Splunk® Supported Add-ons

Splunk Add-on for Check Point OPSEC LEA


Configure OPSEC LEA to send data to the Splunk platform

You need to perform configuration in Check Point OPSEC LEA before you can collect OPSEC LEA data with the Splunk Add-on for Check Point OPSEC LEA.

Create the Splunk OPSEC application

Create the Splunk OPSEC application using the Check Point SmartDashboard or the desired CMA/Domain on Provider-1. Name the new OPSEC application SplunkLEA. (You can use any name but SplunkLEA is recommended by convention.) When configuring the host, select or create the Splunk host on which the Splunk Add-on for Check Point OPSEC LEA is being installed for data collection, usually a forwarder. Consult the Check Point documentation for more information about creating an OPSEC application.

Do not use hyphens in the OPSEC application name. See "Certificate authority not found error".

Create the OPSEC application certificate

Create an OPSEC application certificate in the Check Point SmartDashboard. Be sure to take note of the one-time password you enter. You will need this one-time password when you create an OPSEC LEA connection in the add-on. Note that the password must not include any of the following special characters: exclamation (!), circumflex accent (^), tilde (~), grave accent (`), quotation ("), or apostrophe (').

After initialization, note the opsec_sic_name that is generated. You will need this opsec_sic_name if you are configuring the add-on using the configuration files. Consult the Check Point documentation for more information about creating an application certificate.

Add firewall rules

If there are firewalls between the Splunk instance performing the data collection and the Management Server, you need to add firewall rules using the SmartDashboard application. Verify that the FW1_lea and FW1_ica_pull rule settings are correct. Action should be set to accept for both rules. Consult the Check Point documentation for more information about firewall rules.

Install the database

The last configuration step for OPSEC LEA is to install the database. In the SmartDashboard, under Policy, install the database for your Management Server. Consult the Check Point documentation for more information.
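
The naming, one-time password, and firewall requirements in the steps above can be checked from the Splunk host before you create the OPSEC LEA connection. The following is an added example, not part of the Splunk documentation or the add-on's code: the function names are hypothetical, and the TCP ports 18184 (FW1_lea) and 18210 (FW1_ica_pull) are assumed Check Point defaults that this page does not state.

```python
import socket

# Characters the page says the one-time password must not include.
FORBIDDEN_OTP_CHARS = {"!": "exclamation", "^": "circumflex accent",
                       "~": "tilde", "`": "grave accent",
                       '"': "quotation", "'": "apostrophe"}

# Assumption: Check Point's default TCP ports for these services (not stated
# on this page). Confirm them against the service objects in SmartDashboard.
DEFAULT_PORTS = {"FW1_lea": 18184, "FW1_ica_pull": 18210}


def check_app_name(name):
    """Return problems with the OPSEC application name (hypothetical helper)."""
    problems = []
    if not name.strip():
        problems.append("OPSEC application name is empty")
    if "-" in name:
        problems.append("OPSEC application name contains a hyphen")
    return problems


def check_otp(otp):
    """Return problems with the one-time password, naming only the
    forbidden character types so the secret itself is never echoed."""
    if not otp:
        return ["one-time password is empty"]
    found = [label for ch, label in FORBIDDEN_OTP_CHARS.items() if ch in otp]
    return ["one-time password contains: " + ", ".join(found)] if found else []


def check_ports(host, ports=DEFAULT_PORTS, timeout=3.0):
    """TCP-connect to each service port from this host; return {service: bool}."""
    reachable = {}
    for service, port in ports.items():
        try:
            with socket.create_connection((host, port), timeout=timeout):
                reachable[service] = True
        except OSError:  # refused, filtered (timeout) or unroutable
            reachable[service] = False
    return reachable


def preflight(app_name, otp, mgmt_host=None):
    """Collect every problem found; an empty list means the checks passed."""
    problems = check_app_name(app_name) + check_otp(otp)
    if mgmt_host:
        problems += [f"{svc} not reachable on {mgmt_host}"
                     for svc, ok in check_ports(mgmt_host).items() if not ok]
    return problems
```

Run `preflight()` on the Splunk host that performs data collection, passing the Management Server address as `mgmt_host`. A successful TCP connect shows only that the network path is open; it does not confirm that the certificate was initialized or that the database was installed.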

Last modified on 22 October, 2019

This documentation applies to the following versions of Splunk® Supported Add-ons: released

