Opsec LEA with Checkpoint R71 - opsec_putkey failing

meno
Path Finder

We are following exactly the documentation provided with "OPSEC LEA for Checkpoint (Linux)" App.

The step Retrieve FW1 authentication key does not work:

splunk@syyyyyy:~/etc/apps/lea-loggrabber-splunk/opsec-tools/linux22$ ./opsec_putkey -debug -ssl -port 18184 x.x.x.x

(debug output here)

My question relates to the configuration on the LEA Management Server in $FWDIR/conf/opsec.conf

The documentation says:

2. Edit $FWDIR/conf/fwopsec.conf and add the following lines:
lea_server auth_port 18184
lea_server auth_type ssl_opsec

On a Checkpoint R71 release in fwopsec.conf you can find the (commented) defaults:

# The VPN-1/FireWall-1 default settings are:
#  lea_server  auth_port  18184
#  lea_server  port  0

As the parameters mentioned in the App's documentation seem to be the defaults, we did not touch anything here.

Another Splunk customer with Checkpoint R71 also had these problems and changed the fwopsec.conf like this:

lea_server  auth_port   18184
lea_server  port       0
lea_server  auth_type  ssl_opsec

The question is whether we have to enable these parameters for opsec_putkey to execute successfully on the Splunk instance, even if the defaults have the same values?

If yes, is this a temporary configuration for the key retrieval or does it have to be permanent?
Unfortunately we cannot play around and cpstop/cpstart our Checkpoint Management instance...

Did anybody already implement the lea-loggrabber App successfully on R70 or higher and can share experiences on how to successfully pass this step?
Thanks a lot!


bojanz
Communicator

I successfully implemented the lea-loggrabber app on several R7* Check Point firewalls.
If you follow the supplied documentation it should work out of the box; a couple of notes below:

You have to enable the lea_server settings. In the original post, you have to remove the line with port 0, so leave just the following two lines in the configuration file:

lea_server  auth_port   18184
lea_server  auth_type  ssl_opsec

This basically tells Check Point to start the lea server.

Also, you have to add a rule which explicitly allows the Splunk server to connect to the LEA port on the Smartcenter box. If you don't do that Splunk will not be able to connect.

kristian_kolb
Ultra Champion

Seeing the same problems here (R71 on Windows)

  • no $FWDIR/conf/opsec.conf, but there is a c:/Windows/FW-1/conf/fwopsec.conf (backslashes not allowed here?)
  • auth_type not an allowed option according to above mentioned fwopsec.conf
  • auth_port and port defaults to 18184 and 0, respectively in fwopsec.conf (no changes made by us)
  • The opsec.p12 file was retrieved successfully
  • We did NOT enable any FW_ica_pull or FW_lea rules, since the Splat and Splunk are on the same side of the firewall. (should those rules be applied anyway?)
  • Same failure regarding opsec_putkey. However, I did not notice any of your errors regarding a nonexistent CPDIR. I sense that the following lines indicate the problem:

    • [8739]@s000730 PM_policy_choose: finished successfully. choose: DENY.
    • [8739]@s000730 policy_choose: choose failed.
    • [8739]@s000730 sic_client_negotiate_auth_method: policy choose failed.
    • [8739]@s000730 fwasync_mux_in: 8: handler returned with error

Is this sic_client_negotiate_auth_method the same as the auth_type that should have gone into the opsec.conf??
Sorry if the text got somewhat mangled by the messageboard.

Any clues or workarounds appreciated.

UPDATE: if I had followed the instructions to the letter - everything would have worked much sooner. The problem is that the fwopsec.conf file did explicitly say that the only valid parameters were auth_port and port. Naturally I should have disregarded this and boldly added the auth_type as well....

Kristian

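Both answers above come down to the same point: the lines in the shipped fwopsec.conf are commented defaults, and commented lines do not start the LEA server; the two lea_server lines have to be present as active (uncommented) entries. The following POSIX shell script is an added example, not part of the lea-loggrabber app or of any poster's configuration. It parses a fwopsec.conf and reports which of the required entries are missing or still commented out, following bojanz's note that the "port 0" line should be removed. The two sample files it writes are constructed for the example; the "__fixed__" path and the check_fwopsec/lea_value function names are my own.

```shell
#!/bin/sh
# Added example: verify that a fwopsec.conf has the LEA entries active.
# Assumption: the file uses the "lea_server <directive> <value>" layout
# shown in the thread, one directive per line, "#" for comments.

# Print the last active (uncommented) value of a lea_server directive.
#   $1 = path to fwopsec.conf, $2 = directive (auth_port, port, auth_type)
lea_value() {
    sed -n "s/^[[:space:]]*lea_server[[:space:]]\{1,\}$2[[:space:]]\{1,\}\([^[:space:]#]*\).*/\1/p" "$1" \
        | tail -n 1
}

# Exit 0 when the file has "auth_port 18184" and "auth_type ssl_opsec"
# active and no active "port" line; otherwise print what to change and exit 1.
check_fwopsec() {
    f="$1"
    rc=0
    ap=$(lea_value "$f" auth_port)
    at=$(lea_value "$f" auth_type)
    pt=$(lea_value "$f" port)
    [ "$ap" = "18184" ]     || { echo "add:    lea_server auth_port 18184"; rc=1; }
    [ "$at" = "ssl_opsec" ] || { echo "add:    lea_server auth_type ssl_opsec"; rc=1; }
    [ -z "$pt" ]            || { echo "remove: lea_server port $pt"; rc=1; }
    return $rc
}

# Constructed sample files for demonstration (not real Check Point configs).
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT

# 1) the shipped R71 file: defaults present but commented -> LEA not started
SAMPLE_DEFAULT="$tmp/fwopsec.conf.default"
cat > "$SAMPLE_DEFAULT" <<'EOF'
# The VPN-1/FireWall-1 default settings are:
#  lea_server  auth_port  18184
#  lea_server  port  0
EOF

# 2) the file after following the app documentation to the letter
SAMPLE_FIXED="$tmp/fwopsec.conf.__fixed__"
cat > "$SAMPLE_FIXED" <<'EOF'
# The VPN-1/FireWall-1 default settings are:
#  lea_server  auth_port  18184
#  lea_server  port  0
lea_server  auth_port   18184
lea_server  auth_type  ssl_opsec
EOF

echo "== default file =="
check_fwopsec "$SAMPLE_DEFAULT" || echo "-> LEA server will not be started"
echo "== fixed file =="
check_fwopsec "$SAMPLE_FIXED" && echo "-> LEA entries active"
```

Run it against the real file with `check_fwopsec "$FWDIR/conf/fwopsec.conf"` on the management server before trying opsec_putkey again; the check is read-only, so it does not require a cpstop/cpstart. It does not verify the firewall rule bojanz mentions (Splunk host to the LEA port on the SmartCenter), which still has to be checked separately in the rulebase.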