fw1-loggrabber and MDM/P1

Update: My guys are telling me that loggrabber is faulting because there are new fields in the log records that loggrabber does not know about. I think it was the ‘user’ field or something to do with application control. They debugged it and recoded it to get it working.

================================

Do you need to grab logs from SmartTracker so you can do analysis? fw1-loggrabber to the rescue! An old-time tool that really works well.

In my career I have set up fw1-loggrabber about 3x, and every time I forget what goes where and what DNs to use. Especially in a P1/MDM environment it gets somewhat confusing because the DMS and the DLS are on two different platforms. Also the documentation is old and confusing because there are SOOOOO many damn versions and SIC protocols. Ugh.

Here is the magic ju-ju so I never forget again! On R75.46 anyways (Oh yeah, don’t forget to never upgrade to R76 or R77, you will die a slow death).

You have to set up SIC with the DMS, and pull logs from the DLS. Seems simple, but the DNs get a little tricky.

fw1-loggrabber

First, on your DMS, set up an OPSEC client object that is the middle man between the Unix fw1-loggrabber host and the DMS/DLS:

It should look something like this (I had to remove proprietary info).

fw loggrabber config

Save the SIC password. Push the database to the DMS and the DLS.

Then go to the DMS and get a list of all the valid SIC certs and write them all down, specifically the loggrabber, DLS and DMS ones:

  1. mdsenv DMS1
  2. cpca_client lscert -kind SIC -stat Valid

Then go to your fw1-loggrabber Unix client, establish SIC and pull the public cert, using the DMS1 IP address 10.2.1.101 and the OPSEC LEA object name. Both of these queries go to the DMS. Turn on the debug.

  1. ./opsec_putkey -debug -p vpn123 10.2.1.101
  2. ./opsec_pull_cert -p vpn123 -h 10.2.1.101 -n LEA-Loggrabber -d

The pulled cert file, opsec.p12, should be put into your local directory.

From the above diagram, create your LEA config, lea.conf. I showed you what CNs to use there. I also use full path names. I use sslca and it works by default, so you can ignore all those other protocols.
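Since the diagram with the DNs had the proprietary parts removed, here is the shape of a lea.conf for this P1/MDM layout, as an added example and not the post's own file. It assumes the object names used above (LEA-Loggrabber pulled against DMS1 at 10.2.1.101), a placeholder DLS address, and that both the client and the DLS certs were issued by the DMS1 CA, so their O= parts match; the real DNs come from the cpca_client listing on the DMS, not from here.

```conf
# lea.conf for fw1-loggrabber in a P1/MDM setup (added example, not from the post).
# Values in <...> are placeholders; copy the real DNs from
# "cpca_client lscert -kind SIC -stat Valid" run in the DMS1 context (mdsenv DMS1).

# Logs are pulled from the DLS, even though SIC was established with the DMS.
lea_server ip <DLS_IP>
lea_server auth_port 18184
lea_server auth_type sslca

# Client side: the OPSEC LEA object created on DMS1 and the cert pulled with opsec_pull_cert.
opsec_sic_name "CN=LEA-Loggrabber,O=<DMS1_CA_name>..<hash>"
opsec_sslca_file /opt/fw1-loggrabber/etc/opsec.p12

# Server side: the SIC DN of the DLS object as listed on DMS1; same O= as the client cert.
lea_server opsec_entity_sic_name "CN=<DLS_object_name>,O=<DMS1_CA_name>..<hash>"
```

The two DN mistakes that bite in MDM are putting the DMS IP in lea_server ip (logs live on the DLS) and taking the O= part from the MDS instead of the DMS that actually issued the certs. Point fw1-loggrabber at this file with the --leaconfigfile switch if it is not in the default location.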

You should now be ready to execute fw1-loggrabber on your Unix machine, pulling from the DLS. I use the debug switch to make sure things are working OK.

fw1-loggrabber --debug-level 3
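The update at the top says loggrabber itself faulted on fields it did not know about (the 'user' and application-control fields). Whatever consumes its output has the same exposure one step downstream. As an added example, not code from the post or from the fw1-loggrabber project, here is a tolerant parser for the key=value records loggrabber writes in its normal output mode (fields joined by the RECORD_SEPARATOR from fw1-loggrabber.conf, "|" by default). Unknown field names are kept and counted instead of breaking the run, so a schema change shows up as a number in a report rather than as a crash. The sample lines are constructed for the example and the KNOWN_FIELDS list is an assumption for the demo, not the full Check Point field schema.

```python
"""Tolerant parser for fw1-loggrabber normal-mode output (added example).

Each record is a sequence of key=value fields joined by a separator ("|" by
default).  Field names the parser has not seen before are kept, not rejected,
and counted so that schema drift (new fields) is visible to the analyst.
"""
from collections import Counter

# Fields this example expects; an assumption for the demo, not the full schema.
KNOWN_FIELDS = {
    "loc", "time", "action", "orig", "i/f_dir", "i/f_name",
    "src", "dst", "proto", "service", "rule",
}

# Constructed sample lines in fw1-loggrabber's normal output format.
SAMPLE_LINES = [
    "loc=1042|time=30Sep2013 14:02:11|action=accept|orig=10.2.1.101|i/f_dir=inbound"
    "|i/f_name=eth0|src=192.0.2.10|dst=198.51.100.7|proto=tcp|service=https|rule=7",
    "loc=1043|time=30Sep2013 14:02:12|action=drop|orig=10.2.1.101|i/f_dir=inbound"
    "|i/f_name=eth0|src=192.0.2.25|dst=198.51.100.7|proto=tcp|service=ssh|rule=0"
    "|user=jdoe|app_name=SSH Protocol",
    "loc=1044|time=30Sep2013 14:02:13|action=drop|orig=10.2.1.101|i/f_dir=inbound"
    "|i/f_name=eth0|src=192.0.2.25|dst=198.51.100.9|proto=tcp|service=ssh|rule=0"
    "|user=jdoe",
]


def parse_record(line, separator="|"):
    """Parse one record into a dict; return (record, list of unknown field names)."""
    record = {}
    unknown = []
    for field in line.rstrip("\r\n").split(separator):
        if not field:
            continue
        # Split on the first '=' only: values such as messages may contain '='.
        key, has_eq, value = field.partition("=")
        key = key.strip()
        if not has_eq or not key:
            # Keep malformed fragments instead of aborting the whole record.
            record.setdefault("_unparsed", []).append(field)
            continue
        record[key] = value.strip()
        if key not in KNOWN_FIELDS:
            unknown.append(key)
    return record, unknown


def parse_lines(lines, separator="|"):
    """Parse many lines; return (records, Counter of unknown field names)."""
    records = []
    unknown_counts = Counter()
    for line in lines:
        record, unknown = parse_record(line, separator)
        records.append(record)
        unknown_counts.update(unknown)
    return records, unknown_counts


def drops_by_source(records):
    """Count dropped connections per source address, a typical first analysis cut."""
    return Counter(
        r["src"] for r in records if r.get("action") == "drop" and "src" in r
    )


if __name__ == "__main__":
    recs, new_fields = parse_lines(SAMPLE_LINES)
    print(f"{len(recs)} records parsed")
    print("new field names seen:", dict(new_fields))
    print("drops by source:", dict(drops_by_source(recs)))
```

Run it against a file produced by fw1-loggrabber by replacing SAMPLE_LINES with the file's lines; if you changed RECORD_SEPARATOR in fw1-loggrabber.conf, pass the same separator to parse_lines. The unknown-field counter is the part worth keeping: review it after every Check Point upgrade, since that is exactly the kind of change that broke loggrabber in the update above.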

So be a little careful on an MLM. If you have your logs going there, and you have Tufin extracting logs, and you have a SIEM like (god help you) RSA enVision sucking logs, and you decide to put this on your MLM, then your log server is going to be REALLY BUSY!!! LEA sucks a lot of disk and CPU, so make sure your log server has lots of CPU.

And Dreez Says to His People: Go Forth and Grab Logs!

over and out,

dreez


Comments

  • Heinz Werner  On October 1, 2013 at 4:29 pm

    Why not upgrade to R76 or R77.10? Do you have any documented problems (especially regarding R77.10)?

    • Dreezman  On October 1, 2013 at 7:10 pm

      R76 is basically VSX. VSX kernel was reworked in R75.40 and they are still working out the kinks. Also the administration and debugging is different.

      I have not been happy with the quality of the product since R75.20. They are trying to jam too many features into too short of time without adequate vetting and testing. I have one large customer on R76 that is having management and cluster problems.

      CP has been doing marketing releases (they release features based on what marketing tells their clients). They say they are going back to quality control releases in January 2014. I will wait until we see some HF releases before I upgrade. Your mileage may vary.

      dreez

      • Dreezman  On October 1, 2013 at 7:10 pm

        Stick to the R75.46-48 is my advice.

blog.lachmann.org

Michael Endrizzi's - St. Paul MN - CheckPoint blog on topics related to Check Point products and security in general.