IBM Support

Check Point FireWall-1 R77.10 can drop log source connections that use OPSEC/LEA

Troubleshooting


Problem

Check Point FireWall-1 version R77.10 can drop the OPSEC/LEA connections from QRadar when the firewall completes a log switch to start a new log file.

Symptom

Check Point FireWall-1 devices that use the OPSEC/LEA protocol stop reporting events at random intervals. As a result, the QRadar log source for the Check Point FireWall-1 appliance intermittently appears to stop receiving events.

Cause

This is a known issue with Check Point FireWall-1 version R77.10 and requires a hotfix from Check Point to correct.

Environment

Check Point FireWall-1 systems at version R77.10, which provide events to QRadar with the OPSEC/LEA protocol.

Diagnosing The Problem

Administrators can verify the status of their Check Point FireWall-1 log sources in QRadar by reviewing the Last Event Time column of the log source, and then verifying that the leapipe process is running.
To verify that the leapipe process is running on QRadar:

  1. Using SSH, log in to the Console.
  2. Optional. Using SSH, log in to the managed host identified in the Target Event Collector field of the Check Point FireWall-1 log source.
  3. To verify the OPSEC/LEA process is running, type the following command: ps -el | grep leapipe

    For example:

    root@demo ~# ps -el | grep leapipe
    4 S 0 28487 19087 0 80 0 - 34261 poll_s ? 00:00:03 leapipe2syslog

  4. If the leapipe process is listed, it is running on QRadar, and administrators can proceed to update their R77.10 servers with the hotfix.
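Added example (not part of the IBM page): a POSIX shell function that wraps the same `ps -el | grep leapipe` check from step 3 so it can be scripted, excluding the grep command's own line and printing the PID and parent PID of each leapipe2syslog process. The sample listing is constructed for offline use; only the leapipe2syslog line matches the output shown in step 3.

```shell
#!/bin/sh
# Check whether the OPSEC/LEA forwarder (leapipe2syslog) is running.
# leapipe_status reads a `ps -el` listing on stdin, prints "PID PPID" for
# every leapipe2syslog process, and returns 0 if at least one was found,
# 1 otherwise. Matching on the CMD column (last field) avoids the classic
# false positive where `ps | grep leapipe` matches the grep process itself.
leapipe_status() {
    awk '$NF == "leapipe2syslog" { print $4, $5; found = 1 }
         END { exit (found ? 0 : 1) }'
}

# Constructed sample listing (header, the leapipe2syslog line from the
# procedure above, and a grep line that must NOT be counted).
SAMPLE_PS='F S UID PID PPID C PRI NI ADDR SZ WCHAN TTY TIME CMD
4 S 0 28487 19087 0 80 0 - 34261 poll_s ? 00:00:03 leapipe2syslog
0 S 0 30001 29990 0 80 0 - 1234 pipe_w pts/0 00:00:00 grep leapipe'

# Offline demonstration against the constructed sample.
if printf '%s\n' "$SAMPLE_PS" | leapipe_status; then
    echo "leapipe2syslog is running"
else
    echo "leapipe2syslog is NOT running"
fi
```

On a live QRadar console or event collector, run `ps -el | leapipe_status` to apply the same check to the real process table.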

Resolving The Problem

Administrators can contact Check Point support to receive the hotfix for this issue and verify compatibility with their firewall appliances.


Issue: Log server stops forwarding logs to LEA clients / OPSEC clients
Solution ID: sk98588
Vendor support portal: https://supportcenter.checkpoint.com/supportcenter/portal


For additional assistance with event collection, administrators can contact IBM customer support.


Document Information

Modified date:
10 May 2019

UID

swg21666541