
Tutorial Guide LCE Opsec Server to Checkpoint Firewall

This guide covers the configuration between a Check Point firewall and an LCE Server.
The screenshots below are only a brief example of how the process is carried out. The actual screens
may vary depending on the server configuration itself.

This guide uses virtual machines with the details below:


LCE Server IP address : 192.168.1.101
Checkpoint Server : 192.168.1.200
Windows 7 as main OS : 192.168.1.100

Steps for Creating an LEA Profile for LCE Opsec


1. Make sure fwopsec.conf has LEA authorization open and uses these values:

Then restart Check Point afterwards.

2. Open SmartDashboard and add a new Host in the Node section by right-clicking Node > Node >
Host…
Note 1. Insert the name of the LCE host. (lce_commbank)
Note 2. Insert the IP address of the LCE Opsec Server.

3. Make sure the new Host has been registered in Network Objects.

4. Now create a new OPSEC Application. Open the Servers and OPSEC tab > right-click OPSEC
Application > New > OPSEC Application…
Note 1. Insert the OPSEC Application name. (lea_commbank)
Note 2. Select “lce_commbank” as the Host.
Note 3. Check only LEA in Client Entities.

5. Click the Communication tab.


Note 1. Insert the LCE key as the password. (in this case, “nusantara”)
Note 2. Click Initialize.
Note 3. The trust state will change to “Initialized but trust not established”.
Note 4. Click Close.

6. The Communication tab now shows the certificate for the Opsec Client. Copy the value and click OK.
7. In Network Objects, open your Check Point Gateway (“fwdika”).
Note 1. Click the Test SIC Status button.

8. The SIC Status shows the communication between Check Point and the LCE (host) Server.

Note 1. Copy the DN certificate. (“cn=cp_mgmt,o=fwdika..s8yra8”)

9. If everything has worked up to this point, proceed to the LCE Opsec configuration.


10. Log in to the LCE Server.
11. Edit the values in lce_opsec.config.
Note 1. Paste the OPSEC_CLIENT certificate value taken from point 6 above.
Note 2. Paste the OPSEC_SERVER certificate value taken from point 8 above.
Note 3. Make sure your Check Point IP (FW1_SERVER=””) is correct.
Note 4. Don’t forget to restart lce_opsec afterwards.

12. Before generating the Check Point certificate, first restart Check Point with the command “cprestart”.
13. Generate the Check Point certificate key from the LCE Server.

14. On the LCE Server, go to the Opsec directory and run lce_opsecd with the command “./lce_opsecd”.
Note 1. If everything went correctly, the LCE Opsec Server will start grabbing logs (fw.log)
from the Check Point firewall.
Note 2. The Host Node (and OPSEC Application) created earlier is now gone. This
means the LCE Server and the Check Point firewall are successfully communicating through OPSEC.
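
A pre-flight check for the three values edited in step 11, given here as an added example and not as part of the original guide or of LCE itself. It assumes lce_opsec.config uses KEY="value" lines (inferred from the guide's FW1_SERVER=”” note) and that both DNs are issued by the same management server, so their o= components match; the sample file and the client DN in it are constructed from the names used in this guide.

```python
import ipaddress
import re

# Constructed sample; the KEY="value" layout is an assumption based on the guide.
SAMPLE_CONFIG = '''
# lce_opsec.config (constructed sample)
FW1_SERVER="192.168.1.200"
OPSEC_CLIENT="CN=lea_commbank,O=fwdika..s8yra8"
OPSEC_SERVER="cn=cp_mgmt,o=fwdika..s8yra8"
'''

LINE_RE = re.compile(r'^\s*([A-Z0-9_]+)\s*=\s*"?(.*?)"?\s*$')

def parse_config(text):
    """Return {KEY: value} for KEY="value" lines; blanks and # comments do not match."""
    values = {}
    for line in text.splitlines():
        match = LINE_RE.match(line)
        if match:
            values[match.group(1)] = match.group(2)
    return values

def dn_parts(dn):
    """Split a DN such as cn=cp_mgmt,o=fwdika..s8yra8 into a lower-cased dict."""
    parts = {}
    for item in dn.split(","):
        key, sep, value = item.partition("=")
        if sep:
            parts[key.strip().lower()] = value.strip().lower()
    return parts

def check_config(text):
    """Return a list of problems; an empty list means the three values are consistent."""
    cfg, problems = parse_config(text), []
    try:
        ipaddress.ip_address(cfg.get("FW1_SERVER", ""))
    except ValueError:
        problems.append("FW1_SERVER is not a valid IP address")
    dns = {k: dn_parts(cfg.get(k, "")) for k in ("OPSEC_CLIENT", "OPSEC_SERVER")}
    for key, parts in dns.items():
        if not parts.get("cn") or not parts.get("o"):
            problems.append(f"{key} is missing its cn= or o= component")
    client_o, server_o = dns["OPSEC_CLIENT"].get("o"), dns["OPSEC_SERVER"].get("o")
    if client_o and server_o and client_o != server_o:
        problems.append("OPSEC_CLIENT and OPSEC_SERVER have different o= values")
    return problems

if __name__ == "__main__":
    print(check_config(SAMPLE_CONFIG) or "config looks consistent")
```

Running it against the real file before restarting lce_opsec catches an empty FW1_SERVER or a DN pasted into the wrong field.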
