Checkpoint OPSEC LEA

Tags: checkpoint | opsec

#1 manoj.muthukumaran

Hi all, 

I'm trying to troubleshoot an issue with getting the Checkpoint input module working and pulling syslogs from a Checkpoint management appliance. I'm following the configuration guide provided in the nxlog documentation, but I am running into a few issues. 

Specifically, on the step where I attempt to retrieve the authentication key by using opsec_putkey. The correct output from that command should be "FW: Received new control security key from IP; Authentication with IP initialized successfully." However, my output is "FW: Received new control security key from IP; Failed to initialize authentication with IP."

When I go to test whether the log collection works (I do end up receiving the sslauthkeys.c and sslses.c files, and I have the opsec.p12 cert from a previous step), I get the following response: "Peer IP wants to exchange keys but I don't have a password."

Google hasn't been very fruitful so any advice would be appreciated. 

-M

#2 b0ti Nxlog ✓
Did you use the sslca authentication type? The im_checkpoint section in the new user guide is a bit more up-to-date, you may want to recheck according to this. Other than that I suggest contacting CheckPoint for help as this is their code and protocol.