I'm unable to get the certificate from the Check Point management server. I can successfully connect with nc -z <ip> <port> I've verified the ip and password. I have opened a case with Splunk support, but I wanted to see if any other assistance was available as I would like to resolve this quickly.
I did a tcpdump at my heavy forwarder with the dst filter and found that I was just sending SYN packets without getting any further through the tcp convo. There was an issue with the ACL rules, and also the port 18210 had to be opened for the initial cert exchange.
I did a tcpdump at my heavy forwarder with the dst filter and found that I was just sending SYN packets without getting any further through the tcp convo. There was an issue with the ACL rules, and also the port 18210 had to be opened for the initial cert exchange.
we had a similar issue in:
https://answers.splunk.com/answers/89725/rc-1-err-96-connection-error-with-check-point-ospec-lea-app...
I believe we resolved it by assigning a hostname entry to our configured NIC's
Yeah I was checking out that post. I can nc -z 18184
Would the mentioned hostname config be a possible issue if I'm not using host name in the connect param? By the way I do have a splunk case opened. 289923.
while port 18184/tcp is used to retrieve the FW/Audit logs from Check Point, you'll also need port 18210/tcp available to execute a one time "pull-cert" from the manager.
I believe we had added a static entry for each interface in /etc/hosts. Then used an IP address to connect with the manager to finalize the connection.