2017-01-13 03:18 AM
Hi Guys,
Our network team has upgraded Checkpoint. But from that point onwards, we are not receiving logs. On the hybrid, I can see the following error.
The SIC infrastructure was unable to establish the connection
So I deleted the event source and reconfigured it with the new SIC as password. But now I am receiving an error while pulling the certificate:
error pulling certificate.
Please suggest troubleshooting steps.
2017-01-13 04:02 AM
Hello, can you give the exact version of Check Point that was upgraded to? Was it Check Point R80?
Check Point R80 uses a different Certificate Authority that signs certificates with a SHA256 hash, which is not currently supported by our Check Point log collector component. Support for this is due in 10.6.3.
2017-01-13 04:44 AM
Hi David,
The upgraded version is 77.30. Unfortunately, we have an old version of SA, 10.2.
Do you have any troubleshooting steps?
2017-01-13 05:49 AM
In particular, scroll down to the bottom and look for the section:
"If after following these instructions you are still facing difficulties then run the following command from an SSH Session on your log collector, replacing the values as follows:"
2017-01-13 09:42 AM
Hi David,
I am receiving the following error.
[ 14771 4148131552]@NWAPPLIANCE23132[13 Jan 19:51:28] fwCert_OurValCerts: validation OK
[ 14771 4148131552]@NWAPPLIANCE23132[13 Jan 19:51:28] sic_client_end_handler: for conn id = 10
[ 14771 4148131552]@NWAPPLIANCE23132[13 Jan 19:51:28] opsec_auth_client_connected: connect failed (147)
[ 14771 4148131552]@NWAPPLIANCE23132[13 Jan 19:51:28] opsec_auth_client_connected: SIC Error for lea: Authentication error
[ 14771 4148131552]@NWAPPLIANCE23132[13 Jan 19:51:28] opsec_auth_client_connected:conn=(nil) opaque=0x9455300 err=0 comm=0x9454e70
[ 14771 4148131552]@NWAPPLIANCE23132[13 Jan 19:51:28] comm failed to connect 0x9454e70
[ 14771 4148131552]@NWAPPLIANCE23132[13 Jan 19:51:28] OPSEC_SET_ERRNO: err = 8 Comm is not connected/Unable to connect (pre = 0)
[ 14771 4148131552]@NWAPPLIANCE23132[13 Jan 19:51:28] COM 0x9454e70 got signal 131075
[ 14771 4148131552]@NWAPPLIANCE23132[13 Jan 19:51:28] destroying comm 0x9454e70
[ 14771 4148131552]@NWAPPLIANCE23132[13 Jan 19:51:28] Destroying comm 0x9454e70 with 1 active sessions
[ 14771 4148131552]@NWAPPLIANCE23132[13 Jan 19:51:28] Destroying session (9464218) id 3 (ent=9455b50) reason=SIC_FAILURE
[ 14771 4148131552]@NWAPPLIANCE23132[13 Jan 19:51:28] SESSION ID:3 is sending DG_TYPE=3
<LOG_FAILURE>>MHMUMDOPDAK1N-CPS1:172.16.2.39:Session exit reason: The SIC infrastructure was unable to establish the connection<<LOG_FAILURE>
2017-01-13 09:48 AM
Okay,
Please get your firewall people to check the lines in fwopsec.conf.
They should contain:
https://community.rsa.com/docs/DOC-49968
lea_server auth_port 18184
lea_server port 0
lea_server auth_type sslca
lea_server conn_buf_size 2000000
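
An added example, not part of the thread and not RSA or Check Point tooling: a small Python check that compares the active lea_server lines of an fwopsec.conf against the four values listed in the reply above. The function names and the sample file content are constructed for illustration, and treating `#` as the comment marker is an assumption about the file format.

```python
import sys

# Expected lea_server settings, taken from the reply above.
REQUIRED = {
    "auth_port": "18184",
    "port": "0",
    "auth_type": "sslca",
    "conn_buf_size": "2000000",
}

def parse_lea_server(text):
    """Return {setting: value} for active (uncommented) lea_server lines."""
    found = {}
    for raw in text.splitlines():
        # Assumption: '#' starts a comment, so a commented-out line is inactive.
        line = raw.split("#", 1)[0].strip()
        fields = line.split()
        if len(fields) >= 3 and fields[0] == "lea_server":
            found[fields[1]] = " ".join(fields[2:])
    return found

def check_fwopsec(text):
    """Return (setting, expected, actual) for every mismatch; actual is None if absent."""
    found = parse_lea_server(text)
    return [(key, want, found.get(key))
            for key, want in REQUIRED.items()
            if found.get(key) != want]

# Constructed sample: auth_port is commented out and port has the wrong value.
SAMPLE = """\
# lea_server auth_port 18184
lea_server port 18184
lea_server auth_type sslca
lea_server conn_buf_size 2000000
"""

if __name__ == "__main__":
    # Usage: python check_fwopsec.py /path/to/fwopsec.conf (no argument checks SAMPLE)
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            config = fh.read()
    else:
        config = SAMPLE
    problems = check_fwopsec(config)
    for setting, want, actual in problems:
        state = "missing" if actual is None else "is " + actual
        print("lea_server %s: expected %s, %s" % (setting, want, state))
    sys.exit(1 if problems else 0)
```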