
Splunk Add-on for Check Point OPSEC

LEA 2.1.1
Installation and Configuration Manual
Generated: 11/04/2014 6:30 am

Copyright (c) 2014 Splunk Inc. All Rights Reserved

Table of Contents
Introduction..........................................................................................................1
About the Splunk Add-on for Check Point OPSEC LEA...........................1
New to Splunk...........................................................................................2
How this add-on fits into the Splunk picture..............................................5
How to get support and learn more about Splunk.....................................6
Before you deploy................................................................................................7
Deployment Architecture...........................................................................7
Prerequisites.............................................................................................9
Hardware requirements...........................................................................11
What data does the add-on collect?........................................................13
Set up lea_loggrabber..............................................................................15
Set up forwarder......................................................................................17
Set up SSLCA authentication..................................................................17
Installation checklist..........................................................................................19
Installation Checklist...............................................................................19
Deploy the add-on..............................................................................................21
Install the Splunk Add-on for Check Point OPSEC LEA.........................21
Configure the LEA client.........................................................................26
Manage Connections.........................................................................................35
Manage connections...............................................................................35
Terminology.......................................................................................................38
Terminology............................................................................................38
Troubleshooting.................................................................................................40
Set debug logging level...........................................................................40
View debug logs......................................................................................40
Run lea-loggrabber manually..................................................................41
Basic Check Point debugging.................................................................41

Introduction
About the Splunk Add-on for Check Point OPSEC
LEA
The Splunk Add-on for Check Point OPSEC LEA lets you collect and analyze
firewall logs and audit logs from Check Point standalone FW-1 firewalls, standard
Multi-Domain Security Management (Provider-1) environments, and Provider-1
environments using the Multi-Domain Log Module (MLM).
The add-on uses the Check Point Log Export API (LEA) along with a customized
Splunk lea-loggrabber utility to poll your Check Point servers and collect log
data.
The Splunk Add-on for Check Point OPSEC LEA installation package includes
all of the files required to install and run the add-on on Linux (RHEL/CentOS 5.x
or 6.x only) or Solaris SPARC (version 10 or later).
You can download the package from Splunk Apps, then install the add-on
manually on your Splunk Enterprise deployment. Or install the add-on from the
Apps menu inside Splunk Web.

Feature Summary
The Splunk Add-on for Check Point OPSEC LEA includes these features:
Facilitates near-real-time log data analysis to help detect anomalous
behavior and maintain regulatory standards compliance.
Includes a UI to simplify Check Point data collection configuration.
Monitors firewall administrative activity.
Displays event throughput metrics for monitoring connection and system
health.
Hides the complexity of data collection from multiple firewalls in a single
technology add-on instance.

About Check Point logs

The Splunk Add-on for Check Point OPSEC LEA collects logs from Check Point
R75.10, R75.40, R76, and R77 firewalls, including:
Data from standalone FW-1 firewalls.
Data from multiple (10 to 100) Provider-1 firewalls, concurrently.
The Splunk Add-on for Check Point OPSEC LEA collects these log files:
Regular log files (*.log).
Account log files (*.alog).
Audit log files (*.adtlog).
Data collection uses the OPSEC LEA protocol over SSL.
Note: Support for Check Point R70 log data is discontinued in version 2.0.4 of
the Splunk Add-on for Check Point OPSEC LEA. For more information, see
Supported Check Point products and versions.

New to Splunk
If this is the first time you have used Splunk, then read on...this topic introduces
the most important Splunk concepts you need to understand when installing and
using Splunk apps.

Splunk and Splunk apps work together.


The key points to come away with are:
All Splunk apps run on the Splunk platform.
Understanding how Splunk works will greatly help you understand how
Splunk apps work.
Installing and configuring the app is only part of the experience - you might
need to prepare Splunk before installing your app.
Careful planning helps achieve a successful app deployment experience.

Splunk basics
Splunk is a software platform that accepts data from many different sources,
such as files or network streams. Splunk stores a unique copy of this data in
what's called an index. Once the data is there, you can connect to Splunk with
your web browser and run searches across that data. You can even make
reports or graphs on the data, right from within the browser.

You can extend Splunk's capability by installing apps. Splunk apps come with
searches, reports, and graphs about specific products that are common to most
IT departments. These searches, reports, and graphs reduce the amount of time
it takes to glean real value from installing and running the Splunk platform.
Before you can really understand how Splunk apps work, you should understand
how Splunk works. Fortunately, we've got you covered in that respect.
If you're new to Splunk, then the best place to learn more about it is in the Search
Tutorial. It helps you learn what Splunk is and what it does, as well as what you
need to run it and get step-by-step walk-throughs on how to set it up, get data
into it, search with it, and create reports and dashboards on it.
Licensing
The next thing you want to learn about is Splunk's licensing model. Splunk
charges you based on the amount of data you index. The licensing introduction
from the Admin Manual is a great place to start learning about how licenses
work. You can also find out the types of licenses that are available, how to install,
remove, and manage them, and what happens when you go over your license
quota.
In the context of Splunk apps, the amount of licensing capacity you need
depends on how each app defines the individual data inputs that it uses. Splunk
apps use inputs to tell Splunk what data it needs to collect for the app's purpose.
Some apps, such as the Splunk App for Enterprise Security, collect a lot of data,
which your license must cover in order for you to be able to search that data
without interruption. When planning for your app, make sure you include enough
licensing capacity.
Configuration
Much of Splunk's extensibility is in how configurable it is. You must configure
Splunk before it can collect data and extract knowledge. All Splunk apps use
configuration files to determine how to collect, transform, display, and provide
alerts for data. The Admin Manual shows you how to configure those files and
includes a reference topic for each configuration file that Splunk uses. In some
cases, you can also use Splunk Web or the CLI to make changes to a Splunk
app's configuration.
Splunk also uses configuration files to configure itself. When Splunk initializes, it
finds all of the configuration files located in the Splunk directory and merges them
to build a final "master" configuration, which it then runs on. When you install a
Splunk app on a Splunk instance, Splunk must determine which configuration
files to use if it encounters a conflict. This is where configuration file precedence
comes in.
It's important to understand how precedence works. In many cases, if there is a
configuration file conflict, Splunk gives priority to an app's configuration file. In
some situations, installing an app might inadvertently override a setting in a
configuration file in the core platform, which might lead to undesired results in
data collection. Be sure to read the previously mentioned topic thoroughly for
details.
Splunk Search
Splunk provides the ability to look through all the data it indexes and create
dashboards, reports, and even alerts. All Splunk apps rely on Splunk search, so
it's a good idea to read the Search Manual's overview on search to learn how
powerful Splunk's search engine is (the Tutorial is also a good place to learn
about Splunk search.)
You should also have an understanding of Splunk's search language. Splunk
apps use the search language extensively to put together search results and
knowledge objects which drive their dashboards, reports, charts, and tables.
Finally, it's a good idea to familiarize yourself with the search commands in the
Search Reference Manual. That manual describes the commands that both
Splunk and your Splunk app can use.
Sources and source types
When Splunk indexes data, it does so from a source - an entity that provides
data for Splunk to extract, for example, Windows event logs, or *nix syslogs.
Splunk tags incoming data with a "source" field as it gets indexed. The source
type is an indicator for the type of data, so that Splunk knows how to properly
format and extract it as it comes in. It's also - conveniently enough - a way to
categorize data, as you can use Splunk search to display all data of a certain
source type.
Splunk apps use sources and source types to extract knowledge from the data
they index. Many views in an application depend on searches with specific
sources and source types defined in them. Splunk apps sometimes use the
source types that come with Splunk, and sometimes they define their own.

Capacity planning and distributed Splunk


Another important factor to consider when using a Splunk app: Do you have
enough hardware to realistically support a deployment for the Splunk app you're
using? Read our capacity planning documentation for a head-start on ensuring
you have the machinery in place to run your Splunk app deployment at peak
performance.
Learning about capacity planning is a perfect time to introduce another concept
with which you should be familiar: distributed search. Nearly every Splunk app
available can use distributed search, and many were developed with distributed
search in mind. What this means is that you must work with multiple Splunk
instances at once - with each instance playing a specific role - to use the app to
its full potential. Initially, you add indexers to increase indexing performance, then
you add search heads to increase search performance. The Distributed
Deployment Manual provides details on how to add more Splunk instances to
keep up with your app's performance demands.

What's next?
From this point, you are ready to plan your app deployment. Continue reading for
information about how this app fits into the Splunk picture, platform and hardware
requirements, and other deployment considerations.

How this add-on fits into the Splunk picture


The Splunk Add-on for Check Point OPSEC LEA is one of a variety of apps and
add-ons available in the Splunk ecosystem. All Splunk apps and add-ons run on
top of a Splunk Enterprise installation, so you must first install Splunk Enterprise,
then install the Splunk Add-on for Check Point OPSEC LEA. For
installation instructions, see "Install the Splunk Add-on for Check Point OPSEC
LEA" later in this manual.
The Splunk Add-on for Check Point OPSEC LEA is compatible with the Common
Information Model (CIM) and can be integrated with the Splunk App for
Enterprise Security (ES) and the Splunk App for PCI Compliance (PCI). For
more information, see:
Splunk App for Enterprise Security: Version 1.x, 2.x and later
supported. See Add a custom technology add-on to an app. Make sure to
review the Known Issues described in the ES Release Notes.
Splunk App for PCI Compliance: See Install technology add-ons. Make
sure to review the Known Issues described in the PCI Release Notes.
For more information about Splunk apps and add-ons, see "What are apps and
add-ons?" in the Splunk Admin Manual.

How to get support and learn more about Splunk


Get Support
To get help with the Splunk Add-on for Check Point OPSEC LEA, send an email
to support@splunk.com, or use the Splunk Support Portal to log a support case.
If your Splunk deployment is large or complex, contact the Splunk Professional
Services team to help you deploy the Splunk Add-on for Check Point OPSEC
LEA.

Learn more
This list includes a variety of resources available to help you learn more about
Splunk and the Splunk Add-on for Check Point OPSEC LEA.
The core Splunk documentation
Splunk Answers
The #splunk IRC channel on EFNET:
http://www.splunk.com/view/SP-CAAACDF
Download the Splunk Add-on for Check Point OPSEC LEA:
http://apps.splunk.com/app/263
Documentation (OPSEC LEA specific):
http://docs.splunk.com/Documentation/OPSEC-LEA
Questions and answers (OPSEC LEA specific):
http://answers.splunk.com/tags/?q=opsec
General Splunk support: http://www.splunk.com/support

Before you deploy


Deployment Architecture
The Splunk Add-on for Check Point OPSEC LEA is typically installed on a Splunk
light or heavy (but not universal) forwarder and configured to pull data from a
remote Check Point device. The add-on must also be installed on Splunk indexers
and search heads to provide index-time and search-time knowledge.
For smaller scale environments, all of the Splunk components may be installed
on the same hardware instance, running either a Linux (RHEL/CentOS 5.x or 6.x)
or Solaris SPARC version 10 or later operating system. For supported Check
Point products/versions and additional compatibility information, see
Prerequisites.

How it works
The Splunk Add-on for Check Point OPSEC LEA communicates with the Check
Point environment to retrieve log records, using the Check Point Log Export API
(LEA). The lea-loggrabber utility implements the client side of the LEA protocol.
The Splunk version of lea-loggrabber is derived from the commonly used
FW1-Loggrabber.
Collected Check Point log data is forwarded to Splunk indexers and, eventually,
a search head for creating Splunk knowledge objects. The Splunk Add-on for
Check Point OPSEC LEA integrates with other apps and add-ons, including the
Splunk App for Enterprise Security (ES). When the ES application is installed, its
traffic and access/audit dashboards are populated with Check Point log data.
This figure shows the Check Point and Splunk Add-on for Check Point OPSEC
LEA communication paths for configuration and for transferring log data, in a
standard Multi-Domain Server (MDS) Provider-1 environment:

Callout description:
The Splunk Add-on for Check Point OPSEC LEA is installed on your Splunk
forwarder, indexer, and search head, as applicable:
Forwarder (data acquisition): Authenticates communication between the
Splunk and Check Point environments and periodically polls Check
Point log data, using lea-loggrabber. For optimum performance,
Splunk recommends using a heavy forwarder (see Types of
forwarders). Use the Splunk Add-on for Check Point OPSEC LEA UI
to configure the Splunk/Check Point interface.
Indexer: Indexes Check Point firewall and audit data.
Search head: Provides search-time knowledge for field extractions
and event types.
In some environments, it may be desirable to perform authentication using
the CLI, instead of the UI.
Use the Check Point SmartDashboard to:
Create the Splunk OPSEC application (SplunkLEA).
Create the OPSEC application certificate.
Add firewall rules.
Verify that trust is established.
Install the database.
The Splunk Add-on for Check Point OPSEC LEA periodically polls the Check
Point server, using the lea-loggrabber utility (LEA), to collect security
and audit log records.
Log data are transmitted to the Splunk Add-on for Check Point OPSEC LEA
in response to lea-loggrabber requests.

Prerequisites
General system requirements for installing and running Splunk applications are
covered in the System Requirements section of the Splunk Enterprise Installation
Manual.

Splunk Enterprise version


The Splunk Add-on for Check Point OPSEC LEA is dependent on the Splunk
Enterprise platform, which must be installed and configured prior to installing the
Splunk Add-on for Check Point OPSEC LEA.
The Splunk Add-on for Check Point OPSEC LEA version 2.1 requires Splunk
Enterprise version 6.0.3 or later.
For detailed information on Splunk component and hardware requirements, see
Hardware requirements.

Supported Check Point products and versions


The Splunk Add-on for Check Point OPSEC LEA supports these Check Point
products:
Standalone FireWall-1 NGX
Multi-Domain Security Management (Provider-1)
Provider-1 with Multi-Domain Log Module (MLM)
Supported firewall Versions:
R75.10
R75.40
R76
R77

Supported operating systems


These operating system requirements apply to the Splunk forwarder only. The
search head and indexer can be hosted on any platform.
Linux
RHEL/CentOS 5.x or 6.x. No other Linux variants.
Linux kernel version 2.6.x or later (x86_64).
Bash, version 3 or later. If you are using an earlier version of Bash, edit
the lea-loggrabber.sh script to pass the application name instead of
using the BASH_SOURCE shell variable. See "Set up lea_loggrabber".
GNU C library, 32-bit (glibc.i686). Install using: yum install glibc.i686
PAM shared libraries, 32-bit (pam.i686). Install using: yum install pam.i686
Solaris
Solaris SPARC version 10 or later.

Supported file systems

Platform    File systems
Linux       ext2/3/4, reiser3, XFS, NFS 3/4
Solaris     NFS 3/4

For more information on Splunk supported file systems, see "Supported file
systems" in the Splunk Enterprise Installation Manual.

Supported browsers
The Splunk Add-on for Check Point OPSEC LEA version 2.1 supports these
browsers:
Chrome (latest)
Safari (latest)
Firefox (latest) (version 10.x is not supported)
Internet Explorer 9 or later. Internet Explorer 9 is not supported in
compatibility mode.

Splunk licensing
Splunk licenses are based on the amount of data stored by your Splunk indexers
per day. For detailed information, see "How Splunk licensing works."


Other prerequisites
For Check Point server authentication to work, the $HOME directory must be
writable by the Linux account that Splunk is running as.

Hardware requirements
Before installing the Splunk Add-on for Check Point OPSEC LEA, make sure that
your underlying Splunk Enterprise deployment meets the requirements specified
in "Introduction to capacity planning for Splunk Enterprise" in the Splunk
Enterprise Capacity Planning Manual.
For details on Splunk component performance specifications and reference
hardware requirements, see "Reference hardware" in the Splunk Enterprise
Installation Manual.
For recommendations on scaling your Splunk Enterprise deployment for your
specific performance requirements, see the "Performance questionnaire" in the
Splunk Enterprise Installation Manual.
Note: Reference hardware recommendations refer only to the Splunk Enterprise
deployment on which your Splunk Add-on for Check Point OPSEC LEA runs.
Depending on the throughput of your OPSEC LEA connections, additional
indexer capacity might be required. See Indexer requirements.

Splunk component requirements


Install the Splunk Add-on for Check Point OPSEC LEA on your Splunk forwarder,
indexer, and search head, as applicable to your deployment. For a detailed view
of a standard Splunk Add-on for Check Point OPSEC LEA deployment, see
"Deployment architecture".
Forwarder: The forwarder collects Check Point log data from the OPSEC
LEA connection, and sends it to your Splunk indexer(s). Use light
forwarders or heavy forwarders only. Do not use universal forwarders. For
best performance, we recommend that you use a heavy forwarder. See
Types of forwarders. The forwarder also:
authenticates communication between Splunk and Check Point
environments;
polls the Check Point environment for log data at default intervals of
30 seconds, using lea-loggrabber;
and provides a UI to configure the Splunk/Check Point interface.
Indexer: Indexers receive and index Check Point log data sent from the
Splunk forwarder. Indexers provide index time settings for Check Point
firewall and audit data. To avoid load conditions that can introduce
latency, make sure that your Splunk Enterprise deployment includes
sufficient indexer capacity. See Indexer requirements.
Search head: The search head is where you perform search and analysis
operations on your Check Point log data. Search Heads provide search
time knowledge for field extractions and event types.
Forwarders must be installed on Linux (RHEL/CentOS 5.x and 6.x) or Solaris
SPARC (version 10 or later) hosts only. Search head and indexers can be
installed on any Splunk Enterprise compatible operating system.
Note: Data collection on search heads or indexers is not recommended for larger
deployments.
For more information about Splunk components, see "Components of a Splunk
Enterprise deployment" in the Splunk Enterprise Capacity Planning Manual.

Indexer requirements
It is important that your Splunk Add-on for Check Point OPSEC LEA deployment
includes sufficient indexer capacity to handle the incoming load. An insufficient
number of indexers can negatively impact performance and introduce latency
into your system.
Follow these steps, and refer to the chart below, to determine your indexer
requirements:
1. Determine the average eps (events per second) of all combined OPSEC LEA
connections. You can run a Splunk search to find this. For example:
source=*my_connection* | bin _time span=1s | stats count as eps by _time | stats avg(eps)

You can run this search by sourcetype (sourcetype="opsec"), per source (as
shown above), or across all of your connections at once. To get a useful baseline
sample, run the search across peak hours of the previous day, for several
consecutive days.
2. If the total average eps from all combined OPSEC LEA connections exceeds
13k eps, add one additional indexer to your deployment for each 13k eps
increment:

Total events per second (eps)    Number of indexers
< 13k eps                        1
13k-26k eps                      2
26k-39k eps                      3
39k-52k eps                      4
> 52k eps                        Add one indexer for each additional 13k eps increment

Note: A single Splunk indexer can accept any number of OPSEC LEA
connections, so long as the rate of input does not exceed 13k eps for that
indexer.

For more information on Splunk indexers, see "How indexing works" in the
Managing Indexers and Clusters manual.
Important: These indexer requirements are in addition to the processing
requirements of your Splunk Enterprise deployment on which this add-on runs.
For more information on Splunk Enterprise requirements, see the Capacity
Planning manual.

What data does the add-on collect?


About log record collection
The Splunk Add-on for Check Point OPSEC LEA hides the complexity of Check
Point log record collection. In addition to collecting firewall security logs and audit
logs, the add-on:
Performs log roll-over (switching).
Handles latency in extended networks.
Recovers from communication errors.
The add-on implements the client side of the LEA protocol and either
auto-detects environment configuration parameters, or provides for parameter
configuration through the UI.

The lea-loggrabber utility polls the Check Point logs every thirty seconds, by
default. The polling period is configurable. The Splunk client application tracks
the position of the last Check Point log it received. If for some reason it cannot
retrieve logs from the server, it begins record collection where it last left off after
communication is restored.
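The position tracking just described, modelled as an added example; this is not the add-on's or lea-loggrabber's code. The in-memory FakeLogServer stands in for a Check Point log server, and the JSON checkpoint file, the record strings and the method names are assumptions made for the example. It shows the three behaviours the paragraph lists: collect only records newer than the last (fileid, loc) position, resume from that position after a communication error, and walk forward into the next log file when the server rolls over.

```python
"""Resumable log collection keyed on a (fileid, loc) checkpoint.

Added example for this manual, not the add-on's or lea-loggrabber's code.
FakeLogServer, the JSON checkpoint file and the record strings are
assumptions made for the illustration.
"""
import json
import os
import tempfile


class FakeLogServer:
    """Ordered log files (oldest first); the last one is the active log."""

    def __init__(self, files):
        self.files = dict(files)   # fileid -> list of record strings
        self.fail_on = None        # fileid whose next read raises, to simulate an outage

    def file_ids(self):
        return list(self.files)

    def append(self, fileid, record):
        self.files.setdefault(fileid, []).append(record)

    def read(self, fileid, after_loc):
        """(loc, record) pairs with loc > after_loc; loc is the 1-based
        position of the record in its file, like the add-on's loc field."""
        if self.fail_on == fileid:
            self.fail_on = None
            raise ConnectionError("LEA session to log server lost")
        return [(loc, rec) for loc, rec in enumerate(self.files[fileid], 1)
                if loc > after_loc]


class Collector:
    """One polling client. The checkpoint is replaced atomically after each
    record, so an error never loses or duplicates records already handed on."""

    def __init__(self, server, checkpoint_path):
        self.server = server
        self.checkpoint_path = checkpoint_path

    def load_checkpoint(self):
        try:
            with open(self.checkpoint_path) as fh:
                return json.load(fh)
        except FileNotFoundError:
            return {"fileid": None, "loc": 0}

    def save_checkpoint(self, fileid, loc):
        tmp = self.checkpoint_path + ".tmp"
        with open(tmp, "w") as fh:
            json.dump({"fileid": fileid, "loc": loc}, fh)
        os.replace(tmp, self.checkpoint_path)   # atomic rename on POSIX

    def poll(self):
        """One cycle: every record newer than the checkpoint, walking forward
        across rolled-over files. On a communication error, stop and keep what
        was collected; the next poll resumes from the saved position."""
        cp = self.load_checkpoint()
        ids = self.server.file_ids()
        if cp["fileid"] in ids:
            start = ids.index(cp["fileid"])
        else:   # first run, or the checkpointed file is gone: start at the oldest file
            start, cp = 0, {"fileid": None, "loc": 0}
        collected = []
        for fileid in ids[start:]:
            after = cp["loc"] if fileid == cp["fileid"] else 0
            try:
                batch = self.server.read(fileid, after)
            except ConnectionError:
                break
            for loc, record in batch:
                collected.append((fileid, loc, record))
                self.save_checkpoint(fileid, loc)
        return collected


def run_scenario():
    """Drive the collector through an outage and a roll-over; returns a summary."""
    server = FakeLogServer({"log-1": ["a1", "a2", "a3"], "log-2": ["b1", "b2"]})
    with tempfile.TemporaryDirectory() as tmpdir:
        collector = Collector(server, os.path.join(tmpdir, "checkpoint.json"))
        out = {}
        server.fail_on = "log-2"                               # outage during the first cycle
        out["first"] = [r for _, _, r in collector.poll()]
        out["cp_after_first"] = collector.load_checkpoint()
        out["second"] = [r for _, _, r in collector.poll()]   # resumes where it left off
        out["idle"] = collector.poll()                         # nothing new
        server.append("log-2", "b3")
        server.append("log-3", "c1")                           # roll-over to a new file
        out["third"] = [r for _, _, r in collector.poll()]
        out["cp_final"] = collector.load_checkpoint()
    return out


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(key, value)
```

Persisting the checkpoint after every record is the simplest way to make the at-least-once guarantee visible; a production collector would batch the writes but must still write the position before acknowledging the records downstream.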

What data is logged?


The Splunk Add-on for Check Point OPSEC LEA retrieves Check Point security
and account data. For more information, see the Check Point LEA (Log Export API)
Specification (refer to LEA.pdf, p.20, 25).
Splunk extracts key-value pairs from Check Point log records and creates the
corresponding fields. Additionally, the following data items are provided:
fileid The file ID of the Check Point log file.
loc The position of the record in the log file.
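A parser for records in this shape, added as an example; it is not code from the add-on or from fw1-loggrabber. It assumes fw1-loggrabber's default output of one record per line with key=value fields joined by "|", and the sample records, addresses and rule numbers are constructed. Beyond parsing, it checks that every record carries the fileid and loc markers a collector checkpoints on, derives the per-second event rate the way the search in "Indexer requirements" does, and applies that section's sizing rule of one indexer per 13k eps.

```python
"""Parse Check Point records as fw1-loggrabber emits them, then derive the
event rate and the indexer count given by this manual's sizing rule.

Added example for this manual, not code from the add-on or fw1-loggrabber.
Assumes one record per line, key=value fields joined by '|' (fw1-loggrabber's
default record separator). The sample records are constructed.
"""
import math
from collections import Counter

EPS_PER_INDEXER = 13_000   # sizing rule from "Indexer requirements"

# Constructed sample records: three seconds of traffic seen by one gateway.
SAMPLE_RECORDS = """\
loc=1|fileid=1396587600|time=13Mar2014 10:22:01|action=accept|orig=10.1.1.1|i/f_dir=inbound|src=192.0.2.10|dst=198.51.100.5|proto=tcp|service=443|rule=12
loc=2|fileid=1396587600|time=13Mar2014 10:22:01|action=drop|orig=10.1.1.1|i/f_dir=inbound|src=203.0.113.7|dst=198.51.100.5|proto=tcp|service=22|rule=0
loc=3|fileid=1396587600|time=13Mar2014 10:22:02|action=drop|orig=10.1.1.1|i/f_dir=inbound|src=203.0.113.7|dst=198.51.100.6|proto=tcp|service=22|rule=0
loc=4|fileid=1396587600|time=13Mar2014 10:22:02|action=accept|orig=10.1.1.1|i/f_dir=outbound|src=198.51.100.5|dst=192.0.2.10|proto=tcp|service=443|rule=12
loc=5|fileid=1396587600|time=13Mar2014 10:22:03|action=drop|orig=10.1.1.1|i/f_dir=inbound|src=203.0.113.7|dst=198.51.100.7|proto=tcp|service=22|rule=0
"""


def parse_record(line, separator="|"):
    """Split one record into a dict. Values may contain '=' themselves, so
    each field is split on the first '=' only; a field without '=' is kept
    under its own name with an empty value rather than dropped."""
    record = {}
    for field in line.rstrip("\n").split(separator):
        if not field:
            continue
        key, sep, value = field.partition("=")
        record[key.strip()] = value.strip() if sep else ""
    # fileid and loc are the add-on's position markers: insist that both are
    # present and numeric, otherwise a collector could not checkpoint on them.
    for key in ("fileid", "loc"):
        if not record.get(key, "").isdigit():
            raise ValueError("record without numeric %s: %r" % (key, line))
    return record


def parse_records(text):
    """Parse every non-empty line of a loggrabber output stream."""
    return [parse_record(line) for line in text.splitlines() if line.strip()]


def drops_by_source(records):
    """Dropped connections per source address, a first-pass scan indicator."""
    return Counter(r["src"] for r in records if r.get("action") == "drop")


def average_eps(records):
    """Events per second averaged over the seconds that contain events, the
    figure the manual's search (stats count by _time, then avg) reports."""
    if not records:
        return 0.0
    per_second = Counter(r["time"] for r in records)
    return sum(per_second.values()) / len(per_second)


def indexers_required(eps):
    """One indexer per 13k eps, rounded up, never fewer than one."""
    return max(1, math.ceil(eps / EPS_PER_INDEXER))


if __name__ == "__main__":
    recs = parse_records(SAMPLE_RECORDS)
    print("records:", len(recs))
    print("drops by src:", dict(drops_by_source(recs)))
    print("avg eps: %.2f" % average_eps(recs))
    for eps in (5_000, 13_000, 13_001, 40_000, 60_000):
        print("%6d eps -> %d indexer(s)" % (eps, indexers_required(eps)))
```

The 13k boundary follows step 2 of "Indexer requirements": a rate that only reaches 13k eps still fits one indexer, and the next indexer is added as soon as it is exceeded.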

Sourcetype
The Splunk Add-on for Check Point OPSEC LEA associates the
following sourcetypes with the key-value pairs:
opsec Firewall security data has the opsec sourcetype.
opsec_audit Audit/account data has the opsec_audit sourcetype.
(user-defined) You can define a custom sourcetype to associate with the
key-value pairs.
The desired sourcetype is selected, or specified, in the UI.
Note: Splunk recommends that you use the default audit log sourcetype name,
opsec_audit. If you change the sourcetype, you must also edit the props.conf
file in $SPLUNK_HOME/etc/apps/Splunk_TA_opseclea/local so that the Splunk
processing properties, such as field extractions and line breaking, apply to the
new sourcetype name.
For more information about sourcetype, see:
Splexicon > sourcetype
Getting Data In


Filtering log data


You can specify the type of log data to collect by manually editing the
fw1-loggrabber.conf file located in the
$SPLUNK_HOME/etc/apps/Splunk_TA_opseclea/bin directory.
Refer to the fw1-loggrabber manpage for detailed information about configuring
log data collection. In the CONFIGURATION FILE section, see the
FW1_FILTER_RULE and AUDIT_FILTER_RULE property descriptions, which
refer to examples in the FILTERING section.

Set up lea_loggrabber
For information on lea_loggrabber configuration, see the fw1-loggrabber manpage.
Note: The FW1_FILTER_RULE option described in the manpage CONFIGURATION
FILE section (fw1-loggrabber.conf) does not work. See Known issues.
Warning: We strongly recommend that you do not modify fw1-loggrabber
options in the fw1-loggrabber.conf file. Changing these options can cause
REST conflicts.

Bash version
If you are using a version of Bash older than version 3, edit the
lea-loggrabber.sh script to pass the application name instead of using the
BASH_SOURCE shell variable.
1. Go to $SPLUNK_HOME/etc/apps/Splunk_TA_opseclea/bin.
2. Enter ./lea-loggrabber.sh "$@" --appname Splunk_TA_opseclea
Note: This applies to Linux environments only.

Specify audit log collection


The lea-loggrabber utility lets you collect audit logs by specifying the --auditlog
parameter in the command line. While you can specify audit log collection by
manually editing the lea-loggrabber.sh script, we strongly recommend that you
specify audit log collection in the Splunk Add-on for Check Point OPSEC LEA UI.


FW-1 loggrabber license agreement

/******************************************************************************/
/* fw1-loggrabber - (C)2005 Torsten Fellhauer, Xiaodong Lin                   */
/******************************************************************************/
/* Version: 1.11.1                                                            */
/******************************************************************************/
/*                                                                            */
/* Copyright (c) 2005 Torsten Fellhauer, Xiaodong Lin                         */
/* All rights reserved.                                                       */
/*                                                                            */
/* Redistribution and use in source and binary forms, with or without         */
/* modification, are permitted provided that the following conditions         */
/* are met:                                                                   */
/* 1. Redistributions of source code must retain the above copyright          */
/*    notice, this list of conditions and the following disclaimer.           */
/* 2. Redistributions in binary form must reproduce the above copyright       */
/*    notice, this list of conditions and the following disclaimer in the     */
/*    documentation and/or other materials provided with the distribution.    */
/*                                                                            */
/* THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND     */
/* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE      */
/* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE */
/* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE     */
/* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL */
/* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS    */
/* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)      */
/* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT */
/* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY  */
/* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF     */
/* SUCH DAMAGE.                                                               */
/*                                                                            */
/******************************************************************************/

Set up forwarder
For most use cases, we recommend that you install the Splunk Add-on for Check
Point OPSEC LEA on a Splunk forwarder. You can install the add-on on a light
forwarder or heavy forwarder, but not a universal forwarder.
If you install the Splunk Add-on for Check Point OPSEC LEA on a forwarder, make
sure that Splunk Web is enabled, because the configuration UI runs in it. The
forwarder app (<forwarderType>, for example SplunkLightForwarder) ships a
default/web.conf that turns Splunk Web off. Do not edit that default file, which is
overwritten on upgrade; instead create
$SPLUNK_HOME/etc/apps/<forwarderType>/local/web.conf, which takes precedence,
with the following content, and restart Splunk:
[settings]
startwebserver = 1

Because Splunk Web on the forwarder exposes the add-on's connection settings,
restrict access to the forwarder's Splunk Web port to administrators.

Note: To run the Splunk Add-on for Check Point OPSEC LEA, the forwarder
must be installed on either a Linux (RHEL/CentOS 5.x or 6.x only) or Solaris
SPARC (version 10 or later) operating system.

Set up SSLCA authentication


Check Point recommends SSLCA as the default authentication method.
Changes to the fwopsec.conf and sic_policy.conf files (both in $FWDIR/conf on
the management server or CMA) are not recommended, and are not supported
during upgrade. Make sure the fwopsec.conf and sic_policy.conf files have the
default settings for LEA. In particular, the ssl_opsec auth_type is not supported.
Note: The Splunk Add-on for OPSEC LEA version 1.1 required changes to
these files. If you installed version 1.1, you must restore the files to their default
values, as follows:
1. SSH into the Management Server (or Provider-1 CMA) and enter expert mode.
In a Provider-1 environment, then switch to the CMA's environment:
mdsenv <CMA_IP_Address>

2. Confirm that the fwopsec.conf file has no entries related to the LEA server.
3. Confirm that the sic_policy.conf file has the following default entries for #LEA:
#LEA:
ANY ; ANY ; 18184 ; fwn1_opsec ; fwn1, local_ipcheck

4. If you have made changes to either file, restart the server or CMA:
cpstop
cpstart
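One way to confirm steps 2 and 3 without reading the files by eye, added here as an example; it is not Check Point's or Splunk's code. It works on file contents passed in as strings so it can run anywhere, and the sample contents are constructed. It assumes Check Point's usual conventions: LEA server directives in fwopsec.conf start with the keyword lea_server, "#" starts a comment in both files, and absent lea_server entries mean the built-in defaults (SSLCA on port 18184) apply. Run it on the management server against $FWDIR/conf/fwopsec.conf and $FWDIR/conf/sic_policy.conf.

```python
"""Confirm that fwopsec.conf and sic_policy.conf carry the LEA defaults that
SSLCA authentication relies on (steps 2 and 3 above).

Added example for this manual, not Check Point's or Splunk's code. Assumed
conventions: lea_server starts every LEA server directive in fwopsec.conf,
and '#' starts a comment in both files. Sample contents are constructed.
"""
import re
import sys

# Default LEA policy line from step 3, compared after whitespace normalisation.
DEFAULT_LEA_POLICY = "ANY ; ANY ; 18184 ; fwn1_opsec ; fwn1, local_ipcheck"

# Constructed samples: one pair at the defaults, one pair edited away from them.
FWOPSEC_DEFAULT = "# fwopsec.conf\n# sam_server port 0\n"
FWOPSEC_MODIFIED = ("lea_server port 0\n"
                    "lea_server auth_port 18184\n"
                    "lea_server auth_type sslca\n")
SIC_POLICY_DEFAULT = "#LEA:\nANY ; ANY ; 18184 ; fwn1_opsec ; fwn1, local_ipcheck\n"
SIC_POLICY_MODIFIED = "#LEA:\nANY ; ANY ; 18184 ; ssl_opsec ; fwn1, local_ipcheck\n"


def _normalise(line):
    """Drop comments and spacing differences so only real edits are flagged."""
    line = line.split("#", 1)[0]
    line = re.sub(r"\s*([;,])\s*", r"\1", line)   # spacing around separators
    return re.sub(r"\s+", " ", line).strip()


def _active_lines(text):
    return [n for n in (_normalise(ln) for ln in text.splitlines()) if n]


def check_fwopsec(text):
    """Step 2: every uncommented lea_server entry (there should be none)."""
    return [ln for ln in _active_lines(text) if ln.startswith("lea_server")]


def check_sic_policy(text):
    """Step 3: True when the default LEA policy line is present unchanged."""
    return _normalise(DEFAULT_LEA_POLICY) in _active_lines(text)


def lea_defaults_findings(fwopsec_text, sic_policy_text):
    """Findings for both files; an empty list means both are at the defaults."""
    findings = ["fwopsec.conf: non-default entry: " + ln
                for ln in check_fwopsec(fwopsec_text)]
    if not check_sic_policy(sic_policy_text):
        findings.append("sic_policy.conf: default LEA line missing or modified")
    return findings


if __name__ == "__main__":
    # Usage on the management server or CMA:
    #   python check_lea_defaults.py $FWDIR/conf/fwopsec.conf $FWDIR/conf/sic_policy.conf
    if len(sys.argv) == 3:
        with open(sys.argv[1]) as f1, open(sys.argv[2]) as f2:
            texts = (f1.read(), f2.read())
    else:
        texts = (FWOPSEC_MODIFIED, SIC_POLICY_MODIFIED)   # demo on the constructed samples
    problems = lea_defaults_findings(*texts)
    print("\n".join(problems) if problems else "LEA defaults in place")
    sys.exit(1 if problems else 0)
```

A non-zero exit status on findings lets the check sit in a pre-upgrade script, which matters because the manual warns that edits to these two files are not supported during upgrade.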


Installation checklist
Installation Checklist
Use this checklist to verify your installation process. Each item links to detailed
information about how to perform the required step.

Preliminary steps
Verify that the system running your Splunk instance meets the minimum
requirements.
(Linux-only) Set up lea_loggrabber.
Set up forwarder(s), if applicable.
Set up SSLCA authentication.

Basic steps
Download and install Splunk.
Download and install the Splunk Add-on for Check Point OPSEC LEA for your
operating system.
Verify LEA settings. Create the Splunk OPSEC application, if necessary.
Create the OPSEC application certificate, adding SplunkLEA to the OPSEC
Application list.
If there are firewalls between Splunk and the management server, add new
firewall rules.
Install the database.

Configure the LEA client via the Splunk Add-on for OPSEC
LEA UI or via command line
Connect to the Management Server (FW-1), or CMA or CLM (Provider-1).


Pull the certificate for SplunkLEA, creating the <opsecAppName>.p12 file.


Configure SIC details.
Verify that a trusted state is established for SplunkLEA.

Follow-up steps
Verify that Splunk is indexing data.
If you need to debug a problem, set the debug logging level.
Set the log record checkpoint value for networks with large latency.

Deploy the add-on


Install the Splunk Add-on for Check Point OPSEC
LEA
These instructions show you how to install the Splunk Add-on for Check Point
OPSEC LEA so that you can collect logs from Check Point FW-1 and Provider-1
servers.
The configuration process for both servers is essentially the same. The only
difference is that the SmartDashboard communicates with the Management
Server that manages multiple FW-1 instances, while the CMA is an instance of a
management server in the Provider-1 context. (Substitute Management Server
for CMA, as applicable, in these procedures.)
These instructions assume familiarity with the Check Point environment. Check
Point server and application deployment instructions are not included.
Note: Upgrade is not supported for the Splunk add-on for Check Point OPSEC
LEA version 1.1.

Step 1 - Install Splunk


Note: Skip this step if Splunk is already installed on your search head.
Install Splunk on a Linux-based search head as follows:
1. Download the applicable Splunk RPM/DEB package or tar file for your Linux
distribution to a temporary directory. You can find the latest release on the
Splunk download site: http://www.splunk.com/download.
2. Click the *nix distribution in the Installer column compatible with your
hardware and operating system to download Splunk. You may need to log in or
create an account, if you don't already have one. Save the file to a temporary
directory.
3. Extract the saved tar file under /opt; this creates /opt/splunk, which is your
$SPLUNK_HOME directory. (If you downloaded an RPM or DEB package, install it
with your package manager instead.)
4. Add $SPLUNK_HOME/bin to your PATH environment variable.
5. To download and install the Splunk Add-on for Check Point OPSEC LEA using
Splunk Web, you must launch Splunk:
./splunk start

For a new installation, you must add the --accept-license argument to accept
the license agreement:
./splunk start --accept-license

For information covering other installation use cases, see the step-by-step
installation instructions.

Step 2 - Install the Splunk Add-on for Check Point OPSEC LEA
Splunk provides separate installation packages (.tgz) for Linux and Solaris
platforms:
Linux: splunk-add-on-for-check-point-opsec-lea-linux_204.tgz
Solaris: splunk-add-on-for-check-point-opsec-lea-solaris_204.tgz
For most use cases, we recommend that you install the appropriate package for
your platform on a Splunk forwarder (light forwarder or heavy forwarder only).
While you can install the Splunk Add-on for Check Point OPSEC LEA on a
Windows indexer/search head to collect data, the UI is supported on Linux and
Solaris platforms only.
If you want to integrate the Splunk Add-on for Check Point OPSEC LEA with the
Splunk App for Enterprise Security, follow the instructions in Add a custom
technology add-on to an app. We also recommend reviewing the known issues
listed in the Splunk App for Enterprise Security Release Notes prior to
installation.
To install the Splunk Add-on for Check Point OPSEC LEA:
1. Download the appropriate installation package (.tgz) for your platform from
Splunk Apps:
Splunk Add-on for Check Point OPSEC LEA - Linux
Splunk Add-on for Check Point OPSEC LEA - Solaris
2. Click Download and accept the terms and conditions of the Splunk license
agreement.
3. Log in, if requested, and save the .tgz file to a temporary location.
4. Open Splunk Web.
Note: If you are using Internet Explorer, Splunk Web running locally,
http://localhost:8000, must be added as a trusted site, or the UI might not
work as expected.
5. Click Apps > Manage Apps.
6. Click the Install app from file button.
7. Browse to the installation package (.tgz) that you downloaded to a temporary
location, and click Upload. If you are upgrading from an earlier version of the
add-on, check the Upgrade app box. This overwrites the earlier version of the
add-on with the newer version.
Note: If you receive an "App name already exists" error when uploading the
installation package, check the Upgrade app checkbox and repeat the upload.
In most cases, this resolves the error.
8. Click Restart Splunk when prompted, or restart Splunk via the command line,
as shown:
./splunk restart

Upgrade the Splunk Add-on for Check Point OPSEC LEA


If you are upgrading from an earlier version of the Splunk Add-on for Check Point
OPSEC LEA, you must select the Upgrade app check box in the installation
package upload window, prior to uploading the upgrade package (as shown in
Step 7 of the "Install the Splunk add-on for Check Point LEA" instructions,
above). This overwrites the old version of the add-on with the newer version.
Upgrade from version 1.1
If you are upgrading from the Splunk Add-on for Check Point OPSEC LEA
version 1.1, make the following directory updates before continuing to Step 3.
1. Stop Splunk.
2. Copy the $SPLUNK_HOME/etc/apps/splunk_app_opseclea/local and /certs
sub-directories as sub-directories of the $SPLUNK_HOME/etc/apps/Splunk_TA_opseclea
directory.
3. Edit Splunk_TA_opseclea/local/inputs.conf, replacing all occurrences of
splunk_app_opseclea with Splunk_TA_opseclea.
4. Move the entire $SPLUNK_HOME/etc/apps/splunk_app_opseclea directory to the
$SPLUNK_HOME/etc/disabled-apps directory.
5. Restart Splunk.
6. Verify that the newly installed Splunk Add-on for Check Point OPSEC LEA
works as expected.
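Steps 2 to 4 of this procedure are a natural fit for a script, since the 1.1 inputs.conf stanza embeds the old app directory in its script:// path and a stray splunk_app_opseclea reference is easy to miss. The following is an added example, not part of the manual or the add-on: migrate_from_1_1() copies local/ and certs/ into the new app directory, rewrites the app name inside local/inputs.conf, and moves the old app to etc/disabled-apps. Stop Splunk before running it and restart Splunk afterwards (steps 1 and 5). The directory names are the manual's; migrate_from_1_1 and demo are this example's own names, and demo() runs the migration against a constructed 1.1 layout in a temporary directory rather than a real $SPLUNK_HOME.

```python
"""Added example (not from the manual or the add-on): carry the version 1.1
configuration over to the Splunk_TA_opseclea app directory."""
import shutil
import sys
import tempfile
from pathlib import Path

OLD_APP = "splunk_app_opseclea"      # version 1.1 app directory
NEW_APP = "Splunk_TA_opseclea"       # directory of the newly installed add-on


def rewrite_app_name(text):
    """Step 3: point every reference (e.g. the script:// path of a scripted
    input stanza) at the new app directory."""
    return text.replace(OLD_APP, NEW_APP)


def migrate_from_1_1(splunk_home):
    """Copy local/ and certs/ into the new app, fix inputs.conf, and park the
    old app under etc/disabled-apps.  Returns the sub-directories copied."""
    home = Path(splunk_home)
    old = home / "etc" / "apps" / OLD_APP
    new = home / "etc" / "apps" / NEW_APP
    if not old.is_dir():
        raise FileNotFoundError(f"{old} not found: nothing to migrate")
    if not new.is_dir():
        raise FileNotFoundError(f"{new} not found: install the new add-on first")
    copied = []
    for sub in ("local", "certs"):                       # step 2
        if (old / sub).is_dir():
            shutil.copytree(old / sub, new / sub, dirs_exist_ok=True)
            copied.append(sub)
    inputs = new / "local" / "inputs.conf"              # step 3
    if inputs.is_file():
        inputs.write_text(rewrite_app_name(inputs.read_text()))
    disabled = home / "etc" / "disabled-apps"          # step 4
    disabled.mkdir(parents=True, exist_ok=True)
    shutil.move(str(old), str(disabled / OLD_APP))
    return copied


def demo():
    """Run the migration against a constructed 1.1 layout in a temporary
    directory and report what the new app directory looks like afterwards."""
    root = Path(tempfile.mkdtemp(prefix="opseclea-"))
    old = root / "etc" / "apps" / OLD_APP
    (old / "local").mkdir(parents=True)
    (old / "certs").mkdir()
    (old / "local" / "inputs.conf").write_text(
        f"[script://{root}/etc/apps/{OLD_APP}/bin/lea-loggrabber.sh "
        "--configentity demo]\ndisabled = false\ninterval = 30\n")
    (old / "certs" / "demo.p12").write_bytes(b"constructed placeholder, not a PKCS#12 file")
    (root / "etc" / "apps" / NEW_APP / "default").mkdir(parents=True)
    copied = migrate_from_1_1(root)
    new = root / "etc" / "apps" / NEW_APP
    result = {
        "copied": copied,
        "inputs": (new / "local" / "inputs.conf").read_text(),
        "cert_present": (new / "certs" / "demo.p12").is_file(),
        "old_parked": (root / "etc" / "disabled-apps" / OLD_APP / "local").is_dir(),
        "old_gone": not old.exists(),
    }
    shutil.rmtree(root)
    return result


if __name__ == "__main__":
    if len(sys.argv) > 1:
        print("copied:", migrate_from_1_1(sys.argv[1]))   # real $SPLUNK_HOME
    else:
        print(demo())
```

Pass $SPLUNK_HOME as the only argument to run it for real; with no argument it only exercises the constructed layout.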

Step 3 - Create the OPSEC application


Create the Splunk OPSEC application, if it does not already exist.
1. Login to the Check Point SmartDashboard on the desired CMA.
2. Click the Servers and OPSEC Applications icon.
3. Create a new OPSEC application:
1. Right-click OPSEC Applications.
2. Select New OPSEC Application.
The OPSEC Application Properties dialog appears.
3. In the Name field, type "SplunkLEA". You can use any name but
SplunkLEA is recommended by convention.
4. Click the Host field arrow and select the desired Management Server
from the list.
5. In the Client Entities window, select the LEA check box.

Step 4 - Create the OPSEC application certificate


Continuing in the SmartDashboard OPSEC Application Properties dialog ...
1. Click the Communication button, in the lower left, to access the
Communication dialog.
2. Enter a One-time password and confirm the password.


Important: Save the one-time password in a secure location for your reference.
You will need this one-time password when you configure the LEA client.
3. Click Initialize.
4. When initialization completes, click Close. This generates a value in the
OPSEC Application Properties DN window. This is the opsec_sic_name. You
will need this opsec_sic_name when you configure the LEA client.
5. Click OK to finish creating the "SplunkLEA" application.
6. Confirm that the "SplunkLEA" application is now visible in the OPSEC
Applications/OPSEC Application list, in the left panel.

Step 5 - Add firewall rules


Note: This step is only necessary if there are firewalls between the Splunk
instance and the management server.
1. Continuing with the SmartDashboard application, click the Rules menu.
2. Select Add Rule followed by Top.
3. In the Service column, click the plus symbol and verify that the FW1_lea and
FW1_ica_pull rule settings are correct. Action should be set to accept for both
rules.

Step 6 - Install the database


1. In SmartDashboard, click the Policy menu item.
2. Select Install Database.
3. In the Install Database dialog, select the check box for your Management
Server.
4. Click OK
Check Point installs the database.
5. Click Close on successful database installation.

Configure the LEA client


You can configure the LEA client using the command line or the Splunk Add-on
for Check Point OPSEC LEA UI.
Note: The Splunk Add-on for Check Point OPSEC LEA is supported on Linux
(RHEL/CentOS 5.x and 6.x only) and Solaris SPARC (version 10 or later). The
add-on is not supported on Windows. See Prerequisites.
About Log Server IP and Management Server IP assignment

If you have a standard Check Point Provider-1 environment, you must configure
an LEA client connection for each Customer Management Add-on (CMA)
connected to the Multi-Domain Management Server (MDS). The CMA acts as
both Log Server (handling log file collection) and Management Server (issuing
the OPSEC application certificate). When you configure the LEA in the UI, you
must provide the CMA IP address, where requested, for both Log Server IP and
Management Server IP.
If your Provider-1 environment includes the optional Multi-Domain Log Module
(MLM), you must configure an LEA client connection for each Customer Log
Module (CLM) connected to the Multi-Domain Log Module (MLM). In this case,
the CLM acts as the Log Server, while the the CMA acts as the Management
Server. When you configure the LEA client in the UI, you must provide the CLM
IP address, where requested, for the the Log Server IP, and the CMA IP, where
requested, for the Management Server IP.

Configure the LEA client using the UI


Step 1. Configure connection details
1. Go to Splunk Web at: http://localhost:8000/.
2. Select Apps > Splunk Add-on for Check Point OPSEC LEA
(Linux/Solaris10).
The Manage Connections page opens.
3. Click New Connection.
The New Connection configuration window opens.

4. Type a Connection Name. This name must be unique for each connection.
5. Type the Log Server IP address.
For standard MDS (Multi-Domain Server) environments, the Log Server IP
is the CMA IP address.
For environments using the optional MLM (Multi-Domain Log Module), the
Log Server IP is the CLM IP address.
For standalone environments, the Log Server IP is the Management
Server IP address.
6. Accept the default Port number, 18184, unless your local environment uses a
different port.
7. In the Version menu, select the firewall version of your Check Point
deployment.
8. Type the Destination Index or use the default name. This is the index to
which firewall security or firewall audit events are sent.
9. In the Host appears as field, accept the default host name, or enter the Check
Point host (CMA name) to which you want to reroute security or audit events.
10. In the Collect menu, select the type of data you want to acquire (firewall
event data or firewall audit data).
Note: To collect both security and audit data requires separate connections.
11. (optional) Select the No-Resolve Mode check box. This specifies the
loggrabber --no-resolve argument and prevents object name resolution. For
more information on object name resolution, see Splunk Answers.
12. (optional) Select the Online mode check box to enable Check Point's
realtime mode. This keeps a single Check Point process running, and prevents
the Check Point process from being closed when no new log data is available on
the Check Point server. This might help improve performance in cases where
data flow is intermittent.
13. Accept the default log extraction Interval of 30 seconds, or enter a new
interval.

Note: The lea_loggrabber script runs at 30 second intervals by default. Each run
connects to the Check Point environment, pulls the logs, and closes the
connection. Because the client performs the active close, its side of the
connection lingers in the TIME_WAIT state after it is closed. (TIME_WAIT is the
TCP state in which the closing side holds the socket for a fixed period so that
delayed segments from the old connection cannot be mistaken for part of a new
connection on the same addresses and ports, and so that the final ACK can be
retransmitted if the peer's FIN is lost.) To avoid accumulating TIME_WAIT
sockets between runs, increase the Interval to a value greater than that
returned by: cat /proc/sys/net/ipv4/tcp_fin_timeout (typically 60 seconds; the
Linux TIME_WAIT hold time is also 60 seconds).
14. Click Next.
Step 2. Pull OPSEC application certificate
If you already have a certificate:
1. Click I already have a certificate.
2. In the Certificates menu, select your certificate.
If you don't have a certificate:
1. Select I need to get a new certificate.

2. Type the OPSEC App Name, for example SplunkLEA (from Step 3 - Create the
Splunk OPSEC application).
3. Type the One-time Password (from Step 4 - Create the OPSEC application
certificate).
4. Type the Management Server IP address.
For standard MDS (Multi-Domain Server) environments, the Management
Server IP is the CMA IP address.
For environments using the optional MLM (Multi-Domain Log Module), the
Management Server IP is the CMA IP address.
5. Click Next.
The certificate is stored in the <opsecAppName>.p12 file.

Note: If you receive an error message, this might be because you are attempting
to pull the same certificate for the same Connection Name, using an invalid
password or IP address, or the connection to the server is down. For additional
error details, see $SPLUNK_HOME/var/log/splunk/web_service.log.
Step 3. Configure SIC Details
1. Type the SIC Name from the SmartDashboard OPSEC Application
Properties dialog DN window (from Step 4 - Create the OPSEC application
certificate).
2. Type the Entity SIC Name of the stand-alone Check Point Manager, the
Provider-1 Customer Log Module (CLM), or the Provider-1 Customer
Management Add-on (CMA). (Consult your Check Point administrator.)
To acquire the Entity SIC Name:
1. Open GuiDBedit (the Check Point Database Tool).
2. Go to Tables > Network Objects > network object (at left).
A list of network objects opens (at right).
3. Click the network object (for example, opsec-fw1-r7540) in the list.
A list of object attributes appears (at bottom).
4. Scroll down the list to find the sic_name field (near the end of the list), or
search for the sic_name field. The sic name will look similar to this:
CN=cn=cp_mgmt,o=opsec-p1-r7540-test-env-domain1_management_server..pj7ux4.

Note: The process for acquiring the entity SIC name is described in detail
on Splunk Answers.
3. Click Submit.
4. Verify that Splunk is indexing your Check Point data, by executing a search on
the source type.

Configure the LEA client using the command line


You can configure the LEA client using the command line, as follows:
Step 1. Pull the OPSEC application certificate
1. Go to $SPLUNK_HOME/etc/apps/Splunk_TA_opseclea_linux22/bin.
2. Run the pull-cert.sh script to pull the certificate from the Management
Server.
./pull-cert.sh <CMA_IP> <OPSEC_app_name> <password> <outputFileName.p12>

For example:

./pull-cert.sh 10.160.27.253 SplunkLEA <password> newFile.p12

Parameters (the script passes them, in this order, to Check Point's
opsec_pull_cert utility, whose options they are):
-h = CMA IP address
-n = OPSEC Application name (for example, "SplunkLEA")
-p = One-time password (activation key) specified in Step 4 - Create the
OPSEC application certificate.
Note: The password must not include any of the following special
characters: exclamation (!), accent circumflex (^), tilde (~), accent grave
(`), quotation ("), and apostrophe (').
-o = Output file (*.p12) containing the application DN name as defined in
the Management Server. The default file name is opsec.p12 but you can
use any name, unique for each CMA.
The command returns an opsec_sic_name, for example:
[CN=SplunkLEA, O=opsec-p1-R7540-demo_Management_Server...3tvqd0]

Important: Save the opsec_sic_name because you will need to enter it when you
edit the opsec.conf configuration file.
3. View the current directory to confirm that <outputFileName>.p12 has been
created.

Step 2. Edit opsec.conf


1. Go to $SPLUNK_HOME/etc/apps/Splunk_TA_opseclea_linux22/local/opsec.conf.
Note: You might need to create local/opsec.conf if it does not yet exist in
your $SPLUNK_HOME/etc/apps/Splunk_TA_opseclea_linux22 directory:
mkdir local
cd local
touch opsec.conf

2. Append a new domain stanza (typically by copying an existing one). For example:
[r75.4test]
3. Enter the opsec_sic_name.
4. Enter the opsec_entity_sic_name from Check Point. For instructions on how to
acquire the entity SIC name, see Configure SIC Details, above.
5. Enter the opsec_sslca_file name, which is the generated .p12 file name.
This example shows a domain entry with all required fields (each key and its
value must be on a single line):
[SplunkRESTName]
collect_audit = 0
fw_version = 75.40
is_disabled = 0
lea_server_auth_port = 18184
lea_server_auth_type = sslca
lea_server_ip = 10.160.27.249
opsec_entity_sic_name = cn=cp_mgmt,o=opsec-p1-r7540-test-env-domain1_management_server..pj7ux4
opsec_sic_name = CN=SplunkLEA,O=opsec-p1-R7540-test-env-domain1_Management_Server..pj7ux4
opsec_sslca_file = ../certs/p1-r7540-test1.p12
Important: The is_disabled parameter controls the connection state. Set the
parameter value to 1 to disable the connection or 0 to enable the connection.

This parameter also determines the connection state displayed in the UI, and
must agree with the disabled parameter value in the inputs.conf file, below.
6. Restart Splunk, using either the ./splunk restart command or
http://<host>:<port>/en-US/debug/refresh in the browser address bar.
7. View the new opsec.conf domain configuration through the REST endpoint (log in
as admin with your password and find <yourNewDomain> in the output):
https://<host>:<managementPort>/servicesNS/nobody/Splunk_TA_opseclea_linux22/opsec/opsec
8. Copy .../opsec-tools/<filename>.p12 to the /certs directory.
9. Create the inputs.conf file in the
$SPLUNK_HOME/etc/apps/Splunk_TA_opseclea_linux22/local directory. (Use local
rather than default: settings in local take precedence over default and are not
overwritten when the add-on is upgraded.)

10. In inputs.conf, add a scripted input stanza. For example:
[script:///home/admin/splunk6.0/splunk/etc/apps/Splunk_TA_opseclea_linux22/bin/lea-loggrabber.sh --configentity SplunkRESTName]
disabled = false
interval = 30
passAuth = admin
sourcetype = opsec
The --configentity value (SplunkRESTName here) must match the name of the
stanza in the opsec.conf file.
Because the connection state displayed in the UI is determined by the
opsec.conf connection state, the inputs.conf disabled state must match the
opsec.conf is_disabled state, above.
Note: The TIME_WAIT consideration described in step 13 of Configure connection
details, above, applies to the interval parameter here as well: the script
connects to the Check Point environment, pulls the logs, and closes the
connection, and the closed connection lingers in TIME_WAIT on the client. To keep
TIME_WAIT sockets from overlapping between runs, set interval to a value greater
than that returned by: cat /proc/sys/net/ipv4/tcp_fin_timeout (typically 60
seconds on Linux).
Note: You can modify opsec.conf to disable Nagle's algorithm on the connection,
which in some cases improves network efficiency. For instructions, see TCP
Nagle in the "Manage Connections" topic in this manual.
Note: You can modify opsec.conf to adjust the client connection buffer size,
which might improve performance under high load. For instructions, see
Connection buffer size in the "Manage Connections" topic in this manual.
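The rules in this section (all required fields present, sslca authentication, a scripted input whose --configentity names the opsec.conf stanza, disabled agreeing with is_disabled, and an interval above tcp_fin_timeout) are easy to get wrong when opsec.conf and inputs.conf are written by hand, and Splunk will not tell you before the next run of lea_loggrabber. The following is an added example, not part of the manual or the add-on: validate() parses both files and returns a list of findings. The check that opsec_sic_name and opsec_entity_sic_name carry the same O= component is this example's own assumption (both names are issued by the same Management Server ICA, as in the manual's sample). SAMPLE_OPSEC and SAMPLE_INPUTS are constructed from the example stanzas above.

```python
"""Added example (not from the manual or the add-on): cross-check a hand-edited
opsec.conf against inputs.conf before restarting Splunk."""
import configparser
import re
from pathlib import Path

REQUIRED = ("collect_audit", "fw_version", "is_disabled", "lea_server_auth_port",
            "lea_server_auth_type", "lea_server_ip", "opsec_entity_sic_name",
            "opsec_sic_name", "opsec_sslca_file")
TRUE = {"1", "true", "t", "yes", "y", "on"}


def parse_conf(text):
    """Parse Splunk-style 'key = value' stanzas into {stanza: {key: value}}."""
    cp = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    cp.optionxform = str                      # keep key case as written
    cp.read_string(text)
    return {s: dict(cp[s]) for s in cp.sections()}


def dn_org(dn):
    """Return the O= component of a SIC name, lower-cased (None if absent)."""
    for part in dn.split(","):
        key, _, val = part.strip().partition("=")
        if key.strip().lower() == "o":
            return val.strip().lower()
    return None


def input_entity(stanza):
    """Map 'script://.../lea-loggrabber.sh --configentity NAME' to NAME."""
    m = re.search(r"--configentity\s+(\S+)", stanza)
    return m.group(1) if m else None


def linux_fin_timeout(default=60):
    """Current tcp_fin_timeout, or the default when the file is unavailable."""
    try:
        return int(Path("/proc/sys/net/ipv4/tcp_fin_timeout").read_text())
    except (OSError, ValueError):
        return default


def validate(opsec_text, inputs_text, fin_timeout=60):
    """Return a list of findings; an empty list means the two files agree."""
    findings = []
    conns = parse_conf(opsec_text)
    inputs = {input_entity(s): v for s, v in parse_conf(inputs_text).items()
              if s.startswith("script://") and input_entity(s)}
    for name, c in conns.items():
        missing = [k for k in REQUIRED if k not in c]
        if missing:
            findings.append(f"{name}: missing {', '.join(missing)}")
        if c.get("lea_server_auth_type", "sslca") != "sslca":
            findings.append(f"{name}: lea_server_auth_type must be sslca")
        if "opsec_sic_name" in c and "opsec_entity_sic_name" in c and \
                dn_org(c["opsec_sic_name"]) != dn_org(c["opsec_entity_sic_name"]):
            findings.append(f"{name}: opsec_sic_name and opsec_entity_sic_name "
                            "have different O= components (issued by different ICAs?)")
        inp = inputs.get(name)
        if inp is None:
            findings.append(f"{name}: no scripted input with --configentity {name} in inputs.conf")
            continue
        want = c.get("is_disabled", "0").strip().lower() in TRUE
        have = inp.get("disabled", "false").strip().lower() in TRUE
        if want != have:
            findings.append(f"{name}: is_disabled={c.get('is_disabled')} but "
                            f"inputs.conf disabled={inp.get('disabled')}")
        interval = int(inp.get("interval", "30"))
        if interval <= fin_timeout:
            findings.append(f"{name}: interval {interval}s is not greater than "
                            f"tcp_fin_timeout {fin_timeout}s (TIME_WAIT sockets will overlap)")
    for name in inputs:
        if name not in conns:
            findings.append(f"inputs.conf references unknown connection {name}")
    return findings


# Constructed samples, built from the manual's example stanzas.
SAMPLE_OPSEC = """\
[SplunkRESTName]
collect_audit = 0
fw_version = 75.40
is_disabled = 0
lea_server_auth_port = 18184
lea_server_auth_type = sslca
lea_server_ip = 10.160.27.249
opsec_entity_sic_name = cn=cp_mgmt,o=opsec-p1-r7540-test-env-domain1_management_server..pj7ux4
opsec_sic_name = CN=SplunkLEA,O=opsec-p1-R7540-test-env-domain1_Management_Server..pj7ux4
opsec_sslca_file = ../certs/p1-r7540-test1.p12
"""
SAMPLE_INPUTS = """\
[script://$SPLUNK_HOME/etc/apps/Splunk_TA_opseclea_linux22/bin/lea-loggrabber.sh --configentity SplunkRESTName]
disabled = false
interval = 30
passAuth = admin
sourcetype = opsec
"""

if __name__ == "__main__":
    for line in validate(SAMPLE_OPSEC, SAMPLE_INPUTS, linux_fin_timeout()) or ["OK"]:
        print(line)
```

On the samples as written the only finding is the 30 second interval, which is the situation the TIME_WAIT note above warns about; raise interval above tcp_fin_timeout and the check passes. Pass the contents of your own local/opsec.conf and local/inputs.conf to validate() to check a real deployment.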
Step 3. Verify that trust state is established
1. Open the Check Point SmartDashboard,
2. Click the Servers and OPSEC Applications icon.
3. Expand the OPSEC Applications and OPSEC Application lists.
4. Double-click the SplunkLEA application name.
5. Click the Communication button and verify that Trust state is now set to
Trust established. (Older Check Point versions may only display the Customer
Name.)

Additional configuration steps


Warning: We strongly recommend that you do not modify fw1-loggrabber
options in the fw1-loggrabber.conf file. Changing options can cause REST
conflicts.
Set log record checkpoint value (optional)
In networks with a large latency and the possibility that the connection could be
lost before all log record data are committed to Splunk, loggrabber might need to
retrieve lost records from the log position of the last checkpoint.
By default, the Splunk Add-on for Check Point OPSEC LEA commits log records
after every 10,000 records are received, so there are never more than 10,000
records outstanding. You can change the default checkpoint value to match your
network latency by modifying the SPLUNK_REST_STATUS_COMMIT value in the
fw1-loggrabber.conf file.
Filtering log data
You can specify the type of log data you want to collect by manually editing

$SPLUNK_HOME/etc/apps/Splunk_TA_opseclea_linux22/bin/fw1-loggrabber.conf.

For detailed information about configuring log data collection, see the
fw1-loggrabber manpage. In the CONFIGURATION FILE section, see the
FW1_FILTER_RULE and AUDIT_FILTER_RULE property descriptions, which
refer to examples in the FILTERING section.

About Management High Availability


The Splunk Add-on for Check Point OPSEC LEA does not support and has not
been tested with Check Point Management High Availability (HA).
In case of failover:
If the log server is on a different machine than the Management server,
such as in a Multi-Domain Management Server (Provider-1) environment,
the add-on should work without user interaction.
If the log server is on the same machine as the Management server, then
you must update the log server IP address for the LEA connection inside
the add-on with the new active Management server IP address. For
instructions, see Configure the LEA Client using the UI above.
Important: The opsec_pull_cert script must be run against the currently active
Management server; otherwise it fails with opsec err=-86.
Note: Depending on how far back the new active Management server was
out-of-sync, you might need to recreate the OPSEC application, or you might
experience missing log entries. See Create the OPSEC application.

Manage Connections
Manage connections
The Splunk Add-on for Check Point OPSEC LEA includes features to help you
manage your Check Point connections.
Connection metrics: View data throughput in events per second (eps) for
each OPSEC LEA connection. View time of last connection.
Online mode: Check Point's real-time mode. Keeps the individual Check
Point process running for a connection and prevents intermittent Check
Point process restarts.
Network connection options in opsec.conf:
Enable/disable TCP Nagle.
Adjust connection buffer size.
Connections display filter: Filters the display of connections on the
Manage Connections page by name, IP address, and firewall version.
Useful for large environments, which might include hundreds of Check
Point connections.

Monitor Connection Metrics


The Splunk Add-on for Check Point OPSEC LEA lets you monitor connection
metrics for multiple OPSEC LEA connections simultaneously. Expand any
connection panel on the Manage Connections page to view the event throughput
(events per second) over that specific connection.
Monitoring connection throughput can help you identify system issues, and
respond proactively.
For example, unexpectedly low throughput could indicate a network bottleneck or
an issue with your Check Point environment. Unexpectedly high throughput
might indicate that you need to add Splunk indexers to your deployment, to avoid
load conditions that can cause system latency. See "Indexer requirements".
1. In Splunk Web, go to Apps > Splunk Add-on for Check Point OPSEC LEA
The Manage Connections page opens.
2. Click on the arrow at left of the connection you want to view.


The panel expands, showing event throughput in events per second (eps) over
the last 15 minutes and last 24 hours.

Online mode
The Splunk Add-on for OPSEC LEA lets you enable the Check Point Online
mode. This keeps the individual Check Point process running for a connection,
and prevents the process from being closed when no new log data is available
on the Check Point server. Online mode might improve performance in cases
where data flow from Check Point is intermittent.
To enable Online mode, select the Online mode check box when you configure
the LEA client connection.
Caution: When migrating to version 2.1: Enabling Online mode immediately after
upgrade might cause gaps in your data. This occurs because online mode
collects new incoming logs only. It does not perform log look back. Therefore any
data stored during the upgrade process is not pulled into Splunk. We recommend
that you do not enable online mode until after all log data generated during the
upgrade period is indexed. See known issue (OPSEC-208).

Network connection options in opsec.conf


TCP Nagle
The Splunk Add-on for OPSEC LEA lets you disable Nagle's algorithm on the LEA
connection, which in some cases improves TCP/IP network efficiency by
eliminating the negative interaction between Nagle's algorithm and delayed ACK
(a small write held back until an ACK that the peer is itself delaying).
1. Go to
$SPLUNK_HOME/etc/apps/Splunk_TA_opseclea_linux22/local/opsec.conf.
2. In opsec.conf, append the following key-value pair to the connection domain:
no_nagle=1

Connection buffer size


In some cases, increasing the connection buffer size might improve data
throughput. You can adjust the connection buffer size in opsec.conf, as follows:
1. Go to
$SPLUNK_HOME/etc/apps/Splunk_TA_opseclea_linux22/local/opsec.conf.
2. In opsec.conf, append the following key-value pair to the connection domain:
conn_buf_size=<number_in_bytes>

Manage Indexer capacity


An insufficient number of indexers can negatively impact performance and
introduce latency into your system. To determine the indexer requirements of
your Splunk Add-on for Check Point OPSEC LEA deployment, see "Indexer
requirements" in the Hardware requirements section of this manual.

Terminology
Terminology
CLM
Customer Log Module. The CLM is a log server for a single Customer. Through
the CLM, an administrator can view events that occur on the firewall policy. Each
CLM is contained in a Multi-Domain Log Module (MLM).

CMA
Customer Management Add-On. A Check Point FW-1 management server
where customer-specific security policies are defined.

Customer
A Customer is the unit that subscribes to a Check Point firewall.

FW-1
Firewall-1. A Check Point firewall instance that provides gateway security and
identity awareness.

LEA
Log Export API. LEA is the Check Point OPSEC API for accessing FW-1 firewall
log data. The Splunk Add-on for Check Point OPSEC LEA extends the open
source FW-1-loggrabber tool, using the LEA to collect raw log data.

MDS
Multi-Domain Server. The MDS stores Provider-1 system information, including
details of the Provider-1 deployment, its administrators, and Customer
management information.

Multi-Domain Security Management


See Provider-1 (below).

MLM
Multi-Domain Log Module. A special Multi-Domain Server (MDS) that is
dedicated to collecting and storing log data. The MLM is a container for
Customer Log Modules (CLMs).

OPSEC
Open Platform for Security. The Check Point OPSEC is an open management
framework for managing network security. The Splunk Add-on for Check Point
OPSEC LEA uses the LEA to extend OPSEC and provide network security
monitoring and visualization.

Provider-1
Provider-1 is Check Point's Multi-Domain Security Management product. You
can use Provider-1 to segment security management of complex network
operations (which might involve thousands of customers), into multiple separate
virtual domains, based on geography, business unit, security function, or other
logical grouping.

Smart Domain Manager


The Smart Domain Manager is a GUI for managing a Provider-1 instance. This
was previously called the Multi Domain GUI (MDG).

SmartConsole
The SmartConsole (also called SmartDashboard) is a Windows-based GUI
that lets you create global policy rules for a firewall or groups of firewalls.

SmartDashboard
See SmartConsole (above).

Troubleshooting
Set debug logging level
To enable debugging, add debug directives to the following files, which are
located in the $SPLUNK_HOME/etc/apps/splunk_TA_opseclea/bin directory.

pull-cert.sh
For pull-cert issues, add the following line to the pull-cert.sh script:
export TDERROR_ALL_ALL=5

Additionally, enable opsec_pull_cert debugging by adding the -d argument, as


described in How to use the opsec_pull_cert command.

lea-loggrabber.sh
For log collection issues, use the lea-loggrabber-debug.sh script from the
command line; this is a debug variant of the lea-loggrabber.sh script.

View debug logs


Note: See What Splunk logs about itself for a general description of Splunk error
logging.

UI messages
With debugging enabled, error messages are logged to the
$SPLUNK_HOME/var/log/splunk/web_service.log file.
Note: Log entries for splunk_TA_opseclea display as <string>:nn,
instead of listing the OPSEC LEA controller name. This is a known
bug.

Loggrabber messages
Splunk Add-on for Check Point OPSEC LEA loggrabber messages are logged to
the $SPLUNK_HOME/var/log/splunk/splunkd.log file.

Run lea-loggrabber manually


Warning: Use lea-loggrabber with caution. Some fw1-loggrabber options can
cause REST conflicts.
Manually running lea-loggrabber can be a useful debugging tool.
Note: For Check Point server authentication to work, make sure your
environment $HOME directory is writable.
1. Set the SPLUNK_TOK environment variable to the authorization key:
SPLUNK_TOK=<auth_key>
export SPLUNK_TOK
2. Run the lea-loggrabber-debug.sh debugger script:
lea-loggrabber-debug.sh --configentity <entity_name>

You can also add the debug level argument to the lea-loggrabber invocation in
the lea-loggrabber.sh script: --debug-level 3.

Basic Check Point debugging


You might find it helpful to review the Check Point Troubleshooting and
Debugging Tools for Faster Resolution document to debug issues external to the
Splunk LEA client.

Enabling and disabling Check Point debugging


To enable debugging on the Check Point Management Server, enter the following
commands:
1. % fw debug fwm on TDERROR_ALL_ALL=5
2. % fw debug fwm on OPSEC_DEBUG_LEVEL=9
3. % fw debug fwd on TDERROR_ALL_ALL=5
4. % fw debug fwd on OPSEC_DEBUG_LEVEL=9

To disable Check Point debugging, enter the following commands:
1. % fw debug fwm off TDERROR_ALL_ALL=1
2. % fw debug fwm off OPSEC_DEBUG_LEVEL=1
3. % fw debug fwd off TDERROR_ALL_ALL=1
4. % fw debug fwd off OPSEC_DEBUG_LEVEL=1

The Check Point debug logs are located in the $FWDIR/log/fwm.elg* and
$FWDIR/log/fwd.elg* files. Turn debugging off again as soon as you have what
you need: at these levels the .elg files grow quickly.
