Solved

Checkpoint R70.40 won't talk to McAfee SIEM

Posted on 2014-03-11
10
1,927 Views
Last Modified: 2014-03-31
We are running Checkpoint R70.40 and need the logs to go to a McAfee SIEM.  We are getting the error message:  "Check Point test connection unsuccessful.  The referred entity does not exist in the Certificate Authority".
Question by:dhuff2012
10 Comments
 
LVL 64

Expert Comment

by:btan
ID: 39923397
Pls see the KB from McAfee, as it suggests it is likely the Open Platform for Security (OPSEC) framework that is suspect.

https://kc.mcafee.com/corporate/index?page=content&id=KB74622&actp=LIST
https://kc.mcafee.com/corporate/index?page=content&id=KB79151&actp=LIST_RECENT

Also for Checkpoint, it also leads to OPSEC issues as

http://publib.boulder.ibm.com/tividd/td/TRM/SC23-4823-00/en_US/HTML/adapter_guide09.htm#HDRCPFADDINFO

opsec_pull_cert can fail in the following ways:

The SIC communication with the adapter is already in the 'Trust established' mode.
f:\>opsec_pull_cert -h 104.48.36.101 -n RMThegrill -p password
Opsec error. rc=-1 err=-93 The referred entity does not exist in the
Certificate Authority

The wrong Opsec Application Name is used.
f:\>opsec_pull_cert -h 104.48.36.101 -n WrongName -p password
Opsec error. rc=-1 err=-93 The referred entity does not exist in the
Certificate Authority

Author Comment

by:dhuff2012
ID: 39927630
https://kc.mcafee.com/corporate/index?page=content&id=KB74622&actp=LIST
All the steps in this link have been performed.

https://kc.mcafee.com/corporate/index?page=content&id=KB79151&actp=LIST_RECENT
The SIC communication has been confirmed.

The error message is pointing to a certificate error.  "The referred entity does not exist in the certificate authority."

Author Comment

by:dhuff2012
ID: 39927633
What does it mean by "The wrong Opsec Application Name is used."?
LVL 64

Expert Comment

by:btan
ID: 39928172
It refers back to the original error, "The referred entity does not exist in the Certificate Authority". From the McAfee KB:

e.g. Opsec error. rc=-1 err=-93

The OPSEC Application was not created in the Check Point Smart Dashboard, or the data source Application Name setting for the Check Point data source is not correct. The OPSEC Client tried to contact the Check Point Log Server to pull the SIC certificate and the Log Server reported that the requested certificate does not exist.

    Verify that the OPSEC Application was created correctly in the Smart Dashboard.
    Verify that the Check Point Policy was installed.
    Verify that the data source contains the correct Application Name.
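As an added illustration (not from the thread, and not McAfee's or Check Point's own tooling), a small Python helper that parses the opsec_pull_cert error line quoted earlier in the thread and maps err=-93 back to the checks listed in the two comments above; the sample output is constructed to match the lines shown in the thread.

```python
import re

# Constructed sample, shaped like the opsec_pull_cert output quoted in the thread
# (the message wraps onto a second line exactly as the tool prints it).
SAMPLE_OUTPUT = (
    "f:\\>opsec_pull_cert -h 104.48.36.101 -n WrongName -p password\n"
    "Opsec error. rc=-1 err=-93 The referred entity does not exist in the\n"
    "Certificate Authority\n"
)

# "Opsec error. rc=<n> err=<n> <message>"; re.S lets the message span the line wrap.
OPSEC_ERR_RE = re.compile(r"Opsec error\.\s+rc=(-?\d+)\s+err=(-?\d+)\s+(.+)", re.S)

# Causes the thread gives for err=-93 (McAfee KB74622/KB79151 and the IBM adapter guide).
KNOWN_CAUSES = {
    -93: [
        "OPSEC Application Name given with -n does not match the object in SmartDashboard",
        "OPSEC Application object was not created in SmartDashboard",
        "Check Point policy / Install DB not run after creating the object",
        "SIC for this application is already in 'Trust established' mode",
    ],
}


def parse_pull_cert_output(text):
    """Return (rc, err, message) from opsec_pull_cert output, or None if no error line."""
    m = OPSEC_ERR_RE.search(text)
    if m is None:
        return None
    # Collapse the line wrap and trailing newline into single spaces.
    message = " ".join(m.group(3).split())
    return int(m.group(1)), int(m.group(2)), message


def diagnose(text):
    """Map the error line to the checks an operator should run next."""
    parsed = parse_pull_cert_output(text)
    if parsed is None:
        return {"status": "no_opsec_error", "checks": []}
    rc, err, message = parsed
    checks = KNOWN_CAUSES.get(err, ["err code not covered here; see the Check Point OPSEC docs"])
    return {"status": "error", "rc": rc, "err": err, "message": message, "checks": checks}


if __name__ == "__main__":
    result = diagnose(SAMPLE_OUTPUT)
    print(f"rc={result['rc']} err={result['err']}: {result['message']}")
    for check in result["checks"]:
        print(" -", check)
```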

Author Comment

by:dhuff2012
ID: 39929846
This is the OPSEC object in the firewall (attached).  I don't know what to put in the "Application Properties".  McAfee is not listed in the Vendor drop down. The McAfee event receiver is 9.3.2 build 20140228100925.

Any ideas?
OPSEC-object.PNG
LVL 64

Expert Comment

by:btan
ID: 39930936
Pls see this guide

Creating OPSEC Applications

1. Expand the OPSEC Applications tree node, right-click on the OPSEC Application category, and then select New OPSEC Application.
2. In the OPSEC Application Properties dialog, type a name for the OPSEC Application (the same name will be used to create the data source).
3. Select a host. In the Host field, click the down arrow button and select the network object that represents the McAfee Event Receiver that is to collect log data from the OPSEC device. If the network object does not exist, create one by clicking New.
4. Leave the Vendor field as the default selection (User Defined) and select the LEA checkbox in the Client Entries section. The parameters are now set for the certificate and you need to establish communication.
5. Click Communication, near the bottom of the dialog, and wait for the Activation Key prompt. NOTE: This key is the password you will use to set up this data source in the ESM.
6. Enter and confirm your activation key.
7. Click Initialize to initialize the certificate. After the initialization process is complete, you will see the following message in the Trust State field:

   Initialized but trust not established.
   This means that the certificate has been initialized and is valid; however, the certificate has not been retrieved.

8. Click Close and keep a note of the CN name that you can see at the bottom of the OPSEC Application Properties window, under the Secure Internal Communication section.
9. Click OK on the OPSEC Application Process dialog and select Policy in the Tool menu, then click Install to install the Check Point policy.
10. Run Install DB on the Check Point server when the application is created, in the following way:
    a. Open the Smart Dashboard.
    b. Click Policy, Install DB.
LVL 64

Accepted Solution

by: btan (earned 500 total points)
ID: 39930938
This is slightly out, as it uses IBM Compliance Mgr instead to configure auditing for Check Point FireWall-1 (OPSEC), but I thought it will come to better your understanding too, as it sets Checkpoint as the source to various dest services.

Author Comment

by:dhuff2012
ID: 39967015
We decided to simply configure syslog to send the logs to the SIEM.  It appears to be working now.  Thanks for your help.

Author Closing Comment

by:dhuff2012
ID: 39967019
Thanks for your help
LVL 64

Expert Comment

by:btan
ID: 39968165
Glad to help