Check Point FireWall-1 version R77.10 can drop the OPSEC/LEA connections from QRadar when the firewall completes a log switch to start a new log file.
Check Point FireWall-1 devices that use the OPSEC/LEA protocol stop reporting events at random intervals. As a result, the Check Point FireWall-1 log source in QRadar appears to stop receiving events from the appliance at random intervals.
This is a known issue with Check Point FireWall-1 version R77.10 and requires a hotfix from Check Point to correct.
This applies to Check Point FireWall-1 systems at version R77.10 that provide events to QRadar over the OPSEC/LEA protocol.
Diagnosing The Problem
Administrators can verify the status of their Check Point FireWall-1 log sources in QRadar by reviewing the Last Event Time column, and then verifying that the leapipe process is running.
To verify that the leapipe process is running on QRadar:
- Using SSH, log in to the Console.
- Optional. Using SSH, log in to the managed host identified in the Target Event Collector field of the Check Point FireWall-1 log source.
- To verify that the OPSEC/LEA process is running, type the following command: ps -el | grep leapipe
root@demo ~# ps -el | grep leapipe
4 S 0 28487 19087 0 80 0 - 34261 poll_s ? 00:00:03 leapipe2syslog
- If the leapipe process is listed, the process is running on QRadar and the QRadar side of the connection is healthy. Administrators can then update their R77.10 servers with the hotfix.
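The check above, as an added example that is not part of the IBM technote or of any Check Point or QRadar tooling: a POSIX shell function that combines the two diagnostic inputs (the `ps -el` listing and the age of the log source's Last Event Time) into a single verdict. The process name `leapipe2syslog`, the 900-second staleness threshold and the verdict labels are assumptions chosen for this example.

```shell
#!/bin/sh
# Added example, not IBM's or Check Point's own code. Classifies an OPSEC/LEA
# collection outage from (a) a `ps -el` listing and (b) the number of seconds
# since the log source's Last Event Time in QRadar.

# Return 0 if a leapipe process appears in the given `ps -el` listing.
# Only the last column (CMD) is matched, so a stray "grep leapipe" process
# cannot produce a false positive.
leapipe_running() {
    printf '%s\n' "$1" | awk '$NF ~ /^leapipe/ { found = 1 } END { exit !found }'
}

# Print one of:
#   collector - leapipe is not running, so the problem is on the QRadar side
#   firewall  - leapipe is running but events are stale: the R77.10 log-switch
#               symptom, which points at applying the Check Point hotfix
#   ok        - leapipe is running and events are still arriving
# $1: ps -el output   $2: seconds since Last Event Time   $3: staleness threshold
diagnose() {
    ps_listing=$1
    last_event_age=$2
    stale_after=${3:-900}   # assumed 15-minute threshold; tune per site

    if ! leapipe_running "$ps_listing"; then
        echo collector
        return
    fi
    if [ "$last_event_age" -gt "$stale_after" ]; then
        echo firewall
        return
    fi
    echo ok
}

# Live use on the QRadar Console or Target Event Collector:
#   diagnose "$(ps -el)" <seconds since Last Event Time>
```

Run the function once per Check Point log source; a verdict of `firewall` for a source whose leapipe process is up is the pattern this technote describes.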
Resolving The Problem
Administrators can contact Check Point support to receive the hotfix for this issue and verify compatibility with their firewall appliances.
Issue: Log server stops forwarding logs to LEA clients / OPSEC clients
Vendor support portal: https://supportcenter.checkpoint.com/supportcenter/portal
For additional assistance with event collection, administrators can contact IBM customer support:
10 May 2019