IBM QRadar

  • 1.  Integrate checkpoint firewall

    Posted Thu May 13, 2021 12:00 PM
    Hello community,
    I'm trying to integrate the Check Point firewall with QRadar. I tried 2 different protocols and none of them worked for me.
    I tried the syslog integration but I only received operating system events. I followed this guide:
    https://www.ibm.com/docs/en/dsm?topic=point-integrate-check-by-using-syslog#c_dsm_guide_checkpoint_firewall1_syslogintegration
    I tried to integrate it using OPSEC/LEA but I'm having different problems:
    1) I have 2 gateways, 1 device that the gateways are connected to, and 1 manager. As far as I know, in the log source I have to use the manager IP. Is that OK?
    2) Using the manager IP, I see these errors in the qradar.error log:
       

    May 13 09:18:50 ::ffff:172.31.1.10 [ecs-ec-ingress.ecs-ec-ingress] [Thread-870535] com.q1labs.semsources.sources.LEA.LEAProvider: [ERROR] [NOT:0000003000][172.31.1.10/- -] [-/- -] Opsec error. rc=-1 err=-100 General error in Certificate Authority

    May 13 09:18:50 ::ffff:172.31.1.10 [ecs-ec-ingress.ecs-ec-ingress] [Thread-870535] com.q1labs.semsources.sources.LEA.LEAProvider: [ERROR] [NOT:0070003100][172.31.1.10/- -] [-/- -]Failed to pull the certificate for the LEA server 10.10.10.18.

    May 13 09:18:50 ::ffff:172.31.1.10 [ecs-ec-ingress.ecs-ec-ingress] [Thread-870535] com.q1labs.semsources.sources.LEA.LEAProvider: [ERROR] [NOT:0070003100][172.31.1.10/- -] [-/- -]An error occured when trying to configure a source connection for provider LEA Provider 10.10.10.18

    May 13 09:18:50 ::ffff:172.31.1.10 [ecs-ec-ingress.ecs-ec-ingress] [Thread-870535] com.q1labs.semsources.sources.LEA.LEAConfigurationException: Code=Failed to pull the certificate for the LEA server 10.10.10.18, Subcode=N/A, Reason=N/A

    May 13 09:18:50 ::ffff:172.31.1.10 [ecs-ec-ingress.ecs-ec-ingress] [Thread-870535] at com.q1labs.semsources.sources.LEA.LEAProvider.preExecuteConfigure(LEAProvider.java:356)

    May 13 09:18:50 ::ffff:172.31.1.10 [ecs-ec-ingress.ecs-ec-ingress] [Thread-870535] at com.q1labs.semsources.sources.base.SourceProvider.run(SourceProvider.java:181)

    May 13 09:18:50 ::ffff:172.31.1.10 [ecs-ec-ingress.ecs-ec-ingress] [Thread-870538] com.q1labs.semsources.sources.LEA.LEASource: [ERROR] [NOT:0070003100][172.31.1.10/- -] [-/- -]There appears to be a configuration issue with the provider connection 'LEA Provider 10.10.10.18'.

    I exported the certificate and copied it to the collector but I see the same error; the only error that is not generated again is the certificate error.

    I would like to know if any of you have had success integrating the Check Point firewall with QRadar, what the best protocol to use is, and what I'm doing wrong.

    I would really appreciate it if some of you could help me with this.

    ------------------------------
    Johan Lopez
    ------------------------------


  • 2.  RE: Integrate checkpoint firewall

    Posted Fri May 14, 2021 04:46 AM
    I recall someone told me last year they had problems integrating using OPSEC/LEA, and ended up enabling 3DES on the Check Point side after reading this and this.

    ------------------------------
    Dusan VIDOVIC
    ------------------------------