2015-04-04 08:30 AM
Hello Everyone.
Firewalls are being connected to RSA SA, configured according to the instructions "Check Point Security Suite, IPS-1".
Created the Host, then SA_OPSEC. Ports opened in CP: FW1_ica_Pull (18184) and FW_lea (18210).
When connecting the Log Collector, there is an error:
Collect log Type - Security
[processing] [WorkUnit] [processing] SC-01-KVVSGES:xxx.xxx.xxx.xxx:Session starting: sdn=cn=cp_mgmt,o=SC-01.KVVGES..8pfha6 cdn=CN=SA_OPSEC,O=SC-01.KVVGES..8pfha6 cen=SA_OPSEC kfp=/etc/netwitness/ng/truststore/checkpoint_SC_01_KVVSGES.p12 file=0 record=0 log=security-current start=end count=5000 time=120"
[processing] [WorkUnit] [processing] SC-01-KVVSGES:xxx.xxx.xxx.xxx:Client Version Full Description(Opsec SDK 6.0 patch=1 build=591000010 6.0) Version(6000)"
[processing] [WorkUnit] [processing] SC-01-KVVSGES:xxx.xxx.xxx.xxx:Time to establish session(00:00:00.003387)"
[processing] [WorkUnit] [processing] SC-01-KVVSGES:xxx.xxx.xxx.xxx:Session exit reason: The SIC infrastructure was unable to establish the connection"
[processing] [WorkUnit] [processing] SC-01-KVVSGES:xxx.xxx.xxx.xxx:Session completed: Total Time(00:00:25.008199) Total Events(0)"
Collect log Type - Audit
[processing] [WorkUnit] [processing] SC-01-KVVSGES:xxx.xxx.xxx.xxx:Session starting: sdn=cn=cp_mgmt,o=SC-01.KVVGES..8pfha6 cdn=CN=SA_OPSEC,O=SC-01.KVVGES..8pfha6 cen=SA_OPSEC kfp=/etc/netwitness/ng/truststore/checkpoint_SC_01_KVVSGES.p12 file=0 record=0 log=audit-current start=end count=5000 time=120"
[processing] [WorkUnit] [processing] SC-01-KVVSGES:xxx.xxx.xxx.xxx:Client Version Full Description(Opsec SDK 6.0 patch=1 build=591000010 6.0) Version(6000)"
[processing] [WorkUnit] [processing] SC-01-KVVSGES:xxx.xxx.xxx.xxx:Time to establish session(00:00:00.002976)"
[processing] [WorkUnit] [processing] SC-01-KVVSGES:xxx.xxx.xxx.xxx:Session exit reason: The SIC infrastructure was unable to establish the connection"
[processing] [WorkUnit] [processing] SC-01-KVVSGES:xxx.xxx.xxx.xxx:Session completed: Total Time(00:00:25.008754) Total Events(0)"
The most important thing: the events did not come through.
Does anyone have suggestions or ideas?
2015-04-20 09:15 AM
Delete and re-create the SIC keys/certificates.
2015-04-26 10:14 PM
Unfortunately, there are a number of issues that may be preventing your connection from being established. Assuming you have enabled Debug on your Check Point Event Source, you should be able to find the connection command in your Log Collector's logs (Administration > Services > YourLogCollector > Logs). It will look something like this...
_cmdLine set to NwCheckpointProcess --ip xxxxx --name xxxxxx --port 18184 --sdn y --cdn CN=xxxxx,O=xxxxx..xxxxx --cen xxxxx --kfp /etc/netwitness/ng/truststore/checkpoint_xxxxx.p12 --count 5000 --time 120 --timeout 0 --audit --file 0 --record 41594 --debug
-- or --
_cmdLine=NwCheckpointProcess --ip xxxxx --name xxxxxx --port 18184 --sdn y --cdn CN=xxxxx,O=xxxxx..xxxxx --cen xxxxx --kfp /etc/netwitness/ng/truststore/checkpoint_xxxxx.p12 --count 5000 --time 120 --timeout 0 --audit --file 0 --record 41594 --debug
Copy the entire command (starting with "NwCheckpointProcess") and paste it into your Log Collector's console. Before you hit enter, add " --odebug" to the end of the command (that's a space and two dashes).
This will kick off a connection attempt with lots of debug info. This will get you a better idea about what exactly is causing the problem. Post your results if you're still stuck.
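The triage steps from this thread as a script, added here as an example that is not part of the original posts or of RSA's tooling: it ties each "Session exit reason" to the log type being pulled and extracts the NwCheckpointProcess command with --odebug appended. It assumes the Log Collector log has been saved as text and is piped on stdin; the function names and the sample log lines (host CP-SAMPLE, 192.0.2.10) are constructed.

```shell
#!/bin/sh
# Added example (not RSA tooling). Input: Log Collector log text on stdin.
# Function names and the sample data below are constructed for illustration.

# Print "<log type><TAB><exit reason>" for each collection session, so a SIC
# failure can be tied to the security or audit pull that produced it.
session_exits() {
  awk '
    BEGIN { log_type = "unknown" }
    /Session starting:/ {
      log_type = "unknown"
      if (match($0, /log=[^ ]+/)) log_type = substr($0, RSTART + 4, RLENGTH - 4)
    }
    /Session exit reason: / {
      reason = $0
      sub(/.*Session exit reason: /, "", reason)
      sub(/"[ \t\r]*$/, "", reason)      # drop the trailing quote the log adds
      print log_type "\t" reason
    }'
}

# Print the most recent NwCheckpointProcess command line found in the log,
# accepting both "_cmdLine set to ..." and "_cmdLine=...", with --odebug added.
odebug_cmd() {
  sed -n -E 's/.*_cmdLine( set to |=)(NwCheckpointProcess .*)$/\2/p' |
    tail -n 1 |
    sed -E 's/[[:space:]]+$//' |
    awk '{ if (index(" " $0 " ", " --odebug ")) print; else print $0 " --odebug" }'
}

# Constructed sample log (documentation IP address, made-up names).
sample_log() {
  cat <<'EOF'
[processing] [WorkUnit] [processing] CP-SAMPLE:192.0.2.10:Session starting: sdn=cn=cp_mgmt,o=example..abc123 cen=SA_OPSEC file=0 record=0 log=audit-current start=end count=5000 time=120"
[processing] [WorkUnit] [processing] CP-SAMPLE:192.0.2.10:Session exit reason: The SIC infrastructure was unable to establish the connection"
_cmdLine set to NwCheckpointProcess --ip 192.0.2.10 --name CP-SAMPLE --port 18184 --audit --debug
EOF
}

sample_log | session_exits
sample_log | odebug_cmd
```

Review the printed command before running it on the Log Collector console, since it is taken verbatim from the log.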
2015-04-27 06:26 AM