This article applies to:
Question:
How do I troubleshoot OPSEC LEA issues?
Procedure:
If OPSEC LEA is not working, the following steps will help you to troubleshoot the potential issue. Be sure to back up any data before deleting it.
Note: Check Point firewalls can be configured to store event record information on a Management Station. If this is the case, then the "server-side" information that follows applies to the management station and not the firewall. In this case, Firewall Suite needs to be configured to connect to the management station rather than the firewall to obtain the necessary event information via OPSEC LEA.
Server Side:
- Modifications will be made to the following file:
- Locate the following line:
- Change the line to read as follows:
This should be completed even if you are eventually going to move to an authenticated LEA connection. This technique allows you to narrow the problem between an authentication problem and a network or firewall problem.
- A rule must exist on the firewall permitting the Firewall Suite machine to access port 18184 via the TCP/IP protocol.
- The firewall(s), management station, and Firewall Suite machine must all be set to the same time zone. The OPSEC SDK does not provide efficient methods to handle translation for the firewall event records, so data can be lost in the gaps between time zones, leading to various problems with connection via OPSEC LEA.
- Make sure to reboot the firewall after making these changes.
Firewall Suite Side:
- Log on as administrator. Delete the IP_Address directory located under the following directory:
- Delete all profiles, including the sample profiles.
- Restart the machine. When the machine comes back up, verify that the LEA Service has stopped or is non-existent in the control panel.
- Recreate a Firewall Suite profile that uses OPSEC LEA. After specifying the firewall or management station IP address and specifying your IP addresses behind the firewall correctly, use all other defaults in the profile settings. Verify that the service starts in control panel. Also, verify that the following directory contains log files that are being updated.
Troubleshooting Tools:
If no files are being created or a message appears saying that the OPSEC LEA connection has failed, then use the following additional troubleshooting tools:
- Open a telnet session using the Windows telnet application. Connect to the same IP address that you specified using Firewall Suite on port 18184. Wait 1-2 minutes. If it says "connection failed," there are network or security issues preventing the connection and you need to return to the server-side section above and continue troubleshooting. If the screen goes blank but still responds, then the port can be connected successfully.
- Use netstat to check the operation of your local ports. Type the following at a command prompt:
If nothing appears, then no port 18184 ports are being used. Check to see if the service is actually still running. If it is, then reboot the Firewall Suite machine to be sure it is clear from RAM.
If ports do appear, a correctly operating OPSEC LEA connection will be listed as "Established". A connection that is connected properly but is not sending records, will display TIME_WAIT.
- Solaris FW-1 users only: Customers have reported an inconsistent issue with Solaris versions of FW-1. Some customers have been unable to start the OPSEC LEA connection, even though all above steps and packet sniffers verified that the pathway was clear. The solution was to back up the fw.log and fw.alog binary data stores on the firewall and then delete them, allowing the firewall to create them fresh. The OPSEC LEA connection has shown to work from this point forward.
Notes:
For more information about how to debug OPSEC LEA connections, please review the followin g Trustwave Knowledgebase article:
- Q10909: What troubleshooting steps do I take to debug OPSEC LEA connection issues?
- This article was previously published as:
- NETIQKB352