Configure OPSEC LEA to send data to the Splunk platform
You need to perform configuration in Check Point OPSEC LEA before you can collect OPSEC LEA data with the Splunk Add-on for Check Point OPSEC LEA.
Create the Splunk OPSEC application
Create the Splunk OPSEC application using the Check Point SmartDashboard or the desired CMA/Domain on Provider-1. Name the new OPSEC application SplunkLEA. (You can use any name but SplunkLEA is recommended by convention.) When configuring the host, select or create the Splunk host on which the Splunk Add-on for Check Point OPSEC LEA is being installed for data collection, usually a forwarder. Consult the Check Point documentation for more information about creating an OPSEC application.
Do not use hyphens in the OPSEC application name. See certificate authority not found error.
Create the OPSEC application certificate
Create an OPSEC application certificate in the Check Point SmartDashboard. Be sure to take note of the one-time password you enter. You will need this one-time password when you create an OPSEC LEA connection in the add-on. Note that the password must not include any of the following special characters: exclamation (!), circumflex accent (^), tilde (~), grave accent (`), quotation ("), or apostrophe (').
After initialization, note the opsec_sic_name that is generated. You will need this opsec_sic_name if you are configuring the add-on using the configuration files. Consult the Check Point documentation for more information about creating an application certificate.
Add firewall rules
If there are firewalls between the Splunk instance performing the data collection and the Management Server, you need to add firewall rules using the SmartDashboard application. Verify that the FW1_lea and FW1_ica_pull rule settings are correct. Action should be set to accept for both rules. Consult the Check Point documentation for more information about firewall rules.
Install the database
The last configuration step for OPSEC LEA is to install the database. In the SmartDashboard, under Policy, install the database for your Management Server. Consult the Check Point documentation for more information.
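A pre-flight check for the constraints in the steps above, meant to be run from the Splunk host that will collect the data. This is an added example, not part of the Splunk add-on or of Check Point's tooling; the function names are hypothetical, and the port numbers (TCP 18184 for FW1_lea, TCP 18210 for FW1_ica_pull) are Check Point's defaults, assumed here because this page does not list them.

```python
import socket

# Constraints stated on this page.
FORBIDDEN_OTP_CHARS = set("!^~`\"'")
# Assumption: Check Point's default TCP ports for the two services named above.
DEFAULT_PORTS = {"FW1_lea": 18184, "FW1_ica_pull": 18210}


def check_app_name(name):
    """Return a list of problems with the OPSEC application name."""
    return ["application name contains a hyphen"] if "-" in name else []


def check_one_time_password(otp):
    """Return problems with the one-time password, naming only the offending characters."""
    bad = sorted(FORBIDDEN_OTP_CHARS.intersection(otp))
    if bad:
        return ["one-time password contains forbidden character(s): " + " ".join(bad)]
    return []


def check_reachability(host, ports=DEFAULT_PORTS, timeout=3.0):
    """Try a TCP connect to each service port; return {service: True/False}."""
    results = {}
    for service, port in ports.items():
        try:
            with socket.create_connection((host, port), timeout=timeout):
                results[service] = True
        except OSError:
            results[service] = False
    return results


def preflight(name, otp, host, ports=DEFAULT_PORTS):
    """Collect every problem found so all can be fixed in one pass."""
    problems = check_app_name(name) + check_one_time_password(otp)
    for service, ok in check_reachability(host, ports).items():
        if not ok:
            problems.append(f"cannot reach {service} on {host}:{ports[service]}")
    return problems


if __name__ == "__main__":
    # Constructed sample values; 192.0.2.10 is a documentation address.
    for line in preflight("Splunk-LEA", "s3cret!", "192.0.2.10") or ["all checks passed"]:
        print(line)
```

A successful connect only shows that the port is reachable through the firewall; it does not confirm the certificate or the installed database.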
This documentation applies to the following versions of Splunk® Supported Add-ons: released