:28:32] opsec_destroy_entity_sic: deleting sic rules for entity 0x8a59bd8
        [ 27504 4152007472]@pxy15sbo-w1-inf[22 May 18:28:32] Destroying entity 2 with 0 active comms
        [ 27504 4152007472]@pxy15sbo-w1-inf[22 May 18:28:32] opsec_destroy_entity_sic: deleting sic rules for entity 0x8a59258
        [ 27504 4152007472]@pxy15sbo-w1-inf[22 May 18:28:32] IpcUnMapFile: unmapping file (handle=0x8a4f8d0)
        [ 27504 4152007472]@pxy15sbo-w1-inf[22 May 18:28:32] IpcUnMapFile: unmapping file (handle=0x8a4f9b0)
        [ 27504 4152007472]@pxy15sbo-w1-inf[22 May 18:28:32] IpcUnMapFile: unmapping file (handle=0x8a4fa30)
        [ 27504 4152007472]@pxy15sbo-w1-inf[22 May 18:28:32] IpcUnMapFile: unmapping file (handle=0x8a4fad0)
        [ 27504 4152007472]@pxy15sbo-w1-inf[22 May 18:28:32] IpcUnMapFile: unmapping file (handle=0x8a4fdf0)
        [ 27504 4152007472]@pxy15sbo-w1-inf[22 May 18:28:32] PM_policy_destroy: finished successfully.
        [ 27504 4152007472]@pxy15sbo-w1-inf[22 May 18:28:32] opsec_destroy_sic_id_internal: Destroyed sic id (ctx id=0)
        [ 27504 4152007472]@pxy15sbo-w1-inf[22 May 18:28:32] opsec_env_destroy_sic_id_hash: Destroyed sic id hash
        [ 27504 4152007472]@pxy15sbo-w1-inf[22 May 18:28:32] fwd_env_destroy: env 0x8a341c0 (alloced = 1)
        [ 27504 4152007472]@pxy15sbo-w1-inf[22 May 18:28:32] T_env_destroy: env 0x8a341c0 
        [ 27504 4152007472]@pxy15sbo-w1-inf[22 May 18:28:32] do_fwd_env_destroy:  really destroy 0x8a341c0
        splunk internal call command: $SPLUNK_HOME/bin/splunk _internal call /servicesNS/nobody/Splunk_TA_opseclea_linux22/opsec/entity_health/checkpoint_cma_auth_fw_mgr
        splunk output: QUERYING: 'https://127.0.0.1:8089/servicesNS/nobody/Splunk_TA_opseclea_linux22/opsec/entity_health/checkpoint_cma_auth_fw_mgr'
        HTTP Status: 200.
        Content:
0 Karma

araitz
Splunk Employee

Probably best to open a support case so we can get a diag and if necessary webex.

0 Karma

sonicZ
Contributor

I see some errors with the peer_sic_name: Illegal DN of sicname: SPLUNK.
Trying to paste in these logs but the site's not updating.

0 Karma

sonicZ
Contributor

Thanks Alex, posted debug session logs below. Let me know if this should be a support case 😄

0 Karma

olanandkate
Engager

I'm new to Splunk, so making the home directory writable helps but my home directory is already writable by the process that Splunk is using to run. Is there something else I'm missing?

0 Karma

sonicZ
Contributor

Hmm, odd, running as root. Actually it was not writable... I just chmod'd it.

[root@pxy15sbo-w1-inf local]# ls -la /root
total 2108
drwxr-x---. 4 root root 4096 May 17 16:59 .
dr-xr-xr-x. 23 root root 4096 May 2 23:56 ..

Seeing a lot of connection stuff now.

0 Karma

araitz
Splunk Employee

Is your home directory writable?

0 Karma