ArcSight Connectors Documentation

SmartConnector for Check Point Syslog

Version history
Revision #: 7 of 7
Last update: 10-23-2017 01:05 PM

Page 7: what does this mean exactly?

"Save logs locally, on this machine"

And where would the logs be saved to?


Rip Wilder


OK, my bad. It is on page 8. 


Warning: It may not be enough to be on CP version R77.30 to get the syslog feature.

You may also have to install the R77.30 Add-On on the Security Management Server.


Dear all,

As already noted to our TAM: Syslog is NOT an option for a large company.

Usually (if you have serious firewall administrators) the firewall management subnet is protected by a firewall, and the firewall administrators are the only ones that have access to that network. Connecting an ArcSight syslog connector to the firewall MLM and MDS servers (gathering all logs of all managed Check Point firewalls) means in that case: all syslog events will pass the firewall between MLM / MDS and connector. The firewall team will not allow a server within their firewall administration subnet that is managed by another team!!! If you send each and every firewall log event via syslog (usually you need syslog_tcp to rely on the connection), the admin firewall will crash because of the huge number of TCP sessions that the firewall has to handle.

We strictly ask for an ArcSight connector that supports LEA OPSEC sslca and supports Check Point R.80.

Best regards



Warning to all of you that might be running ArcSight Connector appliances (ArcMCs), models c650X or higher, and are hosting your Check Point SmartConnector for the LEA OPSEC: if you upgrade the RHEL OS to 7.2, which is recommended before upgrading to ArcMC 2.7, this will break your current Check Point connector. We believe it has to do with 32-bit compatibility libraries within the OS, and the way the RHEL OS handles hooks to the 32-bit versions of functions. After we upgraded to RHEL 7.2 and upgraded to ArcMC 2.7, we no longer even have the option to install the old LEA OPSEC Connector. We have even tried to perform a container restore of a working Check Point connector onto the upgraded appliance, with no luck. We were going to look into the syslog option, but as already stated this is not a usable solution for larger organizations. We are working with our TAM to escalate this issue as well.
Wanted to bump this post and reiterate our need for a Check Point solution on ArcMC 2.7 running RHEL 7.2 or higher.

Unsupported solution to this issue, and it can only be done by people who know their stuff ;)
We tested this approach; however, the below is NOT a step-by-step guide.

Works with 32bit connector >=7.7.0


- Install the 32-bit version of the SmartConnector on any server/laptop/etc. Choose a Linux host, so that you will get the 32-bit LEA binaries for Linux, and not Windows.
- Select to install a Check Point connector ... don't add details, just make a generic Check Point LEA connector.
- find the binaries, that are used for the connection ( lea_client, certificate pull, etc), and

On the 64 bit destination connector(appliance):

- copy checkpoint binaries to a FRESH Smartconnector 
- copy to the SC
- run "setup" for Smartconnector, you should be able to see Checkpoint ad_opesc now.

Hope that helps

P.S.: SHA2 support was added as a hotfix, and is now part of 7.7.0