Sensor properties for the OPSEC LEA sensor

Article ID: 179524

Products

Security Information Manager

Issue/Introduction

 

Resolution

See About sensor properties for common sensor types.

Table: OPSEC LEA sensor properties

Sensor properties

Description

LEA opsec application name

Name of the OPSEC Application that is created in the Check Point SmartDashboard Console.

For Check Point FireWall-1 installation, set this field as follows:

  • For a remote installation, specify the name of the OPSEC Application that is created for the collector computer.

  • For a local installation, this property is not required.

  • For a distributed installation, specify the name of the OPSEC Application that is created for the collector computer.

For Check Point Provider-1 installations, set this field as follows:

  • If a global OPSEC Application for all CMAs was created, specify the name of that Application.

  • If a Distributed Provider-1 with MDS/CMA exists on one computer, and the MLM/CLM exists on a separate computer (where clear text communication is the only option), this field must be BLANK.

  • If multiple OPSEC Applications were created, that is, one for each CMA, then specify the name of a CMA-level OPSEC Application.

    Note:
    You must specify the name of each CMA-level OPSEC Application for each sensor.

The password specified when creating the LEA opsec application

The password that was specified when you created the OPSEC Application.

If a Distributed Provider-1 with MDS/CMA exists on one computer and the MLM/CLM exists on a separate computer (where clear text communication is the only option), you must set this field to BLANK.

Initial Read Policy

Location in the record file where the collector begins to collect data when the collector is first enabled. If you specify BEGINNING, reading starts from the beginning of the log file and all data in the Check Point database is reread by the collector when the Agent or OPSEC LEA server is restarted. If you specify END, reading starts from the end of the log file.

The BEGINNING and END values apply only the first time the collector runs. After the collector's initial start, the last position (the last log record read by the collector) is saved. When the collector restarts, it resumes reading from the last position, and the Initial Read Policy value has no effect.

Monitor in RealTime

Whether the collector should monitor the record file in real time. Specify True.

LEA server IP-address

For Check Point FireWall-1 collector installation, set this field as follows:

  • For both remote installation and local installation, specify the IP address of the Check Point LEA server from which events are collected.

  • For a distributed installation, specify the IP address of the Check Point Log Server.

For Check Point Provider-1 installations with MDS/CMA/Log server all on one computer, set this field to the IP address of the CMA.

For Distributed Provider-1 installations with MDS/CMA on one computer and the MLM/CLM on a separate computer (where clear text communication is the only option), set this field to the IP address of the CLM.

LEA server auth port

Authentication port on the Check Point LEA server on which the LEA application is running.

For Check Point FireWall-1 collector installations, set this field as follows:

  • For a remote installation, specify 18184 as the LEA server auth port.

  • For a local installation, specify 0 (zero) as the LEA server auth port.

  • For a distributed installation, specify 0 (zero) as the LEA server auth port.

For Check Point Provider-1 installations with MDS/CMA/Log server all on one computer, set this field to 18184 as the LEA server auth port.

For Distributed Provider-1 installations with MDS/CMA on one computer and the MLM/CLM on a separate computer (where clear text communication is the only option), set this field to 0 (zero) as the LEA server auth port.

LEA server auth type

Authentication type that the Symantec Event Collector uses. For a local installation, specify local. For a remote installation, specify sslca in this field.

For Check Point FireWall-1 collector installations, set this field as follows:

  • For a remote installation, specify sslca as the LEA server auth type.

    For sslca, both client and server must provide certificates that are created and signed by a trusted certificate authority.

  • For a local installation, specify local as the LEA server auth type.

  • For a distributed installation, specify local as the LEA server auth type.

For Check Point Provider-1 installations with MDS/CMA/Log server all on one computer, set this field to sslca as the LEA server auth type.

For Distributed Provider-1 installations with MDS/CMA on one computer and the MLM/CLM on a separate computer (where clear text communication is the only option), set this field to local as the LEA server auth type.

LEA server port

Communications port for the LEA server.

For Check Point FireWall-1 collector installations, set this field as follows:

  • For a remote installation, specify 0 (zero) as the LEA server port.

  • For a local installation, specify 18184 as the LEA server port.

  • For a distributed installation, specify 18184 as the LEA server port.

For Check Point Provider-1 installations with MDS/CMA/Log server all on one computer, set this field to 0 (zero) as the LEA server port.

For Distributed Provider-1 installations with MDS/CMA on one computer and the MLM/CLM on a separate computer (where clear text communication is the only option), set this field to 18184 as the LEA server port.

LEA server opsec entity sic name

Qualified name of the OPSEC management server, CMA, or CLM. Copy the name from the OPSEC Application on the Check Point SmartDashboard Console.

For Check Point FireWall-1 collector installations, set this field as follows:

  • For a remote installation, specify the sic name of the OPSEC management server.

  • For a local installation, this property is not required.

  • For a distributed installation, specify the sic name of the Check Point Log Server.

For Check Point Provider-1 installations with MDS/CMA/Log server all on one computer, set this field to the sic name of the CMA.

For Distributed Provider-1 installations with MDS/CMA on one computer and the MLM/CLM on a separate computer (where clear text communication is the only option), you must set this field to BLANK.

opsec sic name

Sic name of the OPSEC Application. Copy the name from the OPSEC Application on the Check Point SmartDashboard Console.

For Check Point FireWall-1 collector installations, set this field as follows:

  • For a remote installation, specify the sic name of the OPSEC Application.

  • For a local installation, this property is not required.

  • For a distributed installation, specify the sic name of the OPSEC Application that was created for the collector computer.

For Check Point Provider-1 installations, set this field as follows:

  • If a global OPSEC Application for all CMAs was created, specify the qualified sic name of that Application.

  • If multiple OPSEC Applications were created (one for each CMA), then specify the sic name of a CMA-level OPSEC Application.

    Note:
    You must specify the name of each CMA-level OPSEC Application for each sensor.

For Distributed Provider-1 installations with MDS/CMA on one computer and the MLM/CLM on a separate computer (where clear text communication is the only option), you must set this field to BLANK.

Read audit log

Set this property to True if you want to collect events from the Check Point Audit Log. These events include administrator logon and log off events and any modifications to the Check Point rules and configuration.
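
The port, auth type and name values that the table gives separately for each installation type can be collected into one profile per type and checked against a proposed sensor configuration before it is deployed. This is an added example, not Symantec or Check Point code; the dictionary keys, installation-type labels and sample values are hypothetical.

```python
# Added example. Keys and installation-type labels are hypothetical short
# names for the table's properties, not identifiers used by the product.
REQ, OPT, BLANK = "required", "optional", "blank"

# installation type -> (auth type, auth port, server port, rule for name fields)
PROFILES = {
    "fw1_remote":            ("sslca", 18184, 0,     REQ),
    "fw1_local":             ("local", 0,     18184, OPT),
    "fw1_distributed":       ("local", 0,     18184, REQ),
    "provider1_single":      ("sslca", 18184, 0,     REQ),
    "provider1_distributed": ("local", 0,     18184, BLANK),
}
NAME_FIELDS = ("app_name", "entity_sic_name", "opsec_sic_name")


def validate(install_type, cfg):
    """Return findings for cfg; an empty list means it matches the table."""
    auth_type, auth_port, server_port, rule = PROFILES[install_type]
    expected = {"auth_type": auth_type, "auth_port": auth_port,
                "server_port": server_port, "monitor_realtime": True}
    findings = [f"{k}: expected {want!r}, got {cfg.get(k)!r}"
                for k, want in expected.items() if cfg.get(k) != want]
    if not cfg.get("server_ip"):
        findings.append("server_ip: LEA server IP-address is empty")
    if cfg.get("initial_read_policy") not in ("BEGINNING", "END"):
        findings.append("initial_read_policy: expected BEGINNING or END")
    # The password is only checked where the table says it must be blank.
    for k in NAME_FIELDS + ("password",):
        value = (cfg.get(k) or "").strip()
        if rule == BLANK and value:
            findings.append(f"{k}: must be blank for this installation type")
        elif rule == REQ and not value and k != "password":
            findings.append(f"{k}: required for this installation type")
    return findings


# Constructed sample: a remote collector left on the local-installation values.
SAMPLE = {
    "app_name": "sim_collector", "password": "example-only",
    "initial_read_policy": "END", "monitor_realtime": True,
    "server_ip": "192.0.2.10", "auth_type": "local",
    "auth_port": 0, "server_port": 18184,
    "entity_sic_name": "cn=cp_mgmt,o=example",
    "opsec_sic_name": "CN=sim_collector,O=example",
}

if __name__ == "__main__":
    for kind in PROFILES:
        print(kind, validate(kind, SAMPLE))
```

Checked as a remote FireWall-1 installation, the sample is flagged on all three of auth type, auth port and server port, because it carries the local values where the table calls for sslca on port 18184.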