SmartConnector for CheckPoint OPSEC NG


Comments

There is one essential piece of information missing from the documentation: if you configure ssl_opsec, the OPSEC Entity SIC Name is not always displayed by the Check Point Smart Center, but you can guess it:

OPSEC Entity SIC Name is the concatenation of the fixed string "CN=cp_mgmt," and the string after the first comma in the opsec_sic_name. For instance, "CN=cp_mgmt,O=test..8u5G5z". It is confirmed by this post:

https://protect724.arcsight.com/message/22281#22281

If you don't configure the opsec entity SIC name in your Smart Connector, your connection will fail.
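The derivation rule described in the comment above, written out as a small checker. This is an added example, not code from the SmartConnector, from Check Point, or from the commenter; it assumes the rule as stated (fixed prefix "CN=cp_mgmt," plus everything after the first comma of opsec_sic_name) and uses constructed sample names. It also flags the failure mode the comment names: an unset or mismatched OPSEC Entity SIC name.

```python
"""Derive and check the Check Point OPSEC Entity SIC name for an ArcSight
SmartConnector configuration.

Added example (not part of the SmartConnector or Check Point code).
Assumption, taken from the comment above: the entity SIC name is
"CN=cp_mgmt," followed by the part of opsec_sic_name after its first comma.
"""
from typing import List, Optional

MGMT_CN_PREFIX = "CN=cp_mgmt,"


def derive_entity_sic_name(opsec_sic_name: str) -> str:
    """Return the expected OPSEC Entity SIC Name for a given opsec_sic_name.

    Constructed sample: "CN=arcsight_opsec,O=test..8u5G5z" becomes
    "CN=cp_mgmt,O=test..8u5G5z". Raises ValueError when the input has no
    comma, since the rule needs the organisation suffix that follows it.
    """
    name = opsec_sic_name.strip()
    if "," not in name:
        raise ValueError(
            f"opsec_sic_name has no ',' separating CN from the O= suffix: {name!r}")
    # Everything after the first comma is the management server's suffix.
    suffix = name.split(",", 1)[1]
    return MGMT_CN_PREFIX + suffix


def check_sic_config(opsec_sic_name: str,
                     entity_sic_name: Optional[str]) -> List[str]:
    """Return a list of configuration problems; an empty list means the
    two names are consistent. An unset or mismatched OPSEC Entity SIC Name
    is the condition the comment above says makes the connection fail."""
    try:
        expected = derive_entity_sic_name(opsec_sic_name)
    except ValueError as exc:
        return [str(exc)]
    if not entity_sic_name or not entity_sic_name.strip():
        return [f"OPSEC Entity SIC Name is not set; expected {expected!r}"]
    if entity_sic_name.strip() != expected:
        return [f"OPSEC Entity SIC Name {entity_sic_name.strip()!r} does not match "
                f"expected {expected!r} (it must share the O= suffix of opsec_sic_name)"]
    return []


if __name__ == "__main__":
    # Constructed sample values, not taken from any real deployment.
    sample_opsec_sic_name = "CN=arcsight_opsec,O=test..8u5G5z"
    print("expected entity SIC name:", derive_entity_sic_name(sample_opsec_sic_name))
    for configured in ("CN=cp_mgmt,O=test..8u5G5z", None, "CN=cp_mgmt,O=other..abc"):
        print(configured, "->", check_sic_config(sample_opsec_sic_name, configured) or "OK")
```

If your management server's SIC name is visible (for example via GUIDBedit as described in a later reply), compare it against the derived value rather than trusting the derivation alone; the derivation is a fallback for when the Smart Center does not display it.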

Yes, under R70 and above the Domain's (CMA's) SIC name doesn't show up in the Domain object like it did in R65. But you can find it using GUIDBedit.exe (if using Windows and R75.47 it would be in C:\Program Files (x86)\CheckPoint\SmartConsole\R75.47\PROGRAM). Find your Domain\CMA object in the network objects and then scroll down through the fields until you find "sic_name", and there's what you are looking for.

Hi,

As per this discussion (), Mr seems to have found a typo in the Checkpoint doc(s).

On page 27 for the doc above specifically, the field "app_name" is listed incorrectly as mapped to "Device Service Name". It should be "Device Process Name".

I checked the parser, which shows Device Service Name being mapped to app_name as is documented in the guide, not Device Process Name. I am checking with development to determine whether the parser needs to be updated. Until then, I won't be able to make the change in the configuration guide.

Ingrid

Hi Ingrid, Thanks for checking into this for us!

Not sure if you've filed tickets with support, but there seem to be two issues compounded together:

1) the parser is mapping the field 'app_name' instead of 'appi_name'.

2) it's then mapping to 'Device Service Name', which isn't a standard ArcSight field.

Hi Richard,

Yes, I have raised a service request with HP support with regards to this issue.

Please refer to SR# 4651710544.

Regards,

Anirudh

The CheckPoint connector configuration guide has been modified, and now the correct mapping information is populated:

Destination Service Name = One of (service, Service_name, app_Name, service_id)

Regards,

Anirudh

Hi Ingrid,

What changes have been made to the document?

Regards,

Anirudh

You can find out changes to any configuration guide by referring to the Revision on page 2. For this update:

Added support for Identity Awareness events in R77. Added information about installing the PAM package for connectors running on CentOS 6.5, 6.6, 7.0 or 7.1 and RHEL OS 6.5 or 7.0.

Anti-Malware fields are not populated as this PDF says:

Device Custom String 1: malware_rule_name
Device Custom String 2: Protection Type
Device Custom String 3: protection_id
Device Custom String 4: Protection Name (FAIL... this is RULE UID)
Device Custom String 6: scan direction (FAIL, this is Policy name)

Any info about New Anti Virus mappings?

Custom string 4 has rule uid... (?)

Custom String 6 has policy name...(?)

Page 20, Step 3. Directions A, B, C, and D. "C Go to "Pull the Certificate – sslca and ssl_opsec" and follow the procedure documented. Then continue with step 3E." This does not exist. "Pull Certificate - sslca" does, but not for ssl_opsec. If we are supposed to do the same whether you use sslca or ssl_opsec, it would be nice if that were clarified. Then also state on step C for SSL_OPSEC that one needs to do Step D as well.

Am I missing something?

The reference should have been to "Pull the Certificate -- sslca", not "Pull the Certificate -- sslca and ssl_opsec". We have updated the configuration guide, which will be available with the next release. The certificate doesn't need to be pulled for ssl_opsec. Sorry for the confusion.

Ingrid

Hi All,

Is the latest Check Point version, R80.10, supported by the ArcSight SmartConnector?

No, R80 support is not yet available.
"No, R80 support is not yet available."
When expected?

R80.10 support is now available with the Check Point Syslog connector. Support for this version will not be added to the Check Point OPSEC NG connector, for which support will be ending in 2018 (Check Point does not support 64-bit platforms for Check Point OPSEC, and at some point in 2018 only 64-bit support will be provided for connectors).

Revision: 12 of 12
Last update: 2020-02-17 18:08