HOWTO: How do I troubleshoot OPSEC LEA issues?

This article applies to:

  • Firewall Suite 4.X

Question:

How do I troubleshoot OPSEC LEA issues?

Procedure:

If OPSEC LEA is not working, the following steps will help you troubleshoot the problem. Be sure to back up any data before deleting it.

Note: Check Point firewalls can be configured to store event record information on a Management Station. If this is the case, then the "server-side" information that follows applies to the management station and not the firewall. In this case, Firewall Suite needs to be configured to connect to the management station rather than the firewall to obtain the necessary event information via OPSEC LEA.

Server Side:

  1. Modifications will be made to the following file:

      fwopsec.conf

  2. Locate the following line:

      lea_server auth_port 18184

  3. Change the line to read as follows:

      lea_server port 18184

    This should be completed even if you are eventually going to move to an authenticated LEA connection. This technique allows you to narrow the problem between an authentication problem and a network or firewall problem.

  4. A rule must exist on the firewall permitting the Firewall Suite machine to access port 18184 via the TCP/IP protocol.

  5. The firewall(s), management station, and Firewall Suite machine must all be set to the same time zone. The OPSEC SDK does not provide a reliable way to translate time zones in firewall event records, so data can be lost in the gaps between time zones, leading to various problems with the OPSEC LEA connection.

  6. Make sure to reboot the firewall after making these changes.
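    The following Python helper is an added example for steps 1 to 3 above; it is not part of Firewall Suite or Check Point and assumes, as the article does, that fwopsec.conf contains a single active lea_server line. It reports which LEA mode the file is in and rewrites the line in either direction, so the clear-port form used for isolating network problems can be reverted to auth_port once the path is confirmed. The sample file contents are constructed.

```python
import re

# Hypothetical helper (not Firewall Suite or Check Point code): matches an active,
# uncommented lea_server line such as "lea_server auth_port 18184".
LEA_LINE = re.compile(r"^(\s*)lea_server\s+(auth_port|port)\s+(\d+)\s*$")

# Constructed sample of an fwopsec.conf fragment in the authenticated form.
SAMPLE_CONF = """\
# constructed sample, not a real Check Point file
sam_server port 18183
lea_server auth_port 18184
"""


def lea_mode(conf_text):
    """Return 'auth_port', 'port', or None depending on the active lea_server line."""
    for line in conf_text.splitlines():
        m = LEA_LINE.match(line)
        if m:
            return m.group(2)
    return None


def set_lea_mode(conf_text, mode, port=18184):
    """Return conf_text with the lea_server line set to the requested mode.

    'port' is the unauthenticated form the article uses to separate network
    problems from authentication problems; 'auth_port' restores the
    authenticated form. The rewrite is idempotent and leaves other lines
    (including commented-out ones) untouched.
    """
    if mode not in ("auth_port", "port"):
        raise ValueError("mode must be 'auth_port' or 'port'")
    out = []
    found = False
    for line in conf_text.splitlines():
        m = LEA_LINE.match(line)
        if m:
            line = f"{m.group(1)}lea_server {mode} {port}"
            found = True
        out.append(line)
    if not found:
        out.append(f"lea_server {mode} {port}")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print("current mode:", lea_mode(SAMPLE_CONF))
    cleared = set_lea_mode(SAMPLE_CONF, "port")
    print(cleared)
    print("after revert:", lea_mode(set_lea_mode(cleared, "auth_port")))
```

    Read the real file, pass its text through set_lea_mode, and write it back; rerunning the script on an already converted file produces identical output, which makes it safe to include in a repeatable troubleshooting checklist.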
Firewall Suite Side:

  1. Log on as administrator. Delete the IP_Address directory located under the following directory:

      [WebTrends_Installation_Directory]/LeaCache

  2. Delete all profiles, including the sample profiles.

  3. Restart the machine. When the machine comes back up, verify that the LEA Service has stopped or is non-existent in the control panel.

  4. Recreate a Firewall Suite profile that uses OPSEC LEA. After specifying the firewall or management station IP address and specifying your IP addresses behind the firewall correctly, use all other defaults in the profile settings. Verify that the service starts in control panel. Also, verify that the following directory contains log files that are being updated.

      [WebTrends_Installation_Directory]/LeaCache


Troubleshooting Tools:

If no files are being created or a message appears saying that the OPSEC LEA connection has failed, then use the following additional troubleshooting tools:

  1. Open a telnet session using the Windows telnet application. Connect to the same IP address that you specified using Firewall Suite on port 18184. Wait 1-2 minutes. If it says "connection failed," there are network or security issues preventing the connection and you need to return to the server-side section above and continue troubleshooting. If the screen goes blank but still responds, then the port can be connected successfully.

  2. Use netstat to check the operation of your local ports. Type the following at a command prompt:

      netstat -an 1 | findstr 18184

    If nothing appears, then no connections on port 18184 are in use. Check to see if the service is actually still running. If it is, then reboot the Firewall Suite machine to be sure it is cleared from RAM.

    If connections do appear, a correctly operating OPSEC LEA connection will be listed as "Established". A connection that is connected properly but is not sending records will display TIME_WAIT.

  3. Solaris FW-1 users only: Customers have reported an inconsistent issue with Solaris versions of FW-1. Some customers have been unable to start the OPSEC LEA connection, even though all of the above steps and packet sniffers verified that the pathway was clear. The solution was to back up the fw.log and fw.alog binary data stores on the firewall and then delete them, allowing the firewall to create them fresh. The OPSEC LEA connection has been shown to work from this point forward.
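    The following Python script is an added example that automates the checks in steps 1 and 2 above; it is not Firewall Suite or Check Point code. probe_port performs the same TCP connect test as the telnet step, lea_connections parses the text of "netstat -an" for entries on the LEA port, and diagnose maps the observed states to the interpretation the article gives. The netstat output below is a constructed sample in the Windows format, and the host and port values are placeholders.

```python
import socket

# Constructed sample of Windows "netstat -an" output (not captured from a real host).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    192.0.2.10:49731       192.0.2.1:18184        ESTABLISHED
  TCP    192.0.2.10:49732       192.0.2.1:443          TIME_WAIT
"""

LEA_PORT = 18184


def probe_port(host, port=LEA_PORT, timeout=5.0):
    """TCP connect check equivalent to the telnet test in step 1.

    Returns True if the remote side accepted the connection, False on refusal,
    timeout, or no route (the "connection failed" case in the article).
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def lea_connections(netstat_output, port=LEA_PORT):
    """Parse netstat -an text; return (foreign_address, state) for TCP entries
    whose local or foreign port is the LEA port. Header lines and other
    protocols are skipped."""
    found = []
    suffix = f":{port}"
    for line in netstat_output.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0].upper() != "TCP":
            continue
        local, foreign, state = parts[1], parts[2], parts[3]
        if local.endswith(suffix) or foreign.endswith(suffix):
            found.append((foreign, state.upper()))
    return found


def diagnose(connections):
    """Map the observed netstat states to the interpretation in step 2."""
    if not connections:
        return "no port 18184 activity: check whether the LEA service is running, then reboot"
    states = {state for _, state in connections}
    if "ESTABLISHED" in states:
        return "LEA connection established"
    if "TIME_WAIT" in states:
        return "connected but no records are being sent"
    return "unexpected state(s): " + ", ".join(sorted(states))


if __name__ == "__main__":
    # Replace with the firewall or management station address from the profile.
    firewall_ip = "192.0.2.1"  # placeholder
    print("TCP connect to port 18184 succeeded:", probe_port(firewall_ip, timeout=2.0))
    conns = lea_connections(SAMPLE_NETSTAT)
    print("LEA entries:", conns)
    print("diagnosis:", diagnose(conns))
```

    On the Firewall Suite machine, feed the real output of "netstat -an" into lea_connections (for example via subprocess) instead of the sample; a False from probe_port points back to the server-side section, while an empty list from lea_connections points at the LEA service itself.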

Notes:

For more information about how to debug OPSEC LEA connections, please review the following Trustwave Knowledgebase article:

  • Q10909: What troubleshooting steps do I take to debug OPSEC LEA connection issues?

This article was previously published as:
NETIQKB352
