2019-04-03 05:50 PM
Hello,
I am having an issue with a new Checkpoint event source. The version of Checkpoint we are using for AWS is R80.20. I have been able to successfully add the new event source using the CheckPoint_Security Suite guide (IPS-1) from RSA that was last modified on 5/9/18. However, I am seeing the following error in the var/log/messages: The SIC infrastructure was unable to establish the connection. I found the corresponding support articles: https://community.rsa.com/docs/DOC-49968 and https://community.rsa.com/docs/DOC-49968 as well as https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk107509. What I have learned is that this setup does not include a management server (MLM); therefore, the Server Distinguished Name provided to me is not that of the management server but of the firewall. Here is an excerpt of what was provided to me:
Client SIC Name (DN String from CMA)
CN=SA_OPSEC,O=ELAVON_AWS_PROD.
Server SIC Name (from GuiDBedit on CLM)
CN=ELAVON_AWS_PROD,O=ELAVON_AWS_PROD
Will this config work without a management server? I was told this is just a CMA. Please advise.
2019-04-04 05:33 PM
This should work with an MLM. The SIC error can be from a few different issues, so we would ideally need to get an OPSEC log. If you set the event source logging to debug (not verbose) and wait for a poll cycle, you should see a log with the word cmdline=NwCheckpointProcess appear in either the logs from the collector in the SA console or /var/log/messages on the collector.
Double-click the log to bring it up, then copy all text to the right of the equals sign and paste it into an SSH session on the collector in question. Then append --odebug to the string and hit Enter, then copy and paste the resulting text here when the connection fails.