Checkpoint R70.40 won't talk to McAfee SIEM

Posted on 2014-03-11
Last Modified: 2014-03-31
We are running Checkpoint R70.40 and need the logs to go to a McAfee SIEM.  We are getting the error message:  "Check Point test connection unsuccessful.  The referred entity does not exist in the Certificate Authority".
Question by:dhuff2012
LVL 63

Expert Comment

ID: 39923397
Pls see the KB from McAfee, as it suggests it is likely the Open Platform for Security (OPSEC) framework is suspect.

Also for Checkpoint, it also leads to OPSEC issues as

opsec_pull_cert can fail in the following ways:

The SIC communication with the adapter is already in the 'Trust established' mode.
f:\>opsec_pull_cert -h -n RMThegrill -p password
Opsec error. rc=-1 err=-93 The referred entity does not exist in the
Certificate Authority

The wrong Opsec Application Name is used.
f:\>opsec_pull_cert -h -n WrongName -p password
Opsec error. rc=-1 err=-93 The referred entity does not exist in the
Certificate Authority

Author Comment

ID: 39927630
All the steps in this link have been performed.
The SIC communication has been confirmed.

The error message is pointing to a certificate error.  "The referred entity does not exist in the certificate authority."

Author Comment

ID: 39927633
What does it mean by "The wrong Opsec Application Name is used."?

LVL 63

Expert Comment

ID: 39928172
It refers back to the original error - "The referred entity does not exist in the Certificate Authority". From McAfee kb

e.g. Opsec error. rc=-1 err=-93

The OPSEC Application was not created in the Check Point Smart Dashboard, or the data source Application Name setting for the Check Point data source is not correct. The OPSEC Client tried to contact the Check Point Log Server to pull the SIC certificate and the Log Server reported that the requested certificate does not exist.

    Verify that the OPSEC Application was created correctly in the Smart Dashboard.
    Verify that the Check Point Policy was installed.
    Verify that the data source contains the correct Application Name.

Author Comment

ID: 39929846
This is the OPSEC object in the firewall (attached).  I don't know what to put in the "Application Properties".  McAfee is not listed in the Vendor drop down. The McAfee event receiver 9.3.2 build 20140228100925.  

Any ideas?
LVL 63

Expert Comment

ID: 39930936
Pls see this guide

Creating OPSEC Applications

1. Expand the OPSEC Applications tree node, right-click on the OPSEC Application category, and then select New OPSEC Application.
2. In the OPSEC Application Properties dialog, type a name for the OPSEC Application (The same name will be used to create the data source).
3. Select a host. In the Host field, click the down arrow button and select the network object that represents the McAfee Event Receiver that is to collect log data from the OPSEC device. If the network object does not exist, create one by clicking New.
4. Leave the Vendor field as the default selection (User Defined) and select the LEA checkbox in the Client Entries section. The parameters are now set for the certificate and you need to establish communication.
5. Click Communication, near the bottom of the dialog and wait for the Activation Key prompt. NOTE: This key is the password you will use to set up this data source in the ESM.
6. Enter and confirm your activation key.
7. Click Initialize to initialize the certificate. After the initialization process is complete, you will see the following message in the Trust State field:

   Initialized but trust not established.

   This means that the certificate has been initialized and is valid; however, the certificate has not been retrieved.
8. Click Close and keep a note of the CN name that you can see at the bottom of the OPSEC Application Properties window, under the Secure Internal Communication section.
9. Click OK on the OPSEC Application Process dialog and select Policy in the Tool menu, then click Install to install the Check Point policy.
10. Run Install DB on the Check Point server when the application is created in the following way:
    a. Open the Smart Dashboard.
    b. Click Policy, Install DB.
LVL 63

Accepted Solution

btan earned 500 total points
ID: 39930938
This is slightly out as using IBM Compliance Mgr instead to configure auditing for Check Point FireWall-1 (OPSEC), but thought it will come to better your understanding too as setting Checkpoint as the source to various dest services

Author Comment

ID: 39967015
We decided to simply configure syslog to send the logs to the SIEM.  It appears to be working now.  Thanks for your help.

Author Closing Comment

ID: 39967019
Thanks for your help
LVL 63

Expert Comment

ID: 39968165
Glad to help

Question has a verified solution.