We are following exactly the documentation provided with "OPSEC LEA for Checkpoint (Linux)" App.
The step Retrieve FW1 authentication key does not work:
splunk@syyyyyy:~/etc/apps/lea-loggrabber-splunk/opsec-tools/linux22$ ./opsec_putkey -debug -ssl -port 18184 x.x.x.x
(debug output here)
My question relates to the configuration on the LEA Management Server in $FWDIR/conf/opsec.conf
The documentation says:
2. Edit $FWDIR/conf/fwopsec.conf and add the following lines:
lea_server auth_port 18184
lea_server auth_type ssl_opsec
On a Checkpoint R71 release in fwopsec.conf you can find the (commented) defaults:
# The VPN-1/FireWall-1 default settings are:
# lea_server auth_port 18184
# lea_server port 0
As the parameters mentioned in the App's documentation seem to be the defaults, we did not touch anything here.
Another Splunk customer with Checkpoint R71 also had these problems and changed the fwopsec.conf like this:
lea_server auth_port 18184
lea_server port 0
lea_server auth_type ssl_opsec
The question is whether we have to enable these parameters for successful execution of opsec_putkey on the Splunk instance, even if the defaults have the same values?
If yes, is this a temporary configuration for the key retrieval or does it have to be permanent?
Unfortunately we cannot play around and cpstop/cpstart our Checkpoint Management instance...
Has anybody already implemented the lea-loggrabber App successfully on R70 or higher and can share experiences on how to successfully pass this step?
Thanks a lot!
I successfully implemented the lea-loggrabber app on several R7* Check Point firewalls.
If you follow the supplied documentation it should work out of the box; a couple of notes below:
You have to enable the lea_server settings. In the original post, you have to remove the line with port 0, so leave just the following two lines in the configuration file:
lea_server auth_port 18184
lea_server auth_type ssl_opsec
This basically tells Check Point to start the lea server.
Also, you have to add a rule which explicitly allows the Splunk server to connect to the LEA port on the Smartcenter box. If you don't do that Splunk will not be able to connect.
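As an added example (not from the App's documentation or from any poster in this thread), here is a small Python checker that reads fwopsec.conf text the way the answer above implies: it ignores the commented defaults quoted in the question, requires the two active lea_server lines the answer gives, and flags the "lea_server port 0" line the answer says to remove. The two sample configurations are constructed for the example.

```python
# Settings the answer above says must be active (uncommented) in
# $FWDIR/conf/fwopsec.conf for opsec_putkey and LEA over SSL to work.
REQUIRED = {"auth_port": "18184", "auth_type": "ssl_opsec"}
# The answer says to drop this line from the configuration.
DISCOURAGED = {"port": "0"}

def parse_lea_settings(text):
    """Return the active (uncommented) lea_server settings as {key: value}.
    A line like '# lea_server auth_port 18184' only documents a default."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop full-line and trailing comments
        parts = line.split()
        if len(parts) == 3 and parts[0] == "lea_server":
            settings[parts[1]] = parts[2]
    return settings

def check_fwopsec(text):
    """Return findings; an empty list means the file matches the answer."""
    active = parse_lea_settings(text)
    findings = []
    for key, want in REQUIRED.items():
        got = active.get(key)
        if got is None:
            findings.append("missing active line: lea_server %s %s" % (key, want))
        elif got != want:
            findings.append("lea_server %s is %s, expected %s" % (key, got, want))
    for key, val in DISCOURAGED.items():
        if active.get(key) == val:
            findings.append("remove line: lea_server %s %s" % (key, val))
    return findings

# Constructed sample mirroring the commented R71 defaults quoted in the
# question: nothing is active, so the LEA server is not configured.
SAMPLE_DEFAULTS = """\
# The VPN-1/FireWall-1 default settings are:
# lea_server auth_port 18184
# lea_server port 0
"""

# Constructed sample matching the answer's working configuration.
SAMPLE_WORKING = """\
lea_server auth_port 18184
lea_server auth_type ssl_opsec
"""

if __name__ == "__main__":
    for name, cfg in (("defaults", SAMPLE_DEFAULTS), ("working", SAMPLE_WORKING)):
        print(name, check_fwopsec(cfg) or "OK")
```

Run it against a copy of your own fwopsec.conf contents to see whether the lines are really active or merely present as comments.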
Seeing the same problems here (R71 on Windows)
Same failure regarding opsec_putkey. However, I did not notice any of your errors regarding a nonexistent CPDIR. I sense that the following lines indicate the problem:
Is this sic_client_negotiate_auth_method the same as the auth_type that should have gone into the opsec.conf??
Sorry if the text got somewhat mangled by the messageboard.
Any clues or workarounds appreciated.
UPDATE: if I had followed the instructions to the letter - everything would have worked much sooner. The problem is that the fwopsec.conf file did explicitly say that the only valid parameters were auth_port and port. Naturally I should have disregarded this and boldly added the auth_type as well....
Kristian