All Apps and Add-ons
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Splunk Add-on for Check Point OPSEC LEA: Opsec error. rc=-1 err=-96 Connection error Checkpoint Add-on pull-cert

jgbricker
Contributor
‎11-18-2015 12:39 PM

I'm unable to get the certificate from the Check Point management server. I can successfully connect with nc -z <ip> <port> I've verified the ip and password. I have opened a case with Splunk support, but I wanted to see if any other assistance was available as I would like to resolve this quickly.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

jgbricker
Contributor
‎01-22-2016 04:26 AM

I did a tcpdump at my heavy forwarder with the dst filter and found that I was just sending SYN packets without getting any further through the tcp convo. There was an issue with the ACL rules, and also the port 18210 had to be opened for the initial cert exchange.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

jgbricker
Contributor
‎01-22-2016 04:26 AM

I did a tcpdump at my heavy forwarder with the dst filter and found that I was just sending SYN packets without getting any further through the tcp convo. There was an issue with the ACL rules, and also the port 18210 had to be opened for the initial cert exchange.

0 Karma
Reply
Solved! Jump to solution

Chubbybunny
Splunk Employee
Splunk Employee
‎11-18-2015 12:46 PM

we had a similar issue in:
https://answers.splunk.com/answers/89725/rc-1-err-96-connection-error-with-check-point-ospec-lea-app...

I believe we resolved it by assigning a hostname entry to our configured NIC's

0 Karma
Reply
Solved! Jump to solution

jgbricker
Contributor
‎11-18-2015 01:16 PM

Yeah I was checking out that post. I can nc -z 18184

Would the mentioned hostname config be a possible issue if I'm not using host name in the connect param? By the way I do have a splunk case opened. 289923.

0 Karma
Reply
Solved! Jump to solution

Chubbybunny
Splunk Employee
Splunk Employee
‎11-18-2015 01:29 PM

while port 18184/tcp is used to retrieve the FW/Audit logs from Check Point, you'll also need port 18210/tcp available to execute a one time "pull-cert" from the manager.

I believe we had added a static entry for each interface in /etc/hosts. Then used an IP address to connect with the manager to finalize the connection.

0 Karma
Reply
Get Updates on the Splunk Community!

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...

Routing logs with Splunk OTel Collector for Kubernetes

The Splunk Distribution of the OpenTelemetry (OTel) Collector is a product that provides a way to ingest ...

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...