Hello community,
I'm trying to integrate the Check Point firewall with QRadar; I tried 2 different protocols and none of them worked for me.
I tried the syslog integration but I only received operating system events; I followed this guide:
https://www.ibm.com/docs/en/dsm?topic=point-integrate-check-by-using-syslog#c_dsm_guide_checkpoint_firewall1_syslogintegration
I tried to integrate it using OPSEC/LEA but I'm having different problems:
1) I have 2 gateways, 1 device that the gateways are connected to, and 1 manager. As far as I know, in the log source I have to use the manager IP; is that OK?
2) Using the manager IP I see these errors in the qradar.error log:
May 13 09:18:50 ::ffff:172.31.1.10 [ecs-ec-ingress.ecs-ec-ingress] [Thread-870535] com.q1labs.semsources.sources.LEA.LEAProvider: [ERROR] [NOT:0000003000][172.31.1.10/- -] [-/- -] Opsec error. rc=-1 err=-100 General error in Certificate Authority
May 13 09:18:50 ::ffff:172.31.1.10 [ecs-ec-ingress.ecs-ec-ingress] [Thread-870535] com.q1labs.semsources.sources.LEA.LEAProvider: [ERROR] [NOT:0070003100][172.31.1.10/- -] [-/- -]Failed to pull the certificate for the LEA server 10.10.10.18.
May 13 09:18:50 ::ffff:172.31.1.10 [ecs-ec-ingress.ecs-ec-ingress] [Thread-870535] com.q1labs.semsources.sources.LEA.LEAProvider: [ERROR] [NOT:0070003100][172.31.1.10/- -] [-/- -]An error occured when trying to configure a source connection for provider LEA Provider 10.10.10.18
May 13 09:18:50 ::ffff:172.31.1.10 [ecs-ec-ingress.ecs-ec-ingress] [Thread-870535] com.q1labs.semsources.sources.LEA.LEAConfigurationException: Code=Failed to pull the certificate for the LEA server 10.10.10.18, Subcode=N/A, Reason=N/A
May 13 09:18:50 ::ffff:172.31.1.10 [ecs-ec-ingress.ecs-ec-ingress] [Thread-870535] at com.q1labs.semsources.sources.LEA.LEAProvider.preExecuteConfigure(LEAProvider.java:356)
May 13 09:18:50 ::ffff:172.31.1.10 [ecs-ec-ingress.ecs-ec-ingress] [Thread-870535] at com.q1labs.semsources.sources.base.SourceProvider.run(SourceProvider.java:181)
May 13 09:18:50 ::ffff:172.31.1.10 [ecs-ec-ingress.ecs-ec-ingress] [Thread-870538] com.q1labs.semsources.sources.LEA.LEASource: [ERROR] [NOT:0070003100][172.31.1.10/- -] [-/- -]There appears to be a configuration issue with the provider connection 'LEA Provider 10.10.10.18'.
I exported the certificate and copied it to the collector but I see the same error; the only error that is not generated again is the certificate error.
I would like to know if some of you have had success integrating the Check Point firewall with QRadar, what the best protocol to use is, and what I'm doing wrong.
I would really appreciate it if some of you could help me with this.
------------------------------
Johan Lopez
------------------------------
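The following is an added Python example, not part of the post above and not code from IBM or Check Point. It parses the qradar.error excerpt quoted in the post into its fields (timestamp, collector host, ECS component, thread, Java class, NOT id, message), ties the raw OPSEC rc/err line to the LEA server named by the other lines logged from the same thread, and summarises per LEA server whether the connection attempt died at the certificate pull. The regular expressions are fitted to the line shape shown in the post, the thread-based correlation is an assumption about how ECS logs one provider connection attempt per thread, and the sample input is the post's own lines.

```python
"""Triage OPSEC/LEA connection errors from a QRadar qradar.error excerpt.

Added example: groups LEAProvider/LEASource error lines by the LEA server
(the Check Point management server) they refer to, so a collector admin can
see at a glance which log source is failing and why.
"""
import re
from collections import defaultdict

# Sample input: the qradar.error lines quoted in the post above.
SAMPLE_LOG = """\
May 13 09:18:50 ::ffff:172.31.1.10 [ecs-ec-ingress.ecs-ec-ingress] [Thread-870535] com.q1labs.semsources.sources.LEA.LEAProvider: [ERROR] [NOT:0000003000][172.31.1.10/- -] [-/- -] Opsec error. rc=-1 err=-100 General error in Certificate Authority
May 13 09:18:50 ::ffff:172.31.1.10 [ecs-ec-ingress.ecs-ec-ingress] [Thread-870535] com.q1labs.semsources.sources.LEA.LEAProvider: [ERROR] [NOT:0070003100][172.31.1.10/- -] [-/- -]Failed to pull the certificate for the LEA server 10.10.10.18.
May 13 09:18:50 ::ffff:172.31.1.10 [ecs-ec-ingress.ecs-ec-ingress] [Thread-870535] com.q1labs.semsources.sources.LEA.LEAProvider: [ERROR] [NOT:0070003100][172.31.1.10/- -] [-/- -]An error occured when trying to configure a source connection for provider LEA Provider 10.10.10.18
May 13 09:18:50 ::ffff:172.31.1.10 [ecs-ec-ingress.ecs-ec-ingress] [Thread-870535] com.q1labs.semsources.sources.LEA.LEAConfigurationException: Code=Failed to pull the certificate for the LEA server 10.10.10.18, Subcode=N/A, Reason=N/A
May 13 09:18:50 ::ffff:172.31.1.10 [ecs-ec-ingress.ecs-ec-ingress] [Thread-870535] at com.q1labs.semsources.sources.LEA.LEAProvider.preExecuteConfigure(LEAProvider.java:356)
May 13 09:18:50 ::ffff:172.31.1.10 [ecs-ec-ingress.ecs-ec-ingress] [Thread-870535] at com.q1labs.semsources.sources.base.SourceProvider.run(SourceProvider.java:181)
May 13 09:18:50 ::ffff:172.31.1.10 [ecs-ec-ingress.ecs-ec-ingress] [Thread-870538] com.q1labs.semsources.sources.LEA.LEASource: [ERROR] [NOT:0070003100][172.31.1.10/- -] [-/- -]There appears to be a configuration issue with the provider connection 'LEA Provider 10.10.10.18'.
"""

# Common prefix of every line: syslog-style timestamp, collector host, ECS component, thread.
PREFIX_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) \[(?P<component>[^\]]+)\] \[(?P<thread>[^\]]+)\] (?P<body>.*)$")
# Body of a regular log line: Java class, level, notification id, two bracketed context fields, message.
ERROR_RE = re.compile(
    r"^(?P<cls>[\w.$]+): \[(?P<level>[A-Z]+)\] \[NOT:(?P<notid>\d+)\]"
    r"\[(?P<src>[^\]]*)\] \[(?P<ctx>[^\]]*)\] ?(?P<msg>.*)$")
# Body of an exception line: class name ending in "Exception", then its message.
EXC_RE = re.compile(r"^(?P<cls>[\w.$]+Exception): (?P<msg>.*)$")
# The LEA server IP as QRadar phrases it in these messages.
LEA_SERVER_RE = re.compile(r"LEA (?:server|Provider) (?P<ip>\d{1,3}(?:\.\d{1,3}){3})")
# The raw OPSEC SDK return code and error text.
OPSEC_RC_RE = re.compile(r"rc=(?P<rc>-?\d+) err=(?P<err>-?\d+) (?P<text>.*)$")


def parse_line(line):
    """Split one qradar.error line into prefix fields and classify its body.

    kind is "log", "exception", "frame" (a Java stack frame) or "other".
    Returns None for lines that do not carry the expected prefix.
    """
    m = PREFIX_RE.match(line.rstrip("\n"))
    if not m:
        return None
    rec = m.groupdict()
    body = rec.pop("body")
    e = ERROR_RE.match(body)
    if e:
        rec.update(e.groupdict(), kind="log")
    elif body.startswith("at "):
        rec.update(kind="frame", msg=body[3:])
    elif EXC_RE.match(body):
        rec.update(EXC_RE.match(body).groupdict(), kind="exception")
    else:
        rec.update(kind="other", msg=body)
    return rec


def triage(log_text):
    """Group LEA errors by the LEA server IP they concern.

    Lines that do not name a server (the OPSEC rc/err line) are attributed via
    the thread they were logged from (assumption: one connection attempt per thread).
    """
    by_thread = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["kind"] in ("log", "exception"):
            by_thread[rec["thread"]].append(rec)

    summary = {}
    for thread, recs in by_thread.items():
        ips = {ip for r in recs for ip in LEA_SERVER_RE.findall(r["msg"])}
        for ip in ips:  # threads naming no server are dropped: nothing ties them to a log source
            s = summary.setdefault(ip, {"threads": set(), "notification_ids": set(),
                                        "opsec_errors": [], "messages": [],
                                        "certificate_pull_failed": False})
            s["threads"].add(thread)
            for r in recs:
                s["messages"].append(r["msg"])
                if r.get("notid"):
                    s["notification_ids"].add(r["notid"])
                o = OPSEC_RC_RE.search(r["msg"])
                if o:
                    s["opsec_errors"].append({"rc": int(o["rc"]), "err": int(o["err"]), "text": o["text"]})
                if "Failed to pull the certificate" in r["msg"]:
                    s["certificate_pull_failed"] = True
    return summary


def report(summary):
    """Render the triage result as one human-readable line per LEA server."""
    lines = []
    for ip, s in sorted(summary.items()):
        parts = [f"LEA server {ip}: {len(s['messages'])} error lines across {len(s['threads'])} thread(s)"]
        parts += [f"OPSEC rc={o['rc']} err={o['err']} ({o['text']})" for o in s["opsec_errors"]]
        if s["certificate_pull_failed"]:
            parts.append("certificate pull from the management server FAILED")
        lines.append("; ".join(parts))
    return lines


if __name__ == "__main__":
    for line in report(triage(SAMPLE_LOG)):
        print(line)
```

Run it against a larger slice of /var/log/qradar.error (for example `python3 lea_triage.py < qradar.error` after swapping SAMPLE_LOG for `sys.stdin.read()`) and the per-server summary shows whether the failure is still the certificate pull or has moved on to a later stage of the OPSEC handshake, which is the first thing to establish before changing the log source again.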