Sending logs using OPSEC LEA

This article describes how to set up the Devo LEA client on a Devo relay to pull events from a Checkpoint Management Server (centralized event logging) over the OPSEC LEA protocol.

The following details need to be provided to Devo for the LEA client configuration:

  • DN of the management server
  • lea_server auth_type setting from fwopsec.conf
  • lea_server auth_port setting from fwopsec.conf
  • OPSEC application name created for Devo
  • OPSEC DN (opsec_sic_name) from the OPSEC application's communication configuration
  • One-time password (activation key) from the OPSEC application's communication configuration

These are the configuration steps to follow:

  1. Get the Checkpoint management server DN and provide it to Devo for the LEA client configuration.
    • The opsec_entity_sic_name can be retrieved by double-clicking the main Checkpoint object.
    • Another option is to use the GuiDBedit tool (find the executable in the CP install directory) to look at the management server properties and take the opsec_sic_name DN from the list (check sk61833 on the Checkpoint Support Center for the directions).
  2. Get the firewall LEA authentication settings and provide them to Devo for the LEA client configuration.

    $FWDIR is the Checkpoint installation directory. On a GAiA appliance, print it with echo $FWDIR from an expert-mode shell rather than guessing the path.
    • Check the lea_server settings in the $FWDIR/conf/fwopsec.conf file. Lines beginning with # are comments and are not in effect.
      • Look for lea_server auth_type → Setting is typically ssl_opsec or sslca.
      • Look for lea_server auth_port → Setting is typically 18184.

    • If the authentication setting has not been configured:
      • Edit the fwopsec.conf file (in the $FWDIR/conf directory, or the %FWDIR%\conf\ directory on Windows).
      • Locate the following lines:

        #lea_server auth_port 18184
        #lea_server port 0
      • Change the lines to read as follows (if the lines are missing, add them to the file):

        lea_server auth_port 18184
        lea_server auth_type ssl_opsec
        lea_server port 0

        lea_server port 0 keeps the unauthenticated (clear-text) LEA port disabled, so only authenticated OPSEC clients can pull logs.
      • Restart the Checkpoint services so the change takes effect (this stops all Checkpoint processes on the management server, so plan for it):

        cpstop
        cpstart
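    As an added example (not code from the Devo page or from Checkpoint), the following script checks the fwopsec.conf edit described in step 2 from the appliance's shell. It reports the lea_server settings that are actually in effect, ignoring commented-out lines the way the file itself does, and exits non-zero when authenticated LEA is off or the clear-text LEA port is enabled. The sample files it writes are constructed from the lines quoted above, not copied from an appliance.

```shell
#!/bin/sh
# Added example, not part of the Devo page or the Check Point product:
# report the LEA server settings that are actually in effect in a
# fwopsec.conf and flag configurations an OPSEC LEA client should not
# be pointed at. Only lines that start with "lea_server" count; a line
# beginning with "#" is a comment and is ignored, exactly as the file does.
#
# Usage:  lea_check /path/to/fwopsec.conf   (e.g. "$FWDIR/conf/fwopsec.conf")
# Exit status is 0 when authenticated LEA is enabled and clear-text LEA is off.

# lea_value FILE KEY  -> prints the last active value of "lea_server KEY"
lea_value() {
    sed -n "s/^[[:space:]]*lea_server[[:space:]]\{1,\}$2[[:space:]]\{1,\}\([^[:space:]]*\).*/\1/p" "$1" |
        tail -n 1
}

lea_check() {
    conf=$1
    auth_type=$(lea_value "$conf" auth_type)
    auth_port=$(lea_value "$conf" auth_port)
    clear_port=$(lea_value "$conf" port)
    status=0

    echo "lea_server auth_type : ${auth_type:-(not set, product default applies)}"
    echo "lea_server auth_port : ${auth_port:-(not set)}"
    echo "lea_server port      : ${clear_port:-(not set, clear-text LEA disabled)}"

    # Authenticated LEA must be listening, otherwise opsec_pull_cert and
    # lea-client have nothing to connect to.
    if [ -z "$auth_port" ]; then
        echo "WARN: no active 'lea_server auth_port' line; authenticated LEA is not enabled" >&2
        status=1
    fi
    # A non-zero clear port lets any host pull firewall logs without authentication.
    if [ -n "$clear_port" ] && [ "$clear_port" != 0 ]; then
        echo "WARN: 'lea_server port $clear_port' enables unauthenticated clear-text LEA; set it to 0" >&2
        status=1
    fi
    # ssl_opsec and sslca are the encrypted types named in step 2; the clear
    # and *_clear variants carry the log data unencrypted, so flag anything else.
    case $auth_type in
        ''|ssl_opsec|sslca) ;;
        *) echo "WARN: auth_type '$auth_type' is not ssl_opsec/sslca; check it does not send logs in clear text" >&2 ;;
    esac
    return $status
}

# Constructed sample files (not taken from a real appliance) that mirror the
# lines quoted in step 2: the shipped default with both lines commented out,
# and the edited version.
write_sample_default() {
    cat > "$1" <<'EOF'
# fwopsec.conf - constructed sample, defaults still commented out
#lea_server auth_port 18184
#lea_server port 0
EOF
}
write_sample_fixed() {
    cat > "$1" <<'EOF'
# fwopsec.conf - constructed sample after the edit in step 2
lea_server auth_port 18184
lea_server auth_type ssl_opsec
lea_server port 0
EOF
}

# Demo run ("sh lea_check.sh demo"): the untouched default fails the check,
# the edited file passes.
if [ "${1:-}" = demo ]; then
    tmp=$(mktemp -d)
    write_sample_default "$tmp/default.conf"
    write_sample_fixed "$tmp/fixed.conf"
    lea_check "$tmp/default.conf" || echo "default.conf: needs editing"
    lea_check "$tmp/fixed.conf" && echo "fixed.conf: ready for the LEA client"
    rm -r "$tmp"
fi
```

    Run it against the real file with lea_check "$FWDIR/conf/fwopsec.conf" after the edit; the auth_type and auth_port values it prints are the ones to hand to Devo.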
  3. In the Checkpoint SmartConsole, create the OPSEC application object for the Devo LEA client.
    From the main navigation bar choose:

    • OPSEC applications → New application → Fill out the form.
    • Note the name given to the new OPSEC application and provide it to Devo for the LEA client configuration.
    • Click Communication to create the one-time password (activation key) and provide it to Devo for the LEA client configuration. It is consumed by opsec_pull_cert when the client certificate is fetched.
    • Note the DN (opsec_sic_name) of the new OPSEC application and provide it to Devo for the LEA client configuration.
    • Make sure to execute the Install database command to apply the changes.

  4. Compile the LEA client on the relay server if necessary.

    Go to the next step if a compiled LEA client is already available. The OPSEC SDK is 32-bit, so the 32-bit toolchain and libraries below are needed even on a 64-bit relay.
      • Use apt-get install <package> to install the following utilities:
        • ia32-libs
        • libpam0g:i386
        • g++-multilib
        • libc6-dev-i386

      • Contact your Devo representative to obtain the Devo OPSEC LEA Client files.
      • Download the OPSEC SDK for Linux (OPSEC_SDK_6_0.linux30.tar.gz) from Checkpoint.
      • Copy both archive files onto the relay device into /home/logtrust/opsec (create the directory if necessary).
      • On the relay device, extract both downloaded archive files.
      • Rename the extracted gitlab lea-client directory to lea-client.
      • Extract the OPSEC_SDK_6_0.linux30.tar.gz archive.
      • Move the extracted pkg_rel directory into the lea-client directory.
      • Go to the lea-client directory and run make → The lea-client executable should be present.
      • Go to the next step, Install compiled LEA client.

  5. Install the compiled LEA client onto the relay server.
    • If not already completed in the previous step, install the 32-bit system libs:

      apt-get update
      apt-get install ia32-libs
    • Copy the lea-client executable onto the relay into the following directory (make sure it has been compiled for the correct OS version):

      /opt/logtrust/opsec/bin
    • Create the symlink the relay startup expects:

      ln -sf /opt/logtrust/opsec/bin/lea-client /usr/local/bin/lea-client
    • Create the init symlink:

      ln -sf /opt/logtrust/opsec/bin/lea-client /etc/init.d/lea-client
    • Register the startup daemon at the default run levels:

      update-rc.d lea-client defaults

  6. Configure the LEA client.
      • Use the opsec_pull_cert utility to get the p12 certificate file and to initialize the OPSEC application communication:

         ./opsec_pull_cert -h <mgmt server host IP address> -n <OPSEC application name for logtrust> -p <activation key from OPSEC application> -o <path to output the cert file> -od <opsec_sic_name DN from the OPSEC application configuration>

    Example command (quote the application name if it contains spaces)

    ./opsec_pull_cert -h 10.1.1.5 -n "Devo Lea Client" -p one_time_password -o /opt/logtrust/opsec/bin/logtrust-customer.p12 -od CN=LogTrust,O=DOMAIN.customer.com.dofw6p
    • Make sure the cert file is located in /opt/logtrust/opsec/bin/. The .p12 file contains the client's private key as well as its certificate, so restrict it to the account that runs lea-client (for example, chmod 600).
    • Set up the LEA client configuration file.
      • Create a configuration file in /opt/logtrust/opsec/etc called <customer_name>-lea.conf.
      • Modify the file with the following settings:

        ## LEA Config Section
        lea_server auth_type <auth_type setting from fwopsec.conf>
        lea_server ip <management server IP>
        lea_server auth_port <auth_port setting from fwopsec.conf>
        lea_server opsec_entity_sic_name "<DN of management server>"
        opsec_sic_name "<DN from OPSEC application configuration>"
        opsec_sslca_file <path and file name of the certificate file obtained with opsec_pull_cert>
        ## Log Program Section
        destination_server <hostname of relay>
        destination_port <port on relay listening for inbound events>
        transport_mode tcp
        online_mode true
        log_filename fw.log
        resolve_names true
        ## SYSLOG configuration
        ## Use numeric values for facility and severity
        use_syslog_format true
        syslog_facility 16
        syslog_severity 5
        syslog_tag firewall.checkpoint.lea

    Example configuration file

    ## LEA Config Section
    lea_server auth_type ssl_opsec
    lea_server ip 10.1.1.5
    lea_server auth_port 18184
    lea_server opsec_entity_sic_name "cn=cp_mgmt,o=DOMAIN.customer.com.dofw6p"
    opsec_sic_name "CN=LogTrust,O=DOMAIN.customer.com.dofw6p"
    opsec_sslca_file /opt/logtrust/opsec/bin/logtrust-customer.p12
    ## Log Program Section
    destination_server lt.relay.poc
    destination_port 13000
    transport_mode tcp
    online_mode true
    log_filename fw.log
    resolve_names true
    ## SYSLOG configuration
    ## Use numeric values for facility and severity
    use_syslog_format true
    syslog_facility 16
    syslog_severity 5
    syslog_tag firewall.checkpoint.lea

    • Check that the Devo relay is up and running.
  7. Start the LEA client.

    ./lea-client -c <path to configuration file>

    Example command

    ./lea-client -c /opt/logtrust/opsec/etc/customer-lea.conf
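    As an added example (not code from the Devo page or from the Devo lea-client), the following script checks a <customer_name>-lea.conf on the relay before lea-client is started. It assumes the file layout shown in step 6 (one "key [subkey] value" per line, DNs in double quotes, # comments), confirms that every field the client needs is present and sane, and checks that the .p12 pulled with opsec_pull_cert is readable only by its owner. The configuration it writes for its demo is the page's example config with a stand-in certificate path, not a file from a real relay.

```shell
#!/bin/sh
# Added example, not part of the Devo page or the Devo lea-client: check a
# <customer>-lea.conf on the relay before running "lea-client -c". It reads
# the "key [subkey] value" lines used in the template in step 6 (an assumption
# about the file format, together with double-quoted DNs and "#" comments),
# confirms every field the LEA client needs is present and sane, and checks
# that the .p12 from opsec_pull_cert is readable only by its owner: the PKCS#12
# file holds the client's private key as well as its certificate.
#
# Usage:  lea_conf_check /opt/logtrust/opsec/etc/customer-lea.conf

# conf_value FILE "KEY [SUBKEY]" -> value with surrounding quotes removed
conf_value() {
    key=$(printf '%s' "$2" | sed 's/ /[[:space:]]*/g')
    sed -n "s/^[[:space:]]*${key}[[:space:]]\{1,\}\(.*\)/\1/p" "$1" | tail -n 1 |
        sed 's/^"//; s/"[[:space:]]*$//; s/[[:space:]]*$//'
}

# numeric VALUE MAX -> true when VALUE is an integer in 0..MAX
numeric() {
    case $1 in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -le "$2" ]
}

lea_conf_check() {
    conf=$1
    rc=0
    for k in "lea_server auth_type" "lea_server ip" "lea_server auth_port" \
             "lea_server opsec_entity_sic_name" "opsec_sic_name" "opsec_sslca_file" \
             "destination_server" "destination_port" "syslog_tag"; do
        [ -n "$(conf_value "$conf" "$k")" ] || { echo "MISSING: $k" >&2; rc=1; }
    done

    numeric "$(conf_value "$conf" 'lea_server auth_port')" 65535 ||
        { echo "BAD: lea_server auth_port must be a TCP port number" >&2; rc=1; }
    numeric "$(conf_value "$conf" destination_port)" 65535 ||
        { echo "BAD: destination_port must be a TCP port number" >&2; rc=1; }
    # The template says to use numeric syslog values: facility 0-23, severity 0-7.
    numeric "$(conf_value "$conf" syslog_facility)" 23 ||
        { echo "BAD: syslog_facility must be numeric (0-23)" >&2; rc=1; }
    numeric "$(conf_value "$conf" syslog_severity)" 7 ||
        { echo "BAD: syslog_severity must be numeric (0-7)" >&2; rc=1; }

    cert=$(conf_value "$conf" opsec_sslca_file)
    if [ ! -r "$cert" ]; then
        echo "BAD: opsec_sslca_file '$cert' is missing or unreadable" >&2; rc=1
    else
        # GNU stat first, BSD stat as the fallback
        mode=$(stat -c %a "$cert" 2>/dev/null || stat -f %Lp "$cert")
        case $mode in
            400|600) ;;
            *) echo "BAD: $cert is mode $mode; it holds the private key, run: chmod 600 $cert" >&2; rc=1 ;;
        esac
    fi
    return $rc
}

# Constructed sample: the page's example config, with the certificate path
# taken from the second argument so the file check can run anywhere.
write_sample_conf() {
    cat > "$1" <<EOF
## LEA Config Section
lea_server auth_type ssl_opsec
lea_server ip 10.1.1.5
lea_server auth_port 18184
lea_server opsec_entity_sic_name "cn=cp_mgmt,o=DOMAIN.customer.com.dofw6p"
opsec_sic_name "CN=LogTrust,O=DOMAIN.customer.com.dofw6p"
opsec_sslca_file $2
## Log Program Section
destination_server lt.relay.poc
destination_port 13000
transport_mode tcp
online_mode true
log_filename fw.log
resolve_names true
## SYSLOG configuration
use_syslog_format true
syslog_facility 16
syslog_severity 5
syslog_tag firewall.checkpoint.lea
EOF
}

# Demo run ("sh lea_conf_check.sh demo"): a world-readable .p12 fails,
# the same file at mode 600 passes.
if [ "${1:-}" = demo ]; then
    tmp=$(mktemp -d)
    printf 'not-a-real-p12' > "$tmp/customer.p12"   # stand-in for the pulled cert
    chmod 644 "$tmp/customer.p12"                    # deliberately too open
    write_sample_conf "$tmp/customer-lea.conf" "$tmp/customer.p12"
    lea_conf_check "$tmp/customer-lea.conf" || echo "fix the items above before starting lea-client"
    chmod 600 "$tmp/customer.p12"
    lea_conf_check "$tmp/customer-lea.conf" && echo "customer-lea.conf: OK"
    rm -r "$tmp"
fi
```

    The check is deliberately strict about the certificate mode: lea_conf_check exits non-zero until the .p12 is 600 or 400, because the relay account that runs lea-client is the only one that should be able to read the client's private key.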

  8. Events should be visible in the firewall.checkpoint.lea table.
    • Open it via Search, or use the free-text query from firewall.checkpoint.lea.
