Page 7, What does this mean exactly?
"Save logs locally, on this machine"
And where would the logs be saved to?
OK, my bad. It is on page 8.
Warning: It may not be enough to be on CP version R77.30 to get the syslog feature.
You may also have to install the R77.30 Add-On on the Security Management Server.
As already noted to our TAM: Syslog is NOT an option for a large company.
Usually (if you have serious firewall administrators) the firewall management subnet is protected by a firewall and the firewall administrators are the only ones that have access to that network. Connecting an ArcSight syslog connector to the firewall MLM and MDS servers (gathering all logs of all managed Check Point firewalls) means in that case: all syslog events will pass the firewall between MLM / MDS and connector. The firewall team will not allow a server within their firewall administration subnet that is managed by another team!!! If you send each and every firewall log event via syslog (usually you need syslog_tcp to rely on the connection) the admin firewall will crash because of the huge amount of TCP sessions that the firewall has to handle.
We strictly ask for an ArcSight connector that supports LEA OPSEC sslca and supports Check Point R.80.
Unsupported solution to this issue and can only be done by ppl who know their stuff ;) We tested this approach, however below is NOT a step-by-step guide
Works with 32bit connector >=7.7.0
- install 32 bit version of smartconnector to any server/laptop/etc. choose a linux host, so that you will get the 32bit lea binaries for linux, and not windows.
- select to install a checkpoint connector ... don't add details, just make a generic checkpoint lea connector
- find the binaries that are used for the connection (lea_client, certificate pull, etc), and
On the 64 bit destination connector(appliance):
- copy checkpoint binaries to a FRESH Smartconnector
- copy agent.properties to the SC
- run "setup" for Smartconnector, you should be able to see Checkpoint ad_opesc now.
Hope that helps
P.S.: SHA2 support was added as Hotfix, and now is part of 7.7.0