Solved

Checkpoint R70.40 won't talk to McAfee SIEM

Posted on 2014-03-11
10
1,746 Views
Last Modified: 2014-03-31
We are running Checkpoint R70.40 and need the logs to go to a McAfee SIEM.  We are getting the error message:  "Check Point test connection unsuccessful.  The referred entity does not exist in the Certificate Authority".
Question by:dhuff2012
10 Comments
 
LVL 61

Expert Comment

by:btan
ID: 39923397
Please see the KB from McAfee, as it suggests it is likely the Open Platform for Security (OPSEC) framework is suspect.

https://kc.mcafee.com/corporate/index?page=content&id=KB74622&actp=LIST
https://kc.mcafee.com/corporate/index?page=content&id=KB79151&actp=LIST_RECENT

Also for Checkpoint, it leads to OPSEC issues as

http://publib.boulder.ibm.com/tividd/td/TRM/SC23-4823-00/en_US/HTML/adapter_guide09.htm#HDRCPFADDINFO

opsec_pull_cert can fail in the following ways:

The SIC communication with the adapter is already in the 'Trust established' mode.
f:\>opsec_pull_cert -h 104.48.36.101 -n RMThegrill -p password
Opsec error. rc=-1 err=-93 The referred entity does not exist in the
Certificate Authority

The wrong Opsec Application Name is used.
f:\>opsec_pull_cert -h 104.48.36.101 -n WrongName -p password
Opsec error. rc=-1 err=-93 The referred entity does not exist in the
Certificate Authority
0
 

Author Comment

by:dhuff2012
ID: 39927630
https://kc.mcafee.com/corporate/index?page=content&id=KB74622&actp=LIST
All the steps in this link have been performed.

https://kc.mcafee.com/corporate/index?page=content&id=KB79151&actp=LIST_RECENT
The SIC communication has been confirmed.

The error message is pointing to a certificate error.  "The referred entity does not exist in the certificate authority."
0
 

Author Comment

by:dhuff2012
ID: 39927633
What does it mean by "The wrong Opsec Application Name is used."?
0
 
LVL 61

Expert Comment

by:btan
ID: 39928172
It refers back to the original error - "The referred entity does not exist in the Certificate Authority". From McAfee kb

e.g. Opsec error. rc=-1 err=-93

The OPSEC Application was not created in the Check Point Smart Dashboard, or the data source Application Name setting for the Check Point data source is not correct. The OPSEC Client tried to contact the Check Point Log Server to pull the SIC certificate and the Log Server reported that the requested certificate does not exist.

    Verify that the OPSEC Application was created correctly in the Smart Dashboard.
    Verify that the Check Point Policy was installed.
    Verify that the data source contains the correct Application Name.
0
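As an added example (not code from the thread, McAfee or Check Point), the following Python helper turns the `opsec_pull_cert` output quoted above into a triage checklist. It parses the `rc=`/`err=` pair and the wrapped message text, maps `err=-93` to the three KB checks listed in this comment plus the "trust already established" case from the first comment, and separately compares the SmartDashboard object name with the ESM data source Application Name, since a mismatch is one of the causes given. The sample output strings, the `REMEDIATION` table and the success message are constructed for illustration.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample: the failure output exactly as quoted in the thread,
# including the line wrap inside the message.
SAMPLE_FAILURE = """Opsec error. rc=-1 err=-93 The referred entity does not exist in the
Certificate Authority"""

# Constructed sample of a successful pull (not real tool output).
SAMPLE_SUCCESS = "Certificate was created successfully and written to opsec.p12"

# Remediation steps drawn from the McAfee KB text quoted in this thread and
# from the failure modes listed in the first comment. Only err=-93 is
# documented on this page; other codes fall through to a generic hint.
REMEDIATION: Dict[int, List[str]] = {
    -93: [
        "Verify that the OPSEC Application was created in SmartDashboard",
        "Verify that the Check Point policy was installed (Policy > Install)",
        "Verify that the data source Application Name matches the OPSEC object name exactly",
        "If SIC already shows 'Trust established', the certificate was pulled before; "
        "re-initialize the object's SIC before pulling again",
    ],
}

# Matches "Opsec error. rc=<n> err=<n> <message>" after line wraps are joined.
ERROR_RE = re.compile(r"Opsec error\.\s+rc=(-?\d+)\s+err=(-?\d+)\s+(.*)")


@dataclass
class PullCertResult:
    ok: bool
    rc: Optional[int] = None
    err: Optional[int] = None
    message: str = ""
    checks: List[str] = field(default_factory=list)


def parse_pull_cert_output(output: str) -> PullCertResult:
    """Parse opsec_pull_cert output and attach the remediation checklist."""
    text = " ".join(output.split())  # join wrapped lines and collapse whitespace
    m = ERROR_RE.search(text)
    if not m:
        return PullCertResult(ok=True, message=text)
    rc, err, msg = int(m.group(1)), int(m.group(2)), m.group(3).strip()
    checks = REMEDIATION.get(
        err, ["Unrecognized OPSEC error code; look it up in the OPSEC SDK error list"]
    )
    return PullCertResult(ok=False, rc=rc, err=err, message=msg, checks=list(checks))


def check_application_name(opsec_object_name: str, data_source_name: str) -> List[str]:
    """Report mismatches between the SmartDashboard object name and the ESM data source name.

    The LEA client sends the Application Name verbatim, so case and whitespace matter.
    """
    problems: List[str] = []
    if opsec_object_name == data_source_name:
        return problems
    if opsec_object_name.strip().lower() == data_source_name.strip().lower():
        problems.append(
            "Application Name differs only in case or whitespace; copy the object name exactly"
        )
    else:
        problems.append(
            f"Application Name mismatch: object '{opsec_object_name}' "
            f"vs data source '{data_source_name}'"
        )
    return problems


if __name__ == "__main__":
    result = parse_pull_cert_output(SAMPLE_FAILURE)
    print(f"ok={result.ok} rc={result.rc} err={result.err}: {result.message}")
    for step in result.checks:
        print(" -", step)
    for problem in check_application_name("McAfee_ESM", "mcafee_esm"):
        print(" -", problem)
```

Feed it the captured output of a real `opsec_pull_cert` run (or the names from the OPSEC object and the ESM data source) to get the checklist in the order the KB gives it; the name comparison is worth running first because it needs no access to the Check Point server.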
 

Author Comment

by:dhuff2012
ID: 39929846
This is the OPSEC object in the firewall (attached).  I don't know what to put in the "Application Properties".  McAfee is not listed in the Vendor drop-down. The McAfee Event Receiver is version 9.3.2, build 20140228100925.

Any ideas?
OPSEC-object.PNG
0

 
LVL 61

Expert Comment

by:btan
ID: 39930936
Please see this guide

Creating OPSEC Applications

1. Expand the OPSEC Applications tree node, right-click on the OPSEC Application category, and then select New OPSEC Application.
2. In the OPSEC Application Properties dialog, type a name for the OPSEC Application (the same name will be used to create the data source).
3. Select a host. In the Host field, click the down arrow button and select the network object that represents the McAfee Event Receiver that is to collect log data from the OPSEC device. If the network object does not exist, create one by clicking New.
4. Leave the Vendor field as the default selection (User Defined) and select the LEA checkbox in the Client Entries section. The parameters are now set for the certificate and you need to establish communication.
5. Click Communication, near the bottom of the dialog, and wait for the Activation Key prompt. NOTE: This key is the password you will use to set up this data source in the ESM.
6. Enter and confirm your activation key.
7. Click Initialize to initialize the certificate. After the initialization process is complete, you will see the following message in the Trust State field:

   Initialized but trust not established.
   This means that the certificate has been initialized and is valid; however, the certificate has not been retrieved.

8. Click Close and keep a note of the CN name that you can see at the bottom of the OPSEC Application Properties window, under the Secure Internal Communication section.
9. Click OK on the OPSEC Application Process dialog and select Policy in the Tool menu, then click Install to install the Check Point policy.
10. Run Install DB on the Check Point server when the application is created, in the following way:
   a. Open the Smart Dashboard.
   b. Click Policy, Install DB.
0
 
LVL 61

Accepted Solution

by: btan (earned 500 total points)
ID: 39930938
This is slightly off, as it uses IBM Compliance Manager instead to configure auditing for Check Point FireWall-1 (OPSEC), but I thought it would help your understanding too, as it sets Checkpoint as the source to various destination services.
0
 

Author Comment

by:dhuff2012
ID: 39967015
We decided to simply configure syslog to send the logs to the SIEM.  It appears to be working now.  Thanks for your help.
0
 

Author Closing Comment

by:dhuff2012
ID: 39967019
Thanks for your help
0
 
LVL 61

Expert Comment

by:btan
ID: 39968165
Glad to help
0
