
Solution! R75.30 SmartEvent not able to communicate to log server in CMA environment



jimmorbid
2012-04-10, 03:38
Hi everyone.

I have had some trouble with my SmartEvent Server communicating with CLM log servers in a CMA environment. The issue is that the SmartEvent server (which is a Global object) could not talk to log servers that were defined as local objects on a domain.

While the SmartEvent Correlation Unit was able to see the Log server it could not establish SIC with it, and therefore nothing worked.

After much digging and SR liaisons with Check Point support, I have managed to get it working, with the following solution:

The issue is that the CLM local domain object log servers are not aware of the Global SmartEvent object. To fix this you need to force authentication between the two.

1) Run cpstop on the SmartEvent server
2) Run the following command: fw putkey -p <shared_secret> <log server IP>
3) Make a backup of $CPDIR/conf/sic_policy.conf
4) Edit the $CPDIR/conf/sic_policy.conf file, making the following changes

In the [Outbound Rule] section, locate the following lines:

# for log_export tool and Abacus analyzer
ANY ; ANY ;ANY; lea ; sslca

Change the line:

ANY ; ANY ;ANY; lea ; sslca

To read:

ANY ; ANY ;ANY; lea ; ssl, sslca

Note: Be sure to insert ssl before sslca.

Still in the [Outbound Rule] section, locate the following lines:

# for LC: should implement 'Loggers' hook
ANY ; Loggers ;ANY; lea ; sslca

Change the last line as follows:

ANY ; Loggers ;ANY; lea ; sslca, ssl

5) Now you move over to your log server. Run cpstop
6) Run the following command: fw putkey -p <shared_secret> <SmartEvent IP>
7) Make a backup of $CPDIR/conf/sic_policy.conf
8) Edit the $CPDIR/conf/sic_policy.conf file, making the following changes

In the [Inbound Rule] section, locate the following lines:

#Abacus
ANY ; SEAM_analyzers ; ANY; lea ; sslca

Change the last line as follows:

ANY ; SEAM_analyzers ; ANY; lea ; ssl

You might have a reference to Reporting_Tool in your file right after SEAM_analyzers

Still in the [Inbound Rule] section, locate the following lines:

# Reporting Tool (ssl in P-1)
ANY ; Log_Consolidator; ANY; lea ; sslca, ssl

Change the last line as follows:

ANY ; Log_Consolidator; ANY; lea ; ssl

Still in the [Inbound Rule] section, locate the following lines:

# log export to DB utility (lea client from any SVN host)

Add the following line:

ANY ;ANY; ANY; lea ; ssl

It should look as follows:

ANY ; CP_PRODUCT; ANY; lea ; sslca
ANY ;ANY; ANY; lea ; ssl


9) Run cpstart on the log server, and cpstart on the SmartEvent server.

What you are basically doing is forcing SIC between the servers, and specifying that they need to communicate via SSL.

If you have multiple SmartEvent Correlation Units (mine is built into the Event Server) then you will need to run this process on every Correlation Unit.

Hope this helps someone out there.

Special thanks to the gents at Check Point for helping me figure this out!

JM
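The sic_policy.conf edits from the post (steps 4 and 8) as a script, added here as an example; it is not part of jimmorbid's post or of any Check Point tooling. It keeps the first backup it takes, refuses to patch a file twice, restricts each substitution to the section the post names, and verifies the result. cpstop, fw putkey and cpstart (steps 1, 2, 5, 6 and 9) are still run by hand. The sample configuration it writes is constructed from the lines quoted in the post and is not a real $CPDIR/conf/sic_policy.conf; the function names, the `[^;]*` tolerance for extra products (such as Reporting_Tool) listed after SEAM_analyzers, and the assumption that a section ends at the next `[...]` header are my own. Always diff the result against the backup before cpstart.

```shell
#!/bin/sh
# Added example, not from the original post. Usage on the SmartEvent / Correlation
# Unit (after cpstop and fw putkey):   sh sicpol.sh smartevent $CPDIR/conf/sic_policy.conf
# On the CLM log server:                sh sicpol.sh logserver  $CPDIR/conf/sic_policy.conf
set -eu

# _edit FILE SED_SCRIPT: rewrite FILE in place through a temp file (portable, no sed -i).
_edit() {
    sed "$2" "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Section extractor. Assumption: a section runs until the next "[...]" header.
_section() {   # NAME FILE
    sed -n "/^\\[$1\\]/,/^\\[/p" "$2"
}

# SmartEvent side: both edits live in [Outbound Rule] (ssl added to the two lea rules).
verify_smartevent_side() {
    out="$(_section 'Outbound Rule' "$1")"
    printf '%s\n' "$out" | grep -q '^ANY *; *ANY *; *ANY *; *lea *; *ssl *, *sslca *$' &&
    printf '%s\n' "$out" | grep -q '^ANY *; *Loggers *; *ANY *; *lea *; *sslca *, *ssl *$'
}

patch_smartevent_side() {
    f="$1"
    if verify_smartevent_side "$f"; then echo "$f: already patched" >&2; return 0; fi
    [ -e "$f.bak" ] || cp "$f" "$f.bak"      # keep the pristine copy, never overwrite it
    _edit "$f" '/^\[Outbound Rule\]/,/^\[/ {
        s/^\(ANY *; *ANY *; *ANY *; *lea *; *\)sslca *$/\1ssl, sslca/
        s/^\(ANY *; *Loggers *; *ANY *; *lea *; *\)sslca *$/\1sslca, ssl/
    }'
}

# Log server side: three edits, all in [Inbound Rule]. "[^;]*" after SEAM_analyzers
# tolerates extra products (e.g. Reporting_Tool) in the same field, as the post warns.
verify_logserver_side() {
    in="$(_section 'Inbound Rule' "$1")"
    printf '%s\n' "$in" | grep -q '^ANY *; *SEAM_analyzers[^;]*; *ANY *; *lea *; *ssl *$' &&
    printf '%s\n' "$in" | grep -q '^ANY *; *Log_Consolidator *; *ANY *; *lea *; *ssl *$' &&
    printf '%s\n' "$in" | grep -q '^ANY *; *ANY *; *ANY *; *lea *; *ssl *$'
}

patch_logserver_side() {
    f="$1"
    if verify_logserver_side "$f"; then echo "$f: already patched" >&2; return 0; fi
    [ -e "$f.bak" ] || cp "$f" "$f.bak"
    _edit "$f" '/^\[Inbound Rule\]/,/^\[/ {
        s/^\(ANY *; *SEAM_analyzers[^;]*; *ANY *; *lea *; *\)sslca *$/\1ssl/
        s/^\(ANY *; *Log_Consolidator *; *ANY *; *lea *; *\)sslca *, *ssl *$/\1ssl/
        /^ANY *; *CP_PRODUCT *; *ANY *; *lea *; *sslca *$/ a\
ANY ;ANY; ANY; lea ; ssl
    }'
}

# Constructed sample holding only the rule lines the post quotes; a real
# $CPDIR/conf/sic_policy.conf carries many more rules. Used for dry runs.
make_sample_conf() {
    cat > "$1" <<'EOF'
[Inbound Rule]
#Abacus
ANY ; SEAM_analyzers ; ANY; lea ; sslca
# Reporting Tool (ssl in P-1)
ANY ; Log_Consolidator; ANY; lea ; sslca, ssl
# log export to DB utility (lea client from any SVN host)
ANY ; CP_PRODUCT; ANY; lea ; sslca

[Outbound Rule]
# for log_export tool and Abacus analyzer
ANY ; ANY ;ANY; lea ; sslca
# for LC: should implement 'Loggers' hook
ANY ; Loggers ;ANY; lea ; sslca
EOF
}

# No argument: only define the functions (so the file can be sourced or tested).
case "${1:-}" in
    smartevent) patch_smartevent_side "$2"; verify_smartevent_side "$2"; diff -u "$2.bak" "$2" || : ;;
    logserver)  patch_logserver_side "$2";  verify_logserver_side "$2";  diff -u "$2.bak" "$2" || : ;;
    *) ;;
esac
```

Run it once per Correlation Unit and once per CLM; the verify functions double as a post-upgrade check, since a hotfix or upgrade can replace sic_policy.conf and silently undo the edits.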