Checkpoint OPSEC log collection Error

suryavicky21
Explorer

Hello

I am trying to integrate Checkpoint logs into Splunk using the OPSEC LEA modular input/TA. I notice the below error post configuring the connections and inputs:

2018-05-20 05:53:33,998 +0000 log_level=ERROR, pid=xxxx, tid=Thread-61667, file=ta_opseclea_data_collector.py, func_name=get_logs, code_line_no=75 | [input_name="name" connection="connecitonname" data="xxx"]log_level=0 file:lea_loggrabber.cpp func_name:check_session_end_reason code_line_no:1056 :ERROR: Session end reason: SIC ERROR 147 - SIC Error for lea: Authentication error

I see this error for each of the inputs that is configured.
The setup is:
-- 1 Primary checkpoint Manager
-- 1 Secondary checkpoint Manager
-- 1 reporter manager server
-- multiple gateways

So I presume the certificate shall be pulled from the primary manager and the logs as well, as the manager deals with all the gateways. I did pull the certificate from the primary manager and configured the connections.conf for the manager, but above is the error I see. Couldn't figure out yet the issue to fix. 😞

Did anyone test the Checkpoint OPSEC LEA for Splunk over a distributed architecture that has a manager handling gateways and a reporter server?

I would be glad if anyone can help me on this.

Thanks
Surya Teja

0 Karma

suryavicky21
Explorer

So finally, after so much troubleshooting, I figured out the issue was with configurations on the Checkpoint device.

There are stanzas in the fwopsec.conf on Checkpoint at $FWDIR/conf/fwopsec.conf:

lea_server port 12345 --> when a port is assigned here opsec works on clear connections
lea_server auth_port 23456 --> this is what accepts ssl connections (opsec sslca)

So per my troubleshooting, Splunk connects to Opsec only on SSL and won't work with CLEAR, therefore the lea_server auth_port 23456 stanza should exist in fwopsec.conf. Now when the auth_port is mentioned, the type shall be mentioned in the fwopsec.conf, which is lea_server auth_type sslca.

So for clear connections the fwopsec.conf should have
lea_server port 12345

For sslca the fwopsec.conf should have stanzas
lea_server auth_port 23456
lea_server auth_type sslca

If the port is 0 (zero), that means that type is disabled (e.g. lea_server auth_port 0 means sslca is disabled).

Another thing, I guess Opsec can only listen either on clear or SSL but not both at the same time, so make sure lea_server auth_port 23456 and lea_server auth_type sslca exist in fwopsec.conf on Checkpoint and it works like a pro.


0 Karma
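
The fwopsec.conf rules from the accepted answer above, written as a small check. This is an added example, not part of the original thread or of Check Point's or Splunk's tooling; it assumes `#` starts a comment and reports a directive that is absent from the file as "not set" instead of guessing a default.

```python
# Added example (not from the original thread): audit lea_server lines in fwopsec.conf.
# Assumptions: '#' starts a comment; a directive absent from the file is reported as
# "not set" rather than guessed at.

def parse_lea_server(conf_text):
    """Return {directive: value} for each active 'lea_server <directive> <value>' line."""
    settings = {}
    for raw in conf_text.splitlines():
        parts = raw.split("#", 1)[0].split()
        if len(parts) >= 3 and parts[0] == "lea_server":
            settings[parts[1]] = parts[2]
    return settings

def port_state(settings, key):
    """None if the directive is not set, otherwise the port as int (0 means disabled)."""
    value = settings.get(key)
    if value is None:
        return None
    if not value.isdigit():
        raise ValueError(f"lea_server {key}: not a port number: {value!r}")
    return int(value)

def audit_lea(conf_text):
    """List the problems that would stop an sslca-only LEA client from connecting."""
    s = parse_lea_server(conf_text)
    auth_port, clear_port = port_state(s, "auth_port"), port_state(s, "port")
    findings = []
    if auth_port is None:
        findings.append("auth_port not set: add 'lea_server auth_port <port>'")
    elif auth_port == 0:
        findings.append("auth_port is 0: sslca listener disabled")
    if auth_port and s.get("auth_type") != "sslca":
        findings.append("auth_port set without 'lea_server auth_type sslca'")
    if clear_port:
        findings.append(f"clear-text listener enabled on port {clear_port}")
    return findings

# Constructed sample files, using the port numbers from the post.
CLEAR_ONLY = "lea_server port 12345\n"
SSLCA = "# lea_server port 0\nlea_server auth_port 23456\nlea_server auth_type sslca\n"
HALF_DONE = "lea_server auth_port 23456\n"

if __name__ == "__main__":
    for name, text in [("clear only", CLEAR_ONLY), ("sslca", SSLCA), ("half done", HALF_DONE)]:
        print(name, "->", audit_lea(text) or "ok")
```

An empty list means the file carries both sslca lines and no clear-text listener, which is the state the answer describes as working with the Splunk add-on.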

milesbrennan
Path Finder

If you've got an updated Linux server and you're running the latest add-on, there is a known error with glibc which fails to establish an OPSEC connection and download the certificate. Do you have a valid certificate?

ls -la /opt/splunk/etc/apps/Splunk_TA_checkpoint-opseclea/certs

Check out the add-on release notes for more details.

I worked around this by downgrading my glibc, setting up add-on, then upgrading glibc again.

Best of luck.

0 Karma

suryavicky21
Explorer

Thanks for the comment @milesbrennan.
There wasn't an issue pulling the cert. The add-on did fetch the cert, I've created the connection.conf and inputs.conf as well, post which I see the SIC 147 error. Also, I followed the procedure mentioned at Splunk docs to configure the inputs and cert.

Thanks

0 Karma

jkat54
SplunkTrust

Yes, it’s been done in distributed environments pulling from the primary, etc., as you described.

A quick Google of the error revealed several Checkpoint articles that may apply:

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

Any of these help?

0 Karma

suryavicky21
Explorer

Tried these, but no luck. I did not find any error related to time though.
I've installed the same on a single instance setup where there is only one manager handling multiple gateways, and the OPSEC LEA TA works like a pro.

Any more inputs, please 😐

0 Karma

jkat54
SplunkTrust

I’d submit a ticket to splunk for support and escalate through your account rep if necessary. At least you can have that working while more answers come in here... Best of luck!

0 Karma