IBM Support

Check Point log sources display "err=-93" error message in QRadar



Administrators configuring IBM Security QRadar to retrieve events from Check Point Firewall-1 with OPSEC can result in the error "Opsec error. rc=-1 err=-93 The referred entity does not exist in the Certificate Authority".


These error codes indicate the following:

  • rc=-1 indicates that an operation failed.
  • err=-93 indicates that the Check Point policy has not been installed.

Diagnosing The Problem

When this issue occurs, the log source created in QRadar will display Error in the log source Status column. Administrators can review the QRadar logs to determine the root error code.

To review the QRadar error log:

  1. Using SSH, log in to the Console as the root user.

  2. Optional. If the Check Point log source is assigned to a managed host, open an SSH session to the managed host.

    The error will be located on whatever QRadar appliance attempts to make the OPSEC connection to the Check Point appliance.

  3. Type the following command to review the QRadar log file: less /var/log/qradar.log.
  4. Review the error log to look for error codes related to OPSEC. For example:
    Opsec error. rc=-1 err=-93. The referred entity does not exist in the Certificate Authority.

Resolving The Problem

To resolve this issue, administrators can verify that the Check Point policy is installed.

How to install a Check Point Firewall-1 policy:

  1. Log in to the Checkpoint Smart Dashboard interface.
  2. Select Policy > Install > OK.

    You are now ready to force the QRadar log source to attempt to reconnect to the Check Point Firewall-1 appliance.

How to force the log source in QRadar to attempt to reconnect:

  1. Log in to the QRadar Console.
  2. Click the Admin tab.
  3. Select the Log Source icon.
  4. Select your Check Point Firewall-1 log source.
  5. Click Enable/Disable to disable, then reenable the Check Point log source. This action should force the OPSEC/LEA protocol to attempt to connect to the Check Point Firewall-1 appliance.

Where to find more information?

[{"Product":{"code":"SSBQAC","label":"IBM Security QRadar SIEM"},"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Component":"Integrations - 3rd Party","Platform":[{"code":"PF016","label":"Linux"}],"Version":"7.2","Edition":"","Line of Business":{"code":"LOB24","label":"Security Software"}}]

Document Information

Modified date:
10 May 2019