william.schroed Absent Member.

CheckPoint Logging

The CheckPoint connector seems to only allow gathering logs from the manager. We use a distributed log infrastructure with splat loggers. Has anyone set up a connector that works with multiple loggers?

ronaldo Absent Member.

Re: CheckPoint Logging

Do you mean that you have multiple CLMs or Smartcenters distributed across your environment?

If that is the case you just need to start a connector per smartcenter, enable sic with it and have it dump the logs into logger.

william.schroed Absent Member.

Re: CheckPoint Logging

I quizzed our checkpoint admin; his response is below.

We have smart centers and separate log servers distributed

w

william.schroed Absent Member.

Re: CheckPoint Logging

I have an open ticket on this issue:

"The issue is caused by the fact that the communication is occurring between the client and the firewall logger and not the lea manager. When I changed the IP in the opsec_pull_cert to the IP of the manager (and not the log server) the cert was created. We use a distributed log infrastructure and the logs are NOT on the manager."

The opsec_pull_cert step kept failing when we were using the IP of the splat log server. When I stopped and changed to the IP of the manager the cert got created.

ronaldo Absent Member.

Re: CheckPoint Logging

The manager acts as the internal CA (ICA) for the SIC certificates, so all components which need SIC established need to pull the certificates from him.

ronaldo Absent Member.

Re: CheckPoint Logging

william.schroed Absent Member.

Re: CheckPoint Logging

I have a document on how this was resolved. I need to sanitize and then I will post.

vip
New Member.

Re: CheckPoint Logging

Hi Will,

Do you have such a document available? Many thanks!

william.schroed Absent Member.

Re: CheckPoint Logging

vip
New Member.

Re: CheckPoint Logging

Thanks, I went through your documentation.

The most difficult part is indeed to get the opsec_entity_sic_name with releases >= R70 and I didn't find any right explanation on the web or on the check point website on the way to get it.

I found another method to find it, but I'm not quite sure it works 100% of the time (I'm not a check point specialist): open file “objects_5_0.C” in $FWDIR/conf on the SmartCenter and look for the line beginning with “:sic_name”. With this method, you don't need a GUI tool.

Regards,
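
The lookup described in the post above, as an added example that is not part of the thread and not Check Point or connector tooling: it lists every `:sic_name` line together with the object that contains it, so the entry for the right host can be picked out of a copy of the file. The nested layout of the constructed sample, its object names and its DN values are assumptions.

```python
import re

# Constructed sample in a nested "(name :key (value))" style. The layout
# is an assumption about objects_5_0.C; names and DN values are made up.
SAMPLE = '''\
(
  :network_objects (
    : (cp-mgmt-example
      :type (host)
      :sic_name ("CN=cp_mgmt,O=mgmt-example..abc123")
    )
    : (lea-client-example
      :certificates (
        : (defaultCert
          :status (signed)
        )
      )
      :sic_name ("CN=lea-client-example,O=mgmt-example..abc123")
    )
  )
)
'''

OBJ_RE = re.compile(r'^\s*: \(([^\s()"]+)\s*$')      # line opening a named object
SIC_RE = re.compile(r'^\s*:sic_name \("([^"]*)"\)')  # line beginning with :sic_name
QUOTED = re.compile(r'"[^"]*"')

def sic_names(text):
    """Return [(object_name, sic_name)] for every :sic_name line in text."""
    found, stack, depth = [], [], 0
    for line in text.splitlines():
        obj = OBJ_RE.match(line)
        if obj:
            stack.append((obj.group(1), depth))  # depth before the object opens
        sic = SIC_RE.match(line)
        if sic:
            owner = stack[-1][0] if stack else None
            found.append((owner, sic.group(1)))
        bare = QUOTED.sub('', line)  # parentheses inside quotes do not nest
        depth += bare.count('(') - bare.count(')')
        while stack and depth <= stack[-1][1]:
            stack.pop()  # this object's closing parenthesis was reached
    return found

if __name__ == "__main__":
    for owner, dn in sic_names(SAMPLE):
        print(f"{owner}: {dn}")
```

Tracking the nesting depth keeps a `:sic_name` that follows a nested block attributed to the outer object rather than to the last name seen.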
