Checkpoint connector for r75.40 SPLAT

Hi guru,

Please help me get Check Point r75.40 SPLAT logs into LEM.

I tried the OPSEC/Check Point NG LEA Client, but it fails to start.

Many thanks

  • Of all the connectors we have, the Check Point integration is one of the most complicated.  We have details on this here:

    SolarWinds Knowledge Base :: Integrating Check Point with SolarWinds LEM

    There are a lot of settings on the Check Point side. On the LEM side, there are some tricks, which are in that document, but let me highlight them as they seem to trip people up:

    The Server DN field must be all lower-case.

    The Client DN field must be all upper-case (though some people say mixed-case works too).

    If you can get the connector running, it may be able to bring in the logs you care about, but getting it working first is key.

  • FormerMember
    0 FormerMember in reply to curtisi

    To clarify the uppercase/lowercase thing: it's critical that "cn" and "o" and then "CN" and "O" are case sensitive. Your OPSEC Name will likely be mixed case (whatever you configure on the CP side) and your server-specific side is commonly lowercase. It's most important that the CN/O cases aren't mixed; that causes weird issues and possibly failures. Safest is to copy/paste these values from the CP side, just in case.
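
A pre-flight check for the two DN fields, following the case rules given in the two replies above. This is an added example, not part of the original thread and not SolarWinds or Check Point tooling; the function names and the sample DNs are constructed for illustration.

```python
import re

_PAIR = re.compile(r"^([A-Za-z]+)=(.+)$")

def lint_dn(dn, field):
    """Lint a DN typed into the LEM connector; field is "server" or "client"."""
    problems = []
    if dn != dn.strip():
        problems.append("leading or trailing whitespace")
    keys = []
    for part in dn.strip().split(","):
        if part != part.strip():
            problems.append(f"whitespace around component {part!r}")
        m = _PAIR.match(part.strip())
        if not m:
            problems.append(f"cannot parse component {part!r}")
            continue
        keys.append(m.group(1))
    for key in keys:
        # Assumption: only the cn/o attributes named in the thread are expected.
        if key.lower() not in ("cn", "o"):
            problems.append(f"attribute {key!r} is not one of cn/o")
    if field == "server":
        # First reply: the Server DN field must be all lower-case.
        if dn != dn.lower():
            problems.append("server DN contains upper-case characters")
    else:
        # Second reply: CN/O keys upper-case and never mixed; the value
        # (the OPSEC name) keeps whatever case the Check Point side shows.
        bad = [k for k in keys if k != k.upper()]
        if bad:
            problems.append(f"client DN keys not upper-case: {bad}")
    return problems

def case_only_mismatch(entered, from_checkpoint):
    """True when the typed DN differs from the copied one only by case."""
    return entered != from_checkpoint and entered.lower() == from_checkpoint.lower()

# Constructed sample values, not taken from any real deployment.
SERVER_OK = "cn=cp_mgmt,o=fwmgmt..ab12cd"
CLIENT_OK = "CN=Lem_Opsec,O=fwmgmt..ab12cd"
CLIENT_MIXED = "CN=Lem_Opsec,o=fwmgmt..ab12cd"

if __name__ == "__main__":
    for dn, field in [(SERVER_OK, "server"), (CLIENT_OK, "client"),
                      (CLIENT_MIXED, "client")]:
        print(field, dn, "->", lint_dn(dn, field) or "ok")
```
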

  • Hi Curtisi, Nicole,

    Guru

    Problem is solved now

    Thanks a lot

  • We have gotten the Check Point connector to work on the LEM, but are we able to see user activity level? curtisi

  • FormerMember
    0 FormerMember in reply to marcusmm8

    The connector will connect to both the 'admin' and the firewall logs, so you will see things like logons to your management station and policy pushes in addition to all the firewall blocks.

  • Will I be able to see logs from users, similar to SmartView Tracker?

  • FormerMember
    0 FormerMember in reply to marcusmm8

    From what I've seen, everything you see in SmartView Tracker should be present in the LEM data, but I think in a few cases SmartView Tracker might pull together different sources in a different view for some of its Users views. LEM will be entirely based on what's coming into the logs, so you will see the user data in the log data that comes through, but if there's anything stateful that SmartView Tracker is getting by interrogating connections on the firewall and not using the log data, LEM won't have it. It might also take a little bit of effort to backtrack out the same views from LEM. (One of the advantages SmartView has is that it's focused on the CP data/systems, but LEM is a lot more generic.)

    For best results, hook up a CP firewall to LEM and take a look.