I've been trying to get the OPSEC LEA loggrabber working with my Splunk (v4.3.2) and Checkpoint (R75.40). I've followed the instructions in OPSEC LEA for Checkpoint. I've installed the app on the forwarder successfully and have set up the OPSEC object in Checkpoint, along with the bits to enable the LEA server. However, when I try to retrieve the OPSEC certificate using opsec_pull_cert, this fails. I can see in the Checkpoint logs that the connection is being attempted, but the Checkpoint server doesn't seem to respond to the certificate request.
Can anyone tell me if I've missed something? Do I need to enable something in Checkpoint to tell it to respond to certificate downloads or something like that?
The question has been closed for the following reason "The question is answered, right answer was accepted" by araitz 09 Apr, 16:24
Just to complete the thread, I've now solved the problem. It turned out to not be a problem with either Splunk or Checkpoint, but was a routing issue in the network. The routing has now been fixed and the OPSEC components are now communicating.
answered 06 Jul '12, 00:19
I played a lot with Checkpoint integration... and to be honest, it does NOT work at all!!!
Even though Splunk says that they support OPSEC LEA for Checkpoint, it's wrong. For more than 2 years they haven't updated anything. Loggrabber is old and nobody maintains it.
If I can recommend you something, and if you have an enterprise license, please ask and ask Splunk support about Checkpoint integration... maybe one day they will do something.
Good luck!
answered 03 Jul '12, 14:13