Solved

Checkpoint R70.40 won't talk to McAfee SIEM

Posted on 2014-03-11
Last Modified: 2014-03-31
We are running Checkpoint R70.40 and need the logs to go to a McAfee SIEM.  We are getting the error message:  "Check Point test connection unsuccessful.  The referred entity does not exist in the Certificate Authority".
Question by:dhuff2012
10 Comments

Expert Comment

by:btan
ID: 39923397
Pls see the kb from McAfee as it suggests it is likely the Open Platform for Security (OPSEC) framework is suspect.

https://kc.mcafee.com/corporate/index?page=content&id=KB74622&actp=LIST
https://kc.mcafee.com/corporate/index?page=content&id=KB79151&actp=LIST_RECENT

Also for Checkpoint, it leads to OPSEC issues as

http://publib.boulder.ibm.com/tividd/td/TRM/SC23-4823-00/en_US/HTML/adapter_guide09.htm#HDRCPFADDINFO

opsec_pull_cert can fail in the following ways:

The SIC communication with the adapter is already in the 'Trust established' mode.
f:\>opsec_pull_cert -h 104.48.36.101 -n RMThegrill -p password
Opsec error. rc=-1 err=-93 The referred entity does not exist in the
Certificate Authority

The wrong Opsec Application Name is used.
f:\>opsec_pull_cert -h 104.48.36.101 -n WrongName -p password
Opsec error. rc=-1 err=-93 The referred entity does not exist in the
Certificate Authority
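The two opsec_pull_cert failures quoted above produce the same err=-93 text, so it helps to turn the tool's wrapped output into a structured verdict plus the checklist the error implies. The following is an added example, not code from the thread, McAfee or Check Point: it parses the diagnostic line as quoted above, maps err=-93 to the checks discussed later in this thread, and wraps the command invocation. The -h, -n and -p options are the ones shown in the thread; the -o output-file option, the assumption that an output with no "Opsec error" line means success, and the sample output are constructed for this example.

```python
import os
import re
import subprocess
from dataclasses import dataclass, field
from typing import List, Optional

# Matches the diagnostic line opsec_pull_cert prints on failure, e.g.
# "Opsec error. rc=-1 err=-93 The referred entity does not exist in the Certificate Authority"
OPSEC_ERROR_RE = re.compile(
    r"Opsec error\.\s+rc=(?P<rc>-?\d+)\s+err=(?P<err>-?\d+)\s*(?P<msg>.*)"
)

# Checks to run for the error codes discussed in this thread. Only err=-93 is
# documented here; any other code falls through to a generic hint.
CHECKS_FOR_ERR = {
    -93: [
        "an OPSEC Application object with exactly this name exists in SmartDashboard",
        "the SIEM data source is configured with that same Application Name",
        "the Check Point policy was installed after the object was created",
        "SIC trust for this application is not already established "
        "(the thread shows the same error in that state)",
    ],
}


@dataclass
class PullResult:
    ok: bool
    rc: Optional[int]
    err: Optional[int]
    message: str
    checks: List[str] = field(default_factory=list)


def classify_pull_output(output: str) -> PullResult:
    """Turn raw opsec_pull_cert stdout/stderr into a structured verdict."""
    # The tool wraps long messages across lines; collapse all whitespace first.
    text = " ".join(output.split())
    m = OPSEC_ERROR_RE.search(text)
    if m is None:
        # Assumption: no "Opsec error" line means the certificate was pulled.
        return PullResult(ok=True, rc=0, err=None, message="certificate pulled")
    rc, err = int(m.group("rc")), int(m.group("err"))
    checks = CHECKS_FOR_ERR.get(
        err, ["unrecognised OPSEC error; check SIC status on the management server"]
    )
    return PullResult(ok=False, rc=rc, err=err, message=m.group("msg").strip(), checks=checks)


def run_pull_cert(mgmt_host: str, app_name: str, activation_key: str,
                  out_file: str = "opsec.p12") -> PullResult:
    """Invoke opsec_pull_cert (must be on PATH) and classify its output.

    -o (output file) is assumed here. The activation key is passed on the
    command line, exactly as in the thread, so it is visible in the process
    list while the tool runs; run this from a trusted host only.
    """
    proc = subprocess.run(
        ["opsec_pull_cert", "-h", mgmt_host, "-n", app_name, "-p", activation_key, "-o", out_file],
        capture_output=True, text=True, check=False,
    )
    result = classify_pull_output(proc.stdout + proc.stderr)
    # A clean exit without the .p12 on disk is still a failure.
    if result.ok and not os.path.exists(out_file):
        return PullResult(ok=False, rc=proc.returncode, err=None,
                          message=f"no certificate file written to {out_file}")
    return result


# Constructed sample, copied from the wrapped output quoted in the thread.
SAMPLE_FAILURE = """Opsec error. rc=-1 err=-93 The referred entity does not exist in the
Certificate Authority
"""

if __name__ == "__main__":
    r = classify_pull_output(SAMPLE_FAILURE)
    print(f"ok={r.ok} rc={r.rc} err={r.err}: {r.message}")
    for check in r.checks:
        print("  - verify:", check)
```

Running the script against the sample prints the err=-93 verdict and the four checks; calling run_pull_cert with the management server, the OPSEC Application name and the activation key does the real pull and returns the same structure, so a SIEM onboarding script can stop and report the checklist instead of retrying blindly.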
 

Author Comment

by:dhuff2012
ID: 39927630
https://kc.mcafee.com/corporate/index?page=content&id=KB74622&actp=LIST
All the steps in this link have been performed.

https://kc.mcafee.com/corporate/index?page=content&id=KB79151&actp=LIST_RECENT
The SIC communication has been confirmed.

The error message is pointing to a certificate error.  "The referred entity does not exist in the certificate authority."
 

Author Comment

by:dhuff2012
ID: 39927633
What does it mean by "The wrong Opsec Application Name is used."?

Expert Comment

by:btan
ID: 39928172
It refers back to the original error - "The referred entity does not exist in the Certificate Authority". From McAfee kb

e.g. Opsec error. rc=-1 err=-93

The OPSEC Application was not created in the Check Point Smart Dashboard, or the data source Application Name setting for the Check Point data source is not correct. The OPSEC Client tried to contact the Check Point Log Server to pull the SIC certificate and the Log Server reported that the requested certificate does not exist.

    Verify that the OPSEC Application was created correctly in the Smart Dashboard.
    Verify that the Check Point Policy was installed.
    Verify that the data source contains the correct Application Name.
 

Author Comment

by:dhuff2012
ID: 39929846
This is the OPSEC object in the firewall (attached).  I don't know what to put in the "Application Properties".  McAfee is not listed in the Vendor drop down. The McAfee event receiver 9.3.2 build 20140228100925.  

Any ideas?
OPSEC-object.PNG

Expert Comment

by:btan
ID: 39930936
Pls see this guide

Creating OPSEC Applications

1. Expand the OPSEC Applications tree node, right-click on the OPSEC Application category, and then select New OPSEC Application.
2. In the OPSEC Application Properties dialog, type a name for the OPSEC Application (the same name will be used to create the data source).
3. Select a host. In the Host field, click the down arrow button and select the network object that represents the McAfee Event Receiver that is to collect log data from the OPSEC device. If the network object does not exist, create one by clicking New.
4. Leave the Vendor field as the default selection (User Defined) and select the LEA checkbox in the Client Entries section. The parameters are now set for the certificate and you need to establish communication.
5. Click Communication, near the bottom of the dialog, and wait for the Activation Key prompt. NOTE: This key is the password you will use to set up this data source in the ESM.
6. Enter and confirm your activation key.
7. Click Initialize to initialize the certificate. After the initialization process is complete, you will see the following message in the Trust State field:

   Initialized but trust not established.
   This means that the certificate has been initialized and is valid; however, the certificate has not been retrieved.

8. Click Close and keep a note of the CN name that you can see at the bottom of the OPSEC Application Properties window, under the Secure Internal Communication section.
9. Click OK on the OPSEC Application Properties dialog and select Policy in the Tool menu, then click Install to install the Check Point policy.
10. Run Install DB on the Check Point server when the application is created, in the following way:
    a. Open the Smart Dashboard.
    b. Click Policy, Install DB.

Accepted Solution

by:
btan earned 500 total points
ID: 39930938
This is slightly out as it uses IBM Compliance Mgr instead to configure auditing for Check Point FireWall-1 (OPSEC), but I thought it will come to better your understanding too, as setting Checkpoint as the source to various dest services

Author Comment

by:dhuff2012
ID: 39967015
We decided to simply configure syslog to send the logs to the SIEM.  It appears to be working now.  Thanks for your help.
Author Closing Comment

by:dhuff2012
ID: 39967019
Thanks for your help

Expert Comment

by:btan
ID: 39968165
Glad to help