How does OPSEC LEA connectivity work in Security Reporting Center?


This article applies to:

  • Security Reporting Center 2.0

Question:

How does OPSEC LEA connectivity work in Security Reporting Center?

Information:

Checkpoint firewalls maintain two binary log event databases on the firewall or management console, the standard database and the accounting database. These databases record traffic according to the firewall rule set. Marshal provides a method of connecting to this log database and downloading the log files in a format that Security Reporting Center can read.

The database connectivity is provided by a secondary process that uses the Checkpoint-developed OPSEC LEA interface. Security Reporting Center starts a secondary process (lea_service.exe for Windows) upon creation of a profile that is configured to use OPSEC LEA.

Once the LEA process is started, it connects to the firewall on TCP port 18184 and continuously polls the firewall for new log record data. This process is fault tolerant in that it records its last-known position in the database. Because of this, Security Reporting Center is capable of reconnecting to the firewall and resuming transfer of log records in the case of communication failure. If the LEA connection is dropped for any reason, the process will attempt to re-connect every five minutes.

The LEA process writes the contents of the two databases to a location that you specify when the profile is configured.

This article was previously published as:
NETIQKB13427

Last Modified 6/25/2008.
https://support.trustwave.com/kb/KnowledgebaseArticle10550.aspx