Hi guru,
Please help me get Check Point R75.40 SPLAT logs into LEM.
I tried the OPSEC/Check Point NG LEA Client but it fails to start.
Many thanks
To clarify the uppercase/lowercase thing - it's critical that "cn" and "o" and then "CN" and "O" are case sensitive. Your OPSEC Name will likely be mixed case (whatever you configure on the CP side) and your server specific side is commonly lowercase. Most important that the CN/O cases aren't mixed, it causes weird issues and possibly failures. Safest is to copy/paste these values from the CP side, just in case.
Of all the connectors we have, the Check Point integration is one of the most complicated. We have details on this here:
SolarWinds Knowledge Base :: Integrating Check Point with SolarWinds LEM
There are a lot of settings on the Check Point side. On the LEM side, there are some tricks, which are in that document, but let me highlight them as they seem to trip people up:
The Server DN field must be all lower-case.
The Client DN field must be all upper-case (though some people say mixed-case works too).
If you can get the connector running, it may be able to bring in the logs you care about, but getting it working first is key.
Hi Curtisi, Nicole,
Guru
The problem is solved now.
Thanks a lot.
We have gotten the Check Point connector to work on the LEM, but are we able to see user activity level? curtisi
The connector will connect to both the 'admin' and the firewall logs, so you will see things like logons to your management station and policy pushes in addition to all the firewall blocks.
Will I be able to see logs from users, similar to SmartView Tracker?
From what I've seen, everything you see in SmartView Tracker should be present in the LEM data, but I think in a few cases SmartView Tracker might pull together different sources in a different view for some of its Users views. LEM will be entirely based on what's coming into the logs, so you will see the user data in the log data that comes through, but if there's anything stateful that SmartView Tracker is getting by interrogating connections on the firewall and not using the log data, LEM won't have it. It might also take a little bit of effort to backtrack out the same views from LEM. (One of the advantages SmartView has is that it's focused on the CP data/systems, but LEM is a lot more generic.)
For best results, hook up a CP firewall to LEM and take a look.